Provided by: salt-common_2015.8.8+ds-1ubuntu0.1_all
NAME
salt - Salt Documentation
INTRODUCTION TO SALT
We’re not just talking about NaCl..SS The 30 second summary Salt is: • a configuration management system, capable of maintaining remote nodes in defined states (for example, ensuring that specific packages are installed and specific services are running) • a distributed remote execution system used to execute commands and query data on remote nodes, either individually or by arbitrary selection criteria It was developed in order to bring the best solutions found in the world of remote execution together and make them better, faster, and more malleable. Salt accomplishes this through its ability to handle large loads of information, and not just dozens but hundreds and even thousands of individual servers quickly through a simple and manageable interface. Simplicity Providing versatility between massive scale deployments and smaller systems may seem daunting, but Salt is very simple to set up and maintain, regardless of the size of the project. The architecture of Salt is designed to work with any number of servers, from a handful of local network systems to international deployments across different data centers. The topology is a simple server/client model with the needed functionality built into a single set of daemons. While the default configuration will work with little to no modification, Salt can be fine tuned to meet specific needs. Parallel execution The core functions of Salt: • enable commands to remote systems to be called in parallel rather than serially • use a secure and encrypted protocol • use the smallest and fastest network payloads possible • provide a simple programming interface Salt also introduces more granular controls to the realm of remote execution, allowing systems to be targeted not just by hostname, but also by system properties. Building on proven technology Salt takes advantage of a number of technologies and techniques. The networking layer is built with the excellent ZeroMQ networking library, so the Salt daemon includes a viable and transparent AMQ broker. Salt uses public keys for authentication with the master daemon, then uses faster AES encryption for payload communication; authentication and encryption are integral to Salt. Salt takes advantage of communication via msgpack, enabling fast and light network traffic. Python client interface In order to allow for simple expansion, Salt execution routines can be written as plain Python modules. The data collected from Salt executions can be sent back to the master server, or to any arbitrary program. Salt can be called from a simple Python API, or from the command line, so that Salt can be used to execute one-off commands as well as operate as an integral part of a larger application. Fast, flexible, scalable The result is a system that can execute commands at high speed on target server groups ranging from one to very many servers. Salt is very fast, easy to set up, amazingly malleable and provides a single remote execution architecture that can manage the diverse requirements of any number of servers. The Salt infrastructure brings together the best of the remote execution world, amplifies its capabilities and expands its range, resulting in a system that is as versatile as it is practical, suitable for any network. Open Salt is developed under the Apache 2.0 license, and can be used for open and proprietary projects. Please submit your expansions back to the Salt project so that we can all benefit together as Salt grows. Please feel free to sprinkle Salt around your systems and let the deliciousness come forth. Salt Community Join the Salt! There are many ways to participate in and communicate with the Salt community. Salt has an active IRC channel and a mailing list. Mailing List Join the salt-users mailing list. It is the best place to ask questions about Salt and see whats going on with Salt development! The Salt mailing list is hosted by Google Groups. It is open to new members. https://groups.google.com/forum/#!forum/salt-users There is also a low-traffic list used to announce new releases called salt-announce https://groups.google.com/forum/#!forum/salt-announce IRC The #salt IRC channel is hosted on the popular Freenode network. You can use the Freenode webchat client right from your browser. Logs of the IRC channel activity are being collected courtesy of Moritz Lenz. If you wish to discuss the development of Salt itself join us in #salt-devel. Follow on GitHub The Salt code is developed via GitHub. Follow Salt for constant updates on what is happening in Salt development: https://github.com/saltstack/salt Blogs SaltStack Inc. keeps a blog with recent news and advancements: http://www.saltstack.com/blog/ Thomas Hatch also shares news and thoughts on Salt and related projects in his personal blog The Red45: http://red45.wordpress.com/ Example Salt States The official salt-states repository is: https://github.com/saltstack/salt-states A few examples of salt states from the community: • https://github.com/blast-hardcheese/blast-salt-states • https://github.com/kevingranade/kevingranade-salt-state • https://github.com/mattmcclean/salt-openstack/tree/master/salt • https://github.com/rentalita/ubuntu-setup/ • https://github.com/brutasse/states • https://github.com/bclermont/states • https://github.com/pcrews/salt-data Follow on ohloh https://www.ohloh.net/p/salt Other community links • Salt Stack Inc. • Subreddit • Google+ • YouTube • Facebook • Twitter • Wikipedia page Hack the Source If you want to get involved with the development of source code or the documentation efforts, please review the hacking section!
INSTALLATION
SEE ALSO: Installing Salt for development and contributing to the project. Quick Install On most distributions, you can set up a Salt Minion with the Salt Bootstrap. Platform-specific Installation Instructions These guides go into detail how to install Salt on a given platform. Arch Linux Installation Salt (stable) is currently available via the Arch Linux Official repositories. There are currently -git packages available in the Arch User repositories (AUR) as well. Stable Release Install Salt stable releases from the Arch Linux Official repositories as follows: pacman -S salt-zmq To install Salt stable releases using the RAET protocol, use the following: pacman -S salt-raet NOTE: transports Unlike other linux distributions, please be aware that Arch Linux's package manager pacman defaults to RAET as the Salt transport. If you want to use ZeroMQ instead, make sure to enter the associated number for the salt-zmq repository when prompted. Tracking develop To install the bleeding edge version of Salt (may include bugs!), use the -git package. Installing the -git package as follows: wget https://aur.archlinux.org/packages/sa/salt-git/salt-git.tar.gz tar xf salt-git.tar.gz cd salt-git/ makepkg -is NOTE: yaourt If a tool such as Yaourt is used, the dependencies will be gathered and built automatically. The command to install salt using the yaourt tool is: yaourt salt-git Post-installation tasks systemd Activate the Salt Master and/or Minion via systemctl as follows: systemctl enable salt-master.service systemctl enable salt-minion.service Start the Master Once you've completed all of these steps you're ready to start your Salt Master. You should be able to start your Salt Master now using the command seen here: systemctl start salt-master Now go to the Configuring Salt page. Debian GNU/Linux / Raspbian Debian GNU/Linux distribution and some devariatives such as Raspbian already have included Salt packages to their repositories. However, current stable release codenamed "Jessie" contains old outdated Salt release. It is recommended to use SaltStack repository for Debian as described below. Installation from official Debian and Raspbian repositories is described here. Installation from the SaltStack Repository 2015.5 and later packages for Debian 8 ("Jessie") are available in the SaltStack repository. NOTE: SaltStack repository contains only packages suitable for i386 (32-bit Intel-compatible CPUs) and amd64 (64-bit) architectures. While Salt packages are built for all Debian ports (have all suffix in package names), some of the dependencies are avaivable only for amd64 systems. IMPORTANT: The repository folder structure changed in the 2015.8.3 release, though the previous repository structure that was documented in 2015.8.1 can continue to be used. To install using the SaltStack repository: 1. Run the following command to import the SaltStack repository key: wget -O - https://repo.saltstack.com/apt/debian/8/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add - 2. Add the following line to /etc/apt/sources.list: deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main 3. Run sudo apt-get update. 4. Now go to the packages installation section. Installation from the Community Repository The SaltStack community maintains a Debian repository at debian.saltstack.com. Packages for Debian Old Stable, Stable, and Unstable (Wheezy, Jessie, and Sid) for Salt 0.16 and later are published in this repository. NOTE: Packages in this repository are community built, and it can take a little while until the latest SaltStack release is available in this repository. Jessie (Stable) For Jessie, the following line is needed in either /etc/apt/sources.list or a file in /etc/apt/sources.list.d: deb http://debian.saltstack.com/debian jessie-saltstack main Wheezy (Old Stable) For Wheezy, the following line is needed in either /etc/apt/sources.list or a file in /etc/apt/sources.list.d: deb http://debian.saltstack.com/debian wheezy-saltstack main Squeeze (Old Old Stable) For Squeeze, you will need to enable the Debian backports repository as well as the debian.saltstack.com repository. To do so, add the following to /etc/apt/sources.list or a file in /etc/apt/sources.list.d: deb http://debian.saltstack.com/debian squeeze-saltstack main deb http://backports.debian.org/debian-backports squeeze-backports main Stretch (Testing) For Stretch, the following line is needed in either /etc/apt/sources.list or a file in /etc/apt/sources.list.d: deb http://debian.saltstack.com/debian stretch-saltstack main Sid (Unstable) For Sid, the following line is needed in either /etc/apt/sources.list or a file in /etc/apt/sources.list.d: deb http://debian.saltstack.com/debian unstable main Import the repository key You will need to import the key used for signing. wget -q -O- "http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key" | apt-key add - NOTE: You can optionally verify the key integrity with sha512sum using the public key signature shown here. E.g: echo "b702969447140d5553e31e9701be13ca11cc0a7ed5fe2b30acb8491567560ee62f834772b5095d735dfcecb2384a5c1a20045f52861c417f50b68dd5ff4660e6 debian-salt-team-joehealy.gpg.key" | sha512sum -c Update the package database apt-get update Installation from the Debian / Raspbian Official Repository Stretch (Testing) and Sid (Unstable) distributions are already contain mostly up-to-date Salt packages built by Debian Salt Team. You can install Salt components directly from Debian. On Jessie (Stable) there is an option to install Salt minion from Stretch with python-tornado dependency from jessie-backports repositories. To install fresh release of Salt minion on Jessie: 1. Add jessie-backports and stretch repositories: Debian: echo 'deb http://httpredir.debian.org/debian jessie-backports main' >> /etc/apt/sources.list echo 'deb http://httpredir.debian.org/debian stretch main' >> /etc/apt/sources.list Raspbian: echo 'deb http://archive.raspbian.org/raspbian/ stretch main' >> /etc/apt/sources.list 2. Make Jessie a default release: echo 'APT::Default-Release "jessie";' > /etc/apt/apt.conf.d/10apt 3. Install Salt dependencies: Debian: apt-get update apt-get install python-zmq python-tornado/jessie-backports salt-common/stretch Raspbian: apt-get update apt-get install python-zmq python-tornado/stretch salt-common/stretch 4. Install Salt minion package from Stretch: apt-get install salt-minion/stretch Install Packages Install the Salt master, minion or other packages from the repository with the apt-get command. These examples each install one of Salt components, but more than one package name may be given at a time: • apt-get install salt-api • apt-get install salt-cloud • apt-get install salt-master • apt-get install salt-minion • apt-get install salt-ssh • apt-get install salt-syndic Post-installation tasks Now, go to the Configuring Salt page. Fedora Beginning with version 0.9.4, Salt has been available in the primary Fedora repositories and EPEL. It is installable using yum. Fedora will have more up to date versions of Salt than other members of the Red Hat family, which makes it a great place to help improve Salt! WARNING: Fedora 19 comes with systemd 204. Systemd has known bugs fixed in later revisions that prevent the salt-master from starting reliably or opening the network connections that it needs to. It's not likely that a salt-master will start or run reliably on any distribution that uses systemd version 204 or earlier. Running salt-minions should be OK. Installation Salt can be installed using yum and is available in the standard Fedora repositories. Stable Release Salt is packaged separately for the minion and the master. It is necessary only to install the appropriate package for the role the machine will play. Typically, there will be one master and multiple minions. yum install salt-master yum install salt-minion Installing from updates-testing When a new Salt release is packaged, it is first admitted into the updates-testing repository, before being moved to the stable repo. To install from updates-testing, use the enablerepo argument for yum: yum --enablerepo=updates-testing install salt-master yum --enablerepo=updates-testing install salt-minion Installation Using pip Since Salt is on PyPI, it can be installed using pip, though most users prefer to install using a package manager. Installing from pip has a few additional requirements: • Install the group 'Development Tools', dnf groupinstall 'Development Tools' • Install the 'zeromq-devel' package if it fails on linking against that afterwards as well. A pip install does not make the init scripts or the /etc/salt directory, and you will need to provide your own systemd service unit. Installation from pip: pip install salt WARNING: If installing from pip (or from source using setup.py install), be advised that the yum-utils package is needed for Salt to manage packages. Also, if the Python dependencies are not already installed, then you will need additional libraries/tools installed to build some of them. More information on this can be found here. Post-installation tasks Master To have the Master start automatically at boot time: systemctl enable salt-master.service To start the Master: systemctl start salt-master.service Minion To have the Minion start automatically at boot time: systemctl enable salt-minion.service To start the Minion: systemctl start salt-minion.service Now go to the Configuring Salt page. FreeBSD Salt was added to the FreeBSD ports tree Dec 26th, 2011 by Christer Edwards <‐ christer.edwards@gmail.com>. It has been tested on FreeBSD 7.4, 8.2, 9.0, 9.1, 10.0 and later releases. Installation Salt is available in binary package form from both the FreeBSD pkgng repository or directly from SaltStack. The instructions below outline installation via both methods: FreeBSD repo The FreeBSD pkgng repository is preconfigured on systems 10.x and above. No configuration is needed to pull from these repositories. pkg install py27-salt These packages are usually available within a few days of upstream release. SaltStack repo SaltStack also hosts internal binary builds of the Salt package, available from https://repo.saltstack.com/freebsd/. To make use of this repository, add the following file to your system: /usr/local/etc/pkg/repos/saltstack.conf: saltstack: { url: "https://repo.saltstack.com/freebsd/${ABI}/", mirror_type: "http", enabled: yes priority: 10 } You should now be able to install Salt from this new repository: pkg install py27-salt These packages are usually available earlier than upstream FreeBSD. Also available are release candidates and development releases. Use these pre-release packages with caution. Post-installation tasks Master Copy the sample configuration file: cp /usr/local/etc/salt/master.sample /usr/local/etc/salt/master rc.conf Activate the Salt Master in /etc/rc.conf: sysrc salt_master_enable="YES" Start the Master Start the Salt Master as follows: service salt_master start Minion Copy the sample configuration file: cp /usr/local/etc/salt/minion.sample /usr/local/etc/salt/minion rc.conf Activate the Salt Minion in /etc/rc.conf: sysrc salt_minion_enable="YES" Start the Minion Start the Salt Minion as follows: service salt_minion start Now go to the Configuring Salt page. Gentoo Salt can be easily installed on Gentoo via Portage: emerge app-admin/salt Post-installation tasks Now go to the Configuring Salt page. OpenBSD Salt was added to the OpenBSD ports tree on Aug 10th 2013. It has been tested on OpenBSD 5.5 onwards. Salt is dependent on the following additional ports. These will be installed as dependencies of the sysutils/salt port: devel/py-futures devel/py-progressbar net/py-msgpack net/py-zmq security/py-crypto security/py-M2Crypto textproc/py-MarkupSafe textproc/py-yaml www/py-jinja2 www/py-requests www/py-tornado Installation To install Salt from the OpenBSD pkg repo, use the command: pkg_add salt Post-installation tasks Master To have the Master start automatically at boot time: rcctl enable salt_master To start the Master: rcctl start salt_master Minion To have the Minion start automatically at boot time: rcctl enable salt_minion To start the Minion: rcctl start salt_minion Now go to the Configuring Salt page. OS X Dependency Installation It should be noted that Homebrew explicitly discourages the use of sudo: Homebrew is designed to work without using sudo. You can decide to use it but we strongly recommend not to do so. If you have used sudo and run into a bug then it is likely to be the cause. Please don’t file a bug report unless you can reproduce it after reinstalling Homebrew from scratch without using sudo So when using Homebrew, if you want support from the Homebrew community, install this way: brew install saltstack When using MacPorts, install this way: sudo port install salt When only using the OS X system's pip, install this way: sudo pip install salt Salt-Master Customizations To run salt-master on OS X, the root user maxfiles limit must be increased: NOTE: On OS X 10.10 (Yosemite) and higher, maxfiles should not be adjusted. The default limits are sufficient in all but the most extreme scenarios. Overriding these values with the setting below will cause system instability! sudo launchctl limit maxfiles 4096 8192 And sudo add this configuration option to the /etc/salt/master file: max_open_files: 8192 Now the salt-master should run without errors: sudo salt-master --log-level=all Post-installation tasks Now go to the Configuring Salt page. RHEL / CentOS / Scientific Linux / Amazon Linux / Oracle Linux Salt should work properly with all mainstream derivatives of Red Hat Enterprise Linux, including CentOS, Scientific Linux, Oracle Linux, and Amazon Linux. Report any bugs or issues on the issue tracker. Installation from the SaltStack Repository 2015.5 and later packages for RHEL 5, 6, and 7 are available in the SaltStack repository. IMPORTANT: The repository folder structure changed in the 2015.8.3 release, though the previous repository structure that was documented in 2015.8.1 can continue to be used. To install using the SaltStack repository: 1. Run one of the following commands based on your version to import the SaltStack repository key: Version 7: rpm --import https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub Version 6: rpm --import https://repo.saltstack.com/yum/redhat/6/x86_64/latest/SALTSTACK-GPG-KEY.pub Version 5: wget https://repo.saltstack.com/yum/redhat/5/x86_64/latest/SALTSTACK-EL5-GPG-KEY.pub rpm --import SALTSTACK-EL5-GPG-KEY.pub rm -f SALTSTACK-EL5-GPG-KEY.pub 2. Save the following file to /etc/yum.repos.d/saltstack.repo: Version 7 and 6: [saltstack-repo] name=SaltStack repo for RHEL/CentOS $releasever baseurl=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest enabled=1 gpgcheck=1 gpgkey=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/SALTSTACK-GPG-KEY.pub Version 5: [saltstack-repo] name=SaltStack repo for RHEL/CentOS $releasever baseurl=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest enabled=1 gpgcheck=1 gpgkey=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/SALTSTACK-EL5-GPG-KEY.pub 3. Run sudo yum clean expire-cache. 4. Run sudo yum update. 5. Install the salt-minion, salt-master, or other Salt components: • yum install salt-master • yum install salt-minion • yum install salt-ssh • yum install salt-syndic • yum install salt-cloud NOTE: As of 2015.8.0, EPEL repository is no longer required for installing on RHEL systems. SaltStack repository provides all needed dependencies. WARNING: If installing on Red Hat Enterprise Linux 7 with disabled (not subscribed on) 'RHEL Server Releases' or 'RHEL Server Optional Channel' repositories, append CentOS 7 GPG key URL to SaltStack yum repository configuration to install required base packages: [saltstack-repo] name=SaltStack repo for Red Hat Enterprise Linux $releasever baseurl=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest enabled=1 gpgcheck=1 gpgkey=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/base/RPM-GPG-KEY-CentOS-7 NOTE: systemd and python-systemd are required by Salt, but are not installed by the Red Hat 7 @base installation or by the Salt installation. These dependencies might need to be installed before Salt. Installation from the Community Repository Beginning with version 0.9.4, Salt has been available in EPEL. For RHEL/CentOS 5, Fedora COPR is a single community repository that provides Salt packages due to the removal from EPEL5. NOTE: Packages in these repositories are built by community, and it can take a little while until the latest stable SaltStack release become available. RHEL/CentOS 6 and 7, Scientific Linux, etc. WARNING: Salt 2015.8 is currently not available in EPEL due to unsatisfied dependencies: python-crypto 2.6.1 or higher, and python-tornado version 4.2.1 or higher. These packages are not currently available in EPEL for Red Hat Enterprise Linux 6 and 7. Enabling EPEL If the EPEL repository is not installed on your system, you can download the RPM for RHEL/CentOS 6 or for RHEL/CentOS 7 and install it using the following command: rpm -Uvh epel-release-X-Y.rpm Replace epel-release-X-Y.rpm with the appropriate filename. Installing Stable Release Salt is packaged separately for the minion and the master. It is necessary to install only the appropriate package for the role the machine will play. Typically, there will be one master and multiple minions. • yum install salt-master • yum install salt-minion • yum install salt-ssh • yum install salt-syndic • yum install salt-cloud Installing from epel-testing When a new Salt release is packaged, it is first admitted into the epel-testing repository, before being moved to the stable EPEL repository. To install from epel-testing, use the enablerepo argument for yum: yum --enablerepo=epel-testing install salt-minion Installation Using pip Since Salt is on PyPI, it can be installed using pip, though most users prefer to install using RPM packages (which can be installed from EPEL). Installing from pip has a few additional requirements: • Install the group 'Development Tools', yum groupinstall 'Development Tools' • Install the 'zeromq-devel' package if it fails on linking against that afterwards as well. A pip install does not make the init scripts or the /etc/salt directory, and you will need to provide your own systemd service unit. Installation from pip: pip install salt WARNING: If installing from pip (or from source using setup.py install), be advised that the yum-utils package is needed for Salt to manage packages. Also, if the Python dependencies are not already installed, then you will need additional libraries/tools installed to build some of them. More information on this can be found here. ZeroMQ 4 We recommend using ZeroMQ 4 where available. SaltStack provides ZeroMQ 4.0.5 and pyzmq 14.5.0 in the SaltStack Repository as well as a separate zeromq4 COPR repository. If this repository is added before Salt is installed, then installing either salt-master or salt-minion will automatically pull in ZeroMQ 4.0.5, and additional steps to upgrade ZeroMQ and pyzmq are unnecessary. WARNING: RHEL/CentOS 5 Users Using COPR repos on RHEL/CentOS 5 requires that the python-hashlib package be installed. Not having it present will result in checksum errors because YUM will not be able to process the SHA256 checksums used by COPR. NOTE: For RHEL/CentOS 5 installations, if using the SaltStack repo or Fedora COPR to install Salt (as described above), then it is not necessary to enable the zeromq4 COPR, because those repositories already include ZeroMQ 4. Package Management Salt's interface to yum makes heavy use of the repoquery utility, from the yum-utils package. This package will be installed as a dependency if salt is installed via EPEL. However, if salt has been installed using pip, or a host is being managed using salt-ssh, then as of version 2014.7.0 yum-utils will be installed automatically to satisfy this dependency. Post-installation tasks Master To have the Master start automatically at boot time: RHEL/CentOS 5 and 6 chkconfig salt-master on RHEL/CentOS 7 systemctl enable salt-master.service To start the Master: RHEL/CentOS 5 and 6 service salt-master start RHEL/CentOS 7 systemctl start salt-master.service Minion To have the Minion start automatically at boot time: RHEL/CentOS 5 and 6 chkconfig salt-minion on RHEL/CentOS 7 systemctl enable salt-minion.service To start the Minion: RHEL/CentOS 5 and 6 service salt-minion start RHEL/CentOS 7 systemctl start salt-minion.service Now go to the Configuring Salt page. Solaris Salt was added to the OpenCSW package repository in September of 2012 by Romeo Theriault <romeot@hawaii.edu> at version 0.10.2 of Salt. It has mainly been tested on Solaris 10 (sparc), though it is built for and has been tested minimally on Solaris 10 (x86), Solaris 9 (sparc/x86) and 11 (sparc/x86). (Please let me know if you're using it on these platforms!) Most of the testing has also just focused on the minion, though it has verified that the master starts up successfully on Solaris 10. Comments and patches for better support on these platforms is very welcome. As of version 0.10.4, Solaris is well supported under salt, with all of the following working well: 1. remote execution 2. grain detection 3. service control with SMF 4. 'pkg' states with 'pkgadd' and 'pkgutil' modules 5. cron modules/states 6. user and group modules/states 7. shadow password management modules/states Salt is dependent on the following additional packages. These will automatically be installed as dependencies of the py_salt package: • py_yaml • py_pyzmq • py_jinja2 • py_msgpack_python • py_m2crypto • py_crypto • python Installation To install Salt from the OpenCSW package repository you first need to install pkgutil assuming you don't already have it installed: On Solaris 10: pkgadd -d http://get.opencsw.org/now On Solaris 9: wget http://mirror.opencsw.org/opencsw/pkgutil.pkg pkgadd -d pkgutil.pkg all Once pkgutil is installed you'll need to edit it's config file /etc/opt/csw/pkgutil.conf to point it at the unstable catalog: - #mirror=http://mirror.opencsw.org/opencsw/testing + mirror=http://mirror.opencsw.org/opencsw/unstable OK, time to install salt. # Update the catalog root> /opt/csw/bin/pkgutil -U # Install salt root> /opt/csw/bin/pkgutil -i -y py_salt Minion Configuration Now that salt is installed you can find it's configuration files in /etc/opt/csw/salt/. You'll want to edit the minion config file to set the name of your salt master server: - #master: salt + master: your-salt-server If you would like to use pkgutil as the default package provider for your Solaris minions, you can do so using the providers option in the minion config file. You can now start the salt minion like so: On Solaris 10: svcadm enable salt-minion On Solaris 9: /etc/init.d/salt-minion start You should now be able to log onto the salt master and check to see if the salt-minion key is awaiting acceptance: salt-key -l un Accept the key: salt-key -a <your-salt-minion> Run a simple test against the minion: salt '<your-salt-minion>' test.ping Troubleshooting Logs are in /var/log/salt Ubuntu Installation from the SaltStack Repository 2015.5 and later packages for Ubuntu 14 (Trusty) and Ubuntu 12 (Precise) are available in the SaltStack repository. NOTE: While Salt packages are built for all Ubuntu supported CPU architectures (i386 and amd64), some of the dependencies avaivable from SaltStack corporate repository are only suitable for amd64 systems. IMPORTANT: The repository folder structure changed in the 2015.8.3 release, though the previous repository structure that was documented in 2015.8.1 can continue to be used. To install using the SaltStack repository: 1. Run the following command to import the SaltStack repository key: Ubuntu 14: wget -O - https://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add - Ubuntu 12: wget -O - https://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add - 2. Add the following line to /etc/apt/sources.list: Ubuntu 14: deb http://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest trusty main Ubuntu 12: deb http://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest precise main 3. Run sudo apt-get update. 4. Now go to the packages installation section. Installation from the Community Repository Packages for Ubuntu are also published in the saltstack PPA. If you have the add-apt-repository utility, you can add the repository and import the key in one step: sudo add-apt-repository ppa:saltstack/salt In addition to the main repository, there are secondary repositories for each individual major release. These repositories receive security and point releases but will not upgrade to any subsequent major release. There are currently several available repos: salt16, salt17, salt2014-1, salt2014-7, salt2015-5. For example to follow 2015.5.x releases: sudo add-apt-repository ppa:saltstack/salt2015-5 add-apt-repository: command not found? The add-apt-repository command is not always present on Ubuntu systems. This can be fixed by installing python-software-properties: sudo apt-get install python-software-properties The following may be required as well: sudo apt-get install software-properties-common Note that since Ubuntu 12.10 (Raring Ringtail), add-apt-repository is found in the software-properties-common package, and is part of the base install. Thus, add-apt-repository should be able to be used out-of-the-box to add the PPA. Alternately, manually add the repository and import the PPA key with these commands: echo deb http://ppa.launchpad.net/saltstack/salt/ubuntu `lsb_release -sc` main | sudo tee /etc/apt/sources.list.d/saltstack.list wget -q -O- "http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0x4759FA960E27C0A6" | sudo apt-key add - After adding the repository, update the package management database: sudo apt-get update Install Packages Install the Salt master, minion or other packages from the repository with the apt-get command. These examples each install one of Salt components, but more than one package name may be given at a time: • apt-get install salt-api • apt-get install salt-cloud • apt-get install salt-master • apt-get install salt-minion • apt-get install salt-ssh • apt-get install salt-syndic Post-installation tasks Now go to the Configuring Salt page. Windows Salt has full support for running the Salt Minion on Windows. There are no plans for the foreseeable future to develop a Salt Master on Windows. For now you must run your Salt Master on a supported operating system to control your Salt Minions on Windows. Many of the standard Salt modules have been ported to work on Windows and many of the Salt States currently work on Windows, as well. Windows Installer Salt Minion Windows installers can be found here. The output of md5sum <salt minion exe> should match the contents of the corresponding md5 file. Latest stable build from the selected branch: Earlier builds from supported branches Archived builds from unsupported branches NOTE: The installation executable installs dependencies that the Salt minion requires. The 64bit installer has been tested on Windows 7 64bit and Windows Server 2008R2 64bit. The 32bit installer has been tested on Windows 2003 Server 32bit. Please file a bug report on our GitHub repo if issues for other platforms are found. The installer asks for 2 bits of information; the master hostname and the minion name. The installer will update the minion config with these options and then start the minion. The salt-minion service will appear in the Windows Service Manager and can be started and stopped there or with the command line program sc like any other Windows service. If the minion won't start, try installing the Microsoft Visual C++ 2008 x64 SP1 redistributable. Allow all Windows updates to run salt-minion smoothly. Silent Installer Options The installer can be run silently by providing the /S option at the command line. The installer also accepts the following options for configuring the Salt Minion silently: • /master= A string value to set the IP address or host name of the master. Default value is 'salt' • /minion-name= A string value to set the minion name. Default is 'hostname' • /start-service= Either a 1 or 0. '1' will start the service, '0' will not. Default is to start the service after installation. Here's an example of using the silent installer: Salt-Minion-2015.5.6-Setup-amd64.exe /S /master=yoursaltmaster /minion-name=yourminionname /start-service=0 Running the Salt Minion on Windows as an Unprivileged User Notes: - These instructions were tested with Windows Server 2008 R2 - They are generalizable to any version of Windows that supports a salt-minion A. Create the Unprivileged User that the Salt Minion will Run As 1. Click Start > Control Panel > User Accounts. 2. Click Add or remove user accounts. 3. Click Create new account. 4. Enter salt-user (or a name of your preference) in the New account name field. 5. Select the Standard user radio button. 6. Click the Create Account button. 7. Click on the newly created user account. 8. Click the Create a password link. 9. In the New password and Confirm new password fields, provide a password (e.g "SuperSecretMinionPassword4Me!"). 10. In the Type a password hint field, provide appropriate text (e.g. "My Salt Password"). 11. Click the Create password button. 12. Close the Change an Account window. B. Add the New User to the Access Control List for the Salt Folder 1. In a File Explorer window, browse to the path where Salt is installed (the default path is C:\Salt). 2. Right-click on the Salt folder and select Properties. 3. Click on the Security tab. 4. Click the Edit button. 5. Click the Add button. 6. Type the name of your designated Salt user and click the OK button. 7. Check the box to Allow the Modify permission. 8. Click the OK button. 9. Click the OK button to close the Salt Properties window. C. Update the Windows Service User for the salt-minion Service 1. Click Start > Administrative Tools > Services. 2. In the Services list, right-click on salt-minion and select Properties. 3. Click the Log On tab. 4. Click the This account radio button. 5. Provide the account credentials created in section A. 6. Click the OK button. 7. Click the OK button to the prompt confirming that the user has been granted the Log On As A Service right. 8. Click the OK button to the prompt confirming that The new logon name will not take effect until you stop and restart the service. 9. Right-Click on salt-minion and select Stop. 10. Right-Click on salt-minion and select Start. Setting up a Windows build environment This document will explain how to set up a development environment for salt on Windows. The development environment allows you to work with the source code to customize or fix bugs. It will also allow you to build your own installation. The Easy Way Prerequisite Software To do this the easy way you only need to install Git for Windows. Create the Build Environment 1. Clone the Salt-Windows-Dev repo from github. Open a command line and type: git clone https://github.com/saltstack/salt-windows-dev 2. Build the Python Environment Go into the salt-windows-dev directory. Right-click the file named dev_env.ps1 and select Run with PowerShell If you get an error, you may need to change the execution policy. Open a powershell window and type the following: Set-ExecutionPolicy RemoteSigned This will download and install Python with all the dependencies needed to develop and build salt. 3. Build the Salt Environment Right-click on the file named dev_env_salt.ps1 and select Run with Powershell This will clone salt into C:\Salt-Dev\salt and set it to the 2015.5 branch. You could optionally run the command from a powershell window with a -Version switch to pull a different version. For example: dev_env_salt.ps1 -Version '2014.7' To view a list of available branches and tags, open a command prompt in your C:Salt-Devsalt directory and type: git branch -a git tag -n The Hard Way Prerequisite Software Install the following software: 1. Git for Windows 2. Nullsoft Installer Download the Prerequisite zip file for your CPU architecture from the SaltStack download site: • Salt32.zip • Salt64.zip These files contain all software required to build and develop salt. Unzip the contents of the file to C:\Salt-Dev\temp. Create the Build Environment 1. Build the Python Environment • Install Python: Browse to the C:\Salt-Dev\temp directory and find the Python installation file for your CPU Architecture under the corresponding subfolder. Double-click the file to install python. Make sure the following are in your PATH environment variable: C:\Python27 C:\Python27\Scripts • Install Pip Open a command prompt and navigate to C:\Salt-Dev\temp Run the following command: python get-pip.py • Easy Install compiled binaries. M2Crypto, PyCrypto, and PyWin32 need to be installed using Easy Install. Open a command prompt and navigate to C:\Salt-Dev\temp\<cpuarch>. Run the following commands: easy_install -Z <M2Crypto file name> easy_install -Z <PyCrypto file name> easy_install -Z <PyWin32 file name> NOTE: You can type the first part of the file name and then press the tab key to auto-complete the name of the file. • Pip Install Additional Prerequisites All remaining prerequisites need to be pip installed. These prerequisites are as follow: • MarkupSafe • Jinja • MsgPack • PSUtil • PyYAML • PyZMQ • WMI • Requests • Certifi Open a command prompt and navigate to C:\Salt-Dev\temp. Run the following commands: pip install <cpuarch>\<MarkupSafe file name> pip install <Jinja file name> pip install <cpuarch>\<MsgPack file name> pip install <cpuarch>\<psutil file name> pip install <cpuarch>\<PyYAML file name> pip install <cpuarch>\<pyzmq file name> pip install <WMI file name> pip install <requests file name> pip install <certifi file name> 2. Build the Salt Environment • Clone Salt Open a command prompt and navigate to C:\Salt-Dev. Run the following command to clone salt: git clone https://github.com/saltstack/salt • Checkout Branch Checkout the branch or tag of salt you want to work on or build. Open a command prompt and navigate to C:\Salt-Dev\salt. Get a list of available tags and branches by running the following commands: git fetch --all To view a list of available branches: git branch -a To view a list of availabel tags: git tag -n Checkout the branch or tag by typing the following command: git checkout <branch/tag name> • Clean the Environment When switching between branches residual files can be left behind that will interfere with the functionality of salt. Therefore, after you check out the branch you want to work on, type the following commands to clean the salt environment: Developing with Salt There are two ways to develop with salt. You can run salt's setup.py each time you make a change to source code or you can use the setup tools develop mode. Configure the Minion Both methods require that the minion configuration be in the C:\salt directory. Copy the conf and var directories from C:\Salt-Dev\salt\pkg\ windows\buildenv to C:\salt. Now go into the C:\salt\conf directory and edit the file name minion (no extension). You need to configure the master and id parameters in this file. Edit the following lines: master: <ip or name of your master> id: <name of your minion> Setup.py Method Go into the C:\Salt-Dev\salt directory from a cmd prompt and type: python setup.py install --force This will install python into your python installation at C:\Python27. Everytime you make an edit to your source code, you'll have to stop the minion, run the setup, and start the minion. To start the salt-minion go into C:\Python27\Scripts from a cmd prompt and type: salt-minion For debug mode type: salt-minion -l debug To stop the minion press Ctrl+C. Setup Tools Develop Mode (Preferred Method) To use the Setup Tools Develop Mode go into C:\Salt-Dev\salt from a cmd prompt and type: pip install -e . This will install pointers to your source code that resides at C:\Salt-Dev\salt. When you edit your source code you only have to restart the minion. Build the windows installer This is the method of building the installer as of version 2014.7.4. Clean the Environment Make sure you don't have any leftover salt files from previous versions of salt in your Python directory. 1. Remove all files that start with salt in the C:\Python27\Scripts directory 2. Remove all files and directorys that start with salt in the C:\Python27\Lib\site-packages directory Install Salt Install salt using salt's setup.py. From the C:\Salt-Dev\salt directory type the following command: python setup.py install --force Build the Installer From cmd prompt go into the C:\Salt-Dev\salt\pkg\windows directory. Type the following command for the branch or tag of salt you're building: BuildSalt.bat <branch or tag> This will copy python with salt installed to the buildenv\bin directory, make it portable, and then create the windows installer . The .exe for the windows installer will be placed in the installer directory. Testing the Salt minion 1. Create the directory C:\salt (if it doesn't exist already) 2. Copy the example conf and var directories from pkg/windows/buildenv/ into C:\salt 3. Edit C:\salt\conf\minion master: ipaddress or hostname of your salt-master 4. Start the salt-minion cd C:\Python27\Scripts python salt-minion 5. On the salt-master accept the new minion's key sudo salt-key -A This accepts all unaccepted keys. If you're concerned about security just accept the key for this specific minion. 6. Test that your minion is responding On the salt-master run: sudo salt '*' test.ping You should get the following response: {'your minion hostname': True} Single command bootstrap script On a 64 bit Windows host the following script makes an unattended install of salt, including all dependencies: Not up to date. This script is not up to date. Please use the installer found above # (All in one line.) "PowerShell (New-Object System.Net.WebClient).DownloadFile('http://csa-net.dk/salt/bootstrap64.bat','C:\bootstrap.bat');(New-Object -com Shell.Application).ShellExecute('C:\bootstrap.bat');" You can execute the above command remotely from a Linux host using winexe: winexe -U "administrator" //fqdn "PowerShell (New-Object ......);" For more info check http://csa-net.dk/salt Packages management under Windows 2003 On windows Server 2003, you need to install optional component "wmi windows installer provider" to have full list of installed packages. If you don't have this, salt-minion can't report some installed software. SUSE With openSUSE 13.2, Salt 2014.1.11 is available in the primary repositories. The devel:language:python repo will have more up to date versions of salt, all package development will be done there. Installation Salt can be installed using zypper and is available in the standard openSUSE repositories. Stable Release Salt is packaged separately for the minion and the master. It is necessary only to install the appropriate package for the role the machine will play. Typically, there will be one master and multiple minions. zypper install salt-master zypper install salt-minion Post-installation tasks openSUSE Master To have the Master start automatically at boot time: systemctl enable salt-master.service To start the Master: systemctl start salt-master.service Minion To have the Minion start automatically at boot time: systemctl enable salt-minion.service To start the Minion: systemctl start salt-minion.service Post-installation tasks SLES Master To have the Master start automatically at boot time: chkconfig salt-master on To start the Master: rcsalt-master start Minion To have the Minion start automatically at boot time: chkconfig salt-minion on To start the Minion: rcsalt-minion start Unstable Release openSUSE For openSUSE Factory run the following as root: zypper addrepo http://download.opensuse.org/repositories/devel:languages:python/openSUSE_Factory/devel:languages:python.repo zypper refresh zypper install salt salt-minion salt-master For openSUSE 13.2 run the following as root: zypper addrepo http://download.opensuse.org/repositories/devel:languages:python/openSUSE_13.2/devel:languages:python.repo zypper refresh zypper install salt salt-minion salt-master For openSUSE 13.1 run the following as root: zypper addrepo http://download.opensuse.org/repositories/devel:languages:python/openSUSE_13.1/devel:languages:python.repo zypper refresh zypper install salt salt-minion salt-master For bleeding edge python Factory run the following as root: zypper addrepo http://download.opensuse.org/repositories/devel:languages:python/bleeding_edge_python_Factory/devel:languages:python.repo zypper refresh zypper install salt salt-minion salt-master Suse Linux Enterprise For SLE 12 run the following as root: zypper addrepo http://download.opensuse.org/repositories/devel:languages:python/SLE_12/devel:languages:python.repo zypper refresh zypper install salt salt-minion salt-master For SLE 11 SP3 run the following as root: zypper addrepo http://download.opensuse.org/repositories/devel:languages:python/SLE_11_SP3/devel:languages:python.repo zypper refresh zypper install salt salt-minion salt-master For SLE 11 SP2 run the following as root: zypper addrepo http://download.opensuse.org/repositories/devel:languages:python/SLE_11_SP2/devel:languages:python.repo zypper refresh zypper install salt salt-minion salt-master Now go to the Configuring Salt page. Dependencies Salt should run on any Unix-like platform so long as the dependencies are met. • Python 2.6 >= 2.6 <3.0 • msgpack-python - High-performance message interchange format • YAML - Python YAML bindings • Jinja2 - parsing Salt States (configurable in the master settings) • MarkupSafe - Implements a XML/HTML/XHTML Markup safe string for Python • apache-libcloud - Python lib for interacting with many of the popular cloud service providers using a unified API • Requests - HTTP library Depending on the chosen Salt transport, ZeroMQ or RAET, dependencies vary: • ZeroMQ: • ZeroMQ >= 3.2.0 • pyzmq >= 2.2.0 - ZeroMQ Python bindings • PyCrypto - The Python cryptography toolkit • RAET: • libnacl - Python bindings to libsodium • ioflo - The flo programming interface raet and salt-raet is built on • RAET - The worlds most awesome UDP protocol Salt defaults to the ZeroMQ transport, and the choice can be made at install time, for example: python setup.py --salt-transport=raet install This way, only the required dependencies are pulled by the setup script if need be. If installing using pip, the --salt-transport install option can be provided like: pip install --install-option="--salt-transport=raet" salt NOTE: Salt does not bundle dependencies that are typically distributed as part of the base OS. If you have unmet dependencies and are using a custom or minimal installation, you might need to install some additional packages from your OS vendor. Optional Dependencies • mako - an optional parser for Salt States (configurable in the master settings) • gcc - dynamic Cython module compiling Upgrading Salt When upgrading Salt, the master(s) should always be upgraded first. Backward compatibility for minions running newer versions of salt than their masters is not guaranteed. Whenever possible, backward compatibility between new masters and old minions will be preserved. Generally, the only exception to this policy is in case of a security vulnerability.
TUTORIALS
Introduction Salt Masterless Quickstart Running a masterless salt-minion lets you use Salt's configuration management for a single machine without calling out to a Salt master on another machine. Since the Salt minion contains such extensive functionality it can be useful to run it standalone. A standalone minion can be used to do a number of things: • Stand up a master server via States (Salting a Salt Master) • Use salt-call commands on a system without connectivity to a master • Masterless States, run states entirely from files local to the minion It is also useful for testing out state trees before deploying to a production setup. Bootstrap Salt Minion The salt-bootstrap script makes bootstrapping a server with Salt simple for any OS with a Bourne shell: curl -L https://bootstrap.saltstack.com -o install_salt.sh sudo sh install_salt.sh See the salt-bootstrap documentation for other one liners. When using Vagrant to test out salt, the Vagrant salt provisioner will provision the VM for you. Telling Salt to Run Masterless To instruct the minion to not look for a master, the file_client configuration option needs to be set in the minion configuration file. By default the file_client is set to remote so that the minion gathers file server and pillar data from the salt master. When setting the file_client option to local the minion is configured to not gather this data from the master. file_client: local Now the salt minion will not look for a master and will assume that the local system has all of the file and pillar resources. NOTE: When running Salt in masterless mode, do not run the salt-minion daemon. Otherwise, it will attempt to connect to a master and fail. The salt-call command stands on its own and does not need the salt-minion daemon. Create State Tree Following the successful installation of a salt-minion, the next step is to create a state tree, which is where the SLS files that comprise the possible states of the minion are stored. The following example walks through the steps necessary to create a state tree that ensures that the server has the Apache webserver installed. NOTE: For a complete explanation on Salt States, see the tutorial. 1. Create the top.sls file: /srv/salt/top.sls: base: '*': - webserver 2. Create the webserver state tree: /srv/salt/webserver.sls: apache: # ID declaration pkg: # state declaration - installed # function declaration NOTE: The apache package has different names on different platforms, for instance on Debian/Ubuntu it is apache2, on Fedora/RHEL it is httpd and on Arch it is apache The only thing left is to provision our minion using salt-call and the highstate command. Salt-call The salt-call command is used to run module functions locally on a minion instead of executing them from the master. Normally the salt-call command checks into the master to retrieve file server and pillar data, but when running standalone salt-call needs to be instructed to not check the master for this data: salt-call --local state.highstate The --local flag tells the salt-minion to look for the state tree in the local file system and not to contact a Salt Master for instructions. To provide verbose output, use -l debug: salt-call --local state.highstate -l debug The minion first examines the top.sls file and determines that it is a part of the group matched by * glob and that the webserver SLS should be applied. It then examines the webserver.sls file and finds the apache state, which installs the Apache package. The minion should now have Apache installed, and the next step is to begin learning how to write more complex states. Basics Standalone Minion Since the Salt minion contains such extensive functionality it can be useful to run it standalone. A standalone minion can be used to do a number of things: • Use salt-call commands on a system without connectivity to a master • Masterless States, run states entirely from files local to the minion NOTE: When running Salt in masterless mode, do not run the salt-minion daemon. Otherwise, it will attempt to connect to a master and fail. The salt-call command stands on its own and does not need the salt-minion daemon. Telling Salt Call to Run Masterless The salt-call command is used to run module functions locally on a minion instead of executing them from the master. Normally the salt-call command checks into the master to retrieve file server and pillar data, but when running standalone salt-call needs to be instructed to not check the master for this data. To instruct the minion to not look for a master when running salt-call the file_client configuration option needs to be set. By default the file_client is set to remote so that the minion knows that file server and pillar data are to be gathered from the master. When setting the file_client option to local the minion is configured to not gather this data from the master. file_client: local Now the salt-call command will not look for a master and will assume that the local system has all of the file and pillar resources. Running States Masterless The state system can be easily run without a Salt master, with all needed files local to the minion. To do this the minion configuration file needs to be set up to know how to return file_roots information like the master. The file_roots setting defaults to /srv/salt for the base environment just like on the master: file_roots: base: - /srv/salt Now set up the Salt State Tree, top file, and SLS modules in the same way that they would be set up on a master. Now, with the file_client option set to local and an available state tree then calls to functions in the state module will use the information in the file_roots on the minion instead of checking in with the master. Remember that when creating a state tree on a minion there are no syntax or path changes needed, SLS modules written to be used from a master do not need to be modified in any way to work with a minion. This makes it easy to "script" deployments with Salt states without having to set up a master, and allows for these SLS modules to be easily moved into a Salt master as the deployment grows. The declared state can now be executed with: salt-call state.highstate Or the salt-call command can be executed with the --local flag, this makes it unnecessary to change the configuration file: salt-call state.highstate --local External Pillars External pillars are supported when running in masterless mode. Opening the Firewall up for Salt The Salt master communicates with the minions using an AES-encrypted ZeroMQ connection. These communications are done over TCP ports 4505 and 4506, which need to be accessible on the master only. This document outlines suggested firewall rules for allowing these incoming connections to the master. NOTE: No firewall configuration needs to be done on Salt minions. These changes refer to the master only. Fedora 18 and beyond / RHEL 7 / CentOS 7 Starting with Fedora 18 FirewallD is the tool that is used to dynamically manage the firewall rules on a host. It has support for IPv4/6 settings and the separation of runtime and permanent configurations. To interact with FirewallD use the command line client firewall-cmd. firewall-cmd example: firewall-cmd --permanent --zone=<zone> --add-port=4505-4506/tcp Please choose the desired zone according to your setup. Don't forget to reload after you made your changes. firewall-cmd --reload RHEL 6 / CentOS 6 The lokkit command packaged with some Linux distributions makes opening iptables firewall ports very simple via the command line. Just be careful to not lock out access to the server by neglecting to open the ssh port. lokkit example: lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp The system-config-firewall-tui command provides a text-based interface to modifying the firewall. system-config-firewall-tui: system-config-firewall-tui openSUSE Salt installs firewall rules in /etc/sysconfig/SuSEfirewall2.d/services/salt. Enable with: SuSEfirewall2 open SuSEfirewall2 start If you have an older package of Salt where the above configuration file is not included, the SuSEfirewall2 command makes opening iptables firewall ports very simple via the command line. SuSEfirewall example: SuSEfirewall2 open EXT TCP 4505 SuSEfirewall2 open EXT TCP 4506 The firewall module in YaST2 provides a text-based interface to modifying the firewall. YaST2: yast2 firewall iptables Different Linux distributions store their iptables (also known as netfilter) rules in different places, which makes it difficult to standardize firewall documentation. Included are some of the more common locations, but your mileage may vary. Fedora / RHEL / CentOS: /etc/sysconfig/iptables Arch Linux: /etc/iptables/iptables.rules Debian Follow these instructions: https://wiki.debian.org/iptables Once you've found your firewall rules, you'll need to add the two lines below to allow traffic on tcp/4505 and tcp/4506: -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT Ubuntu Salt installs firewall rules in /etc/ufw/applications.d/salt.ufw. Enable with: ufw allow salt pf.conf The BSD-family of operating systems uses packet filter (pf). The following example describes the additions to pf.conf needed to access the Salt master. pass in on $int_if proto tcp from any to $int_if port 4505 pass in on $int_if proto tcp from any to $int_if port 4506 Once these additions have been made to the pf.conf the rules will need to be reloaded. This can be done using the pfctl command. pfctl -vf /etc/pf.conf Whitelist communication to Master There are situations where you want to selectively allow Minion traffic from specific hosts or networks into your Salt Master. The first scenario which comes to mind is to prevent unwanted traffic to your Master out of security concerns, but another scenario is to handle Minion upgrades when there are backwards incompatible changes between the installed Salt versions in your environment. Here is an example Linux iptables ruleset to be set on the Master: # Allow Minions from these networks -I INPUT -s 10.1.2.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT -I INPUT -s 10.1.3.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT # Allow Salt to communicate with Master on the loopback interface -A INPUT -i lo -p tcp -m multiport --dports 4505,4506 -j ACCEPT # Reject everything else -A INPUT -p tcp -m multiport --dports 4505,4506 -j REJECT NOTE: The important thing to note here is that the salt command needs to communicate with the listening network socket of salt-master on the loopback interface. Without this you will see no outgoing Salt traffic from the master, even for a simple salt '*' test.ping, because the salt client never reached the salt-master to tell it to carry out the execution. Using cron with Salt The Salt Minion can initiate its own highstate using the salt-call command. $ salt-call state.highstate This will cause the minion to check in with the master and ensure it is in the correct 'state'. Use cron to initiate a highstate If you would like the Salt Minion to regularly check in with the master you can use the venerable cron to run the salt-call command. # PATH=/bin:/sbin:/usr/bin:/usr/sbin 00 00 * * * salt-call state.highstate The above cron entry will run a highstate every day at midnight. NOTE: Be aware that you may need to ensure the PATH for cron includes any scripts or commands that need to be executed. Remote execution tutorial Before continuing make sure you have a working Salt installation by following the installation and the configuration instructions. Stuck? There are many ways to get help from the Salt community including our mailing list and our IRC channel #salt. Order your minions around Now that you have a master and at least one minion communicating with each other you can perform commands on the minion via the salt command. Salt calls are comprised of three main components: salt '<target>' <function> [arguments] SEE ALSO: salt manpage target The target component allows you to filter which minions should run the following function. The default filter is a glob on the minion id. For example: salt '*' test.ping salt '*.example.org' test.ping Targets can be based on minion system information using the Grains system: salt -G 'os:Ubuntu' test.ping SEE ALSO: Grains system Targets can be filtered by regular expression: salt -E 'virtmach[0-9]' test.ping Targets can be explicitly specified in a list: salt -L 'foo,bar,baz,quo' test.ping Or Multiple target types can be combined in one command: salt -C 'G@os:Ubuntu and webser* or E@database.*' test.ping function A function is some functionality provided by a module. Salt ships with a large collection of available functions. List all available functions on your minions: salt '*' sys.doc Here are some examples: Show all currently available minions: salt '*' test.ping Run an arbitrary shell command: salt '*' cmd.run 'uname -a' SEE ALSO: the full list of modules arguments Space-delimited arguments to the function: salt '*' cmd.exec_code python 'import sys; print sys.version' Optional, keyword arguments are also supported: salt '*' pip.install salt timeout=5 upgrade=True They are always in the form of kwarg=argument. Pillar Walkthrough NOTE: This walkthrough assumes that the reader has already completed the initial Salt walkthrough. Pillars are tree-like structures of data defined on the Salt Master and passed through to minions. They allow confidential, targeted data to be securely sent only to the relevant minion. NOTE: Grains and Pillar are sometimes confused, just remember that Grains are data about a minion which is stored or generated from the minion. This is why information like the OS and CPU type are found in Grains. Pillar is information about a minion or many minions stored or generated on the Salt Master. Pillar data is useful for: Highly Sensitive Data: Information transferred via pillar is guaranteed to only be presented to the minions that are targeted, making Pillar suitable for managing security information, such as cryptographic keys and passwords. Minion Configuration: Minion modules such as the execution modules, states, and returners can often be configured via data stored in pillar. Variables: Variables which need to be assigned to specific minions or groups of minions can be defined in pillar and then accessed inside sls formulas and template files. Arbitrary Data: Pillar can contain any basic data structure in dictionary format, so a key/value store can be defined making it easy to iterate over a group of values in sls formulas. Pillar is therefore one of the most important systems when using Salt. This walkthrough is designed to get a simple Pillar up and running in a few minutes and then to dive into the capabilities of Pillar and where the data is available. Setting Up Pillar The pillar is already running in Salt by default. To see the minion's pillar data: salt '*' pillar.items NOTE: Prior to version 0.16.2, this function is named pillar.data. This function name is still supported for backwards compatibility. By default the contents of the master configuration file are loaded into pillar for all minions. This enables the master configuration file to be used for global configuration of minions. Similar to the state tree, the pillar is comprised of sls files and has a top file. The default location for the pillar is in /srv/pillar. NOTE: The pillar location can be configured via the pillar_roots option inside the master configuration file. It must not be in a subdirectory of the state tree or file_roots. If the pillar is under file_roots, any pillar targeting can be bypassed by minions. To start setting up the pillar, the /srv/pillar directory needs to be present: mkdir /srv/pillar Now create a simple top file, following the same format as the top file used for states: /srv/pillar/top.sls: base: '*': - data This top file associates the data.sls file to all minions. Now the /srv/pillar/data.sls file needs to be populated: /srv/pillar/data.sls: info: some data To ensure that the minions have the new pillar data, issue a command to them asking that they fetch their pillars from the master: salt '*' saltutil.refresh_pillar Now that the minions have the new pillar, it can be retrieved: salt '*' pillar.items The key info should now appear in the returned pillar data. More Complex Data Unlike states, pillar files do not need to define formulas. This example sets up user data with a UID: /srv/pillar/users/init.sls: users: thatch: 1000 shouse: 1001 utahdave: 1002 redbeard: 1003 NOTE: The same directory lookups that exist in states exist in pillar, so the file users/init.sls can be referenced with users in the top file. The top file will need to be updated to include this sls file: /srv/pillar/top.sls: base: '*': - data - users Now the data will be available to the minions. To use the pillar data in a state, you can use Jinja: /srv/salt/users/init.sls {% for user, uid in pillar.get('users', {}).items() %} {{user}}: user.present: - uid: {{uid}} {% endfor %} This approach allows for users to be safely defined in a pillar and then the user data is applied in an sls file. Parameterizing States With Pillar Pillar data can be accessed in state files to customise behavior for each minion. All pillar (and grain) data applicable to each minion is substituted into the state files through templating before being run. Typical uses include setting directories appropriate for the minion and skipping states that don't apply. A simple example is to set up a mapping of package names in pillar for separate Linux distributions: /srv/pillar/pkg/init.sls: pkgs: {% if grains['os_family'] == 'RedHat' %} apache: httpd vim: vim-enhanced {% elif grains['os_family'] == 'Debian' %} apache: apache2 vim: vim {% elif grains['os'] == 'Arch' %} apache: apache vim: vim {% endif %} The new pkg sls needs to be added to the top file: /srv/pillar/top.sls: base: '*': - data - users - pkg Now the minions will auto map values based on respective operating systems inside of the pillar, so sls files can be safely parameterized: /srv/salt/apache/init.sls: apache: pkg.installed: - name: {{ pillar['pkgs']['apache'] }} Or, if no pillar is available a default can be set as well: NOTE: The function pillar.get used in this example was added to Salt in version 0.14.0 /srv/salt/apache/init.sls: apache: pkg.installed: - name: {{ salt['pillar.get']('pkgs:apache', 'httpd') }} In the above example, if the pillar value pillar['pkgs']['apache'] is not set in the minion's pillar, then the default of httpd will be used. NOTE: Under the hood, pillar is just a Python dict, so Python dict methods such as get and items can be used. Pillar Makes Simple States Grow Easily One of the design goals of pillar is to make simple sls formulas easily grow into more flexible formulas without refactoring or complicating the states. A simple formula: /srv/salt/edit/vim.sls: vim: pkg.installed: [] /etc/vimrc: file.managed: - source: salt://edit/vimrc - mode: 644 - user: root - group: root - require: - pkg: vim Can be easily transformed into a powerful, parameterized formula: /srv/salt/edit/vim.sls: vim: pkg.installed: - name: {{ pillar['pkgs']['vim'] }} /etc/vimrc: file.managed: - source: {{ pillar['vimrc'] }} - mode: 644 - user: root - group: root - require: - pkg: vim Where the vimrc source location can now be changed via pillar: /srv/pillar/edit/vim.sls: {% if grains['id'].startswith('dev') %} vimrc: salt://edit/dev_vimrc {% elif grains['id'].startswith('qa') %} vimrc: salt://edit/qa_vimrc {% else %} vimrc: salt://edit/vimrc {% endif %} Ensuring that the right vimrc is sent out to the correct minions. Setting Pillar Data on the Command Line Pillar data can be set on the command line like so: salt '*' state.highstate pillar='{"foo": "bar"}' The state.sls command can also be used to set pillar values via the command line: salt '*' state.sls my_sls_file pillar='{"hello": "world"}' NOTE: If a key is passed on the command line that already exists on the minion, the key that is passed in will overwrite the entire value of that key, rather than merging only the specified value set via the command line. The example below will swap the value for vim with telnet in the previously specified list, notice the nested pillar dict: salt '*' state.sls edit.vim pillar='{"pkgs": {"vim": "telnet"}}' NOTE: This will attempt to install telnet on your minions, feel free to uninstall the package or replace telnet value with anything else. More On Pillar Pillar data is generated on the Salt master and securely distributed to minions. Salt is not restricted to the pillar sls files when defining the pillar but can retrieve data from external sources. This can be useful when information about an infrastructure is stored in a separate location. Reference information on pillar and the external pillar interface can be found in the Salt documentation: Pillar Minion Config in Pillar Minion configuration options can be set on pillars. Any option that you want to modify, should be in the first level of the pillars, in the same way you set the options in the config file. For example, to configure the MySQL root password to be used by MySQL Salt execution module: mysql.pass: hardtoguesspassword This is very convenient when you need some dynamic configuration change that you want to be applied on the fly. For example, there is a chicken and the egg problem if you do this: mysql-admin-passwd: mysql_user.present: - name: root - password: somepasswd mydb: mysql_db.present The second state will fail, because you changed the root password and the minion didn't notice it. Setting mysql.pass in the pillar, will help to sort out the issue. But always change the root admin password in the first place. This is very helpful for any module that needs credentials to apply state changes: mysql, keystone, etc. States How Do I Use Salt States? Simplicity, Simplicity, Simplicity Many of the most powerful and useful engineering solutions are founded on simple principles. Salt States strive to do just that: K.I.S.S. (Keep It Stupidly Simple) The core of the Salt State system is the SLS, or SaLt State file. The SLS is a representation of the state in which a system should be in, and is set up to contain this data in a simple format. This is often called configuration management. NOTE: This is just the beginning of using states, make sure to read up on pillar Pillar next. It is All Just Data Before delving into the particulars, it will help to understand that the SLS file is just a data structure under the hood. While understanding that the SLS is just a data structure isn't critical for understanding and making use of Salt States, it should help bolster knowledge of where the real power is. SLS files are therefore, in reality, just dictionaries, lists, strings, and numbers. By using this approach Salt can be much more flexible. As one writes more state files, it becomes clearer exactly what is being written. The result is a system that is easy to understand, yet grows with the needs of the admin or developer. The Top File The example SLS files in the below sections can be assigned to hosts using a file called top.sls. This file is described in-depth here. Default Data - YAML By default Salt represents the SLS data in what is one of the simplest serialization formats available - YAML. A typical SLS file will often look like this in YAML: NOTE: These demos use some generic service and package names, different distributions often use different names for packages and services. For instance apache should be replaced with httpd on a Red Hat system. Salt uses the name of the init script, systemd name, upstart name etc. based on what the underlying service management for the platform. To get a list of the available service names on a platform execute the service.get_all salt function. Information on how to make states work with multiple distributions is later in the tutorial. apache: pkg.installed: [] service.running: - require: - pkg: apache This SLS data will ensure that the package named apache is installed, and that the apache service is running. The components can be explained in a simple way. The first line is the ID for a set of data, and it is called the ID Declaration. This ID sets the name of the thing that needs to be manipulated. The second and third lines contain the state module function to be run, in the format <state_module>.<function>. The pkg.installed state module function ensures that a software package is installed via the system's native package manager. The service.running state module function ensures that a given system daemon is running. Finally, on line five, is the word require. This is called a Requisite Statement, and it makes sure that the Apache service is only started after a successful installation of the apache package. Adding Configs and Users When setting up a service like an Apache web server, many more components may need to be added. The Apache configuration file will most likely be managed, and a user and group may need to be set up. apache: pkg.installed: [] service.running: - watch: - pkg: apache - file: /etc/httpd/conf/httpd.conf - user: apache user.present: - uid: 87 - gid: 87 - home: /var/www/html - shell: /bin/nologin - require: - group: apache group.present: - gid: 87 - require: - pkg: apache /etc/httpd/conf/httpd.conf: file.managed: - source: salt://apache/httpd.conf - user: root - group: root - mode: 644 This SLS data greatly extends the first example, and includes a config file, a user, a group and new requisite statement: watch. Adding more states is easy, since the new user and group states are under the Apache ID, the user and group will be the Apache user and group. The require statements will make sure that the user will only be made after the group, and that the group will be made only after the Apache package is installed. Next, the require statement under service was changed to watch, and is now watching 3 states instead of just one. The watch statement does the same thing as require, making sure that the other states run before running the state with a watch, but it adds an extra component. The watch statement will run the state's watcher function for any changes to the watched states. So if the package was updated, the config file changed, or the user uid modified, then the service state's watcher will be run. The service state's watcher just restarts the service, so in this case, a change in the config file will also trigger a restart of the respective service. Moving Beyond a Single SLS When setting up Salt States in a scalable manner, more than one SLS will need to be used. The above examples were in a single SLS file, but two or more SLS files can be combined to build out a State Tree. The above example also references a file with a strange source - salt://apache/httpd.conf. That file will need to be available as well. The SLS files are laid out in a directory structure on the Salt master; an SLS is just a file and files to download are just files. The Apache example would be laid out in the root of the Salt file server like this: apache/init.sls apache/httpd.conf So the httpd.conf is just a file in the apache directory, and is referenced directly. Do not use dots in SLS file names or their directories The initial implementation of top.sls and include-declaration followed the python import model where a slash is represented as a period. This means that a SLS file with a period in the name ( besides the suffix period) can not be referenced. For example, webserver_1.0.sls is not referenceable because webserver_1.0 would refer to the directory/file webserver_1/0.sls The same applies for any subdirecortories, this is especially 'tricky' when git repos are created. Another command that typically can't render it's output is `state.show_sls` of a file in a path that contains a dot. But when using more than one single SLS file, more components can be added to the toolkit. Consider this SSH example: ssh/init.sls: openssh-client: pkg.installed /etc/ssh/ssh_config: file.managed: - user: root - group: root - mode: 644 - source: salt://ssh/ssh_config - require: - pkg: openssh-client ssh/server.sls: include: - ssh openssh-server: pkg.installed sshd: service.running: - require: - pkg: openssh-client - pkg: openssh-server - file: /etc/ssh/banner - file: /etc/ssh/sshd_config /etc/ssh/sshd_config: file.managed: - user: root - group: root - mode: 644 - source: salt://ssh/sshd_config - require: - pkg: openssh-server /etc/ssh/banner: file: - managed - user: root - group: root - mode: 644 - source: salt://ssh/banner - require: - pkg: openssh-server NOTE: Notice that we use two similar ways of denoting that a file is managed by Salt. In the /etc/ssh/sshd_config state section above, we use the file.managed state declaration whereas with the /etc/ssh/banner state section, we use the file state declaration and add a managed attribute to that state declaration. Both ways produce an identical result; the first way -- using file.managed -- is merely a shortcut. Now our State Tree looks like this: apache/init.sls apache/httpd.conf ssh/init.sls ssh/server.sls ssh/banner ssh/ssh_config ssh/sshd_config This example now introduces the include statement. The include statement includes another SLS file so that components found in it can be required, watched or as will soon be demonstrated - extended. The include statement allows for states to be cross linked. When an SLS has an include statement it is literally extended to include the contents of the included SLS files. Note that some of the SLS files are called init.sls, while others are not. More info on what this means can be found in the States Tutorial. Extending Included SLS Data Sometimes SLS data needs to be extended. Perhaps the apache service needs to watch additional resources, or under certain circumstances a different file needs to be placed. In these examples, the first will add a custom banner to ssh and the second will add more watchers to apache to include mod_python. ssh/custom-server.sls: include: - ssh.server extend: /etc/ssh/banner: file: - source: salt://ssh/custom-banner python/mod_python.sls: include: - apache extend: apache: service: - watch: - pkg: mod_python mod_python: pkg.installed The custom-server.sls file uses the extend statement to overwrite where the banner is being downloaded from, and therefore changing what file is being used to configure the banner. In the new mod_python SLS the mod_python package is added, but more importantly the apache service was extended to also watch the mod_python package. Using extend with require or watch The extend statement works differently for require or watch. It appends to, rather than replacing the requisite component. Understanding the Render System Since SLS data is simply that (data), it does not need to be represented with YAML. Salt defaults to YAML because it is very straightforward and easy to learn and use. But the SLS files can be rendered from almost any imaginable medium, so long as a renderer module is provided. The default rendering system is the yaml_jinja renderer. The yaml_jinja renderer will first pass the template through the Jinja2 templating system, and then through the YAML parser. The benefit here is that full programming constructs are available when creating SLS files. Other renderers available are yaml_mako and yaml_wempy which each use the Mako or Wempy templating system respectively rather than the jinja templating system, and more notably, the pure Python or py, pydsl & pyobjects renderers. The py renderer allows for SLS files to be written in pure Python, allowing for the utmost level of flexibility and power when preparing SLS data; while the pydsl renderer provides a flexible, domain-specific language for authoring SLS data in Python; and the pyobjects renderer gives you a "Pythonic" interface to building state data. NOTE: The templating engines described above aren't just available in SLS files. They can also be used in file.managed states, making file management much more dynamic and flexible. Some examples for using templates in managed files can be found in the documentation for the file states, as well as the MooseFS example below. Getting to Know the Default - yaml_jinja The default renderer - yaml_jinja, allows for use of the jinja templating system. A guide to the Jinja templating system can be found here: http://jinja.pocoo.org/docs When working with renderers a few very useful bits of data are passed in. In the case of templating engine based renderers, three critical components are available, salt, grains, and pillar. The salt object allows for any Salt function to be called from within the template, and grains allows for the Grains to be accessed from within the template. A few examples: apache/init.sls: apache: pkg.installed: {% if grains['os'] == 'RedHat'%} - name: httpd {% endif %} service.running: {% if grains['os'] == 'RedHat'%} - name: httpd {% endif %} - watch: - pkg: apache - file: /etc/httpd/conf/httpd.conf - user: apache user.present: - uid: 87 - gid: 87 - home: /var/www/html - shell: /bin/nologin - require: - group: apache group.present: - gid: 87 - require: - pkg: apache /etc/httpd/conf/httpd.conf: file.managed: - source: salt://apache/httpd.conf - user: root - group: root - mode: 644 This example is simple. If the os grain states that the operating system is Red Hat, then the name of the Apache package and service needs to be httpd. A more aggressive way to use Jinja can be found here, in a module to set up a MooseFS distributed filesystem chunkserver: moosefs/chunk.sls: include: - moosefs {% for mnt in salt['cmd.run']('ls /dev/data/moose*').split() %} /mnt/moose{{ mnt[-1] }}: mount.mounted: - device: {{ mnt }} - fstype: xfs - mkmnt: True file.directory: - user: mfs - group: mfs - require: - user: mfs - group: mfs {% endfor %} /etc/mfshdd.cfg: file.managed: - source: salt://moosefs/mfshdd.cfg - user: root - group: root - mode: 644 - template: jinja - require: - pkg: mfs-chunkserver /etc/mfschunkserver.cfg: file.managed: - source: salt://moosefs/mfschunkserver.cfg - user: root - group: root - mode: 644 - template: jinja - require: - pkg: mfs-chunkserver mfs-chunkserver: pkg.installed: [] mfschunkserver: service.running: - require: {% for mnt in salt['cmd.run']('ls /dev/data/moose*') %} - mount: /mnt/moose{{ mnt[-1] }} - file: /mnt/moose{{ mnt[-1] }} {% endfor %} - file: /etc/mfschunkserver.cfg - file: /etc/mfshdd.cfg - file: /var/lib/mfs This example shows much more of the available power of Jinja. Multiple for loops are used to dynamically detect available hard drives and set them up to be mounted, and the salt object is used multiple times to call shell commands to gather data. Introducing the Python, PyDSL, and the Pyobjects Renderers Sometimes the chosen default renderer might not have enough logical power to accomplish the needed task. When this happens, the Python renderer can be used. Normally a YAML renderer should be used for the majority of SLS files, but an SLS file set to use another renderer can be easily added to the tree. This example shows a very basic Python SLS file: python/django.sls: #!py def run(): ''' Install the django package ''' return {'include': ['python'], 'django': {'pkg': ['installed']}} This is a very simple example; the first line has an SLS shebang that tells Salt to not use the default renderer, but to use the py renderer. Then the run function is defined, the return value from the run function must be a Salt friendly data structure, or better known as a Salt HighState data structure. Alternatively, using the pydsl renderer, the above example can be written more succinctly as: #!pydsl include('python', delayed=True) state('django').pkg.installed() The pyobjects renderer provides an "Pythonic" object based approach for building the state data. The above example could be written as: #!pyobjects include('python') Pkg.installed("django") These Python examples would look like this if they were written in YAML: include: - python django: pkg.installed This example clearly illustrates that; one, using the YAML renderer by default is a wise decision and two, unbridled power can be obtained where needed by using a pure Python SLS. Running and debugging salt states. Once the rules in an SLS are ready, they should be tested to ensure they work properly. To invoke these rules, simply execute salt '*' state.highstate on the command line. If you get back only hostnames with a : after, but no return, chances are there is a problem with one or more of the sls files. On the minion, use the salt-call command: salt-call state.highstate -l debug to examine the output for errors. This should help troubleshoot the issue. The minions can also be started in the foreground in debug mode: salt-minion -l debug. Next Reading With an understanding of states, the next recommendation is to become familiar with Salt's pillar interface: Pillar Walkthrough States tutorial, part 1 - Basic Usage The purpose of this tutorial is to demonstrate how quickly you can configure a system to be managed by Salt States. For detailed information about the state system please refer to the full states reference. This tutorial will walk you through using Salt to configure a minion to run the Apache HTTP server and to ensure the server is running. Before continuing make sure you have a working Salt installation by following the installation and the configuration instructions. Stuck? There are many ways to get help from the Salt community including our mailing list and our IRC channel #salt. Setting up the Salt State Tree States are stored in text files on the master and transferred to the minions on demand via the master's File Server. The collection of state files make up the State Tree. To start using a central state system in Salt, the Salt File Server must first be set up. Edit the master config file (file_roots) and uncomment the following lines: file_roots: base: - /srv/salt NOTE: If you are deploying on FreeBSD via ports, the file_roots path defaults to /usr/local/etc/salt/states. Restart the Salt master in order to pick up this change: pkill salt-master salt-master -d Preparing the Top File On the master, in the directory uncommented in the previous step, (/srv/salt by default), create a new file called top.sls and add the following: base: '*': - webserver The top file is separated into environments (discussed later). The default environment is base. Under the base environment a collection of minion matches is defined; for now simply specify all hosts (*). Targeting minions The expressions can use any of the targeting mechanisms used by Salt — minions can be matched by glob, PCRE regular expression, or by grains. For example: base: 'os:Fedora': - match: grain - webserver Create an sls file In the same directory as the top file, create a file named webserver.sls, containing the following: apache: # ID declaration pkg: # state declaration - installed # function declaration The first line, called the id-declaration, is an arbitrary identifier. In this case it defines the name of the package to be installed. NOTE: The package name for the Apache httpd web server may differ depending on OS or distro — for example, on Fedora it is httpd but on Debian/Ubuntu it is apache2. The second line, called the state-declaration, defines which of the Salt States we are using. In this example, we are using the pkg state to ensure that a given package is installed. The third line, called the function-declaration, defines which function in the pkg state module to call. Renderers States sls files can be written in many formats. Salt requires only a simple data structure and is not concerned with how that data structure is built. Templating languages and DSLs are a dime-a-dozen and everyone has a favorite. Building the expected data structure is the job of Salt renderers and they are dead-simple to write. In this tutorial we will be using YAML in Jinja2 templates, which is the default format. The default can be changed by editing renderer in the master configuration file. Install the package Next, let's run the state we created. Open a terminal on the master and run: % salt '*' state.highstate Our master is instructing all targeted minions to run state.highstate. When a minion executes a highstate call it will download the top file and attempt to match the expressions. When it does match an expression the modules listed for it will be downloaded, compiled, and executed. Once completed, the minion will report back with a summary of all actions taken and all changes made. WARNING: If you have created custom grain modules, they will not be available in the top file until after the first highstate. To make custom grains available on a minion's first highstate, it is recommended to use this example to ensure that the custom grains are synced when the minion starts. SLS File Namespace Note that in the example above, the SLS file webserver.sls was referred to simply as webserver. The namespace for SLS files when referenced in top.sls or an include-declaration follows a few simple rules: 1. The .sls is discarded (i.e. webserver.sls becomes webserver). 2. Subdirectories can be used for better organization. a. Each subdirectory can be represented with a dot (following the python import model) or a slash. webserver/dev.sls can also be referred to as webserver.dev b. Because slashes can be represented as dots, SLS files can not contain dots in the name besides the dot for the SLS suffix. The SLS file webserver_1.0.sls can not be matched, and webserver_1.0 would match the directory/file webserver_1/0.sls 3. A file called init.sls in a subdirectory is referred to by the path of the directory. So, webserver/init.sls is referred to as webserver. 4. If both webserver.sls and webserver/init.sls happen to exist, webserver/init.sls will be ignored and webserver.sls will be the file referred to as webserver. Troubleshooting Salt If the expected output isn't seen, the following tips can help to narrow down the problem. Turn up logging Salt can be quite chatty when you change the logging setting to debug: salt-minion -l debug Run the minion in the foreground By not starting the minion in daemon mode (-d) one can view any output from the minion as it works: salt-minion & Increase the default timeout value when running salt. For example, to change the default timeout to 60 seconds: salt -t 60 For best results, combine all three: salt-minion -l debug & # On the minion salt '*' state.highstate -t 60 # On the master Next steps This tutorial focused on getting a simple Salt States configuration working. Part 2 will build on this example to cover more advanced sls syntax and will explore more of the states that ship with Salt. States tutorial, part 2 - More Complex States, Requisites NOTE: This tutorial builds on topics covered in part 1. It is recommended that you begin there. In the last part of the Salt States tutorial we covered the basics of installing a package. We will now modify our webserver.sls file to have requirements, and use even more Salt States. Call multiple States You can specify multiple state-declaration under an id-declaration. For example, a quick modification to our webserver.sls to also start Apache if it is not running: apache: pkg.installed: [] service.running: - require: - pkg: apache Try stopping Apache before running state.highstate once again and observe the output. NOTE: For those running RedhatOS derivatives (Centos, AWS), you will want to specify the service name to be httpd. More on state service here, service state. With the example above, just add "- name: httpd" above the require line and with the same spacing. Require other states We now have a working installation of Apache so let's add an HTML file to customize our website. It isn't exactly useful to have a website without a webserver so we don't want Salt to install our HTML file until Apache is installed and running. Include the following at the bottom of your webserver/init.sls file: apache: pkg.installed: [] service.running: - require: - pkg: apache /var/www/index.html: # ID declaration file: # state declaration - managed # function - source: salt://webserver/index.html # function arg - require: # requisite declaration - pkg: apache # requisite reference line 7 is the id-declaration. In this example it is the location we want to install our custom HTML file. (Note: the default location that Apache serves may differ from the above on your OS or distro. /srv/www could also be a likely place to look.) Line 8 the state-declaration. This example uses the Salt file state. Line 9 is the function-declaration. The managed function will download a file from the master and install it in the location specified. Line 10 is a function-arg-declaration which, in this example, passes the source argument to the managed function. Line 11 is a requisite-declaration. Line 12 is a requisite-reference which refers to a state and an ID. In this example, it is referring to the ID declaration from our example in part 1. This declaration tells Salt not to install the HTML file until Apache is installed. Next, create the index.html file and save it in the webserver directory: <!DOCTYPE html> <html> <head><title>Salt rocks</title></head> <body> <h1>This file brought to you by Salt</h1> </body> </html> Last, call state.highstate again and the minion will fetch and execute the highstate as well as our HTML file from the master using Salt's File Server: salt '*' state.highstate Verify that Apache is now serving your custom HTML. require vs. watch There are two requisite-declaration, “require”, and “watch”. Not every state supports “watch”. The service state does support “watch” and will restart a service based on the watch condition. For example, if you use Salt to install an Apache virtual host configuration file and want to restart Apache whenever that file is changed you could modify our Apache example from earlier as follows: /etc/httpd/extra/httpd-vhosts.conf: file.managed: - source: salt://webserver/httpd-vhosts.conf apache: pkg.installed: [] service.running: - watch: - file: /etc/httpd/extra/httpd-vhosts.conf - require: - pkg: apache If the pkg and service names differ on your OS or distro of choice you can specify each one separately using a name-declaration which explained in Part 3. Next steps In part 3 we will discuss how to use includes, extends, and templating to make a more complete State Tree configuration. States tutorial, part 3 - Templating, Includes, Extends NOTE: This tutorial builds on topics covered in part 1 and part 2. It is recommended that you begin there. This part of the tutorial will cover more advanced templating and configuration techniques for sls files. Templating SLS modules SLS modules may require programming logic or inline execution. This is accomplished with module templating. The default module templating system used is Jinja2 and may be configured by changing the renderer value in the master config. All states are passed through a templating system when they are initially read. To make use of the templating system, simply add some templating markup. An example of an sls module with templating markup may look like this: {% for usr in ['moe','larry','curly'] %} {{ usr }}: user.present {% endfor %} This templated sls file once generated will look like this: moe: user.present larry: user.present curly: user.present Here's a more complex example: # Comments in yaml start with a hash symbol. # Since jinja rendering occurs before yaml parsing, if you want to include jinja # in the comments you may need to escape them using 'jinja' comments to prevent # jinja from trying to render something which is not well-defined jinja. # e.g. # {# iterate over the Three Stooges using a {% for %}..{% endfor %} loop # with the iterator variable {{ usr }} becoming the state ID. #} {% for usr in 'moe','larry','curly' %} {{ usr }}: group: - present user: - present - gid_from_name: True - require: - group: {{ usr }} {% endfor %} Using Grains in SLS modules Often times a state will need to behave differently on different systems. Salt grains objects are made available in the template context. The grains can be used from within sls modules: apache: pkg.installed: {% if grains['os'] == 'RedHat' %} - name: httpd {% elif grains['os'] == 'Ubuntu' %} - name: apache2 {% endif %} Using Environment Variables in SLS modules You can use salt['environ.get']('VARNAME') to use an environment variable in a Salt state. MYENVVAR="world" salt-call state.template test.sls Create a file with contents from an environment variable: file.managed: - name: /tmp/hello - contents: {{ salt['environ.get']('MYENVVAR') }} Error checking: {% set myenvvar = salt['environ.get']('MYENVVAR') %} {% if myenvvar %} Create a file with contents from an environment variable: file.managed: - name: /tmp/hello - contents: {{ salt['environ.get']('MYENVVAR') }} {% else %} Fail - no environment passed in: test: A. fail_without_changes {% endif %} Calling Salt modules from templates All of the Salt modules loaded by the minion are available within the templating system. This allows data to be gathered in real time on the target system. It also allows for shell commands to be run easily from within the sls modules. The Salt module functions are also made available in the template context as salt: moe: user.present: - gid: {{ salt['file.group_to_gid']('some_group_that_exists') }} Note that for the above example to work, some_group_that_exists must exist before the state file is processed by the templating engine. Below is an example that uses the network.hw_addr function to retrieve the MAC address for eth0: salt['network.hw_addr']('eth0') Advanced SLS module syntax Lastly, we will cover some incredibly useful techniques for more complex State trees. Include declaration A previous example showed how to spread a Salt tree across several files. Similarly, requisites span multiple files by using an include-declaration. For example: python/python-libs.sls: python-dateutil: pkg.installed python/django.sls: include: - python.python-libs django: pkg.installed: - require: - pkg: python-dateutil Extend declaration You can modify previous declarations by using an extend-declaration. For example the following modifies the Apache tree to also restart Apache when the vhosts file is changed: apache/apache.sls: apache: pkg.installed apache/mywebsite.sls: include: - apache.apache extend: apache: service: - running - watch: - file: /etc/httpd/extra/httpd-vhosts.conf /etc/httpd/extra/httpd-vhosts.conf: file.managed: - source: salt://apache/httpd-vhosts.conf Using extend with require or watch The extend statement works differently for require or watch. It appends to, rather than replacing the requisite component. Name declaration You can override the id-declaration by using a name-declaration. For example, the previous example is a bit more maintainable if rewritten as follows: apache/mywebsite.sls: include: - apache.apache extend: apache: service: - running - watch: - file: mywebsite mywebsite: file.managed: - name: /etc/httpd/extra/httpd-vhosts.conf - source: salt://apache/httpd-vhosts.conf Names declaration Even more powerful is using a names-declaration to override the id-declaration for multiple states at once. This often can remove the need for looping in a template. For example, the first example in this tutorial can be rewritten without the loop: stooges: user.present: - names: - moe - larry - curly Next steps In part 4 we will discuss how to use salt's file_roots to set up a workflow in which states can be "promoted" from dev, to QA, to production. States tutorial, part 4 NOTE: This tutorial builds on topics covered in part 1, part 2 and part 3. It is recommended that you begin there. This part of the tutorial will show how to use salt's file_roots to set up a workflow in which states can be "promoted" from dev, to QA, to production. Salt fileserver path inheritance Salt's fileserver allows for more than one root directory per environment, like in the below example, which uses both a local directory and a secondary location shared to the salt master via NFS: # In the master config file (/etc/salt/master) file_roots: base: - /srv/salt - /mnt/salt-nfs/base Salt's fileserver collapses the list of root directories into a single virtual environment containing all files from each root. If the same file exists at the same relative path in more than one root, then the top-most match "wins". For example, if /srv/salt/foo.txt and /mnt/salt-nfs/base/foo.txt both exist, then salt://foo.txt will point to /srv/salt/foo.txt. NOTE: When using multiple fileserver backends, the order in which they are listed in the fileserver_backend parameter also matters. If both roots and git backends contain a file with the same relative path, and roots appears before git in the fileserver_backend list, then the file in roots will "win", and the file in gitfs will be ignored. A more thorough explanation of how Salt's modular fileserver works can be found here. We recommend reading this. Environment configuration Configure a multiple-environment setup like so: file_roots: base: - /srv/salt/prod qa: - /srv/salt/qa - /srv/salt/prod dev: - /srv/salt/dev - /srv/salt/qa - /srv/salt/prod Given the path inheritance described above, files within /srv/salt/prod would be available in all environments. Files within /srv/salt/qa would be available in both qa, and dev. Finally, the files within /srv/salt/dev would only be available within the dev environment. Based on the order in which the roots are defined, new files/states can be placed within /srv/salt/dev, and pushed out to the dev hosts for testing. Those files/states can then be moved to the same relative path within /srv/salt/qa, and they are now available only in the dev and qa environments, allowing them to be pushed to QA hosts and tested. Finally, if moved to the same relative path within /srv/salt/prod, the files are now available in all three environments. Practical Example As an example, consider a simple website, installed to /var/www/foobarcom. Below is a top.sls that can be used to deploy the website: /srv/salt/prod/top.sls: base: 'web*prod*': - webserver.foobarcom qa: 'web*qa*': - webserver.foobarcom dev: 'web*dev*': - webserver.foobarcom Using pillar, roles can be assigned to the hosts: /srv/pillar/top.sls: base: 'web*prod*': - webserver.prod 'web*qa*': - webserver.qa 'web*dev*': - webserver.dev /srv/pillar/webserver/prod.sls: webserver_role: prod /srv/pillar/webserver/qa.sls: webserver_role: qa /srv/pillar/webserver/dev.sls: webserver_role: dev And finally, the SLS to deploy the website: /srv/salt/prod/webserver/foobarcom.sls: {% if pillar.get('webserver_role', '') %} /var/www/foobarcom: file.recurse: - source: salt://webserver/src/foobarcom - env: {{ pillar['webserver_role'] }} - user: www - group: www - dir_mode: 755 - file_mode: 644 {% endif %} Given the above SLS, the source for the website should initially be placed in /srv/salt/dev/webserver/src/foobarcom. First, let's deploy to dev. Given the configuration in the top file, this can be done using state.highstate: salt --pillar 'webserver_role:dev' state.highstate However, in the event that it is not desirable to apply all states configured in the top file (which could be likely in more complex setups), it is possible to apply just the states for the foobarcom website, using state.sls: salt --pillar 'webserver_role:dev' state.sls webserver.foobarcom Once the site has been tested in dev, then the files can be moved from /srv/salt/dev/webserver/src/foobarcom to /srv/salt/qa/webserver/src/foobarcom, and deployed using the following: salt --pillar 'webserver_role:qa' state.sls webserver.foobarcom Finally, once the site has been tested in qa, then the files can be moved from /srv/salt/qa/webserver/src/foobarcom to /srv/salt/prod/webserver/src/foobarcom, and deployed using the following: salt --pillar 'webserver_role:prod' state.sls webserver.foobarcom Thanks to Salt's fileserver inheritance, even though the files have been moved to within /srv/salt/prod, they are still available from the same salt:// URI in both the qa and dev environments. Continue Learning The best way to continue learning about Salt States is to read through the reference documentation and to look through examples of existing state trees. Many pre-configured state trees can be found on GitHub in the saltstack-formulas collection of repositories. If you have any questions, suggestions, or just want to chat with other people who are using Salt, we have a very active community and we'd love to hear from you. In addition, by continuing to part 5, you can learn about the powerful orchestration of which Salt is capable. States Tutorial, Part 5 - Orchestration with Salt NOTE: This tutorial builds on some of the topics covered in the earlier States Walkthrough pages. It is recommended to start with Part 1 if you are not familiar with how to use states. Orchestration is accomplished in salt primarily through the Orchestrate Runner. Added in version 0.17.0, this Salt Runner can use the full suite of requisites available in states, and can also execute states/functions using salt-ssh. The Orchestrate Runner New in version 0.17.0. NOTE: Orchestrate Deprecates OverState The Orchestrate Runner (originally called the state.sls runner) offers all the functionality of the OverState, but with some advantages: • All requisites available in states can be used. • The states/functions will also work on salt-ssh minions. The Orchestrate Runner was added with the intent to eventually deprecate the OverState system, however the OverState will still be maintained until Salt 2015.8.0. The orchestrate runner generalizes the Salt state system to a Salt master context. Whereas the state.sls, state.highstate, et al functions are concurrently and independently executed on each Salt minion, the state.orchestrate runner is executed on the master, giving it a master-level view and control over requisites, such as state ordering and conditionals. This allows for inter minion requisites, like ordering the application of states on different minions that must not happen simultaneously, or for halting the state run on all minions if a minion fails one of its states. If you want to setup a load balancer in front of a cluster of web servers, for example, you can ensure the load balancer is setup before the web servers or stop the state run altogether if one of the minions does not set up correctly. The state.sls, state.highstate, et al functions allow you to statefully manage each minion and the state.orchestrate runner allows you to statefully manage your entire infrastructure. Executing the Orchestrate Runner The Orchestrate Runner command format is the same as for the state.sls function, except that since it is a runner, it is executed with salt-run rather than salt. Assuming you have a state.sls file called /srv/salt/orch/webserver.sls the following command run on the master will apply the states defined in that file. salt-run state.orchestrate orch.webserver NOTE: state.orch is a synonym for state.orchestrate Changed in version 2014.1.1: The runner function was renamed to state.orchestrate to avoid confusion with the state.sls execution function. In versions 0.17.0 through 2014.1.0, state.sls must be used. Examples Function To execute a function, use salt.function: # /srv/salt/orch/cleanfoo.sls cmd.run: salt.function: - tgt: '*' - arg: - rm -rf /tmp/foo salt-run state.orchestrate orch.cleanfoo State To execute a state, use salt.state. # /srv/salt/orch/webserver.sls install_nginx: salt.state: - tgt: 'web*' - sls: - nginx salt-run state.orchestrate orch.webserver Highstate To run a highstate, set highstate: True in your state config: # /srv/salt/orch/web_setup.sls webserver_setup: salt.state: - tgt: 'web*' - highstate: True salt-run state.orchestrate orch.web_setup More Complex Orchestration Many states/functions can be configured in a single file, which when combined with the full suite of requisites, can be used to easily configure complex orchestration tasks. Additionally, the states/functions will be executed in the order in which they are defined, unless prevented from doing so by any requisites, as is the default in SLS files since 0.17.0. cmd.run: salt.function: - tgt: 10.0.0.0/24 - tgt_type: ipcidr - arg: - bootstrap storage_setup: salt.state: - tgt: 'role:storage' - tgt_type: grain - sls: ceph - require: - salt: webserver_setup webserver_setup: salt.state: - tgt: 'web*' - highstate: True Given the above setup, the orchestration will be carried out as follows: 1. The shell command bootstrap will be executed on all minions in the 10.0.0.0/24 subnet. 2. A Highstate will be run on all minions whose ID starts with "web", since the storage_setup state requires it. 3. Finally, the ceph SLS target will be executed on all minions which have a grain called role with a value of storage. NOTE: Remember, salt-run is always executed on the master. Syslog-ng usage Overview Syslog_ng state module is for generating syslog-ng configurations. You can do the following things: • generate syslog-ng configuration from YAML, • use non-YAML configuration, • start, stop or reload syslog-ng. There is also an execution module, which can check the syntax of the configuration, get the version and other information about syslog-ng. Configuration Users can create syslog-ng configuration statements with the syslog_ng.config function. It requires a name and a config parameter. The name parameter determines the name of the generated statement and the config parameter holds a parsed YAML structure. A statement can be declared in the following forms (both are equivalent): source.s_localhost: syslog_ng.config: - config: - tcp: - ip: "127.0.0.1" - port: 1233 s_localhost: syslog_ng.config: - config: source: - tcp: - ip: "127.0.0.1" - port: 1233 The first one is called short form, because it needs less typing. Users can use lists and dictionaries to specify their configuration. The format is quite self describing and there are more examples [at the end](#examples) of this document. Quotation The quotation can be tricky sometimes but here are some rules to follow: • when a string meant to be "string" in the generated configuration, it should be like '"string"' in the YAML document • similarly, users should write "'string'" to get 'string' in the generated configuration Full example The following configuration is an example, how a complete syslog-ng configuration looks like: # Set the location of the configuration file set_location: module.run: - name: syslog_ng.set_config_file - m_name: "/home/tibi/install/syslog-ng/etc/syslog-ng.conf" # The syslog-ng and syslog-ng-ctl binaries are here. You needn't use # this method if these binaries can be found in a directory in your PATH. set_bin_path: module.run: - name: syslog_ng.set_binary_path - m_name: "/home/tibi/install/syslog-ng/sbin" # Writes the first lines into the config file, also erases its previous # content write_version: module.run: - name: syslog_ng.write_version - m_name: "3.6" # There is a shorter form to set the above variables set_variables: module.run: - name: syslog_ng.set_parameters - version: "3.6" - binary_path: "/home/tibi/install/syslog-ng/sbin" - config_file: "/home/tibi/install/syslog-ng/etc/syslog-ng.conf" # Some global options options.global_options: syslog_ng.config: - config: - time_reap: 30 - mark_freq: 10 - keep_hostname: "yes" source.s_localhost: syslog_ng.config: - config: - tcp: - ip: "127.0.0.1" - port: 1233 destination.d_log_server: syslog_ng.config: - config: - tcp: - "127.0.0.1" - port: 1234 log.l_log_to_central_server: syslog_ng.config: - config: - source: s_localhost - destination: d_log_server some_comment: module.run: - name: syslog_ng.write_config - config: | # Multi line # comment # Another mode to use comments or existing configuration snippets config.other_comment_form: syslog_ng.config: - config: | # Multi line # comment The syslog_ng.reloaded function can generate syslog-ng configuration from YAML. If the statement (source, destination, parser, etc.) has a name, this function uses the id as the name, otherwise (log statement) it's purpose is like a mandatory comment. After execution this example the syslog_ng state will generate this file: #Generated by Salt on 2014-08-18 00:11:11 @version: 3.6 options { time_reap( 30 ); mark_freq( 10 ); keep_hostname( yes ); }; source s_localhost { tcp( ip( 127.0.0.1 ), port( 1233 ) ); }; destination d_log_server { tcp( 127.0.0.1, port( 1234 ) ); }; log { source( s_localhost ); destination( d_log_server ); }; # Multi line # comment # Multi line # comment Users can include arbitrary texts in the generated configuration with using the config statement (see the example above). Syslog_ng module functions You can use syslog_ng.set_binary_path to set the directory which contains the syslog-ng and syslog-ng-ctl binaries. If this directory is in your PATH, you don't need to use this function. There is also a syslog_ng.set_config_file function to set the location of the configuration file. Examples Simple source source s_tail { file( "/var/log/apache/access.log", follow_freq(1), flags(no-parse, validate-utf8) ); }; s_tail: # Salt will call the source function of syslog_ng module syslog_ng.config: - config: source: - file: - file: ''"/var/log/apache/access.log"'' - follow_freq : 1 - flags: - no-parse - validate-utf8 OR s_tail: syslog_ng.config: - config: source: - file: - ''"/var/log/apache/access.log"'' - follow_freq : 1 - flags: - no-parse - validate-utf8 OR source.s_tail: syslog_ng.config: - config: - file: - ''"/var/log/apache/access.log"'' - follow_freq : 1 - flags: - no-parse - validate-utf8 Complex source source s_gsoc2014 { tcp( ip("0.0.0.0"), port(1234), flags(no-parse) ); }; s_gsoc2014: syslog_ng.config: - config: source: - tcp: - ip: 0.0.0.0 - port: 1234 - flags: no-parse Filter filter f_json { match( "@json:" ); }; f_json: syslog_ng.config: - config: filter: - match: - ''"@json:"'' Template template t_demo_filetemplate { template( "$ISODATE $HOST $MSG " ); template_escape( no ); }; t_demo_filetemplate: syslog_ng.config: -config: template: - template: - '"$ISODATE $HOST $MSG\n"' - template_escape: - "no" Rewrite rewrite r_set_message_to_MESSAGE { set( "${.json.message}", value("$MESSAGE") ); }; r_set_message_to_MESSAGE: syslog_ng.config: - config: rewrite: - set: - '"${.json.message}"' - value : '"$MESSAGE"' Global options options { time_reap(30); mark_freq(10); keep_hostname(yes); }; global_options: syslog_ng.config: - config: options: - time_reap: 30 - mark_freq: 10 - keep_hostname: "yes" Log log { source(s_gsoc2014); junction { channel { filter(f_json); parser(p_json); rewrite(r_set_json_tag); rewrite(r_set_message_to_MESSAGE); destination { file( "/tmp/json-input.log", template(t_gsoc2014) ); }; flags(final); }; channel { filter(f_not_json); parser { syslog-parser( ); }; rewrite(r_set_syslog_tag); flags(final); }; }; destination { file( "/tmp/all.log", template(t_gsoc2014) ); }; }; l_gsoc2014: syslog_ng.config: - config: log: - source: s_gsoc2014 - junction: - channel: - filter: f_json - parser: p_json - rewrite: r_set_json_tag - rewrite: r_set_message_to_MESSAGE - destination: - file: - '"/tmp/json-input.log"' - template: t_gsoc2014 - flags: final - channel: - filter: f_not_json - parser: - syslog-parser: [] - rewrite: r_set_syslog_tag - flags: final - destination: - file: - "/tmp/all.log" - template: t_gsoc2014 Advanced Topics SaltStack Walk-through NOTE: Welcome to SaltStack! I am excited that you are interested in Salt and starting down the path to better infrastructure management. I developed (and am continuing to develop) Salt with the goal of making the best software available to manage computers of almost any kind. I hope you enjoy working with Salt and that the software can solve your real world needs! • Thomas S Hatch • Salt creator and Chief Developer • CTO of SaltStack, Inc. Getting Started What is Salt? Salt is a different approach to infrastructure management, founded on the idea that high-speed communication with large numbers of systems can open up new capabilities. This approach makes Salt a powerful multitasking system that can solve many specific problems in an infrastructure. The backbone of Salt is the remote execution engine, which creates a high-speed, secure and bi-directional communication net for groups of systems. On top of this communication system, Salt provides an extremely fast, flexible, and easy-to-use configuration management system called Salt States. Installing Salt SaltStack has been made to be very easy to install and get started. The installation documents contain instructions for all supported platforms. Starting Salt Salt functions on a master/minion topology. A master server acts as a central control bus for the clients, which are called minions. The minions connect back to the master. Setting Up the Salt Master Turning on the Salt Master is easy -- just turn it on! The default configuration is suitable for the vast majority of installations. The Salt Master can be controlled by the local Linux/Unix service manager: On Systemd based platforms (OpenSuse, Fedora): systemctl start salt-master On Upstart based systems (Ubuntu, older Fedora/RHEL): service salt-master start On SysV Init systems (Debian, Gentoo etc.): /etc/init.d/salt-master start Alternatively, the Master can be started directly on the command-line: salt-master -d The Salt Master can also be started in the foreground in debug mode, thus greatly increasing the command output: salt-master -l debug The Salt Master needs to bind to two TCP network ports on the system. These ports are 4505 and 4506. For more in depth information on firewalling these ports, the firewall tutorial is available here. Setting up a Salt Minion NOTE: The Salt Minion can operate with or without a Salt Master. This walk-through assumes that the minion will be connected to the master, for information on how to run a master-less minion please see the master-less quick-start guide: Masterless Minion Quickstart The Salt Minion only needs to be aware of one piece of information to run, the network location of the master. By default the minion will look for the DNS name salt for the master, making the easiest approach to set internal DNS to resolve the name salt back to the Salt Master IP. Otherwise, the minion configuration file will need to be edited so that the configuration option master points to the DNS name or the IP of the Salt Master: NOTE: The default location of the configuration files is /etc/salt. Most platforms adhere to this convention, but platforms such as FreeBSD and Microsoft Windows place this file in different locations. /etc/salt/minion: master: saltmaster.example.com Now that the master can be found, start the minion in the same way as the master; with the platform init system or via the command line directly: As a daemon: salt-minion -d In the foreground in debug mode: salt-minion -l debug When the minion is started, it will generate an id value, unless it has been generated on a previous run and cached in the configuration directory, which is /etc/salt by default. This is the name by which the minion will attempt to authenticate to the master. The following steps are attempted, in order to try to find a value that is not localhost: 1. The Python function socket.getfqdn() is run 2. /etc/hostname is checked (non-Windows only) 3. /etc/hosts (%WINDIR%\system32\drivers\etc\hosts on Windows hosts) is checked for hostnames that map to anything within 127.0.0.0/8. If none of the above are able to produce an id which is not localhost, then a sorted list of IP addresses on the minion (excluding any within 127.0.0.0/8) is inspected. The first publicly-routable IP address is used, if there is one. Otherwise, the first privately-routable IP address is used. If all else fails, then localhost is used as a fallback. NOTE: Overriding the id The minion id can be manually specified using the id parameter in the minion config file. If this configuration value is specified, it will override all other sources for the id. Now that the minion is started, it will generate cryptographic keys and attempt to connect to the master. The next step is to venture back to the master server and accept the new minion's public key. Using salt-key Salt authenticates minions using public-key encryption and authentication. For a minion to start accepting commands from the master, the minion keys need to be accepted by the master. The salt-key command is used to manage all of the keys on the master. To list the keys that are on the master: salt-key -L The keys that have been rejected, accepted, and pending acceptance are listed. The easiest way to accept the minion key is to accept all pending keys: salt-key -A NOTE: Keys should be verified! Print the master key fingerprint by running salt-key -F master on the Salt master. Copy the master.pub fingerprint from the Local Keys section, and then set this value as the master_finger in the minion configuration file. Restart the Salt minion. On the master, run salt-key -f minion-id to print the fingerprint of the minion's public key that was received by the master. On the minion, run salt-call key.finger --local to print the fingerprint of the minion key. On the master: # salt-key -f foo.domain.com Unaccepted Keys: foo.domain.com: 39:f9:e4:8a:aa:74:8d:52:1a:ec:92:03:82:09:c8:f9 On the minion: # salt-call key.finger --local local: 39:f9:e4:8a:aa:74:8d:52:1a:ec:92:03:82:09:c8:f9 If they match, approve the key with salt-key -a foo.domain.com. Sending the First Commands Now that the minion is connected to the master and authenticated, the master can start to command the minion. Salt commands allow for a vast set of functions to be executed and for specific minions and groups of minions to be targeted for execution. The salt command is comprised of command options, target specification, the function to execute, and arguments to the function. A simple command to start with looks like this: salt '*' test.ping The * is the target, which specifies all minions. test.ping tells the minion to run the test.ping function. In the case of test.ping, test refers to a execution module. ping refers to the ping function contained in the aforementioned test module. NOTE: Execution modules are the workhorses of Salt. They do the work on the system to perform various tasks, such as manipulating files and restarting services. The result of running this command will be the master instructing all of the minions to execute test.ping in parallel and return the result. This is not an actual ICMP ping, but rather a simple function which returns True. Using test.ping is a good way of confirming that a minion is connected. NOTE: Each minion registers itself with a unique minion ID. This ID defaults to the minion's hostname, but can be explicitly defined in the minion config as well by using the id parameter. Of course, there are hundreds of other modules that can be called just as test.ping can. For example, the following would return disk usage on all targeted minions: salt '*' disk.usage Getting to Know the Functions Salt comes with a vast library of functions available for execution, and Salt functions are self-documenting. To see what functions are available on the minions execute the sys.doc function: salt '*' sys.doc This will display a very large list of available functions and documentation on them. NOTE: Module documentation is also available on the web. These functions cover everything from shelling out to package management to manipulating database servers. They comprise a powerful system management API which is the backbone to Salt configuration management and many other aspects of Salt. NOTE: Salt comes with many plugin systems. The functions that are available via the salt command are called Execution Modules. Helpful Functions to Know The cmd module contains functions to shell out on minions, such as cmd.run and cmd.run_all: salt '*' cmd.run 'ls -l /etc' The pkg functions automatically map local system package managers to the same salt functions. This means that pkg.install will install packages via yum on Red Hat based systems, apt on Debian systems, etc.: salt '*' pkg.install vim NOTE: Some custom Linux spins and derivatives of other distributions are not properly detected by Salt. If the above command returns an error message saying that pkg.install is not available, then you may need to override the pkg provider. This process is explained here. The network.interfaces function will list all interfaces on a minion, along with their IP addresses, netmasks, MAC addresses, etc: salt '*' network.interfaces Changing the Output Format The default output format used for most Salt commands is called the nested outputter, but there are several other outputters that can be used to change the way the output is displayed. For instance, the pprint outputter can be used to display the return data using Python's pprint module: root@saltmaster:~# salt myminion grains.item pythonpath --out=pprint {'myminion': {'pythonpath': ['/usr/lib64/python2.7', '/usr/lib/python2.7/plat-linux2', '/usr/lib64/python2.7/lib-tk', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/site-packages', '/usr/lib/python2.7/site-packages/gst-0.10', '/usr/lib/python2.7/site-packages/gtk-2.0']}} The full list of Salt outputters, as well as example output, can be found here. salt-call The examples so far have described running commands from the Master using the salt command, but when troubleshooting it can be more beneficial to login to the minion directly and use salt-call. Doing so allows you to see the minion log messages specific to the command you are running (which are not part of the return data you see when running the command from the Master using salt), making it unnecessary to tail the minion log. More information on salt-call and how to use it can be found here. Grains Salt uses a system called Grains to build up static data about minions. This data includes information about the operating system that is running, CPU architecture and much more. The grains system is used throughout Salt to deliver platform data to many components and to users. Grains can also be statically set, this makes it easy to assign values to minions for grouping and managing. A common practice is to assign grains to minions to specify what the role or roles a minion might be. These static grains can be set in the minion configuration file or via the grains.setval function. Targeting Salt allows for minions to be targeted based on a wide range of criteria. The default targeting system uses globular expressions to match minions, hence if there are minions named larry1, larry2, curly1, and curly2, a glob of larry* will match larry1 and larry2, and a glob of *1 will match larry1 and curly1. Many other targeting systems can be used other than globs, these systems include: Regular Expressions Target using PCRE-compliant regular expressions Grains Target based on grains data: Targeting with Grains Pillar Target based on pillar data: Targeting with Pillar IP Target based on IP address/subnet/range Compound Create logic to target based on multiple targets: Targeting with Compound Nodegroup Target with nodegroups: Targeting with Nodegroup The concepts of targets are used on the command line with Salt, but also function in many other areas as well, including the state system and the systems used for ACLs and user permissions. Passing in Arguments Many of the functions available accept arguments which can be passed in on the command line: salt '*' pkg.install vim This example passes the argument vim to the pkg.install function. Since many functions can accept more complex input than just a string, the arguments are parsed through YAML, allowing for more complex data to be sent on the command line: salt '*' test.echo 'foo: bar' In this case Salt translates the string 'foo: bar' into the dictionary "{'foo': 'bar'}" NOTE: Any line that contains a newline will not be parsed by YAML. Salt States Now that the basics are covered the time has come to evaluate States. Salt States, or the State System is the component of Salt made for configuration management. The state system is already available with a basic Salt setup, no additional configuration is required. States can be set up immediately. NOTE: Before diving into the state system, a brief overview of how states are constructed will make many of the concepts clearer. Salt states are based on data modeling and build on a low level data structure that is used to execute each state function. Then more logical layers are built on top of each other. The high layers of the state system which this tutorial will cover consists of everything that needs to be known to use states, the two high layers covered here are the sls layer and the highest layer highstate. Understanding the layers of data management in the State System will help with understanding states, but they never need to be used. Just as understanding how a compiler functions assists when learning a programming language, understanding what is going on under the hood of a configuration management system will also prove to be a valuable asset. The First SLS Formula The state system is built on SLS formulas. These formulas are built out in files on Salt's file server. To make a very basic SLS formula open up a file under /srv/salt named vim.sls. The following state ensures that vim is installed on a system to which that state has been applied. /srv/salt/vim.sls: vim: pkg.installed Now install vim on the minions by calling the SLS directly: salt '*' state.sls vim This command will invoke the state system and run the vim SLS. Now, to beef up the vim SLS formula, a vimrc can be added: /srv/salt/vim.sls: vim: pkg.installed: [] /etc/vimrc: file.managed: - source: salt://vimrc - mode: 644 - user: root - group: root Now the desired vimrc needs to be copied into the Salt file server to /srv/salt/vimrc. In Salt, everything is a file, so no path redirection needs to be accounted for. The vimrc file is placed right next to the vim.sls file. The same command as above can be executed to all the vim SLS formulas and now include managing the file. NOTE: Salt does not need to be restarted/reloaded or have the master manipulated in any way when changing SLS formulas. They are instantly available. Adding Some Depth Obviously maintaining SLS formulas right in a single directory at the root of the file server will not scale out to reasonably sized deployments. This is why more depth is required. Start by making an nginx formula a better way, make an nginx subdirectory and add an init.sls file: /srv/salt/nginx/init.sls: nginx: pkg.installed: [] service.running: - require: - pkg: nginx A few concepts are introduced in this SLS formula. First is the service statement which ensures that the nginx service is running. Of course, the nginx service can't be started unless the package is installed -- hence the require statement which sets up a dependency between the two. The require statement makes sure that the required component is executed before and that it results in success. NOTE: The require option belongs to a family of options called requisites. Requisites are a powerful component of Salt States, for more information on how requisites work and what is available see: Requisites Also evaluation ordering is available in Salt as well: Ordering States This new sls formula has a special name -- init.sls. When an SLS formula is named init.sls it inherits the name of the directory path that contains it. This formula can be referenced via the following command: salt '*' state.sls nginx NOTE: Reminder! Just as one could call the test.ping or disk.usage execution modules, state.sls is simply another execution module. It simply takes the name of an SLS file as an argument. Now that subdirectories can be used, the vim.sls formula can be cleaned up. To make things more flexible, move the vim.sls and vimrc into a new subdirectory called edit and change the vim.sls file to reflect the change: /srv/salt/edit/vim.sls: vim: pkg.installed /etc/vimrc: file.managed: - source: salt://edit/vimrc - mode: 644 - user: root - group: root Only the source path to the vimrc file has changed. Now the formula is referenced as edit.vim because it resides in the edit subdirectory. Now the edit subdirectory can contain formulas for emacs, nano, joe or any other editor that may need to be deployed. Next Reading Two walk-throughs are specifically recommended at this point. First, a deeper run through States, followed by an explanation of Pillar. 1. Starting States 2. Pillar Walkthrough An understanding of Pillar is extremely helpful in using States. Getting Deeper Into States Two more in-depth States tutorials exist, which delve much more deeply into States functionality. 1. How Do I Use Salt States?, covers much more to get off the ground with States. 2. The States Tutorial also provides a fantastic introduction. These tutorials include much more in-depth information including templating SLS formulas etc. So Much More! This concludes the initial Salt walk-through, but there are many more things still to learn! These documents will cover important core aspects of Salt: • Pillar • Job Management A few more tutorials are also available: • Remote Execution Tutorial • Standalone Minion This still is only scratching the surface, many components such as the reactor and event systems, extending Salt, modular components and more are not covered here. For an overview of all Salt features and documentation, look at the Table of Contents. running salt as normal user tutorial Before continuing make sure you have a working Salt installation by following the installation and the configuration instructions. Stuck? There are many ways to get help from the Salt community including our mailing list and our IRC channel #salt. Running Salt functions as non root user If you don't want to run salt cloud as root or even install it you can configure it to have a virtual root in your working directory. The salt system uses the salt.syspath module to find the variables If you run the salt-build, it will generated in: ./build/lib.linux-x86_64-2.7/salt/_syspaths.py To generate it, run the command: python setup.py build Copy the generated module into your salt directory cp ./build/lib.linux-x86_64-2.7/salt/_syspaths.py salt/_syspaths.py Edit it to include needed variables and your new paths # you need to edit this ROOT_DIR = *your current dir* + '/salt/root' # you need to edit this INSTALL_DIR = *location of source code* CONFIG_DIR = ROOT_DIR + '/etc/salt' CACHE_DIR = ROOT_DIR + '/var/cache/salt' SOCK_DIR = ROOT_DIR + '/var/run/salt' SRV_ROOT_DIR= ROOT_DIR + '/srv' BASE_FILE_ROOTS_DIR = ROOT_DIR + '/srv/salt' BASE_PILLAR_ROOTS_DIR = ROOT_DIR + '/srv/pillar' BASE_MASTER_ROOTS_DIR = ROOT_DIR + '/srv/salt-master' LOGS_DIR = ROOT_DIR + '/var/log/salt' PIDFILE_DIR = ROOT_DIR + '/var/run' CLOUD_DIR = INSTALL_DIR + '/cloud' BOOTSTRAP = CLOUD_DIR + '/deploy/bootstrap-salt.sh' Create the directory structure mkdir -p root/etc/salt root/var/cache/run root/run/salt root/srv root/srv/salt root/srv/pillar root/srv/salt-master root/var/log/salt root/var/run Populate the configuration files: cp -r conf/* root/etc/salt/ Edit your root/etc/salt/master configuration that is used by salt-cloud: user: *your user name* Run like this: PYTHONPATH=`pwd` scripts/salt-cloud MinionFS Backend Walkthrough Propagating Files New in version 2014.1.0. Sometimes, one might need to propagate files that are generated on a minion. Salt already has a feature to send files from a minion to the master. Enabling File Propagation To enable propagation, the file_recv option needs to be set to True. file_recv: True These changes require a restart of the master, then new requests for the salt://minion-id/ protocol will send files that are pushed by cp.push from minion-id to the master. salt 'minion-id' cp.push /path/to/the/file This command will store the file, including its full path, under cachedir /master/minions/minion-id/files. With the default cachedir the example file above would be stored as /var/cache/salt/master/minions/minion-id/files/path/to/the/file. NOTE: This walkthrough assumes basic knowledge of Salt and cp.push. To get up to speed, check out the walkthrough. MinionFS Backend Since it is not a good idea to expose the whole cachedir, MinionFS should be used to send these files to other minions. Simple Configuration To use the minionfs backend only two configuration changes are required on the master. The fileserver_backend option needs to contain a value of minion and file_recv needs to be set to true: fileserver_backend: - roots - minion file_recv: True These changes require a restart of the master, then new requests for the salt://minion-id/ protocol will send files that are pushed by cp.push from minion-id to the master. NOTE: All of the files that are pushed to the master are going to be available to all of the minions. If this is not what you want, please remove minion from fileserver_backend in the master config file. NOTE: Having directories with the same name as your minions in the root that can be accessed like salt://minion-id/ might cause confusion. Commandline Example Lets assume that we are going to generate SSH keys on a minion called minion-source and put the public part in ~/.ssh/authorized_keys of root user of a minion called minion-destination. First, lets make sure that /root/.ssh exists and has the right permissions: [root@salt-master file]# salt '*' file.mkdir dir_path=/root/.ssh user=root group=root mode=700 minion-source: None minion-destination: None We create an RSA key pair without a passphrase [*]: [root@salt-master file]# salt 'minion-source' cmd.run 'ssh-keygen -N "" -f /root/.ssh/id_rsa' minion-source: Generating public/private rsa key pair. Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 9b:cd:1c:b9:c2:93:8e:ad:a3:52:a0:8b:0a:cc:d4:9b root@minion-source The key's randomart image is: +--[ RSA 2048]----+ | | | | | | | o . | | o o S o | |= + . B o | |o+ E B = | |+ . .+ o | |o ...ooo | +-----------------+ and we send the public part to the master to be available to all minions: [root@salt-master file]# salt 'minion-source' cp.push /root/.ssh/id_rsa.pub minion-source: True now it can be seen by everyone: [root@salt-master file]# salt 'minion-destination' cp.list_master_dirs minion-destination: - . - etc - minion-source/root - minion-source/root/.ssh Lets copy that as the only authorized key to minion-destination: [root@salt-master file]# salt 'minion-destination' cp.get_file salt://minion-source/root/.ssh/id_rsa.pub /root/.ssh/authorized_keys minion-destination: /root/.ssh/authorized_keys Or we can use a more elegant and salty way to add an SSH key: [root@salt-master file]# salt 'minion-destination' ssh.set_auth_key_from_file user=root source=salt://minion-source/root/.ssh/id_rsa.pub minion-destination: new [*] Yes, that was the actual key on my server, but the server is already destroyed. Automatic Updates / Frozen Deployments New in version 0.10.3.d. Salt has support for the Esky application freezing and update tool. This tool allows one to build a complete zipfile out of the salt scripts and all their dependencies - including shared objects / DLLs. Getting Started To build frozen applications, suitable build environment will be needed for each platform. You should probably set up a virtualenv in order to limit the scope of Q/A. This process does work on Windows. Directions are available at https://github.com/saltstack/salt-windows-install for details on installing Salt in Windows. Only the 32-bit Python and dependencies have been tested, but they have been tested on 64-bit Windows. Install bbfreeze, and then esky from PyPI in order to enable the bdist_esky command in setup.py. Salt itself must also be installed, in addition to its dependencies. Building and Freezing Once you have your tools installed and the environment configured, use setup.py to prepare the distribution files. python setup.py sdist python setup.py bdist Once the distribution files are in place, Esky can be used traverse the module tree and pack all the scripts up into a redistributable. python setup.py bdist_esky There will be an appropriately versioned salt-VERSION.zip in dist/ if everything went smoothly. Windows C:\Python27\lib\site-packages\zmq will need to be added to the PATH variable. This helps bbfreeze find the zmq DLL so it can pack it up. Using the Frozen Build Unpack the zip file in the desired install location. Scripts like salt-minion and salt-call will be in the root of the zip file. The associated libraries and bootstrapping will be in the directories at the same level. (Check the Esky documentation for more information) To support updating your minions in the wild, put the builds on a web server that the minions can reach. salt.modules.saltutil.update() will trigger an update and (optionally) a restart of the minion service under the new version. Troubleshooting A Windows minion isn't responding The process dispatch on Windows is slower than it is on *nix. It may be necessary to add '-t 15' to salt commands to give minions plenty of time to return. Windows and the Visual Studio Redist The Visual C++ 2008 32-bit redistributable will need to be installed on all Windows minions. Esky has an option to pack the library into the zipfile, but OpenSSL does not seem to acknowledge the new location. If a no OPENSSL_Applink error appears on the console when trying to start a frozen minion, the redistributable is not installed. Mixed Linux environments and Yum The Yum Python module doesn't appear to be available on any of the standard Python package mirrors. If RHEL/CentOS systems need to be supported, the frozen build should created on that platform to support all the Linux nodes. Remember to build the virtualenv with --system-site-packages so that the yum module is included. Automatic (Python) module discovery Automatic (Python) module discovery does not work with the late-loaded scheme that Salt uses for (Salt) modules. Any misbehaving modules will need to be explicitly added to the freezer_includes in Salt's setup.py. Always check the zipped application to make sure that the necessary modules were included. Multi Master Tutorial As of Salt 0.16.0, the ability to connect minions to multiple masters has been made available. The multi-master system allows for redundancy of Salt masters and facilitates multiple points of communication out to minions. When using a multi-master setup, all masters are running hot, and any active master can be used to send commands out to the minions. NOTE: If you need failover capabilities with multiple masters, there is also a MultiMaster-PKI setup available, that uses a different topology MultiMaster-PKI with Failover Tutorial In 0.16.0, the masters do not share any information, keys need to be accepted on both masters, and shared files need to be shared manually or use tools like the git fileserver backend to ensure that the file_roots are kept consistent. Summary of Steps 1. Create a redundant master server 2. Copy primary master key to redundant master 3. Start redundant master 4. Configure minions to connect to redundant master 5. Restart minions 6. Accept keys on redundant master Prepping a Redundant Master The first task is to prepare the redundant master. If the redundant master is already running, stop it. There is only one requirement when preparing a redundant master, which is that masters share the same private key. When the first master was created, the master's identifying key pair was generated and placed in the master's pki_dir. The default location of the master's key pair is /etc/salt/pki/master/. Take the private key, master.pem, and copy it to the same location on the redundant master. Do the same for the master's public key, master.pub. Assuming that no minions have yet been connected to the new redundant master, it is safe to delete any existing key in this location and replace it. NOTE: There is no logical limit to the number of redundant masters that can be used. Once the new key is in place, the redundant master can be safely started. Configure Minions Since minions need to be master-aware, the new master needs to be added to the minion configurations. Simply update the minion configurations to list all connected masters: master: - saltmaster1.example.com - saltmaster2.example.com Now the minion can be safely restarted. NOTE: If the ipc_mode for the minion is set to TCP (default in Windows), then each minion in the multi-minion setup (one per master) needs its own tcp_pub_port and tcp_pull_port. If these settings are left as the default 4510/4511, each minion object will receive a port 2 higher than the previous. Thus the first minion will get 4510/4511, the second will get 4512/4513, and so on. If these port decisions are unacceptable, you must configure tcp_pub_port and tcp_pull_port with lists of ports for each master. The length of these lists should match the number of masters, and there should not be overlap in the lists. Now the minions will check into the original master and also check into the new redundant master. Both masters are first-class and have rights to the minions. NOTE: Minions can automatically detect failed masters and attempt to reconnect to reconnect to them quickly. To enable this functionality, set master_alive_interval in the minion config and specify a number of seconds to poll the masters for connection status. If this option is not set, minions will still reconnect to failed masters but the first command sent after a master comes back up may be lost while the minion authenticates. Sharing Files Between Masters Salt does not automatically share files between multiple masters. A number of files should be shared or sharing of these files should be strongly considered. Minion Keys Minion keys can be accepted the normal way using salt-key on both masters. Keys accepted, deleted, or rejected on one master will NOT be automatically managed on redundant masters; this needs to be taken care of by running salt-key on both masters or sharing the /etc/salt/pki/master/{minions,minions_pre,minions_rejected} directories between masters. NOTE: While sharing the /etc/salt/pki/master directory will work, it is strongly discouraged, since allowing access to the master.pem key outside of Salt creates a SERIOUS security risk. File_Roots The file_roots contents should be kept consistent between masters. Otherwise state runs will not always be consistent on minions since instructions managed by one master will not agree with other masters. The recommended way to sync these is to use a fileserver backend like gitfs or to keep these files on shared storage. Pillar_Roots Pillar roots should be given the same considerations as file_roots. Master Configurations While reasons may exist to maintain separate master configurations, it is wise to remember that each master maintains independent control over minions. Therefore, access controls should be in sync between masters unless a valid reason otherwise exists to keep them inconsistent. These access control options include but are not limited to: • external_auth • client_acl • peer • peer_run Multi-Master-PKI Tutorial With Failover This tutorial will explain, how to run a salt-environment where a single minion can have multiple masters and fail-over between them if its current master fails. The individual steps are • setup the master(s) to sign its auth-replies • setup minion(s) to verify master-public-keys • enable multiple masters on minion(s) • enable master-check on minion(s) Please note, that it is advised to have good knowledge of the salt- authentication and communication-process to understand this tutorial. All of the settings described here, go on top of the default authentication/communication process. Motivation The default behaviour of a salt-minion is to connect to a master and accept the masters public key. With each publication, the master sends his public-key for the minion to check and if this public-key ever changes, the minion complains and exits. Practically this means, that there can only be a single master at any given time. Would it not be much nicer, if the minion could have any number of masters (1:n) and jump to the next master if its current master died because of a network or hardware failure? NOTE: There is also a MultiMaster-Tutorial with a different approach and topology than this one, that might also suite your needs or might even be better suited Multi-Master Tutorial It is also desirable, to add some sort of authenticity-check to the very first public key a minion receives from a master. Currently a minions takes the first masters public key for granted. The Goal Setup the master to sign the public key it sends to the minions and enable the minions to verify this signature for authenticity. Prepping the master to sign its public key For signing to work, both master and minion must have the signing and/or verification settings enabled. If the master signs the public key but the minion does not verify it, the minion will complain and exit. The same happens, when the master does not sign but the minion tries to verify. The easiest way to have the master sign its public key is to set master_sign_pubkey: True After restarting the salt-master service, the master will automatically generate a new key-pair master_sign.pem master_sign.pub A custom name can be set for the signing key-pair by setting master_sign_key_name: <name_without_suffix> The master will then generate that key-pair upon restart and use it for creating the public keys signature attached to the auth-reply. The computation is done for every auth-request of a minion. If many minions auth very often, it is advised to use conf_master:master_pubkey_signature and conf_master:master_use_pubkey_signature settings described below. If multiple masters are in use and should sign their auth-replies, the signing key-pair master_sign.* has to be copied to each master. Otherwise a minion will fail to verify the masters public when connecting to a different master than it did initially. That is because the public keys signature was created with a different signing key-pair. Prepping the minion to verify received public keys The minion must have the public key (and only that one!) available to be able to verify a signature it receives. That public key (defaults to master_sign.pub) must be copied from the master to the minions pki-directory. /etc/salt/pki/minion/master_sign.pub DO NOT COPY THE master_sign.pem FILE. IT MUST STAY ON THE MASTER AND ONLY THERE! When that is done, enable the signature checking in the minions configuration verify_master_pubkey_sign: True and restart the minion. For the first try, the minion should be run in manual debug mode. $ salt-minion -l debug Upon connecting to the master, the following lines should appear on the output: [DEBUG ] Attempting to authenticate with the Salt Master at 172.16.0.10 [DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem [DEBUG ] salt.crypt.verify_signature: Loading public key [DEBUG ] salt.crypt.verify_signature: Verifying signature [DEBUG ] Successfully verified signature of master public key with verification public key master_sign.pub [INFO ] Received signed and verified master pubkey from master 172.16.0.10 [DEBUG ] Decrypting the current master AES key If the signature verification fails, something went wrong and it will look like this [DEBUG ] Attempting to authenticate with the Salt Master at 172.16.0.10 [DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem [DEBUG ] salt.crypt.verify_signature: Loading public key [DEBUG ] salt.crypt.verify_signature: Verifying signature [DEBUG ] Failed to verify signature of public key [CRITICAL] The Salt Master server's public key did not authenticate! In a case like this, it should be checked, that the verification pubkey (master_sign.pub) on the minion is the same as the one on the master. Once the verification is successful, the minion can be started in daemon mode again. For the paranoid among us, its also possible to verify the public whenever it is received from the master. That is, for every single auth-attempt which can be quite frequent. For example just the start of the minion will force the signature to be checked 6 times for various things like auth, mine, highstate, etc. If that is desired, enable the setting always_verify_signature: True Multiple Masters For A Minion Configuring multiple masters on a minion is done by specifying two settings: • a list of masters addresses • what type of master is defined master: - 172.16.0.10 - 172.16.0.11 - 172.16.0.12 master_type: failover This tells the minion that all the master above are available for it to connect to. When started with this configuration, it will try the master in the order they are defined. To randomize that order, set master_shuffle: True The master-list will then be shuffled before the first connection attempt. The first master that accepts the minion, is used by the minion. If the master does not yet know the minion, that counts as accepted and the minion stays on that master. For the minion to be able to detect if its still connected to its current master enable the check for it master_alive_interval: <seconds> If the loss of the connection is detected, the minion will temporarily remove the failed master from the list and try one of the other masters defined (again shuffled if that is enabled). Testing the setup At least two running masters are needed to test the failover setup. Both masters should be running and the minion should be running on the command line in debug mode $ salt-minion -l debug The minion will connect to the first master from its master list [DEBUG ] Attempting to authenticate with the Salt Master at 172.16.0.10 [DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem [DEBUG ] salt.crypt.verify_signature: Loading public key [DEBUG ] salt.crypt.verify_signature: Verifying signature [DEBUG ] Successfully verified signature of master public key with verification public key master_sign.pub [INFO ] Received signed and verified master pubkey from master 172.16.0.10 [DEBUG ] Decrypting the current master AES key A test.ping on the master the minion is currently connected to should be run to test connectivity. If successful, that master should be turned off. A firewall-rule denying the minions packets will also do the trick. Depending on the configured conf_minion:master_alive_interval, the minion will notice the loss of the connection and log it to its logfile. [INFO ] Connection to master 172.16.0.10 lost [INFO ] Trying to tune in to next master from master-list The minion will then remove the current master from the list and try connecting to the next master [INFO ] Removing possibly failed master 172.16.0.10 from list of masters [WARNING ] Master ip address changed from 172.16.0.10 to 172.16.0.11 [DEBUG ] Attempting to authenticate with the Salt Master at 172.16.0.11 If everything is configured correctly, the new masters public key will be verified successfully [DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem [DEBUG ] salt.crypt.verify_signature: Loading public key [DEBUG ] salt.crypt.verify_signature: Verifying signature [DEBUG ] Successfully verified signature of master public key with verification public key master_sign.pub the authentication with the new master is successful [INFO ] Received signed and verified master pubkey from master 172.16.0.11 [DEBUG ] Decrypting the current master AES key [DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem [INFO ] Authentication with master successful! and the minion can be pinged again from its new master. Performance Tuning With the setup described above, the master computes a signature for every auth-request of a minion. With many minions and many auth-requests, that can chew up quite a bit of CPU-Power. To avoid that, the master can use a pre-created signature of its public-key. The signature is saved as a base64 encoded string which the master reads once when starting and attaches only that string to auth-replies. Enabling this also gives paranoid users the possibility, to have the signing key-pair on a different system than the actual salt-master and create the public keys signature there. Probably on a system with more restrictive firewall rules, without internet access, less users, etc. That signature can be created with $ salt-key --gen-signature This will create a default signature file in the master pki-directory /etc/salt/pki/master/master_pubkey_signature It is a simple text-file with the binary-signature converted to base64. If no signing-pair is present yet, this will auto-create the signing pair and the signature file in one call $ salt-key --gen-signature --auto-create Telling the master to use the pre-created signature is done with master_use_pubkey_signature: True That requires the file 'master_pubkey_signature' to be present in the masters pki-directory with the correct signature. If the signature file is named differently, its name can be set with master_pubkey_signature: <filename> With many masters and many public-keys (default and signing), it is advised to use the salt-masters hostname for the signature-files name. Signatures can be easily confused because they do not provide any information about the key the signature was created from. Verifying that everything works is done the same way as above. How the signing and verification works The default key-pair of the salt-master is /etc/salt/pki/master/master.pem /etc/salt/pki/master/master.pub To be able to create a signature of a message (in this case a public-key), another key-pair has to be added to the setup. Its default name is: master_sign.pem master_sign.pub The combination of the master.* and master_sign.* key-pairs give the possibility of generating signatures. The signature of a given message is unique and can be verified, if the public-key of the signing-key-pair is available to the recipient (the minion). The signature of the masters public-key in master.pub is computed with master_sign.pem master.pub M2Crypto.EVP.sign_update() This results in a binary signature which is converted to base64 and attached to the auth-reply send to the minion. With the signing-pairs public-key available to the minion, the attached signature can be verified with master_sign.pub master.pub M2Cryptos EVP.verify_update(). When running multiple masters, either the signing key-pair has to be present on all of them, or the master_pubkey_signature has to be pre-computed for each master individually (because they all have different public-keys). DO NOT PUT THE SAME master.pub ON ALL MASTERS FOR EASE OF USE. Preseed Minion with Accepted Key In some situations, it is not convenient to wait for a minion to start before accepting its key on the master. For instance, you may want the minion to bootstrap itself as soon as it comes online. You may also want to to let your developers provision new development machines on the fly. SEE ALSO: Many ways to preseed minion keys Salt has other ways to generate and pre-accept minion keys in addition to the manual steps outlined below. salt-cloud performs these same steps automatically when new cloud VMs are created (unless instructed not to). salt-api exposes an HTTP call to Salt's REST API to generate and download the new minion keys as a tarball. There is a general four step process to do this: 1. Generate the keys on the master: root@saltmaster# salt-key --gen-keys=[key_name] Pick a name for the key, such as the minion's id. 2. Add the public key to the accepted minion folder: root@saltmaster# cp key_name.pub /etc/salt/pki/master/minions/[minion_id] It is necessary that the public key file has the same name as your minion id. This is how Salt matches minions with their keys. Also note that the pki folder could be in a different location, depending on your OS or if specified in the master config file. 3. Distribute the minion keys. There is no single method to get the keypair to your minion. The difficulty is finding a distribution method which is secure. For Amazon EC2 only, an AWS best practice is to use IAM Roles to pass credentials. (See blog post, http://blogs.aws.amazon.com/security/post/Tx610S2MLVZWEA/Using-IAM-roles-to-distribute-non-AWS-credentials-to-your-EC2-instances ) Security Warning Since the minion key is already accepted on the master, distributing the private key poses a potential security risk. A malicious party will have access to your entire state tree and other sensitive data if they gain access to a preseeded minion key. 4. Preseed the Minion with the keys You will want to place the minion keys before starting the salt-minion daemon: /etc/salt/pki/minion/minion.pem /etc/salt/pki/minion/minion.pub Once in place, you should be able to start salt-minion and run salt-call state.highstate or any other salt commands that require master authentication. Salt Bootstrap The Salt Bootstrap script allows for a user to install the Salt Minion or Master on a variety of system distributions and versions. This shell script known as bootstrap-salt.sh runs through a series of checks to determine the operating system type and version. It then installs the Salt binaries using the appropriate methods. The Salt Bootstrap script installs the minimum number of packages required to run Salt. This means that in the event you run the bootstrap to install via package, Git will not be installed. Installing the minimum number of packages helps ensure the script stays as lightweight as possible, assuming the user will install any other required packages after the Salt binaries are present on the system. The script source is available on GitHub: https://github.com/saltstack/salt-bootstrap Supported Operating Systems • Amazon Linux 2012.09 • Arch • CentOS 5/6/7 • Debian 6/7/8 • Fedora 17/18/20/21/22 • FreeBSD 9.1/9.2/10/11 • Gentoo • Linaro • Linux Mint 13/14 • OpenSUSE 12/13 • Oracle Linux 5/5 • Red Hat 5/6 • Red Hat Enterprise 5/6 • Scientific Linux 5/6 • SmartOS • SUSE Linux Enterprise 11 SP1/11 SP2/11 SP3 • Ubuntu 10.x/11.x/12.x/13.x/14.x/15.04 • Elementary OS 0.2 NOTE: In the event you do not see your distribution or version available please review the develop branch on GitHub as it main contain updates that are not present in the stable release: https://github.com/saltstack/salt-bootstrap/tree/develop Example Usage If you're looking for the one-liner to install salt, please scroll to the bottom and use the instructions for Installing via an Insecure One-Liner NOTE: In every two-step example, you would be well-served to examine the downloaded file and examine it to ensure that it does what you expect. Using curl to install latest git: curl -L https://bootstrap.saltstack.com -o install_salt.sh sudo sh install_salt.sh git develop Using wget to install your distribution's stable packages: wget -O install_salt.sh https://bootstrap.saltstack.com sudo sh install_salt.sh Install a specific version from git using wget: wget -O install_salt.sh https://bootstrap.saltstack.com sudo sh install_salt.sh -P git v0.16.4 If you already have python installed, python 2.6, then it's as easy as: python -m urllib "https://bootstrap.saltstack.com" > install_salt.sh sudo sh install_salt.sh git develop All python versions should support the following one liner: python -c 'import urllib; print urllib.urlopen("https://bootstrap.saltstack.com").read()' > install_salt.sh sudo sh install_salt.sh git develop On a FreeBSD base system you usually don't have either of the above binaries available. You do have fetch available though: fetch -o install_salt.sh https://bootstrap.saltstack.com sudo sh install_salt.sh If all you want is to install a salt-master using latest git: curl -o install_salt.sh -L https://bootstrap.saltstack.com sudo sh install_salt.sh -M -N git develop If you want to install a specific release version (based on the git tags): curl -o install_salt.sh -L https://bootstrap.saltstack.com sudo sh install_salt.sh git v0.16.4 To install a specific branch from a git fork: curl -o install_salt.sh -L https://bootstrap.saltstack.com sudo sh install_salt.sh -g https://github.com/myuser/salt.git git mybranch Installing via an Insecure One-Liner The following examples illustrate how to install Salt via a one-liner. NOTE: Warning! These methods do not involve a verification step and assume that the delivered file is trustworthy. Examples Installing the latest develop branch of Salt: curl -L https://bootstrap.saltstack.com | sudo sh -s -- git develop Any of the example above which use two-lines can be made to run in a single-line configuration with minor modifications. Example Usage The Salt Bootstrap script has a wide variety of options that can be passed as well as several ways of obtaining the bootstrap script itself. For example, using curl to install your distribution's stable packages: curl -L https://bootstrap.saltstack.com | sudo sh Using wget to install your distribution's stable packages: wget -O - https://bootstrap.saltstack.com | sudo sh Installing the latest version available from git with curl: curl -L https://bootstrap.saltstack.com | sudo sh -s -- git develop Install a specific version from git using wget: wget -O - https://bootstrap.saltstack.com | sh -s -- -P git v0.16.4 If you already have python installed, python 2.6, then it's as easy as: python -m urllib "https://bootstrap.saltstack.com" | sudo sh -s -- git develop All python versions should support the following one liner: python -c 'import urllib; print urllib.urlopen("https://bootstrap.saltstack.com").read()' | \ sudo sh -s -- git develop On a FreeBSD base system you usually don't have either of the above binaries available. You do have fetch available though: fetch -o - https://bootstrap.saltstack.com | sudo sh If all you want is to install a salt-master using latest git: curl -L https://bootstrap.saltstack.com | sudo sh -s -- -M -N git develop If you want to install a specific release version (based on the git tags): curl -L https://bootstrap.saltstack.com | sudo sh -s -- git v0.16.4 Downloading the develop branch (from here standard command line options may be passed): wget https://bootstrap.saltstack.com/develop Command Line Options Here's a summary of the command line options: $ sh bootstrap-salt.sh -h Usage : bootstrap-salt.sh [options] <install-type> <install-type-args> Installation types: - stable (default) - stable [version] (ubuntu specific) - daily (ubuntu specific) - testing (redhat specific) - git Examples: - bootstrap-salt.sh - bootstrap-salt.sh stable - bootstrap-salt.sh stable 2014.7 - bootstrap-salt.sh daily - bootstrap-salt.sh testing - bootstrap-salt.sh git - bootstrap-salt.sh git develop - bootstrap-salt.sh git v0.17.0 - bootstrap-salt.sh git 8c3fadf15ec183e5ce8c63739850d543617e4357 Options: -h Display this message -v Display script version -n No colours. -D Show debug output. -c Temporary configuration directory -g Salt repository URL. (default: git://github.com/saltstack/salt.git) -G Instead of cloning from git://github.com/saltstack/salt.git, clone from https://github.com/saltstack/salt.git (Usually necessary on systems which have the regular git protocol port blocked, where https usually is not) -k Temporary directory holding the minion keys which will pre-seed the master. -s Sleep time used when waiting for daemons to start, restart and when checking for the services running. Default: 3 -M Also install salt-master -S Also install salt-syndic -N Do not install salt-minion -X Do not start daemons after installation -C Only run the configuration function. This option automatically bypasses any installation. -P Allow pip based installations. On some distributions the required salt packages or its dependencies are not available as a package for that distribution. Using this flag allows the script to use pip as a last resort method. NOTE: This only works for functions which actually implement pip based installations. -F Allow copied files to overwrite existing(config, init.d, etc) -U If set, fully upgrade the system prior to bootstrapping salt -K If set, keep the temporary files in the temporary directories specified with -c and -k. -I If set, allow insecure connections while downloading any files. For example, pass '--no-check-certificate' to 'wget' or '--insecure' to 'curl' -A Pass the salt-master DNS name or IP. This will be stored under ${_SALT_ETC_DIR}/minion.d/99-master-address.conf -i Pass the salt-minion id. This will be stored under ${_SALT_ETC_DIR}/minion_id -L Install the Apache Libcloud package if possible(required for salt-cloud) -p Extra-package to install while installing salt dependencies. One package per -p flag. You're responsible for providing the proper package name. -d Disable check_service functions. Setting this flag disables the 'install_<distro>_check_services' checks. You can also do this by touching /tmp/disable_salt_checks on the target host. Defaults ${BS_FALSE} -H Use the specified http proxy for the installation -Z Enable external software source for newer ZeroMQ(Only available for RHEL/CentOS/Fedora/Ubuntu based distributions) Git Fileserver Backend Walkthrough NOTE: This walkthrough assumes basic knowledge of Salt. To get up to speed, check out the Salt Walkthrough. The gitfs backend allows Salt to serve files from git repositories. It can be enabled by adding git to the fileserver_backend list, and configuring one or more repositories in gitfs_remotes. Branches and tags become Salt fileserver environments. Installing Dependencies Beginning with version 2014.7.0, both pygit2 and Dulwich are supported as alternatives to GitPython. The desired provider can be configured using the gitfs_provider parameter in the master config file. If gitfs_provider is not configured, then Salt will prefer pygit2 if a suitable version is available, followed by GitPython and Dulwich. NOTE: It is recommended to always run the most recent version of any the below dependencies. Certain features of gitfs may not be available without the most recent version of the chosen library. pygit2 The minimum supported version of pygit2 is 0.20.3. Availability for this version of pygit2 is still limited, though the SaltStack team is working to get compatible versions available for as many platforms as possible. For the Fedora/EPEL versions which have a new enough version packaged, the following command would be used to install pygit2: # yum install python-pygit2 Provided a valid version is packaged for Debian/Ubuntu (which is not currently the case), the package name would be the same, and the following command would be used to install it: # apt-get install python-pygit2 If pygit2 is not packaged for the platform on which the Master is running, the pygit2 website has installation instructions here. Keep in mind however that following these instructions will install libgit2 and pygit2 without system packages. Additionally, keep in mind that SSH authentication in pygit2 requires libssh2 (not libssh) development libraries to be present before libgit2 is built. On some distros (debian based) pkg-config is also required to link libgit2 with libssh2. WARNING: pygit2 is actively developed and frequently makes non-backwards-compatible API changes, even in minor releases. It is not uncommon for pygit2 upgrades to result in errors in Salt. Please take care when upgrading pygit2, and pay close attention to the changelog, keeping an eye out for API changes. Errors can be reported on the SaltStack issue tracker. GitPython GitPython 0.3.0 or newer is required to use GitPython for gitfs. For RHEL-based Linux distros, a compatible version is available in EPEL, and can be easily installed on the master using yum: # yum install GitPython Ubuntu 14.04 LTS and Debian Wheezy (7.x) also have a compatible version packaged: # apt-get install python-git If your master is running an older version (such as Ubuntu 12.04 LTS or Debian Squeeze), then you will need to install GitPython using either pip or easy_install (it is recommended to use pip). Version 0.3.2.RC1 is now marked as the stable release in PyPI, so it should be a simple matter of running pip install GitPython (or easy_install GitPython) as root. WARNING: Keep in mind that if GitPython has been previously installed on the master using pip (even if it was subsequently uninstalled), then it may still exist in the build cache (typically /tmp/pip-build-root/GitPython) if the cache is not cleared after installation. The package in the build cache will override any requirement specifiers, so if you try upgrading to version 0.3.2.RC1 by running pip install 'GitPython==0.3.2.RC1' then it will ignore this and simply install the version from the cache directory. Therefore, it may be necessary to delete the GitPython directory from the build cache in order to ensure that the specified version is installed. Dulwich Dulwich 0.9.4 or newer is required to use Dulwich as backend for gitfs. Dulwich is available in EPEL, and can be easily installed on the master using yum: # yum install python-dulwich For APT-based distros such as Ubuntu and Debian: # apt-get install python-dulwich IMPORTANT: If switching to Dulwich from GitPython/pygit2, or switching from GitPython/pygit2 to Dulwich, it is necessary to clear the gitfs cache to avoid unpredictable behavior. This is probably a good idea whenever switching to a new gitfs_provider, but it is less important when switching between GitPython and pygit2. Beginning in version 2015.5.0, the gitfs cache can be easily cleared using the fileserver.clear_cache runner. salt-run fileserver.clear_cache backend=git If the Master is running an earlier version, then the cache can be cleared by removing the gitfs and file_lists/gitfs directories (both paths relative to the master cache directory, usually /var/cache/salt/master). rm -rf /var/cache/salt/master{,/file_lists}/gitfs Simple Configuration To use the gitfs backend, only two configuration changes are required on the master: 1. Include git in the fileserver_backend list in the master config file: fileserver_backend: - git 2. Specify one or more git://, https://, file://, or ssh:// URLs in gitfs_remotes to configure which repositories to cache and search for requested files: gitfs_remotes: - https://github.com/saltstack-formulas/salt-formula.git SSH remotes can also be configured using scp-like syntax: gitfs_remotes: - git@github.com:user/repo.git - ssh://user@domain.tld/path/to/repo.git Information on how to authenticate to SSH remotes can be found here. NOTE: Dulwich does not recognize ssh:// URLs, git+ssh:// must be used instead. Salt version 2015.5.0 and later will automatically add the git+ to the beginning of these URLs before fetching, but earlier Salt versions will fail to fetch unless the URL is specified using git+ssh://. 3. Restart the master to load the new configuration. NOTE: In a master/minion setup, files from a gitfs remote are cached once by the master, so minions do not need direct access to the git repository. Multiple Remotes The gitfs_remotes option accepts an ordered list of git remotes to cache and search, in listed order, for requested files. A simple scenario illustrates this cascading lookup behavior: If the gitfs_remotes option specifies three remotes: gitfs_remotes: - git://github.com/example/first.git - https://github.com/example/second.git - file:///root/third And each repository contains some files: first.git: top.sls edit/vim.sls edit/vimrc nginx/init.sls second.git: edit/dev_vimrc haproxy/init.sls third: haproxy/haproxy.conf edit/dev_vimrc Salt will attempt to lookup the requested file from each gitfs remote repository in the order in which they are defined in the configuration. The git://github.com/example/first.git remote will be searched first. If the requested file is found, then it is served and no further searching is executed. For example: • A request for the file salt://haproxy/init.sls will be served from the https://github.com/example/second.git git repo. • A request for the file salt://haproxy/haproxy.conf will be served from the file:///root/third repo. NOTE: This example is purposefully contrived to illustrate the behavior of the gitfs backend. This example should not be read as a recommended way to lay out files and git repos. The file:// prefix denotes a git repository in a local directory. However, it will still use the given file:// URL as a remote, rather than copying the git repo to the salt cache. This means that any refs you want accessible must exist as local refs in the specified repo. WARNING: Salt versions prior to 2014.1.0 are not tolerant of changing the order of remotes or modifying the URI of existing remotes. In those versions, when modifying remotes it is a good idea to remove the gitfs cache directory (/var/cache/salt/master/gitfs) before restarting the salt-master service. Per-remote Configuration Parameters New in version 2014.7.0. The following master config parameters are global (that is, they apply to all configured gitfs remotes): • gitfs_base • gitfs_root • gitfs_mountpoint (new in 2014.7.0) • gitfs_user (pygit2 only, new in 2014.7.0) • gitfs_password (pygit2 only, new in 2014.7.0) • gitfs_insecure_auth (pygit2 only, new in 2014.7.0) • gitfs_pubkey (pygit2 only, new in 2014.7.0) • gitfs_privkey (pygit2 only, new in 2014.7.0) • gitfs_passphrase (pygit2 only, new in 2014.7.0) These parameters can now be overridden on a per-remote basis. This allows for a tremendous amount of customization. Here's some example usage: gitfs_provider: pygit2 gitfs_base: develop gitfs_remotes: - https://foo.com/foo.git - https://foo.com/bar.git: - root: salt - mountpoint: salt://foo/bar/baz - base: salt-base - http://foo.com/baz.git: - root: salt/states - user: joe - password: mysupersecretpassword - insecure_auth: True IMPORTANT: There are two important distinctions which should be noted for per-remote configuration: 1. The URL of a remote which has per-remote configuration must be suffixed with a colon. 2. Per-remote configuration parameters are named like the global versions, with the gitfs_ removed from the beginning. In the example configuration above, the following is true: 1. The first and third gitfs remotes will use the develop branch/tag as the base environment, while the second one will use the salt-base branch/tag as the base environment. 2. The first remote will serve all files in the repository. The second remote will only serve files from the salt directory (and its subdirectories), while the third remote will only serve files from the salt/states directory (and its subdirectories). 3. The files from the second remote will be located under salt://foo/bar/baz, while the files from the first and third remotes will be located under the root of the Salt fileserver namespace (salt://). 4. The third remote overrides the default behavior of not authenticating to insecure (non-HTTPS) remotes. Serving from a Subdirectory The gitfs_root parameter allows files to be served from a subdirectory within the repository. This allows for only part of a repository to be exposed to the Salt fileserver. Assume the below layout: .gitignore README.txt foo/ foo/bar/ foo/bar/one.txt foo/bar/two.txt foo/bar/three.txt foo/baz/ foo/baz/top.sls foo/baz/edit/vim.sls foo/baz/edit/vimrc foo/baz/nginx/init.sls The below configuration would serve only the files under foo/baz, ignoring the other files in the repository: gitfs_remotes: - git://mydomain.com/stuff.git gitfs_root: foo/baz The root can also be configured on a per-remote basis. Mountpoints New in version 2014.7.0. The gitfs_mountpoint parameter will prepend the specified path to the files served from gitfs. This allows an existing repository to be used, rather than needing to reorganize a repository or design it around the layout of the Salt fileserver. Before the addition of this feature, if a file being served up via gitfs was deeply nested within the root directory (for example, salt://webapps/foo/files/foo.conf, it would be necessary to ensure that the file was properly located in the remote repository, and that all of the the parent directories were present (for example, the directories webapps/foo/files/ would need to exist at the root of the repository). The below example would allow for a file foo.conf at the root of the repository to be served up from the Salt fileserver path salt://webapps/foo/files/foo.conf. gitfs_remotes: - https://mydomain.com/stuff.git gitfs_mountpoint: salt://webapps/foo/files Mountpoints can also be configured on a per-remote basis. Using gitfs Alongside Other Backends Sometimes it may make sense to use multiple backends; for instance, if sls files are stored in git but larger files are stored directly on the master. The cascading lookup logic used for multiple remotes is also used with multiple backends. If the fileserver_backend option contains multiple backends: fileserver_backend: - roots - git Then the roots backend (the default backend of files in /srv/salt) will be searched first for the requested file; then, if it is not found on the master, each configured git remote will be searched. Branches, Environments, and Top Files When using the gitfs backend, branches, and tags will be mapped to environments using the branch/tag name as an identifier. There is one exception to this rule: the master branch is implicitly mapped to the base environment. So, for a typical base, qa, dev setup, the following branches could be used: master qa dev top.sls files from different branches will be merged into one at runtime. Since this can lead to overly complex configurations, the recommended setup is to have a separate repository, containing only the top.sls file with just one single master branch. To map a branch other than master as the base environment, use the gitfs_base parameter. gitfs_base: salt-base The base can also be configured on a per-remote basis. Environment Whitelist/Blacklist New in version 2014.7.0. The gitfs_env_whitelist and gitfs_env_blacklist parameters allow for greater control over which branches/tags are exposed as fileserver environments. Exact matches, globs, and regular expressions are supported, and are evaluated in that order. If using a regular expression, ^ and $ must be omitted, and the expression must match the entire branch/tag. gitfs_env_whitelist: - base - v1.* - 'mybranch\d+' NOTE: v1.*, in this example, will match as both a glob and a regular expression (though it will have been matched as a glob, since globs are evaluated before regular expressions). The behavior of the blacklist/whitelist will differ depending on which combination of the two options is used: • If only gitfs_env_whitelist is used, then only branches/tags which match the whitelist will be available as environments • If only gitfs_env_blacklist is used, then the branches/tags which match the blacklist will not be available as environments • If both are used, then the branches/tags which match the whitelist, but do not match the blacklist, will be available as environments. Authentication pygit2 New in version 2014.7.0. Both HTTPS and SSH authentication are supported as of version 0.20.3, which is the earliest version of pygit2 supported by Salt for gitfs. NOTE: The examples below make use of per-remote configuration parameters, a feature new to Salt 2014.7.0. More information on these can be found here. HTTPS For HTTPS repositories which require authentication, the username and password can be provided like so: gitfs_remotes: - https://domain.tld/myrepo.git: - user: git - password: mypassword If the repository is served over HTTP instead of HTTPS, then Salt will by default refuse to authenticate to it. This behavior can be overridden by adding an insecure_auth parameter: gitfs_remotes: - http://domain.tld/insecure_repo.git: - user: git - password: mypassword - insecure_auth: True SSH SSH repositories can be configured using the ssh:// protocol designation, or using scp-like syntax. So, the following two configurations are equivalent: • ssh://git@github.com/user/repo.git • git@github.com:user/repo.git Both gitfs_pubkey and gitfs_privkey (or their per-remote counterparts) must be configured in order to authenticate to SSH-based repos. If the private key is protected with a passphrase, it can be configured using gitfs_passphrase (or simply passphrase if being configured per-remote). For example: gitfs_remotes: - git@github.com:user/repo.git: - pubkey: /root/.ssh/id_rsa.pub - privkey: /root/.ssh/id_rsa - passphrase: myawesomepassphrase Finally, the SSH host key must be added to the known_hosts file. GitPython With GitPython, only passphrase-less SSH public key authentication is supported. The auth parameters (pubkey, privkey, etc.) shown in the pygit2 authentication examples above do not work with GitPython. gitfs_remotes: - ssh://git@github.com/example/salt-states.git Since GitPython wraps the git CLI, the private key must be located in ~/.ssh/id_rsa for the user under which the Master is running, and should have permissions of 0600. Also, in the absence of a user in the repo URL, GitPython will (just as SSH does) attempt to login as the current user (in other words, the user under which the Master is running, usually root). If a key needs to be used, then ~/.ssh/config can be configured to use the desired key. Information on how to do this can be found by viewing the manpage for ssh_config. Here's an example entry which can be added to the ~/.ssh/config to use an alternate key for gitfs: Host github.com IdentityFile /root/.ssh/id_rsa_gitfs The Host parameter should be a hostname (or hostname glob) that matches the domain name of the git repository. It is also necessary to add the SSH host key to the known_hosts file. The exception to this would be if strict host key checking is disabled, which can be done by adding StrictHostKeyChecking no to the entry in ~/.ssh/config Host github.com IdentityFile /root/.ssh/id_rsa_gitfs StrictHostKeyChecking no However, this is generally regarded as insecure, and is not recommended. Adding the SSH Host Key to the known_hosts File To use SSH authentication, it is necessary to have the remote repository's SSH host key in the ~/.ssh/known_hosts file. If the master is also a minion, this can be done using the ssh.set_known_host function: # salt mymaster ssh.set_known_host user=root hostname=github.com mymaster: ---------- new: ---------- enc: ssh-rsa fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 hostname: |1|OiefWWqOD4kwO3BhoIGa0loR5AA=|BIXVtmcTbPER+68HvXmceodDcfI= key: AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== old: None status: updated If not, then the easiest way to add the key is to su to the user (usually root) under which the salt-master runs and attempt to login to the server via SSH: $ su Password: # ssh github.com The authenticity of host 'github.com (192.30.252.128)' can't be established. RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'github.com,192.30.252.128' (RSA) to the list of known hosts. Permission denied (publickey). It doesn't matter if the login was successful, as answering yes will write the fingerprint to the known_hosts file. Verifying the Fingerprint To verify that the correct fingerprint was added, it is a good idea to look it up. One way to do this is to use nmap: $ nmap github.com --script ssh-hostkey Starting Nmap 5.51 ( http://nmap.org ) at 2014-08-18 17:47 CDT Nmap scan report for github.com (192.30.252.129) Host is up (0.17s latency). Not shown: 996 filtered ports PORT STATE SERVICE 22/tcp open ssh | ssh-hostkey: 1024 ad:1c:08:a4:40:e3:6f:9c:f5:66:26:5d:4b:33:5d:8c (DSA) |_2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 (RSA) 80/tcp open http 443/tcp open https 9418/tcp open git Nmap done: 1 IP address (1 host up) scanned in 28.78 seconds Another way is to check one's own known_hosts file, using this one-liner: $ ssh-keygen -l -f /dev/stdin <<<`ssh-keyscan -t rsa github.com 2>/dev/null` | awk '{print $2}' 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 Refreshing gitfs Upon Push By default, Salt updates the remote fileserver backends every 60 seconds. However, if it is desirable to refresh quicker than that, the Reactor System can be used to signal the master to update the fileserver on each push, provided that the git server is also a Salt minion. There are three steps to this process: 1. On the master, create a file /srv/reactor/update_fileserver.sls, with the following contents: update_fileserver: runner.fileserver.update 2. Add the following reactor configuration to the master config file: reactor: - 'salt/fileserver/gitfs/update': - /srv/reactor/update_fileserver.sls 3. On the git server, add a post-receive hook with the following contents: #!/usr/bin/env sh salt-call event.fire_master update salt/fileserver/gitfs/update The update argument right after event.fire_master in this example can really be anything, as it represents the data being passed in the event, and the passed data is ignored by this reactor. Similarly, the tag name salt/fileserver/gitfs/update can be replaced by anything, so long as the usage is consistent. Using Git as an External Pillar Source The git external pillar (a.k.a. git_pillar) has been rewritten for the 2015.8.0 release. This rewrite brings with it pygit2 support (allowing for access to authenticated repositories), as well as more granular support for per-remote configuration. To make use of the new features, changes to the git ext_pillar configuration must be made. The new configuration schema is detailed here. For Salt releases before 2015.8.0, click here for documentation. Why aren't my custom modules/states/etc. syncing to my Minions? In versions 0.16.3 and older, when using the git fileserver backend, certain versions of GitPython may generate errors when fetching, which Salt fails to catch. While not fatal to the fetch process, these interrupt the fileserver update that takes place before custom types are synced, and thus interrupt the sync itself. Try disabling the git fileserver backend in the master config, restarting the master, and attempting the sync again. This issue is worked around in Salt 0.16.4 and newer. The MacOS X (Maverick) Developer Step By Step Guide To Salt Installation This document provides a step-by-step guide to installing a Salt cluster consisting of one master, and one minion running on a local VM hosted on Mac OS X. NOTE: This guide is aimed at developers who wish to run Salt in a virtual machine. The official (Linux) walkthrough can be found here. The 5 Cent Salt Intro Since you're here you've probably already heard about Salt, so you already know Salt lets you configure and run commands on hordes of servers easily. Here's a brief overview of a Salt cluster: • Salt works by having a "master" server sending commands to one or multiple "minion" servers [1]. The master server is the "command center". It is going to be the place where you store your configuration files, aka: "which server is the db, which is the web server, and what libraries and software they should have installed". The minions receive orders from the master. Minions are the servers actually performing work for your business. • Salt has two types of configuration files: 1. the "salt communication channels" or "meta" or "config" configuration files (not official names): one for the master (usually is /etc/salt/master , on the master server), and one for minions (default is /etc/salt/minion or /etc/salt/minion.conf, on the minion servers). Those files are used to determine things like the Salt Master IP, port, Salt folder locations, etc.. If these are configured incorrectly, your minions will probably be unable to receive orders from the master, or the master will not know which software a given minion should install. 2. the "business" or "service" configuration files (once again, not an official name): these are configuration files, ending with ".sls" extension, that describe which software should run on which server, along with particular configuration properties for the software that is being installed. These files should be created in the /srv/salt folder by default, but their location can be changed using ... /etc/salt/master configuration file! NOTE: This tutorial contains a third important configuration file, not to be confused with the previous two: the virtual machine provisioning configuration file. This in itself is not specifically tied to Salt, but it also contains some Salt configuration. More on that in step 3. Also note that all configuration files are YAML files. So indentation matters. [1] Salt also works with "masterless" configuration where a minion is autonomous (in which case salt can be seen as a local configuration tool), or in "multiple master" configuration. See the documentation for more on that. Before Digging In, The Architecture Of The Salt Cluster Salt Master The "Salt master" server is going to be the Mac OS machine, directly. Commands will be run from a terminal app, so Salt will need to be installed on the Mac. This is going to be more convenient for toying around with configuration files. Salt Minion We'll only have one "Salt minion" server. It is going to be running on a Virtual Machine running on the Mac, using VirtualBox. It will run an Ubuntu distribution. Step 1 - Configuring The Salt Master On Your Mac official documentation Because Salt has a lot of dependencies that are not built in Mac OS X, we will use Homebrew to install Salt. Homebrew is a package manager for Mac, it's great, use it (for this tutorial at least!). Some people spend a lot of time installing libs by hand to better understand dependencies, and then realize how useful a package manager is once they're configuring a brand new machine and have to do it all over again. It also lets you uninstall things easily. NOTE: Brew is a Ruby program (Ruby is installed by default with your Mac). Brew downloads, compiles, and links software. The linking phase is when compiled software is deployed on your machine. It may conflict with manually installed software, especially in the /usr/local directory. It's ok, remove the manually installed version then refresh the link by typing brew link 'packageName'. Brew has a brew doctor command that can help you troubleshoot. It's a great command, use it often. Brew requires xcode command line tools. When you run brew the first time it asks you to install them if they're not already on your system. Brew installs software in /usr/local/bin (system bins are in /usr/bin). In order to use those bins you need your $PATH to search there first. Brew tells you if your $PATH needs to be fixed. TIP: Use the keyboard shortcut cmd + shift + period in the "open" Mac OS X dialog box to display hidden files and folders, such as .profile. Install Homebrew Install Homebrew here http://brew.sh/ Or just type ruby -e "$(curl -fsSL https://raw.github.com/Homebrew/homebrew/go/install)" Now type the following commands in your terminal (you may want to type brew doctor after each to make sure everything's fine): brew install python brew install swig brew install zmq NOTE: zmq is ZeroMQ. It's a fantastic library used for server to server network communication and is at the core of Salt efficiency. Install Salt You should now have everything ready to launch this command: pip install salt NOTE: There should be no need for sudo pip install salt. Brew installed Python for your user, so you should have all the access. In case you would like to check, type which python to ensure that it's /usr/local/bin/python, and which pip which should be /usr/local/bin/pip. Now type python in a terminal then, import salt. There should be no errors. Now exit the Python terminal using exit(). Create The Master Configuration If the default /etc/salt/master configuration file was not created, copy-paste it from here: http://docs.saltstack.com/ref/configuration/examples.html#configuration-examples-master NOTE: /etc/salt/master is a file, not a folder. Salt Master configuration changes. The Salt master needs a few customization to be able to run on Mac OS X: sudo launchctl limit maxfiles 4096 8192 In the /etc/salt/master file, change max_open_files to 8192 (or just add the line: max_open_files: 8192 (no quote) if it doesn't already exists). You should now be able to launch the Salt master: sudo salt-master --log-level=all There should be no errors when running the above command. NOTE: This command is supposed to be a daemon, but for toying around, we'll keep it running on a terminal to monitor the activity. Now that the master is set, let's configure a minion on a VM. Step 2 - Configuring The Minion VM The Salt minion is going to run on a Virtual Machine. There are a lot of software options that let you run virtual machines on a mac, But for this tutorial we're going to use VirtualBox. In addition to virtualBox, we will use Vagrant, which allows you to create the base VM configuration. Vagrant lets you build ready to use VM images, starting from an OS image and customizing it using "provisioners". In our case, we'll use it to: • Download the base Ubuntu image • Install salt on that Ubuntu image (Salt is going to be the "provisioner" for the VM). • Launch the VM • SSH into the VM to debug • Stop the VM once you're done. Install VirtualBox Go get it here: https://www.virtualBox.org/wiki/Downloads (click on VirtualBox for OS X hosts => x86/amd64) Install Vagrant Go get it here: http://downloads.vagrantup.com/ and choose the latest version (1.3.5 at time of writing), then the .dmg file. Double-click to install it. Make sure the vagrant command is found when run in the terminal. Type vagrant. It should display a list of commands. Create The Minion VM Folder Create a folder in which you will store your minion's VM. In this tutorial, it's going to be a minion folder in the $home directory. cd $home mkdir minion Initialize Vagrant From the minion folder, type vagrant init This command creates a default Vagrantfile configuration file. This configuration file will be used to pass configuration parameters to the Salt provisioner in Step 3. Import Precise64 Ubuntu Box vagrant box add precise64 http://files.vagrantup.com/precise64.box NOTE: This box is added at the global Vagrant level. You only need to do it once as each VM will use this same file. Modify the Vagrantfile Modify ./minion/Vagrantfile to use th precise64 box. Change the config.vm.box line to: config.vm.box = "precise64" Uncomment the line creating a host-only IP. This is the ip of your minion (you can change it to something else if that IP is already in use): config.vm.network :private_network, ip: "192.168.33.10" At this point you should have a VM that can run, although there won't be much in it. Let's check that. Checking The VM From the $home/minion folder type: vagrant up A log showing the VM booting should be present. Once it's done you'll be back to the terminal: ping 192.168.33.10 The VM should respond to your ping request. Now log into the VM in ssh using Vagrant again: vagrant ssh You should see the shell prompt change to something similar to vagrant@precise64:~$ meaning you're inside the VM. From there, enter the following: ping 10.0.2.2 NOTE: That ip is the ip of your VM host (the Mac OS X OS). The number is a VirtualBox default and is displayed in the log after the Vagrant ssh command. We'll use that IP to tell the minion where the Salt master is. Once you're done, end the ssh session by typing exit. It's now time to connect the VM to the salt master Step 3 - Connecting Master and Minion Creating The Minion Configuration File Create the /etc/salt/minion file. In that file, put the following lines, giving the ID for this minion, and the IP of the master: master: 10.0.2.2 id: 'minion1' file_client: remote Minions authenticate with the master using keys. Keys are generated automatically if you don't provide one and can accept them later on. However, this requires accepting the minion key every time the minion is destroyed or created (which could be quite often). A better way is to create those keys in advance, feed them to the minion, and authorize them once. Preseed minion keys From the minion folder on your Mac run: sudo salt-key --gen-keys=minion1 This should create two files: minion1.pem, and minion1.pub. Since those files have been created using sudo, but will be used by vagrant, you need to change ownership: sudo chown youruser:yourgroup minion1.pem sudo chown youruser:yourgroup minion1.pub Then copy the .pub file into the list of accepted minions: sudo cp minion1.pub /etc/salt/pki/master/minions/minion1 Modify Vagrantfile to Use Salt Provisioner Let's now modify the Vagrantfile used to provision the Salt VM. Add the following section in the Vagrantfile (note: it should be at the same indentation level as the other properties): # salt-vagrant config config.vm.provision :salt do |salt| salt.run_highstate = true salt.minion_config = "/etc/salt/minion" salt.minion_key = "./minion1.pem" salt.minion_pub = "./minion1.pub" end Now destroy the vm and recreate it from the /minion folder: vagrant destroy vagrant up If everything is fine you should see the following message: "Bootstrapping Salt... (this may take a while) Salt successfully configured and installed!" Checking Master-Minion Communication To make sure the master and minion are talking to each other, enter the following: sudo salt '*' test.ping You should see your minion answering the ping. It's now time to do some configuration. Step 4 - Configure Services to Install On the Minion In this step we'll use the Salt master to instruct our minion to install Nginx. Checking the system's original state First, make sure that an HTTP server is not installed on our minion. When opening a browser directed at http://192.168.33.10/ You should get an error saying the site cannot be reached. Initialize the top.sls file System configuration is done in the /srv/salt/top.sls file (and subfiles/folders), and then applied by running the state.highstate command to have the Salt master give orders so minions will update their instructions and run the associated commands. First Create an empty file on your Salt master (Mac OS X machine): touch /srv/salt/top.sls When the file is empty, or if no configuration is found for our minion an error is reported: sudo salt 'minion1' state.highstate Should return an error stating: "No Top file or external nodes data matches found". Create The Nginx Configuration Now is finally the time to enter the real meat of our server's configuration. For this tutorial our minion will be treated as a web server that needs to have Nginx installed. Insert the following lines into the /srv/salt/top.sls file (which should current be empty). base: 'minion1': - bin.nginx Now create a /srv/salt/bin/nginx.sls file containing the following: nginx: pkg.installed: - name: nginx service.running: - enable: True - reload: True Check Minion State Finally run the state.highstate command again: sudo salt 'minion1' state.highstate You should see a log showing that the Nginx package has been installed and the service configured. To prove it, open your browser and navigate to http://192.168.33.10/, you should see the standard Nginx welcome page. Congratulations! Where To Go From Here A full description of configuration management within Salt (sls files among other things) is available here: http://docs.saltstack.com/en/latest/index.html#configuration-management Salt's Test Suite: An Introduction NOTE: This tutorial makes a couple of assumptions. The first assumption is that you have a basic knowledge of Salt. To get up to speed, check out the Salt Walkthrough. The second assumption is that your Salt development environment is already configured and that you have a basic understanding of contributing to the Salt codebase. If you're unfamiliar with either of these topics, please refer to the Installing Salt for Development and the Contributing pages, respectively. Salt comes with a powerful integration and unit test suite. The test suite allows for the fully automated run of integration and/or unit tests from a single interface. Salt's test suite is located under the tests directory in the root of Salt's code base and is divided into two main types of tests: unit tests and integration tests. The unit and integration sub test suites are located in the tests directory, which is where the majority of Salt's test cases are housed. Getting Set Up For Tests There are a couple of requirements, in addition to Salt's requirements, that need to be installed in order to run Salt's test suite. You can install these additional requirements using the files located in the salt/requirements directory, depending on your relevant version of Python: pip install -r requirements/dev_python26.txt pip install -r requirements/dev_python27.txt Test Directory Structure As noted in the introduction to this tutorial, Salt's test suite is located in the tests directory in the root of Salt's code base. From there, the tests are divided into two groups integration and unit. Within each of these directories, the directory structure roughly mirrors the directory structure of Salt's own codebase. For example, the files inside tests/integration/modules contains tests for the files located within salt/modules. NOTE: tests/integration and tests/unit are the only directories discussed in this tutorial. With the exception of the tests/runtests.py file, which is used below in the Running the Test Suite section, the other directories and files located in tests are outside the scope of this tutorial. Integration vs. Unit Given that Salt's test suite contains two powerful, though very different, testing approaches, when should you write integration tests and when should you write unit tests? Integration tests use Salt masters, minions, and a syndic to test salt functionality directly and focus on testing the interaction of these components. Salt's integration test runner includes functionality to run Salt execution modules, runners, states, shell commands, salt-ssh commands, salt-api commands, and more. This provides a tremendous ability to use Salt to test itself and makes writing such tests a breeze. Integration tests are the preferred method of testing Salt functionality when possible. Unit tests do not spin up any Salt daemons, but instead find their value in testing singular implementations of individual functions. Instead of testing against specific interactions, unit tests should be used to test a function's logic. Unit tests should be used to test a function's exit point(s) such as any return or raises statements. Unit tests are also useful in cases where writing an integration test might not be possible. While the integration test suite is extremely powerful, unfortunately at this time, it does not cover all functional areas of Salt's ecosystem. For example, at the time of this writing, there is not a way to write integration tests for Proxy Minions. Since the test runner will need to be adjusted to account for Proxy Minion processes, unit tests can still provide some testing support in the interim by testing the logic contained inside Proxy Minion functions. Running the Test Suite Once all of the `requirements<Getting Set Up For Tests>`_ are installed, the runtests.py file in the salt/tests directory is used to instantiate Salt's test suite: python tests/runtests.py [OPTIONS] The command above, if executed without any options, will run the entire suite of integration and unit tests. Some tests require certain flags to run, such as destructive tests. If these flags are not included, then the test suite will only perform the tests that don't require special attention. At the end of the test run, you will see a summary output of the tests that passed, failed, or were skipped. The test runner also includes a --help option that lists all of the various command line options: python tests/runtests.py --help You can also call the test runner as an executable: ./tests/runtests.py --help Running Integration Tests Salt's set of integration tests use Salt to test itself. The integration portion of the test suite includes some built-in Salt daemons that will spin up in preparation of the test run. This list of Salt daemon processes includes: • 2 Salt Masters • 2 Salt Minions • 1 Salt Syndic These various daemons are used to execute Salt commands and functionality within the test suite, allowing you to write tests to assert against expected or unexpected behaviors. A simple example of a test utilizing a typical master/minion execution module command is the test for the test_ping function in the tests/integration/modules/test.py file: def test_ping(self): ''' test.ping ''' self.assertTrue(self.run_function('test.ping')) The test above is a very simple example where the test.ping function is executed by Salt's test suite runner and is asserting that the minion returned with a True response. Test Selection Options If you look in the output of the --help command of the test runner, you will see a section called Tests Selection Options. The options under this section contain various subsections of the integration test suite such as --modules, --ssh, or --states. By selecting any one of these options, the test daemons will spin up and the integration tests in the named subsection will run. ./tests/runtests.py --modules NOTE: The testing subsections listed in the Tests Selection Options of the --help output only apply to the integration tests. They do not run unit tests. Running Unit Tests While ./tests/runtests.py executes the entire test suite (barring any tests requiring special flags), the --unit flag can be used to run only Salt's unit tests. Salt's unit tests include the tests located in the tests/unit directory. The unit tests do not spin up any Salt testing daemons as the integration tests do and execute very quickly compared to the integration tests. ./tests/runtests.py --unit Running Specific Tests There are times when a specific test file, test class, or even a single, individual test need to be executed, such as when writing new tests. In these situations, the --name option should be used. For running a single test file, such as the pillar module test file in the integration test directory, you must provide the file path using . instead of / as separators and no file extension: ./tests/runtests.py --name=integration.modules.pillar ./tests/runtests.py -n integration.modules.pillar Some test files contain only one test class while other test files contain multiple test classes. To run a specific test class within the file, append the name of the test class to the end of the file path: ./tests/runtests.py --name=integration.modules.pillar.PillarModuleTest ./tests/runtests.py -n integration.modules.pillar.PillarModuleTest To run a single test within a file, append both the name of the test class the individual test belongs to, as well as the name of the test itself: ./tests/runtests.py --name=integration.modules.pillar.PillarModuleTest.test_data ./tests/runtests.py -n integration.modules.pillar.PillarModuleTest.test_data The --name and -n options can be used for unit tests as well as integration tests. The following command is an example of how to execute a single test found in the tests/unit/modules/cp_test.py file: ./tests/runtests.py -n unit.modules.cp_test.CpTestCase.test_get_template_success Writing Tests for Salt Once you're comfortable running tests, you can now start writing them! Be sure to review the Integration vs. Unit section of this tutorial to determine what type of test makes the most sense for the code you're testing. NOTE: There are many decorators, naming conventions, and code specifications required for Salt test files. We will not be covering all of the these specifics in this tutorial. Please refer to the testing documentation links listed below in the Additional Testing Documentation section to learn more about these requirements. In the following sections, the test examples assume the "new" test is added to a test file that is already present and regularly running in the test suite and is written with the correct requirements. Writing Integration Tests Since integration tests validate against a running environment, as explained in the Running Integration Tests section of this tutorial, integration tests are very easy to write and are generally the preferred method of writing Salt tests. The following integration test is an example taken from the test.py file in the tests/integration/modules directory. This test uses the run_function method to test the functionality of a traditional execution module command. The run_function method uses the integration test daemons to execute a module.function command as you would with Salt. The minion runs the function and returns. The test also uses Python's Assert Functions to test that the minion's return is expected. def test_ping(self): ''' test.ping ''' self.assertTrue(self.run_function('test.ping')) Args can be passed in to the run_function method as well: def test_echo(self): ''' test.echo ''' self.assertEqual(self.run_function('test.echo', ['text']), 'text') The next example is taken from the tests/integration/modules/aliases.py file and demonstrates how to pass kwargs to the run_function call. Also note that this test uses another salt function to ensure the correct data is present (via the aliases.set_target call) before attempting to assert what the aliases.get_target call should return. def test_set_target(self): ''' aliases.set_target and aliases.get_target ''' set_ret = self.run_function( 'aliases.set_target', alias='fred', target='bob') self.assertTrue(set_ret) tgt_ret = self.run_function( 'aliases.get_target', alias='fred') self.assertEqual(tgt_ret, 'bob') Using multiple Salt commands in this manor provides two useful benefits. The first is that it provides some additional coverage for the aliases.set_target function. The second benefit is the call to aliases.get_target is not dependent on the presence of any aliases set outside of this test. Tests should not be dependent on the previous execution, success, or failure of other tests. They should be isolated from other tests as much as possible. While it might be tempting to build out a test file where tests depend on one another before running, this should be avoided. SaltStack recommends that each test should test a single functionality and not rely on other tests. Therefore, when possible, individual tests should also be broken up into singular pieces. These are not hard-and-fast rules, but serve more as recommendations to keep the test suite simple. This helps with debugging code and related tests when failures occur and problems are exposed. There may be instances where large tests use many asserts to set up a use case that protects against potential regressions. NOTE: The examples above all use the run_function option to test execution module functions in a traditional master/minion environment. To see examples of how to test other common Salt components such as runners, salt-api, and more, please refer to the Integration Test Class Examples documentation. Destructive vs Non-destructive Tests Since Salt is used to change the settings and behavior of systems, often, the best approach to run tests is to make actual changes to an underlying system. This is where the concept of destructive integration tests comes into play. Tests can be written to alter the system they are running on. This capability is what fills in the gap needed to properly test aspects of system management like package installation. To write a destructive test, import and use the destructiveTest decorator for the test method: import integration from salttesting.helpers import destructiveTest class PkgTest(integration.ModuleCase): @destructiveTest def test_pkg_install(self): ret = self.run_function('pkg.install', name='finch') self.assertSaltTrueReturn(ret) ret = self.run_function('pkg.purge', name='finch') self.assertSaltTrueReturn(ret) Writing Unit Tests As explained in the Integration vs. Unit section above, unit tests should be written to test the logic of a function. This includes focusing on testing return and raises statements. Substantial effort should be made to mock external resources that are used in the code being tested. External resources that should be mocked include, but are not limited to, APIs, function calls, external data either globally available or passed in through function arguments, file data, etc. This practice helps to isolate unit tests to test Salt logic. One handy way to think about writing unit tests is to "block all of the exits". More information about how to properly mock external resources can be found in Salt's Unit Test documentation. Salt's unit tests utilize Python's mock class as well as MagicMock. The @patch decorator is also heavily used when "blocking all the exits". A simple example of a unit test currently in use in Salt is the test_get_file_not_found test in the tests/unit/modules/cp_test.py file. This test uses the @patch decorator and MagicMock to mock the return of the call to Salt's cp.hash_file execution module function. This ensures that we're testing the cp.get_file function directly, instead of inadvertently testing the call to cp.hash_file, which is used in cp.get_file. @patch('salt.modules.cp.hash_file', MagicMock(return_value=False)) def test_get_file_not_found(self): ''' Test if get_file can't find the file. ''' path = 'salt://saltines' dest = '/srv/salt/cheese' ret = '' self.assertEqual(cp.get_file(path, dest), ret) Note that Salt's cp module is imported at the top of the file, along with all of the other necessary testing imports. The get_file function is then called directed in the testing function, instead of using the run_fucntion method as the integration test examples do above. The call to cp.get_file returns an empty string when a hash_file isn't found. Therefore, the example above is a good illustration of a unit test "blocking the exits" via the @patch decorator, as well as testing logic via asserting against the return statement in the if clause. There are more examples of writing unit tests of varying complexities available in the following docs: • `Simple Unit Test Example<simple-unit-example>`_ • `Complete Unit Test Example<complete-unit-example>`_ • `Complex Unit Test Example<complex-unit-example>`_ NOTE: Considerable care should be made to ensure that you're testing something useful in your test functions. It is very easy to fall into a situation where you have mocked so much of the original function that the test results in only asserting against the data you have provided. This results in a poor and fragile unit test. Automated Test Runs SaltStack maintains a Jenkins server which can be viewed at http://jenkins.saltstack.com. The tests executed from this Jenkins server create fresh virtual machines for each test run, then execute the destructive tests on the new, clean virtual machine. This allows for the execution of tests across supported platforms. Additional Testing Documentation In addition to this tutorial, there are some other helpful resources and documentation that go into more depth on Salt's test runner, writing tests for Salt code, and general Python testing documentation. Please see the follow references for more information: • Salt's Test Suite Documentation • Integration Tests • Unit Tests • MagicMock • Python Unittest • Python's Assert Functions HTTP Modules This tutorial demonstrates using the various HTTP modules available in Salt. These modules wrap the Python tornado, urllib2, and requests libraries, extending them in a manner that is more consistent with Salt workflows. The salt.utils.http Library This library forms the core of the HTTP modules. Since it is designed to be used from the minion as an execution module, in addition to the master as a runner, it was abstracted into this multi-use library. This library can also be imported by 3rd-party programs wishing to take advantage of its extended functionality. Core functionality of the execution, state, and runner modules is derived from this library, so common usages between them are described here. Documentation specific to each module is described below. This library can be imported with: import salt.utils.http Configuring Libraries This library can make use of either tornado, which is required by Salt, urllib2, which ships with Python, or requests, which can be installed separately. By default, tornado will be used. In order to switch to urllib2, set the following variable: backend: urllib2 In order to switch to requests, set the following variable: backend: requests This can be set in the master or minion configuration file, or passed as an option directly to any http.query() functions. salt.utils.http.query() This function forms a basic query, but with some add-ons not present in the tornado, urllib2, and requests libraries. Not all functionality currently available in these libraries has been added, but can be in future iterations. A basic query can be performed by calling this function with no more than a single URL: salt.utils.http.query('http://example.com') By default the query will be performed with a GET method. The method can be overridden with the method argument: salt.utils.http.query('http://example.com/delete/url', 'DELETE') When using the POST method (and others, such as PUT), extra data is usually sent as well. This data can be sent directly, in whatever format is required by the remote server (XML, JSON, plain text, etc). salt.utils.http.query( 'http://example.com/delete/url', method='POST', data=json.loads(mydict) ) Bear in mind that this data must be sent pre-formatted; this function will not format it for you. However, a templated file stored on the local system may be passed through, along with variables to populate it with. To pass through only the file (untemplated): salt.utils.http.query( 'http://example.com/post/url', method='POST', data_file='/srv/salt/somefile.xml' ) To pass through a file that contains jinja + yaml templating (the default): salt.utils.http.query( 'http://example.com/post/url', method='POST', data_file='/srv/salt/somefile.jinja', data_render=True, template_data={'key1': 'value1', 'key2': 'value2'} ) To pass through a file that contains mako templating: salt.utils.http.query( 'http://example.com/post/url', method='POST', data_file='/srv/salt/somefile.mako', data_render=True, data_renderer='mako', template_data={'key1': 'value1', 'key2': 'value2'} ) Because this function uses Salt's own rendering system, any Salt renderer can be used. Because Salt's renderer requires __opts__ to be set, an opts dictionary should be passed in. If it is not, then the default __opts__ values for the node type (master or minion) will be used. Because this library is intended primarily for use by minions, the default node type is minion. However, this can be changed to master if necessary. salt.utils.http.query( 'http://example.com/post/url', method='POST', data_file='/srv/salt/somefile.jinja', data_render=True, template_data={'key1': 'value1', 'key2': 'value2'}, opts=__opts__ ) salt.utils.http.query( 'http://example.com/post/url', method='POST', data_file='/srv/salt/somefile.jinja', data_render=True, template_data={'key1': 'value1', 'key2': 'value2'}, node='master' ) Headers may also be passed through, either as a header_list, a header_dict, or as a header_file. As with the data_file, the header_file may also be templated. Take note that because HTTP headers are normally syntactically-correct YAML, they will automatically be imported as an a Python dict. salt.utils.http.query( 'http://example.com/delete/url', method='POST', header_file='/srv/salt/headers.jinja', header_render=True, header_renderer='jinja', template_data={'key1': 'value1', 'key2': 'value2'} ) Because much of the data that would be templated between headers and data may be the same, the template_data is the same for both. Correcting possible variable name collisions is up to the user. The query() function supports basic HTTP authentication. A username and password may be passed in as username and password, respectively. salt.utils.http.query( 'http://example.com', username='larry', password=`5700g3543v4r`, ) Cookies are also supported, using Python's built-in cookielib. However, they are turned off by default. To turn cookies on, set cookies to True. salt.utils.http.query( 'http://example.com', cookies=True ) By default cookies are stored in Salt's cache directory, normally /var/cache/salt, as a file called cookies.txt. However, this location may be changed with the cookie_jar argument: salt.utils.http.query( 'http://example.com', cookies=True, cookie_jar='/path/to/cookie_jar.txt' ) By default, the format of the cookie jar is LWP (aka, lib-www-perl). This default was chosen because it is a human-readable text file. If desired, the format of the cookie jar can be set to Mozilla: salt.utils.http.query( 'http://example.com', cookies=True, cookie_jar='/path/to/cookie_jar.txt', cookie_format='mozilla' ) Because Salt commands are normally one-off commands that are piped together, this library cannot normally behave as a normal browser, with session cookies that persist across multiple HTTP requests. However, the session can be persisted in a separate cookie jar. The default filename for this file, inside Salt's cache directory, is cookies.session.p. This can also be changed. salt.utils.http.query( 'http://example.com', persist_session=True, session_cookie_jar='/path/to/jar.p' ) The format of this file is msgpack, which is consistent with much of the rest of Salt's internal structure. Historically, the extension for this file is .p. There are no current plans to make this configurable. Return Data NOTE: Return data encoding If decode is set to True, query() will attempt to decode the return data. decode_type defaults to auto. Set it to a specific encoding, xml, for example, to override autodetection. Because Salt's http library was designed to be used with REST interfaces, query() will attempt to decode the data received from the remote server when decode is set to True. First it will check the Content-type header to try and find references to XML. If it does not find any, it will look for references to JSON. If it does not find any, it will fall back to plain text, which will not be decoded. JSON data is translated into a dict using Python's built-in json library. XML is translated using salt.utils.xml_util, which will use Python's built-in XML libraries to attempt to convert the XML into a dict. In order to force either JSON or XML decoding, the decode_type may be set: salt.utils.http.query( 'http://example.com', decode_type='xml' ) Once translated, the return dict from query() will include a dict called dict. If the data is not to be translated using one of these methods, decoding may be turned off. salt.utils.http.query( 'http://example.com', decode=False ) If decoding is turned on, and references to JSON or XML cannot be found, then this module will default to plain text, and return the undecoded data as text (even if text is set to False; see below). The query() function can return the HTTP status code, headers, and/or text as required. However, each must individually be turned on. salt.utils.http.query( 'http://example.com', status=True, headers=True, text=True ) The return from these will be found in the return dict as status, headers and text, respectively. Writing Return Data to Files It is possible to write either the return data or headers to files, as soon as the response is received from the server, but specifying file locations via the text_out or headers_out arguments. text and headers do not need to be returned to the user in order to do this. salt.utils.http.query( 'http://example.com', text=False, headers=False, text_out='/path/to/url_download.txt', headers_out='/path/to/headers_download.txt', ) SSL Verification By default, this function will verify SSL certificates. However, for testing or debugging purposes, SSL verification can be turned off. salt.utils.http.query( 'https://example.com', verify_ssl=False, ) CA Bundles The requests library has its own method of detecting which CA (certificate authority) bundle file to use. Usually this is implemented by the packager for the specific operating system distribution that you are using. However, urllib2 requires a little more work under the hood. By default, Salt will try to auto-detect the location of this file. However, if it is not in an expected location, or a different path needs to be specified, it may be done so using the ca_bundle variable. salt.utils.http.query( 'https://example.com', ca_bundle='/path/to/ca_bundle.pem', ) Updating CA Bundles The update_ca_bundle() function can be used to update the bundle file at a specified location. If the target location is not specified, then it will attempt to auto-detect the location of the bundle file. If the URL to download the bundle from does not exist, a bundle will be downloaded from the cURL website. CAUTION: The target and the source should always be specified! Failure to specify the target may result in the file being written to the wrong location on the local system. Failure to specify the source may cause the upstream URL to receive excess unnecessary traffic, and may cause a file to be download which is hazardous or does not meet the needs of the user. salt.utils.http.update_ca_bundle( target='/path/to/ca-bundle.crt', source='https://example.com/path/to/ca-bundle.crt', opts=__opts__, ) The opts parameter should also always be specified. If it is, then the target and the source may be specified in the relevant configuration file (master or minion) as ca_bundle and ca_bundle_url, respectively. ca_bundle: /path/to/ca-bundle.crt ca_bundle_url: https://example.com/path/to/ca-bundle.crt If Salt is unable to auto-detect the location of the CA bundle, it will raise an error. The update_ca_bundle() function can also be passed a string or a list of strings which represent files on the local system, which should be appended (in the specified order) to the end of the CA bundle file. This is useful in environments where private certs need to be made available, and are not otherwise reasonable to add to the bundle file. salt.utils.http.update_ca_bundle( opts=__opts__, merge_files=[ '/etc/ssl/private_cert_1.pem', '/etc/ssl/private_cert_2.pem', '/etc/ssl/private_cert_3.pem', ] ) Test Mode This function may be run in test mode. This mode will perform all work up until the actual HTTP request. By default, instead of performing the request, an empty dict will be returned. Using this function with TRACE logging turned on will reveal the contents of the headers and POST data to be sent. Rather than returning an empty dict, an alternate test_url may be passed in. If this is detected, then test mode will replace the url with the test_url, set test to True in the return data, and perform the rest of the requested operations as usual. This allows a custom, non-destructive URL to be used for testing when necessary. Execution Module The http execution module is a very thin wrapper around the salt.utils.http library. The opts can be passed through as well, but if they are not specified, the minion defaults will be used as necessary. Because passing complete data structures from the command line can be tricky at best and dangerous (in terms of execution injection attacks) at worse, the data_file, and header_file are likely to see more use here. All methods for the library are available in the execution module, as kwargs. salt myminion http.query http://example.com/restapi method=POST \ username='larry' password='5700g3543v4r' headers=True text=True \ status=True decode_type=xml data_render=True \ header_file=/tmp/headers.txt data_file=/tmp/data.txt \ header_render=True cookies=True persist_session=True Runner Module Like the execution module, the http runner module is a very thin wrapper around the salt.utils.http library. The only significant difference is that because runners execute on the master instead of a minion, a target is not required, and default opts will be derived from the master config, rather than the minion config. All methods for the library are available in the runner module, as kwargs. salt-run http.query http://example.com/restapi method=POST \ username='larry' password='5700g3543v4r' headers=True text=True \ status=True decode_type=xml data_render=True \ header_file=/tmp/headers.txt data_file=/tmp/data.txt \ header_render=True cookies=True persist_session=True State Module The state module is a wrapper around the runner module, which applies stateful logic to a query. All kwargs as listed above are specified as usual in state files, but two more kwargs are available to apply stateful logic. A required parameter is match, which specifies a pattern to look for in the return text. By default, this will perform a string comparison of looking for the value of match in the return text. In Python terms this looks like: if match in html_text: return True If more complex pattern matching is required, a regular expression can be used by specifying a match_type. By default this is set to string, but it can be manually set to pcre instead. Please note that despite the name, this will use Python's re.search() rather than re.match(). Therefore, the following states are valid: http://example.com/restapi: http.query: - match: 'SUCCESS' - username: 'larry' - password: '5700g3543v4r' - data_render: True - header_file: /tmp/headers.txt - data_file: /tmp/data.txt - header_render: True - cookies: True - persist_session: True http://example.com/restapi: http.query: - match_type: pcre - match: '(?i)succe[ss|ed]' - username: 'larry' - password: '5700g3543v4r' - data_render: True - header_file: /tmp/headers.txt - data_file: /tmp/data.txt - header_render: True - cookies: True - persist_session: True In addition to, or instead of a match pattern, the status code for a URL can be checked. This is done using the status argument: http://example.com/: http.query: - status: '200' If both are specified, both will be checked, but if only one is True and the other is False, then False will be returned. In this case, the comments in the return data will contain information for troubleshooting. Because this is a monitoring state, it will return extra data to code that expects it. This data will always include text and status. Optionally, headers and dict may also be requested by setting the headers and decode arguments to True, respectively. LXC Management with Salt NOTE: This walkthrough assumes basic knowledge of Salt. To get up to speed, check out the Salt Walkthrough. Dependencies Manipulation of LXC containers in Salt requires the minion to have an LXC version of at least 1.0 (an alpha or beta release of LXC 1.0 is acceptable). The following distributions are known to have new enough versions of LXC packaged: • RHEL/CentOS 6 and later (via EPEL) • Fedora (All non-EOL releases) • Debian 8.0 (Jessie) • Ubuntu 14.04 LTS and later (LXC templates are packaged separately as lxc-templates, it is recommended to also install this package) • openSUSE 13.2 and later Profiles Profiles allow for a sort of shorthand for commonly-used configurations to be defined in the minion config file, grains, pillar, or the master config file. The profile is retrieved by Salt using the config.get function, which looks in those locations, in that order. This allows for profiles to be defined centrally in the master config file, with several options for overriding them (if necessary) on groups of minions or individual minions. There are two types of profiles: • One for defining the parameters used in container creation/clone. • One for defining the container's network interface(s) settings. Container Profiles LXC container profiles are defined defined underneath the lxc.container_profile config option: lxc.container_profile: centos: template: centos backing: lvm vgname: vg1 lvname: lxclv size: 10G centos_big: template: centos backing: lvm vgname: vg1 lvname: lxclv size: 20G Profiles are retrieved using the config.get function, with the recurse merge strategy. This means that a profile can be defined at a lower level (for example, the master config file) and then parts of it can be overridden at a higher level (for example, in pillar data). Consider the following container profile data: In the Master config file: lxc.container_profile: centos: template: centos backing: lvm vgname: vg1 lvname: lxclv size: 10G In the Pillar data lxc.container_profile: centos: size: 20G Any minion with the above Pillar data would have the size parameter in the centos profile overridden to 20G, while those minions without the above Pillar data would have the 10G size value. This is another way of achieving the same result as the centos_big profile above, without having to define another whole profile that differs in just one value. NOTE: In the 2014.7.x release cycle and earlier, container profiles are defined under lxc.profile. This parameter will still work in version 2015.5.0, but is deprecated and will be removed in a future release. Please note however that the profile merging feature described above will only work with profiles defined under lxc.container_profile, and only in versions 2015.5.0 and later. Additionally, in version 2015.5.0 container profiles have been expanded to support passing template-specific CLI options to lxc.create. Below is a table describing the parameters which can be configured in container profiles: ┌──────────┬────────────────────┬──────────────────────┐ │Parameter │ 2015.5.0 and Newer │ 2014.7.x and Earlier │ ├──────────┼────────────────────┼──────────────────────┤ │template1 │ Yes │ Yes │ ├──────────┼────────────────────┼──────────────────────┤ │options1 │ Yes │ No │ ├──────────┼────────────────────┼──────────────────────┤ │image1 │ Yes │ Yes │ ├──────────┼────────────────────┼──────────────────────┤ │backing │ Yes │ Yes │ ├──────────┼────────────────────┼──────────────────────┤ │snapshot2 │ Yes │ Yes │ ├──────────┼────────────────────┼──────────────────────┤ │lvname1 │ Yes │ Yes │ ├──────────┼────────────────────┼──────────────────────┤ │fstype1 │ Yes │ Yes │ ├──────────┼────────────────────┼──────────────────────┤ │size │ Yes │ Yes │ └──────────┴────────────────────┴──────────────────────┘ 1. Parameter is only supported for container creation, and will be ignored if the profile is used when cloning a container. 2. Parameter is only supported for container cloning, and will be ignored if the profile is used when not cloning a container. Network Profiles LXC network profiles are defined defined underneath the lxc.network_profile config option. By default, the module uses a DHCP based configuration and try to guess a bridge to get connectivity. WARNING: on pre 2015.5.2, you need to specify explicitly the network bridge lxc.network_profile: centos: eth0: link: br0 type: veth flags: up ubuntu: eth0: link: lxcbr0 type: veth flags: up As with container profiles, network profiles are retrieved using the config.get function, with the recurse merge strategy. Consider the following network profile data: In the Master config file: lxc.network_profile: centos: eth0: link: br0 type: veth flags: up In the Pillar data lxc.network_profile: centos: eth0: link: lxcbr0 Any minion with the above Pillar data would use the lxcbr0 interface as the bridge interface for any container configured using the centos network profile, while those minions without the above Pillar data would use the br0 interface for the same. NOTE: In the 2014.7.x release cycle and earlier, network profiles are defined under lxc.nic. This parameter will still work in version 2015.5.0, but is deprecated and will be removed in a future release. Please note however that the profile merging feature described above will only work with profiles defined under lxc.network_profile, and only in versions 2015.5.0 and later. The following are parameters which can be configured in network profiles. These will directly correspond to a parameter in an LXC configuration file (see man 5 lxc.container.conf). • type - Corresponds to lxc.network.type • link - Corresponds to lxc.network.link • flags - Corresponds to lxc.network.flags Interface-specific options (MAC address, IPv4/IPv6, etc.) must be passed on a container-by-container basis, for instance using the nic_opts argument to lxc.create: salt myminion lxc.create container1 profile=centos network_profile=centos nic_opts='{eth0: {ipv4: 10.0.0.20/24, gateway: 10.0.0.1}}' WARNING: The ipv4, ipv6, gateway, and link (bridge) settings in network profiles / nic_opts will only work if the container doesn't redefine the network configuration (for example in /etc/sysconfig/network-scripts/ifcfg-<interface_name> on RHEL/CentOS, or /etc/network/interfaces on Debian/Ubuntu/etc.). Use these with caution. The container images installed using the download template, for instance, typically are configured for eth0 to use DHCP, which will conflict with static IP addresses set at the container level. NOTE: For LXC < 1.0.7 and DHCP support, set ipv4.gateway: 'auto' is your network profile, ie.: lxc.network_profile.nic: debian: eth0: link: lxcbr0 ipv4.gateway: 'auto' Old lxc support (<1.0.7) With saltstack 2015.5.2 and above, normally the setting is autoselected, but before, you'll need to teach your network profile to set lxc.network.ipv4.gateway to auto when using a classic ipv4 configuration. Thus you'll need lxc.network_profile.foo: etho: link: lxcbr0 ipv4.gateway: auto Tricky network setups Examples This example covers how to make a container with both an internal ip and a public routable ip, wired on two veth pairs. The another interface which receives directly a public routable ip can't be on the first interface that we reserve for private inter LXC networking. lxc.network_profile.foo: eth0: {gateway: null, bridge: lxcbr0} eth1: # replace that by your main interface 'link': 'br0' 'mac': '00:16:5b:01:24:e1' 'gateway': '2.20.9.14' 'ipv4': '2.20.9.1' Creating a Container on the CLI From a Template LXC is commonly distributed with several template scripts in /usr/share/lxc/templates. Some distros may package these separately in an lxc-templates package, so make sure to check if this is the case. There are LXC template scripts for several different operating systems, but some of them are designed to use tools specific to a given distribution. For instance, the ubuntu template uses deb_bootstrap, the centos template uses yum, etc., making these templates impractical when a container from a different OS is desired. The lxc.create function is used to create containers using a template script. To create a CentOS container named container1 on a CentOS minion named mycentosminion, using the centos LXC template, one can simply run the following command: salt mycentosminion lxc.create container1 template=centos For these instances, there is a download template which retrieves minimal container images for several different operating systems. To use this template, it is necessary to provide an options parameter when creating the container, with three values: 1. dist - the Linux distribution (i.e. ubuntu or centos) 2. release - the release name/version (i.e. trusty or 6) 3. arch - CPU architecture (i.e. amd64 or i386) The lxc.images function (new in version 2015.5.0) can be used to list the available images. Alternatively, the releases can be viewed on http://images.linuxcontainers.org/images/. The images are organized in such a way that the dist, release, and arch can be determined using the following URL format: http://images.linuxcontainers.org/images/dist/release/arch. For example, http://images.linuxcontainers.org/images/centos/6/amd64 would correspond to a dist of centos, a release of 6, and an arch of amd64. Therefore, to use the download template to create a new 64-bit CentOS 6 container, the following command can be used: salt myminion lxc.create container1 template=download options='{dist: centos, release: 6, arch: amd64}' NOTE: These command-line options can be placed into a container profile, like so: lxc.container_profile.cent6: template: download options: dist: centos release: 6 arch: amd64 The options parameter is not supported in profiles for the 2014.7.x release cycle and earlier, so it would still need to be provided on the command-line. Cloning an Existing Container To clone a container, use the lxc.clone function: salt myminion lxc.clone container2 orig=container1 Using a Container Image While cloning is a good way to create new containers from a common base container, the source container that is being cloned needs to already exist on the minion. This makes deploying a common container across minions difficult. For this reason, Salt's lxc.create is capable of installing a container from a tar archive of another container's rootfs. To create an image of a container named cent6, run the following command as root: tar czf cent6.tar.gz -C /var/lib/lxc/cent6 rootfs NOTE: Before doing this, it is recommended that the container is stopped. The resulting tarball can then be placed alongside the files in the salt fileserver and referenced using a salt:// URL. To create a container using an image, use the image parameter with lxc.create: salt myminion lxc.create new-cent6 image=salt://path/to/cent6.tar.gz NOTE: Making images of containers with LVM backing For containers with LVM backing, the rootfs is not mounted, so it is necessary to mount it first before creating the tar archive. When a container is created using LVM backing, an empty rootfs dir is handily created within /var/lib/lxc/container_name, so this can be used as the mountpoint. The location of the logical volume for the container will be /dev/vgname/lvname, where vgname is the name of the volume group, and lvname is the name of the logical volume. Therefore, assuming a volume group of vg1, a logical volume of lxc-cent6, and a container name of cent6, the following commands can be used to create a tar archive of the rootfs: mount /dev/vg1/lxc-cent6 /var/lib/lxc/cent6/rootfs tar czf cent6.tar.gz -C /var/lib/lxc/cent6 rootfs umount /var/lib/lxc/cent6/rootfs WARNING: One caveat of using this method of container creation is that /etc/hosts is left unmodified. This could cause confusion for some distros if salt-minion is later installed on the container, as the functions that determine the hostname take /etc/hosts into account. Additionally, when creating an rootfs image, be sure to remove /etc/salt/minion_id and make sure that id is not defined in /etc/salt/minion, as this will cause similar issues. Initializing a New Container as a Salt Minion The above examples illustrate a few ways to create containers on the CLI, but often it is desirable to also have the new container run as a Minion. To do this, the lxc.init function can be used. This function will do the following: 1. Create a new container 2. Optionally set password and/or DNS 3. Bootstrap the minion (using either salt-bootstrap or a custom command) By default, the new container will be pointed at the same Salt Master as the host machine on which the container was created. It will then request to authenticate with the Master like any other bootstrapped Minion, at which point it can be accepted. salt myminion lxc.init test1 profile=centos salt-key -a test1 For even greater convenience, the LXC runner contains a runner function of the same name (lxc.init), which creates a keypair, seeds the new minion with it, and pre-accepts the key, allowing for the new Minion to be created and authorized in a single step: salt-run lxc.init test1 host=myminion profile=centos Running Commands Within a Container For containers which are not running their own Minion, commands can be run within the container in a manner similar to using (cmd.run <salt.modules.cmdmod.run). The means of doing this have been changed significantly in version 2015.5.0 (though the deprecated behavior will still be supported for a few releases). Both the old and new usage are documented below. 2015.5.0 and Newer New functions have been added to mimic the behavior of the functions in the cmd module. Below is a table with the cmd functions and their lxc module equivalents: ┌─────────────────────────┬────────────────┬────────────────┐ │Description │ cmd module │ lxc module │ ├─────────────────────────┼────────────────┼────────────────┤ │Run a command and get │ cmd.run │ lxc.run │ │all output │ │ │ ├─────────────────────────┼────────────────┼────────────────┤ │Run a command and get │ cmd.run_stdout │ lxc.run_stdout │ │just stdout │ │ │ ├─────────────────────────┼────────────────┼────────────────┤ │Run a command and get │ cmd.run_stderr │ lxc.run_stderr │ │just stderr │ │ │ ├─────────────────────────┼────────────────┼────────────────┤ │Run a command and get │ cmd.retcode │ lxc.retcode │ │just the retcode │ │ │ ├─────────────────────────┼────────────────┼────────────────┤ │Run a command and get │ cmd.run_all │ lxc.run_all │ │all information │ │ │ └─────────────────────────┴────────────────┴────────────────┘ 2014.7.x and Earlier Earlier Salt releases use a single function (lxc.run_cmd) to run commands within containers. Whether stdout, stderr, etc. are returned depends on how the function is invoked. To run a command and return the stdout: salt myminion lxc.run_cmd web1 'tail /var/log/messages' To run a command and return the stderr: salt myminion lxc.run_cmd web1 'tail /var/log/messages' stdout=False stderr=True To run a command and return the retcode: salt myminion lxc.run_cmd web1 'tail /var/log/messages' stdout=False stderr=False To run a command and return all information: salt myminion lxc.run_cmd web1 'tail /var/log/messages' stdout=True stderr=True Container Management Using salt-cloud Salt cloud uses under the hood the salt runner and module to manage containers, Please look at this chapter Container Management Using States Several states are being renamed or otherwise modified in version 2015.5.0. The information in this tutorial refers to the new states. For 2014.7.x and earlier, please refer to the documentation for the LXC states. Ensuring a Container Is Present To ensure the existence of a named container, use the lxc.present state. Here are some examples: # Using a template web1: lxc.present: - template: download - options: dist: centos release: 6 arch: amd64 # Cloning web2: lxc.present: - clone_from: web-base # Using a rootfs image web3: lxc.present: - image: salt://path/to/cent6.tar.gz # Using profiles web4: lxc.present: - profile: centos_web - network_profile: centos WARNING: The lxc.present state will not modify an existing container (in other words, it will not re-create the container). If an lxc.present state is run on an existing container, there will be no change and the state will return a True result. The lxc.present state also includes an optional running parameter which can be used to ensure that a container is running/stopped. Note that there are standalone lxc.running and lxc.stopped states which can be used for this purpose. Ensuring a Container Does Not Exist To ensure that a named container is not present, use the lxc.absent state. For example: web1: lxc.absent Ensuring a Container is Running/Stopped/Frozen Containers can be in one of three states: • running - Container is running and active • frozen - Container is running, but all process are blocked and the container is essentially non-active until the container is "unfrozen" • stopped - Container is not running Salt has three states (lxc.running, lxc.frozen, and lxc.stopped) which can be used to ensure a container is in one of these states: web1: lxc.running # Restart the container if it was already running web2: lxc.running: - restart: True web3: lxc.stopped # Explicitly kill all tasks in container instead of gracefully stopping web4: lxc.stopped: - kill: True web5: lxc.frozen # If container is stopped, do not start it (in which case the state will fail) web6: lxc.frozen: - start: False Using Salt with Stormpath Stormpath is a user management and authentication service. This tutorial covers using SaltStack to manage and take advantage of Stormpath's features. External Authentication Stormpath can be used for Salt's external authentication system. In order to do this, the master should be configured with an apiid, apikey, and the ID of the application that is associated with the users to be authenticated: stormpath: apiid: 367DFSF4FRJ8767FSF4G34FGH apikey: FEFREF43t3FEFRe/f323fwer4FWF3445gferWRWEer1 application: 786786FREFrefreg435fr1 NOTE: These values can be found in the Stormpath dashboard <https://api.stormpath.com/ui2/index.html#/>`_. Users that are to be authenticated should be set up under the stormpath dict under external_auth: external_auth: stormpath: larry: - .* - '@runner' - '@wheel' Keep in mind that while Stormpath defaults the username associated with the account to the email address, it is better to use a username without an @ sign in it. Configuring Stormpath Modules Stormpath accounts can be managed via either an execution or state module. In order to use either, a minion must be configured with an API ID and key. stormpath: apiid: 367DFSF4FRJ8767FSF4G34FGH apikey: FEFREF43t3FEFRe/f323fwer4FWF3445gferWRWEer1 directory: efreg435fr1786786FREFr application: 786786FREFrefreg435fr1 Some functions in the stormpath modules can make use of other options. The following options are also available. directory The ID of the directory that is to be used with this minion. Many functions require an ID to be specified to do their work. However, if the ID of a directory is specified, then Salt can often look up the resource in question. application The ID of the application that is to be used with this minion. Many functions require an ID to be specified to do their work. However, if the ID of a application is specified, then Salt can often look up the resource in question. Managing Stormpath Accounts With the stormpath configuration in place, Salt can be used to configure accounts (which may be thought of as users) on the Stormpath service. The following functions are available. stormpath.create_account Create an account on the Stormpath service. This requires a directory_id as the first argument; it will not be retrieved from the minion configuration. An email address, password, first name (givenName) and last name (surname) are also required. For the full list of other parameters that may be specified, see: http://docs.stormpath.com/rest/product-guide/#account-resource When executed with no errors, this function will return the information about the account, from Stormpath. salt myminion stormpath.create_account <directory_id> shemp@example.com letmein Shemp Howard stormpath.list_accounts Show all accounts on the Stormpath service. This will return all accounts, regardless of directory, application, or group. salt myminion stormpath.list_accounts ''' stormpath.show_account Show the details for a specific Stormpath account. An account_id is normally required. However, if am email is provided instead, along with either a directory_id, application_id, or group_id, then Salt will search the specified resource to try and locate the account_id. salt myminion stormpath.show_account <account_id> salt myminion stormpath.show_account email=<email> directory_id=<directory_id> stormpath.update_account Update one or more items for this account. Specifying an empty value will clear it for that account. This function may be used in one of two ways. In order to update only one key/value pair, specify them in order: salt myminion stormpath.update_account <account_id> givenName shemp salt myminion stormpath.update_account <account_id> middleName '' In order to specify multiple items, they need to be passed in as a dict. From the command line, it is best to do this as a JSON string: salt myminion stormpath.update_account <account_id> items='{"givenName": "Shemp"} salt myminion stormpath.update_account <account_id> items='{"middlename": ""} When executed with no errors, this function will return the information about the account, from Stormpath. stormpath.delete_account Delete an account from Stormpath. salt myminion stormpath.delete_account <account_id> stormpath.list_directories Show all directories associated with this tenant. salt myminion stormpath.list_directories Using Stormpath States Stormpath resources may be managed using the state system. The following states are available. stormpath_account.present Ensure that an account exists on the Stormpath service. All options that are available with the stormpath.create_account function are available here. If an account needs to be created, then this function will require the same fields that stormpath.create_account requires, including the password. However, if a password changes for an existing account, it will NOT be updated by this state. curly@example.com: stormpath_account.present: - directory_id: efreg435fr1786786FREFr - password: badpass - firstName: Curly - surname: Howard - nickname: curly It is advisable to always set a nickname that is not also an email address, so that it can be used by Salt's external authentication module. stormpath_account.absent Ensure that an account does not exist on Stormpath. As with stormpath_account.present, the name supplied to this state is the email address associated with this account. Salt will use this, with or without the directory ID that is configured for the minion. However, lookups will be much faster with a directory ID specified. Salt Virt Salt as a Cloud Controller In Salt 0.14.0, an advanced cloud control system were introduced, allow private cloud vms to be managed directly with Salt. This system is generally referred to as Salt Virt. The Salt Virt system already exists and is installed within Salt itself, this means that beside setting up Salt, no additional salt code needs to be deployed. The main goal of Salt Virt is to facilitate a very fast and simple cloud. The cloud that can scale and fully featured. Salt Virt comes with the ability to set up and manage complex virtual machine networking, powerful image, and disk management, as well as virtual machine migration with and without shared storage. This means that Salt Virt can be used to create a cloud from a blade center and a SAN, but can also create a cloud out of a swarm of Linux Desktops without a single shared storage system. Salt Virt can make clouds from truly commodity hardware, but can also stand up the power of specialized hardware as well. Setting up Hypervisors The first step to set up the hypervisors involves getting the correct software installed and setting up the hypervisor network interfaces. Installing Hypervisor Software Salt Virt is made to be hypervisor agnostic but currently the only fully implemented hypervisor is KVM via libvirt. The required software for a hypervisor is libvirt and kvm. For advanced features install libguestfs or qemu-nbd. NOTE: Libguestfs and qemu-nbd allow for virtual machine images to be mounted before startup and get pre-seeded with configurations and a salt minion This sls will set up the needed software for a hypervisor, and run the routines to set up the libvirt pki keys. NOTE: Package names and setup used is Red Hat specific, different package names will be required for different platforms libvirt: pkg.installed: [] file.managed: - name: /etc/sysconfig/libvirtd - contents: 'LIBVIRTD_ARGS="--listen"' - require: - pkg: libvirt libvirt.keys: - require: - pkg: libvirt service.running: - name: libvirtd - require: - pkg: libvirt - network: br0 - libvirt: libvirt - watch: - file: libvirt libvirt-python: pkg.installed: [] libguestfs: pkg.installed: - pkgs: - libguestfs - libguestfs-tools Hypervisor Network Setup The hypervisors will need to be running a network bridge to serve up network devices for virtual machines, this formula will set up a standard bridge on a hypervisor connecting the bridge to eth0: eth0: network.managed: - enabled: True - type: eth - bridge: br0 br0: network.managed: - enabled: True - type: bridge - proto: dhcp - require: - network: eth0 Virtual Machine Network Setup Salt Virt comes with a system to model the network interfaces used by the deployed virtual machines; by default a single interface is created for the deployed virtual machine and is bridged to br0. To get going with the default networking setup, ensure that the bridge interface named br0 exists on the hypervisor and is bridged to an active network device. NOTE: To use more advanced networking in Salt Virt, read the Salt Virt Networking document: Salt Virt Networking Libvirt State One of the challenges of deploying a libvirt based cloud is the distribution of libvirt certificates. These certificates allow for virtual machine migration. Salt comes with a system used to auto deploy these certificates. Salt manages the signing authority key and generates keys for libvirt clients on the master, signs them with the certificate authority and uses pillar to distribute them. This is managed via the libvirt state. Simply execute this formula on the minion to ensure that the certificate is in place and up to date: NOTE: The above formula includes the calls needed to set up libvirt keys. libvirt_keys: libvirt.keys Getting Virtual Machine Images Ready Salt Virt, requires that virtual machine images be provided as these are not generated on the fly. Generating these virtual machine images differs greatly based on the underlying platform. Virtual machine images can be manually created using KVM and running through the installer, but this process is not recommended since it is very manual and prone to errors. Virtual Machine generation applications are available for many platforms: vm-builder: https://wiki.debian.org/VMBuilder SEE ALSO: vmbuilder-formula Once virtual machine images are available, the easiest way to make them available to Salt Virt is to place them in the Salt file server. Just copy an image into /srv/salt and it can now be used by Salt Virt. For purposes of this demo, the file name centos.img will be used. Existing Virtual Machine Images Many existing Linux distributions distribute virtual machine images which can be used with Salt Virt. Please be advised that NONE OF THESE IMAGES ARE SUPPORTED BY SALTSTACK. CentOS These images have been prepared for OpenNebula but should work without issue with Salt Virt, only the raw qcow image file is needed: http://wiki.centos.org/Cloud/OpenNebula Fedora Linux Images for Fedora Linux can be found here: http://fedoraproject.org/en/get-fedora#clouds Ubuntu Linux Images for Ubuntu Linux can be found here: http://cloud-images.ubuntu.com/ Using Salt Virt With hypervisors set up and virtual machine images ready, Salt can start issuing cloud commands. Start by running a Salt Virt hypervisor info command: salt-run virt.hyper_info This will query what the running hypervisor stats are and display information for all configured hypervisors. This command will also validate that the hypervisors are properly configured. Now that hypervisors are available a virtual machine can be provisioned. The virt.init routine will create a new virtual machine: salt-run virt.init centos1 2 512 salt://centos.img This command assumes that the CentOS virtual machine image is sitting in the root of the Salt fileserver. Salt Virt will now select a hypervisor to deploy the new virtual machine on and copy the virtual machine image down to the hypervisor. Once the VM image has been copied down the new virtual machine will be seeded. Seeding the VMs involves setting pre-authenticated Salt keys on the new VM and if needed, will install the Salt Minion on the new VM before it is started. NOTE: The biggest bottleneck in starting VMs is when the Salt Minion needs to be installed. Making sure that the source VM images already have Salt installed will GREATLY speed up virtual machine deployment. Now that the new VM has been prepared, it can be seen via the virt.query command: salt-run virt.query This command will return data about all of the hypervisors and respective virtual machines. Now that the new VM is booted it should have contacted the Salt Master, a test.ping will reveal if the new VM is running. Migrating Virtual Machines Salt Virt comes with full support for virtual machine migration, and using the libvirt state in the above formula makes migration possible. A few things need to be available to support migration. Many operating systems turn on firewalls when originally set up, the firewall needs to be opened up to allow for libvirt and kvm to cross communicate and execution migration routines. On Red Hat based hypervisors in particular port 16514 needs to be opened on hypervisors: iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 16514 -j ACCEPT NOTE: More in-depth information regarding distribution specific firewall settings can read in: Opening the Firewall up for Salt Salt also needs an additional flag to be turned on as well. The virt.tunnel option needs to be turned on. This flag tells Salt to run migrations securely via the libvirt TLS tunnel and to use port 16514. Without virt.tunnel libvirt tries to bind to random ports when running migrations. To turn on virt.tunnel simple apply it to the master config file: virt.tunnel: True Once the master config has been updated, restart the master and send out a call to the minions to refresh the pillar to pick up on the change: salt \* saltutil.refresh_modules Now, migration routines can be run! To migrate a VM, simply run the Salt Virt migrate routine: salt-run virt.migrate centos <new hypervisor> VNC Consoles Salt Virt also sets up VNC consoles by default, allowing for remote visual consoles to be oped up. The information from a virt.query routine will display the vnc console port for the specific vms: centos CPU: 2 Memory: 524288 State: running Graphics: vnc - hyper6:5900 Disk - vda: Size: 2.0G File: /srv/salt-images/ubuntu2/system.qcow2 File Format: qcow2 Nic - ac:de:48:98:08:77: Source: br0 Type: bridge The line Graphics: vnc - hyper6:5900 holds the key. First the port named, in this case 5900, will need to be available in the hypervisor's firewall. Once the port is open, then the console can be easily opened via vncviewer: vncviewer hyper6:5900 By default there is no VNC security set up on these ports, which suggests that keeping them firewalled and mandating that SSH tunnels be used to access these VNC interfaces. Keep in mind that activity on a VNC interface that is accessed can be viewed by any other user that accesses that same VNC interface, and any other user logging in can also operate with the logged in user on the virtual machine. Conclusion Now with Salt Virt running, new hypervisors can be seamlessly added just by running the above states on new bare metal machines, and these machines will be instantly available to Salt Virt. LXC ESXi Proxy Minion ESXi Proxy Minion New in version 2015.8.4. NOTE: This tutorial assumes basic knowledge of Salt. To get up to speed, check out the Salt Walkthrough. This tutorial also assumes a basic understanding of Salt Proxy Minions. If you're unfamiliar with Salt's Proxy Minion system, please read the Salt Proxy Minion documentation and the Salt Proxy Minion End-to-End Example tutorial. The third assumption that this tutorial makes is that you also have a basic understanding of ESXi hosts. You can learn more about ESXi hosts on VMware's various resources. Salt's ESXi Proxy Minion allows a VMware ESXi host to be treated as an individual Salt Minion, without installing a Salt Minion on the ESXi host. Since an ESXi host may not necessarily run on an OS capable of hosting a Python stack, the ESXi host can't run a regular Salt Minion directly. Therefore, Salt's Proxy Minion functionality enables you to designate another machine to host a proxy process that "proxies" communication from the Salt Master to the ESXi host. The master does not know or care that the ESXi target is not a "real" Salt Minion. More in-depth conceptual reading on Proxy Minions can be found in the Proxy Minion section of Salt's documentation. Salt's ESXi Proxy Minion was added in the 2015.8.4 release of Salt. NOTE: Be aware that some functionality for the ESXi Proxy Minion may depend on the type of license attached the ESXi host(s). For example, certain services are only available to manipulate service state or policies with a VMware vSphere Enterprise or Enterprise Plus license, while others are available with a Standard license. The ntpd service is restricted to an Enterprise Plus license, while ssh is available via the Standard license. Please see the vSphere Comparison page for more information. Dependencies Manipulation of the ESXi host via a Proxy Minion requires the machine running the Proxy Minion process to have the ESXCLI package (and all of it's dependencies) and the pyVmomi Python Library to be installed. ESXi Password The ESXi Proxy Minion uses VMware's API to perform tasks on the host as if it was a regular Salt Minion. In order to access the API that is already running on the ESXi host, the ESXi host must have a username and password that is used to log into the host. The username is usually root. Before Salt can access the ESXi host via VMware's API, a default password must be set on the host. pyVmomi The pyVmomi Python library must be installed on the machine that is running the proxy process. pyVmomi can be installed via pip: pip install pyVmomi NOTE: Version 6.0 of pyVmomi has some problems with SSL error handling on certain versions of Python. If using version 6.0 of pyVmomi, the machine that you are running the proxy minion process from must have either Python 2.6, Python 2.7.9, or newer. This is due to an upstream dependency in pyVmomi 6.0 that is not supported in Python version 2.7 to 2.7.8. If the version of Python running the proxy process is not in the supported range, you will need to install an earlier version of pyVmomi. See Issue #29537 for more information. Based on the note above, to install an earlier version of pyVmomi than the version currently listed in PyPi, run the following: pip install pyVmomi==5.5.0.2014.1.1 The 5.5.0.2014.1.1 is a known stable version that the original ESXi Proxy Minion was developed against. ESXCLI Currently, about a third of the functions used for the ESXi Proxy Minion require the ESXCLI package be installed on the machine running the Proxy Minion process. The ESXCLI package is also referred to as the VMware vSphere CLI, or vCLI. VMware provides vCLI package installation instructions for vSphere 5.5 and vSphere 6.0. Once all of the required dependencies are in place and the vCLI package is installed, you can check to see if you can connect to your ESXi host by running the following command: esxcli -s <host-location> -u <username> -p <password> system syslog config get If the connection was successful, ESXCLI was successfully installed on your system. You should see output related to the ESXi host's syslog configuration. Configuration There are several places where various configuration values need to be set in order for the ESXi Proxy Minion to run and connect properly. Proxy Config File On the machine that will be running the Proxy Minon process(es), a proxy config file must be in place. This file should be located in the /etc/salt/ directory and should be named proxy. If the file is not there by default, create it. This file should contain the location of your Salt Master that the Salt Proxy will connect to. NOTE: If you're running your ESXi Proxy Minion on version of Salt that is 2015.8.4 or newer, you also need to set add_proxymodule_to_opts: False in your proxy config file. The need to specify this configuration will be removed with Salt Boron, the next major feature release. See the New in 2015.8.2 section of the Proxy Minion documentation for more information. Example Proxy Config File: # /etc/salt/proxy master: <salt-master-location> add_proxymodule_to_opts: False Pillar Profiles Proxy minions get their configuration from Salt's Pillar. Every proxy must have a stanza in Pillar and a reference in the Pillar top-file that matches the Proxy ID. At a minimum for communication with the ESXi host, the pillar should look like this: proxy: proxytype: esxi host: <ip or dns name of esxi host> username: <ESXi username> passwords: - first_password - second_password - third_password Some other optional settings are protocol and port. These can be added to the pillar configuration. proxytype The proxytype key and value pair is critical, as it tells Salt which interface to load from the proxy directory in Salt's install hierarchy, or from /srv/salt/_proxy on the Salt Master (if you have created your own proxy module, for example). To use this ESXi Proxy Module, set this to esxi. host The location, or ip/dns, of the ESXi host. Required. username The username used to login to the ESXi host, such as root. Required. passwords A list of passwords to be used to try and login to the ESXi host. At least one password in this list is required. The proxy integration will try the passwords listed in order. It is configured this way so you can have a regular password and the password you may be updating for an ESXi host either via the vsphere.update_host_password execution module function or via the esxi.password_present state function. This way, after the password is changed, you should not need to restart the proxy minion--it should just pick up the the new password provided in the list. You can then change pillar at will to move that password to the front and retire the unused ones. Use-case/reasoning for using a list of passwords: You are setting up an ESXi host for the first time, and the host comes with a default password. You know that you'll be changing this password during your initial setup from the default to a new password. If you only have one password option, and if you have a state changing the password, any remote execution commands or states that run after the password change will not be able to run on the host until the password is updated in Pillar and the Proxy Minion process is restarted. This allows you to use any number of potential fallback passwords. NOTE: When a password is changed on the host to one in the list of possible passwords, the further down on the list the password is, the longer individual commands will take to return. This is due to the nature of pyVmomi's login system. We have to wait for the first attempt to fail before trying the next password on the list. This scenario is especially true, and even slower, when the proxy minion first starts. If the correct password is not the first password on the list, it may take up to a minute for test.ping to respond with a True result. Once the initial authorization is complete, the responses for commands will be a little faster. To avoid these longer waiting periods, SaltStack recommends moving the correct password to the top of the list and restarting the proxy minion at your earliest convenience. protocol If the ESXi host is not using the default protocol, set this value to an alternate protocol. Default is https. For example: port If the ESXi host is not using the default port, set this value to an alternate port. Default is 443. Example Configuration Files An example of all of the basic configurations that need to be in place before starting the Proxy Minion processes includes the Proxy Config File, Pillar Top File, and any individual Proxy Minion Pillar files. In this example, we'll assuming there are two ESXi hosts to connect to. Therefore, we'll be creating two Proxy Minion config files, one config for each ESXi host. Proxy Config File: # /etc/salt/proxy master: <salt-master-location> add_proxymodule_to_opts: False Pillar Top File: # /srv/pillar/top.sls base: 'esxi-1': - esxi-1 'esxi-2': - esxi-2 Pillar Config File for the first ESXi host, esxi-1: # /srv/pillar/esxi-1.sls proxy: proxytype: esxi host: esxi-1.example.com username: 'root' passwords: - bad-password-1 - backup-bad-password-1 Pillar Config File for the second ESXi host, esxi-2: # /srv/pillar/esxi-2.sls proxy: proxytype: esxi host: esxi-2.example.com username: 'root' passwords: - bad-password-2 - backup-bad-password-2 Starting the Proxy Minion Once all of the correct configuration files are in place, it is time to start the proxy processes! 1. First, make sure your Salt Master is running. 2. Start the first Salt Proxy, in debug mode, by giving the Proxy Minion process and ID that matches the config file name created in the Configuration section. salt-proxy --proxyid='esxi-1' -l debug 1. Accept the esxi-1 Proxy Minion's key on the Salt Master: # salt-key -L Accepted Keys: Denied Keys: Unaccepted Keys: esxi-1 Rejected Keys: # # salt-key -a esxi-1 The following keys are going to be accepted: Unaccepted Keys: esxi-1 Proceed? [n/Y] y Key for minion esxi-1 accepted. 1. Repeat for the second Salt Proxy, this time we'll run the proxy process as a daemon, as an example. salt-proxy --proxyid='esxi-2' -d 1. Accept the esxi-2 Proxy Minion's key on the Salt Master: # salt-key -L Accepted Keys: esxi-1 Denied Keys: Unaccepted Keys: esxi-2 Rejected Keys: # # salt-key -a esxi-1 The following keys are going to be accepted: Unaccepted Keys: esxi-2 Proceed? [n/Y] y Key for minion esxi-1 accepted. 1. Check and see if your Proxy Minions are responding: # salt 'esxi-*' test.ping esxi-1: True esxi-3: True Executing Commands Now that you've configured your Proxy Minions and have them responding successfully to a test.ping, we can start executing commands against the ESXi hosts via Salt. It's important to understand how this particular proxy works, and there are a couple of important pieces to be aware of in order to start running remote execution and state commands against the ESXi host via a Proxy Minion: the vSphere Execution Module, the ESXi Execution Module, and the ESXi State Module. vSphere Execution Module The Salt.modules.vsphere is a standard Salt execution module that does the bulk of the work for the ESXi Proxy Minion. If you pull up the docs for it you'll see that almost every function in the module takes credentials (username and password) and a target host argument. When credentials and a host aren't passed, Salt runs commands through pyVmomi or ESXCLI against the local machine. If you wanted, you could run functions from this module on any machine where an appropriate version of pyVmomi and ESXCLI are installed, and that machine would reach out over the network and communicate with the ESXi host. You'll notice that most of the functions in the vSphere module require a host, username, and password. These parameters are contained in the Pillar files and passed through to the function via the proxy process that is already running. You don't need to provide these parameters when you execute the commands. See the Running Remote Execution Commands section below for an example. ESXi Execution Module In order for the Pillar information set up in the Configuration section above to be passed to the function call in the vSphere Execution Module, the salt.modules.esxi execution module acts as a "shim" between the vSphere execution module functions and the proxy process. The "shim" takes the authentication credentials specified in the Pillar files and passes them through to the host, username, password, and optional protocol and port options required by the vSphere Execution Module functions. If the function takes more positional, or keyword, arguments you can append them to the call. It's this shim that speaks to the ESXi host through the proxy, arranging for the credentials and hostname to be pulled from the Pillar section for the ESXi Proxy Minion. Because of the presence of the shim, to lookup documentation for what functions you can use to interface with the ESXi host, you'll want to look in salt.modules.vsphere instead of salt.modules.esxi. Running Remote Execution Commands To run commands from the Salt Master to execute, via the ESXi Proxy Minion, against the ESXi host, you use the esxi.cmd <vsphere-function-name> syntax to call functions located in the vSphere Execution Module. Both args and kwargs needed for various vsphere execution module functions must be passed through in a kwarg- type manor. For example: salt 'esxi-*' esxi.cmd system_info salt 'exsi-*' esxi.cmd get_service_running service_name='ssh' ESXi State Module The ESXi State Module functions similarly to other state modules. The "shim" provided by the ESXi Execution Module passes the necessary host, username, and password credentials through, so those options don't need to be provided in the state. Other than that, state files are written and executed just like any other Salt state. See the salt.modules.esxi state for ESXi state functions. The follow state file is an example of how to configure various pieces of an ESXi host including enabling SSH, uploading and SSH key, configuring a coredump network config, syslog, ntp, enabling VMotion, resetting a host password, and more. # /srv/salt/configure-esxi.sls configure-host-ssh: esxi.ssh_configured: - service_running: True - ssh_key_file: /etc/salt/ssh_keys/my_key.pub - service_policy: 'automatic' - service_restart: True - certificate_verify: True configure-host-coredump: esxi.coredump_configured: - enabled: True - dump_ip: 'my-coredump-ip.example.com' configure-host-syslog: esxi.syslog_configured: - syslog_configs: loghost: ssl://localhost:5432,tcp://10.1.0.1:1514 default-timeout: 120 - firewall: True - reset_service: True - reset_syslog_config: True - reset_configs: loghost,default-timeout configure-host-ntp: esxi.ntp_configured: - service_running: True - ntp_servers: - 192.174.1.100 - 192.174.1.200 - service_policy: 'automatic' - service_restart: True configure-vmotion: esxi.vmotion_configured: - enabled: True configure-host-vsan: esxi.vsan_configured: - enabled: True - add_disks_to_vsan: True configure-host-password: esxi.password_present: - password: 'new-bad-password' States are called via the ESXi Proxy Minion just as they would on a regular minion. For example: salt 'esxi-*' state.sls configure-esxi test=true salt 'esxi-*' state.sls configure-esxi Relevant Salt Files and Resources • ESXi Proxy Minion • ESXi Execution Module • ESXi State Module • Salt Proxy Minion Docs • Salt Proxy Minion End-to-End Example • vSphere Execution Module Using Salt at scale Using Salt at scale The focus of this tutorial will be building a Salt infrastructure for handling large numbers of minions. This will include tuning, topology, and best practices. For how to install the Salt Master please go here: Installing saltstack NOTE: This tutorial is intended for large installations, although these same settings won't hurt, it may not be worth the complexity to smaller installations. When used with minions, the term 'many' refers to at least a thousand and 'a few' always means 500. For simplicity reasons, this tutorial will default to the standard ports used by Salt. The Master The most common problems on the Salt Master are: 1. too many minions authing at once 2. too many minions re-authing at once 3. too many minions re-connecting at once 4. too many minions returning at once 5. too few resources (CPU/HDD) The first three are all "thundering herd" problems. To mitigate these issues we must configure the minions to back-off appropriately when the Master is under heavy load. The fourth is caused by masters with little hardware resources in combination with a possible bug in ZeroMQ. At least that's what it looks like till today (Issue 118651, Issue 5948, Mail thread) To fully understand each problem, it is important to understand, how Salt works. Very briefly, the Salt Master offers two services to the minions. • a job publisher on port 4505 • an open port 4506 to receive the minions returns All minions are always connected to the publisher on port 4505 and only connect to the open return port 4506 if necessary. On an idle Master, there will only be connections on port 4505. Too many minions authing When the Minion service is first started up, it will connect to its Master's publisher on port 4505. If too many minions are started at once, this can cause a "thundering herd". This can be avoided by not starting too many minions at once. The connection itself usually isn't the culprit, the more likely cause of master-side issues is the authentication that the Minion must do with the Master. If the Master is too heavily loaded to handle the auth request it will time it out. The Minion will then wait acceptance_wait_time to retry. If acceptance_wait_time_max is set then the Minion will increase its wait time by the acceptance_wait_time each subsequent retry until reaching acceptance_wait_time_max. Too many minions re-authing This is most likely to happen in the testing phase of a Salt deployment, when all Minion keys have already been accepted, but the framework is being tested and parameters are frequently changed in the Salt Master's configuration file(s). The Salt Master generates a new AES key to encrypt its publications at certain events such as a Master restart or the removal of a Minion key. If you are encountering this problem of too many minions re-authing against the Master, you will need to recalibrate your setup to reduce the rate of events like a Master restart or Minion key removal (salt-key -d). When the Master generates a new AES key, the minions aren't notified of this but will discover it on the next pub job they receive. When the Minion receives such a job it will then re-auth with the Master. Since Salt does minion-side filtering this means that all the minions will re-auth on the next command published on the master-- causing another "thundering herd". This can be avoided by setting the random_reauth_delay: 60 in the minions configuration file to a higher value and stagger the amount of re-auth attempts. Increasing this value will of course increase the time it takes until all minions are reachable via Salt commands. Too many minions re-connecting By default the zmq socket will re-connect every 100ms which for some larger installations may be too quick. This will control how quickly the TCP session is re-established, but has no bearing on the auth load. To tune the minions sockets reconnect attempts, there are a few values in the sample configuration file (default values) recon_default: 100ms recon_max: 5000 recon_randomize: True • recon_default: the default value the socket should use, i.e. 100ms • recon_max: the max value that the socket should use as a delay before trying to reconnect • recon_randomize: enables randomization between recon_default and recon_max To tune this values to an existing environment, a few decision have to be made. 1. How long can one wait, before the minions should be online and reachable via Salt? 2. How many reconnects can the Master handle without a syn flood? These questions can not be answered generally. Their answers depend on the hardware and the administrators requirements. Here is an example scenario with the goal, to have all minions reconnect within a 60 second time-frame on a Salt Master service restart. recon_default: 1000 recon_max: 59000 recon_randomize: True Each Minion will have a randomized reconnect value between 'recon_default' and 'recon_default + recon_max', which in this example means between 1000ms and 60000ms (or between 1 and 60 seconds). The generated random-value will be doubled after each attempt to reconnect (ZeroMQ default behavior). Lets say the generated random value is 11 seconds (or 11000ms). reconnect 1: wait 11 seconds reconnect 2: wait 22 seconds reconnect 3: wait 33 seconds reconnect 4: wait 44 seconds reconnect 5: wait 55 seconds reconnect 6: wait time is bigger than 60 seconds (recon_default + recon_max) reconnect 7: wait 11 seconds reconnect 8: wait 22 seconds reconnect 9: wait 33 seconds reconnect x: etc. With a thousand minions this will mean 1000/60 = ~16 round about 16 connection attempts a second. These values should be altered to values that match your environment. Keep in mind though, that it may grow over time and that more minions might raise the problem again. Too many minions returning at once This can also happen during the testing phase, if all minions are addressed at once with $ salt * disk.usage it may cause thousands of minions trying to return their data to the Salt Master open port 4506. Also causing a flood of syn-flood if the Master can't handle that many returns at once. This can be easily avoided with Salt's batch mode: $ salt * disk.usage -b 50 This will only address 50 minions at once while looping through all addressed minions. Too few resources The masters resources always have to match the environment. There is no way to give good advise without knowing the environment the Master is supposed to run in. But here are some general tuning tips for different situations: The Master is CPU bound Salt uses RSA-Key-Pairs on the masters and minions end. Both generate 4096 bit key-pairs on first start. While the key-size for the Master is currently not configurable, the minions keysize can be configured with different key-sizes. For example with a 2048 bit key: keysize: 2048 With thousands of decryptions, the amount of time that can be saved on the masters end should not be neglected. See here for reference: Pull Request 9235 how much influence the key-size can have. Downsizing the Salt Master's key is not that important, because the minions do not encrypt as many messages as the Master does. In installations with large or with complex pillar files, it is possible for the master to exhibit poor performance as a result of having to render many pillar files at once. This exhibit itself in a number of ways, both as high load on the master and on minions which block on waiting for their pillar to be delivered to them. To reduce pillar rendering times, it is possible to cache pillars on the master. To do this, see the set of master configuration options which are prefixed with pillar_cache. NOTE: Caching pillars on the master may introduce security considerations. Be certain to read caveats outlined in the master configuration file to understand how pillar caching may affect a master's ability to protect sensitive data! The Master is disk IO bound By default, the Master saves every Minion's return for every job in its job-cache. The cache can then be used later, to lookup results for previous jobs. The default directory for this is: cachedir: /var/cache/salt and then in the /proc directory. Each job return for every Minion is saved in a single file. Over time this directory can grow quite large, depending on the number of published jobs. The amount of files and directories will scale with the number of jobs published and the retention time defined by keep_jobs: 24 250 jobs/day * 2000 minions returns = 500.000 files a day If no job history is needed, the job cache can be disabled: job_cache: False If the job cache is necessary there are (currently) 2 options: • ext_job_cache: this will have the minions store their return data directly into a returner (not sent through the Master) • master_job_cache (New in 2014.7.0): this will make the Master store the job data using a returner (instead of the local job cache on disk).
TARGETING MINIONS
Targeting minions is specifying which minions should run a command or execute a state by matching against hostnames, or system information, or defined groups, or even combinations thereof. For example the command salt web1 apache.signal restart to restart the Apache httpd server specifies the machine web1 as the target and the command will only be run on that one minion. Similarly when using States, the following top file specifies that only the web1 minion should execute the contents of webserver.sls: base: 'web1': - webserver There are many ways to target individual minions or groups of minions in Salt: Matching the minion id Each minion needs a unique identifier. By default when a minion starts for the first time it chooses its FQDN as that identifier. The minion id can be overridden via the minion's id configuration setting. TIP: minion id and minion keys The minion id is used to generate the minion's public/private keys and if it ever changes the master must then accept the new key as though the minion was a new host. Globbing The default matching that Salt utilizes is shell-style globbing around the minion id. This also works for states in the top file. NOTE: You must wrap salt calls that use globbing in single-quotes to prevent the shell from expanding the globs before Salt is invoked. Match all minions: salt '*' test.ping Match all minions in the example.net domain or any of the example domains: salt '*.example.net' test.ping salt '*.example.*' test.ping Match all the webN minions in the example.net domain (web1.example.net, web2.example.net … webN.example.net): salt 'web?.example.net' test.ping Match the web1 through web5 minions: salt 'web[1-5]' test.ping Match the web1 and web3 minions: salt 'web[1,3]' test.ping Match the web-x, web-y, and web-z minions: salt 'web-[x-z]' test.ping NOTE: For additional targeting methods please review the compound matchers documentation. Regular Expressions Minions can be matched using Perl-compatible regular expressions (which is globbing on steroids and a ton of caffeine). Match both web1-prod and web1-devel minions: salt -E 'web1-(prod|devel)' test.ping When using regular expressions in a State's top file, you must specify the matcher as the first option. The following example executes the contents of webserver.sls on the above-mentioned minions. base: 'web1-(prod|devel)': - match: pcre - webserver Lists At the most basic level, you can specify a flat list of minion IDs: salt -L 'web1,web2,web3' test.ping Grains Salt comes with an interface to derive information about the underlying system. This is called the grains interface, because it presents salt with grains of information. Grains are collected for the operating system, domain name, IP address, kernel, OS type, memory, and many other system properties. The grains interface is made available to Salt modules and components so that the right salt minion commands are automatically available on the right systems. Grain data is relatively static, though if system information changes (for example, if network settings are changed), or if a new value is assigned to a custom grain, grain data is refreshed. NOTE: Grains resolve to lowercase letters. For example, FOO, and foo target the same grain. IMPORTANT: See Is Targeting using Grain Data Secure? for important security information. Match all CentOS minions: salt -G 'os:CentOS' test.ping Match all minions with 64-bit CPUs, and return number of CPU cores for each matching minion: salt -G 'cpuarch:x86_64' grains.item num_cpus Additionally, globs can be used in grain matches, and grains that are nested in a dictionary can be matched by adding a colon for each level that is traversed. For example, the following will match hosts that have a grain called ec2_tags, which itself is a dict with a key named environment, which has a value that contains the word production: salt -G 'ec2_tags:environment:*production*' Listing Grains Available grains can be listed by using the 'grains.ls' module: salt '*' grains.ls Grains data can be listed by using the 'grains.items' module: salt '*' grains.items Grains in the Minion Config Grains can also be statically assigned within the minion configuration file. Just add the option grains and pass options to it: grains: roles: - webserver - memcache deployment: datacenter4 cabinet: 13 cab_u: 14-15 Then status data specific to your servers can be retrieved via Salt, or used inside of the State system for matching. It also makes targeting, in the case of the example above, simply based on specific data about your deployment. Grains in /etc/salt/grains If you do not want to place your custom static grains in the minion config file, you can also put them in /etc/salt/grains on the minion. They are configured in the same way as in the above example, only without a top-level grains: key: roles: - webserver - memcache deployment: datacenter4 cabinet: 13 cab_u: 14-15 Matching Grains in the Top File With correctly configured grains on the Minion, the top file used in Pillar or during Highstate can be made very efficient. For example, consider the following configuration: 'node_type:web': - match: grain - webserver 'node_type:postgres': - match: grain - database 'node_type:redis': - match: grain - redis 'node_type:lb': - match: grain - lb For this example to work, you would need to have defined the grain node_type for the minions you wish to match. This simple example is nice, but too much of the code is similar. To go one step further, Jinja templating can be used to simplify the top file. {% set the_node_type = salt['grains.get']('node_type', '') %} {% if the_node_type %} 'node_type:{{ the_node_type }}': - match: grain - {{ the_node_type }} {% endif %} Using Jinja templating, only one match entry needs to be defined. NOTE: The example above uses the grains.get function to account for minions which do not have the node_type grain set. Writing Grains The grains interface is derived by executing all of the "public" functions found in the modules located in the grains package or the custom grains directory. The functions in the modules of the grains must return a Python dict, where the keys in the dict are the names of the grains and the values are the values. Custom grains should be placed in a _grains directory located under the file_roots specified by the master config file. The default path would be /srv/salt/_grains. Custom grains will be distributed to the minions when state.highstate is run, or by executing the saltutil.sync_grains or saltutil.sync_all functions. Grains are easy to write, and only need to return a dictionary. A common approach would be code something similar to the following: #!/usr/bin/env python def yourfunction(): # initialize a grains dictionary grains = {} # Some code for logic that sets grains like grains['yourcustomgrain'] = True grains['anothergrain'] = 'somevalue' return grains Before adding a grain to Salt, consider what the grain is and remember that grains need to be static data. If the data is something that is likely to change, consider using Pillar instead. WARNING: Custom grains will not be available in the top file until after the first highstate. To make custom grains available on a minion's first highstate, it is recommended to use this example to ensure that the custom grains are synced when the minion starts. Loading Custom Grains If you have multiple functions specifying grains that are called from a main function, be sure to prepend grain function names with an underscore. This prevents Salt from including the loaded grains from the grain functions in the final grain data structure. For example, consider this custom grain file: #!/usr/bin/env python def _my_custom_grain(): my_grain = {'foo': 'bar', 'hello': 'world'} return my_grain def main(): # initialize a grains dictionary grains = {} grains['my_grains'] = _my_custom_grain() return grains The output of this example renders like so: # salt-call --local grains.items local: ---------- <Snipped for brevity> my_grains: ---------- foo: bar hello: world However, if you don't prepend the my_custom_grain function with an underscore, the function will be rendered twice by Salt in the items output: once for the my_custom_grain call itself, and again when it is called in the main function: # salt-call --local grains.items local: ---------- <Snipped for brevity> foo: bar <Snipped for brevity> hello: world <Snipped for brevity> my_grains: ---------- foo: bar hello: world Precedence Core grains can be overridden by custom grains. As there are several ways of defining custom grains, there is an order of precedence which should be kept in mind when defining them. The order of evaluation is as follows: 1. Core grains. 2. Custom grains in /etc/salt/grains. 3. Custom grains in /etc/salt/minion. 4. Custom grain modules in _grains directory, synced to minions. Each successive evaluation overrides the previous ones, so any grains defined by custom grains modules synced to minions that have the same name as a core grain will override that core grain. Similarly, grains from /etc/salt/minion override both core grains and custom grain modules, and grains in _grains will override any grains of the same name. Examples of Grains The core module in the grains package is where the main grains are loaded by the Salt minion and provides the principal example of how to write grains: https://github.com/saltstack/salt/blob/develop/salt/grains/core.py Syncing Grains Syncing grains can be done a number of ways, they are automatically synced when state.highstate is called, or (as noted above) the grains can be manually synced and reloaded by calling the saltutil.sync_grains or saltutil.sync_all functions. Targeting with Pillar Pillar data can be used when targeting minions. This allows for ultimate control and flexibility when targeting minions. salt -I 'somekey:specialvalue' test.ping Like with Grains, it is possible to use globbing as well as match nested values in Pillar, by adding colons for each level that is being traversed. The below example would match minions with a pillar named foo, which is a dict containing a key bar, with a value beginning with baz: salt -I 'foo:bar:baz*' test.ping Subnet/IP Address Matching Minions can easily be matched based on IP address, or by subnet (using CIDR notation). salt -S 192.168.40.20 test.ping salt -S 10.0.0.0/24 test.ping Ipcidr matching can also be used in compound matches salt -C 'S@10.0.0.0/24 and G@os:Debian' test.ping It is also possible to use in both pillar and state-matching '172.16.0.0/12': - match: ipcidr - internal NOTE: Only IPv4 matching is supported at this time. Compound matchers Compound matchers allow very granular minion targeting using any of Salt's matchers. The default matcher is a glob match, just as with CLI and top file matching. To match using anything other than a glob, prefix the match string with the appropriate letter from the table below, followed by an @ sign. ┌───────┬───────────────────┬──────────────────────────────────────────┬────────────────┐ │Letter │ Match Type │ Example │ Alt Delimiter? │ ├───────┼───────────────────┼──────────────────────────────────────────┼────────────────┤ │G │ Grains glob │ G@os:Ubuntu │ Yes │ ├───────┼───────────────────┼──────────────────────────────────────────┼────────────────┤ │E │ PCRE Minion ID │ E@web\d+\.(dev|qa|prod)\.loc │ No │ ├───────┼───────────────────┼──────────────────────────────────────────┼────────────────┤ │P │ Grains PCRE │ P@os:(RedHat|Fedora|CentOS) │ Yes │ ├───────┼───────────────────┼──────────────────────────────────────────┼────────────────┤ │L │ List of minions │ L@minion1.example.com,minion3.domain.com │ No │ │ │ │ or bl*.domain.com │ │ ├───────┼───────────────────┼──────────────────────────────────────────┼────────────────┤ │I │ Pillar glob │ I@pdata:foobar │ Yes │ ├───────┼───────────────────┼──────────────────────────────────────────┼────────────────┤ │J │ Pillar PCRE │ J@pdata:^(foo|bar)$ │ Yes │ ├───────┼───────────────────┼──────────────────────────────────────────┼────────────────┤ │S │ Subnet/IP address │ S@192.168.1.0/24 or S@192.168.1.100 │ No │ ├───────┼───────────────────┼──────────────────────────────────────────┼────────────────┤ │R │ Range cluster │ R@%foo.bar │ No │ └───────┴───────────────────┴──────────────────────────────────────────┴────────────────┘ Matchers can be joined using boolean and, or, and not operators. For example, the following string matches all Debian minions with a hostname that begins with webserv, as well as any minions that have a hostname which matches the regular expression web-dc1-srv.*: salt -C 'webserv* and G@os:Debian or E@web-dc1-srv.*' test.ping That same example expressed in a top file looks like the following: base: 'webserv* and G@os:Debian or E@web-dc1-srv.*': - match: compound - webserver New in version 2015.8.0. Excluding a minion based on its ID is also possible: salt -C 'not web-dc1-srv' test.ping Versions prior to 2015.8.0 a leading not was not supported in compound matches. Instead, something like the following was required: salt -C '* and not G@kernel:Darwin' test.ping Excluding a minion based on its ID was also possible: salt -C '* and not web-dc1-srv' test.ping Precedence Matching Matchers can be grouped together with parentheses to explicitly declare precedence amongst groups. salt -C '( ms-1 or G@id:ms-3 ) and G@id:ms-3' test.ping NOTE: Be certain to note that spaces are required between the parentheses and targets. Failing to obey this rule may result in incorrect targeting! Alternate Delimiters New in version 2015.8.0. Matchers that target based on a key value pair use a colon (:) as a delimiter. Matchers with a Yes in the Alt Delimiters column in the previous table support specifying an alternate delimiter character. This is done by specifying an alternate delimiter character between the leading matcher character and the @ pattern separator character. This avoids incorrect interpretation of the pattern in the case that : is part of the grain or pillar data structure traversal. salt -C 'J|@foo|bar|^foo:bar$ or J!@gitrepo!https://github.com:example/project.git' test.ping Node groups Nodegroups are declared using a compound target specification. The compound target documentation can be found here. The nodegroups master config file parameter is used to define nodegroups. Here's an example nodegroup configuration within /etc/salt/master: nodegroups: group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com' group2: 'G@os:Debian and foo.domain.com' group3: 'G@os:Debian and N@group1' group4: - 'G@foo:bar' - 'or' - 'G@foo:baz' NOTE: The L within group1 is matching a list of minions, while the G in group2 is matching specific grains. See the compound matchers documentation for more details. New in version 2015.8.0. NOTE: Nodgroups can reference other nodegroups as seen in group3. Ensure that you do not have circular references. Circular references will be detected and cause partial expansion with a logged error message. New in version 2015.8.0. Compound nodegroups can be either string values or lists of string values. When the nodegroup is A string value will be tokenized by splitting on whitespace. This may be a problem if whitespace is necessary as part of a pattern. When a nodegroup is a list of strings then tokenization will happen for each list element as a whole. To match a nodegroup on the CLI, use the -N command-line option: salt -N group1 test.ping NOTE: The N@ classifier cannot be used in compound mathes within the CLI or top file, it is only recognized in the nodegroups master config file parameter. To match a nodegroup in your top file, make sure to put - match: nodegroup on the line directly following the nodegroup name. base: group1: - match: nodegroup - webserver NOTE: When adding or modifying nodegroups to a master configuration file, the master must be restarted for those changes to be fully recognized. A limited amount of functionality, such as targeting with -N from the command-line may be available without a restart. Using Nodegroups in SLS files To use Nodegroups in Jinja logic for SLS files, the pillar_opts option in /etc/salt/master must be set to "True". This will pass the master's configuration as Pillar data to each minion. NOTE: If the master's configuration contains any sensitive data, this will be passed to each minion. Do not enable this option if you have any configuration data that you do not want to get on your minions. Also, if you make changes to your nodegroups, you might need to run salt '*' saltutil.refresh_pillar after restarting the master. Once pillar_opts is enabled, you can find the nodegroups under the "master" pillar. To make sure that only the correct minions are targeted, you should use each matcher for the nodegroup definition. For example, to check if a minion is in the 'webserver' nodegroup: nodegroups: webserver: 'G@os:Debian and L@minion1,minion2' {% if grains.id in salt['pillar.get']('master:nodegroups:webserver', []) and grains.os in salt['pillar.get']('master:nodegroups:webserver', []) %} ... {% endif %} NOTE: If you do not include all of the matchers used to define a nodegroup, Salt might incorrectly target minions that meet some of the nodegroup requirements, but not all of them. Batch Size The -b (or --batch-size) option allows commands to be executed on only a specified number of minions at a time. Both percentages and finite numbers are supported. salt '*' -b 10 test.ping salt -G 'os:RedHat' --batch-size 25% apache.signal restart This will only run test.ping on 10 of the targeted minions at a time and then restart apache on 25% of the minions matching os:RedHat at a time and work through them all until the task is complete. This makes jobs like rolling web server restarts behind a load balancer or doing maintenance on BSD firewalls using carp much easier with salt. The batch system maintains a window of running minions, so, if there are a total of 150 minions targeted and the batch size is 10, then the command is sent to 10 minions, when one minion returns then the command is sent to one additional minion, so that the job is constantly running on 10 minions. SECO Range SECO range is a cluster-based metadata store developed and maintained by Yahoo! The Range project is hosted here: https://github.com/ytoolshed/range Learn more about range here: https://github.com/ytoolshed/range/wiki/ Prerequisites To utilize range support in Salt, a range server is required. Setting up a range server is outside the scope of this document. Apache modules are included in the range distribution. With a working range server, cluster files must be defined. These files are written in YAML and define hosts contained inside a cluster. Full documentation on writing YAML range files is here: https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec Additionally, the Python seco range libraries must be installed on the salt master. One can verify that they have been installed correctly via the following command: python -c 'import seco.range' If no errors are returned, range is installed successfully on the salt master. Preparing Salt Range support must be enabled on the salt master by setting the hostname and port of the range server inside the master configuration file: range_server: my.range.server.com:80 Following this, the master must be restarted for the change to have an effect. Targeting with Range Once a cluster has been defined, it can be targeted with a salt command by using the -R or --range flags. For example, given the following range YAML file being served from a range server: $ cat /etc/range/test.yaml CLUSTER: host1..100.test.com APPS: - frontend - backend - mysql One might target host1 through host100 in the test.com domain with Salt as follows: salt --range %test:CLUSTER test.ping The following salt command would target three hosts: frontend, backend, and mysql: salt --range %test:APPS test.ping
STORING STATIC DATA IN THE PILLAR
Pillar is an interface for Salt designed to offer global values that can be distributed to all minions. Pillar data is managed in a similar way as the Salt State Tree. Pillar was added to Salt in version 0.9.8 NOTE: Storing sensitive data Unlike state tree, pillar data is only available for the targeted minion specified by the matcher type. This makes it useful for storing sensitive data specific to a particular minion. Declaring the Master Pillar The Salt Master server maintains a pillar_roots setup that matches the structure of the file_roots used in the Salt file server. Like the Salt file server the pillar_roots option in the master config is based on environments mapping to directories. The pillar data is then mapped to minions based on matchers in a top file which is laid out in the same way as the state top file. Salt pillars can use the same matcher types as the standard top file. The configuration for the pillar_roots in the master config file is identical in behavior and function as file_roots: pillar_roots: base: - /srv/pillar This example configuration declares that the base environment will be located in the /srv/pillar directory. It must not be in a subdirectory of the state tree. The top file used matches the name of the top file used for States, and has the same structure: /srv/pillar/top.sls base: '*': - packages In the above top file, it is declared that in the base environment, the glob matching all minions will have the pillar data found in the packages pillar available to it. Assuming the pillar_roots value of /srv/pillar taken from above, the packages pillar would be located at /srv/pillar/packages.sls. Any number of matchers can be added to the base environment. For example, here is an expanded version of the Pillar top file stated above: /srv/pillar/top.sls: base: '*': - packages 'web*': - vim In this expanded top file, minions that match web* will have access to the /srv/pillar/pacakges.sls file, as well as the /srv/pillar/vim.sls file. Another example shows how to use other standard top matching types to deliver specific salt pillar data to minions with different properties. Here is an example using the grains matcher to target pillars to minions by their os grain: dev: 'os:Debian': - match: grain - servers /srv/pillar/packages.sls {% if grains['os'] == 'RedHat' %} apache: httpd git: git {% elif grains['os'] == 'Debian' %} apache: apache2 git: git-core {% endif %} company: Foo Industries IMPORTANT: See Is Targeting using Grain Data Secure? for important security information. The above pillar sets two key/value pairs. If a minion is running RedHat, then the apache key is set to httpd and the git key is set to the value of git. If the minion is running Debian, those values are changed to apache2 and git-core respectively. All minions that have this pillar targeting to them via a top file will have the key of company with a value of Foo Industries. Consequently this data can be used from within modules, renderers, State SLS files, and more via the shared pillar dict: apache: pkg.installed: - name: {{ pillar['apache'] }} git: pkg.installed: - name: {{ pillar['git'] }} Finally, the above states can utilize the values provided to them via Pillar. All pillar values targeted to a minion are available via the 'pillar' dictionary. As seen in the above example, Jinja substitution can then be utilized to access the keys and values in the Pillar dictionary. Note that you cannot just list key/value-information in top.sls. Instead, target a minion to a pillar file and then list the keys and values in the pillar. Here is an example top file that illustrates this point: base: '*': - common_pillar And the actual pillar file at '/srv/pillar/common_pillar.sls': foo: bar boo: baz Pillar namespace flattened The separate pillar files all share the same namespace. Given a top.sls of: base: '*': - packages - services a packages.sls file of: bind: bind9 and a services.sls file of: bind: named Then a request for the bind pillar will only return named; the bind9 value is not available. It is better to structure your pillar files with more hierarchy. For example your package.sls file could look like: packages: bind: bind9 Pillar Namespace Merges With some care, the pillar namespace can merge content from multiple pillar files under a single key, so long as conflicts are avoided as described above. For example, if the above example were modified as follows, the values are merged below a single key: base: '*': - packages - services And a packages.sls file like: bind: package-name: bind9 version: 9.9.5 And a services.sls file like: bind: port: 53 listen-on: any The resulting pillar will be as follows: $ salt-call pillar.get bind local: ---------- listen-on: any package-name: bind9 port: 53 version: 9.9.5 NOTE: Pillar files are applied in the order they are listed in the top file. Therefore conflicting keys will be overwritten in a 'last one wins' manner! For example, in the above scenario conflicting key values in services will overwrite those in packages because it's at the bottom of the list. Including Other Pillars New in version 0.16.0. Pillar SLS files may include other pillar files, similar to State files. Two syntaxes are available for this purpose. The simple form simply includes the additional pillar as if it were part of the same file: include: - users The full include form allows two additional options -- passing default values to the templating engine for the included pillar file as well as an optional key under which to nest the results of the included pillar: include: - users: defaults: sudo: ['bob', 'paul'] key: users With this form, the included file (users.sls) will be nested within the 'users' key of the compiled pillar. Additionally, the 'sudo' value will be available as a template variable to users.sls. Viewing Minion Pillar Once the pillar is set up the data can be viewed on the minion via the pillar module, the pillar module comes with functions, pillar.items and pillar.raw. pillar.items will return a freshly reloaded pillar and pillar.raw will return the current pillar without a refresh: salt '*' pillar.items NOTE: Prior to version 0.16.2, this function is named pillar.data. This function name is still supported for backwards compatibility. Pillar get Function New in version 0.14.0. The pillar.get function works much in the same way as the get method in a python dict, but with an enhancement: nested dict components can be extracted using a : delimiter. If a structure like this is in pillar: foo: bar: baz: qux Extracting it from the raw pillar in an sls formula or file template is done this way: {{ pillar['foo']['bar']['baz'] }} Now, with the new pillar.get function the data can be safely gathered and a default can be set, allowing the template to fall back if the value is not available: {{ salt['pillar.get']('foo:bar:baz', 'qux') }} This makes handling nested structures much easier. NOTE: pillar.get() vs salt['pillar.get']() It should be noted that within templating, the pillar variable is just a dictionary. This means that calling pillar.get() inside of a template will just use the default dictionary .get() function which does not include the extra : delimiter functionality. It must be called using the above syntax (salt['pillar.get']('foo:bar:baz', 'qux')) to get the salt function, instead of the default dictionary behavior. Refreshing Pillar Data When pillar data is changed on the master the minions need to refresh the data locally. This is done with the saltutil.refresh_pillar function. salt '*' saltutil.refresh_pillar This function triggers the minion to asynchronously refresh the pillar and will always return None. Set Pillar Data at the Command Line Pillar data can be set at the command line like the following example: salt '*' state.highstate pillar='{"cheese": "spam"}' This will create a dict with a key of 'cheese' and a value of 'spam'. A list can be created like this: salt '*' state.highstate pillar='["cheese", "milk", "bread"]' NOTE: Be aware that when sending sensitive data via pillar on the command-line that the publication containing that data will be received by all minions and will not be restricted to the targeted minions. This may represent a security concern in some cases. Master Config In Pillar For convenience the data stored in the master configuration file can be made available in all minion's pillars. This makes global configuration of services and systems very easy but may not be desired if sensitive data is stored in the master configuration. This option is disabled by default. To enable the master config from being added to the pillar set pillar_opts to True: pillar_opts: True Minion Config in Pillar Minion configuration options can be set on pillars. Any option that you want to modify, should be in the first level of the pillars, in the same way you set the options in the config file. For example, to configure the MySQL root password to be used by MySQL Salt execution module, set the following pillar variable: mysql.pass: hardtoguesspassword Master Provided Pillar Error By default if there is an error rendering a pillar, the detailed error is hidden and replaced with: Rendering SLS 'my.sls' failed. Please see master log for details. The error is protected because it's possible to contain templating data which would give that minion information it shouldn't know, like a password! To have the master provide the detailed error that could potentially carry protected data set pillar_safe_render_error to False: pillar_safe_render_error: False
REACTOR SYSTEM
Salt version 0.11.0 introduced the reactor system. The premise behind the reactor system is that with Salt's events and the ability to execute commands, a logic engine could be put in place to allow events to trigger actions, or more accurately, reactions. This system binds sls files to event tags on the master. These sls files then define reactions. This means that the reactor system has two parts. First, the reactor option needs to be set in the master configuration file. The reactor option allows for event tags to be associated with sls reaction files. Second, these reaction files use highdata (like the state system) to define reactions to be executed. Event System A basic understanding of the event system is required to understand reactors. The event system is a local ZeroMQ PUB interface which fires salt events. This event bus is an open system used for sending information notifying Salt and other systems about operations. The event system fires events with a very specific criteria. Every event has a tag. Event tags allow for fast top level filtering of events. In addition to the tag, each event has a data structure. This data structure is a dict, which contains information about the event. Mapping Events to Reactor SLS Files Reactor SLS files and event tags are associated in the master config file. By default this is /etc/salt/master, or /etc/salt/master.d/reactor.conf. New in version 2014.7.0: Added Reactor support for salt:// file paths. In the master config section 'reactor:' is a list of event tags to be matched and each event tag has a list of reactor SLS files to be run. reactor: # Master config section "reactor" - 'salt/minion/*/start': # Match tag "salt/minion/*/start" - /srv/reactor/start.sls # Things to do when a minion starts - /srv/reactor/monitor.sls # Other things to do - 'salt/cloud/*/destroyed': # Globs can be used to matching tags - /srv/reactor/destroy/*.sls # Globs can be used to match file names - 'myco/custom/event/tag': # React to custom event tags - salt://reactor/mycustom.sls # Put reactor files under file_roots Reactor sls files are similar to state and pillar sls files. They are by default yaml + Jinja templates and are passed familiar context variables. They differ because of the addition of the tag and data variables. • The tag variable is just the tag in the fired event. • The data variable is the event's data dict. Here is a simple reactor sls: {% if data['id'] == 'mysql1' %} highstate_run: local.state.highstate: - tgt: mysql1 {% endif %} This simple reactor file uses Jinja to further refine the reaction to be made. If the id in the event data is mysql1 (in other words, if the name of the minion is mysql1) then the following reaction is defined. The same data structure and compiler used for the state system is used for the reactor system. The only difference is that the data is matched up to the salt command API and the runner system. In this example, a command is published to the mysql1 minion with a function of state.highstate. Similarly, a runner can be called: {% if data['data']['orchestrate'] == 'refresh' %} orchestrate_run: runner.state.orchestrate {% endif %} This example will execute the state.orchestrate runner and initiate an orchestrate execution. Fire an event To fire an event from a minion call event.send salt-call event.send 'foo' '{orchestrate: refresh}' After this is called, any reactor sls files matching event tag foo will execute with {{ data['data']['orchestrate'] }} equal to 'refresh'. See salt.modules.event for more information. Knowing what event is being fired The best way to see exactly what events are fired and what data is available in each event is to use the state.event runner. SEE ALSO: Common Salt Events Example usage: salt-run state.event pretty=True Example output: salt/job/20150213001905721678/new { "_stamp": "2015-02-13T00:19:05.724583", "arg": [], "fun": "test.ping", "jid": "20150213001905721678", "minions": [ "jerry" ], "tgt": "*", "tgt_type": "glob", "user": "root" } salt/job/20150213001910749506/ret/jerry { "_stamp": "2015-02-13T00:19:11.136730", "cmd": "_return", "fun": "saltutil.find_job", "fun_args": [ "20150213001905721678" ], "id": "jerry", "jid": "20150213001910749506", "retcode": 0, "return": {}, "success": true } Debugging the Reactor The best window into the Reactor is to run the master in the foreground with debug logging enabled. The output will include when the master sees the event, what the master does in response to that event, and it will also include the rendered SLS file (or any errors generated while rendering the SLS file). 1. Stop the master. 2. Start the master manually: salt-master -l debug 3. Look for log entries in the form: [DEBUG ] Gathering reactors for tag foo/bar [DEBUG ] Compiling reactions for tag foo/bar [DEBUG ] Rendered data from file: /path/to/the/reactor_file.sls: <... Rendered output appears here. ...> The rendered output is the result of the Jinja parsing and is a good way to view the result of referencing Jinja variables. If the result is empty then Jinja produced an empty result and the Reactor will ignore it. Understanding the Structure of Reactor Formulas I.e., when to use `arg` and `kwarg` and when to specify the function arguments directly. While the reactor system uses the same basic data structure as the state system, the functions that will be called using that data structure are different functions than are called via Salt's state system. The Reactor can call Runner modules using the runner prefix, Wheel modules using the wheel prefix, and can also cause minions to run Execution modules using the local prefix. Changed in version 2014.7.0: The cmd prefix was renamed to local for consistency with other parts of Salt. A backward-compatible alias was added for cmd. The Reactor runs on the master and calls functions that exist on the master. In the case of Runner and Wheel functions the Reactor can just call those functions directly since they exist on the master and are run on the master. In the case of functions that exist on minions and are run on minions, the Reactor still needs to call a function on the master in order to send the necessary data to the minion so the minion can execute that function. The Reactor calls functions exposed in Salt's Python API documentation. and thus the structure of Reactor files very transparently reflects the function signatures of those functions. Calling Execution modules on Minions The Reactor sends commands down to minions in the exact same way Salt's CLI interface does. It calls a function locally on the master that sends the name of the function as well as a list of any arguments and a dictionary of any keyword arguments that the minion should use to execute that function. Specifically, the Reactor calls the async version of this function. You can see that function has 'arg' and 'kwarg' parameters which are both values that are sent down to the minion. Executing remote commands maps to the LocalClient interface which is used by the salt command. This interface more specifically maps to the cmd_async method inside of the LocalClient class. This means that the arguments passed are being passed to the cmd_async method, not the remote method. A field starts with local to use the LocalClient subsystem. The result is, to execute a remote command, a reactor formula would look like this: clean_tmp: local.cmd.run: - tgt: '*' - arg: - rm -rf /tmp/* The arg option takes a list of arguments as they would be presented on the command line, so the above declaration is the same as running this salt command: salt '*' cmd.run 'rm -rf /tmp/*' Use the expr_form argument to specify a matcher: clean_tmp: local.cmd.run: - tgt: 'os:Ubuntu' - expr_form: grain - arg: - rm -rf /tmp/* clean_tmp: local.cmd.run: - tgt: 'G@roles:hbase_master' - expr_form: compound - arg: - rm -rf /tmp/* Any other parameters in the LocalClient().cmd() method can be specified as well. Calling Runner modules and Wheel modules Calling Runner modules and Wheel modules from the Reactor uses a more direct syntax since the function is being executed locally instead of sending a command to a remote system to be executed there. There are no 'arg' or 'kwarg' parameters (unless the Runner function or Wheel function accepts a parameter with either of those names.) For example: clear_the_grains_cache_for_all_minions: runner.cache.clear_grains If the runner takes arguments then they can be specified as well: spin_up_more_web_machines: runner.cloud.profile: - prof: centos_6 - instances: - web11 # These VM names would be generated via Jinja in a - web12 # real-world example. Passing event data to Minions or Orchestrate as Pillar An interesting trick to pass data from the Reactor script to state.highstate or state.sls is to pass it as inline Pillar data since both functions take a keyword argument named pillar. The following example uses Salt's Reactor to listen for the event that is fired when the key for a new minion is accepted on the master using salt-key. /etc/salt/master.d/reactor.conf: reactor: - 'salt/key': - /srv/salt/haproxy/react_new_minion.sls The Reactor then fires a state.sls command targeted to the HAProxy servers and passes the ID of the new minion from the event to the state file via inline Pillar. /srv/salt/haproxy/react_new_minion.sls: {% if data['act'] == 'accept' and data['id'].startswith('web') %} add_new_minion_to_pool: local.state.sls: - tgt: 'haproxy*' - arg: - haproxy.refresh_pool - kwarg: pillar: new_minion: {{ data['id'] }} {% endif %} The above command is equivalent to the following command at the CLI: salt 'haproxy*' state.sls haproxy.refresh_pool 'pillar={new_minion: minionid}' This works with Orchestrate files as well: call_some_orchestrate_file: runner.state.orchestrate: - mods: some_orchestrate_file - pillar: stuff: things Which is equivalent to the following command at the CLI: salt-run state.orchestrate some_orchestrate_file pillar='{stuff: things}' Finally, that data is available in the state file using the normal Pillar lookup syntax. The following example is grabbing web server names and IP addresses from Salt Mine. If this state is invoked from the Reactor then the custom Pillar value from above will be available and the new minion will be added to the pool but with the disabled flag so that HAProxy won't yet direct traffic to it. /srv/salt/haproxy/refresh_pool.sls: {% set new_minion = salt['pillar.get']('new_minion') %} listen web *:80 balance source {% for server,ip in salt['mine.get']('web*', 'network.interfaces', ['eth0']).items() %} {% if server == new_minion %} server {{ server }} {{ ip }}:80 disabled {% else %} server {{ server }} {{ ip }}:80 check {% endif %} {% endfor %} A Complete Example In this example, we're going to assume that we have a group of servers that will come online at random and need to have keys automatically accepted. We'll also add that we don't want all servers being automatically accepted. For this example, we'll assume that all hosts that have an id that starts with 'ink' will be automatically accepted and have state.highstate executed. On top of this, we're going to add that a host coming up that was replaced (meaning a new key) will also be accepted. Our master configuration will be rather simple. All minions that attempte to authenticate will match the tag of salt/auth. When it comes to the minion key being accepted, we get a more refined tag that includes the minion id, which we can use for matching. /etc/salt/master.d/reactor.conf: reactor: - 'salt/auth': - /srv/reactor/auth-pending.sls - 'salt/minion/ink*/start': - /srv/reactor/auth-complete.sls In this sls file, we say that if the key was rejected we will delete the key on the master and then also tell the master to ssh in to the minion and tell it to restart the minion, since a minion process will die if the key is rejected. We also say that if the key is pending and the id starts with ink we will accept the key. A minion that is waiting on a pending key will retry authentication every ten seconds by default. /srv/reactor/auth-pending.sls: {# Ink server faild to authenticate -- remove accepted key #} {% if not data['result'] and data['id'].startswith('ink') %} minion_remove: wheel.key.delete: - match: {{ data['id'] }} minion_rejoin: local.cmd.run: - tgt: salt-master.domain.tld - arg: - ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "{{ data['id'] }}" 'sleep 10 && /etc/init.d/salt-minion restart' {% endif %} {# Ink server is sending new key -- accept this key #} {% if 'act' in data and data['act'] == 'pend' and data['id'].startswith('ink') %} minion_add: wheel.key.accept: - match: {{ data['id'] }} {% endif %} No if statements are needed here because we already limited this action to just Ink servers in the master configuration. /srv/reactor/auth-complete.sls: {# When an Ink server connects, run state.highstate. #} highstate_run: local.state.highstate: - tgt: {{ data['id'] }} - ret: smtp The above will also return the highstate result data using the smtp_return returner (use virtualname like when using from the command line with --return). The returner needs to be configured on the minion for this to work. See salt.returners.smtp_return documentation for that. Syncing Custom Types on Minion Start Salt will sync all custom types (by running a saltutil.sync_all) on every highstate. However, there is a chicken-and-egg issue where, on the initial highstate, a minion will not yet have these custom types synced when the top file is first compiled. This can be worked around with a simple reactor which watches for minion_start events, which each minion fires when it first starts up and connects to the master. On the master, create /srv/reactor/sync_grains.sls with the following contents: sync_grains: local.saltutil.sync_grains: - tgt: {{ data['id'] }} And in the master config file, add the following reactor configuration: reactor: - 'minion_start': - /srv/reactor/sync_grains.sls This will cause the master to instruct each minion to sync its custom grains when it starts, making these grains available when the initial highstate is executed. Other types can be synced by replacing local.saltutil.sync_grains with local.saltutil.sync_modules, local.saltutil.sync_all, or whatever else suits the intended use case.
THE SALT MINE
The Salt Mine is used to collect arbitrary data from Minions and store it on the Master. This data is then made available to all Minions via the salt.modules.mine module. Mine data is gathered on the Minion and sent back to the Master where only the most recent data is maintained (if long term data is required use returners or the external job cache). Mine vs Grains Mine data is designed to be much more up-to-date than grain data. Grains are refreshed on a very limited basis and are largely static data. Mines are designed to replace slow peer publishing calls when Minions need data from other Minions. Rather than having a Minion reach out to all the other Minions for a piece of data, the Salt Mine, running on the Master, can collect it from all the Minions every mine-interval, resulting in almost fresh data at any given time, with much less overhead. Mine Functions To enable the Salt Mine the mine_functions option needs to be applied to a Minion. This option can be applied via the Minion's configuration file, or the Minion's Pillar. The mine_functions option dictates what functions are being executed and allows for arguments to be passed in. If no arguments are passed, an empty list must be added: mine_functions: test.ping: [] network.ip_addrs: interface: eth0 cidr: '10.0.0.0/8' Mine Functions Aliases Function aliases can be used to provide friendly names, usage intentions or to allow multiple calls of the same function with different arguments. There is a different syntax for passing positional and key-value arguments. Mixing positional and key-value arguments is not supported. New in version 2014.7.0. mine_functions: network.ip_addrs: [eth0] networkplus.internal_ip_addrs: [] internal_ip_addrs: mine_function: network.ip_addrs cidr: 192.168.0.0/16 ip_list: - mine_function: grains.get - ip_interfaces Mine Interval The Salt Mine functions are executed when the Minion starts and at a given interval by the scheduler. The default interval is every 60 minutes and can be adjusted for the Minion via the mine_interval option: mine_interval: 60 Mine in Salt-SSH As of the 2015.5.0 release of salt, salt-ssh supports mine.get. Because the Minions cannot provide their own mine_functions configuration, we retrieve the args for specified mine functions in one of three places, searched in the following order: 1. Roster data 2. Pillar 3. Master config The mine_functions are formatted exactly the same as in normal salt, just stored in a different location. Here is an example of a flat roster containing mine_functions: test: host: 104.237.131.248 user: root mine_functions: cmd.run: ['echo "hello!"'] network.ip_addrs: interface: eth0 NOTE: Because of the differences in the architecture of salt-ssh, mine.get calls are somewhat inefficient. Salt must make a new salt-ssh call to each of the Minions in question to retrieve the requested data, much like a publish call. However, unlike publish, it must run the requested function as a wrapper function, so we can retrieve the function args from the pillar of the Minion in question. This results in a non-trivial delay in retrieving the requested data. Example One way to use data from Salt Mine is in a State. The values can be retrieved via Jinja and used in the SLS file. The following example is a partial HAProxy configuration file and pulls IP addresses from all Minions with the "web" grain to add them to the pool of load balanced servers. /srv/pillar/top.sls: base: 'G@roles:web': - web /srv/pillar/web.sls: mine_functions: network.ip_addrs: [eth0] /etc/salt/minion.d/mine.conf: mine_interval: 5 /srv/salt/haproxy.sls: haproxy_config: file.managed: - name: /etc/haproxy/config - source: salt://haproxy_config - template: jinja /srv/salt/haproxy_config: <...file contents snipped...> {% for server, addrs in salt['mine.get']('roles:web', 'network.ip_addrs', expr_form='pillar').items() %} server {{ server }} {{ addrs[0] }}:80 check {% endfor %} <...file contents snipped...>
EXTERNAL AUTHENTICATION SYSTEM
Salt's External Authentication System (eAuth) allows for Salt to pass through command authorization to any external authentication system, such as PAM or LDAP. NOTE: eAuth using the PAM external auth system requires salt-master to be run as root as this system needs root access to check authentication. Access Control System NOTE: When to Use client_acl and external_auth client_acl is useful for allowing local system users to run Salt commands without giving them root access. If you can log into the Salt master directly, then client_acl will allow you to use Salt without root privileges. If the local system is configured to authenticate against a remote system, like LDAP or Active Directory, then client_acl will interact with the remote system transparently. external_auth is useful for salt-api or for making your own scripts that use Salt's Python API. It can be used at the CLI (with the -a flag) but it is more cumbersome as there are more steps involved. The only time it is useful at the CLI is when the local system is not configured to authenticate against an external service but you still want Salt to authenticate against an external service. The external authentication system allows for specific users to be granted access to execute specific functions on specific minions. Access is configured in the master configuration file and uses the access control system: external_auth: pam: thatch: - 'web*': - test.* - network.* steve: - .* The above configuration allows the user thatch to execute functions in the test and network modules on the minions that match the web* target. User steve is given unrestricted access to minion commands. Salt respects the current PAM configuration in place, and uses the 'login' service to authenticate. NOTE: The PAM module does not allow authenticating as root. To allow access to wheel modules or runner modules the following @ syntax must be used: external_auth: pam: thatch: - '@wheel' # to allow access to all wheel modules - '@runner' # to allow access to all runner modules - '@jobs' # to allow access to the jobs runner and/or wheel module NOTE: The runner/wheel markup is different, since there are no minions to scope the acl to. NOTE: Globs will not match wheel or runners! They must be explicitly allowed with @wheel or @runner. The external authentication system can then be used from the command-line by any user on the same system as the master with the -a option: $ salt -a pam web\* test.ping The system will ask the user for the credentials required by the authentication system and then publish the command. To apply permissions to a group of users in an external authentication system, append a % to the ID: external_auth: pam: admins%: - '*': - 'pkg.*' WARNING: All users that have external authentication privileges are allowed to run saltutil.findjob. Be aware that this could inadvertently expose some data such as minion IDs. Tokens With external authentication alone, the authentication credentials will be required with every call to Salt. This can be alleviated with Salt tokens. Tokens are short term authorizations and can be easily created by just adding a -T option when authenticating: $ salt -T -a pam web\* test.ping Now a token will be created that has a expiration of 12 hours (by default). This token is stored in a file named salt_token in the active user's home directory. Once the token is created, it is sent with all subsequent communications. User authentication does not need to be entered again until the token expires. Token expiration time can be set in the Salt master config file. LDAP and Active Directory NOTE: LDAP usage requires that you have installed python-ldap. Salt supports both user and group authentication for LDAP (and Active Directory accessed via its LDAP interface) OpenLDAP and similar systems LDAP configuration happens in the Salt master configuration file. Server configuration values and their defaults: # Server to auth against auth.ldap.server: localhost # Port to connect via auth.ldap.port: 389 # Use TLS when connecting auth.ldap.tls: False # LDAP scope level, almost always 2 auth.ldap.scope: 2 # Server specified in URI format auth.ldap.uri: '' # Overrides .ldap.server, .ldap.port, .ldap.tls above # Verify server's TLS certificate auth.ldap.no_verify: False # Bind to LDAP anonymously to determine group membership # Active Directory does not allow anonymous binds without special configuration auth.ldap.anonymous: False # FOR TESTING ONLY, this is a VERY insecure setting. # If this is True, the LDAP bind password will be ignored and # access will be determined by group membership alone with # the group memberships being retrieved via anonymous bind auth.ldap.auth_by_group_membership_only: False # Require authenticating user to be part of this Organizational Unit # This can be blank if your LDAP schema does not use this kind of OU auth.ldap.groupou: 'Groups' # Object Class for groups. An LDAP search will be done to find all groups of this # class to which the authenticating user belongs. auth.ldap.groupclass: 'posixGroup' # Unique ID attribute name for the user auth.ldap.accountattributename: 'memberUid' # These are only for Active Directory auth.ldap.activedirectory: False auth.ldap.persontype: 'person' There are two phases to LDAP authentication. First, Salt authenticates to search for a users's Distinguished Name and group membership. The user it authenticates as in this phase is often a special LDAP system user with read-only access to the LDAP directory. After Salt searches the directory to determine the actual user's DN and groups, it re-authenticates as the user running the Salt commands. If you are already aware of the structure of your DNs and permissions in your LDAP store are set such that users can look up their own group memberships, then the first and second users can be the same. To tell Salt this is the case, omit the auth.ldap.bindpw parameter. You can template the binddn like this: auth.ldap.basedn: dc=saltstack,dc=com auth.ldap.binddn: uid={{ username }},cn=users,cn=accounts,dc=saltstack,dc=com Salt will use the password entered on the salt command line in place of the bindpw. To use two separate users, specify the LDAP lookup user in the binddn directive, and include a bindpw like so auth.ldap.binddn: uid=ldaplookup,cn=sysaccounts,cn=etc,dc=saltstack,dc=com auth.ldap.bindpw: mypassword As mentioned before, Salt uses a filter to find the DN associated with a user. Salt substitutes the {{ username }} value for the username when querying LDAP auth.ldap.filter: uid={{ username }} For OpenLDAP, to determine group membership, one can specify an OU that contains group data. This is prepended to the basedn to create a search path. Then the results are filtered against auth.ldap.groupclass, default posixGroup, and the account's 'name' attribute, memberUid by default. auth.ldap.groupou: Groups Active Directory Active Directory handles group membership differently, and does not utilize the groupou configuration variable. AD needs the following options in the master config: auth.ldap.activedirectory: True auth.ldap.filter: sAMAccountName={{username}} auth.ldap.accountattributename: sAMAccountName auth.ldap.groupclass: group auth.ldap.persontype: person To determine group membership in AD, the username and password that is entered when LDAP is requested as the eAuth mechanism on the command line is used to bind to AD's LDAP interface. If this fails, then it doesn't matter what groups the user belongs to, he or she is denied access. Next, the distinguishedName of the user is looked up with the following LDAP search: (&(<value of auth.ldap.accountattributename>={{username}}) (objectClass=<value of auth.ldap.persontype>) ) This should return a distinguishedName that we can use to filter for group membership. Then the following LDAP query is executed: (&(member=<distinguishedName from search above>) (objectClass=<value of auth.ldap.groupclass>) ) external_auth: ldap: test_ldap_user: - '*': - test.ping To configure an LDAP group, append a % to the ID: external_auth: ldap: test_ldap_group%: - '*': - test.echo
ACCESS CONTROL SYSTEM
New in version 0.10.4. Salt maintains a standard system used to open granular control to non administrative users to execute Salt commands. The access control system has been applied to all systems used to configure access to non administrative control interfaces in Salt.These interfaces include, the peer system, the external auth system and the client acl system. The access control system mandated a standard configuration syntax used in all of the three aforementioned systems. While this adds functionality to the configuration in 0.10.4, it does not negate the old configuration. Now specific functions can be opened up to specific minions from specific users in the case of external auth and client ACLs, and for specific minions in the case of the peer system. The access controls are manifested using matchers in these configurations: client_acl: fred: - web\*: - pkg.list_pkgs - test.* - apache.* In the above example, fred is able to send commands only to minions which match the specified glob target. This can be expanded to include other functions for other minions based on standard targets. external_auth: pam: dave: - test.ping - mongo\*: - network.* - log\*: - network.* - pkg.* - 'G@os:RedHat': - kmod.* steve: - .* The above allows for all minions to be hit by test.ping by dave, and adds a few functions that dave can execute on other minions. It also allows steve unrestricted access to salt commands. NOTE: Functions are matched using regular expressions.
JOB MANAGEMENT
New in version 0.9.7. Since Salt executes jobs running on many systems, Salt needs to be able to manage jobs running on many systems. The Minion proc System Salt Minions maintain a proc directory in the Salt cachedir. The proc directory maintains files named after the executed job ID. These files contain the information about the current running jobs on the minion and allow for jobs to be looked up. This is located in the proc directory under the cachedir, with a default configuration it is under /var/cache/salt/proc. Functions in the saltutil Module Salt 0.9.7 introduced a few new functions to the saltutil module for managing jobs. These functions are: 1. running Returns the data of all running jobs that are found in the proc directory. 2. find_job Returns specific data about a certain job based on job id. 3. signal_job Allows for a given jid to be sent a signal. 4. term_job Sends a termination signal (SIGTERM, 15) to the process controlling the specified job. 5. kill_job Sends a kill signal (SIGKILL, 9) to the process controlling the specified job. These functions make up the core of the back end used to manage jobs at the minion level. The jobs Runner A convenience runner front end and reporting system has been added as well. The jobs runner contains functions to make viewing data easier and cleaner. The jobs runner contains a number of functions... active The active function runs saltutil.running on all minions and formats the return data about all running jobs in a much more usable and compact format. The active function will also compare jobs that have returned and jobs that are still running, making it easier to see what systems have completed a job and what systems are still being waited on. # salt-run jobs.active lookup_jid When jobs are executed the return data is sent back to the master and cached. By default it is cached for 24 hours, but this can be configured via the keep_jobs option in the master configuration. Using the lookup_jid runner will display the same return data that the initial job invocation with the salt command would display. # salt-run jobs.lookup_jid <job id number> list_jobs Before finding a historic job, it may be required to find the job id. list_jobs will parse the cached execution data and display all of the job data for jobs that have already, or partially returned. # salt-run jobs.list_jobs Scheduling Jobs In Salt versions greater than 0.12.0, the scheduling system allows incremental executions on minions or the master. The schedule system exposes the execution of any execution function on minions or any runner on the master. Scheduling is enabled via the schedule option on either the master or minion config files, or via a minion's pillar data. Schedules that are impletemented via pillar data, only need to refresh the minion's pillar data, for example by using saltutil.refresh_pillar. Schedules implemented in the master or minion config have to restart the application in order for the schedule to be implemented. NOTE: The scheduler executes different functions on the master and minions. When running on the master the functions reference runner functions, when running on the minion the functions specify execution functions. A scheduled run has no output on the minion unless the config is set to info level or higher. Refer to minion logging settings. Specify maxrunning to ensure that there are no more than N copies of a particular routine running. Use this for jobs that may be long-running and could step on each other or otherwise double execute. The default for maxrunning is 1. States are executed on the minion, as all states are. You can pass positional arguments and provide a yaml dict of named arguments. schedule: job1: function: state.sls seconds: 3600 args: - httpd kwargs: test: True This will schedule the command: state.sls httpd test=True every 3600 seconds (every hour) schedule: job1: function: state.sls seconds: 3600 args: - httpd kwargs: test: True splay: 15 This will schedule the command: state.sls httpd test=True every 3600 seconds (every hour) splaying the time between 0 and 15 seconds schedule: job1: function: state.sls seconds: 3600 args: - httpd kwargs: test: True splay: start: 10 end: 15 This will schedule the command: state.sls httpd test=True every 3600 seconds (every hour) splaying the time between 10 and 15 seconds New in version 2014.7.0. Frequency of jobs can also be specified using date strings supported by the python dateutil library. This requires python-dateutil to be installed on the minion. schedule: job1: function: state.sls args: - httpd kwargs: test: True when: 5:00pm This will schedule the command: state.sls httpd test=True at 5:00pm minion localtime. schedule: job1: function: state.sls args: - httpd kwargs: test: True when: - Monday 5:00pm - Tuesday 3:00pm - Wednesday 5:00pm - Thursday 3:00pm - Friday 5:00pm This will schedule the command: state.sls httpd test=True at 5pm on Monday, Wednesday, and Friday, and 3pm on Tuesday and Thursday. schedule: job1: function: state.sls seconds: 3600 args: - httpd kwargs: test: True range: start: 8:00am end: 5:00pm This will schedule the command: state.sls httpd test=True every 3600 seconds (every hour) between the hours of 8am and 5pm. The range parameter must be a dictionary with the date strings using the dateutil format. This requires python-dateutil to be installed on the minion. New in version 2014.7.0. The scheduler also supports ensuring that there are no more than N copies of a particular routine running. Use this for jobs that may be long-running and could step on each other or pile up in case of infrastructure outage. The default for maxrunning is 1. schedule: long_running_job: function: big_file_transfer jid_include: True States schedule: log-loadavg: function: cmd.run seconds: 3660 args: - 'logger -t salt < /proc/loadavg' kwargs: stateful: False shell: /bin/sh Highstates To set up a highstate to run on a minion every 60 minutes set this in the minion config or pillar: schedule: highstate: function: state.highstate minutes: 60 Time intervals can be specified as seconds, minutes, hours, or days. Runners Runner executions can also be specified on the master within the master configuration file: schedule: run_my_orch: function: state.orchestrate hours: 6 splay: 600 args: - orchestration.my_orch The above configuration is analogous to running salt-run state.orch orchestration.my_orch every 6 hours. Scheduler With Returner The scheduler is also useful for tasks like gathering monitoring data about a minion, this schedule option will gather status data and send it to a MySQL returner database: schedule: uptime: function: status.uptime seconds: 60 returner: mysql meminfo: function: status.meminfo minutes: 5 returner: mysql Since specifying the returner repeatedly can be tiresome, the schedule_returner option is available to specify one or a list of global returners to be used by the minions when scheduling. In Salt versions greater than 0.12.0, the scheduling system allows incremental executions on minions or the master. The schedule system exposes the execution of any execution function on minions or any runner on the master. Scheduling is enabled via the schedule option on either the master or minion config files, or via a minion's pillar data. Schedules that are impletemented via pillar data, only need to refresh the minion's pillar data, for example by using saltutil.refresh_pillar. Schedules implemented in the master or minion config have to restart the application in order for the schedule to be implemented. NOTE: The scheduler executes different functions on the master and minions. When running on the master the functions reference runner functions, when running on the minion the functions specify execution functions. A scheduled run has no output on the minion unless the config is set to info level or higher. Refer to minion logging settings. Specify maxrunning to ensure that there are no more than N copies of a particular routine running. Use this for jobs that may be long-running and could step on each other or otherwise double execute. The default for maxrunning is 1. States are executed on the minion, as all states are. You can pass positional arguments and provide a yaml dict of named arguments. schedule: job1: function: state.sls seconds: 3600 args: - httpd kwargs: test: True This will schedule the command: state.sls httpd test=True every 3600 seconds (every hour) schedule: job1: function: state.sls seconds: 3600 args: - httpd kwargs: test: True splay: 15 This will schedule the command: state.sls httpd test=True every 3600 seconds (every hour) splaying the time between 0 and 15 seconds schedule: job1: function: state.sls seconds: 3600 args: - httpd kwargs: test: True splay: start: 10 end: 15 This will schedule the command: state.sls httpd test=True every 3600 seconds (every hour) splaying the time between 10 and 15 seconds New in version 2014.7.0. Frequency of jobs can also be specified using date strings supported by the python dateutil library. This requires python-dateutil to be installed on the minion. schedule: job1: function: state.sls args: - httpd kwargs: test: True when: 5:00pm This will schedule the command: state.sls httpd test=True at 5:00pm minion localtime. schedule: job1: function: state.sls args: - httpd kwargs: test: True when: - Monday 5:00pm - Tuesday 3:00pm - Wednesday 5:00pm - Thursday 3:00pm - Friday 5:00pm This will schedule the command: state.sls httpd test=True at 5pm on Monday, Wednesday, and Friday, and 3pm on Tuesday and Thursday. schedule: job1: function: state.sls seconds: 3600 args: - httpd kwargs: test: True range: start: 8:00am end: 5:00pm This will schedule the command: state.sls httpd test=True every 3600 seconds (every hour) between the hours of 8am and 5pm. The range parameter must be a dictionary with the date strings using the dateutil format. This requires python-dateutil to be installed on the minion. New in version 2014.7.0. The scheduler also supports ensuring that there are no more than N copies of a particular routine running. Use this for jobs that may be long-running and could step on each other or pile up in case of infrastructure outage. The default for maxrunning is 1. schedule: long_running_job: function: big_file_transfer jid_include: True States schedule: log-loadavg: function: cmd.run seconds: 3660 args: - 'logger -t salt < /proc/loadavg' kwargs: stateful: False shell: /bin/sh Highstates To set up a highstate to run on a minion every 60 minutes set this in the minion config or pillar: schedule: highstate: function: state.highstate minutes: 60 Time intervals can be specified as seconds, minutes, hours, or days. Runners Runner executions can also be specified on the master within the master configuration file: schedule: run_my_orch: function: state.orchestrate hours: 6 splay: 600 args: - orchestration.my_orch The above configuration is analogous to running salt-run state.orch orchestration.my_orch every 6 hours. Scheduler With Returner The scheduler is also useful for tasks like gathering monitoring data about a minion, this schedule option will gather status data and send it to a MySQL returner database: schedule: uptime: function: status.uptime seconds: 60 returner: mysql meminfo: function: status.meminfo minutes: 5 returner: mysql Since specifying the returner repeatedly can be tiresome, the schedule_returner option is available to specify one or a list of global returners to be used by the minions when scheduling.
MANAGING THE JOB CACHE
The Salt Master maintains a job cache of all job executions which can be queried via the jobs runner. This job cache is called the Default Job Cache. Default Job Cache A number of options are available when configuring the job cache. The default caching system uses local storage on the Salt Master and can be found in the job cache directory (on Linux systems this is typically /var/cache/salt/master/jobs). The default caching system is suitable for most deployments as it does not typically require any further configuration or management. The default job cache is a temporary cache and jobs will be stored for 24 hours. If the default cache needs to store jobs for a different period the time can be easily adjusted by changing the keep_jobs parameter in the Salt Master configuration file. The value passed in is measured via hours: keep_jobs: 24 Additional Job Cache Options Many deployments may wish to use an external database to maintain a long term register of executed jobs. Salt comes with two main mechanisms to do this, the master job cache and the external job cache. See Storing Job Results in an External System.
STORING JOB RESULTS IN AN EXTERNAL SYSTEM
After a job executes, job results are returned to the Salt Master by each Salt Minion. These results are stored in the Default Job Cache. In addition to the Default Job Cache, Salt provides two additional mechanisms to send job results to other systems (databases, local syslog, and others): • External Job Cache • Master Job Cache The major difference between these two mechanism is from where results are returned (from the Salt Master or Salt Minion). External Job Cache - Minion-Side Returner When an External Job Cache is configured, data is returned to the Default Job Cache on the Salt Master like usual, and then results are also sent to an External Job Cache using a Salt returner module running on the Salt Minion. [image] • Advantages: Data is stored without placing additional load on the Salt Master. • Disadvantages: Each Salt Minion connects to the external job cache, which can result in a large number of connections. Also requires additional configuration to get returner module settings on all Salt Minions. Master Job Cache - Master-Side Returner New in version 2014.7.0. Instead of configuring an External Job Cache on each Salt Minion, you can configure the Master Job Cache to send job results from the Salt Master instead. In this configuration, Salt Minions send data to the Default Job Cache as usual, and then the Salt Master sends the data to the external system using a Salt returner module running on the Salt Master. [image] • Advantages: A single connection is required to the external system. This is preferred for databases and similar systems. • Disadvantages: Places additional load on your Salt Master. Configure an External or Master Job Cache Step 1: Understand Salt Returners Before you configure a job cache, it is essential to understand Salt returner modules ("returners"). Returners are pluggable Salt Modules that take the data returned by jobs, and then perform any necessary steps to send the data to an external system. For example, a returner might establish a connection, authenticate, and then format and transfer data. The Salt Returner system provides the core functionality used by the External and Master Job Cache systems, and the same returners are used by both systems. Salt currently provides many different returners that let you connect to a wide variety of systems. A complete list is available at all Salt returners. Each returner is configured differently, so make sure you read and follow the instructions linked from that page. For example, the MySQL returner requires: • A database created using provided schema (structure is available at MySQL returner) • A user created with with privileges to the database • Optional SSL configuration A simpler returner, such as Slack or HipChat, requires: • An API key/version • The target channel/room • The username that should be used to send the message Step 2: Configure the Returner After you understand the configuration and have the external system ready, add the returner configuration settings to the Salt Minion configuration file for the External Job Cache, or to the Salt Master configuration file for the Master Job Cache. For example, MySQL requires: mysql.host: 'salt' mysql.user: 'salt' mysql.pass: 'salt' mysql.db: 'salt' mysql.port: 3306 Slack requires: slack.channel: 'channel' slack.api_key: 'key' slack.from_name: 'name' After you have configured the returner and added settings to the configuration file, you can enable the External or Master Job Cache. Step 3: Enable the External or Master Job Cache Configuration is a single line that specifies an already-configured returner to use to send all job data to an external system. External Job Cache To enable a returner as the External Job Cache (Minion-side), add the following line to the Salt Master configuration file: ext_job_cache: <returner> For example: ext_job_cache: mysql NOTE: When configuring an External Job Cache (Minion-side), the returner settings are added to the Minion configuration file, but the External Job Cache setting is configured in the Master configuration file. Master Job Cache To enable a returner as a Master Job Cache (Master-side), add the following line to the Salt Master configuration file: master_job_cache: <returner> For example: master_job_cache: mysql Verify that the returner configuration settings are in the Master configuration file, and be sure to restart the salt-master service after you make configuration changes. (service salt-master restart).
STORING DATA IN OTHER DATABASES
The SDB interface is designed to store and retrieve data that, unlike pillars and grains, is not necessarily minion-specific. The initial design goal was to allow passwords to be stored in a secure database, such as one managed by the keyring package, rather than as plain-text files. However, as a generic database interface, it could conceptually be used for a number of other purposes. SDB was added to Salt in version 2014.7.0. SDB is currently experimental, and should probably not be used in production. SDB Configuration In order to use the SDB interface, a configuration profile must be set up in either the master or minion configuration file. The configuration stanza includes the name/ID that the profile will be referred to as, a driver setting, and any other arguments that are necessary for the SDB module that will be used. For instance, a profile called mykeyring, which uses the system service in the keyring module would look like: mykeyring: driver: keyring service: system It is recommended to keep the name of the profile simple, as it is used in the SDB URI as well. SDB URIs SDB is designed to make small database queries (hence the name, SDB) using a compact URL. This allows users to reference a database value quickly inside a number of Salt configuration areas, without a lot of overhead. The basic format of an SDB URI is: sdb://<profile>/<args> The profile refers to the configuration profile defined in either the master or the minion configuration file. The args are specific to the module referred to in the profile, but will typically only need to refer to the key of a key/value pair inside the database. This is because the profile itself should define as many other parameters as possible. For example, a profile might be set up to reference credentials for a specific OpenStack account. The profile might look like: kevinopenstack: driver: keyring service: salt.cloud.openstack.kevin And the URI used to reference the password might look like: sdb://kevinopenstack/password Getting and Setting SDB Values Once an SDB driver is configured, you can use the sdb execution module to set and get values from it. There are two functions that will appear in any SDB module: set and get. Getting a value requires only the SDB URI to be specified. To retreive a value from the kevinopenstack profile above, you would use: salt-call sdb.get sdb://kevinopenstack/password Some drivers use slightly more complex URIs. For instance, the vault driver requires the full path to where the key is stored, followed by a question mark, followed by the key to be retrieved. If you were using a profile called myvault, you would use a URI that looks like: salt-call sdb.get 'sdb://myvault/secret/salt?saltstack' Setting a value uses the same URI as would be used to retrieve it, followed by the value as another argument. For the above myvault URI, you would set a new value using a command like: salt-call sdb.set 'sdb://myvault/secret/salt?saltstack' 'super awesome' The sdb.get and sdb.set functions are also available in the runner system: salt-run sdb.get 'sdb://myvault/secret/salt?saltstack' salt-run sdb.set 'sdb://myvault/secret/salt?saltstack' 'super awesome' Using SDB URIs in Files SDB URIs can be used in both configuration files, and files that are processed by the renderer system (jinja, mako, etc.). In a configuration file (such as /etc/salt/master, /etc/salt/minion, /etc/salt/cloud, etc.), make an entry as usual, and set the value to the SDB URI. For instance: mykey: sdb://myetcd/mykey To retrieve this value using a module, the module in question must use the config.get function to retrive configuration values. This would look something like: mykey = __salt__['config.get']('mykey') Templating renderers use a similar construct. To get the mykey value from above in Jinja, you would use: {{ salt['config.get']('mykey') }} When retrieving data from configuration files using config.get, the SDB URI need only appear in the configuration file itself. If you would like to retrieve a key directly from SDB, you would call the sdb.get function directly, using the SDB URI. For instance, in Jinja: {{ salt['sdb.get']('sdb://myetcd/mykey') }} When writing Salt modules, it is not recommended to call sdb.get directly, as it requires the user to provide vaules in SDB, using a specific URI. Use config.get instead. Writing SDB Modules There is currently one function that MUST exist in any SDB module (get()) and one that SHOULD exist (set_()). If using a (set_()) function, a __func_alias__ dictionary MUST be declared in the module as well: __func_alias__ = { 'set_': 'set', } This is because set is a Python built-in, and therefore functions should not be created which are called set(). The __func_alias__ functionality is provided via Salt's loader interfaces, and allows legally-named functions to be referred to using names that would otherwise be unwise to use. The get() function is required, as it will be called via functions in other areas of the code which make use of the sdb:// URI. For example, the config.get function in the config execution module uses this function. The set_() function may be provided, but is not required, as some sources may be read-only, or may be otherwise unwise to access via a URI (for instance, because of SQL injection attacks). A simple example of an SDB module is salt/sdb/keyring_db.py, as it provides basic examples of most, if not all, of the types of functionality that are available not only for SDB modules, but for Salt modules in general.
SALT EVENT SYSTEM
The Salt Event System is used to fire off events enabling third party applications or external processes to react to behavior within Salt. The event system is comprised of a two primary components: • The event sockets which publishes events. • The event library which can listen to events and send events into the salt system. Event types Salt Master Events These events are fired on the Salt Master event bus. This list is not comprehensive. Authentication events salt/auth Fired when a minion performs an authentication check with the master. Variables • id -- The minion ID. • act -- The current status of the minion key: accept, pend, reject. • pub -- The minion public key. NOTE: Minions fire auth events on fairly regular basis for a number of reasons. Writing reactors to respond to events through the auth cycle can lead to infinite reactor event loops (minion tries to auth, reactor responds by doing something that generates another auth event, minion sends auth event, etc.). Consider reacting to salt/key or salt/minion/<MID>/start or firing a custom event tag instead. Start events salt/minion/<MID>/start Fired every time a minion connects to the Salt master. Variables id -- The minion ID. Key events salt/key Fired when accepting and rejecting minions keys on the Salt master. Variables • id -- The minion ID. • act -- The new status of the minion key: accept, pend, reject. WARNING: If a master is in auto_accept mode, salt/key events will not be fired when the keys are accepted. In addition, pre-seeding keys (like happens through Salt-Cloud) will not cause firing of these events. Job events salt/job/<JID>/new Fired as a new job is sent out to minions. Variables • jid -- The job ID. • tgt -- The target of the job: *, a minion ID, G@os_family:RedHat, etc. • tgt_type -- The type of targeting used: glob, grain, compound, etc. • fun -- The function to run on minions: test.ping, network.interfaces, etc. • arg -- A list of arguments to pass to the function that will be called. • minions -- A list of minion IDs that Salt expects will return data for this job. • user -- The name of the user that ran the command as defined in Salt's Client ACL or external auth. salt/job/<JID>/ret/<MID> Fired each time a minion returns data for a job. Variables • id -- The minion ID. • jid -- The job ID. • retcode -- The return code for the job. • fun -- The function the minion ran. E.g., test.ping. • return -- The data returned from the execution module. salt/job/<JID>/prog/<MID>/<RUN NUM> Fired each time a each function in a state run completes execution. Must be enabled using the state_events option. Variables • data -- The data returned from the state module function. • id -- The minion ID. • jid -- The job ID. Presence events salt/presence/present Events fired on a regular interval about currently connected, newly connected, or recently disconnected minions. Requires the presence_events setting to be enabled. Variables present -- A list of minions that are currently connected to the Salt master. salt/presence/change Fired when the Presence system detects new minions connect or disconnect. Variables • new -- A list of minions that have connected since the last presence event. • lost -- A list of minions that have disconnected since the last presence event. Cloud Events Unlike other Master events, salt-cloud events are not fired on behalf of a Salt Minion. Instead, salt-cloud events are fired on behalf of a VM. This is because the minion-to-be may not yet exist to fire events to or also may have been destroyed. This behavior is reflected by the name variable in the event data for salt-cloud events as compared to the id variable for Salt Minion-triggered events. salt/cloud/<VM NAME>/creating Fired when salt-cloud starts the VM creation process. Variables • name -- the name of the VM being created. • event -- description of the event. • provider -- the cloud provider of the VM being created. • profile -- the cloud profile for the VM being created. salt/cloud/<VM NAME>/deploying Fired when the VM is available and salt-cloud begins deploying Salt to the new VM. Variables • name -- the name of the VM being created. • event -- description of the event. • kwargs -- options available as the deploy script is invoked: conf_file, deploy_command, display_ssh_output, host, keep_tmp, key_filename, make_minion, minion_conf, name, parallel, preseed_minion_keys, script, script_args, script_env, sock_dir, start_action, sudo, tmp_dir, tty, username salt/cloud/<VM NAME>/requesting Fired when salt-cloud sends the request to create a new VM. Variables • event -- description of the event. • location -- the location of the VM being requested. • kwargs -- options available as the VM is being requested: Action, ImageId, InstanceType, KeyName, MaxCount, MinCount, SecurityGroup.1 salt/cloud/<VM NAME>/querying Fired when salt-cloud queries data for a new instance. Variables • event -- description of the event. • instance_id -- the ID of the new VM. salt/cloud/<VM NAME>/tagging Fired when salt-cloud tags a new instance. Variables • event -- description of the event. • tags -- tags being set on the new instance. salt/cloud/<VM NAME>/waiting_for_ssh Fired while the salt-cloud deploy process is waiting for ssh to become available on the new instance. Variables • event -- description of the event. • ip_address -- IP address of the new instance. salt/cloud/<VM NAME>/deploy_script Fired once the deploy script is finished. Variables event -- description of the event. salt/cloud/<VM NAME>/created Fired once the new instance has been fully created. Variables • name -- the name of the VM being created. • event -- description of the event. • instance_id -- the ID of the new instance. • provider -- the cloud provider of the VM being created. • profile -- the cloud profile for the VM being created. salt/cloud/<VM NAME>/destroying Fired when salt-cloud requests the destruction of an instance. Variables • name -- the name of the VM being created. • event -- description of the event. • instance_id -- the ID of the new instance. salt/cloud/<VM NAME>/destroyed Fired when an instance has been destroyed. Variables • name -- the name of the VM being created. • event -- description of the event. • instance_id -- the ID of the new instance. Listening for Events Salt's Event Bus is used heavily within Salt and it is also written to integrate heavily with existing tooling and scripts. There is a variety of ways to consume it. From the CLI The quickest way to watch the event bus is by calling the state.event runner: salt-run state.event pretty=True That runner is designed to interact with the event bus from external tools and shell scripts. See the documentation for more examples. Remotely via the REST API Salt's event bus can be consumed salt.netapi.rest_cherrypy.app.Events as an HTTP stream from external tools or services. curl -SsNk https://salt-api.example.com:8000/events?token=05A3 From Python Python scripts can access the event bus only as the same system user that Salt is running as. The event system is accessed via the event library and can only be accessed by the same system user that Salt is running as. To listen to events a SaltEvent object needs to be created and then the get_event function needs to be run. The SaltEvent object needs to know the location that the Salt Unix sockets are kept. In the configuration this is the sock_dir option. The sock_dir option defaults to "/var/run/salt/master" on most systems. The following code will check for a single event: import salt.config import salt.utils.event opts = salt.config.client_config('/etc/salt/master') event = salt.utils.event.get_event( 'master', sock_dir=opts['sock_dir'], transport=opts['transport'], opts=opts) data = event.get_event() Events will also use a "tag". Tags allow for events to be filtered by prefix. By default all events will be returned. If only authentication events are desired, then pass the tag "salt/auth". The get_event method has a default poll time assigned of 5 seconds. To change this time set the "wait" option. The following example will only listen for auth events and will wait for 10 seconds instead of the default 5. data = event.get_event(wait=10, tag='salt/auth') To retrieve the tag as well as the event data, pass full=True: evdata = event.get_event(wait=10, tag='salt/job', full=True) tag, data = evdata['tag'], evdata['data'] Instead of looking for a single event, the iter_events method can be used to make a generator which will continually yield salt events. The iter_events method also accepts a tag but not a wait time: for data in event.iter_events(tag='salt/auth'): print(data) And finally event tags can be globbed, such as they can be in the Reactor, using the fnmatch library. import fnmatch import salt.config import salt.utils.event opts = salt.config.client_config('/etc/salt/master') sevent = salt.utils.event.get_event( 'master', sock_dir=opts['sock_dir'], transport=opts['transport'], opts=opts) while True: ret = sevent.get_event(full=True) if ret is None: continue if fnmatch.fnmatch(ret['tag'], 'salt/job/*/ret/*'): do_something_with_job_return(ret['data']) Firing Events It is possible to fire events on either the minion's local bus or to fire events intended for the master. To fire a local event from the minion on the command line call the event.fire execution function: salt-call event.fire '{"data": "message to be sent in the event"}' 'tag' To fire an event to be sent up to the master from the minion call the event.send execution function. Remember YAML can be used at the CLI in function arguments: salt-call event.send 'myco/mytag/success' '{success: True, message: "It works!"}' If a process is listening on the minion, it may be useful for a user on the master to fire an event to it: # Job on minion import salt.utils.event event = salt.utils.event.MinionEvent(**__opts__) for evdata in event.iter_events(tag='customtag/'): return evdata # do your processing here... salt minionname event.fire '{"data": "message for the minion"}' 'customtag/african/unladen' Firing Events from Python From Salt execution modules Events can be very useful when writing execution modules, in order to inform various processes on the master when a certain task has taken place. This is easily done using the normal cross-calling syntax: # /srv/salt/_modules/my_custom_module.py def do_something(): ''' Do something and fire an event to the master when finished CLI Example:: salt '*' my_custom_module:do_something ''' # do something! __salt__['event.send']('myco/my_custom_module/finished', { 'finished': True, 'message': "The something is finished!", }) From Custom Python Scripts Firing events from custom Python code is quite simple and mirrors how it is done at the CLI: import salt.client caller = salt.client.Caller() caller.sminion.functions['event.send']( 'myco/myevent/success', { 'success': True, 'message': "It works!", } )
BEACONS
The beacon system allows the minion to hook into a variety of system processes and continually monitor these processes. When monitored activity occurs in a system process, an event is sent on the Salt event bus that can be used to trigger a reactor. Salt beacons can currently monitor and send Salt events for many system activities, including: • file system changes • system load • service status • shell activity, such as user login • network and disk usage See beacon modules for a current list. NOTE: Salt beacons are an event generation mechanism. Beacons leverage the Salt reactor system to make changes when beacon events occur. Configuring Beacons Salt beacons do not require any changes to the system process that is being monitored, everything is configured using Salt. Beacons are typically enabled by placing a beacons: top level block in the minion configuration file: beacons: inotify: /etc/httpd/conf.d: {} /opt: {} The beacon system, like many others in Salt, can also be configured via the minion pillar, grains, or local config file. Beacon Monitoring Interval Beacons monitor on a 1-second interval by default. To set a different interval, provide an interval argument to a beacon. The following beacons run on 5- and 10-second intervals: beacons: inotify: /etc/httpd/conf.d: {} /opt: {} interval: 5 load: - 1m: - 0.0 - 2.0 - 5m: - 0.0 - 1.5 - 15m: - 0.1 - 1.0 - interval: 10 Avoiding Event Loops It is important to carefully consider the possibility of creating a loop between a reactor and a beacon. For example, one might set up a beacon which monitors whether a file is read which in turn fires a reactor to run a state which in turn reads the file and re-fires the beacon. To avoid these types of scenarios, the disable_during_state_run argument may be set. If a state run is in progress, the beacon will not be run on its regular interval until the minion detects that the state run has completed, at which point the normal beacon interval will resume. beacons: inotify: /etc/passwd: {} disable_during_state_run: True Beacon Example This example demonstrates configuring the inotify beacon to monitor a file for changes, and then create a backup each time a change is detected. NOTE: The inotify beacon requires Pyinotify on the minion, install it using salt myminion pkg.install python-inotify. First, on the Salt minion, add the following beacon configuration to /ect/salt/minion: beacons: inotify: home/user/importantfile: mask: - modify Replace user in the previous example with the name of your user account, and then save the configuration file and restart the minion service. Next, create a file in your home directory named importantfile and add some simple content. The beacon is now set up to monitor this file for modifications. View Events on the Master On your Salt master, start the event runner using the following command: salt-run state.event pretty=true This runner displays events as they are received on the Salt event bus. To test the beacon you set up in the previous section, make and save a modification to the importantfile you created. You'll see an event similar to the following on the event bus: salt/beacon/minion1/inotify/home/user/importantfile { "_stamp": "2015-09-09T15:59:37.972753", "data": { "change": "IN_IGNORED", "id": "minion1", "path": "/home/user/importantfile" }, "tag": "salt/beacon/minion1/inotify/home/user/importantfile" } This indicates that the event is being captured and sent correctly. Now you can create a reactor to take action when this event occurs. Create a Reactor On your Salt master, create a file named srv/reactor/backup.sls. If the reactor directory doesn't exist, create it. Add the following to backup.sls: backup file: cmd.file.copy: - tgt: {{ data['data']['id'] }} - arg: - {{ data['data']['path'] }} - {{ data['data']['path'] }}.bak Next, add the code to trigger the reactor to ect/salt/master: reactor: - salt/beacon/*/inotify/*/importantfile: - /srv/reactor/backup.sls This reactor creates a backup each time a file named importantfile is modified on a minion that has the inotify beacon configured as previously shown. NOTE: You can have only one top level reactor section, so if one already exists, add this code to the existing section. See Understanding the Structure of Reactor Formulas to learn more about reactor SLS syntax. Start the Salt Master in Debug Mode To help with troubleshooting, start the Salt master in debug mode: service salt-master stop salt-master -l debug When debug logging is enabled, event and reactor data are displayed so you can discover syntax and other issues. Trigger the Reactor On your minion, make and save another change to importantfile. On the Salt master, you'll see debug messages that indicate the event was received and the file.copy job was sent. When you list the directory on the minion, you'll now see importantfile.bak. All beacons are configured using a similar process of enabling the beacon, writing a reactor SLS, and mapping a beacon event to the reactor SLS. Writing Beacon Plugins Beacon plugins use the standard Salt loader system, meaning that many of the constructs from other plugin systems holds true, such as the __virtual__ function. The important function in the Beacon Plugin is the beacon function. When the beacon is configured to run, this function will be executed repeatedly by the minion. The beacon function therefore cannot block and should be as lightweight as possible. The beacon also must return a list of dicts, each dict in the list will be translated into an event on the master. Please see the inotify beacon as an example. The beacon Function The beacons system will look for a function named beacon in the module. If this function is not present then the beacon will not be fired. This function is called on a regular basis and defaults to being called on every iteration of the minion, which can be tens to hundreds of times a second. This means that the beacon function cannot block and should not be CPU or IO intensive. The beacon function will be passed in the configuration for the executed beacon. This makes it easy to establish a flexible configuration for each called beacon. This is also the preferred way to ingest the beacon's configuration as it allows for the configuration to be dynamically updated while the minion is running by configuring the beacon in the minion's pillar. The Beacon Return The information returned from the beacon is expected to follow a predefined structure. The returned value needs to be a list of dictionaries (standard python dictionaries are preferred, no ordered dicts are needed). The dictionaries represent individual events to be fired on the minion and master event buses. Each dict is a single event. The dict can contain any arbitrary keys but the 'tag' key will be extracted and added to the tag of the fired event. The return data structure would look something like this: [{'changes': ['/foo/bar'], 'tag': 'foo'}, {'changes': ['/foo/baz'], 'tag': 'bar'}] Calling Execution Modules Execution modules are still the preferred location for all work and system interaction to happen in Salt. For this reason the __salt__ variable is available inside the beacon. Please be careful when calling functions in __salt__, while this is the preferred means of executing complicated routines in Salt not all of the execution modules have been written with beacons in mind. Watch out for execution modules that may be CPU intense or IO bound. Please feel free to add new execution modules and functions to back specific beacons. Distributing Custom Beacons Custom beacons can be distributed to minions using saltutil, see Dynamic Module Distribution.
SALT ENGINES
New in version 2015.8.0. Salt Engines are long-running, external system processes that leverage Salt. • Engines have access to Salt configuration, execution modules, and runners (__opts__, __salt__, and __runners__). • Engines are executed in a separate process that is monitored by Salt. If a Salt engine stops, it is restarted automatically. • Engines can run on the Salt master and on Salt minions. Salt engines enhance and replace the external processes functionality. Configuration Salt engines are configured under an engines top-level section in your Salt master or Salt minion configuration. Provide a list of engines and parameters under this section. engines: - logstash: host: log.my_network.com port: 5959 Salt engines must be in the Salt path, or you can add the engines_dir option in your Salt master configuration with a list of directories under which Salt attempts to find Salt engines. Writing an Engine An example Salt engine, https://github.com/saltstack/salt/blob/develop/salt/engines/test.py, is available in the Salt source. To develop an engine, the only requirement is that your module implement the start() function.
RUNNING CUSTOM MASTER PROCESSES
NOTE: Salt engines are a new feature in 2015.8.0 that let you run custom processes on the Salt master and on Salt minions. Salt engines provide more functionality than ext_processes by accepting arguments, and by providing access to Salt config, execution modules, and runners. In addition to the processes that the Salt master automatically spawns, it is possible to configure it to start additional custom processes. This is useful if a dedicated process is needed that should run throughout the life of the Salt master. For periodic independent tasks, a scheduled runner may be more appropriate. Processes started in this way will be restarted if they die and will be killed when the Salt master is shut down. Example Configuration Processes are declared in the master config file with the ext_processes option. Processes will be started in the order they are declared. ext_processes: - mymodule.TestProcess - mymodule.AnotherProcess Example Process Class # Import python libs import time import logging from multiprocessing import Process # Import Salt libs from salt.utils.event import SaltEvent log = logging.getLogger(__name__) class TestProcess(Process): def __init__(self, opts): Process.__init__(self) self.opts = opts def run(self): self.event = SaltEvent('master', self.opts['sock_dir']) i = 0 while True: self.event.fire_event({'iteration': i}, 'ext_processes/test{0}') time.sleep(60)
HIGH AVAILABILITY FEATURES IN SALT
Salt supports several features for high availability and fault tolerance. Brief documentation for these features is listed alongside their configuration parameters in Configuration file examples. Multimaster Salt minions can connect to multiple masters at one time by configuring the master configuration parameter as a YAML list of all the available masters. By default, all masters are "hot", meaning that any master can direct commands to the Salt infrastructure. In a multimaster configuration, each master must have the same cryptographic keys, and minion keys must be accepted on all masters separately. The contents of file_roots and pillar_roots need to be kept in sync with processes external to Salt as well A tutorial on setting up multimaster with "hot" masters is here: Multimaster Tutorial Multimaster with Failover Changing the master_type parameter from str to failover will cause minions to connect to the first responding master in the list of masters. Every master_alive_check seconds the minions will check to make sure the current master is still responding. If the master does not respond, the minion will attempt to connect to the next master in the list. If the minion runs out of masters, the list will be recycled in case dead masters have been restored. Note that master_alive_check must be present in the minion configuration, or else the recurring job to check master status will not get scheduled. Failover can be combined with PKI-style encrypted keys, but PKI is NOT REQUIRED to use failover. Multimaster with PKI and Failover is discussed in this tutorial master_type: failover can be combined with master_shuffle: True to spread minion connections across all masters (one master per minion, not each minion connecting to all masters). Adding Salt Syndics into the mix makes it possible to create a load-balanced Salt infrastructure. If a master fails, minions will notice and select another master from the available list. Syndic Salt's Syndic feature is a way to create differing infrastructure topologies. It is not strictly an HA feature, but can be treated as such. With the syndic, a Salt infrastructure can be partitioned in such a way that certain masters control certain segments of the infrastructure, and "Master of Masters" nodes can control multiple segments underneath them. Syndics are covered in depth in Salt Syndic. Syndic with Multimaster New in version 2015.5.0. Syndic with Multimaster lets you connect a syndic to multiple masters to provide an additional layer of redundancy in a syndic configuration. Syndics are covered in depth in Salt Syndic.
SALT SYNDIC
The most basic or typical Salt topology consists of a single Master node controlling a group of Minion nodes. An intermediate node type, called Syndic, when used offers greater structural flexibility and scalability in the construction of Salt topologies than topologies constructed only out of Master and Minion node types. A Syndic node can be thought of as a special passthrough Minion node. A Syndic node consists of a salt-syndic daemon and a salt-master daemon running on the same system. The salt-master daemon running on the Syndic node controls a group of lower level Minion nodes and the salt-syndic daemon connects higher level Master node, sometimes called a Master of Masters. The salt-syndic daemon relays publications and events between the Master node and the local salt-master daemon. This gives the Master node control over the Minion nodes attached to the salt-master daemon running on the Syndic node. Configuring the Syndic To setup a Salt Syndic you need to tell the Syndic node and its Master node about each other. If your Master node is located at 10.10.0.1, then your configurations would be: On the Syndic node: # /etc/salt/master syndic_master: 10.10.0.1 # may be either an IP address or a hostname # /etc/salt/minion # id is shared by the salt-syndic daemon and a possible salt-minion daemon # on the Syndic node id: my_syndic On the Master node: # /etc/salt/master order_masters: True The syndic_master option tells the Syndic node where to find the Master node in the same way that the master option tells a Minion node where to find a Master node. The id option is used by the salt-syndic daemon to identify with the Master node and if unset will default to the hostname or IP address of the Syndic just as with a Minion. The order_masters option configures the Master node to send extra information with its publications that is needed by Syndic nodes connected directly to it. NOTE: Each Syndic must provide its own file_roots directory. Files will not be automatically transferred from the Master node. Configuring the Syndic with Multimaster New in version 2015.5.0. Syndic with Multimaster lets you connect a syndic to multiple masters to provide an additional layer of redundancy in a syndic configuration. Higher level masters should first be configured in a multimaster configuration. See Multimaster Tutorial. On the syndic, the syndic_master option is populated with a list of the higher level masters. Since each syndic is connected to each master, jobs sent from any master are forwarded to minions that are connected to each syndic. If the master_id value is set in the master config on the higher level masters, job results are returned to the master that originated the request in a best effort fashion. Events/jobs without a master_id are returned to any available master. Running the Syndic The salt-syndic daemon is a separate process that needs to be started in addition to the salt-master daemon running on the Syndic node. Starting the salt-syndic daemon is the same as starting the other Salt daemons. The Master node in many ways sees the Syndic as an ordinary Minion node. In particular, the Master will need to accept the Syndic's Minion key as it would for any other Minion. On the Syndic node: # salt-syndic or # service salt-syndic start On the Master node: # salt-key -a my_syndic The Master node will now be able to control the Minion nodes connected to the Syndic. Only the Syndic key will be listed in the Master node's key registry but this also means that key activity between the Syndic's Minions and the Syndic does not encumber the Master node. In this way, the Syndic's key on the Master node can be thought of as a placeholder for the keys of all the Minion and Syndic nodes beneath it, giving the Master node a clear, high level structural view on the Salt cluster. On the Master node: # salt-key -L Accepted Keys: my_syndic Denied Keys: Unaccepted Keys: Rejected Keys: # salt '*' test.ping minion_1: True minion_2: True minion_4: True minion_3: True Topology A Master node (a node which is itself not a Syndic to another higher level Master node) must run a salt-master daemon and optionally a salt-minion daemon. A Syndic node must run salt-syndic and salt-master daemons and optionally a salt-minion daemon. A Minion node must run a salt-minion daemon. When a salt-master daemon issues a command, it will be received by the Syndic and Minion nodes directly connected to it. A Minion node will process the command in the way it ordinarily would. On a Syndic node, the salt-syndic daemon will relay the command to the salt-master daemon running on the Syndic node, which then propagates the command to to the Minions and Syndics connected to it. When events and job return data are generated by salt-minion daemons, they are aggregated by the salt-master daemon they are connected to, which salt-master daemon then relays the data back through its salt-syndic daemon until the data reaches the Master or Syndic node that issued the command. Syndic wait NOTE: To reduce the amount of time the CLI waits for Minions to respond, install a Minion on the Syndic or tune the value of the syndic_wait configuration. While it is possible to run a Syndic without a Minion installed on the same system, it is recommended, for a faster CLI response time, to do so. Without a Minion installed on the Syndic node, the timeout value of syndic_wait increases significantly - about three-fold. With a Minion installed on the Syndic, the CLI timeout resides at the value defined in syndic_wait. NOTE: If you have a very large infrastructure or many layers of Syndics, you may find that the CLI doesn't wait long enough for the Syndics to return their events. If you think this is the case, you can set the syndic_wait value in the Master configs on the Master or Syndic nodes from which commands are executed. The default value is 5, and should work for the majority of deployments. In order for a Master or Syndic node to return information from Minions that are below their Syndics, the CLI requires a short wait time in order to allow the Syndics to gather responses from their Minions. This value is defined in the syndic_wait config option and has a default of five seconds. Syndic config options These are the options that can be used to configure a Syndic node. Note that other than id, Syndic config options are placed in the Master config on the Syndic node. • id: Syndic id (shared by the salt-syndic daemon with a potential salt-minion daemon on the same system) • syndic_master: Master node IP address or hostname • syndic_master_port: Master node ret_port • syndic_log_file: path to the logfile (absolute or not) • syndic_pidfile: path to the pidfile (absolute or not) • syndic_wait: time in seconds to wait on returns from this syndic
SALT PROXY MINION
Proxy minions are a developing Salt feature that enables controlling devices that, for whatever reason, cannot run a standard salt-minion. Examples include network gear that has an API but runs a proprietary OS, devices with limited CPU or memory, or devices that could run a minion, but for security reasons, will not. Proxy minions are not an "out of the box" feature. Because there are an infinite number of controllable devices, you will most likely have to write the interface yourself. Fortunately, this is only as difficult as the actual interface to the proxied device. Devices that have an existing Python module (PyUSB for example) would be relatively simple to interface. Code to control a device that has an HTML REST-based interface should be easy. Code to control your typical housecat would be excellent source material for a PhD thesis. Salt proxy-minions provide the 'plumbing' that allows device enumeration and discovery, control, status, remote execution, and state management. See the Proxy Minion Walkthrough for an end-to-end demonstration of a working proxy minion. See the Proxy Minion SSH Walkthrough for an end-to-end demonstration of a working SSH proxy minion. New in 2015.8.2 BREAKING CHANGE: Adding the proxymodule variable to __opts__ is deprecated. The proxymodule variable has been moved a new globally-injected variable called __proxy__. A related configuration option called add_proxymodule_to_opts has been added and defaults to True. In the next major release, codenamed Boron, this variable will default to False. In the meantime, proxies that functioned under 2015.8.0 and .1 should continue to work under 2015.8.2. You should rework your proxy code to use __proxy__ as soon as possible. The rest_sample example proxy minion has been updated to use __proxy__. This change was made because proxymodules are a LazyLoader object, but LazyLoaders cannot be serialized. __opts__ gets serialized, and so things like saltutil.sync_all and state.highstate would throw exceptions. Also in this release, proxymodules can be stored on the master in /srv/salt/_proxy. A new saltutil function called sync_proxies will transfer these to remote proxy minions. Note that you must restart the salt-proxy daemon to pick up these changes. In addition, a salt.utils helper function called is_proxy() was added to make it easier to tell when the running minion is a proxy minion. New in 2015.8 Starting with the 2015.8 release of Salt, proxy processes are no longer forked off from a controlling minion. Instead, they have their own script salt-proxy which takes mostly the same arguments that the standard Salt minion does with the addition of --proxyid. This is the id that the salt-proxy will use to identify itself to the master. Proxy configurations are still best kept in Pillar and their format has not changed. This change allows for better process control and logging. Proxy processes can now be listed with standard process management utilities (ps from the command line). Also, a full Salt minion is no longer required (though it is still strongly recommended) on machines hosting proxies. Getting Started The following diagram may be helpful in understanding the structure of a Salt installation that includes proxy-minions: [image] The key thing to remember is the left-most section of the diagram. Salt's nature is to have a minion connect to a master, then the master may control the minion. However, for proxy minions, the target device cannot run a minion. After the proxy minion is started and initiates its connection to the 'dumb' device, it connects back to the salt-master and for all intents and purposes looks like just another minion to the Salt master. To create support for a proxied device one needs to create four things: 1. The proxy_connection_module (located in salt/proxy). 2. The grains support code (located in salt/grains). 3. Salt modules specific to the controlled device. 4. Salt states specific to the controlled device. Configuration parameters Proxy minions require no configuration parameters in /etc/salt/master. Salt's Pillar system is ideally suited for configuring proxy-minions. Proxies can either be designated via a pillar file in pillar_roots, or through an external pillar. External pillars afford the opportunity for interfacing with a configuration management system, database, or other knowledgeable system that that may already contain all the details of proxy targets. To use static files in pillar_roots, pattern your files after the following examples, which are based on the diagram above: /srv/pillar/top.sls base: dumbdevice1: - dumbdevice1 dumbdevice2: - dumbdevice2 dumbdevice3: - dumbdevice3 dumbdevice4: - dumbdevice4 dumbdevice5: - dumbdevice5 dumbdevice6: - dumbdevice6 dumbdevice7: - dumbdevice7 /srv/pillar/dumbdevice1.sls proxy: proxytype: networkswitch host: 172.23.23.5 username: root passwd: letmein /srv/pillar/dumbdevice2.sls proxy: proxytype: networkswitch host: 172.23.23.6 username: root passwd: letmein /srv/pillar/dumbdevice3.sls proxy: proxytype: networkswitch host: 172.23.23.7 username: root passwd: letmein /srv/pillar/dumbdevice4.sls proxy: proxytype: i2c_lightshow i2c_address: 1 /srv/pillar/dumbdevice5.sls proxy: proxytype: i2c_lightshow i2c_address: 2 /srv/pillar/dumbdevice6.sls proxy: proxytype: 433mhz_wireless /srv/pillar/dumbdevice7.sls proxy: proxytype: sms_serial deventry: /dev/tty04 Note the contents of each minioncontroller key may differ widely based on the type of device that the proxy-minion is managing. In the above example • dumbdevices 1, 2, and 3 are network switches that have a management interface available at a particular IP address. • dumbdevices 4 and 5 are very low-level devices controlled over an i2c bus. In this case the devices are physically connected to machine 'minioncontroller2', and are addressable on the i2c bus at their respective i2c addresses. • dumbdevice6 is a 433 MHz wireless transmitter, also physically connected to minioncontroller2 • dumbdevice7 is an SMS gateway connected to machine minioncontroller3 via a serial port. Because of the way pillar works, each of the salt-proxy processes that fork off the proxy minions will only see the keys specific to the proxies it will be handling. Also, in general, proxy-minions are lightweight, so the machines that run them could conceivably control a large number of devices. To run more than one proxy from a single machine, simply start an additional proxy process with --proxyid set to the id to which you want the proxy to bind. It is possible for the proxy services to be spread across many machines if necessary, or intentionally run on machines that need to control devices because of some physical interface (e.g. i2c and serial above). Another reason to divide proxy services might be security. In more secure environments only certain machines may have a network path to certain devices. Proxymodules A proxy module encapsulates all the code necessary to interface with a device. Proxymodules are located inside the salt.proxy module. At a minimum a proxymodule object must implement the following functions: __virtual__(): This function performs the same duty that it does for other types of Salt modules. Logic goes here to determine if the module can be loaded, checking for the presence of Python modules on which the proxy depends. Returning False will prevent the module from loading. init(opts): Perform any initialization that the device needs. This is a good place to bring up a persistent connection to a device, or authenticate to create a persistent authorization token. shutdown(): Code to cleanly shut down or close a connection to a controlled device goes here. This function must exist, but can contain only the keyword pass if there is no shutdown logic required. ping(): While not required, it is highly recommended that this function also be defined in the proxymodule. The code for ping should contact the controlled device and make sure it is really available. Pre 2015.8 the proxymodule also must have an id() function. 2015.8 and following don't use this function because the proxy's id is required on the command line. id(opts): Returns a unique, unchanging id for the controlled device. This is the "name" of the device, and is used by the salt-master for targeting and key authentication. Here is an example proxymodule used to interface to a very simple REST server. Code for the server is in the salt-contrib GitHub repository This proxymodule enables "service" enumeration, starting, stopping, restarting, and status; "package" installation, and a ping. # -*- coding: utf-8 -*- ''' This is a simple proxy-minion designed to connect to and communicate with the bottle-based web service contained in https://github.com/saltstack/salt-contrib/proxyminion_rest_example ''' from __future__ import absolute_import # Import python libs import logging import salt.utils.http HAS_REST_EXAMPLE = True # This must be present or the Salt loader won't load this module __proxyenabled__ = ['rest_sample'] # Variables are scoped to this module so we can have persistent data # across calls to fns in here. GRAINS_CACHE = {} DETAILS = {} # Want logging! log = logging.getLogger(__file__) # This does nothing, it's here just as an example and to provide a log # entry when the module is loaded. def __virtual__(): ''' Only return if all the modules are available ''' log.debug('rest_sample proxy __virtual__() called...') return True # Every proxy module needs an 'init', though you can # just put a 'pass' here if it doesn't need to do anything. def init(opts): log.debug('rest_sample proxy init() called...') # Save the REST URL DETAILS['url'] = opts['proxy']['url'] # Make sure the REST URL ends with a '/' if not DETAILS['url'].endswith('/'): DETAILS['url'] += '/' def id(opts): ''' Return a unique ID for this proxy minion. This ID MUST NOT CHANGE. If it changes while the proxy is running the salt-master will get really confused and may stop talking to this minion ''' r = salt.utils.http.query(opts['proxy']['url']+'id', decode_type='json', decode=True) return r['dict']['id'].encode('ascii', 'ignore') def grains(): ''' Get the grains from the proxied device ''' if not GRAINS_CACHE: r = salt.utils.http.query(DETAILS['url']+'info', decode_type='json', decode=True) GRAINS_CACHE = r['dict'] return GRAINS_CACHE def grains_refresh(): ''' Refresh the grains from the proxied device ''' GRAINS_CACHE = {} return grains() def service_start(name): ''' Start a "service" on the REST server ''' r = salt.utils.http.query(DETAILS['url']+'service/start/'+name, decode_type='json', decode=True) return r['dict'] def service_stop(name): ''' Stop a "service" on the REST server ''' r = salt.utils.http.query(DETAILS['url']+'service/stop/'+name, decode_type='json', decode=True) return r['dict'] def service_restart(name): ''' Restart a "service" on the REST server ''' r = salt.utils.http.query(DETAILS['url']+'service/restart/'+name, decode_type='json', decode=True) return r['dict'] def service_list(): ''' List "services" on the REST server ''' r = salt.utils.http.query(DETAILS['url']+'service/list', decode_type='json', decode=True) return r['dict'] def service_status(name): ''' Check if a service is running on the REST server ''' r = salt.utils.http.query(DETAILS['url']+'service/status/'+name, decode_type='json', decode=True) return r['dict'] def package_list(): ''' List "packages" installed on the REST server ''' r = salt.utils.http.query(DETAILS['url']+'package/list', decode_type='json', decode=True) return r['dict'] def package_install(name, **kwargs): ''' Install a "package" on the REST server ''' cmd = DETAILS['url']+'package/install/'+name if 'version' in kwargs: cmd += '/'+kwargs['version'] else: cmd += '/1.0' r = salt.utils.http.query(cmd, decode_type='json', decode=True) def package_remove(name): ''' Remove a "package" on the REST server ''' r = salt.utils.http.query(DETAILS['url']+'package/remove/'+name, decode_type='json', decode=True) return r['dict'] def package_status(name): ''' Check the installation status of a package on the REST server ''' r = salt.utils.http.query(DETAILS['url']+'package/status/'+name, decode_type='json', decode=True) return r['dict'] def ping(): ''' Is the REST server up? ''' r = salt.utils.http.query(DETAILS['url']+'ping', decode_type='json', decode=True) try: return r['dict'].get('ret', False) except Exception: return False def shutdown(opts): ''' For this proxy shutdown is a no-op ''' log.debug('rest_sample proxy shutdown() called...') pass Grains are data about minions. Most proxied devices will have a paltry amount of data as compared to a typical Linux server. By default, a proxy minion will have several grains taken from the host. Salt core code requires values for kernel, os, and os_family--all of these are forced to be proxy for proxy-minions. To add others to your proxy minion for a particular device, create a file in salt/grains named [proxytype].py and place inside it the different functions that need to be run to collect the data you are interested in. Here's an example: The __proxyenabled__ directive Salt execution modules, by, and large, cannot "automatically" work with proxied devices. Execution modules like pkg or sqlite3 have no meaning on a network switch or a housecat. For an execution module to be available to a proxy-minion, the __proxyenabled__ variable must be defined in the module as an array containing the names of all the proxytypes that this module can support. The array can contain the special value * to indicate that the module supports all proxies. If no __proxyenabled__ variable is defined, then by default, the execution module is unavailable to any proxy. Here is an excerpt from a module that was modified to support proxy-minions: __proxyenabled__ = ['*'] [...] def ping(): if not salt.utils.is_proxy(): return True else: ping_cmd = __opts__['proxy']['proxytype'] + '.ping' if __opts__.get('add_proxymodule_to_opts', False): return __opts__['proxymodule'][ping_cmd]() else: return __proxy__[ping_cmd]() And then in salt.proxy.rest_sample.py we find def ping(): ''' Is the REST server up? ''' r = salt.utils.http.query(DETAILS['url']+'ping', decode_type='json', decode=True) try: return r['dict'].get('ret', False) except Exception: return False Salt Proxy Minion End-to-End Example The following is walkthrough that documents how to run a sample REST service and configure one or more proxy minions to talk to and control it. 1. Ideally, create a Python virtualenv in which to run the REST service. This is not strictly required, but without a virtualenv you will need to install bottle via pip globally on your system 2. Clone https://github.com/saltstack/salt-contrib and copy the contents of the directory proxyminion_rest_example somewhere on a machine that is reachable from the machine on which you want to run the salt-proxy. This machine needs Python 2.7 or later. 3. Install bottle version 0.12.8 via pip or easy_install pip install bottle==0.12.8 4. Run python rest.py --help for usage 5. Start the REST API on an appropriate port and IP. 6. Load the REST service's status page in your browser by going to the IP/port combination (e.g. http://127.0.0.1:8000) 7. You should see a page entitled "Salt Proxy Minion" with two sections, one for "services" and one for "packages" and you should see a log entry in the terminal where you started the REST process indicating that the index page was retrieved. [image] Now, configure your salt-proxy. 1. Edit /etc/salt/proxy and add an entry for your master's location master: localhost 2. On your salt-master, ensure that pillar is configured properly. Select an ID for your proxy (in this example we will name the proxy with the letter 'p' followed by the port the proxy is answering on). In your pillar topfile, place an entry for your proxy: base: 'p8000': - p8000 This says that Salt's pillar should load some values for the proxy p8000 from the file /srv/pillar/p8000.sls (if you have not changed your default pillar_roots) 3. In the pillar root for your base environment, create this file: p8000.sls --------- proxy: proxytype: rest_sample url: http://<IP your REST listens on>:port In other words, if your REST service is listening on port 8000 on 127.0.0.1 the 'url' key above should say url: http://127.0.0.1:8000 4. Make sure your salt-master is running. 5. Start the salt-proxy in debug mode salt-proxy --proxyid=p8000 -l debug 6. Accept your proxy's key on your salt-master salt-key -y -a p8000 The following keys are going to be accepted: Unaccepted Keys: p8000 Key for minion p8000 accepted. 7. Now you should be able to ping your proxy. When you ping, you should see a log entry in the terminal where the REST service is running. salt p8000 test.ping 8. The REST service implements a degenerately simple pkg and service provider as well as a small set of grains. To "install" a package, use a standard pkg.install. If you pass '==' and a verrsion number after the package name then the service will parse that and accept that as the package's version. 9. Try running salt p8000 grains.items to see what grains are available. You can target proxies via grains if you like. 10. You can also start and stop the available services (apache, redbull, and postgresql with service.start, etc. 11. States can be written to target the proxy. Feel free to experiment with them. SSH Proxymodules See above for a general introduction to writing proxy modules. All of the guidelines that apply to REST are the same for SSH. This sections specifically talks about the SSH proxy module and explains the working of the example proxy module ssh_sample. Here is a simple example proxymodule used to interface to a device over SSH. Code for the SSH shell is in the salt-contrib GitHub repository This proxymodule enables "package" installation. # -*- coding: utf-8 -*- ''' This is a simple proxy-minion designed to connect to and communicate with a server that exposes functionality via SSH. This can be used as an option when the device does not provide an api over HTTP and doesn't have the python stack to run a minion. ''' from __future__ import absolute_import # Import python libs import json import logging # Import Salt's libs from salt.utils.vt_helper import SSHConnection from salt.utils.vt import TerminalException # This must be present or the Salt loader won't load this module __proxyenabled__ = ['ssh_sample'] DETAILS = {} # Want logging! log = logging.getLogger(__file__) # This does nothing, it's here just as an example and to provide a log # entry when the module is loaded. def __virtual__(): ''' Only return if all the modules are available ''' log.info('ssh_sample proxy __virtual__() called...') return True def init(opts): ''' Required. Can be used to initialize the server connection. ''' try: DETAILS['server'] = SSHConnection(host=__opts__['proxy']['host'], username=__opts__['proxy']['username'], password=__opts__['proxy']['password']) # connected to the SSH server out, err = DETAILS['server'].sendline('help') except TerminalException as e: log.error(e) return False def shutdown(opts): ''' Disconnect ''' DETAILS['server'].close_connection() def parse(out): ''' Extract json from out. Parameter out: Type string. The data returned by the ssh command. ''' jsonret = [] in_json = False for ln_ in out.split('\n'): if '{' in ln_: in_json = True if in_json: jsonret.append(ln_) if '}' in ln_: in_json = False return json.loads('\n'.join(jsonret)) def package_list(): ''' List "packages" by executing a command via ssh This function is called in response to the salt command ..code-block::bash salt target_minion pkg.list_pkgs ''' # Send the command to execute out, err = DETAILS['server'].sendline('pkg_list') # "scrape" the output and return the right fields as a dict return parse(out) def package_install(name, **kwargs): ''' Install a "package" on the REST server ''' cmd = 'pkg_install ' + name if 'version' in kwargs: cmd += '/'+kwargs['version'] else: cmd += '/1.0' # Send the command to execute out, err = DETAILS['server'].sendline(cmd) # "scrape" the output and return the right fields as a dict return parse(out) def package_remove(name): ''' Remove a "package" on the REST server ''' cmd = 'pkg_remove ' + name # Send the command to execute out, err = DETAILS['server'].sendline(cmd) # "scrape" the output and return the right fields as a dict return parse(out) Connection Setup The init() method is responsible for connection setup. It uses the host, username and password config variables defined in the pillar data. The prompt kwarg can be passed to SSHConnection if your SSH server's prompt differs from the example's prompt (Cmd). Instantiating the SSHConnection class establishes an SSH connection to the ssh server (using Salt VT). Command execution The package_* methods use the SSH connection (established in init()) to send commands out to the SSH server. The sendline() method of SSHConnection class can be used to send commands out to the server. In the above example we send commands like pkg_list or pkg_install. You can send any SSH command via this utility. Output parsing Output returned by sendline() is a tuple of strings representing the stdout and the stderr respectively. In the toy example shown we simply scrape the output and convert it to a python dictionary, as shown in the parse method. You can tailor this method to match your parsing logic. Connection teardown The shutdown method is responsible for calling the close_connection() method of SSHConnection class. This ends the SSH connection to the server. For more information please refer to class SSHConnection. Salt Proxy Minion SSH End-to-End Example The following is walkthrough that documents how to run a sample SSH service and configure one or more proxy minions to talk to and control it. 1. This walkthrough uses a custom SSH shell to provide an end to end example. Any other shells can be used too. 2. Setup the proxy command shell as shown https://github.com/saltstack/salt-contrib/tree/master/proxyminion_ssh_example Now, configure your salt-proxy. 1. Edit /etc/salt/proxy and add an entry for your master's location master: localhost add_proxymodule_to_opts: False multiprocessing: False 2. On your salt-master, ensure that pillar is configured properly. Select an ID for your proxy (in this example we will name the proxy with the letter 'p' followed by the port the proxy is answering on). In your pillar topfile, place an entry for your proxy: base: 'p8000': - p8000 This says that Salt's pillar should load some values for the proxy p8000 from the file /srv/pillar/p8000.sls (if you have not changed your default pillar_roots) 3. In the pillar root for your base environment, create this file: p8000.sls --------- proxy: proxytype: ssh_sample host: saltyVM username: salt password: badpass 4. Make sure your salt-master is running. 5. Start the salt-proxy in debug mode salt-proxy --proxyid=p8000 -l debug 6. Accept your proxy's key on your salt-master salt-key -y -a p8000 The following keys are going to be accepted: Unaccepted Keys: p8000 Key for minion p8000 accepted. 7. Now you should be able to run commands on your proxy. salt p8000 pkg.list_pkgs 8. The SSH shell implements a degenerately simple pkg. To "install" a package, use a standard pkg.install. If you pass '==' and a verrsion number after the package name then the service will parse that and accept that as the package's version.
SALT PACKAGE MANAGER
The Salt Package Manager, or SPM, allows Salt formulas to be packaged, for ease of deployment. The design of SPM was influenced by other existing packaging systems including RPM, Yum, and Pacman. Building Packages Before SPM can install packages, they must be built. The source for these packages is often a Git repository, such as those found at the saltstack-formulas organization on GitHub. FORMULA In addition to the formula itself, a FORMULA file must exist which describes the package. An example of this file is: name: apache os: RedHat, Debian, Ubuntu, Suse, FreeBSD os_family: RedHat, Debian, Suse, FreeBSD version: 201506 release: 2 summary: Formula for installing Apache description: Formula for installing Apache Required Fields This file must contain at least the following fields: name The name of the package, as it will appear in the package filename, in the repository metadata, and the package database. Even if the source formula has -formula in its name, this name should probably not include that. For instance, when packaging the apache-formula, the name should be set to apache. os The value of the os grain that this formula supports. This is used to help users know which operating systems can support this package. os_family The value of the os_family grain that this formula supports. This is used to help users know which operating system families can support this package. version The version of the package. While it is up to the organization that manages this package, it is suggested that this version is specified in a YYYYMM format. For instance, if this version was released in June 2015, the package version should be 201506. If multiple released are made in a month, the releasee field should be used. minimum_version Minimum recommended version of Salt to use this formula. Not currently enforced. release This field refers primarily to a release of a version, but also to multiple versions within a month. In general, if a version has been made public, and immediate updates need to be made to it, this field should also be updated. summary A one-line description of the package. description A more detailed description of the package which can contain more than one line. Optional Fields The following fields may also be present. top_level_dir This field is optional, but highly recommended. If it is not specified, the package name will be used. Formula repositories typically do not store .sls files in the root of the repository; instead they are stored in a subdirectory. For instance, an apache-formula repository would contain a directory called apache, which would contain an init.sls, plus a number of other related files. In this instance, the top_level_dir should be set to apache. Files outside the top_level_dir, such as README.rst, FORMULA, and LICENSE will not be installed. The exceptions to this rule are files that are already treated specially, such as pillar.example and _modules/. recommended A list of optional packages that are recommended to be installed with the package. This list is displayed in an informational message when the package is installed to SPM. Building a Package Once a FORMULA file has been created, it is placed into the root of the formula that is to be turned into a package. The spm build command is used to turn that formula into a package: spm build /path/to/saltstack-formulas/apache-formula The resulting file will be placed in the build directory. By default this directory is located at /srv/spm/. Building Repositories Once one or more packages have been built, they can be made available to SPM via a package repository. Place the packages into the directory to be served and issue an spm create_repo command: spm create_repo /srv/spm This command is used, even if repository metadata already exists in that directory. SPM will regenerate the repository metadata again, using all of the packages in that directory. Configuring Remote Repositories Before SPM can use a repository, two things need to happen. First, SPM needs to know where the repositories are. Then it needs to pull down the repository metadata. Repository Configuration Files Normally repository configuration files are placed in the /etc/salt/spm.repos.d. These files contain the name of the repository, and the link to that repository: my_repo: url: https://spm.example.com/ The URL can use http, https, ftp, or file. local_repo: url: file:///srv/spm Updating Local Repository Metadata Once the repository is configured, its metadata needs to be downloaded. At the moment, this is a manual process, using the spm update_repo command. spm update_repo Installing Packages Packages may be installed either from a local file, or from an SPM repository. To install from a repository, use the spm install command: spm install apache To install from a local file, use the spm local install command: spm local install /srv/spm/apache-201506-1.spm Currently, SPM does not check to see if files are already in place before installing them. That means that existing files will be overwritten without warning. Pillars Formula packages include a pillar.example file. Rather than being placed in the formula directory, this file is renamed to <formula name>.sls.orig and placed in the pillar_path, where it can be easily updated to meet the user's needs. Loader Modules When an execution module is placed in <file_roots>/_modules/ on the master, it will automatically be synced to minions, the next time a sync operation takes place. Other modules are also propagated this way: state modules can be placed in _states/, and so on. When SPM detects a file in a package which resides in one of these directories, that directory will be placed in <file_roots> instead of in the formula directory with the rest of the files. Removing Packages Packages may be removed once they are installed using the spm remove command. spm remove apache If files have been modified, they will not be removed. Empty directories will also be removed. Technical Information Packages are built using BZ2-compressed tarballs. By default, the package database is stored using the sqlite3 driver (see Loader Modules below). Support for these are built into Python, and so no external dependencies are needed. All other files belonging to SPM use YAML, for portability and ease of use and maintainability. SPM-Specific Loader Modules SPM was designed to behave like traditional package managers, which apply files to the filesystem and store package metadata in a local database. However, because modern infrastructures often extend beyond those use cases, certain parts of SPM have been broken out into their own set of modules. Package Database By default, the package database is stored using the sqlite3 module. This module was chosen because support for SQLite3 is built into Python itself. Please see the SPM Development Guide for information on creating new modules for package database management. Package Files By default, package files are installed using the local module. This module applies files to the local filesystem, on the machine that the package is installed on. Please see the SPM Development Guide for information on creating new modules for package file management. SPM Configuration There are a number of options that are specific to SPM. They may be configured in the master configuration file, or in SPM's own spm configuration file (normally located at /etc/salt/spm). If configured in both places, the spm file takes precedence. In general, these values will not need to be changed from the defaults. spm_logfile Default: /var/log/salt/spm Where SPM logs messages. spm_repos_config Default: /etc/salt/spm.repos SPM repositories are configured with this file. There is also a directory which corresponds to it, which ends in .d. For instance, if the filename is /etc/salt/spm.repos, the directory will be /etc/salt/spm.repos.d/. spm_cache_dir Default: /var/cache/salt/spm When SPM updates package repository metadata and downloads packaged, they will be placed in this directory. The package database, normally called packages.db, also lives in this directory. spm_db Default: /var/cache/salt/spm/packages.db The location and name of the package database. This database stores the names of all of the SPM packages installed on the system, the files that belong to them, and the metadata for those files. spm_build_dir Default: /srv/spm When packages are built, they will be placed in this directory. spm_build_exclude Default: ['.git'] When SPM builds a package, it normally adds all files in the formula directory to the package. Files listed here will be excluded from that package. This option requires a list to be specified. spm_build_exclude: - .git - .svn Types of Packages SPM supports different types of formula packages. The function of each package is denoted by its name. For instance, packages which end in -formula are considered to be Salt States (the most common type of formula). Packages which end in -conf contain configuration which is to be placed in the /etc/salt/ directory. Packages which do not contain one of these names are treated as if they have a -formula name. formula By default, most files from this type of package live in the /srv/spm/salt/ directory. The exception is the pillar.example file, which will be renamed to <package_name>.sls and placed in the pillar directory (/srv/spm/pillar/ by default). reactor By default, files from this type of package live in the /srv/spm/reactor/ directory. conf The files in this type of package are configuration files for Salt, which normally live in the /etc/salt/ directory. Configuration files for packages other than Salt can and should be handled with a Salt State (using a formula type of package). SPM Developmnent Guide This document discusses developing additional code for SPM. SPM-Specific Loader Modules SPM was designed to behave like traditional package managers, which apply files to the filesystem and store package metadata in a local database. However, because modern infrastructures often extend beyond those use cases, certain parts of SPM have been broken out into their own set of modules. Each function that accepts arguments has a set of required and optional arguments. Take note that SPM will pass all arguments in, and therefore each function must accept each of those arguments. However, arguments that are marked as required are crucial to SPM's core functionality, while arguments that are marked as optional are provided as a benefit to the module, if it needs to use them. Package Database By default, the package database is stored using the sqlite3 module. This module was chosen because support for SQLite3 is built into Python itself. Modules for managing the package database are stored in the salt/spm/pkgdb/ directory. A number of functions must exist to support database management. init() Get a database connection, and initialize the package database if necessary. This function accepts no arguments. If a database is used which supports a connection object, then that connection object is returned. For instance, the sqlite3 module returns a connect() object from the sqlite3 library: conn = sqlite3.connect(__opts__['spm_db'], isolation_level=None) ... return conn SPM itself will not use this connection object; it will be passed in as-is to the other functions in the module. Therefore, when you set up this object, make sure to do so in a way that is easily usable throughout the module. info() Return information for a package. This generally consists of the information that is stored in the FORMULA file in the package. The arguments that are passed in, in order, are package (required) and conn (optional). package is the name of the package, as specified in the FORMULA. conn is the connection object returned from init(). list_files() Return a list of files for an installed package. Only the filename should be returned, and no other information. The arguments that are passed in, in order, are package (required) and conn (optional). package is the name of the package, as specified in the FORMULA. conn is the connection object returned from init(). register_pkg() Register a package in the package database. Nothing is expected to be returned from this function. The arguments that are passed in, in order, are name (required), formula_def (required), and conn (optional). name is the name of the package, as specified in the FORMULA. formula_def is the contents of the FORMULA file, as a dict. conn is the connection object returned from init(). register_file() Register a file in the package database. Nothing is expected to be returned from this function. The arguments that are passed in are name (required), member (required), path (required), digest (optional), and conn (optional). name is the name of the package. member is a tarfile object for the package file. It is included, because it contains most of the information for the file. path is the location of the file on the local filesystem. digest is the SHA1 checksum of the file. conn is the connection object returned from init(). unregister_pkg() Unregister a package from the package database. This usually only involves removing the package's record from the database. Nothing is expected to be returned from this function. The arguments that are passed in, in order, are name (required) and conn (optional). name is the name of the package, as specified in the FORMULA. conn is the connection object returned from init(). unregister_file() Unregister a package from the package database. This usually only involves removing the package's record from the database. Nothing is expected to be returned from this function. The arguments that are passed in, in order, are name (required), pkg (optional) and conn (optional). name is the path of the file, as it was installed on the filesystem. pkg is the name of the package that the file belongs to. conn is the connection object returned from init(). db_exists() Check to see whether the package database already exists. This is the path to the package database file. This function will return True or False. The only argument that is expected is db_, which is the package database file. Package Files By default, package files are installed using the local module. This module applies files to the local filesystem, on the machine that the package is installed on. Modules for managing the package database are stored in the salt/spm/pkgfiles/ directory. A number of functions must exist to support file management. init() Initialize the installation location for the package files. Normally these will be directory paths, but other external destinations such as databases can be used. For this reason, this function will return a connection object, which can be a database object. However, in the default local module, this object is a dict containing the paths. This object will be passed into all other functions. Three directories are used for the destinations: formula_path, pillar_path, and reactor_path. formula_path is the location of most of the files that will be installed. The default is specific to the operating system, but is normally /srv/salt/. pillar_path is the location that the pillar.example file will be installed to. The default is specific to the operating system, but is normally /srv/pillar/. reactor_path is the location that reactor files will be installed to. The default is specific to the operating system, but is normally /srv/reactor/. check_existing() Check the filesystem for existing files. All files for the package will be checked, and if any are existing, then this function will normally state that SPM will refuse to install the package. This function returns a list of the files that exist on the system. The arguments that are passed into this function are, in order: package (required), pkg_files (required), formula_def (formula_def), and conn (optional). package is the name of the package that is to be installed. pkg_files is a list of the files to be checked. formula_def is a copy of the information that is stored in the FORMULA file. conn is the file connection object. install_file() Install a single file to the destination (normally on the filesystem). Nothing is expected to be returned from this function. This function returns the final location that the file was installed to. The arguments that are passed into this function are, in order, package (required), formula_tar (required), member (required), formula_def (required), and conn (optional). package is the name of the package that is to be installed. formula_tar is the tarfile object for the package. This is passed in so that the function can call formula_tar.extract() for the file. member is the tarfile object which represents the individual file. This may be modified as necessary, before being passed into formula_tar.extract(). formula_def is a copy of the information from the FORMULA file. conn is the file connection object. remove_file() Remove a single file from file system. Normally this will be little more than an os.remove(). Nothing is expected to be returned from this function. The arguments that are passed into this function are, in order, path (required) and conn (optional). path is the absolute path to the file to be removed. conn is the file connection object. hash_file() Returns the hexdigest hash value of a file. The arguments that are passed into this function are, in order, path (required), hashobj (required), and conn (optional). path is the absolute path to the file. hashobj is a reference to hashlib.sha1(), which is used to pull the hexdigest() for the file. conn is the file connection object. This function will not generally be more complex than: def hash_file(path, hashobj, conn=None): with salt.utils.fopen(path, 'r') as f: hashobj.update(f.read()) return hashobj.hexdigest() path_exists() Check to see whether the file already exists on the filesystem. Returns True or False. This function expects a path argument, which is the absolute path to the file to be checked. path_isdir() Check to see whether the path specified is a directory. Returns True or False. This function expects a path argument, which is the absolute path to be checked.
SALT TRANSPORT
One of fundamental features of Salt is remote execution. Salt has two basic "channels" for communicating with minions. Each channel requires a client (minion) and a server (master) implementation to work within Salt. These pairs of channels will work together to implement the specific message passing required by the channel interface. Pub Channel The pub channel, or publish channel, is how a master sends a job (payload) to a minion. This is a basic pub/sub paradigm, which has specific targeting semantics. All data which goes across the publish system should be encrypted such that only members of the Salt cluster can decrypt the publishes. Req Channel The req channel is how the minions send data to the master. This interface is primarily used for fetching files and returning job returns. The req channels have two basic interfaces when talking to the master. send is the basic method that guarantees the message is encrypted at least so that only minions attached to the same master can read it-- but no guarantee of minion-master confidentiality, wheras the crypted_transfer_decode_dictentry method does guarantee minion-master confidentiality. Zeromq Transport NOTE: Zeromq is the current default transport within Salt Zeromq is a messaging library with bindings into many languages. Zeromq implements a socket interface for message passing, with specific semantics for the socket type. Pub Channel The pub channel is implemented using zeromq's pub/sub sockets. By default we don't use zeromq's filtering, which means that all publish jobs are sent to all minions and filtered minion side. Zeromq does have publisher side filtering which can be enabled in salt using zmq_filtering. Req Channel The req channel is implemented using zeromq's req/rep sockets. These sockets enforce a send/recv pattern, which forces salt to serialize messages through these socket pairs. This means that although the interface is asynchronous on the minion we cannot send a second message until we have received the reply of the first message. TCP Transport The "tcp" transport is an implementation of Salt's channels using raw tcp sockets. Since this isn't using a pre-defined messaging library we will describe the wire protocol, message semantics, etc. in this document. Wire Protocol This implementation over TCP focuses on flexibility over absolute efficiency. This means we are okay to spend a couple of bytes of wire space for flexibility in the future. That being said, the wire framing is quite efficient and looks like: len(payload) msgpack({'head': SOMEHEADER, 'body': SOMEBODY}) The wire protocol is basically two parts, the length of the payload and a payload (which is a msgpack'd dict). Within that payload we have two items "head" and "body". Head contains header information (such as "message id"). The Body contains the actual message that we are sending. With this flexible wire protocol we can implement any message semantics that we'd like-- including multiplexed message passing on a single socket. Crypto The current implementation uses the same crypto as the zeromq transport. Pub Channel For the pub channel we send messages without "message ids" which the remote end interprets as a one-way send. NOTE: As of today we send all publishes to all minions and rely on minion-side filtering. Req Channel For the req channel we send messages with a "message id". This "message id" allows us to multiplex messages across the socket. The RAET Transport NOTE: The RAET transport is in very early development, it is functional but no promises are yet made as to its reliability or security. As for reliability and security, the encryption used has been audited and our tests show that raet is reliable. With this said we are still conducting more security audits and pushing the reliability. This document outlines the encryption used in RAET New in version 2014.7.0. The Reliable Asynchronous Event Transport, or RAET, is an alternative transport medium developed specifically with Salt in mind. It has been developed to allow queuing to happen up on the application layer and comes with socket layer encryption. It also abstracts a great deal of control over the socket layer and makes it easy to bubble up errors and exceptions. RAET also offers very powerful message routing capabilities, allowing for messages to be routed between processes on a single machine all the way up to processes on multiple machines. Messages can also be restricted, allowing processes to be sent messages of specific types from specific sources allowing for trust to be established. Using RAET in Salt Using RAET in Salt is easy, the main difference is that the core dependencies change, instead of needing pycrypto, M2Crypto, ZeroMQ, and PYZMQ, the packages libsodium, libnacl, ioflo, and raet are required. Encryption is handled very cleanly by libnacl, while the queueing and flow control is handled by ioflo. Distribution packages are forthcoming, but libsodium can be easily installed from source, or many distributions do ship packages for it. The libnacl and ioflo packages can be easily installed from pypi, distribution packages are in the works. Once the new deps are installed the 2014.7 release or higher of Salt needs to be installed. Once installed, modify the configuration files for the minion and master to set the transport to raet: /etc/salt/master: transport: raet /etc/salt/minion: transport: raet Now start salt as it would normally be started, the minion will connect to the master and share long term keys, which can then in turn be managed via salt-key. Remote execution and salt states will function in the same way as with Salt over ZeroMQ. Limitations The 2014.7 release of RAET is not complete! The Syndic and Multi Master have not been completed yet and these are slated for completion in the 2015.5.0 release. Also, Salt-Raet allows for more control over the client but these hooks have not been implemented yet, thereforre the client still uses the same system as the ZeroMQ client. This means that the extra reliability that RAET exposes has not yet been implemented in the CLI client. Why? Customer and User Request Why make an alternative transport for Salt? There are many reasons, but the primary motivation came from customer requests, many large companies came with requests to run Salt over an alternative transport, the reasoning was varied, from performance and scaling improvements to licensing concerns. These customers have partnered with SaltStack to make RAET a reality. More Capabilities RAET has been designed to allow salt to have greater communication capabilities. It has been designed to allow for development into features which out ZeroMQ topologies can't match. Many of the proposed features are still under development and will be announced as they enter proof of concept phases, but these features include salt-fuse - a filesystem over salt, salt-vt - a parallel api driven shell over the salt transport and many others. RAET Reliability RAET is reliable, hence the name (Reliable Asynchronous Event Transport). The concern posed by some over RAET reliability is based on the fact that RAET uses UDP instead of TCP and UDP does not have built in reliability. RAET itself implements the needed reliability layers that are not natively present in UDP, this allows RAET to dynamically optimize packet delivery in a way that keeps it both reliable and asynchronous. RAET and ZeroMQ When using RAET, ZeroMQ is not required. RAET is a complete networking replacement. It is noteworthy that RAET is not a ZeroMQ replacement in a general sense, the ZeroMQ constructs are not reproduced in RAET, but they are instead implemented in such a way that is specific to Salt's needs. RAET is primarily an async communication layer over truly async connections, defaulting to UDP. ZeroMQ is over TCP and abstracts async constructs within the socket layer. Salt is not dropping ZeroMQ support and has no immediate plans to do so. Encryption RAET uses Dan Bernstein's NACL encryption libraries and CurveCP handshake. The libnacl python binding binds to both libsodium and tweetnacl to execute the underlying cryptography. This allows us to completely rely on an externally developed cryptography system. Programming Intro Intro to RAET Programming NOTE: This page is still under construction The first thing to cover is that RAET does not present a socket api, it presents, and queueing api, all messages in RAET are made available to via queues. This is the single most differentiating factor with RAET vs other networking libraries, instead of making a socket, a stack is created. Instead of calling send() or recv(), messages are placed on the stack to be sent and messages that are received appear on the stack. Different kinds of stacks are also available, currently two stacks exist, the UDP stack, and the UXD stack. The UDP stack is used to communicate over udp sockets, and the UXD stack is used to communicate over Unix Domain Sockets. The UDP stack runs a context for communicating over networks, while the UXD stack has contexts for communicating between processes. UDP Stack Messages To create a UDP stack in RAET, simply create the stack, manage the queues, and process messages: from salt.transport.road.raet import stacking from salt.transport.road.raet import estating udp_stack = stacking.StackUdp(ha=('127.0.0.1', 7870)) r_estate = estating.Estate(stack=stack, name='foo', ha=('192.168.42.42', 7870)) msg = {'hello': 'world'} udp_stack.transmit(msg, udp_stack.estates[r_estate.name]) udp_stack.serviceAll()
WINDOWS SOFTWARE REPOSITORY
NOTE: In 2015.8.0 and later, the Windows Software Repository cache is compiled on the Salt Minion, which enables pillar, grains and other things to be available during compilation time. To support this new functionality, a next-generation (ng) package repository was created. See See the Changes in Version 2015.8.0 for details. The SaltStack Windows Software Repository provides a package manager and software repository similar to what is provided by yum and apt on Linux. This repository enables the installation of software using the installers on remote Windows systems. In many senses, the operation is similar to that of the other package managers salt is aware of: • the pkg.installed and similar states work on Windows. • the pkg.install and similar module functions work on Windows. High level differences to yum and apt are: • The repository metadata (SLS files) is hosted through either salt or git. • Packages can be downloaded from within the salt repository, a git repository or from http(s) or ftp urls. • No dependencies are managed. Dependencies between packages needs to be managed manually. Requirements: • GitPython 0.3 or later, or pygit2 0.20.3 with libgit 0.20.0 or later installed on your Salt master. The Windows package definitions are downloaded and updated using Git. Configuration Populate the Repository The SLS files used to install Windows packages are not distributed by default with Salt. Run the following command to initialize the repository on your Salt master: salt-run winrepo.update_git_repos Sync Repo to Windows Minions Run pkg.refresh_db on each of your Windows minions to synchronize the package repository. salt -G 'os:windows' pkg.refresh_db Install Windows Software After completing the configuration steps, you are ready to manage software on your Windows minions. Show Installed Packages salt -G 'os:windows' pkg.list_pkgs Install a Package You can query the available version of a package using the Salt pkg module. salt winminion pkg.available_version firefox {'firefox': {'15.0.1': 'Mozilla Firefox 15.0.1 (x86 en-US)', '16.0.2': 'Mozilla Firefox 16.0.2 (x86 en-US)', '17.0.1': 'Mozilla Firefox 17.0.1 (x86 en-US)'}} As you can see, there are three versions of Firefox available for installation. You can refer a software package by its name or its full_name surround by single quotes. salt winminion pkg.install 'firefox' The above line will install the latest version of Firefox. salt winminion pkg.install 'firefox' version=16.0.2 The above line will install version 16.0.2 of Firefox. If a different version of the package is already installed it will be replaced with the version in the winrepo (only if the package itself supports live updating). You can also specify the full name: salt winminion pkg.install 'Mozilla Firefox 17.0.1 (x86 en-US)' Uninstall Windows Software Uninstall software using the pkg module: salt winminion pkg.remove firefox salt winminion pkg.purge firefox NOTE: pkg.purge just executes pkg.remove on Windows. At some point in the future pkg.purge may direct the installer to remove all configs and settings for software packages that support that option. Repository Location Salt maintains a repository of SLS files to install a large number of Windows packages: • 2015.8.0 and later minions: https://github.com/saltstack/salt-winrepo-ng • Earlier releases: https://github.com/saltstack/salt-winrepo By default, these repositories are mirrored to /srv/salt/win/repo_ng and /srv/salt/win/repo. This location can be changed in the master config file by setting the winrepo_dir_ng and winrepo_dir options. Maintaining Windows Repo Definitions in Git Repositories Windows software package definitions can be hosted in one or more Git repositories. The default repositories are hosted on GitHub by SaltStack. These include software definition files for various open source software projects. These software definition files are .sls files. There are two default repositories: salt-winrepo and salt-winrepo-ng. salt-winrepo contains software definition files for older minions (older than 2015.8.0). salt-winrepo-ng is for newer minions (2015.8.0 and newer). Each software definition file contains all the information salt needs to install that software on a minion including the HTTP or FTP locations of the installer files, required command-line switches for silent install, etc. Anyone is welcome to send a pull request to this repo to add new package definitions. The repos can be browsed here: salt-winrepo salt-winrepo-ng NOTE: The newer software definition files are run through the salt's parser which allows for the use of jinja. Configure which git repositories the master can search for package definitions by modifying or extending the winrepo_remotes and winrepo_remotes_ng options. IMPORTANT: winrepo_remotes was called win_gitrepos in Salt versions earlier than 2015.8.0 Package definitions are pulled down from the online repository by running the winrepo.update_git_repos runner. This command is run on the master: salt-run winrepo.update_git_repos This will pull down the software definition files for older minions (salt-winrepo) and new minions (salt-winrepo-ng). They are stored in the file_roots under win/repo/salt-winrepo and win/repo-ng/salt-winrepo-ng respectively. IMPORTANT: If you have customized software definition files that aren't maintained in a repository, those should be stored under win/repo for older minions and win/repo-ng for newer minions. The reason for this is that the contents of win/repo/salt-winrepo and win/repo-ng/salt-winrepo-ng are wiped out every time you run a winrepo.update_git_repos. Additionally, when you run winrepo.genrepo and pkg.refresh_db the entire contents under win/repo and win/repo-ng, to include all subdirectories, are used to create the msgpack file. The next step (if you have older minions) is to create the msgpack file for the repo (winrepo.p). This is done by running the winrepo.genrepo runner. This is also run on the master: salt-run winrepo.genrepo NOTE: If you have only 2015.8.0 and newer minions, you no longer need to run salt-run winrepo.genrepo on the master. Finally, you need to refresh the minion database by running the pkg.refresh_db command. This is run on the master as well: salt '*' pkg.refresh_db On older minions (older than 2015.8.0) this will copy the winrepo.p file down to the minion. On newer minions (2015.8.0 and newer) this will copy all the software definition files (.sls) down to the minion and then create the msgpack file (winrepo.p) locally. The reason this is done locally is because the jinja needs to be parsed using the minion's grains. IMPORTANT: Every time you modify the software definition files on the master, either by running salt-run winrepo.update_git_repos, modifying existing files, or by creating your own, you need to refresh the database on your minions. For older minions, that means running salt-run winrepo.genrepo and then salt '*' pkg.refresh_db. For newer minions (2015.8.0 and newer) it is just salt '*' pkg.refresh_db. NOTE: If the winrepo.genrepo or the pkg.refresh_db fails, it is likely a problem with the jinja in one of the software definition files. This will cause the operations to stop. You'll need to fix the syntax in order for the msgpack file to be created successfully. Creating a Package Definition SLS File The package definition file is a yaml file that contains all the information needed to install a piece of software using salt. It defines information about the package to include version, full name, flags required for the installer and uninstaller, whether or not to use the windows task scheduler to install the package, where to find the installation package, etc. Take a look at this example for Firefox: firefox: '17.0.1': installer: 'salt://win/repo/firefox/English/Firefox Setup 17.0.1.exe' full_name: Mozilla Firefox 17.0.1 (x86 en-US) locale: en_US reboot: False install_flags: '-ms' uninstaller: '%ProgramFiles(x86)%/Mozilla Firefox/uninstall/helper.exe' uninstall_flags: '/S' '16.0.2': installer: 'salt://win/repo/firefox/English/Firefox Setup 16.0.2.exe' full_name: Mozilla Firefox 16.0.2 (x86 en-US) locale: en_US reboot: False install_flags: '-ms' uninstaller: '%ProgramFiles(x86)%/Mozilla Firefox/uninstall/helper.exe' uninstall_flags: '/S' '15.0.1': installer: 'salt://win/repo/firefox/English/Firefox Setup 15.0.1.exe' full_name: Mozilla Firefox 15.0.1 (x86 en-US) locale: en_US reboot: False install_flags: '-ms' uninstaller: '%ProgramFiles(x86)%/Mozilla Firefox/uninstall/helper.exe' uninstall_flags: '/S' Each software definition file begins with a package name for the software. As in the example above firefox. The next line is indented two spaces and contains the version to be defined. As in the example above, a software definition file can define multiple versions for the same piece of software. The lines following the version are indented two more spaces and contain all the information needed to install that package. WARNING: The package name and the full_name must be unique to all other packages in the software repository. The version line is the version for the package to be installed. It is used when you need to install a specific version of a piece of software. WARNING: The version must be enclosed in quotes, otherwise the yaml parser will remove trailing zeros. NOTE: There are unique situations where previous versions are unavailable. Take Google Chrome for example. There is only one url provided for a standalone installation of Google Chrome. (‐ https://dl.google.com/edgedl/chrome/install/GoogleChromeStandaloneEnterprise.msi) When a new version is released, the url just points to the new version. To handle situations such as these, set the version to latest. Salt will install the version of Chrome at the URL and report that version. Here's an example: chrome: latest: full_name: 'Google Chrome' installer: 'https://dl.google.com/edgedl/chrome/install/GoogleChromeStandaloneEnterprise.msi' install_flags: '/qn /norestart' uninstaller: 'https://dl.google.com/edgedl/chrome/install/GoogleChromeStandaloneEnterprise.msi' uninstall_flags: '/qn /norestart' msiexec: True locale: en_US reboot: False Available parameters are as follows: param str full_name The Full Name for the software as shown in "Programs and Features" in the control panel. You can also get this information by installing the package manually and then running pkg.list_pkgs. Here's an example of the output from pkg.list_pkgs: salt 'test-2008' pkg.list_pkgs test-2008 ---------- 7-Zip 9.20 (x64 edition): 9.20.00.0 Microsoft .NET Framework 4 Client Profile: 4.0.30319,4.0.30319 Microsoft .NET Framework 4 Extended: 4.0.30319,4.0.30319 Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022: 9.0.21022 Mozilla Firefox 17.0.1 (x86 en-US): 17.0.1 Mozilla Maintenance Service: 17.0.1 NSClient++ (x64): 0.3.8.76 Notepad++: 6.4.2 Salt Minion 0.16.0: 0.16.0 Notice the Full Name for Firefox: Mozilla Firefox 17.0.0 (x86 en-US). That's exactly what's in the full_name parameter in the software definition file. If any of the software insalled on the machine matches one of the software definition files in the repository the full_name will be automatically renamed to the package name. The example below shows the pkg.list_pkgs for a machine that already has Mozilla Firefox 17.0.1 installed. test-2008: ---------- 7zip: 9.20.00.0 Microsoft .NET Framework 4 Client Profile: 4.0.30319,4.0.30319 Microsoft .NET Framework 4 Extended: 4.0.30319,4.0.30319 Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022: 9.0.21022 Mozilla Maintenance Service: 17.0.1 Notepad++: 6.4.2 Salt Minion 0.16.0: 0.16.0 firefox: 17.0.1 nsclient: 0.3.9.328 IMPORTANT: The version number and full_name need to match the output from pkg.list_pkgs so that the status can be verified when running highstate. NOTE: It is still possible to successfully install packages using pkg.install even if they don't match. This can make troubleshooting difficult so be careful. param str installer The path to the .exe or .msi to use to install the package. This can be a path or a URL. If it is a URL or a salt path (salt://), the package will be cached locally and then executed. If it is a path to a file on disk or a file share, it will be executed directly. param str install_flags Any flags that need to be passed to the installer to make it perform a silent install. These can often be found by adding /? or /h when running the installer from the command-line. A great resource for finding these silent install flags can be found on the WPKG project's wiki: Salt will not return if the installer is waiting for user input so these are important. param str uninstaller The path to the program used to uninstall this software. This can be the path to the same exe or msi used to install the software. It can also be a GUID. You can find this value in the registry under the following keys: • Software\Microsoft\Windows\CurrentVersion\Uninstall • Software\Wow6432None\Microsoft\Windows\CurrentVersion\Uninstall param str uninstall_flags Any flags that need to be passed to the uninstaller to make it perform a silent uninstall. These can often be found by adding /? or /h when running the uninstaller from the command-line. A great resource for finding these silent install flags can be found on the WPKG project's wiki: Salt will not return if the uninstaller is waiting for user input so these are important. Here are some examples of installer and uninstaller settings: 7zip: '9.20.00.0': installer: salt://win/repo/7zip/7z920-x64.msi full_name: 7-Zip 9.20 (x64 edition) reboot: False install_flags: '/qn /norestart' msiexec: True uninstaller: '{23170F69-40C1-2702-0920-000001000000}' uninstall_flags: '/qn /norestart' Alternatively the uninstaller can also simply repeat the URL of the msi file. 7zip: '9.20.00.0': installer: salt://win/repo/7zip/7z920-x64.msi full_name: 7-Zip 9.20 (x64 edition) reboot: False install_flags: '/qn /norestart' msiexec: True uninstaller: salt://win/repo/7zip/7z920-x64.msi uninstall_flags: '/qn /norestart' param bool msiexec This tells salt to use msiexec /i to install the package and msiexec /x to uninstall. This is for .msi installations. param bool allusers This parameter is specific to .msi installations. It tells msiexec to install the software for all users. The default is True. param bool cache_dir If true, the entire directory where the installer resides will be recursively cached. This is useful for installers that depend on other files in the same directory for installation. NOTE: Only applies to salt: installer URLs. Here's an example for a software package that has dependent files: sqlexpress: '12.0.2000.8': installer: 'salt://win/repo/sqlexpress/setup.exe' full_name: Microsoft SQL Server 2014 Setup (English) reboot: False install_flags: '/ACTION=install /IACCEPTSQLSERVERLICENSETERMS /Q' cache_dir: True param bool use_scheduler If true, windows will use the task scheduler to run the installation. This is useful for running the salt installation itself as the installation process kills any currently running instances of salt. param bool reboot Not implemented param str local Not implemented Examples can be found at https://github.com/saltstack/salt-winrepo-ng Managing Windows Software on a Standalone Windows Minion The Windows Package Repository functions similar in a standalone environment, with a few differences in the configuration. To replace the winrepo runner that is used on the Salt master, an execution module exists to provide the same functionality to standalone minions. The functions are named the same as the ones in the runner, and are used in the same way; the only difference is that salt-call is used instead of salt-run: salt-call winrepo.update_git_repos salt-call winrepo.genrepo salt-call pkg.refresh_db After executing the previous commands the repository on the standalone system is ready to use. Custom Location for Repository SLS Files If file_roots has not been modified in the minion configuration, then no additional configuration needs to be added to the minion configuration. The winrepo.genrepo function from the winrepo execution module will by default look for the filename specified by winrepo_cachefile within C:\salt\srv\salt\win\repo. If the file_roots parameter has been modified, then winrepo_dir must be modified to fall within that path, at the proper relative path. For example, if the base environment in file_roots points to D:\foo, and winrepo_source_dir is salt://win/repo, then winrepo_dir must be set to D:\foo\win\repo to ensure that winrepo.genrepo puts the cachefile into right location. Config Options for Minions 2015.8.0 and Later The winrepo_source_dir config parameter (default: salt://win/repo) controls where pkg.refresh_db looks for the cachefile (default: winrepo.p). This means that the default location for the winrepo cachefile would be salt://win/repo/winrepo.p. Both winrepo_source_dir and winrepo_cachefile can be adjusted to match the actual location of this file on the Salt fileserver. Config Options for Minions Before 2015.8.0 If connected to a master, the minion will by default look for the winrepo cachefile (the file generated by the winrepo.genrepo runner) at salt://win/repo/winrepo.p. If the cachefile is in a different path on the salt fileserver, then win_repo_cachefile will need to be updated to reflect the proper location. Changes in Version 2015.8.0 Git repository management for the Windows Software Repository has changed in version 2015.8.0, and several master/minion config parameters have been renamed to make their naming more consistent with each other. For a list of the winrepo config options, see here for master config options, and here for configuration options for masterless Windows minions. On the master, the winrepo.update_git_repos runner has been updated to use either pygit2 or GitPython to checkout the git repositories containing repo data. If pygit2 or GitPython is installed, existing winrepo git checkouts should be removed after upgrading to 2015.8.0, to allow them to be checked out again by running winrepo.update_git_repos. If neither GitPython nor pygit2 are installed, then Salt will fall back to the pre-existing behavior for winrepo.update_git_repos, and a warning will be logged in the master log. NOTE: Standalone Windows minions do not support the new GitPython/pygit2 functionality, and will instead use the git.latest state to keep repositories up-to-date. More information on how to use the Windows Software Repo on a standalone minion can be found here. Config Parameters Renamed Many of the legacy winrepo configuration parameters have changed in version 2015.8.0 to make the naming more consistent. The old parameter names will still work, but a warning will be logged indicating that the old name is deprecated. Below are the parameters which have changed for version 2015.8.0: Master Config ┌─────────────────────────┬───────────────────┐ │Old Name │ New Name │ ├─────────────────────────┼───────────────────┤ │win_repo │ winrepo_dir │ ├─────────────────────────┼───────────────────┤ │win_repo_mastercachefile │ winrepo_cachefile │ ├─────────────────────────┼───────────────────┤ │win_gitrepos │ winrepo_remotes │ └─────────────────────────┴───────────────────┘ NOTE: winrepo_cachefile is no longer used by 2015.8.0 and later minions, and the winrepo_dir setting is replaced by winrepo_dir_ng for 2015.8.0 and later minions. See here for detailed information on all master config options for the Windows Repo. Minion Config ┌───────────────────┬───────────────────┐ │Old Name │ New Name │ ├───────────────────┼───────────────────┤ │win_repo │ winrepo_dir │ ├───────────────────┼───────────────────┤ │win_repo_cachefile │ winrepo_cachefile │ ├───────────────────┼───────────────────┤ │win_gitrepos │ winrepo_remotes │ └───────────────────┴───────────────────┘ See here for detailed information on all minion config options for the Windows Repo. pygit2/GitPython Support for Maintaining Git Repos The winrepo.update_git_repos runner (and the corresponding remote execution function for standalone minions) now makes use of the same underlying code used by the Git Fileserver Backend and Git External Pillar to maintain and update its local clones of git repositories. If a compatible version of either pygit2 (0.20.3 and later) or GitPython (0.3.0 or later) is installed, then Salt will use it instead of the old method (which invokes the git.latest state). NOTE: If compatible versions of both pygit2 and GitPython are installed, then Salt will prefer pygit2, to override this behavior use the winrepo_provider configuration parameter: winrepo_provider: gitpython The winrepo execution module (discussed above in the Managing Windows Software on a Standalone Windows Minion section) does not yet officially support the new pygit2/‐ GitPython functionality, but if either pygit2 or GitPython is installed into Salt's bundled Python then it should work. However, it should be considered experimental at this time. To minimize potential issues, it is a good idea to remove any winrepo git repositories that were checked out by the old (pre-2015.8.0) winrepo code when upgrading the master to 2015.8.0 or later, and run winrepo.update_git_repos to clone them anew after the master is started. Additional added features include the ability to access authenticated git repositories (NOTE: pygit2 only), and to set per-remote config settings. An example of this would be the following: winrepo_remotes: - https://github.com/saltstack/salt-winrepo.git - git@github.com:myuser/myrepo.git: - pubkey: /path/to/key.pub - privkey: /path/to/key - passphrase: myaw3s0m3pa$$phr4$3 - https://github.com/myuser/privaterepo.git: - user: mygithubuser - password: CorrectHorseBatteryStaple NOTE: Per-remote configuration settings work in the same fashion as they do in gitfs, with global parameters being overridden by their per-remote counterparts (for instance, setting winrepo_passphrase would set a global passphrase for winrepo that would apply to all SSH-based remotes, unless overridden by a passphrase per-remote parameter). See here for more a more in-depth explanation of how per-remote configuration works in gitfs, the same principles apply to winrepo. There are a couple other changes in how Salt manages git repos using pygit2/GitPython. First of all, a clean argument has been added to the winrepo.update_git_repos runner, which (if set to True) will tell the runner to dispose of directories under the winrepo_dir which are not explicitly configured. This prevents the need to manually remove these directories when a repo is removed from the config file. To clean these old directories, just pass clean=True, like so: salt-run winrepo.update_git_repos clean=True However, if a mix of git and non-git Windows Repo definition files are being used, then this should not be used, as it will remove the directories containing non-git definitions. The other major change is that collisions between repo names are now detected, and the winrepo.update_git_repos runner will not proceed if any are detected. Consider the following configuration: winrepo_remotes: - https://foo.com/bar/baz.git - https://mydomain.tld/baz.git - https://github.com/foobar/baz The winrepo.update_git_repos runner will refuse to update repos here, as all three of these repos would be checked out to the same directory. To work around this, a per-remote parameter called name can be used to resolve these conflicts: winrepo_remotes: - https://foo.com/bar/baz.git - https://mydomain.tld/baz.git: - name: baz_junior - https://github.com/foobar/baz: - name: baz_the_third Troubleshooting Incorrect name/version If the package seems to install properly, but salt reports a failure then it is likely you have a version or full_name mismatch. Check the exact full_name and version used by the package. Use pkg.list_pkgs to check that the names and version exactly match what is installed. Changes to sls files not being picked up Ensure you have (re)generated the repository cache file (for older minions) and then updated the repository cache on the relevant minions: salt-run winrepo.genrepo salt winminion pkg.refresh_db Packages management under Windows 2003 On Windows server 2003, you need to install optional Windows component "wmi windows installer provider" to have full list of installed packages. If you don't have this, salt-minion can't report some installed software. How Success and Failure are Reported The install state/module function of the Windows package manager works roughly as follows: 1. Execute pkg.list_pkgs and store the result 2. Check if any action needs to be taken. (i.e. compare required package and version against pkg.list_pkgs results) 3. If so, run the installer command. 4. Execute pkg.list_pkgs and compare to the result stored from before installation. 5. Success/Failure/Changes will be reported based on the differences between the original and final pkg.list_pkgs results. If there are any problems in using the package manager it is likely due to the data in your sls files not matching the difference between the pre and post pkg.list_pkgs results.
WINDOWS-SPECIFIC BEHAVIOUR
Salt is capable of managing Windows systems, however due to various differences between the operating systems, there are some things you need to keep in mind. This document will contain any quirks that apply across Salt or generally across multiple module functions. Any Windows-specific behavior for particular module functions will be documented in the module function documentation. Therefore this document should be read in conjunction with the module function documentation. Group parameter for files Salt was originally written for managing Unix-based systems, and therefore the file module functions were designed around that security model. Rather than trying to shoehorn that model on to Windows, Salt ignores these parameters and makes non-applicable module functions unavailable instead. One of the commonly ignored parameters is the group parameter for managing files. Under Windows, while files do have a 'primary group' property, this is rarely used. It generally has no bearing on permissions unless intentionally configured and is most commonly used to provide Unix compatibility (e.g. Services For Unix, NFS services). Because of this, any file module functions that typically require a group, do not under Windows. Attempts to directly use file module functions that operate on the group (e.g. file.chgrp) will return a pseudo-value and cause a log message to appear. No group parameters will be acted on. If you do want to access and change the 'primary group' property and understand the implications, use the file.get_pgid or file.get_pgroup functions or the pgroup parameter on the file.chown module function. Dealing with case-insensitive but case-preserving names Windows is case-insensitive, but however preserves the case of names and it is this preserved form that is returned from system functions. This causes some issues with Salt because it assumes case-sensitive names. These issues generally occur in the state functions and can cause bizarre looking errors. To avoid such issues, always pretend Windows is case-sensitive and use the right case for names, e.g. specify user=Administrator instead of user=administrator. Follow issue 11801 for any changes to this behavior. Dealing with various username forms Salt does not understand the various forms that Windows usernames can come in, e.g. username, mydomain\username, username@mydomain.tld can all refer to the same user. In fact, Salt generally only considers the raw username value, i.e. the username without the domain or host information. Using these alternative forms will likely confuse Salt and cause odd errors to happen. Use only the raw username value in the correct case to avoid problems. Follow issue 11801 for any changes to this behavior. Specifying the None group Each Windows system has built-in _None_ group. This is the default 'primary group' for files for users not on a domain environment. Unfortunately, the word _None_ has special meaning in Python - it is a special value indicating 'nothing', similar to null or nil in other languages. To specify the None group, it must be specified in quotes, e.g. ./salt '*' file.chpgrp C:\path\to\file "'None'". Symbolic link loops Under Windows, if any symbolic link loops are detected or if there are too many levels of symlinks (defaults to 64), an error is always raised. For some functions, this behavior is different to the behavior on Unix platforms. In general, avoid symlink loops on either platform. Modifying security properties (ACLs) on files There is no support in Salt for modifying ACLs, and therefore no support for changing file permissions, besides modifying the owner/user.
SALT CLOUD
Configuration Salt Cloud provides a powerful interface to interact with cloud hosts. This interface is tightly integrated with Salt, and new virtual machines are automatically connected to your Salt master after creation. Since Salt Cloud is designed to be an automated system, most configuration is done using the following YAML configuration files: • /etc/salt/cloud: The main configuration file, contains global settings that apply to all cloud hosts. See Salt Cloud Configuration. • /etc/salt/cloud.providers.d/*.conf: Contains settings that configure a specific cloud host, such as credentials, region settings, and so on. Since configuration varies significantly between each cloud host, a separate file should be created for each cloud host. In Salt Cloud, a provider is synonymous with a cloud host (Amazon EC2, Google Compute Engine, Rackspace, and so on). See Provider Specifics. • /etc/salt/cloud.profiles.d/*.conf: Contains settings that define a specific VM type. A profile defines the systems specs and image, and any other settings that are specific to this VM type. Each specific VM type is called a profile, and multiple profiles can be defined in a profile file. Each profile references a parent provider that defines the cloud host in which the VM is created (the provider settings are in the provider configuration explained above). Based on your needs, you might define different profiles for web servers, database servers, and so on. See VM Profiles. Configuration Inheritance Configuration settings are inherited in order from the cloud config => providers => profile. [image] For example, if you wanted to use the same image for all virtual machines for a specific provider, the image name could be placed in the provider file. This value is inherited by all profiles that use that provider, but is overridden if a image name is defined in the profile. Most configuration settings can be defined in any file, the main difference being how that setting is inherited. QuickStart The Salt Cloud Quickstart walks you through defining a provider, a VM profile, and shows you how to create virtual machines using Salt Cloud. Using Salt Cloud salt-cloud Provision virtual machines in the cloud with Salt Synopsis salt-cloud -m /etc/salt/cloud.map salt-cloud -m /etc/salt/cloud.map NAME salt-cloud -m /etc/salt/cloud.map NAME1 NAME2 salt-cloud -p PROFILE NAME salt-cloud -p PROFILE NAME1 NAME2 NAME3 NAME4 NAME5 NAME6 Description Salt Cloud is the system used to provision virtual machines on various public clouds via a cleanly controlled profile and mapping system. Options --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. Execution Options -L LOCATION, --location=LOCATION Specify which region to connect to. -a ACTION, --action=ACTION Perform an action that may be specific to this cloud provider. This argument requires one or more instance names to be specified. -f <FUNC-NAME> <PROVIDER>, --function=<FUNC-NAME> <PROVIDER> Perform an function that may be specific to this cloud provider, that does not apply to an instance. This argument requires a provider to be specified (i.e.: nova). -p PROFILE, --profile=PROFILE Select a single profile to build the named cloud VMs from. The profile must be defined in the specified profiles file. -m MAP, --map=MAP Specify a map file to use. If used without any other options, this option will ensure that all of the mapped VMs are created. If the named VM already exists then it will be skipped. -H, --hard When specifying a map file, the default behavior is to ensure that all of the VMs specified in the map file are created. If the --hard option is set, then any VMs that exist on configured cloud providers that are not specified in the map file will be destroyed. Be advised that this can be a destructive operation and should be used with care. -d, --destroy Pass in the name(s) of VMs to destroy, salt-cloud will search the configured cloud providers for the specified names and destroy the VMs. Be advised that this is a destructive operation and should be used with care. Can be used in conjunction with the -m option to specify a map of VMs to be deleted. -P, --parallel Normally when building many cloud VMs they are executed serially. The -P option will run each cloud vm build in a separate process allowing for large groups of VMs to be build at once. Be advised that some cloud provider's systems don't seem to be well suited for this influx of vm creation. When creating large groups of VMs watch the cloud provider carefully. -u, --update-bootstrap Update salt-bootstrap to the latest develop version on GitHub. -y, --assume-yes Default yes in answer to all confirmation questions. -k, --keep-tmp Do not remove files from /tmp/ after deploy.sh finishes. --show-deploy-args Include the options used to deploy the minion in the data returned. --script-args=SCRIPT_ARGS Script arguments to be fed to the bootstrap script when deploying the VM. Query Options -Q, --query Execute a query and return some information about the nodes running on configured cloud providers -F, --full-query Execute a query and print out all available information about all cloud VMs. Can be used in conjunction with -m to display only information about the specified map. -S, --select-query Execute a query and print out selected information about all cloud VMs. Can be used in conjunction with -m to display only information about the specified map. --list-providers Display a list of configured providers. --list-profiles New in version 2014.7.0. Display a list of configured profiles. Pass in a cloud provider to view the provider's associated profiles, such as digital_ocean, or pass in all to list all the configured profiles. Cloud Providers Listings --list-locations=LIST_LOCATIONS Display a list of locations available in configured cloud providers. Pass the cloud provider that available locations are desired on, aka "linode", or pass "all" to list locations for all configured cloud providers --list-images=LIST_IMAGES Display a list of images available in configured cloud providers. Pass the cloud provider that available images are desired on, aka "linode", or pass "all" to list images for all configured cloud providers --list-sizes=LIST_SIZES Display a list of sizes available in configured cloud providers. Pass the cloud provider that available sizes are desired on, aka "AWS", or pass "all" to list sizes for all configured cloud providers Cloud Credentials --set-password=<USERNAME> <PROVIDER> Configure password for a cloud provider and save it to the keyring. PROVIDER can be specified with or without a driver, for example: "--set-password bob rackspace" or more specific "--set-password bob rackspace:openstack" DEPRECATED! Output Options --out Pass in an alternative outputter to display the return of data. This outputter can be any of the available outputters: grains, highstate, json, key, overstatestage, pprint, raw, txt, yaml Some outputters are formatted only for data returned from specific functions; for instance, the grains outputter will not work for non-grains data. If an outputter is used that does not support the data passed into it, then Salt will fall back on the pprint outputter and display the return data using the Python pprint standard library module. NOTE: If using --out=json, you will probably want --static as well. Without the static option, you will get a separate JSON string per minion which makes JSON output invalid as a whole. This is due to using an iterative outputter. So if you want to feed it to a JSON parser, use --static as well. --out-indent OUTPUT_INDENT, --output-indent OUTPUT_INDENT Print the output indented by the provided value in spaces. Negative values disable indentation. Only applicable in outputters that support indentation. --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE Write the output to the specified file. --no-color Disable all colored output --force-color Force colored output NOTE: When using colored output the color codes are as follows: green denotes success, red denotes failure, blue denotes changes and success and yellow denotes a expected future change in configuration. Examples To create 4 VMs named web1, web2, db1, and db2 from specified profiles: salt-cloud -p fedora_rackspace web1 web2 db1 db2 To read in a map file and create all VMs specified therein: salt-cloud -m /path/to/cloud.map To read in a map file and create all VMs specified therein in parallel: salt-cloud -m /path/to/cloud.map -P To delete any VMs specified in the map file: salt-cloud -m /path/to/cloud.map -d To delete any VMs NOT specified in the map file: salt-cloud -m /path/to/cloud.map -H To display the status of all VMs specified in the map file: salt-cloud -m /path/to/cloud.map -Q See also salt-cloud(7) salt(7) salt-master(1) salt-minion(1) Salt Cloud basic usage Salt Cloud needs, at least, one configured Provider and Profile to be functional. Creating a VM To create a VM with salt cloud, use command: salt-cloud -p <profile> name_of_vm Assuming there is a profile configured as following: fedora_rackspace: provider: my-rackspace-config image: Fedora 17 size: 256 server script: bootstrap-salt Then, the command to create new VM named fedora_http_01 is: salt-cloud -p fedora_rackspace fedora_http_01 Destroying a VM To destroy a created-by-salt-cloud VM, use command: salt-cloud -d name_of_vm For example, to delete the VM created on above example, use: salt-cloud -d fedora_http_01 VM Profiles Salt cloud designates virtual machines inside the profile configuration file. The profile configuration file defaults to /etc/salt/cloud.profiles and is a yaml configuration. The syntax for declaring profiles is simple: fedora_rackspace: provider: my-rackspace-config image: Fedora 17 size: 256 server script: bootstrap-salt It should be noted that the script option defaults to bootstrap-salt, and does not normally need to be specified. Further examples in this document will not show the script option. A few key pieces of information need to be declared and can change based on the cloud provider. A number of additional parameters can also be inserted: centos_rackspace: provider: my-rackspace-config image: CentOS 6.2 size: 1024 server minion: master: salt.example.com append_domain: webs.example.com grains: role: webserver The image must be selected from available images. Similarly, sizes must be selected from the list of sizes. To get a list of available images and sizes use the following command: salt-cloud --list-images openstack salt-cloud --list-sizes openstack Some parameters can be specified in the main Salt cloud configuration file and then are applied to all cloud profiles. For instance if only a single cloud provider is being used then the provider option can be declared in the Salt cloud configuration file. Multiple Configuration Files In addition to /etc/salt/cloud.profiles, profiles can also be specified in any file matching cloud.profiles.d/*conf which is a sub-directory relative to the profiles configuration file(with the above configuration file as an example, /etc/salt/cloud.profiles.d/*.conf). This allows for more extensible configuration, and plays nicely with various configuration management tools as well as version control systems. Larger Example rhel_ec2: provider: my-ec2-config image: ami-e565ba8c size: t1.micro minion: cheese: edam ubuntu_ec2: provider: my-ec2-config image: ami-7e2da54e size: t1.micro minion: cheese: edam ubuntu_rackspace: provider: my-rackspace-config image: Ubuntu 12.04 LTS size: 256 server minion: cheese: edam fedora_rackspace: provider: my-rackspace-config image: Fedora 17 size: 256 server minion: cheese: edam cent_linode: provider: my-linode-config image: CentOS 6.2 64bit size: Linode 512 cent_gogrid: provider: my-gogrid-config image: 12834 size: 512MB cent_joyent: provider: my-joyent-config image: centos-6 size: Small 1GB Cloud Map File A number of options exist when creating virtual machines. They can be managed directly from profiles and the command line execution, or a more complex map file can be created. The map file allows for a number of virtual machines to be created and associated with specific profiles. Map files have a simple format, specify a profile and then a list of virtual machines to make from said profile: fedora_small: - web1 - web2 - web3 fedora_high: - redis1 - redis2 - redis3 cent_high: - riak1 - riak2 - riak3 This map file can then be called to roll out all of these virtual machines. Map files are called from the salt-cloud command with the -m option: $ salt-cloud -m /path/to/mapfile Remember, that as with direct profile provisioning the -P option can be passed to create the virtual machines in parallel: $ salt-cloud -m /path/to/mapfile -P NOTE: Due to limitations in the GoGrid API, instances cannot be provisioned in parallel with the GoGrid driver. Map files will work with GoGrid, but the -P argument should not be used on maps referencing GoGrid instances. A map file can also be enforced to represent the total state of a cloud deployment by using the --hard option. When using the hard option any vms that exist but are not specified in the map file will be destroyed: $ salt-cloud -m /path/to/mapfile -P -H Be careful with this argument, it is very dangerous! In fact, it is so dangerous that in order to use it, you must explicitly enable it in the main configuration file. enable_hard_maps: True A map file can include grains and minion configuration options: fedora_small: - web1: minion: log_level: debug grains: cheese: tasty omelet: du fromage - web2: minion: log_level: warn grains: cheese: more tasty omelet: with peppers A map file may also be used with the various query options: $ salt-cloud -m /path/to/mapfile -Q {'ec2': {'web1': {'id': 'i-e6aqfegb', 'image': None, 'private_ips': [], 'public_ips': [], 'size': None, 'state': 0}}, 'web2': {'Absent'}} ...or with the delete option: $ salt-cloud -m /path/to/mapfile -d The following virtual machines are set to be destroyed: web1 web2 Proceed? [N/y] WARNING: Specifying Nodes with Maps on the Command Line Specifying the name of a node or nodes with the maps options on the command line is not supported. This is especially important to remember when using --destroy with maps; salt-cloud will ignore any arguments passed in which are not directly relevant to the map file. When using ``--destroy`` with a map, every node in the map file will be deleted! Maps don't provide any useful information for destroying individual nodes, and should not be used to destroy a subset of a map. Setting up New Salt Masters Bootstrapping a new master in the map is as simple as: fedora_small: - web1: make_master: True - web2 - web3 Notice that ALL bootstrapped minions from the map will answer to the newly created salt-master. To make any of the bootstrapped minions answer to the bootstrapping salt-master as opposed to the newly created salt-master, as an example: fedora_small: - web1: make_master: True minion: master: <the local master ip address> local_master: True - web2 - web3 The above says the minion running on the newly created salt-master responds to the local master, ie, the master used to bootstrap these VMs. Another example: fedora_small: - web1: make_master: True - web2 - web3: minion: master: <the local master ip address> local_master: True The above example makes the web3 minion answer to the local master, not the newly created master. Cloud Actions Once a VM has been created, there are a number of actions that can be performed on it. The "reboot" action can be used across all providers, but all other actions are specific to the cloud provider. In order to perform an action, you may specify it from the command line, including the name(s) of the VM to perform the action on: $ salt-cloud -a reboot vm_name $ salt-cloud -a reboot vm1 vm2 vm2 Or you may specify a map which includes all VMs to perform the action on: $ salt-cloud -a reboot -m /path/to/mapfile The following is a list of actions currently supported by salt-cloud: all providers: - reboot ec2: - start - stop joyent: - stop linode: - start - stop Another useful reference for viewing more salt-cloud actions is the :ref:Salt Cloud Feature Matrix <salt-cloud-feature-matrix> Cloud Functions Cloud functions work much the same way as cloud actions, except that they don't perform an operation on a specific instance, and so do not need a machine name to be specified. However, since they perform an operation on a specific cloud provider, that provider must be specified. $ salt-cloud -f show_image ec2 image=ami-fd20ad94 There are three universal salt-cloud functions that are extremely useful for gathering information about instances on a provider basis: • list_nodes: Returns some general information about the instances for the given provider. • list_nodes_full: Returns all information about the instances for the given provider. • list_nodes_select: Returns select information about the instances for the given provider. $ salt-cloud -f list_nodes linode $ salt-cloud -f list_nodes_full linode $ salt-cloud -f list_nodes_select linode Another useful reference for viewing salt-cloud functions is the :ref:Salt Cloud Feature Matrix <salt-cloud-feature-matrix> Core Configuration Install Salt Cloud Salt Cloud is now part of Salt proper. It was merged in as of Salt version 2014.1.0. On Ubuntu, install Salt Cloud by using following command: sudo add-apt-repository ppa:saltstack/salt sudo apt-get update sudo apt-get install salt-cloud If using Salt Cloud on OS X, curl-ca-bundle must be installed. Presently, this package is not available via brew, but it is available using MacPorts: sudo port install curl-ca-bundle Salt Cloud depends on apache-libcloud. Libcloud can be installed via pip with pip install apache-libcloud. Installing Salt Cloud for development Installing Salt for development enables Salt Cloud development as well, just make sure apache-libcloud is installed as per above paragraph. See these instructions: Installing Salt for development. Core Configuration A number of core configuration options and some options that are global to the VM profiles can be set in the cloud configuration file. By default this file is located at /etc/salt/cloud. Thread Pool Size When salt cloud is operating in parallel mode via the -P argument, you can control the thread pool size by specifying the pool_size parameter with a positive integer value. By default, the thread pool size will be set to the number of VMs that salt cloud is operating on. pool_size: 10 Minion Configuration The default minion configuration is set up in this file. Minions created by salt-cloud derive their configuration from this file. Almost all parameters found in Configuring the Salt Minion can be used here. minion: master: saltmaster.example.com In particular, this is the location to specify the location of the salt master and its listening port, if the port is not set to the default. Similar to most other settings, Minion configuration settings are inherited across configuration files. For example, the master setting might be contained in the main cloud configuration file as demonstrated above, but additional settings can be placed in the provider or profile: ec2-web: size: t1.micro minion: environment: test startup_states: sls sls_list: - web Cloud Configuration Syntax The data specific to interacting with public clouds is set up here. Cloud provider configuration settings can live in several places. The first is in /etc/salt/cloud: # /etc/salt/cloud providers: my-aws-migrated-config: id: HJGRYCILJLKJYG key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn' keyname: test securitygroup: quick-start private_key: /root/test.pem driver: ec2 Cloud provider configuration data can also be housed in /etc/salt/cloud.providers or any file matching /etc/salt/cloud.providers.d/*.conf. All files in any of these locations will be parsed for cloud provider data. Using the example configuration above: # /etc/salt/cloud.providers # or could be /etc/salt/cloud.providers.d/*.conf my-aws-config: id: HJGRYCILJLKJYG key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn' keyname: test securitygroup: quick-start private_key: /root/test.pem driver: ec2 NOTE: Salt Cloud provider configurations within /etc/cloud.provider.d/ should not specify the ``providers starting key. It is also possible to have multiple cloud configuration blocks within the same alias block. For example: production-config: - id: HJGRYCILJLKJYG key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn' keyname: test securitygroup: quick-start private_key: /root/test.pem driver: ec2 - user: example_user apikey: 123984bjjas87034 driver: rackspace However, using this configuration method requires a change with profile configuration blocks. The provider alias needs to have the provider key value appended as in the following example: rhel_aws_dev: provider: production-config:ec2 image: ami-e565ba8c size: t1.micro rhel_aws_prod: provider: production-config:ec2 image: ami-e565ba8c size: High-CPU Extra Large Instance database_prod: provider: production-config:rackspace image: Ubuntu 12.04 LTS size: 256 server Notice that because of the multiple entries, one has to be explicit about the provider alias and name, from the above example, production-config: ec2. This data interactions with the salt-cloud binary regarding its --list-location, --list-images, and --list-sizes which needs a cloud provider as an argument. The argument used should be the configured cloud provider alias. If the provider alias has multiple entries, <provider-alias>: <provider-name> should be used. To allow for a more extensible configuration, --providers-config, which defaults to /etc/salt/cloud.providers, was added to the cli parser. It allows for the providers' configuration to be added on a per-file basis. Pillar Configuration It is possible to configure cloud providers using pillars. This is only used when inside the cloud module. You can setup a variable called cloud that contains your profile and provider to pass that information to the cloud servers instead of having to copy the full configuration to every minion. In your pillar file, you would use something like this: cloud: ssh_key_name: saltstack ssh_key_file: /root/.ssh/id_rsa update_cachedir: True diff_cache_events: True change_password: True providers: my-nova: identity_url: https://identity.api.rackspacecloud.com/v2.0/ compute_region: IAD user: myuser api_key: apikey tenant: 123456 driver: nova my-openstack: identity_url: https://identity.api.rackspacecloud.com/v2.0/tokens user: user2 apikey: apikey2 tenant: 654321 compute_region: DFW driver: openstack compute_name: cloudServersOpenStack profiles: ubuntu-nova: provider: my-nova size: performance1-8 image: bb02b1a3-bc77-4d17-ab5b-421d89850fca script_args: git develop ubuntu-openstack: provider: my-openstack size: performance1-8 image: bb02b1a3-bc77-4d17-ab5b-421d89850fca script_args: git develop Cloud Configurations Scaleway To use Salt Cloud with Scaleway, you need to get an access key and an API token. API tokens are unique identifiers associated with your Scaleway account. To retrieve your access key and API token, log-in to the Scaleway control panel, open the pull-down menu on your account name and click on "My Credentials" link. If you do not have API token you can create one by clicking the "Create New Token" button on the right corner. my-scaleway-config: access_key: 15cf404d-4560-41b1-9a0c-21c3d5c4ff1f token: a7347ec8-5de1-4024-a5e3-24b77d1ba91d driver: scaleway NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be provider: my-scaleway-config. Rackspace Rackspace cloud requires two configuration options; a user and an apikey: my-rackspace-config: user: example_user apikey: 123984bjjas87034 driver: rackspace NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be provider: my-rackspace-config. Amazon AWS A number of configuration options are required for Amazon AWS including id, key, keyname, securitygroup, and private_key: my-aws-quick-start: id: HJGRYCILJLKJYG key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn' keyname: test securitygroup: quick-start private_key: /root/test.pem driver: ec2 my-aws-default: id: HJGRYCILJLKJYG key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn' keyname: test securitygroup: default private_key: /root/test.pem driver: ec2 NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be either provider: my-aws-quick-start or provider: my-aws-default. Linode Linode requires a single API key, but the default root password also needs to be set: my-linode-config: apikey: asldkgfakl;sdfjsjaslfjaklsdjf;askldjfaaklsjdfhasldsadfghdkf password: F00barbaz ssh_pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKHEOLLbeXgaqRQT9NBAopVz366SdYc0KKX33vAnq+2R user@host ssh_key_file: ~/.ssh/id_ed25519 driver: linode The password needs to be 8 characters and contain lowercase, uppercase, and numbers. NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be provider: my-linode-config Joyent Cloud The Joyent cloud requires three configuration parameters: The username and password that are used to log into the Joyent system, as well as the location of the private SSH key associated with the Joyent account. The SSH key is needed to send the provisioning commands up to the freshly created virtual machine. my-joyent-config: user: fred password: saltybacon private_key: /root/joyent.pem driver: joyent NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be provider: my-joyent-config GoGrid To use Salt Cloud with GoGrid, log into the GoGrid web interface and create an API key. Do this by clicking on "My Account" and then going to the API Keys tab. The apikey and the sharedsecret configuration parameters need to be set in the configuration file to enable interfacing with GoGrid: my-gogrid-config: apikey: asdff7896asdh789 sharedsecret: saltybacon driver: gogrid NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be provider: my-gogrid-config. OpenStack OpenStack configuration differs between providers, and at the moment several options need to be specified. This module has been officially tested against the HP and the Rackspace implementations, and some examples are provided for both. # For HP my-openstack-hp-config: identity_url: 'https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/' compute_name: Compute compute_region: 'az-1.region-a.geo-1' tenant: myuser-tenant1 user: myuser ssh_key_name: mykey ssh_key_file: '/etc/salt/hpcloud/mykey.pem' password: mypass driver: openstack # For Rackspace my-openstack-rackspace-config: identity_url: 'https://identity.api.rackspacecloud.com/v2.0/tokens' compute_name: cloudServersOpenStack protocol: ipv4 compute_region: DFW protocol: ipv4 user: myuser tenant: 5555555 password: mypass driver: openstack If you have an API key for your provider, it may be specified instead of a password: my-openstack-hp-config: apikey: 901d3f579h23c8v73q9 my-openstack-rackspace-config: apikey: 901d3f579h23c8v73q9 NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be either provider: my-openstack-hp-config or provider: my-openstack-rackspace-config. You will certainly need to configure the user, tenant, and either password or apikey. If your OpenStack instances only have private IP addresses and a CIDR range of private addresses are not reachable from the salt-master, you may set your preference to have Salt ignore it: my-openstack-config: ignore_cidr: 192.168.0.0/16 For in-house OpenStack Essex installation, libcloud needs the service_type : my-openstack-config: identity_url: 'http://control.openstack.example.org:5000/v2.0/' compute_name : Compute Service service_type : compute DigitalOcean Using Salt for DigitalOcean requires a client_key and an api_key. These can be found in the DigitalOcean web interface, in the "My Settings" section, under the API Access tab. my-digitalocean-config: driver: digital_ocean personal_access_token: xxx location: New York 1 NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be provider: my-digital-ocean-config. Parallels Using Salt with Parallels requires a user, password and URL. These can be obtained from your cloud provider. my-parallels-config: user: myuser password: xyzzy url: https://api.cloud.xmission.com:4465/paci/v1.0/ driver: parallels NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be provider: my-parallels-config. Proxmox Using Salt with Proxmox requires a user, password, and URL. These can be obtained from your cloud host. Both PAM and PVE users can be used. my-proxmox-config: driver: proxmox user: saltcloud@pve password: xyzzy url: your.proxmox.host NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be provider: my-proxmox-config. LXC The lxc driver uses saltify to install salt and attach the lxc container as a new lxc minion. As soon as we can, we manage baremetal operation over SSH. You can also destroy those containers via this driver. devhost10-lxc: target: devhost10 driver: lxc And in the map file: devhost10-lxc: provider: devhost10-lxc from_container: ubuntu backing: lvm sudo: True size: 3g ip: 10.0.3.9 minion: master: 10.5.0.1 master_port: 4506 lxc_conf: - lxc.utsname: superlxc NOTE: In the cloud profile that uses this provider configuration, the syntax for the provider required field would be provider: devhost10-lxc. Saltify The Saltify driver is a new, experimental driver designed to install Salt on a remote machine, virtual or bare metal, using SSH. This driver is useful for provisioning machines which are already installed, but not Salted. For more information about using this driver and for configuration examples, please see the Gettting Started with Saltify documentation. Extending Profiles and Cloud Providers Configuration As of 0.8.7, the option to extend both the profiles and cloud providers configuration and avoid duplication was added. The extends feature works on the current profiles configuration, but, regarding the cloud providers configuration, only works in the new syntax and respective configuration files, i.e. /etc/salt/salt/cloud.providers or /etc/salt/cloud.providers.d/*.conf. NOTE: Extending cloud profiles and providers is not recursive. For example, a profile that is extended by a second profile is possible, but the second profile cannot be extended by a third profile. Also, if a profile (or provider) is extending another profile and each contains a list of values, the lists from the extending profile will override the list from the original profile. The lists are not merged together. Extending Profiles Some example usage on how to use extends with profiles. Consider /etc/salt/salt/cloud.profiles containing: development-instances: provider: my-ec2-config size: t1.micro ssh_username: ec2_user securitygroup: - default deploy: False Amazon-Linux-AMI-2012.09-64bit: image: ami-54cf5c3d extends: development-instances Fedora-17: image: ami-08d97e61 extends: development-instances CentOS-5: provider: my-aws-config image: ami-09b61d60 extends: development-instances The above configuration, once parsed would generate the following profiles data: [{'deploy': False, 'image': 'ami-08d97e61', 'profile': 'Fedora-17', 'provider': 'my-ec2-config', 'securitygroup': ['default'], 'size': 't1.micro', 'ssh_username': 'ec2_user'}, {'deploy': False, 'image': 'ami-09b61d60', 'profile': 'CentOS-5', 'provider': 'my-aws-config', 'securitygroup': ['default'], 'size': 't1.micro', 'ssh_username': 'ec2_user'}, {'deploy': False, 'image': 'ami-54cf5c3d', 'profile': 'Amazon-Linux-AMI-2012.09-64bit', 'provider': 'my-ec2-config', 'securitygroup': ['default'], 'size': 't1.micro', 'ssh_username': 'ec2_user'}, {'deploy': False, 'profile': 'development-instances', 'provider': 'my-ec2-config', 'securitygroup': ['default'], 'size': 't1.micro', 'ssh_username': 'ec2_user'}] Pretty cool right? Extending Providers Some example usage on how to use extends within the cloud providers configuration. Consider /etc/salt/salt/cloud.providers containing: my-develop-envs: - id: HJGRYCILJLKJYG key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn' keyname: test securitygroup: quick-start private_key: /root/test.pem location: ap-southeast-1 availability_zone: ap-southeast-1b driver: ec2 - user: myuser@mycorp.com password: mypass ssh_key_name: mykey ssh_key_file: '/etc/salt/ibm/mykey.pem' location: Raleigh driver: ibmsce my-productions-envs: - extends: my-develop-envs:ibmsce user: my-production-user@mycorp.com location: us-east-1 availability_zone: us-east-1 The above configuration, once parsed would generate the following providers data: 'providers': { 'my-develop-envs': [ {'availability_zone': 'ap-southeast-1b', 'id': 'HJGRYCILJLKJYG', 'key': 'kdjgfsgm;woormgl/aserigjksjdhasdfgn', 'keyname': 'test', 'location': 'ap-southeast-1', 'private_key': '/root/test.pem', 'driver': 'aws', 'securitygroup': 'quick-start' }, {'location': 'Raleigh', 'password': 'mypass', 'driver': 'ibmsce', 'ssh_key_file': '/etc/salt/ibm/mykey.pem', 'ssh_key_name': 'mykey', 'user': 'myuser@mycorp.com' } ], 'my-productions-envs': [ {'availability_zone': 'us-east-1', 'location': 'us-east-1', 'password': 'mypass', 'driver': 'ibmsce', 'ssh_key_file': '/etc/salt/ibm/mykey.pem', 'ssh_key_name': 'mykey', 'user': 'my-production-user@mycorp.com' } ] } Windows Configuration Spinning up Windows Minions It is possible to use Salt Cloud to spin up Windows instances, and then install Salt on them. This functionality is available on all cloud providers that are supported by Salt Cloud. However, it may not necessarily be available on all Windows images. Requirements Salt Cloud makes use of impacket and winexe to set up the Windows Salt Minion installer. impacket is usually available as either the impacket or the python-impacket package, depending on the distribution. More information on impacket can be found at the project home: • impacket project home winexe is less commonly available in distribution-specific repositories. However, it is currently being built for various distributions in 3rd party channels: • RPMs at pbone.net • OpenSuse Build Service Optionally WinRM can be used instead of winexe if the python module pywinrm is available and WinRM is supported on the target Windows version. Information on pywinrm can be found at the project home: • pywinrm project home Additionally, a copy of the Salt Minion Windows installer must be present on the system on which Salt Cloud is running. This installer may be downloaded from saltstack.com: • SaltStack Download Area Firewall Settings Because Salt Cloud makes use of smbclient and winexe, port 445 must be open on the target image. This port is not generally open by default on a standard Windows distribution, and care must be taken to use an image in which this port is open, or the Windows firewall is disabled. If supported by the cloud provider, a PowerShell script may be used to open up this port automatically, using the cloud provider's userdata. The following script would open up port 445, and apply the changes: <powershell> New-NetFirewallRule -Name "SMB445" -DisplayName "SMB445" -Protocol TCP -LocalPort 445 Set-Item (dir wsman:\localhost\Listener\*\Port -Recurse).pspath 445 -Force Restart-Service winrm </powershell> For EC2, this script may be saved as a file, and specified in the provider or profile configuration as userdata_file. For instance: userdata_file: /etc/salt/windows-firewall.ps1 If you are using WinRM on EC2 the HTTPS port for the WinRM service must also be enabled in your userdata. By default EC2 Windows images only have insecure HTTP enabled. To enable HTTPS and basic authentication required by pywinrm consider the following userdata example: <powershell> New-NetFirewallRule -Name "SMB445" -DisplayName "SMB445" -Protocol TCP -LocalPort 445 New-NetFirewallRule -Name "WINRM5986" -DisplayName "WINRM5986" -Protocol TCP -LocalPort 5986 winrm quickconfig -q winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}' winrm set winrm/config '@{MaxTimeoutms="1800000"}' winrm set winrm/config/service/auth '@{Basic="true"}' $SourceStoreScope = 'LocalMachine' $SourceStorename = 'Remote Desktop' $SourceStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $SourceStorename, $SourceStoreScope $SourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly) $cert = $SourceStore.Certificates | Where-Object -FilterScript { $_.subject -like '*' } $DestStoreScope = 'LocalMachine' $DestStoreName = 'My' $DestStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $DestStoreName, $DestStoreScope $DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite) $DestStore.Add($cert) $SourceStore.Close() $DestStore.Close() winrm create winrm/config/listener?Address=*+Transport=HTTPS `@`{Hostname=`"($certId)`"`;CertificateThumbprint=`"($cert.Thumbprint)`"`} Restart-Service winrm </powershell> No certificate store is available by default on EC2 images and creating one does not seem possible without an MMC (cannot be automated). To use the default EC2 Windows images the above copies the RDP store. Configuration Configuration is set as usual, with some extra configuration settings. The location of the Windows installer on the machine that Salt Cloud is running on must be specified. This may be done in any of the regular configuration files (main, providers, profiles, maps). For example: Setting the installer in /etc/salt/cloud.providers: my-softlayer: driver: softlayer user: MYUSER1138 apikey: 'e3b68aa711e6deadc62d5b76355674beef7cc3116062ddbacafe5f7e465bfdc9' minion: master: saltmaster.example.com win_installer: /root/Salt-Minion-2014.7.0-AMD64-Setup.exe win_username: Administrator win_password: letmein smb_port: 445 The default Windows user is Administrator, and the default Windows password is blank. If WinRM is to be used use_winrm needs to be set to True. winrm_port can be used to specify a custom port (must be HTTPS listener). Auto-Generated Passwords on EC2 On EC2, when the win_password is set to auto, Salt Cloud will query EC2 for an auto-generated password. This password is expected to take at least 4 minutes to generate, adding additional time to the deploy process. When the EC2 API is queried for the auto-generated password, it will be returned in a message encrypted with the specified keyname. This requires that the appropriate private_key file is also specified. Such a profile configuration might look like: windows-server-2012: provider: my-ec2-config image: ami-c49c0dac size: m1.small securitygroup: windows keyname: mykey private_key: /root/mykey.pem userdata_file: /etc/salt/windows-firewall.ps1 win_installer: /root/Salt-Minion-2014.7.0-AMD64-Setup.exe win_username: Administrator win_password: auto Cloud Provider Specifics Getting Started With Aliyun ECS The Aliyun ECS (Elastic Computer Service) is one of the most popular public cloud hosts in China. This cloud host can be used to manage aliyun instance using salt-cloud. http://www.aliyun.com/ Dependencies This driver requires the Python requests library to be installed. Configuration Using Salt for Aliyun ECS requires aliyun access key id and key secret. These can be found in the aliyun web interface, in the "User Center" section, under "My Service" tab. # Note: This example is for /etc/salt/cloud.providers or any file in the # /etc/salt/cloud.providers.d/ directory. my-aliyun-config: # aliyun Access Key ID id: wDGEwGregedg3435gDgxd # aliyun Access Key Secret key: GDd45t43RDBTrkkkg43934t34qT43t4dgegerGEgg location: cn-qingdao driver: aliyun NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Profiles Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory: aliyun_centos: provider: my-aliyun-config size: ecs.t1.small location: cn-qingdao securitygroup: G1989096784427999 image: centos6u3_64_20G_aliaegis_20130816.vhd Sizes can be obtained using the --list-sizes option for the salt-cloud command: # salt-cloud --list-sizes my-aliyun-config my-aliyun-config: ---------- aliyun: ---------- ecs.c1.large: ---------- CpuCoreCount: 8 InstanceTypeId: ecs.c1.large MemorySize: 16.0 ...SNIP... Images can be obtained using the --list-images option for the salt-cloud command: # salt-cloud --list-images my-aliyun-config my-aliyun-config: ---------- aliyun: ---------- centos5u8_64_20G_aliaegis_20131231.vhd: ---------- Architecture: x86_64 Description: ImageId: centos5u8_64_20G_aliaegis_20131231.vhd ImageName: CentOS 5.8 64位 ImageOwnerAlias: system ImageVersion: 1.0 OSName: CentOS 5.8 64位 Platform: CENTOS5 Size: 20 Visibility: public ...SNIP... Locations can be obtained using the --list-locations option for the salt-cloud command: my-aliyun-config: ---------- aliyun: ---------- cn-beijing: ---------- LocalName: 北京 RegionId: cn-beijing cn-hangzhou: ---------- LocalName: 杭州 RegionId: cn-hangzhou cn-hongkong: ---------- LocalName: 香港 RegionId: cn-hongkong cn-qingdao: ---------- LocalName: 青岛 RegionId: cn-qingdao Security Group can be obtained using the -f list_securitygroup option for the salt-cloud command: # salt-cloud --location=cn-qingdao -f list_securitygroup my-aliyun-config my-aliyun-config: ---------- aliyun: ---------- G1989096784427999: ---------- Description: G1989096784427999 SecurityGroupId: G1989096784427999 NOTE: Aliyun ECS REST API documentation is available from Aliyun ECS API. Getting Started With Azure New in version 2014.1.0. Azure is a cloud service by Microsoft providing virtual machines, SQL services, media services, and more. This document describes how to use Salt Cloud to create a virtual machine on Azure, with Salt installed. More information about Azure is located at http://www.windowsazure.com/. Dependencies • The Azure Python SDK >= 0.10.2 and < 1.0.0 • The python-requests library, for Python < 2.7.9. • A Microsoft Azure account • OpenSSL (to generate the certificates) • Salt NOTE: The Azure driver is currently being updated to work with the new version of the Python Azure SDK, 1.0.0. However until that process is complete, this driver will not work with Azure 1.0.0. Please be sure you're running on a minimum version of 0.10.2 and less than version 1.0.0. See Issue #27980 for more information. Configuration Set up the provider config at /etc/salt/cloud.providers.d/azure.conf: # Note: This example is for /etc/salt/cloud.providers.d/azure.conf my-azure-config: driver: azure subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617 certificate_path: /etc/salt/azure.pem # Set up the location of the salt master # minion: master: saltmaster.example.com # Optional management_host: management.core.windows.net The certificate used must be generated by the user. OpenSSL can be used to create the management certificates. Two certificates are needed: a .cer file, which is uploaded to Azure, and a .pem file, which is stored locally. To create the .pem file, execute the following command: openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/salt/azure.pem -out /etc/salt/azure.pem To create the .cer file, execute the following command: openssl x509 -inform pem -in /etc/salt/azure.pem -outform der -out /etc/salt/azure.cer After creating these files, the .cer file will need to be uploaded to Azure via the "Upload a Management Certificate" action of the "Management Certificates" tab within the "Settings" section of the management portal. Optionally, a management_host may be configured, if necessary for the region. NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles: azure-ubuntu: provider: my-azure-config image: 'b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-12_04_3-LTS-amd64-server-20131003-en-us-30GB' size: Small location: 'East US' ssh_username: azureuser ssh_password: verybadpass slot: production media_link: 'http://portalvhdabcdefghijklmn.blob.core.windows.net/vhds' virtual_network_name: azure-virtual-network subnet_name: azure-subnet These options are described in more detail below. Once configured, the profile can be realized with a salt command: salt-cloud -p azure-ubuntu newinstance This will create an salt minion instance named newinstance in Azure. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt: salt newinstance test.ping Profile Options The following options are currently available for Azure. provider The name of the provider as configured in /etc/salt/cloud.providers.d/azure.conf. image The name of the image to use to create a VM. Available images can be viewed using the following command: salt-cloud --list-images my-azure-config size The name of the size to use to create a VM. Available sizes can be viewed using the following command: salt-cloud --list-sizes my-azure-config location The name of the location to create a VM in. Available locations can be viewed using the following command: salt-cloud --list-locations my-azure-config affinity_group The name of the affinity group to create a VM in. Either a location or an affinity_group may be specified, but not both. See Affinity Groups below. ssh_username The user to use to log into the newly-created VM to install Salt. ssh_password The password to use to log into the newly-created VM to install Salt. slot The environment to which the hosted service is deployed. Valid values are staging or production. When set to production, the resulting URL of the new VM will be <vm_name>.cloudapp.net. When set to staging, the resulting URL will contain a generated hash instead. media_link This is the URL of the container that will store the disk that this VM uses. Currently, this container must already exist. If a VM has previously been created in the associated account, a container should already exist. In the web interface, go into the Storage area and click one of the available storage selections. Click the Containers link, and then copy the URL from the container that will be used. It generally looks like: http://portalvhdabcdefghijklmn.blob.core.windows.net/vhds service_name The name of the service in which to create the VM. If this is not specified, then a service will be created with the same name as the VM. virtual_network_name Optional. The name of the virtual network for the VM to join. If this is not specified, then no virtual network will be joined. subnet_name Optional. The name of the subnet in the virtual network for the VM to join. Requires that a virtual_network_name is specified. Show Instance This action is a thin wrapper around --full-query, which displays details on a single instance only. In an environment with several machines, this will save a user from having to sort through all instance data, just to examine a single instance. salt-cloud -a show_instance myinstance Destroying VMs There are certain options which can be specified in the global cloud configuration file (usually /etc/salt/cloud) which affect Salt Cloud's behavior when a VM is destroyed. cleanup_disks New in version 2015.8.0. Default is False. When set to True, Salt Cloud will wait for the VM to be destroyed, then attempt to destroy the main disk that is associated with the VM. cleanup_vhds New in version 2015.8.0. Default is False. Requires cleanup_disks to be set to True. When also set to True, Salt Cloud will ask Azure to delete the VHD associated with the disk that is also destroyed. cleanup_services New in version 2015.8.0. Default is False. Requires cleanup_disks to be set to True. When also set to True, Salt Cloud will wait for the disk to be destroyed, then attempt to remove the service that is associated with the VM. Because the disk belongs to the service, the disk must be destroyed before the service can be. Managing Hosted Services New in version 2015.8.0. An account can have one or more hosted services. A hosted service is required in order to create a VM. However, as mentioned above, if a hosted service is not specified when a VM is created, then one will automatically be created with the name of the name. The following functions are also available. create_service Create a hosted service. The following options are available. name Required. The name of the hosted service to create. label Required. A label to apply to the hosted service. description Optional. A longer description of the hosted service. location Required, if affinity_group is not set. The location in which to create the hosted service. Either the location or the affinity_group must be set, but not both. affinity_group Required, if location is not set. The affinity group in which to create the hosted service. Either the location or the affinity_group must be set, but not both. extended_properties Optional. Dictionary containing name/value pairs of hosted service properties. You can have a maximum of 50 extended property name/value pairs. The maximum length of the Name element is 64 characters, only alphanumeric characters and underscores are valid in the Name, and the name must start with a letter. The value has a maximum length of 255 characters. CLI Example The following example illustrates creating a hosted service. salt-cloud -f create_service my-azure name=my-service label=my-service location='West US' show_service Return details about a specific hosted service. Can also be called with get_service. salt-cloud -f show_storage my-azure name=my-service list_services List all hosted services associates with the subscription. salt-cloud -f list_services my-azure-config delete_service Delete a specific hosted service. salt-cloud -f delete_service my-azure name=my-service Managing Storage Accounts New in version 2015.8.0. Salt Cloud can manage storage accounts associated with the account. The following functions are available. Deprecated marked as deprecated are marked as such as per the SDK documentation, but are still included for completeness with the SDK. create_storage Create a storage account. The following options are supported. name Required. The name of the storage account to create. label Required. A label to apply to the storage account. description Optional. A longer description of the storage account. location Required, if affinity_group is not set. The location in which to create the storage account. Either the location or the affinity_group must be set, but not both. affinity_group Required, if location is not set. The affinity group in which to create the storage account. Either the location or the affinity_group must be set, but not both. extended_properties Optional. Dictionary containing name/value pairs of storage account properties. You can have a maximum of 50 extended property name/value pairs. The maximum length of the Name element is 64 characters, only alphanumeric characters and underscores are valid in the Name, and the name must start with a letter. The value has a maximum length of 255 characters. geo_replication_enabled Deprecated. Replaced by the account_type parameter. account_type Specifies whether the account supports locally-redundant storage, geo-redundant storage, zone-redundant storage, or read access geo-redundant storage. Possible values are: • Standard_LRS • Standard_ZRS • Standard_GRS • Standard_RAGRS CLI Example The following example illustrates creating a storage account. salt-cloud -f create_storage my-azure name=my-storage label=my-storage location='West US' list_storage List all storage accounts associates with the subscription. salt-cloud -f list_storage my-azure-config show_storage Return details about a specific storage account. Can also be called with get_storage. salt-cloud -f show_storage my-azure name=my-storage update_storage Update details concerning a storage account. Any of the options available in create_storage can be used, but the name cannot be changed. salt-cloud -f update_storage my-azure name=my-storage label=my-storage delete_storage Delete a specific storage account. salt-cloud -f delete_storage my-azure name=my-storage show_storage_keys Returns the primary and secondary access keys for the specified storage account. salt-cloud -f show_storage_keys my-azure name=my-storage regenerate_storage_keys Regenerate storage account keys. Requires a key_type ("primary" or "secondary") to be specified. salt-cloud -f regenerate_storage_keys my-azure name=my-storage key_type=primary Managing Disks New in version 2015.8.0. When a VM is created, a disk will also be created for it. The following functions are available for managing disks. Deprecated marked as deprecated are marked as such as per the SDK documentation, but are still included for completeness with the SDK. show_disk Return details about a specific disk. Can also be called with get_disk. salt-cloud -f show_disk my-azure name=my-disk list_disks List all disks associates with the account. salt-cloud -f list_disks my-azure update_disk Update details for a disk. The following options are available. name Required. The name of the disk to update. has_operating_system Deprecated. label Required. The label for the disk. media_link Deprecated. The location of the disk in the account, including the storage container that it is in. This should not need to be changed. new_name Deprecated. If renaming the disk, the new name. os Deprecated. CLI Example The following example illustrates updating a disk. salt-cloud -f update_disk my-azure name=my-disk label=my-disk delete_disk Delete a specific disk. salt-cloud -f delete_disk my-azure name=my-disk Managing Service Certificates New in version 2015.8.0. Stored at the cloud service level, these certificates are used by your deployed services. For more information on service certificates, see the following link: • Manage Certificates The following functions are available. list_service_certificates List service certificates associated with the account. salt-cloud -f list_service_certificates my-azure show_service_certificate Show the data for a specific service certificate associated with the account. The name, thumbprint, and thumbalgorithm can be obtained from list_service_certificates. Can also be called with get_service_certificate. salt-cloud -f show_service_certificate my-azure name=my_service_certificate \ thumbalgorithm=sha1 thumbprint=0123456789ABCDEF add_service_certificate Add a service certificate to the account. This requires that a certificate already exists, which is then added to the account. For more information on creating the certificate itself, see: • Create a Service Certificate for Azure The following options are available. name Required. The name of the hosted service that the certificate will belong to. data Required. The base-64 encoded form of the pfx file. certificate_format Required. The service certificate format. The only supported value is pfx. password The certificate password. salt-cloud -f add_service_certificate my-azure name=my-cert \ data='...CERT_DATA...' certificate_format=pfx password=verybadpass delete_service_certificate Delete a service certificate from the account. The name, thumbprint, and thumbalgorithm can be obtained from list_service_certificates. salt-cloud -f delete_service_certificate my-azure \ name=my_service_certificate \ thumbalgorithm=sha1 thumbprint=0123456789ABCDEF Managing Management Certificates New in version 2015.8.0. A Azure management certificate is an X.509 v3 certificate used to authenticate an agent, such as Visual Studio Tools for Windows Azure or a client application that uses the Service Management API, acting on behalf of the subscription owner to manage subscription resources. Azure management certificates are uploaded to Azure and stored at the subscription level. The management certificate store can hold up to 100 certificates per subscription. These certificates are used to authenticate your Windows Azure deployment. For more information on management certificates, see the following link. • Manage Certificates The following functions are available. list_management_certificates List management certificates associated with the account. salt-cloud -f list_management_certificates my-azure show_management_certificate Show the data for a specific management certificate associated with the account. The name, thumbprint, and thumbalgorithm can be obtained from list_management_certificates. Can also be called with get_management_certificate. salt-cloud -f show_management_certificate my-azure name=my_management_certificate \ thumbalgorithm=sha1 thumbprint=0123456789ABCDEF add_management_certificate Management certificates must have a key length of at least 2048 bits and should reside in the Personal certificate store. When the certificate is installed on the client, it should contain the private key of the certificate. To upload to the certificate to the Microsoft Azure Management Portal, you must export it as a .cer format file that does not contain the private key. For more information on creating management certificates, see the following link: • Create and Upload a Management Certificate for Azure The following options are available. public_key A base64 representation of the management certificate public key. thumbprint The thumb print that uniquely identifies the management certificate. data The certificate's raw data in base-64 encoded .cer format. salt-cloud -f add_management_certificate my-azure public_key='...PUBKEY...' \ thumbprint=0123456789ABCDEF data='...CERT_DATA...' delete_management_certificate Delete a management certificate from the account. The thumbprint can be obtained from list_management_certificates. salt-cloud -f delete_management_certificate my-azure thumbprint=0123456789ABCDEF Virtual Network Management New in version 2015.8.0. The following are functions for managing virtual networks. list_virtual_networks List input endpoints associated with the deployment. salt-cloud -f list_virtual_networks my-azure service=myservice deployment=mydeployment Managing Input Endpoints New in version 2015.8.0. Input endpoints are used to manage port access for roles. Because endpoints cannot be managed by the Azure Python SDK, Salt Cloud uses the API directly. With versions of Python before 2.7.9, the requests-python package needs to be installed in order for this to work. Additionally, the following needs to be set in the master's configuration file: requests_lib: True The following functions are available. list_input_endpoints List input endpoints associated with the deployment salt-cloud -f list_input_endpoints my-azure service=myservice deployment=mydeployment show_input_endpoint Show an input endpoint associated with the deployment salt-cloud -f show_input_endpoint my-azure service=myservice \ deployment=mydeployment name=SSH add_input_endpoint Add an input endpoint to the deployment. Please note that there may be a delay before the changes show up. The following options are available. service Required. The name of the hosted service which the VM belongs to. deployment Required. The name of the deployment that the VM belongs to. If the VM was created with Salt Cloud, the deployment name probably matches the VM name. role Required. The name of the role that the VM belongs to. If the VM was created with Salt Cloud, the role name probably matches the VM name. name Required. The name of the input endpoint. This typically matches the port that the endpoint is set to. For instance, port 22 would be called SSH. port Required. The public (Internet-facing) port that is used for the endpoint. local_port Optional. The private port on the VM itself that will be matched with the port. This is typically the same as the port. If this value is not specified, it will be copied from port. protocol Required. Either tcp or udp. enable_direct_server_return Optional. If an internal load balancer exists in the account, it can be used with a direct server return. The default value is False. Please see the following article for an explanation of this option. • Load Balancing for Azure Infrastructure Services timeout_for_tcp_idle_connection Optional. The default value is 4. Please see the following article for an explanation of this option. • Configurable Idle Timeout for Azure Load Balancer CLI Example The following example illustrates adding an input endpoint. salt-cloud -f add_input_endpoint my-azure service=myservice \ deployment=mydeployment role=myrole name=HTTP local_port=80 \ port=80 protocol=tcp enable_direct_server_return=False \ timeout_for_tcp_idle_connection=4 update_input_endpoint Updates the details for a specific input endpoint. All options from add_input_endpoint are supported. salt-cloud -f update_input_endpoint my-azure service=myservice \ deployment=mydeployment role=myrole name=HTTP local_port=80 \ port=80 protocol=tcp enable_direct_server_return=False \ timeout_for_tcp_idle_connection=4 delete_input_endpoint Delete an input endpoint from the deployment. Please note that there may be a delay before the changes show up. The following items are required. CLI Example The following example illustrates deleting an input endpoint. service The name of the hosted service which the VM belongs to. deployment The name of the deployment that the VM belongs to. If the VM was created with Salt Cloud, the deployment name probably matches the VM name. role The name of the role that the VM belongs to. If the VM was created with Salt Cloud, the role name probably matches the VM name. name The name of the input endpoint. This typically matches the port that the endpoint is set to. For instance, port 22 would be called SSH. salt-cloud -f delete_input_endpoint my-azure service=myservice \ deployment=mydeployment role=myrole name=HTTP Managing Affinity Groups New in version 2015.8.0. Affinity groups allow you to group your Azure services to optimize performance. All services and VMs within an affinity group will be located in the same region. For more information on Affinity groups, see the following link: • Create an Affinity Group in the Management Portal The following functions are available. list_affinity_groups List input endpoints associated with the account salt-cloud -f list_affinity_groups my-azure show_affinity_group Show an affinity group associated with the account salt-cloud -f show_affinity_group my-azure service=myservice \ deployment=mydeployment name=SSH create_affinity_group Create a new affinity group. The following options are supported. name Required. The name of the new affinity group. location Required. The region in which the affinity group lives. label Required. A label describing the new affinity group. description Optional. A longer description of the affinity group. salt-cloud -f create_affinity_group my-azure name=my_affinity_group \ label=my-affinity-group location='West US' update_affinity_group Update an affinity group's properties salt-cloud -f update_affinity_group my-azure name=my_group label=my_group delete_affinity_group Delete a specific affinity group associated with the account salt-cloud -f delete_affinity_group my-azure name=my_affinity_group Managing Blob Storage New in version 2015.8.0. Azure storage containers and their contents can be managed with Salt Cloud. This is not as elegant as using one of the other available clients in Windows, but it benefits Linux and Unix users, as there are fewer options available on those platforms. Blob Storage Configuration Blob storage must be configured differently than the standard Azure configuration. Both a storage_account and a storage_key must be specified either through the Azure provider configuration (in addition to the other Azure configuration) or via the command line. storage_account: mystorage storage_key: ffhj334fDSGFEGDFGFDewr34fwfsFSDFwe== storage_account This is one of the storage accounts that is available via the list_storage function. storage_key Both a primary and a secondary storage_key can be obtained by running the show_storage_keys function. Either key may be used. Blob Functions The following functions are made available through Salt Cloud for managing blog storage. make_blob_url Creates the URL to access a blob salt-cloud -f make_blob_url my-azure container=mycontainer blob=myblob container Name of the container. blob Name of the blob. account Name of the storage account. If not specified, derives the host base from the provider configuration. protocol Protocol to use: 'http' or 'https'. If not specified, derives the host base from the provider configuration. host_base Live host base URL. If not specified, derives the host base from the provider configuration. list_storage_containers List containers associated with the storage account salt-cloud -f list_storage_containers my-azure create_storage_container Create a storage container salt-cloud -f create_storage_container my-azure name=mycontainer name Name of container to create. meta_name_values Optional. A dict with name_value pairs to associate with the container as metadata. Example:{'Category':'test'} blob_public_access Optional. Possible values include: container, blob fail_on_exist Specify whether to throw an exception when the container exists. show_storage_container Show a container associated with the storage account salt-cloud -f show_storage_container my-azure name=myservice name Name of container to show. show_storage_container_metadata Show a storage container's metadata salt-cloud -f show_storage_container_metadata my-azure name=myservice name Name of container to show. lease_id If specified, show_storage_container_metadata only succeeds if the container's lease is active and matches this ID. set_storage_container_metadata Set a storage container's metadata salt-cloud -f set_storage_container my-azure name=mycontainer \ x_ms_meta_name_values='{"my_name": "my_value"}' name Name of existing container. meta_name_values ```````````` A dict containing name, value for metadata. Example: {'category':'test'} lease_id ```` If specified, set_storage_container_metadata only succeeds if the container's lease is active and matches this ID. show_storage_container_acl Show a storage container's acl salt-cloud -f show_storage_container_acl my-azure name=myservice name Name of existing container. lease_id If specified, show_storage_container_acl only succeeds if the container's lease is active and matches this ID. set_storage_container_acl Set a storage container's acl salt-cloud -f set_storage_container my-azure name=mycontainer name Name of existing container. signed_identifiers SignedIdentifers instance blob_public_access Optional. Possible values include: container, blob lease_id If specified, set_storage_container_acl only succeeds if the container's lease is active and matches this ID. delete_storage_container Delete a container associated with the storage account salt-cloud -f delete_storage_container my-azure name=mycontainer name Name of container to create. fail_not_exist Specify whether to throw an exception when the container exists. lease_id If specified, delete_storage_container only succeeds if the container's lease is active and matches this ID. lease_storage_container Lease a container associated with the storage account salt-cloud -f lease_storage_container my-azure name=mycontainer name Name of container to create. lease_action Required. Possible values: acquire|renew|release|break|change lease_id Required if the container has an active lease. lease_duration Specifies the duration of the lease, in seconds, or negative one (-1) for a lease that never expires. A non-infinite lease can be between 15 and 60 seconds. A lease duration cannot be changed using renew or change. For backwards compatibility, the default is 60, and the value is only used on an acquire operation. lease_break_period Optional. For a break operation, this is the proposed duration of seconds that the lease should continue before it is broken, between 0 and 60 seconds. This break period is only used if it is shorter than the time remaining on the lease. If longer, the time remaining on the lease is used. A new lease will not be available before the break period has expired, but the lease may be held for longer than the break period. If this header does not appear with a break operation, a fixed-duration lease breaks after the remaining lease period elapses, and an infinite lease breaks immediately. proposed_lease_id Optional for acquire, required for change. Proposed lease ID, in a GUID string format. list_blobs List blobs associated with the container salt-cloud -f list_blobs my-azure container=mycontainer container The name of the storage container prefix Optional. Filters the results to return only blobs whose names begin with the specified prefix. marker Optional. A string value that identifies the portion of the list to be returned with the next list operation. The operation returns a marker value within the response body if the list returned was not complete. The marker value may then be used in a subsequent call to request the next set of list items. The marker value is opaque to the client. maxresults Optional. Specifies the maximum number of blobs to return, including all BlobPrefix elements. If the request does not specify maxresults or specifies a value greater than 5,000, the server will return up to 5,000 items. Setting maxresults to a value less than or equal to zero results in error response code 400 (Bad Request). include Optional. Specifies one or more datasets to include in the response. To specify more than one of these options on the URI, you must separate each option with a comma. Valid values are: snapshots: Specifies that snapshots should be included in the enumeration. Snapshots are listed from oldest to newest in the response. metadata: Specifies that blob metadata be returned in the response. uncommittedblobs: Specifies that blobs for which blocks have been uploaded, but which have not been committed using Put Block List (REST API), be included in the response. copy: Version 2012-02-12 and newer. Specifies that metadata related to any current or previous Copy Blob operation should be included in the response. delimiter Optional. When the request includes this parameter, the operation returns a BlobPrefix element in the response body that acts as a placeholder for all blobs whose names begin with the same substring up to the appearance of the delimiter character. The delimiter may be a single character or a string. show_blob_service_properties Show a blob's service properties salt-cloud -f show_blob_service_properties my-azure set_blob_service_properties Sets the properties of a storage account's Blob service, including Windows Azure Storage Analytics. You can also use this operation to set the default request version for all incoming requests that do not have a version specified. salt-cloud -f set_blob_service_properties my-azure properties a StorageServiceProperties object. timeout Optional. The timeout parameter is expressed in seconds. show_blob_properties Returns all user-defined metadata, standard HTTP properties, and system properties for the blob. salt-cloud -f show_blob_properties my-azure container=mycontainer blob=myblob container Name of existing container. blob Name of existing blob. lease_id Required if the blob has an active lease. set_blob_properties Set a blob's properties salt-cloud -f set_blob_properties my-azure container Name of existing container. blob Name of existing blob. blob_cache_control Optional. Modifies the cache control string for the blob. blob_content_type Optional. Sets the blob's content type. blob_content_md5 Optional. Sets the blob's MD5 hash. blob_content_encoding Optional. Sets the blob's content encoding. blob_content_language Optional. Sets the blob's content language. lease_id Required if the blob has an active lease. blob_content_disposition Optional. Sets the blob's Content-Disposition header. The Content-Disposition response header field conveys additional information about how to process the response payload, and also can be used to attach additional metadata. For example, if set to attachment, it indicates that the user-agent should not display the response, but instead show a Save As dialog with a filename other than the blob name specified. put_blob Upload a blob salt-cloud -f put_blob my-azure container=base name=top.sls blob_path=/srv/salt/top.sls salt-cloud -f put_blob my-azure container=base name=content.txt blob_content='Some content' container Name of existing container. name Name of existing blob. blob_path The path on the local machine of the file to upload as a blob. Either this or blob_content must be specified. blob_content The actual content to be uploaded as a blob. Either this or blob_path must me specified. cache_control Optional. The Blob service stores this value but does not use or modify it. content_language Optional. Specifies the natural languages used by this resource. content_md5 Optional. An MD5 hash of the blob content. This hash is used to verify the integrity of the blob during transport. When this header is specified, the storage service checks the hash that has arrived with the one that was sent. If the two hashes do not match, the operation will fail with error code 400 (Bad Request). blob_content_type Optional. Set the blob's content type. blob_content_encoding Optional. Set the blob's content encoding. blob_content_language Optional. Set the blob's content language. blob_content_md5 Optional. Set the blob's MD5 hash. blob_cache_control Optional. Sets the blob's cache control. meta_name_values A dict containing name, value for metadata. lease_id Required if the blob has an active lease. get_blob Download a blob salt-cloud -f get_blob my-azure container=base name=top.sls local_path=/srv/salt/top.sls salt-cloud -f get_blob my-azure container=base name=content.txt return_content=True container Name of existing container. name Name of existing blob. local_path The path on the local machine to download the blob to. Either this or return_content must be specified. return_content Whether or not to return the content directly from the blob. If specified, must be True or False. Either this or the local_path must be specified. snapshot Optional. The snapshot parameter is an opaque DateTime value that, when present, specifies the blob snapshot to retrieve. lease_id Required if the blob has an active lease. progress_callback callback for progress with signature function(current, total) where current is the number of bytes transferred so far, and total is the size of the blob. max_connections Maximum number of parallel connections to use when the blob size exceeds 64MB. Set to 1 to download the blob chunks sequentially. Set to 2 or more to download the blob chunks in parallel. This uses more system resources but will download faster. max_retries Number of times to retry download of blob chunk if an error occurs. retry_wait Sleep time in secs between retries. Getting Started With DigitalOcean DigitalOcean is a public cloud host that specializes in Linux instances. Configuration Using Salt for DigitalOcean requires a personal_access_token, an ssh_key_file, and at least one SSH key name in ssh_key_names. More ssh_key_names can be added by separating each key with a comma. The personal_access_token can be found in the DigitalOcean web interface in the "Apps & API" section. The SSH key name can be found under the "SSH Keys" section. # Note: This example is for /etc/salt/cloud.providers or any file in the # /etc/salt/cloud.providers.d/ directory. my-digitalocean-config: driver: digital_ocean personal_access_token: xxx ssh_key_file: /path/to/ssh/key/file ssh_key_names: my-key-name,my-key-name-2 location: New York 1 NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Profiles Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory: digitalocean-ubuntu: provider: my-digitalocean-config image: 14.04 x64 size: 512MB location: New York 1 private_networking: True backups_enabled: True ipv6: True Locations can be obtained using the --list-locations option for the salt-cloud command: # salt-cloud --list-locations my-digitalocean-config my-digitalocean-config: ---------- digital_ocean: ---------- Amsterdam 1: ---------- available: False features: [u'backups'] name: Amsterdam 1 sizes: [] slug: ams1 ...SNIP... Sizes can be obtained using the --list-sizes option for the salt-cloud command: # salt-cloud --list-sizes my-digitalocean-config my-digitalocean-config: ---------- digital_ocean: ---------- 512MB: ---------- cost_per_hour: 0.00744 cost_per_month: 5.0 cpu: 1 disk: 20 id: 66 memory: 512 name: 512MB slug: None ...SNIP... Images can be obtained using the --list-images option for the salt-cloud command: # salt-cloud --list-images my-digitalocean-config my-digitalocean-config: ---------- digital_ocean: ---------- 10.1: ---------- created_at: 2015-01-20T20:04:34Z distribution: FreeBSD id: 10144573 min_disk_size: 20 name: 10.1 public: True ...SNIP... Profile Specifics: ssh_username If using a FreeBSD image from Digital Ocean, you'll need to set the ssh_username setting to freebsd in your profile configuration. digitalocean-freebsd: provider: my-digitalocean-config image: 10.2 size: 512MB ssh_username: freebsd Miscellaneous Information NOTE: DigitalOcean's concept of Applications is nothing more than a pre-configured instance (same as a normal Droplet). You will find examples such Docker 0.7 Ubuntu 13.04 x64 and Wordpress on Ubuntu 12.10 when using the --list-images option. These names can be used just like the rest of the standard instances when specifying an image in the cloud profile configuration. NOTE: If your domain's DNS is managed with DigitalOcean, you can automatically create A-records for newly created droplets. Use create_dns_record: True in your config to enable this. Add delete_dns_record: True to also delete records when a droplet is destroyed. NOTE: Additional documentation is available from DigitalOcean. Getting Started With AWS EC2 Amazon EC2 is a very widely used public cloud platform and one of the core platforms Salt Cloud has been built to support. Previously, the suggested driver for AWS EC2 was the aws driver. This has been deprecated in favor of the ec2 driver. Configuration using the old aws driver will still function, but that driver is no longer in active development. Dependencies This driver requires the Python requests library to be installed. Configuration The following example illustrates some of the options that can be set. These parameters are discussed in more detail below. # Note: This example is for /etc/salt/cloud.providers or any file in the # /etc/salt/cloud.providers.d/ directory. my-ec2-southeast-public-ips: # Set up the location of the salt master # minion: master: saltmaster.example.com # Set up grains information, which will be common for all nodes # using this provider grains: node_type: broker release: 1.0.1 # Specify whether to use public or private IP for deploy script. # # Valid options are: # private_ips - The salt-cloud command is run inside the EC2 # public_ips - The salt-cloud command is run outside of EC2 # ssh_interface: public_ips # Optionally configure the Windows credential validation number of # retries and delay between retries. This defaults to 10 retries # with a one second delay betwee retries win_deploy_auth_retries: 10 win_deploy_auth_retry_delay: 1 # Set the EC2 access credentials (see below) # id: 'use-instance-role-credentials' key: 'use-instance-role-credentials' # Make sure this key is owned by root with permissions 0400. # private_key: /etc/salt/my_test_key.pem keyname: my_test_key securitygroup: default # Optionally configure default region # Use salt-cloud --list-locations <provider> to obtain valid regions # location: ap-southeast-1 availability_zone: ap-southeast-1b # Configure which user to use to run the deploy script. This setting is # dependent upon the AMI that is used to deploy. It is usually safer to # configure this individually in a profile, than globally. Typical users # are: # # Amazon Linux -> ec2-user # RHEL -> ec2-user # CentOS -> ec2-user # Ubuntu -> ubuntu # ssh_username: ec2-user # Optionally add an IAM profile iam_profile: 'arn:aws:iam::123456789012:instance-profile/ExampleInstanceProfile' driver: ec2 my-ec2-southeast-private-ips: # Set up the location of the salt master # minion: master: saltmaster.example.com # Specify whether to use public or private IP for deploy script. # # Valid options are: # private_ips - The salt-master is also hosted with EC2 # public_ips - The salt-master is hosted outside of EC2 # ssh_interface: private_ips # Optionally configure the Windows credential validation number of # retries and delay between retries. This defaults to 10 retries # with a one second delay betwee retries win_deploy_auth_retries: 10 win_deploy_auth_retry_delay: 1 # Set the EC2 access credentials (see below) # id: 'use-instance-role-credentials' key: 'use-instance-role-credentials' # Make sure this key is owned by root with permissions 0400. # private_key: /etc/salt/my_test_key.pem keyname: my_test_key # This one should NOT be specified if VPC was not configured in AWS to be # the default. It might cause an error message which says that network # interfaces and an instance-level security groups may not be specified # on the same request. # securitygroup: default # Optionally configure default region # location: ap-southeast-1 availability_zone: ap-southeast-1b # Configure which user to use to run the deploy script. This setting is # dependent upon the AMI that is used to deploy. It is usually safer to # configure this individually in a profile, than globally. Typical users # are: # # Amazon Linux -> ec2-user # RHEL -> ec2-user # CentOS -> ec2-user # Ubuntu -> ubuntu # ssh_username: ec2-user # Optionally add an IAM profile iam_profile: 'my other profile name' driver: ec2 NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Access Credentials The id and key settings may be found in the Security Credentials area of the AWS Account page: https://portal.aws.amazon.com/gp/aws/securityCredentials Both are located in the Access Credentials area of the page, under the Access Keys tab. The id setting is labeled Access Key ID, and the key setting is labeled Secret Access Key. Note: if either id or key is set to 'use-instance-role-credentials' it is assumed that Salt is running on an AWS instance, and the instance role credentials will be retrieved and used. Since both the id and key are required parameters for the AWS ec2 provider, it is recommended to set both to 'use-instance-role-credentials' for this functionality. A "static" and "permanent" Access Key ID and Secret Key can be specified, but this is not recommended. Instance role keys are rotated on a regular basis, and are the recommended method of specifying AWS credentials. Windows Deploy Timeouts For Windows instances, it may take longer than normal for the instance to be ready. In these circumstances, the provider configuration can be configured with a win_deploy_auth_retries and/or a win_deploy_auth_retry_delay setting, which default to 10 retries and a one second delay between retries. These retries and timeouts relate to validating the Administrator password once AWS provides the credentials via the AWS API. Windows Deploy Timeouts For Windows instances, it may take longer than normal for the instance to be ready. In these circumstances, the provider configuration can be configured with a win_deploy_auth_retries and/or a win_deploy_auth_retry_delay setting, which default to 10 retries and a one second delay between retries. These retries and timeouts relate to validating the Administrator password once AWS provides the credentials via the AWS API. Key Pairs In order to create an instance with Salt installed and configured, a key pair will need to be created. This can be done in the EC2 Management Console, in the Key Pairs area. These key pairs are unique to a specific region. Keys in the us-east-1 region can be configured at: https://console.aws.amazon.com/ec2/home?region=us-east-1#s=KeyPairs Keys in the us-west-1 region can be configured at https://console.aws.amazon.com/ec2/home?region=us-west-1#s=KeyPairs ...and so on. When creating a key pair, the browser will prompt to download a pem file. This file must be placed in a directory accessible by Salt Cloud, with permissions set to either 0400 or 0600. Security Groups An instance on EC2 needs to belong to a security group. Like key pairs, these are unique to a specific region. These are also configured in the EC2 Management Console. Security groups for the us-east-1 region can be configured at: https://console.aws.amazon.com/ec2/home?region=us-east-1#s=SecurityGroups ...and so on. A security group defines firewall rules which an instance will adhere to. If the salt-master is configured outside of EC2, the security group must open the SSH port (usually port 22) in order for Salt Cloud to install Salt. IAM Profile Amazon EC2 instances support the concept of an instance profile, which is a logical container for the IAM role. At the time that you launch an EC2 instance, you can associate the instance with an instance profile, which in turn corresponds to the IAM role. Any software that runs on the EC2 instance is able to access AWS using the permissions associated with the IAM role. Scaffolding the profile is a 2-step configuration process: 1. Configure an IAM Role from the IAM Management Console. 2. Attach this role to a new profile. It can be done with the AWS CLI: > aws iam create-instance-profile --instance-profile-name PROFILE_NAME > aws iam add-role-to-instance-profile --instance-profile-name PROFILE_NAME --role-name ROLE_NAME Once the profile is created, you can use the PROFILE_NAME to configure your cloud profiles. Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles: base_ec2_private: provider: my-ec2-southeast-private-ips image: ami-e565ba8c size: t2.micro ssh_username: ec2-user base_ec2_public: provider: my-ec2-southeast-public-ips image: ami-e565ba8c size: t2.micro ssh_username: ec2-user base_ec2_db: provider: my-ec2-southeast-public-ips image: ami-e565ba8c size: m1.xlarge ssh_username: ec2-user volumes: - { size: 10, device: /dev/sdf } - { size: 10, device: /dev/sdg, type: io1, iops: 1000 } - { size: 10, device: /dev/sdh, type: io1, iops: 1000 } # optionally add tags to profile: tag: {'Environment': 'production', 'Role': 'database'} # force grains to sync after install sync_after_install: grains base_ec2_vpc: provider: my-ec2-southeast-public-ips image: ami-a73264ce size: m1.xlarge ssh_username: ec2-user script: /etc/salt/cloud.deploy.d/user_data.sh network_interfaces: - DeviceIndex: 0 PrivateIpAddresses: - Primary: True #auto assign public ip (not EIP) AssociatePublicIpAddress: True SubnetId: subnet-813d4bbf SecurityGroupId: - sg-750af413 del_root_vol_on_destroy: True del_all_vol_on_destroy: True volumes: - { size: 10, device: /dev/sdf } - { size: 10, device: /dev/sdg, type: io1, iops: 1000 } - { size: 10, device: /dev/sdh, type: io1, iops: 1000 } tag: {'Environment': 'production', 'Role': 'database'} sync_after_install: grains The profile can now be realized with a salt command: # salt-cloud -p base_ec2 ami.example.com # salt-cloud -p base_ec2_public ami.example.com # salt-cloud -p base_ec2_private ami.example.com This will create an instance named ami.example.com in EC2. The minion that is installed on this instance will have an id of ami.example.com. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt: # salt 'ami.example.com' test.ping Required Settings The following settings are always required for EC2: # Set the EC2 login data my-ec2-config: id: HJGRYCILJLKJYG key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn' keyname: test securitygroup: quick-start private_key: /root/test.pem driver: ec2 Optional Settings EC2 allows a userdata file to be passed to the instance to be created. This functionality was added to Salt in the 2015.5.0 release. my-ec2-config: # Pass userdata to the instance to be created userdata_file: /etc/salt/my-userdata-file EC2 allows a location to be set for servers to be deployed in. Availability zones exist inside regions, and may be added to increase specificity. my-ec2-config: # Optionally configure default region location: ap-southeast-1 availability_zone: ap-southeast-1b EC2 instances can have a public or private IP, or both. When an instance is deployed, Salt Cloud needs to log into it via SSH to run the deploy script. By default, the public IP will be used for this. If the salt-cloud command is run from another EC2 instance, the private IP should be used. my-ec2-config: # Specify whether to use public or private IP for deploy script # private_ips or public_ips ssh_interface: public_ips Many EC2 instances do not allow remote access to the root user by default. Instead, another user must be used to run the deploy script using sudo. Some common usernames include ec2-user (for Amazon Linux), ubuntu (for Ubuntu instances), admin (official Debian) and bitnami (for images provided by Bitnami). my-ec2-config: # Configure which user to use to run the deploy script ssh_username: ec2-user Multiple usernames can be provided, in which case Salt Cloud will attempt to guess the correct username. This is mostly useful in the main configuration file: my-ec2-config: ssh_username: - ec2-user - ubuntu - admin - bitnami Multiple security groups can also be specified in the same fashion: my-ec2-config: securitygroup: - default - extra Your instances may optionally make use of EC2 Spot Instances. The following example will request that spot instances be used and your maximum bid will be $0.10. Keep in mind that different spot prices may be needed based on the current value of the various EC2 instance sizes. You can check current and past spot instance pricing via the EC2 API or AWS Console. my-ec2-config: spot_config: spot_price: 0.10 By default, the spot instance type is set to 'one-time', meaning it will be launched and, if it's ever terminated for whatever reason, it will not be recreated. If you would like your spot instances to be relaunched after a termination (by your or AWS), set the type to 'persistent'. NOTE: Spot instances are a great way to save a bit of money, but you do run the risk of losing your spot instances if the current price for the instance size goes above your maximum bid. The following parameters may be set in the cloud configuration file to control various aspects of the spot instance launching: • wait_for_spot_timeout: seconds to wait before giving up on spot instance launch (default=600) • wait_for_spot_interval: seconds to wait in between polling requests to determine if a spot instance is available (default=30) • wait_for_spot_interval_multiplier: a multiplier to add to the interval in between requests, which is useful if AWS is throttling your requests (default=1) • wait_for_spot_max_failures: maximum number of failures before giving up on launching your spot instance (default=10) If you find that you're being throttled by AWS while polling for spot instances, you can set the following in your core cloud configuration file that will double the polling interval after each request to AWS. wait_for_spot_interval: 1 wait_for_spot_interval_multiplier: 2 See the AWS Spot Instances documentation for more information. Block device mappings enable you to specify additional EBS volumes or instance store volumes when the instance is launched. This setting is also available on each cloud profile. Note that the number of instance stores varies by instance type. If more mappings are provided than are supported by the instance type, mappings will be created in the order provided and additional mappings will be ignored. Consult the AWS documentation for a listing of the available instance stores, and device names. my-ec2-config: block_device_mappings: - DeviceName: /dev/sdb VirtualName: ephemeral0 - DeviceName: /dev/sdc VirtualName: ephemeral1 You can also use block device mappings to change the size of the root device at the provisioning time. For example, assuming the root device is '/dev/sda', you can set its size to 100G by using the following configuration. my-ec2-config: block_device_mappings: - DeviceName: /dev/sda Ebs.VolumeSize: 100 Ebs.VolumeType: gp2 Ebs.SnapshotId: dummy0 - DeviceName: /dev/sdb # required for devices > 2TB Ebs.VolumeType: gp2 Ebs.VolumeSize: 3001 Existing EBS volumes may also be attached (not created) to your instances or you can create new EBS volumes based on EBS snapshots. To simply attach an existing volume use the volume_id parameter. device: /dev/xvdj volume_id: vol-12345abcd Or, to create a volume from an EBS snapshot, use the snapshot parameter. device: /dev/xvdj snapshot: snap-abcd12345 Note that volume_id will take precedence over the snapshot parameter. Tags can be set once an instance has been launched. my-ec2-config: tag: tag0: value tag1: value Modify EC2 Tags One of the features of EC2 is the ability to tag resources. In fact, under the hood, the names given to EC2 instances by salt-cloud are actually just stored as a tag called Name. Salt Cloud has the ability to manage these tags: salt-cloud -a get_tags mymachine salt-cloud -a set_tags mymachine tag1=somestuff tag2='Other stuff' salt-cloud -a del_tags mymachine tag1,tag2,tag3 It is possible to manage tags on any resource in EC2 with a Resource ID, not just instances: salt-cloud -f get_tags my_ec2 resource_id=af5467ba salt-cloud -f set_tags my_ec2 resource_id=af5467ba tag1=somestuff salt-cloud -f del_tags my_ec2 resource_id=af5467ba tag1,tag2,tag3 Rename EC2 Instances As mentioned above, EC2 instances are named via a tag. However, renaming an instance by renaming its tag will cause the salt keys to mismatch. A rename function exists which renames both the instance, and the salt keys. salt-cloud -a rename mymachine newname=yourmachine EC2 Termination Protection EC2 allows the user to enable and disable termination protection on a specific instance. An instance with this protection enabled cannot be destroyed. salt-cloud -a enable_term_protect mymachine salt-cloud -a disable_term_protect mymachine Rename on Destroy When instances on EC2 are destroyed, there will be a lag between the time that the action is sent, and the time that Amazon cleans up the instance. During this time, the instance still retails a Name tag, which will cause a collision if the creation of an instance with the same name is attempted before the cleanup occurs. In order to avoid such collisions, Salt Cloud can be configured to rename instances when they are destroyed. The new name will look something like: myinstance-DEL20f5b8ad4eb64ed88f2c428df80a1a0c In order to enable this, add rename_on_destroy line to the main configuration file: my-ec2-config: rename_on_destroy: True Listing Images Normally, images can be queried on a cloud provider by passing the --list-images argument to Salt Cloud. This still holds true for EC2: salt-cloud --list-images my-ec2-config However, the full list of images on EC2 is extremely large, and querying all of the available images may cause Salt Cloud to behave as if frozen. Therefore, the default behavior of this option may be modified, by adding an owner argument to the provider configuration: owner: aws-marketplace The possible values for this setting are amazon, aws-marketplace, self, <AWS account ID> or all. The default setting is amazon. Take note that all and aws-marketplace may cause Salt Cloud to appear as if it is freezing, as it tries to handle the large amount of data. It is also possible to perform this query using different settings without modifying the configuration files. To do this, call the avail_images function directly: salt-cloud -f avail_images my-ec2-config owner=aws-marketplace EC2 Images The following are lists of available AMI images, generally sorted by OS. These lists are on 3rd-party websites, are not managed by Salt Stack in any way. They are provided here as a reference for those who are interested, and contain no warranty (express or implied) from anyone affiliated with Salt Stack. Most of them have never been used, much less tested, by the Salt Stack team. • Arch Linux • FreeBSD • Fedora • CentOS • Ubuntu • Debian • OmniOS • All Images on Amazon show_image This is a function that describes an AMI on EC2. This will give insight as to the defaults that will be applied to an instance using a particular AMI. $ salt-cloud -f show_image ec2 image=ami-fd20ad94 show_instance This action is a thin wrapper around --full-query, which displays details on a single instance only. In an environment with several machines, this will save a user from having to sort through all instance data, just to examine a single instance. $ salt-cloud -a show_instance myinstance ebs_optimized This argument enables switching of the EbsOptimized setting which default to 'false'. Indicates whether the instance is optimized for EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance. This setting can be added to the profile or map file for an instance. If set to True, this setting will enable an instance to be EbsOptimized ebs_optimized: True This can also be set as a cloud provider setting in the EC2 cloud configuration: my-ec2-config: ebs_optimized: True del_root_vol_on_destroy This argument overrides the default DeleteOnTermination setting in the AMI for the EBS root volumes for an instance. Many AMIs contain 'false' as a default, resulting in orphaned volumes in the EC2 account, which may unknowingly be charged to the account. This setting can be added to the profile or map file for an instance. If set, this setting will apply to the root EBS volume del_root_vol_on_destroy: True This can also be set as a cloud provider setting in the EC2 cloud configuration: my-ec2-config: del_root_vol_on_destroy: True del_all_vols_on_destroy This argument overrides the default DeleteOnTermination setting in the AMI for the not-root EBS volumes for an instance. Many AMIs contain 'false' as a default, resulting in orphaned volumes in the EC2 account, which may unknowingly be charged to the account. This setting can be added to the profile or map file for an instance. If set, this setting will apply to any (non-root) volumes that were created by salt-cloud using the 'volumes' setting. The volumes will not be deleted under the following conditions * If a volume is detached before terminating the instance * If a volume is created without this setting and attached to the instance del_all_vols_on_destroy: True This can also be set as a cloud provider setting in the EC2 cloud configuration: my-ec2-config: del_all_vols_on_destroy: True The setting for this may be changed on all volumes of an existing instance using one of the following commands: salt-cloud -a delvol_on_destroy myinstance salt-cloud -a keepvol_on_destroy myinstance salt-cloud -a show_delvol_on_destroy myinstance The setting for this may be changed on a volume on an existing instance using one of the following commands: salt-cloud -a delvol_on_destroy myinstance device=/dev/sda1 salt-cloud -a delvol_on_destroy myinstance volume_id=vol-1a2b3c4d salt-cloud -a keepvol_on_destroy myinstance device=/dev/sda1 salt-cloud -a keepvol_on_destroy myinstance volume_id=vol-1a2b3c4d salt-cloud -a show_delvol_on_destroy myinstance device=/dev/sda1 salt-cloud -a show_delvol_on_destroy myinstance volume_id=vol-1a2b3c4d EC2 Termination Protection EC2 allows the user to enable and disable termination protection on a specific instance. An instance with this protection enabled cannot be destroyed. The EC2 driver adds a show_term_protect action to the regular EC2 functionality. salt-cloud -a show_term_protect mymachine salt-cloud -a enable_term_protect mymachine salt-cloud -a disable_term_protect mymachine Alternate Endpoint Normally, EC2 endpoints are build using the region and the service_url. The resulting endpoint would follow this pattern: ec2.<region>.<service_url> This results in an endpoint that looks like: ec2.us-east-1.amazonaws.com There are other projects that support an EC2 compatibility layer, which this scheme does not account for. This can be overridden by specifying the endpoint directly in the main cloud configuration file: my-ec2-config: endpoint: myendpoint.example.com:1138/services/Cloud Volume Management The EC2 driver has several functions and actions for management of EBS volumes. Creating Volumes A volume may be created, independent of an instance. A zone must be specified. A size or a snapshot may be specified (in GiB). If neither is given, a default size of 10 GiB will be used. If a snapshot is given, the size of the snapshot will be used. The following parameters may also be set (when providing a snapshot OR size): • type: choose between standard (magnetic disk), gp2 (SSD), or io1 (provisioned IOPS). (default=standard) • iops: the number of IOPS (only applicable to io1 volumes) (default varies on volume size) • encrypted: enable encryption on the volume (default=false) salt-cloud -f create_volume ec2 zone=us-east-1b salt-cloud -f create_volume ec2 zone=us-east-1b size=10 salt-cloud -f create_volume ec2 zone=us-east-1b snapshot=snap12345678 salt-cloud -f create_volume ec2 size=10 type=standard salt-cloud -f create_volume ec2 size=10 type=gp2 salt-cloud -f create_volume ec2 size=10 type=io1 iops=1000 Attaching Volumes Unattached volumes may be attached to an instance. The following values are required; name or instance_id, volume_id, and device. salt-cloud -a attach_volume myinstance volume_id=vol-12345 device=/dev/sdb1 Show a Volume The details about an existing volume may be retrieved. salt-cloud -a show_volume myinstance volume_id=vol-12345 salt-cloud -f show_volume ec2 volume_id=vol-12345 Detaching Volumes An existing volume may be detached from an instance. salt-cloud -a detach_volume myinstance volume_id=vol-12345 Deleting Volumes A volume that is not attached to an instance may be deleted. salt-cloud -f delete_volume ec2 volume_id=vol-12345 Managing Key Pairs The EC2 driver has the ability to manage key pairs. Creating a Key Pair A key pair is required in order to create an instance. When creating a key pair with this function, the return data will contain a copy of the private key. This private key is not stored by Amazon, will not be obtainable past this point, and should be stored immediately. salt-cloud -f create_keypair ec2 keyname=mykeypair Importing a Key Pair salt-cloud -f import_keypair ec2 keyname=mykeypair file=/path/to/id_rsa.pub Show a Key Pair This function will show the details related to a key pair, not including the private key itself (which is not stored by Amazon). salt-cloud -f show_keypair ec2 keyname=mykeypair Delete a Key Pair This function removes the key pair from Amazon. salt-cloud -f delete_keypair ec2 keyname=mykeypair Launching instances into a VPC Simple launching into a VPC In the amazon web interface, identify the id of the subnet into which your image should be created. Then, edit your cloud.profiles file like so:- profile-id: provider: provider-name subnetid: subnet-XXXXXXXX image: ami-XXXXXXXX size: m1.medium ssh_username: ubuntu securitygroupid: - sg-XXXXXXXX Specifying interface properties New in version 2014.7.0. Launching into a VPC allows you to specify more complex configurations for the network interfaces of your virtual machines, for example:- profile-id: provider: provider-name image: ami-XXXXXXXX size: m1.medium ssh_username: ubuntu # Do not include either 'subnetid' or 'securitygroupid' here if you are # going to manually specify interface configuration # network_interfaces: - DeviceIndex: 0 SubnetId: subnet-XXXXXXXX SecurityGroupId: - sg-XXXXXXXX # Uncomment this line if you would like to set an explicit private # IP address for the ec2 instance # # PrivateIpAddress: 192.168.1.66 # Uncomment this to associate an existing Elastic IP Address with # this network interface: # # associate_eip: eipalloc-XXXXXXXX # You can allocate more than one IP address to an interface. Use the # 'ip addr list' command to see them. # # SecondaryPrivateIpAddressCount: 2 # Uncomment this to allocate a new Elastic IP Address to this # interface (will be associated with the primary private ip address # of the interface # # allocate_new_eip: True # Uncomment this instead to allocate a new Elastic IP Address to # both the primary private ip address and each of the secondary ones # allocate_new_eips: True # Uncomment this if you're creating NAT instances. Allows an instance # to accept IP packets with destinations other than itself. # SourceDestCheck: False Note that it is an error to assign a 'subnetid' or 'securitygroupid' to a profile where the interfaces are manually configured like this. These are both really properties of each network interface, not of the machine itself. Getting Started With GoGrid GoGrid is a public cloud host that supports Linux and Windows. Configuration To use Salt Cloud with GoGrid log into the GoGrid web interface and create an API key. Do this by clicking on "My Account" and then going to the API Keys tab. The apikey and the sharedsecret configuration parameters need to be set in the configuration file to enable interfacing with GoGrid: # Note: This example is for /etc/salt/cloud.providers or any file in the # /etc/salt/cloud.providers.d/ directory. my-gogrid-config: driver: gogrid apikey: asdff7896asdh789 sharedsecret: saltybacon NOTE: A Note about using Map files with GoGrid: Due to limitations in the GoGrid API, instances cannot be provisioned in parallel with the GoGrid driver. Map files will work with GoGrid, but the -P argument should not be used on maps referencing GoGrid instances. NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Profiles Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory: gogrid_512: provider: my-gogrid-config size: 512MB image: CentOS 6.2 (64-bit) w/ None Sizes can be obtained using the --list-sizes option for the salt-cloud command: # salt-cloud --list-sizes my-gogrid-config my-gogrid-config: ---------- gogrid: ---------- 512MB: ---------- bandwidth: None disk: 30 driver: get_uuid: id: 512MB name: 512MB price: 0.095 ram: 512 uuid: bde1e4d7c3a643536e42a35142c7caac34b060e9 ...SNIP... Images can be obtained using the --list-images option for the salt-cloud command: # salt-cloud --list-images my-gogrid-config my-gogrid-config: ---------- gogrid: ---------- CentOS 6.4 (64-bit) w/ None: ---------- driver: extra: ---------- get_uuid: id: 18094 name: CentOS 6.4 (64-bit) w/ None uuid: bfd4055389919e01aa6261828a96cf54c8dcc2c4 ...SNIP... Assigning IPs New in version 2015.8.0. The GoGrid API allows IP addresses to be manually assigned. Salt Cloud supports this functionality by allowing an IP address to be specified using the assign_public_ip argument. This likely makes the most sense inside a map file, but it may also be used inside a profile. gogrid_512: provider: my-gogrid-config size: 512MB image: CentOS 6.2 (64-bit) w/ None assign_public_ip: 11.38.257.42 Getting Started With Google Compute Engine Google Compute Engine (GCE) is Google-infrastructure as a service that lets you run your large-scale computing workloads on virtual machines. This document covers how to use Salt Cloud to provision and manage your virtual machines hosted within Google's infrastructure. You can find out more about GCE and other Google Cloud Platform services at https://cloud.google.com. Dependencies • LibCloud >= 0.14.1 • A Google Cloud Platform account with Compute Engine enabled • A registered Service Account for authorization • Oh, and obviously you'll need salt Google Compute Engine Setup 1. Sign up for Google Cloud Platform Go to https://cloud.google.com and use your Google account to sign up for Google Cloud Platform and complete the guided instructions. 2. Create a Project Next, go to the console at https://cloud.google.com/console and create a new Project. Make sure to select your new Project if you are not automatically directed to the Project. Projects are a way of grouping together related users, services, and billing. You may opt to create multiple Projects and the remaining instructions will need to be completed for each Project if you wish to use GCE and Salt Cloud to manage your virtual machines. 3. Enable the Google Compute Engine service In your Project, either just click Compute Engine to the left, or go to the APIs & auth section and APIs link and enable the Google Compute Engine service. 4. Create a Service Account To set up authorization, navigate to APIs & auth section and then the Credentials link and click the CREATE NEW CLIENT ID button. Select Service Account and click the Create Client ID button. This will automatically download a .json file, which may or may not be used in later steps, depending on your version of libcloud. Look for a new Service Account section in the page and record the generated email address for the matching key/fingerprint. The email address will be used in the service_account_email_address of the /etc/salt/cloud.providers or the /etc/salt/cloud.providers.d/*.conf file. 5. Key Format NOTE: If you are using libcloud >= 0.17.0 it is recommended that you use the JSON format file you downloaded above and skip to the Provider Configuration section below, using the JSON file in place of 'NEW.pem' in the documentation. If you are using an older version of libcloud or are unsure of the version you have, please follow the instructions below to generate and format a new P12 key. In the new Service Account section, click Generate new P12 key, which will automatically download a .p12 private key file. The .p12 private key needs to be converted to a format compatible with libcloud. This new Google-generated private key was encrypted using notasecret as a passphrase. Use the following command and record the location of the converted private key and record the location for use in the service_account_private_key of the /etc/salt/cloud file: openssl pkcs12 -in ORIG.p12 -passin pass:notasecret \ -nodes -nocerts | openssl rsa -out NEW.pem Provider Configuration Set up the provider cloud config at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/*.conf: gce-config: # Set up the Project name and Service Account authorization project: "your-project-id" service_account_email_address: "123-a5gt@developer.gserviceaccount.com" service_account_private_key: "/path/to/your/NEW.pem" # Set up the location of the salt master minion: master: saltmaster.example.com # Set up grains information, which will be common for all nodes # using this provider grains: node_type: broker release: 1.0.1 driver: gce NOTE: The value provided for project must not contain underscores or spaces and is labeled as "Project ID" on the Google Developers Console. NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Profile Configuration Set up an initial profile at /etc/salt/cloud.profiles or /etc/salt/cloud.profiles.d/*.conf: my-gce-profile: image: centos-6 size: n1-standard-1 location: europe-west1-b network: default tags: '["one", "two", "three"]' metadata: '{"one": "1", "2": "two"}' use_persistent_disk: True delete_boot_pd: False deploy: True make_master: False provider: gce-config The profile can be realized now with a salt command: salt-cloud -p my-gce-profile gce-instance This will create an salt minion instance named gce-instance in GCE. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Once the instance has been created with a salt-minion installed, connectivity to it can be verified with Salt: salt gce-instance test.ping GCE Specific Settings Consult the sample profile below for more information about GCE specific settings. Some of them are mandatory and are properly labeled below but typically also include a hard-coded default. Initial Profile Set up an initial profile at /etc/salt/cloud.profiles or /etc/salt/cloud.profiles.d/gce.conf: my-gce-profile: image: centos-6 size: n1-standard-1 location: europe-west1-b network: default tags: '["one", "two", "three"]' metadata: '{"one": "1", "2": "two"}' use_persistent_disk: True delete_boot_pd: False ssh_interface: public_ips external_ip: "ephemeral" image Image is used to define what Operating System image should be used to for the instance. Examples are Debian 7 (wheezy) and CentOS 6. Required. size A 'size', in GCE terms, refers to the instance's 'machine type'. See the on-line documentation for a complete list of GCE machine types. Required. location A 'location', in GCE terms, refers to the instance's 'zone'. GCE has the notion of both Regions (e.g. us-central1, europe-west1, etc) and Zones (e.g. us-central1-a, us-central1-b, etc). Required. network Use this setting to define the network resource for the instance. All GCE projects contain a network named 'default' but it's possible to use this setting to create instances belonging to a different network resource. tags GCE supports instance/network tags and this setting allows you to set custom tags. It should be a list of strings and must be parse-able by the python ast.literal_eval() function to convert it to a python list. metadata GCE supports instance metadata and this setting allows you to set custom metadata. It should be a hash of key/value strings and parse-able by the python ast.literal_eval() function to convert it to a python dictionary. use_persistent_disk Use this setting to ensure that when new instances are created, they will use a persistent disk to preserve data between instance terminations and re-creations. delete_boot_pd In the event that you wish the boot persistent disk to be permanently deleted when you destroy an instance, set delete_boot_pd to True. ssh_interface New in version 2015.5.0. Specify whether to use public or private IP for deploy script. Valid options are: • private_ips: The salt-master is also hosted with GCE • public_ips: The salt-master is hosted outside of GCE external_ip Per instance setting: Used a named fixed IP address to this host. Valid options are: • ephemeral: The host will use a GCE ephemeral IP • None: No external IP will be configured on this host. Optionally, pass the name of a GCE address to use a fixed IP address. If the address does not already exist, it will be created. ex_disk_type GCE supports two different disk types, pd-standard and pd-ssd. The default disk type setting is pd-standard. To specify using an SSD disk, set pd-ssd as the value. New in version 2014.7.0. ip_forwarding GCE instances can be enabled to use IP Forwarding. When set to True, this options allows the instance to send/receive non-matching src/dst packets. Default is False. New in version 2015.8.1. Profile with scopes Scopes can be specified by setting the optional ex_service_accounts key in your cloud profile. The following example enables the bigquery scope. my-gce-profile: image: centos-6 ssh_username: salt size: f1-micro location: us-central1-a network: default tags: '["one", "two", "three"]' metadata: '{"one": "1", "2": "two", "sshKeys": ""}' use_persistent_disk: True delete_boot_pd: False deploy: False make_master: False provider: gce-config ex_service_accounts: - scopes: - bigquery Email can also be specified as an (optional) parameter. my-gce-profile: ...snip ex_service_accounts: - scopes: - bigquery email: default There can be multiple entries for scopes since ex-service_accounts accepts a list of dictionaries. For more information refer to the libcloud documentation on specifying service account scopes. SSH Remote Access GCE instances do not allow remote access to the root user by default. Instead, another user must be used to run the deploy script using sudo. Append something like this to /etc/salt/cloud.profiles or /etc/salt/cloud.profiles.d/*.conf: my-gce-profile: ... # SSH to GCE instances as gceuser ssh_username: gceuser # Use the local private SSH key file located here ssh_keyfile: /etc/cloud/google_compute_engine If you have not already used this SSH key to login to instances in this GCE project you will also need to add the public key to your projects metadata at https://cloud.google.com/console. You could also add it via the metadata setting too: my-gce-profile: ... metadata: '{"one": "1", "2": "two", "sshKeys": "gceuser:ssh-rsa <Your SSH Public Key> gceuser@host"}' Single instance details This action is a thin wrapper around --full-query, which displays details on a single instance only. In an environment with several machines, this will save a user from having to sort through all instance data, just to examine a single instance. salt-cloud -a show_instance myinstance Destroy, persistent disks, and metadata As noted in the provider configuration, it's possible to force the boot persistent disk to be deleted when you destroy the instance. The way that this has been implemented is to use the instance metadata to record the cloud profile used when creating the instance. When destroy is called, if the instance contains a salt-cloud-profile key, it's value is used to reference the matching profile to determine if delete_boot_pd is set to True. Be aware that any GCE instances created with salt cloud will contain this custom salt-cloud-profile metadata entry. List various resources It's also possible to list several GCE resources similar to what can be done with other providers. The following commands can be used to list GCE zones (locations), machine types (sizes), and images. salt-cloud --list-locations gce salt-cloud --list-sizes gce salt-cloud --list-images gce Persistent Disk The Compute Engine provider provides functions via salt-cloud to manage your Persistent Disks. You can create and destroy disks as well as attach and detach them from running instances. Create When creating a disk, you can create an empty disk and specify its size (in GB), or specify either an 'image' or 'snapshot'. salt-cloud -f create_disk gce disk_name=pd location=us-central1-b size=200 Delete Deleting a disk only requires the name of the disk to delete salt-cloud -f delete_disk gce disk_name=old-backup Attach Attaching a disk to an existing instance is really an 'action' and requires both an instance name and disk name. It's possible to use this ation to create bootable persistent disks if necessary. Compute Engine also supports attaching a persistent disk in READ_ONLY mode to multiple instances at the same time (but then cannot be attached in READ_WRITE to any instance). salt-cloud -a attach_disk myinstance disk_name=pd mode=READ_WRITE boot=yes Detach Detaching a disk is also an action against an instance and only requires the name of the disk. Note that this does not safely sync and umount the disk from the instance. To ensure no data loss, you must first make sure the disk is unmounted from the instance. salt-cloud -a detach_disk myinstance disk_name=pd Show disk It's also possible to look up the details for an existing disk with either a function or an action. salt-cloud -a show_disk myinstance disk_name=pd salt-cloud -f show_disk gce disk_name=pd Create snapshot You can take a snapshot of an existing disk's content. The snapshot can then in turn be used to create other persistent disks. Note that to prevent data corruption, it is strongly suggested that you unmount the disk prior to taking a snapshot. You must name the snapshot and provide the name of the disk. salt-cloud -f create_snapshot gce name=backup-20140226 disk_name=pd Delete snapshot You can delete a snapshot when it's no longer needed by specifying the name of the snapshot. salt-cloud -f delete_snapshot gce name=backup-20140226 Show snapshot Use this function to look up information about the snapshot. salt-cloud -f show_snapshot gce name=backup-20140226 Networking Compute Engine supports multiple private networks per project. Instances within a private network can easily communicate with each other by an internal DNS service that resolves instance names. Instances within a private network can also communicate with either directly without needing special routing or firewall rules even if they span different regions/zones. Networks also support custom firewall rules. By default, traffic between instances on the same private network is open to all ports and protocols. Inbound SSH traffic (port 22) is also allowed but all other inbound traffic is blocked. Create network New networks require a name and CIDR range. New instances can be created and added to this network by setting the network name during create. It is not possible to add/remove existing instances to a network. salt-cloud -f create_network gce name=mynet cidr=10.10.10.0/24 Destroy network Destroy a network by specifying the name. Make sure that there are no instances associated with the network prior to deleting it or you'll have a bad day. salt-cloud -f delete_network gce name=mynet Show network Specify the network name to view information about the network. salt-cloud -f show_network gce name=mynet Create address Create a new named static IP address in a region. salt-cloud -f create_address gce name=my-fixed-ip region=us-central1 Delete address Delete an existing named fixed IP address. salt-cloud -f delete_address gce name=my-fixed-ip region=us-central1 Show address View details on a named address. salt-cloud -f show_address gce name=my-fixed-ip region=us-central1 Create firewall You'll need to create custom firewall rules if you want to allow other traffic than what is described above. For instance, if you run a web service on your instances, you'll need to explicitly allow HTTP and/or SSL traffic. The firewall rule must have a name and it will use the 'default' network unless otherwise specified with a 'network' attribute. Firewalls also support instance tags for source/destination salt-cloud -f create_fwrule gce name=web allow=tcp:80,tcp:443,icmp Delete firewall Deleting a firewall rule will prevent any previously allowed traffic for the named firewall rule. salt-cloud -f delete_fwrule gce name=web Show firewall Use this function to review an existing firewall rule's information. salt-cloud -f show_fwrule gce name=web Load Balancer Compute Engine possess a load-balancer feature for splitting traffic across multiple instances. Please reference the documentation for a more complete discription. The load-balancer functionality is slightly different than that described in Google's documentation. The concept of TargetPool and ForwardingRule are consolidated in salt-cloud/libcloud. HTTP Health Checks are optional. HTTP Health Check HTTP Health Checks can be used as a means to toggle load-balancing across instance members, or to detect if an HTTP site is functioning. A common use-case is to set up a health check URL and if you want to toggle traffic on/off to an instance, you can temporarily have it return a non-200 response. A non-200 response to the load-balancer's health check will keep the LB from sending any new traffic to the "down" instance. Once the instance's health check URL beings returning 200-responses, the LB will again start to send traffic to it. Review Compute Engine's documentation for allowable parameters. You can use the following salt-cloud functions to manage your HTTP health checks. salt-cloud -f create_hc gce name=myhc path=/ port=80 salt-cloud -f delete_hc gce name=myhc salt-cloud -f show_hc gce name=myhc Load-balancer When creating a new load-balancer, it requires a name, region, port range, and list of members. There are other optional parameters for protocol, and list of health checks. Deleting or showing details about the LB only requires the name. salt-cloud -f create_lb gce name=lb region=... ports=80 members=w1,w2,w3 salt-cloud -f delete_lb gce name=lb salt-cloud -f show_lb gce name=lb You can also create a load balancer using a named fixed IP addressby specifying the name of the address. If the address does not exist yet it will be created. salt-cloud -f create_lb gce name=my-lb region=us-central1 ports=234 members=s1,s2,s3 address=my-lb-ip Attach and Detach LB It is possible to attach or detach an instance from an existing load-balancer. Both the instance and load-balancer must exist before using these functions. salt-cloud -f attach_lb gce name=lb member=w4 salt-cloud -f detach_lb gce name=lb member=oops Getting Started With HP Cloud HP Cloud is a major public cloud platform and uses the libcloud openstack driver. The current version of OpenStack that HP Cloud uses is Havana. When an instance is booted, it must have a floating IP added to it in order to connect to it and further below you will see an example that adds context to this statement. Set up a cloud provider configuration file To use the openstack driver for HP Cloud, set up the cloud provider configuration file as in the example shown below: /etc/salt/cloud.providers.d/hpcloud.conf: hpcloud-config: # Set the location of the salt-master # minion: master: saltmaster.example.com # Configure HP Cloud using the OpenStack plugin # identity_url: https://region-b.geo-1.identity.hpcloudsvc.com:35357/v2.0/tokens compute_name: Compute protocol: ipv4 # Set the compute region: # compute_region: region-b.geo-1 # Configure HP Cloud authentication credentials # user: myname tenant: myname-project1 password: xxxxxxxxx # keys to allow connection to the instance launched # ssh_key_name: yourkey ssh_key_file: /path/to/key/yourkey.priv driver: openstack The subsequent example that follows is using the openstack driver. NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Compute Region Originally, HP Cloud, in its OpenStack Essex version (1.0), had 3 availability zones in one region, US West (region-a.geo-1), which each behaved each as a region. This has since changed, and the current OpenStack Havana version of HP Cloud (1.1) now has simplified this and now has two regions to choose from: region-a.geo-1 -> US West region-b.geo-1 -> US East Authentication The user is the same user as is used to log into the HP Cloud management UI. The tenant can be found in the upper left under "Project/Region/Scope". It is often named the same as user albeit with a -project1 appended. The password is of course what you created your account with. The management UI also has other information such as being able to select US East or US West. Set up a cloud profile config file The profile shown below is a know working profile for an Ubuntu instance. The profile configuration file is stored in the following location: /etc/salt/cloud.profiles.d/hp_ae1_ubuntu.conf: hp_ae1_ubuntu: provider: hp_ae1 image: 9302692b-b787-4b52-a3a6-daebb79cb498 ignore_cidr: 10.0.0.1/24 networks: - floating: Ext-Net size: standard.small ssh_key_file: /root/keys/test.key ssh_key_name: test ssh_username: ubuntu Some important things about the example above: • The image parameter can use either the image name or image ID which you can obtain by running in the example below (this case US East): # salt-cloud --list-images hp_ae1 • The parameter ignore_cidr specifies a range of addresses to ignore when trying to connect to the instance. In this case, it's the range of IP addresses used for an private IP of the instance. • The parameter networks is very important to include. In previous versions of Salt Cloud, this is what made it possible for salt-cloud to be able to attach a floating IP to the instance in order to connect to the instance and set up the minion. The current version of salt-cloud doesn't require it, though having it is of no harm either. Newer versions of salt-cloud will use this, and without it, will attempt to find a list of floating IP addresses to use regardless. • The ssh_key_file and ssh_key_name are the keys that will make it possible to connect to the instance to set up the minion • The ssh_username parameter, in this case, being that the image used will be ubuntu, will make it possible to not only log in but install the minion Launch an instance To instantiate a machine based on this profile (example): # salt-cloud -p hp_ae1_ubuntu ubuntu_instance_1 After several minutes, this will create an instance named ubuntu_instance_1 running in HP Cloud in the US East region and will set up the minion and then return information about the instance once completed. Manage the instance Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt: # salt ubuntu_instance_1 ping SSH to the instance Additionally, the instance can be accessed via SSH using the floating IP assigned to it # ssh ubuntu@<floating ip> Using a private IP Alternatively, in the cloud profile, using the private IP to log into the instance to set up the minion is another option, particularly if salt-cloud is running within the cloud on an instance that is on the same network with all the other instances (minions) The example below is a modified version of the previous example. Note the use of ssh_interface: hp_ae1_ubuntu: provider: hp_ae1 image: 9302692b-b787-4b52-a3a6-daebb79cb498 size: standard.small ssh_key_file: /root/keys/test.key ssh_key_name: test ssh_username: ubuntu ssh_interface: private_ips With this setup, salt-cloud will use the private IP address to ssh into the instance and set up the salt-minion Getting Started With Joyent Joyent is a public cloud host that supports SmartOS, Linux, FreeBSD, and Windows. Dependencies This driver requires the Python requests library to be installed. Configuration The Joyent cloud requires three configuration parameters. The user name and password that are used to log into the Joyent system, and the location of the private ssh key associated with the Joyent account. The ssh key is needed to send the provisioning commands up to the freshly created virtual machine. # Note: This example is for /etc/salt/cloud.providers or any file in the # /etc/salt/cloud.providers.d/ directory. my-joyent-config: driver: joyent user: fred password: saltybacon private_key: /root/mykey.pem keyname: mykey NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Profiles Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory: joyent_512 provider: my-joyent-config size: Extra Small 512 MB image: Arch Linux 2013.06 Sizes can be obtained using the --list-sizes option for the salt-cloud command: # salt-cloud --list-sizes my-joyent-config my-joyent-config: ---------- joyent: ---------- Extra Small 512 MB: ---------- default: false disk: 15360 id: Extra Small 512 MB memory: 512 name: Extra Small 512 MB swap: 1024 vcpus: 1 ...SNIP... Images can be obtained using the --list-images option for the salt-cloud command: # salt-cloud --list-images my-joyent-config my-joyent-config: ---------- joyent: ---------- base: ---------- description: A 32-bit SmartOS image with just essential packages installed. Ideal for users who are comfortable with setting up their own environment and tools. disabled: False files: ---------- - compression: bzip2 - sha1: 40cdc6457c237cf6306103c74b5f45f5bf2d9bbe - size: 82492182 name: base os: smartos owner: 352971aa-31ba-496c-9ade-a379feaecd52 public: True ...SNIP... SmartDataCenter This driver can also be used with the Joyent SmartDataCenter project. More details can be found at: Using SDC requires that an api_host_suffix is set. The default value for this is .api.joyentcloud.com. All characters, including the leading ., should be included: api_host_suffix: .api.myhostname.com Miscellaneous Configuration The following configuration items can be set in either provider or profile confuration files. use_ssl When set to True (the default), attach https:// to any URL that does not already have http:// or https:// included at the beginning. The best practice is to leave the protocol out of the URL, and use this setting to manage it. verify_ssl When set to True (the default), the underlying web library will verify the SSL certificate. This should only be set to False for debugging.` Getting Started With LXC The LXC module is designed to install Salt in an LXC container on a controlled and possibly remote minion. In other words, Salt will connect to a minion, then from that minion: • Provision and configure a container for networking access • Use those modules to deploy salt and re-attach to master. • lxc runner • lxc module • seed Limitations • You can only act on one minion and one provider at a time. • Listing images must be targeted to a particular LXC provider (nothing will be outputted with all) Operation Salt's LXC support does use lxc.init via the lxc.cloud_init_interface and seeds the minion via seed.mkconfig. You can provide to those lxc VMs a profile and a network profile like if you were directly using the minion module. Order of operation: • Create the LXC container on the desired minion (clone or template) • Change LXC config options (if any need to be changed) • Start container • Change base passwords if any • Change base DNS configuration if necessary • Wait for LXC container to be up and ready for ssh • Test SSH connection and bailout in error • Upload deploy script and seeds, then re-attach the minion. Provider configuration Here is a simple provider configuration: # Note: This example goes in /etc/salt/cloud.providers or any file in the # /etc/salt/cloud.providers.d/ directory. devhost10-lxc: target: devhost10 driver: lxc NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Profile configuration Please read tutorial-lxc before anything else. And specially tutorial-lxc-profiles. Here are the options to configure your containers: target Host minion id to install the lxc Container into lxc_profile Name of the profile or inline options for the LXC vm creation/cloning, please see tutorial-lxc-profiles-container. network_profile Name of the profile or inline options for the LXC vm network settings, please see tutorial-lxc-profiles-network. nic_opts Totally optional. Per interface new-style configuration options mappings which will override any profile default option: eth0: {'mac': '00:16:3e:01:29:40', 'gateway': None, (default) 'link': 'br0', (default) 'gateway': None, (default) 'netmask': '', (default) 'ip': '22.1.4.25'}} password password for root and sysadmin users dnsservers List of DNS servers to use. This is optional. minion minion configuration (see Minion Configuration in Salt Cloud) bootstrap_delay specify the time to wait (in seconds) between container creation and salt bootstrap execution. It is useful to ensure that all essential services have started before the bootstrap script is executed. By default there's no wait time between container creation and bootstrap unless you are on systemd where we wait that the system is no more in starting state. bootstrap_shell shell for bootstraping script (default: /bin/sh) script defaults to salt-boostrap script_args arguments which are given to the bootstrap script. the {0} placeholder will be replaced by the path which contains the minion config and key files, eg: script_args="-c {0}" Using profiles: # Note: This example would go in /etc/salt/cloud.profiles or any file in the # /etc/salt/cloud.profiles.d/ directory. devhost10-lxc: provider: devhost10-lxc lxc_profile: foo network_profile: bar minion: master: 10.5.0.1 master_port: 4506 Using inline profiles (eg to override the network bridge): devhost11-lxc: provider: devhost10-lxc lxc_profile: clone_from: foo network_profile: etho: link: lxcbr0 minion: master: 10.5.0.1 master_port: 4506 Using a lxc template instead of a clone: devhost11-lxc: provider: devhost10-lxc lxc_profile: template: ubuntu # options: # release: trusty network_profile: etho: link: lxcbr0 minion: master: 10.5.0.1 master_port: 4506 Static ip: # Note: This example would go in /etc/salt/cloud.profiles or any file in the # /etc/salt/cloud.profiles.d/ directory. devhost10-lxc: provider: devhost10-lxc nic_opts: eth0: ipv4: 10.0.3.9 minion: master: 10.5.0.1 master_port: 4506 DHCP: # Note: This example would go in /etc/salt/cloud.profiles or any file in the # /etc/salt/cloud.profiles.d/ directory. devhost10-lxc: provider: devhost10-lxc minion: master: 10.5.0.1 master_port: 4506 Driver Support • Container creation • Image listing (LXC templates) • Running container information (IP addresses, etc.) Getting Started With Linode Linode is a public cloud host with a focus on Linux instances. Starting with the 2015.8.0 release of Salt, the Linode driver uses Linode's native REST API. There are no external dependencies required to use the Linode driver. Configuration Linode requires a single API key, but the default root password for new instances also needs to be set: # Note: This example is for /etc/salt/cloud.providers or any file in the # /etc/salt/cloud.providers.d/ directory. my-linode-config: apikey: asldkgfakl;sdfjsjaslfjaklsdjf;askldjfaaklsjdfhasldsadfghdkf password: F00barbaz ssh_pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKHEOLLbeXgaqRQT9NBAopVz366SdYc0KKX33vAnq+2R user@host ssh_key_file: ~/.ssh/id_ed25519 driver: linode The password needs to be 8 characters and contain lowercase, uppercase, and numbers. NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Profiles Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory: linode_1024: provider: my-linode-config size: Linode 2048 image: CentOS 7 location: London, England, UK Sizes can be obtained using the --list-sizes option for the salt-cloud command: # salt-cloud --list-sizes my-linode-config my-linode-config: ---------- linode: ---------- Linode 1024: ---------- bandwidth: 2000 disk: 49152 driver: get_uuid: id: 1 name: Linode 1024 price: 20.0 ram: 1024 uuid: 03e18728ce4629e2ac07c9cbb48afffb8cb499c4 ...SNIP... Images can be obtained using the --list-images option for the salt-cloud command: # salt-cloud --list-images my-linode-config my-linode-config: ---------- linode: ---------- Arch Linux 2013.06: ---------- driver: extra: ---------- 64bit: 1 pvops: 1 get_uuid: id: 112 name: Arch Linux 2013.06 uuid: 8457f92eaffc92b7666b6734a96ad7abe1a8a6dd ...SNIP... Locations can be obtained using the --list-locations option for the salt-cloud command: # salt-cloud --list-locations my-linode-config my-linode-config: ---------- linode: ---------- Atlanta, GA, USA: ---------- abbreviation: atlanta id: 4 Dallas, TX, USA: ---------- abbreviation: dallas id: 2 ...SNIP... Cloning When salt-cloud accesses Linode via linode-python it can clone machines. It is safest to clone a stopped machine. To stop a machine run salt-cloud -a stop machine_to_clone To create a new machine based on another machine, add an entry to your linode cloud profile that looks like this: li-clone: provider: my-linode-config clonefrom: machine_to_clone script_args: -C -F Then run salt-cloud as normal, specifying -p li-clone. The profile name can be anything; It doesn't have to be li-clone. clonefrom: is the name of an existing machine in Linode from which to clone. Script_args: -C -F is necessary to avoid re-deploying Salt via salt-bootstrap. -C will just re-deploy keys so the new minion will not have a duplicate key or minion_id on the Master, and -F will force a rewrite of the Minion config file on the new Minion. If -F isn't provided, the new Minion will have the machine_to_clone's Minion ID, instead of its own Minion ID, which can cause problems. NOTE: Pull Request #733 to the salt-bootstrap repo makes the -F argument non-necessary. Once that change is released into a stable version of the Bootstrap Script, the -C argument will be sufficient for the script_args setting. If the machine_to_clone does not have Salt installed on it, refrain from using the script_args: -C -F altogether, because the new machine will need to have Salt installed. Getting Started With OpenStack OpenStack is one the most popular cloud projects. It's an open source project to build public and/or private clouds. You can use Salt Cloud to launch OpenStack instances. Dependencies • Libcloud >= 0.13.2 Configuration • Using the new format, set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/openstack.conf: my-openstack-config: # Set the location of the salt-master # minion: master: saltmaster.example.com # Configure the OpenStack driver # identity_url: http://identity.youopenstack.com/v2.0/tokens compute_name: nova protocol: ipv4 compute_region: RegionOne # Configure Openstack authentication credentials # user: myname password: 123456 # tenant is the project name tenant: myproject driver: openstack # skip SSL certificate validation (default false) insecure: false NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Using nova client to get information from OpenStack One of the best ways to get information about OpenStack is using the novaclient python package (available in pypi as python-novaclient). The client configuration is a set of environment variables that you can get from the Dashboard. Log in and then go to Project -> Access & security -> API Access and download the "OpenStack RC file". Then: source /path/to/your/rcfile nova credentials nova endpoints In the nova endpoints output you can see the information about compute_region and compute_name. Compute Region It depends on the OpenStack cluster that you are using. Please, have a look at the previous sections. Authentication The user and password is the same user as is used to log into the OpenStack Dashboard. Profiles Here is an example of a profile: openstack_512: provider: my-openstack-config size: m1.tiny image: cirros-0.3.1-x86_64-uec ssh_key_file: /tmp/test.pem ssh_key_name: test ssh_interface: private_ips The following list explains some of the important properties. size can be one of the options listed in the output of nova flavor-list. image can be one of the options listed in the output of nova image-list. ssh_key_file The SSH private key that the salt-cloud uses to SSH into the VM after its first booted in order to execute a command or script. This private key's public key must be the openstack public key inserted into the authorized_key's file of the VM's root user account. ssh_key_name The name of the openstack SSH public key that is inserted into the authorized_keys file of the VM's root user account. Prior to using this public key, you must use openstack commands or the horizon web UI to load that key into the tenant's account. Note that this openstack tenant must be the one you defined in the cloud provider. ssh_interface This option allows you to create a VM without a public IP. If this option is omitted and the VM does not have a public IP, then the salt-cloud waits for a certain period of time and then destroys the VM. With the nova drive, private cloud networks can be defined here. For more information concerning cloud profiles, see here. change_password If no ssh_key_file is provided, and the server already exists, change_password will use the api to change the root password of the server so that it can be bootstrapped. change_password: True userdata_file Use userdata_file to specify the userdata file to upload for use with cloud-init if available. userdata_file: /etc/salt/cloud-init/packages.yml Getting Started With Parallels Parallels Cloud Server is a product by Parallels that delivers a cloud hosting solution. The PARALLELS module for Salt Cloud enables you to manage instances hosted using PCS. Further information can be found at: http://www.parallels.com/products/pcs/ • Using the old format, set up the cloud configuration at /etc/salt/cloud: # Set up the location of the salt master # minion: master: saltmaster.example.com # Set the PARALLELS access credentials (see below) # PARALLELS.user: myuser PARALLELS.password: badpass # Set the access URL for your PARALLELS host # PARALLELS.url: https://api.cloud.xmission.com:4465/paci/v1.0/ • Using the new format, set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/parallels.conf: my-parallels-config: # Set up the location of the salt master # minion: master: saltmaster.example.com # Set the PARALLELS access credentials (see below) # user: myuser password: badpass # Set the access URL for your PARALLELS provider # url: https://api.cloud.xmission.com:4465/paci/v1.0/ driver: parallels NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Access Credentials The user, password, and url will be provided to you by your cloud host. These are all required in order for the PARALLELS driver to work. Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles or /etc/salt/cloud.profiles.d/parallels.conf: parallels-ubuntu: provider: my-parallels-config image: ubuntu-12.04-x86_64 The profile can be realized now with a salt command: # salt-cloud -p parallels-ubuntu myubuntu This will create an instance named myubuntu on the cloud host. The minion that is installed on this instance will have an id of myubuntu. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt: # salt myubuntu test.ping Required Settings The following settings are always required for PARALLELS: • Using the old cloud configuration format: PARALLELS.user: myuser PARALLELS.password: badpass PARALLELS.url: https://api.cloud.xmission.com:4465/paci/v1.0/ • Using the new cloud configuration format: my-parallels-config: user: myuser password: badpass url: https://api.cloud.xmission.com:4465/paci/v1.0/ driver: parallels Optional Settings Unlike other cloud providers in Salt Cloud, Parallels does not utilize a size setting. This is because Parallels allows the end-user to specify a more detailed configuration for their instances than is allowed by many other cloud hosts. The following options are available to be used in a profile, with their default settings listed. # Description of the instance. Defaults to the instance name. desc: <instance_name> # How many CPU cores, and how fast they are (in MHz) cpu_number: 1 cpu_power: 1000 # How many megabytes of RAM ram: 256 # Bandwidth available, in kbps bandwidth: 100 # How many public IPs will be assigned to this instance ip_num: 1 # Size of the instance disk (in GiB) disk_size: 10 # Username and password ssh_username: root password: <value from PARALLELS.password> # The name of the image, from ``salt-cloud --list-images parallels`` image: ubuntu-12.04-x86_64 Getting Started With Proxmox Proxmox Virtual Environment is a complete server virtualization management solution, based on KVM virtualization and OpenVZ containers. Further information can be found at: http://www.proxmox.org/ Dependencies • IPy >= 0.81 • requests >= 2.2.1 Please note: This module allows you to create both OpenVZ and KVM but installing Salt on it will only be done when the VM is an OpenVZ container rather than a KVM virtual machine. • Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/proxmox.conf: my-proxmox-config: # Set up the location of the salt master # minion: master: saltmaster.example.com # Set the PROXMOX access credentials (see below) # user: myuser@pve password: badpass # Set the access URL for your PROXMOX host # url: your.proxmox.host driver: proxmox NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Access Credentials The user, password, and url will be provided to you by your cloud host. These are all required in order for the PROXMOX driver to work. Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles or /etc/salt/cloud.profiles.d/proxmox.conf: • Configure a profile to be used: proxmox-ubuntu: provider: my-proxmox-config image: local:vztmpl/ubuntu-12.04-standard_12.04-1_amd64.tar.gz technology: openvz # host needs to be set to the configured name of the proxmox host # and not the ip address or FQDN of the server host: myvmhost ip_address: 192.168.100.155 password: topsecret The profile can be realized now with a salt command: # salt-cloud -p proxmox-ubuntu myubuntu This will create an instance named myubuntu on the cloud host. The minion that is installed on this instance will have a hostname of myubuntu. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt: # salt myubuntu test.ping Required Settings The following settings are always required for PROXMOX: • Using the new cloud configuration format: my-proxmox-config: driver: proxmox user: saltcloud@pve password: xyzzy url: your.proxmox.host Optional Settings Unlike other cloud providers in Salt Cloud, Proxmox does not utilize a size setting. This is because Proxmox allows the end-user to specify a more detailed configuration for their instances, than is allowed by many other cloud providers. The following options are available to be used in a profile, with their default settings listed. # Description of the instance. desc: <instance_name> # How many CPU cores, and how fast they are (in MHz) cpus: 1 cpuunits: 1000 # How many megabytes of RAM memory: 256 # How much swap space in MB swap: 256 # Whether to auto boot the vm after the host reboots onboot: 1 # Size of the instance disk (in GiB) disk: 10 # Host to create this vm on host: myvmhost # Nameservers. Defaults to host nameserver: 8.8.8.8 8.8.4.4 # Username and password ssh_username: root password: <value from PROXMOX.password> # The name of the image, from ``salt-cloud --list-images proxmox`` image: local:vztmpl/ubuntu-12.04-standard_12.04-1_amd64.tar.gz Getting Started With Rackspace Rackspace is a major public cloud platform which may be configured using either the rackspace or the openstack driver, depending on your needs. Please note that the rackspace driver is intended only for 1st gen instances, aka, "the old cloud" at Rackspace. It is required for 1st gen instances, but will not work with OpenStack-based instances. Unless you explicitly have a reason to use it, it is highly recommended that you use the openstack driver instead. Dependencies • Libcloud >= 0.13.2 Configuration To use the openstack driver (recommended), set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/rackspace.conf: my-rackspace-config: # Set the location of the salt-master # minion: master: saltmaster.example.com # Configure Rackspace using the OpenStack plugin # identity_url: 'https://identity.api.rackspacecloud.com/v2.0/tokens' compute_name: cloudServersOpenStack protocol: ipv4 # Set the compute region: # compute_region: DFW # Configure Rackspace authentication credentials # user: myname tenant: 123456 apikey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx driver: openstack To use the rackspace driver, set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/rackspace.conf: my-rackspace-config: driver: rackspace # The Rackspace login user user: fred # The Rackspace user's apikey apikey: 901d3f579h23c8v73q9 The settings that follow are for using Rackspace with the openstack driver, and will not work with the rackspace driver. NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Compute Region Rackspace currently has six compute regions which may be used: DFW -> Dallas/Forth Worth ORD -> Chicago SYD -> Sydney LON -> London IAD -> Northern Virginia HKG -> Hong Kong Note: Currently the LON region is only available with a UK account, and UK accounts cannot access other regions Authentication The user is the same user as is used to log into the Rackspace Control Panel. The tenant and apikey can be found in the API Keys area of the Control Panel. The apikey will be labeled as API Key (and may need to be generated), and tenant will be labeled as Cloud Account Number. An initial profile can be configured in /etc/salt/cloud.profiles or /etc/salt/cloud.profiles.d/rackspace.conf: openstack_512: provider: my-rackspace-config size: 512 MB Standard image: Ubuntu 12.04 LTS (Precise Pangolin) To instantiate a machine based on this profile: # salt-cloud -p openstack_512 myinstance This will create a virtual machine at Rackspace with the name myinstance. This operation may take several minutes to complete, depending on the current load at the Rackspace data center. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt: # salt myinstance test.ping RackConnect Environments Rackspace offers a hybrid hosting configuration option called RackConnect that allows you to use a physical firewall appliance with your cloud servers. When this service is in use the public_ip assigned by nova will be replaced by a NAT ip on the firewall. For salt-cloud to work properly it must use the newly assigned "access ip" instead of the Nova assigned public ip. You can enable that capability by adding this to your profiles: openstack_512: provider: my-openstack-config size: 512 MB Standard image: Ubuntu 12.04 LTS (Precise Pangolin) rackconnect: True Managed Cloud Environments Rackspace offers a managed service level of hosting. As part of the managed service level you have the ability to choose from base of lamp installations on cloud server images. The post build process for both the base and the lamp installations used Chef to install things such as the cloud monitoring agent and the cloud backup agent. It also takes care of installing the lamp stack if selected. In order to prevent the post installation process from stomping over the bootstrapping you can add the below to your profiles. openstack_512: provider: my-rackspace-config size: 512 MB Standard image: Ubuntu 12.04 LTS (Precise Pangolin) managedcloud: True First and Next Generation Images Rackspace provides two sets of virtual machine images, first, and next generation. As of 0.8.9 salt-cloud will default to using the next generation images. To force the use of first generation images, on the profile configuration please add: FreeBSD-9.0-512: provider: my-rackspace-config size: 512 MB Standard image: FreeBSD 9.0 force_first_gen: True Private Subnets By default salt-cloud will not add Rackspace private networks to new servers. To enable a private network to a server instantiated by salt cloud, add the following section to the provider file (typically /etc/salt/cloud.providers.d/rackspace.conf) networks: - fixed: # This is the private network - private-network-id # This is Rackspace's "PublicNet" - 00000000-0000-0000-0000-000000000000 # This is Rackspace's "ServiceNet" - 11111111-1111-1111-1111-111111111111 To get the Rackspace private network ID, go to Networking, Networks and hover over the private network name. The order of the networks in the above code block does not map to the order of the ethernet devices on newly created servers. Public IP will always be first ( eth0 ) followed by servicenet ( eth1 ) and then private networks. Enabling the private network per above gives the option of using the private subnet for all master-minion communication, including the bootstrap install of salt-minion. To enable the minion to use the private subnet, update the master: line in the minion: section of the providers file. To configure the master to only listen on the private subnet IP, update the interface: line in the /etc/salt/master file to be the private subnet IP of the salt master. Getting Started With Saltify The Saltify driver is a new, experimental driver for installing Salt on existing machines (virtual or bare metal). Dependencies The Saltify driver has no external dependencies. Configuration Because the Saltify driver does not use an actual cloud provider host, it has a simple provider configuration. The only thing that is required to be set is the driver name, and any other potentially useful information, like the location of the salt-master: # Note: This example is for /etc/salt/cloud.providers file or any file in # the /etc/salt/cloud.providers.d/ directory. my-saltify-config: minion: master: 111.222.333.444 provider: saltify Profiles Saltify requires a profile to be configured for each machine that needs Salt installed. The initial profile can be set up at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory. Each profile requires both an ssh_host and an ssh_username key parameter as well as either an key_filename or a password. Profile configuration example: # /etc/salt/cloud.profiles.d/saltify.conf salt-this-machine: ssh_host: 12.34.56.78 ssh_username: root key_filename: '/etc/salt/mysshkey.pem' provider: my-saltify-config The machine can now be "Salted" with the following command: salt-cloud -p salt-this-machine my-machine This will install salt on the machine specified by the cloud profile, salt-this-machine, and will give the machine the minion id of my-machine. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Once a salt-minion has been successfully installed on the instance, connectivity to it can be verified with Salt: salt my-machine test.ping Using Map Files The settings explained in the section above may also be set in a map file. An example of how to use the Saltify driver with a map file follows: # /etc/salt/saltify-map make_salty: - my-instance-0: ssh_host: 12.34.56.78 ssh_username: root password: very-bad-password - my-instance-1: ssh_host: 44.33.22.11 ssh_username: root password: another-bad-pass Note: When using a cloud map with the Saltify driver, the name of the profile to use, in this case make_salty, must be defined in a profile config. For example: # /etc/salt/cloud.profiles.d/saltify.conf make_salty: provider: my-saltify-config The machines listed in the map file can now be "Salted" by applying the following salt map command: salt-cloud -m /etc/salt/saltify-map This command will install salt on the machines specified in the map and will give each machine their minion id of my-instance-0 and my-instance-1, respectively. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Connectivity to the new "Salted" instances can now be verified with Salt: salt 'my-instance-*' test.ping Getting Started With Scaleway Scaleway is the first IaaS host worldwide to offer an ARM based cloud. It’s the ideal platform for horizontal scaling with BareMetal SSD servers. The solution provides on demand resources: it comes with on-demand SSD storage, movable IPs , images, security group and an Object Storage solution. https://scaleway.com Configuration Using Salt for Scaleway, requires an access key and an API token. API tokens are unique identifiers associated with your Scaleway account. To retrieve your access key and API token, log-in to the Scaleway control panel, open the pull-down menu on your account name and click on "My Credentials" link. If you do not have API token you can create one by clicking the "Create New Token" button on the right corner. # Note: This example is for /etc/salt/cloud.providers or any file in the # /etc/salt/cloud.providers.d/ directory. my-scaleway-config: access_key: 15cf404d-4560-41b1-9a0c-21c3d5c4ff1f token: a7347ec8-5de1-4024-a5e3-24b77d1ba91d driver: scaleway NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Profiles Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory: scalewa-ubuntu: provider: my-scaleway-config image: Ubuntu Trusty (14.04 LTS) Images can be obtained using the --list-images option for the salt-cloud command: #salt-cloud --list-images my-scaleway-config my-scaleway-config: ---------- scaleway: ---------- 069fd876-eb04-44ab-a9cd-47e2fa3e5309: ---------- arch: arm creation_date: 2015-03-12T09:35:45.764477+00:00 default_bootscript: {u'kernel': {u'dtb': u'', u'title': u'Pimouss 3.2.34-30-std', u'id': u'cfda4308-cd6f-4e51-9744-905fc0da370f', u'path': u'kernel/pimouss-uImage-3.2.34-30-std'}, u'title': u'3.2.34-std #30 (stable)', u'id': u'c5af0215-2516-4316-befc-5da1cfad609c', u'initrd': {u'path': u'initrd/c1-uInitrd', u'id': u'1be14b1b-e24c-48e5-b0b6-7ba452e42b92', u'title': u'C1 initrd'}, u'bootcmdargs': {u'id': u'd22c4dde-e5a4-47ad-abb9-d23b54d542ff', u'value': u'ip=dhcp boot=local root=/dev/nbd0 USE_XNBD=1 nbd.max_parts=8'}, u'organization': u'11111111-1111-4111-8111-111111111111', u'public': True} extra_volumes: [] id: 069fd876-eb04-44ab-a9cd-47e2fa3e5309 modification_date: 2015-04-24T12:02:16.820256+00:00 name: Ubuntu Vivid (15.04) organization: a283af0b-d13e-42e1-a43f-855ffbf281ab public: True root_volume: {u'name': u'distrib-ubuntu-vivid-2015-03-12_10:32-snapshot', u'id': u'a6d02e63-8dee-4bce-b627-b21730f35a05', u'volume_type': u'l_ssd', u'size': 50000000000L} ... Execute a query and return all information about the nodes running on configured cloud providers using the -Q option for the salt-cloud command: # salt-cloud -F [INFO ] salt-cloud starting [INFO ] Starting new HTTPS connection (1): api.scaleway.com my-scaleway-config: ---------- scaleway: ---------- salt-manager: ---------- creation_date: 2015-06-03T08:17:38.818068+00:00 hostname: salt-manager ... NOTE: Additional documentation about Scaleway can be found at https://www.scaleway.com/docs. Getting Started With SoftLayer SoftLayer is a public cloud host, and baremetal hardware hosting service. Dependencies The SoftLayer driver for Salt Cloud requires the softlayer package, which is available at PyPI: https://pypi.python.org/pypi/SoftLayer This package can be installed using pip or easy_install: # pip install softlayer # easy_install softlayer Configuration Set up the cloud config at /etc/salt/cloud.providers: # Note: These examples are for /etc/salt/cloud.providers my-softlayer: # Set up the location of the salt master minion: master: saltmaster.example.com # Set the SoftLayer access credentials (see below) user: MYUSER1138 apikey: 'e3b68aa711e6deadc62d5b76355674beef7cc3116062ddbacafe5f7e465bfdc9' driver: softlayer my-softlayer-hw: # Set up the location of the salt master minion: master: saltmaster.example.com # Set the SoftLayer access credentials (see below) user: MYUSER1138 apikey: 'e3b68aa711e6deadc62d5b76355674beef7cc3116062ddbacafe5f7e465bfdc9' driver: softlayer_hw NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Access Credentials The user setting is the same user as is used to log into the SoftLayer Administration area. The apikey setting is found inside the Admin area after logging in: • Hover over the Account menu item. • Click the Users link. • Find the API Key column and click View. Profiles Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles: base_softlayer_ubuntu: provider: my-softlayer image: UBUNTU_LATEST cpu_number: 1 ram: 1024 disk_size: 100 local_disk: True hourly_billing: True domain: example.com location: sjc01 # Optional max_net_speed: 1000 private_vlan: 396 private_network: True private_ssh: True # May be used _instead_of_ image global_identifier: 320d8be5-46c0-dead-cafe-13e3c51 Most of the above items are required; optional items are specified below. image Images to build an instance can be found using the --list-images option: # salt-cloud --list-images my-softlayer The setting used will be labeled as template. cpu_number This is the number of CPU cores that will be used for this instance. This number may be dependent upon the image that is used. For instance: Red Hat Enterprise Linux 6 - Minimal Install (64 bit) (1 - 4 Core): ---------- name: Red Hat Enterprise Linux 6 - Minimal Install (64 bit) (1 - 4 Core) template: REDHAT_6_64 Red Hat Enterprise Linux 6 - Minimal Install (64 bit) (5 - 100 Core): ---------- name: Red Hat Enterprise Linux 6 - Minimal Install (64 bit) (5 - 100 Core) template: REDHAT_6_64 Note that the template (meaning, the image option) for both of these is the same, but the names suggests how many CPU cores are supported. ram This is the amount of memory, in megabytes, that will be allocated to this instance. disk_size The amount of disk space that will be allocated to this image, in gigabytes. base_softlayer_ubuntu: disk_size: 100 Using Multiple Disks New in version 2015.8.1. SoftLayer allows up to 5 disks to be specified for a virtual machine upon creation. Multiple disks can be specified either as a list or a comma-delimited string. The first disk_size specified in the string or list will be the first disk size assigned to the VM. List Example: base_softlayer_ubuntu: disk_size: ['100', '20', '20'] String Example: base_softlayer_ubuntu: disk_size: '100, 20, 20' local_disk When true the disks for the computing instance will be provisioned on the host which it runs, otherwise SAN disks will be provisioned. hourly_billing When true the computing instance will be billed on hourly usage, otherwise it will be billed on a monthly basis. domain The domain name that will be used in the FQDN (Fully Qualified Domain Name) for this instance. The domain setting will be used in conjunction with the instance name to form the FQDN. location Images to build an instance can be found using the --list-locations option: # salt-cloud --list-location my-softlayer max_net_speed Specifies the connection speed for the instance's network components. This setting is optional. By default, this is set to 10. post_uri Specifies the uri location of the script to be downloaded and run after the instance is provisioned. New in version 2015.8.1. Example: base_softlayer_ubuntu: post_uri: 'https://SOMESERVERIP:8000/myscript.sh' public_vlan If it is necessary for an instance to be created within a specific frontend VLAN, the ID for that VLAN can be specified in either the provider or profile configuration. This ID can be queried using the list_vlans function, as described below. This setting is optional. private_vlan If it is necessary for an instance to be created within a specific backend VLAN, the ID for that VLAN can be specified in either the provider or profile configuration. This ID can be queried using the list_vlans function, as described below. This setting is optional. private_network If a server is to only be used internally, meaning it does not have a public VLAN associated with it, this value would be set to True. This setting is optional. The default is False. private_ssh Whether to run the deploy script on the server using the public IP address or the private IP address. If set to True, Salt Cloud will attempt to SSH into the new server using the private IP address. The default is False. This settiong is optional. global_identifier When creating an instance using a custom template, this option is set to the corresponding value obtained using the list_custom_images function. This option will not be used if an image is set, and if an image is not set, it is required. The profile can be realized now with a salt command: # salt-cloud -p base_softlayer_ubuntu myserver Using the above configuration, this will create myserver.example.com. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt: # salt 'myserver.example.com' test.ping Cloud Profiles Set up an initial profile at /etc/salt/cloud.profiles: base_softlayer_hw_centos: provider: my-softlayer-hw # CentOS 6.0 - Minimal Install (64 bit) image: 13963 # 2 x 2.0 GHz Core Bare Metal Instance - 2 GB Ram size: 1921 # 500GB SATA II hdd: 1267 # San Jose 01 location: 168642 domain: example.com # Optional vlan: 396 port_speed: 273 banwidth: 248 Most of the above items are required; optional items are specified below. image Images to build an instance can be found using the --list-images option: # salt-cloud --list-images my-softlayer-hw A list of id`s and names will be provided. The `name will describe the operating system and architecture. The id will be the setting to be used in the profile. size Sizes to build an instance can be found using the --list-sizes option: # salt-cloud --list-sizes my-softlayer-hw A list of id`s and names will be provided. The `name will describe the speed and quantity of CPU cores, and the amount of memory that the hardware will contain. The id will be the setting to be used in the profile. hdd There is currently only one size of hard disk drive (HDD) that is available for hardware instances on SoftLayer: 1267: 500GB SATA II The hdd setting in the profile should be 1267. Other sizes may be added in the future. location Locations to build an instance can be found using the --list-images option: # salt-cloud --list-locations my-softlayer-hw A list of IDs and names will be provided. The location will describe the location in human terms. The id will be the setting to be used in the profile. domain The domain name that will be used in the FQDN (Fully Qualified Domain Name) for this instance. The domain setting will be used in conjunction with the instance name to form the FQDN. vlan If it is necessary for an instance to be created within a specific VLAN, the ID for that VLAN can be specified in either the provider or profile configuration. This ID can be queried using the list_vlans function, as described below. port_speed Specifies the speed for the instance's network port. This setting refers to an ID within the SoftLayer API, which sets the port speed. This setting is optional. The default is 273, or, 100 Mbps Public & Private Networks. The following settings are available: • 273: 100 Mbps Public & Private Networks • 274: 1 Gbps Public & Private Networks • 21509: 10 Mbps Dual Public & Private Networks (up to 20 Mbps) • 21513: 100 Mbps Dual Public & Private Networks (up to 200 Mbps) • 2314: 1 Gbps Dual Public & Private Networks (up to 2 Gbps) • 272: 10 Mbps Public & Private Networks bandwidth Specifies the network bandwidth available for the instance. This setting refers to an ID within the SoftLayer API, which sets the bandwidth. This setting is optional. The default is 248, or, 5000 GB Bandwidth. The following settings are available: • 248: 5000 GB Bandwidth • 129: 6000 GB Bandwidth • 130: 8000 GB Bandwidth • 131: 10000 GB Bandwidth • 36: Unlimited Bandwidth (10 Mbps Uplink) • 125: Unlimited Bandwidth (100 Mbps Uplink) Actions The following actions are currently supported by the SoftLayer Salt Cloud driver. show_instance This action is a thin wrapper around --full-query, which displays details on a single instance only. In an environment with several machines, this will save a user from having to sort through all instance data, just to examine a single instance. $ salt-cloud -a show_instance myinstance Functions The following functions are currently supported by the SoftLayer Salt Cloud driver. list_vlans This function lists all VLANs associated with the account, and all known data from the SoftLayer API concerning those VLANs. $ salt-cloud -f list_vlans my-softlayer $ salt-cloud -f list_vlans my-softlayer-hw The id returned in this list is necessary for the vlan option when creating an instance. list_custom_images This function lists any custom templates associated with the account, that can be used to create a new instance. $ salt-cloud -f list_custom_images my-softlayer The globalIdentifier returned in this list is necessary for the global_identifier option when creating an image using a custom template. Optional Products for SoftLayer HW The softlayer_hw driver supports the ability to add optional products, which are supported by SoftLayer's API. These products each have an ID associated with them, that can be passed into Salt Cloud with the optional_products option: softlayer_hw_test: provider: my-softlayer-hw # CentOS 6.0 - Minimal Install (64 bit) image: 13963 # 2 x 2.0 GHz Core Bare Metal Instance - 2 GB Ram size: 1921 # 500GB SATA II hdd: 1267 # San Jose 01 location: 168642 domain: example.com optional_products: # MySQL for Linux - id: 28 # Business Continuance Insurance - id: 104 These values can be manually obtained by looking at the source of an order page on the SoftLayer web interface. For convenience, many of these values are listed here: Public Secondary IP Addresses • 22: 4 Public IP Addresses • 23: 8 Public IP Addresses Primary IPv6 Addresses • 17129: 1 IPv6 Address Public Static IPv6 Addresses • 1481: /64 Block Static Public IPv6 Addresses OS-Specific Addon • 17139: XenServer Advanced for XenServer 6.x • 17141: XenServer Enterprise for XenServer 6.x • 2334: XenServer Advanced for XenServer 5.6 • 2335: XenServer Enterprise for XenServer 5.6 • 13915: Microsoft WebMatrix • 21276: VMware vCenter 5.1 Standard Control Panel Software • 121: cPanel/WHM with Fantastico and RVskin • 20778: Parallels Plesk Panel 11 (Linux) 100 Domain w/ Power Pack • 20786: Parallels Plesk Panel 11 (Windows) 100 Domain w/ Power Pack • 20787: Parallels Plesk Panel 11 (Linux) Unlimited Domain w/ Power Pack • 20792: Parallels Plesk Panel 11 (Windows) Unlimited Domain w/ Power Pack • 2340: Parallels Plesk Panel 10 (Linux) 100 Domain w/ Power Pack • 2339: Parallels Plesk Panel 10 (Linux) Unlimited Domain w/ Power Pack • 13704: Parallels Plesk Panel 10 (Windows) Unlimited Domain w/ Power Pack Database Software • 29: MySQL 5.0 for Windows • 28: MySQL for Linux • 21501: Riak 1.x • 20893: MongoDB • 30: Microsoft SQL Server 2005 Express • 92: Microsoft SQL Server 2005 Workgroup • 90: Microsoft SQL Server 2005 Standard • 94: Microsoft SQL Server 2005 Enterprise • 1330: Microsoft SQL Server 2008 Express • 1340: Microsoft SQL Server 2008 Web • 1337: Microsoft SQL Server 2008 Workgroup • 1334: Microsoft SQL Server 2008 Standard • 1331: Microsoft SQL Server 2008 Enterprise • 2179: Microsoft SQL Server 2008 Express R2 • 2173: Microsoft SQL Server 2008 Web R2 • 2183: Microsoft SQL Server 2008 Workgroup R2 • 2180: Microsoft SQL Server 2008 Standard R2 • 2176: Microsoft SQL Server 2008 Enterprise R2 Anti-Virus & Spyware Protection • 594: McAfee VirusScan Anti-Virus - Windows • 414: McAfee Total Protection - Windows Insurance • 104: Business Continuance Insurance Monitoring • 55: Host Ping • 56: Host Ping and TCP Service Monitoring Notification • 57: Email and Ticket Advanced Monitoring • 2302: Monitoring Package - Basic • 2303: Monitoring Package - Advanced • 2304: Monitoring Package - Premium Application Response • 58: Automated Notification • 59: Automated Reboot from Monitoring • 60: 24x7x365 NOC Monitoring, Notification, and Response Intrusion Detection & Protection • 413: McAfee Host Intrusion Protection w/Reporting Hardware & Software Firewalls • 411: APF Software Firewall for Linux • 894: Microsoft Windows Firewall • 410: 10Mbps Hardware Firewall • 409: 100Mbps Hardware Firewall • 408: 1000Mbps Hardware Firewall Getting Started with VEXXHOST VEXXHOST is a cloud computing host which provides Canadian cloud computing services which are based in Monteral and use the libcloud OpenStack driver. VEXXHOST currently runs the Havana release of OpenStack. When provisioning new instances, they automatically get a public IP and private IP address. Therefore, you do not need to assign a floating IP to access your instance after it's booted. Cloud Provider Configuration To use the openstack driver for the VEXXHOST public cloud, you will need to set up the cloud provider configuration file as in the example below: /etc/salt/cloud.providers.d/vexxhost.conf: In order to use the VEXXHOST public cloud, you will need to setup a cloud provider configuration file as in the example below which uses the OpenStack driver. my-vexxhost-config: # Set the location of the salt-master # minion: master: saltmaster.example.com # Configure VEXXHOST using the OpenStack plugin # identity_url: http://auth.api.thenebulacloud.com:5000/v2.0/tokens compute_name: nova # Set the compute region: # compute_region: na-yul-nhs1 # Configure VEXXHOST authentication credentials # user: your-tenant-id password: your-api-key tenant: your-tenant-name # keys to allow connection to the instance launched # ssh_key_name: yourkey ssh_key_file: /path/to/key/yourkey.priv driver: openstack NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Authentication All of the authentication fields that you need can be found by logging into your VEXXHOST customer center. Once you've logged in, you will need to click on "CloudConsole" and then click on "API Credentials". Cloud Profile Configuration In order to get the correct image UUID and the instance type to use in the cloud profile, you can run the following command respectively: # salt-cloud --list-images=vexxhost-config # salt-cloud --list-sizes=vexxhost-config Once you have that, you can go ahead and create a new cloud profile. This profile will build an Ubuntu 12.04 LTS nb.2G instance. /etc/salt/cloud.profiles.d/vh_ubuntu1204_2G.conf: vh_ubuntu1204_2G: provider: my-vexxhost-config image: 4051139f-750d-4d72-8ef0-074f2ccc7e5a size: nb.2G Provision an instance To create an instance based on the sample profile that we created above, you can run the following salt-cloud command. # salt-cloud -p vh_ubuntu1204_2G vh_instance1 Typically, instances are provisioned in under 30 seconds on the VEXXHOST public cloud. After the instance provisions, it will be set up a minion and then return all the instance information once it's complete. Once the instance has been setup, you can test connectivity to it by running the following command: # salt vh_instance1 test.ping You can now continue to provision new instances and they will all automatically be set up as minions of the master you've defined in the configuration file. Getting Started With VMware New in version 2015.5.4. Author: Nitin Madhok <nmadhok@clemson.edu> The VMware cloud module allows you to manage VMware ESX, ESXi, and vCenter. Dependencies The vmware module for Salt Cloud requires the pyVmomi package, which is available at PyPI: https://pypi.python.org/pypi/pyvmomi This package can be installed using pip or easy_install: pip install pyvmomi easy_install pyvmomi Configuration The VMware cloud module needs the vCenter URL, username and password to be set up in the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/vmware.conf: my-vmware-config: driver: vmware user: 'DOMAIN\user' password: 'verybadpass' url: '10.20.30.40' vcenter01: driver: vmware user: 'DOMAIN\user' password: 'verybadpass' url: 'vcenter01.domain.com' protocol: 'https' port: 443 vcenter02: driver: vmware user: 'DOMAIN\user' password: 'verybadpass' url: 'vcenter02.domain.com' protocol: 'http' port: 80 NOTE: Optionally, protocol and port can be specified if the vCenter server is not using the defaults. Default is protocol: https and port: 443. NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Profiles Set up an initial profile at /etc/salt/cloud.profiles or /etc/salt/cloud.profiles.d/vmware.conf: vmware-centos6.5: provider: vcenter01 clonefrom: test-vm ## Optional arguments num_cpus: 4 memory: 8GB devices: cd: CD/DVD drive 1: device_type: datastore_iso_file iso_path: "[nap004-1] vmimages/tools-isoimages/linux.iso" CD/DVD drive 2: device_type: client_device mode: atapi CD/DVD drive 3: device_type: client_device mode: passthrough disk: Hard disk 1: size: 30 Hard disk 2: size: 20 Hard disk 3: size: 5 network: Network adapter 1: name: 10.20.30-400-Test switch_type: standard ip: 10.20.30.123 gateway: [10.20.30.110] subnet_mask: 255.255.255.128 domain: example.com Network adapter 2: name: 10.30.40-500-Dev-DHCP adapter_type: e1000 switch_type: distributed Network adapter 3: name: 10.40.50-600-Prod adapter_type: vmxnet3 switch_type: distributed ip: 10.40.50.123 gateway: [10.40.50.110] subnet_mask: 255.255.255.128 domain: example.com scsi: SCSI controller 1: type: lsilogic SCSI controller 2: type: lsilogic_sas bus_sharing: virtual SCSI controller 3: type: paravirtual bus_sharing: physical domain: example.com dns_servers: - 123.127.255.240 - 123.127.255.241 - 123.127.255.242 # If cloning from template, either resourcepool or cluster MUST be specified! resourcepool: Resources cluster: Prod datastore: HUGE-DATASTORE-Cluster folder: Development datacenter: DC1 host: c4212n-002.domain.com template: False power_on: True extra_config: mem.hotadd: 'yes' guestinfo.foo: bar guestinfo.domain: foobar.com guestinfo.customVariable: customValue deploy: True private_key: /root/.ssh/mykey.pem ssh_username: cloud-user password: veryVeryBadPassword minion: master: 123.127.193.105 file_map: /path/to/local/custom/script: /path/to/remote/script /path/to/local/file: /path/to/remote/file /srv/salt/yum/epel.repo: /etc/yum.repos.d/epel.repo hardware_version: 10 provider Enter the name that was specified when the cloud provider config was created. clonefrom Enter the name of the VM/template to clone from. num_cpus Enter the number of vCPUS that you want the VM/template to have. If not specified, the current VM/template's vCPU count is used. memory Enter the memory size (in MB or GB) that you want the VM/template to have. If not specified, the current VM/template's memory size is used. Example memory: 8GB or memory: 8192MB. devices Enter the device specifications here. Currently, the following devices can be created or reconfigured: cd Enter the CD/DVD drive specification here. If the CD/DVD drive doesn't exist, it will be created with the specified configuration. If the CD/DVD drive already exists, it will be reconfigured with the specifications. The following options can be specified per CD/DVD drive: device_type Specify how the CD/DVD drive should be used. Currently supported types are client_device and datastore_iso_file. Default is device_type: client_device iso_path Enter the path to the iso file present on the datastore only if device_type: datastore_iso_file. The syntax to specify this is iso_path: "[datastoreName] vmimages/tools-isoimages/linux.iso". This field is ignored if device_type: client_device mode Enter the mode of connection only if device_type: client_device. Currently supported modes are passthrough and atapi. This field is ignored if device_type: datastore_iso_file. Default is mode: passthrough disk Enter the disk specification here. If the hard disk doesn't exist, it will be created with the provided size. If the hard disk already exists, it will be expanded if the provided size is greater than the current size of the disk. network Enter the network adapter specification here. If the network adapter doesn't exist, a new network adapter will be created with the specified network name, type and other configuration. If the network adapter already exists, it will be reconfigured with the specifications. The following additional options can be specified per network adapter (See example above): name Enter the network name you want the network adapter to be mapped to. adapter_type Enter the network adapter type you want to create. Currently supported types are vmxnet, vmxnet2, vmxnet3, e1000 and e1000e. If no type is specified, by default vmxnet3 will be used. switch_type Enter the type of switch to use. This decides whether to use a standard switch network or a distributed virtual portgroup. Currently supported types are standard for standard portgroups and distributed for distributed virtual portgroups. ip Enter the static IP you want the network adapter to be mapped to. If the network specified is DHCP enabled, you do not have to specify this. gateway Enter the gateway for the network as a list. If the network specified is DHCP enabled, you do not have to specify this. subnet_mask Enter the subnet mask for the network. If the network specified is DHCP enabled, you do not have to specify this. domain Enter the domain to be used with the network adapter. If the network specified is DHCP enabled, you do not have to specify this. scsi Enter the SCSI adapter specification here. If the SCSI adapter doesn't exist, a new SCSI adapter will be created of the specified type. If the SCSI adapter already exists, it will be reconfigured with the specifications. The following additional options can be specified per SCSI adapter: type Enter the SCSI adapter type you want to create. Currently supported types are lsilogic, lsilogic_sas and paravirtual. Type must be specified when creating a new SCSI adapter. bus_sharing Specify this if sharing of virtual disks between virtual machines is desired. The following can be specified: virtual Virtual disks can be shared between virtual machines on the same server. physical Virtual disks can be shared between virtual machines on any server. no Virtual disks cannot be shared between virtual machines. domain Enter the global domain name to be used for DNS. If not specified and if the VM name is a FQDN, domain is set to the domain from the VM name. Default is local. dns_servers Enter the list of DNS servers to use in order of priority. resourcepool Enter the name of the resourcepool to which the new virtual machine should be attached. This determines what compute resources will be available to the clone. NOTE: • For a clone operation from a virtual machine, it will use the same resourcepool as the original virtual machine unless specified. • For a clone operation from a template to a virtual machine, specifying either this or cluster is required. If both are specified, the resourcepool value will be used. • For a clone operation to a template, this argument is ignored. cluster Enter the name of the cluster whose resource pool the new virtual machine should be attached to. NOTE: • For a clone operation from a virtual machine, it will use the same cluster's resourcepool as the original virtual machine unless specified. • For a clone operation from a template to a virtual machine, specifying either this or resourcepool is required. If both are specified, the resourcepool value will be used. • For a clone operation to a template, this argument is ignored. datastore Enter the name of the datastore or the datastore cluster where the virtual machine should be located on physical storage. If not specified, the current datastore is used. NOTE: • If you specify a datastore cluster name, DRS Storage recommendation is automatically applied. • If you specify a datastore name, DRS Storage recommendation is disabled. folder Enter the name of the folder that will contain the new virtual machine. NOTE: • For a clone operation from a VM/template, the new VM/template will be added to the same folder that the original VM/template belongs to unless specified. • If both folder and datacenter are specified, the folder value will be used. datacenter Enter the name of the datacenter that will contain the new virtual machine. NOTE: • For a clone operation from a VM/template, the new VM/template will be added to the same folder that the original VM/template belongs to unless specified. • If both folder and datacenter are specified, the folder value will be used. host Enter the name of the target host where the virtual machine should be registered. If not specified: NOTE: • If resource pool is not specified, current host is used. • If resource pool is specified, and the target pool represents a stand-alone host, the host is used. • If resource pool is specified, and the target pool represents a DRS-enabled cluster, a host selected by DRS is used. • If resource pool is specified and the target pool represents a cluster without DRS enabled, an InvalidArgument exception be thrown. template Specifies whether the new virtual machine should be marked as a template or not. Default is template: False. power_on Specifies whether the new virtual machine should be powered on or not. If template: True is set, this field is ignored. Default is power_on: True. extra_config Specifies the additional configuration information for the virtual machine. This describes a set of modifications to the additional options. If the key is already present, it will be reset with the new value provided. Otherwise, a new option is added. Keys with empty values will be removed. deploy Specifies if salt should be installed on the newly created VM. Default is True so salt will be installed using the bootstrap script. If template: True or power_on: False is set, this field is ignored and salt will not be installed. private_key Specify the path to the private key to use to be able to ssh to the VM. ssh_username Specify the username to use in order to ssh to the VM. Default is root password Specify a password to use in order to ssh to the VM. If private_key is specified, you do not need to specify this. minion Specify custom minion configuration you want the salt minion to have. A good example would be to specify the master as the IP/DNS name of the master. file_map Specify file/files you want to copy to the VM before the bootstrap script is run and salt is installed. A good example of using this would be if you need to put custom repo files on the server in case your server will be in a private network and cannot reach external networks. hardware_version Specify the virtual hardware version for the vm/template that is supported by the host. customization Specify whether the new virtual machine should be customized or not. If customization: False is set, the new virtual machine will not be customized. Default is customization: True. Getting Started With vSphere NOTE: Deprecated since version Carbon: The vsphere cloud driver has been deprecated in favor of the vmware cloud driver and will be removed in Salt Carbon. Please refer to Getting started with VMware instead to get started with the configuration. VMware vSphere is a management platform for virtual infrastructure and cloud computing. Dependencies The vSphere module for Salt Cloud requires the PySphere package, which is available at PyPI: https://pypi.python.org/pypi/pysphere This package can be installed using pip or easy_install: # pip install pysphere # easy_install pysphere Configuration Set up the cloud config at /etc/salt/cloud.providers or in the /etc/salt/cloud.providers.d/ directory: my-vsphere-config: driver: vsphere # Set the vSphere access credentials user: marco password: polo # Set the URL of your vSphere server url: 'vsphere.example.com' NOTE: Changed in version 2015.8.0. The provider parameter in cloud provider definitions was renamed to driver. This change was made to avoid confusion with the provider parameter that is used in cloud profile definitions. Cloud provider definitions now use driver to refer to the Salt cloud module that provides the underlying functionality to connect to a cloud host, while cloud profiles continue to use provider to refer to provider configurations that you define. Profiles Cloud Profiles vSphere uses a Managed Object Reference to identify objects located in vCenter. The MOR ID's are used when configuring a vSphere cloud profile. Use the following reference when locating the MOR's for the cloud profile. http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1017126&sliceId=1&docTypeID=DT_KB_1_1&dialogID=520386078&stateId=1%200%20520388386 Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d directory: vsphere-centos: provider: my-vsphere-config image: centos # Optional datastore: datastore-15 resourcepool: resgroup-8 folder: salt-cloud host: host-9 template: False provider Enter the name that was specified when the cloud provider profile was created. image Images available to build an instance can be found using the --list-images option: # salt-cloud --list-images my-vsphere-config datastore The MOR of the datastore where the virtual machine should be located. If not specified, the current datastore is used. resourcepool The MOR of the resourcepool to be used for the new vm. If not set, it will use the same resourcepool as the original vm. folder Name of the folder that will contain the new VM. If not set, the VM will be added to the folder the original VM belongs to. host The MOR of the host where the vm should be registered. If not specified: • if resourcepool is not specified, the current host is used. • if resourcepool is specified, and the target pool represents a stand-alone host, the host is used. • if resourcepool is specified, and the target pool represents a DRS-enabled cluster, a host selected by DRS is used. • if resourcepool is specified, and the target pool represents a cluster without DRS enabled, an InvalidArgument exception will be thrown. template Specifies whether or not the new virtual machine should be marked as a template. Default is False. Miscellaneous Options Miscellaneous Salt Cloud Options This page describes various miscellaneous options available in Salt Cloud Deploy Script Arguments Custom deploy scripts are unlikely to need custom arguments to be passed to them, but salt-bootstrap has been extended quite a bit, and this may be necessary. script_args can be specified in either the profile or the map file, to pass arguments to the deploy script: ec2-amazon: provider: my-ec2-config image: ami-1624987f size: t1.micro ssh_username: ec2-user script: bootstrap-salt script_args: -c /tmp/ This has also been tested to work with pipes, if needed: script_args: | head Selecting the File Transport By default, Salt Cloud uses SFTP to transfer files to Linux hosts. However, if SFTP is not available, or specific SCP functionality is needed, Salt Cloud can be configured to use SCP instead. file_transport: sftp file_transport: scp Sync After Install Salt allows users to create custom modules, grains, and states which can be synchronised to minions to extend Salt with further functionality. This option will inform Salt Cloud to synchronise your custom modules, grains, states or all these to the minion just after it has been created. For this to happen, the following line needs to be added to the main cloud configuration file: sync_after_install: all The available options for this setting are: modules grains states all Setting Up New Salt Masters It has become increasingly common for users to set up multi-hierarchal infrastructures using Salt Cloud. This sometimes involves setting up an instance to be a master in addition to a minion. With that in mind, you can now lay down master configuration on a machine by specifying master options in the profile or map file. make_master: True This will cause Salt Cloud to generate master keys for the instance, and tell salt-bootstrap to install the salt-master package, in addition to the salt-minion package. The default master configuration is usually appropriate for most users, and will not be changed unless specific master configuration has been added to the profile or map: master: user: root interface: 0.0.0.0 Setting Up a Salt Syndic with Salt Cloud In addition to setting up new Salt Masters, syndic`s can also be provisioned using Salt Cloud. In order to set up a Salt Syndic via Salt Cloud, a Salt Master needs to be installed on the new machine and a master configuration file needs to be set up using the ``make_master` setting. This setting can be defined either in a profile config file or in a map file: make_master: True To install the Salt Syndic, the only other specification that needs to be configured is the master_syndic key to specify the location of the master that the syndic will be reporting to. This modification needs to be placed in the master setting, which can be configured either in the profile, provider, or /etc/salt/cloud config file: master: master_syndic: 123.456.789 # may be either an IP address or a hostname Many other Salt Syndic configuration settings and specifications can be passed through to the new syndic machine via the master configuration setting. See the syndic documentation for more information. SSH Port By default ssh port is set to port 22. If you want to use a custom port in provider, profile, or map blocks use ssh_port option. New in version 2015.5.0. ssh_port: 2222 Delete SSH Keys When Salt Cloud deploys an instance, the SSH pub key for the instance is added to the known_hosts file for the user that ran the salt-cloud command. When an instance is deployed, a cloud host generally recycles the IP address for the instance. When Salt Cloud attempts to deploy an instance using a recycled IP address that has previously been accessed from the same machine, the old key in the known_hosts file will cause a conflict. In order to mitigate this issue, Salt Cloud can be configured to remove old keys from the known_hosts file when destroying the node. In order to do this, the following line needs to be added to the main cloud configuration file: delete_sshkeys: True Keeping /tmp/ Files When Salt Cloud deploys an instance, it uploads temporary files to /tmp/ for salt-bootstrap to put in place. After the script has run, they are deleted. To keep these files around (mostly for debugging purposes), the --keep-tmp option can be added: salt-cloud -p myprofile mymachine --keep-tmp For those wondering why /tmp/ was used instead of /root/, this had to be done for images which require the use of sudo, and therefore do not allow remote root logins, even for file transfers (which makes /root/ unavailable). Hide Output From Minion Install By default Salt Cloud will stream the output from the minion deploy script directly to STDOUT. Although this can been very useful, in certain cases you may wish to switch this off. The following config option is there to enable or disable this output: display_ssh_output: False Connection Timeout There are several stages when deploying Salt where Salt Cloud needs to wait for something to happen. The VM getting it's IP address, the VM's SSH port is available, etc. If you find that the Salt Cloud defaults are not enough and your deployment fails because Salt Cloud did not wait log enough, there are some settings you can tweak. Note All settings should be provided in lowercase All values should be provided in seconds You can tweak these settings globally, per cloud provider, or event per profile definition. wait_for_ip_timeout The amount of time Salt Cloud should wait for a VM to start and get an IP back from the cloud host. Default: varies by cloud provider ( between 5 and 25 minutes) wait_for_ip_interval The amount of time Salt Cloud should sleep while querying for the VM's IP. Default: varies by cloud provider ( between .5 and 10 seconds) ssh_connect_timeout The amount of time Salt Cloud should wait for a successful SSH connection to the VM. Default: varies by cloud provider (between 5 and 15 minutes) wait_for_passwd_timeout The amount of time until an ssh connection can be established via password or ssh key. Default: varies by cloud provider (mostly 15 seconds) wait_for_passwd_maxtries The number of attempts to connect to the VM until we abandon. Default: 15 attempts wait_for_fun_timeout Some cloud drivers check for an available IP or a successful SSH connection using a function, namely, SoftLayer, and SoftLayer-HW. So, the amount of time Salt Cloud should retry such functions before failing. Default: 15 minutes. wait_for_spot_timeout The amount of time Salt Cloud should wait before an EC2 Spot instance is available. This setting is only available for the EC2 cloud driver. Default: 10 minutes Salt Cloud Cache Salt Cloud can maintain a cache of node data, for supported providers. The following options manage this functionality. update_cachedir On supported cloud providers, whether or not to maintain a cache of nodes returned from a --full-query. The data will be stored in msgpack format under <SALT_CACHEDIR>/cloud/active/<DRIVER>/<PROVIDER>/<NODE_NAME>.p. This setting can be True or False. diff_cache_events When the cloud cachedir is being managed, if differences are encountered between the data that is returned live from the cloud host and the data in the cache, fire events which describe the changes. This setting can be True or False. Some of these events will contain data which describe a node. Because some of the fields returned may contain sensitive data, the cache_event_strip_fields configuration option exists to strip those fields from the event return. cache_event_strip_fields: - password - priv_key The following are events that can be fired based on this data. salt/cloud/minionid/cache_node_new A new node was found on the cloud host which was not listed in the cloud cachedir. A dict describing the new node will be contained in the event. salt/cloud/minionid/cache_node_missing A node that was previously listed in the cloud cachedir is no longer available on the cloud host. salt/cloud/minionid/cache_node_diff One or more pieces of data in the cloud cachedir has changed on the cloud host. A dict containing both the old and the new data will be contained in the event. SSH Known Hosts Normally when bootstrapping a VM, salt-cloud will ignore the SSH host key. This is because it does not know what the host key is before starting (because it doesn't exist yet). If strict host key checking is turned on without the key in the known_hosts file, then the host will never be available, and cannot be bootstrapped. If a provider is able to determine the host key before trying to bootstrap it, that provider's driver can add it to the known_hosts file, and then turn on strict host key checking. This can be set up in the main cloud configuration file (normally /etc/salt/cloud) or in the provider-specific configuration file: known_hosts_file: /path/to/.ssh/known_hosts If this is not set, it will default to /dev/null, and strict host key checking will be turned off. It is highly recommended that this option is not set, unless the user has verified that the provider supports this functionality, and that the image being used is capable of providing the necessary information. At this time, only the EC2 driver supports this functionality. SSH Agent New in version 2015.5.0. If the ssh key is not stored on the server salt-cloud is being run on, set ssh_agent, and salt-cloud will use the forwarded ssh-agent to authenticate. ssh_agent: True File Map Upload New in version 2014.7.0. The file_map option allows an arbitrary group of files to be uploaded to the target system before running the deploy script. This functionality requires a provider uses salt.utils.cloud.bootstrap(), which is currently limited to the ec2, gce, openstack and nova drivers. The file_map can be configured globally in /etc/salt/cloud, or in any cloud provider or profile file. For example, to upload an extra package or a custom deploy script, a cloud profile using file_map might look like: ubuntu14: provider: ec2-config image: ami-98aa1cf0 size: t1.micro ssh_username: root securitygroup: default file_map: /local/path/to/custom/script: /remote/path/to/use/custom/script /local/path/to/package: /remote/path/to/store/package Troubleshooting Steps Troubleshooting Salt Cloud This page describes various steps for troubleshooting problems that may arise while using Salt Cloud. Virtual Machines Are Created, But Do Not Respond Are TCP ports 4505 and 4506 open on the master? This is easy to overlook on new masters. Information on how to open firewall ports on various platforms can be found here. Generic Troubleshooting Steps This section describes a set of instructions that are useful to a large number of situations, and are likely to solve most issues that arise. Version Compatibility One of the most common issues that Salt Cloud users run into is import errors. These are often caused by version compatibility issues with Salt. Salt 0.16.x works with Salt Cloud 0.8.9 or greater. Salt 0.17.x requires Salt Cloud 0.8.11. Releases after 0.17.x (0.18 or greater) should not encounter issues as Salt Cloud has been merged into Salt itself. Debug Mode Frequently, running Salt Cloud in debug mode will reveal information about a deployment which would otherwise not be obvious: salt-cloud -p myprofile myinstance -l debug Keep in mind that a number of messages will appear that look at first like errors, but are in fact intended to give developers factual information to assist in debugging. A number of messages that appear will be for cloud providers that you do not have configured; in these cases, the message usually is intended to confirm that they are not configured. Salt Bootstrap By default, Salt Cloud uses the Salt Bootstrap script to provision instances: This script is packaged with Salt Cloud, but may be updated without updating the Salt package: salt-cloud -u The Bootstrap Log If the default deploy script was used, there should be a file in the /tmp/ directory called bootstrap-salt.log. This file contains the full output from the deployment, including any errors that may have occurred. Keeping Temp Files Salt Cloud uploads minion-specific files to instances once they are available via SSH, and then executes a deploy script to put them into the correct place and install Salt. The --keep-tmp option will instruct Salt Cloud not to remove those files when finished with them, so that the user may inspect them for problems: salt-cloud -p myprofile myinstance --keep-tmp By default, Salt Cloud will create a directory on the target instance called /tmp/.saltcloud/. This directory should be owned by the user that is to execute the deploy script, and should have permissions of 0700. Most cloud hosts are configured to use root as the default initial user for deployment, and as such, this directory and all files in it should be owned by the root user. The /tmp/.saltcloud/ directory should the following files: • A deploy.sh script. This script should have permissions of 0755. • A .pem and .pub key named after the minion. The .pem file should have permissions of 0600. Ensure that the .pem and .pub files have been properly copied to the /etc/salt/pki/minion/ directory. • A file called minion. This file should have been copied to the /etc/salt/ directory. • Optionally, a file called grains. This file, if present, should have been copied to the /etc/salt/ directory. Unprivileged Primary Users Some cloud hosts, most notably EC2, are configured with a different primary user. Some common examples are ec2-user, ubuntu, fedora, and bitnami. In these cases, the /tmp/.saltcloud/ directory and all files in it should be owned by this user. Some cloud hosts, such as EC2, are configured to not require these users to provide a password when using the sudo command. Because it is more secure to require sudo users to provide a password, other hosts are configured that way. If this instance is required to provide a password, it needs to be configured in Salt Cloud. A password for sudo to use may be added to either the provider configuration or the profile configuration: sudo_password: mypassword /tmp/ is Mounted as noexec It is more secure to mount the /tmp/ directory with a noexec option. This is uncommon on most cloud hosts, but very common in private environments. To see if the /tmp/ directory is mounted this way, run the following command: mount | grep tmp The if the output of this command includes a line that looks like this, then the /tmp/ directory is mounted as noexec: tmpfs on /tmp type tmpfs (rw,noexec) If this is the case, then the deploy_command will need to be changed in order to run the deploy script through the sh command, rather than trying to execute it directly. This may be specified in either the provider or the profile config: deploy_command: sh /tmp/.saltcloud/deploy.sh Please note that by default, Salt Cloud will place its files in a directory called /tmp/.saltcloud/. This may be also be changed in the provider or profile configuration: tmp_dir: /tmp/.saltcloud/ If this directory is changed, then the deploy_command need to be changed in order to reflect the tmp_dir configuration. Executing the Deploy Script Manually If all of the files needed for deployment were successfully uploaded to the correct locations, and contain the correct permissions and ownerships, the deploy script may be executed manually in order to check for other issues: cd /tmp/.saltcloud/ ./deploy.sh Extending Salt Cloud Writing Cloud Driver Modules Salt Cloud runs on a module system similar to the main Salt project. The modules inside saltcloud exist in the salt/cloud/clouds directory of the salt source. There are two basic types of cloud modules. If a cloud host is supported by libcloud, then using it is the fastest route to getting a module written. The Apache Libcloud project is located at: http://libcloud.apache.org/ Not every cloud host is supported by libcloud. Additionally, not every feature in a supported cloud host is necessarily supported by libcloud. In either of these cases, a module can be created which does not rely on libcloud. All Driver Modules The following functions are required by all driver modules, whether or not they are based on libcloud. The __virtual__() Function This function determines whether or not to make this cloud module available upon execution. Most often, it uses get_configured_provider() to determine if the necessary configuration has been set up. It may also check for necessary imports, to decide whether to load the module. In most cases, it will return a True or False value. If the name of the driver used does not match the filename, then that name should be returned instead of True. An example of this may be seen in the Azure module: https://github.com/saltstack/salt/tree/develop/salt/cloud/clouds/msazure.py The get_configured_provider() Function This function uses config.is_provider_configured() to determine wither all required information for this driver has been configured. The last value in the list of required settings should be followed by a comma. Libcloud Based Modules Writing a cloud module based on libcloud has two major advantages. First of all, much of the work has already been done by the libcloud project. Second, most of the functions necessary to Salt have already been added to the Salt Cloud project. The create() Function The most important function that does need to be manually written is the create() function. This is what is used to request a virtual machine to be created by the cloud host, wait for it to become available, and then (optionally) log in and install Salt on it. A good example to follow for writing a cloud driver module based on libcloud is the module provided for Linode: https://github.com/saltstack/salt/tree/develop/salt/cloud/clouds/linode.py The basic flow of a create() function is as follows: • Send a request to the cloud host to create a virtual machine. • Wait for the virtual machine to become available. • Generate kwargs to be used to deploy Salt. • Log into the virtual machine and deploy Salt. • Return a data structure that describes the newly-created virtual machine. At various points throughout this function, events may be fired on the Salt event bus. Four of these events, which are described below, are required. Other events may be added by the user, where appropriate. When the create() function is called, it is passed a data structure called vm_. This dict contains a composite of information describing the virtual machine to be created. A dict called __opts__ is also provided by Salt, which contains the options used to run Salt Cloud, as well as a set of configuration and environment variables. The first thing the create() function must do is fire an event stating that it has started the create process. This event is tagged salt/cloud/<vm name>/creating. The payload contains the names of the VM, profile, and provider. A set of kwargs is then usually created, to describe the parameters required by the cloud host to request the virtual machine. An event is then fired to state that a virtual machine is about to be requested. It is tagged as salt/cloud/<vm name>/requesting. The payload contains most or all of the parameters that will be sent to the cloud host. Any private information (such as passwords) should not be sent in the event. After a request is made, a set of deploy kwargs will be generated. These will be used to install Salt on the target machine. Windows options are supported at this point, and should be generated, even if the cloud host does not currently support Windows. This will save time in the future if the host does eventually decide to support Windows. An event is then fired to state that the deploy process is about to begin. This event is tagged salt/cloud/<vm name>/deploying. The payload for the event will contain a set of deploy kwargs, useful for debugging purposed. Any private data, including passwords and keys (including public keys) should be stripped from the deploy kwargs before the event is fired. If any Windows options have been passed in, the salt.utils.cloud.deploy_windows() function will be called. Otherwise, it will be assumed that the target is a Linux or Unix machine, and the salt.utils.cloud.deploy_script() will be called. Both of these functions will wait for the target machine to become available, then the necessary port to log in, then a successful login that can be used to install Salt. Minion configuration and keys will then be uploaded to a temporary directory on the target by the appropriate function. On a Windows target, the Windows Minion Installer will be run in silent mode. On a Linux/Unix target, a deploy script (bootstrap-salt.sh, by default) will be run, which will auto-detect the operating system, and install Salt using its native package manager. These do not need to be handled by the developer in the cloud module. The salt.utils.cloud.validate_windows_cred() function has been extended to take the number of retries and retry_delay parameters in case a specific cloud host has a delay between providing the Windows credentials and the credentials being available for use. In their create() function, or as a a sub-function called during the creation process, developers should use the win_deploy_auth_retries and win_deploy_auth_retry_delay parameters from the provider configuration to allow the end-user the ability to customize the number of tries and delay between tries for their particular host. After the appropriate deploy function completes, a final event is fired which describes the virtual machine that has just been created. This event is tagged salt/cloud/<vm name>/created. The payload contains the names of the VM, profile, and provider. Finally, a dict (queried from the provider) which describes the new virtual machine is returned to the user. Because this data is not fired on the event bus it can, and should, return any passwords that were returned by the cloud host. In some cases (for example, Rackspace), this is the only time that the password can be queried by the user; post-creation queries may not contain password information (depending upon the host). The libcloudfuncs Functions A number of other functions are required for all cloud hosts. However, with libcloud-based modules, these are all provided for free by the libcloudfuncs library. The following two lines set up the imports: from salt.cloud.libcloudfuncs import * # pylint: disable=W0614,W0401 from salt.utils import namespaced_function And then a series of declarations will make the necessary functions available within the cloud module. get_size = namespaced_function(get_size, globals()) get_image = namespaced_function(get_image, globals()) avail_locations = namespaced_function(avail_locations, globals()) avail_images = namespaced_function(avail_images, globals()) avail_sizes = namespaced_function(avail_sizes, globals()) script = namespaced_function(script, globals()) destroy = namespaced_function(destroy, globals()) list_nodes = namespaced_function(list_nodes, globals()) list_nodes_full = namespaced_function(list_nodes_full, globals()) list_nodes_select = namespaced_function(list_nodes_select, globals()) show_instance = namespaced_function(show_instance, globals()) If necessary, these functions may be replaced by removing the appropriate declaration line, and then adding the function as normal. These functions are required for all cloud modules, and are described in detail in the next section. Non-Libcloud Based Modules In some cases, using libcloud is not an option. This may be because libcloud has not yet included the necessary driver itself, or it may be that the driver that is included with libcloud does not contain all of the necessary features required by the developer. When this is the case, some or all of the functions in libcloudfuncs may be replaced. If they are all replaced, the libcloud imports should be absent from the Salt Cloud module. A good example of a non-libcloud driver is the DigitalOcean driver: https://github.com/saltstack/salt/tree/develop/salt/cloud/clouds/digital_ocean.py The create() Function The create() function must be created as described in the libcloud-based module documentation. The get_size() Function This function is only necessary for libcloud-based modules, and does not need to exist otherwise. The get_image() Function This function is only necessary for libcloud-based modules, and does not need to exist otherwise. The avail_locations() Function This function returns a list of locations available, if the cloud host uses multiple data centers. It is not necessary if the cloud host uses only one data center. It is normally called using the --list-locations option. salt-cloud --list-locations my-cloud-provider The avail_images() Function This function returns a list of images available for this cloud provider. There are not currently any known cloud providers that do not provide this functionality, though they may refer to images by a different name (for example, "templates"). It is normally called using the --list-images option. salt-cloud --list-images my-cloud-provider The avail_sizes() Function This function returns a list of sizes available for this cloud provider. Generally, this refers to a combination of RAM, CPU, and/or disk space. This functionality may not be present on some cloud providers. For example, the Parallels module breaks down RAM, CPU, and disk space into separate options, whereas in other providers, these options are baked into the image. It is normally called using the --list-sizes option. salt-cloud --list-sizes my-cloud-provider The script() Function This function builds the deploy script to be used on the remote machine. It is likely to be moved into the salt.utils.cloud library in the near future, as it is very generic and can usually be copied wholesale from another module. An excellent example is in the Azure driver. The destroy() Function This function irreversibly destroys a virtual machine on the cloud provider. Before doing so, it should fire an event on the Salt event bus. The tag for this event is salt/cloud/<vm name>/destroying. Once the virtual machine has been destroyed, another event is fired. The tag for that event is salt/cloud/<vm name>/destroyed. This function is normally called with the -d options: salt-cloud -d myinstance The list_nodes() Function This function returns a list of nodes available on this cloud provider, using the following fields: • id (str) • image (str) • size (str) • state (str) • private_ips (list) • public_ips (list) No other fields should be returned in this function, and all of these fields should be returned, even if empty. The private_ips and public_ips fields should always be of a list type, even if empty, and the other fields should always be of a str type. This function is normally called with the -Q option: salt-cloud -Q The list_nodes_full() Function All information available about all nodes should be returned in this function. The fields in the list_nodes() function should also be returned, even if they would not normally be provided by the cloud provider. This is because some functions both within Salt and 3rd party will break if an expected field is not present. This function is normally called with the -F option: salt-cloud -F The list_nodes_select() Function This function returns only the fields specified in the query.selection option in /etc/salt/cloud. Because this function is so generic, all of the heavy lifting has been moved into the salt.utils.cloud library. A function to call list_nodes_select() still needs to be present. In general, the following code can be used as-is: def list_nodes_select(call=None): ''' Return a list of the VMs that are on the provider, with select fields ''' return salt.utils.cloud.list_nodes_select( list_nodes_full('function'), __opts__['query.selection'], call, ) However, depending on the cloud provider, additional variables may be required. For instance, some modules use a conn object, or may need to pass other options into list_nodes_full(). In this case, be sure to update the function appropriately: def list_nodes_select(conn=None, call=None): ''' Return a list of the VMs that are on the provider, with select fields ''' if not conn: conn = get_conn() # pylint: disable=E0602 return salt.utils.cloud.list_nodes_select( list_nodes_full(conn, 'function'), __opts__['query.selection'], call, ) This function is normally called with the -S option: salt-cloud -S The show_instance() Function This function is used to display all of the information about a single node that is available from the cloud provider. The simplest way to provide this is usually to call list_nodes_full(), and return just the data for the requested node. It is normally called as an action: salt-cloud -a show_instance myinstance Actions and Functions Extra functionality may be added to a cloud provider in the form of an --action or a --function. Actions are performed against a cloud instance/virtual machine, and functions are performed against a cloud provider. Actions Actions are calls that are performed against a specific instance or virtual machine. The show_instance action should be available in all cloud modules. Actions are normally called with the -a option: salt-cloud -a show_instance myinstance Actions must accept a name as a first argument, may optionally support any number of kwargs as appropriate, and must accept an argument of call, with a default of None. Before performing any other work, an action should normally verify that it has been called correctly. It may then perform the desired feature, and return useful information to the user. A basic action looks like: def show_instance(name, call=None): ''' Show the details from EC2 concerning an AMI ''' if call != 'action': raise SaltCloudSystemExit( 'The show_instance action must be called with -a or --action.' ) return _get_node(name) Please note that generic kwargs, if used, are passed through to actions as kwargs and not **kwargs. An example of this is seen in the Functions section. Functions Functions are called that are performed against a specific cloud provider. An optional function that is often useful is show_image, which describes an image in detail. Functions are normally called with the -f option: salt-cloud -f show_image my-cloud-provider image='Ubuntu 13.10 64-bit' A function may accept any number of kwargs as appropriate, and must accept an argument of call with a default of None. Before performing any other work, a function should normally verify that it has been called correctly. It may then perform the desired feature, and return useful information to the user. A basic function looks like: def show_image(kwargs, call=None): ''' Show the details from EC2 concerning an AMI ''' if call != 'function': raise SaltCloudSystemExit( 'The show_image action must be called with -f or --function.' ) params = {'ImageId.1': kwargs['image'], 'Action': 'DescribeImages'} result = query(params) log.info(result) return result Take note that generic kwargs are passed through to functions as kwargs and not **kwargs. OS Support for Cloud VMs Salt Cloud works primarily by executing a script on the virtual machines as soon as they become available. The script that is executed is referenced in the cloud profile as the script. In older versions, this was the os argument. This was changed in 0.8.2. A number of legacy scripts exist in the deploy directory in the saltcloud source tree. The preferred method is currently to use the salt-bootstrap script. A stable version is included with each release tarball starting with 0.8.4. The most updated version can be found at: https://github.com/saltstack/salt-bootstrap If you do not specify a script argument, this script will be used at the default. If the Salt Bootstrap script does not meet your needs, you may write your own. The script should be written in bash and is a Jinja template. Deploy scripts need to execute a number of functions to do a complete salt setup. These functions include: 1. Install the salt minion. If this can be done via system packages this method is HIGHLY preferred. 2. Add the salt minion keys before the minion is started for the first time. The minion keys are available as strings that can be copied into place in the Jinja template under the dict named "vm". 3. Start the salt-minion daemon and enable it at startup time. 4. Set up the minion configuration file from the "minion" data available in the Jinja template. A good, well commented, example of this process is the Fedora deployment script: https://github.com/saltstack/salt-cloud/blob/master/saltcloud/deploy/Fedora.sh A number of legacy deploy scripts are included with the release tarball. None of them are as functional or complete as Salt Bootstrap, and are still included for academic purposes. Other Generic Deploy Scripts If you want to be assured of always using the latest Salt Bootstrap script, there are a few generic templates available in the deploy directory of your saltcloud source tree: curl-bootstrap curl-bootstrap-git python-bootstrap wget-bootstrap wget-bootstrap-git These are example scripts which were designed to be customized, adapted, and refit to meet your needs. One important use of them is to pass options to the salt-bootstrap script, such as updating to specific git tags. Post-Deploy Commands Once a minion has been deployed, it has the option to run a salt command. Normally, this would be the state.highstate command, which would finish provisioning the VM. Another common option is state.sls, or for just testing, test.ping. This is configured in the main cloud config file: start_action: state.highstate This is currently considered to be experimental functionality, and may not work well with all cloud hosts. If you experience problems with Salt Cloud hanging after Salt is deployed, consider using Startup States instead: http://docs.saltstack.com/ref/states/startup.html Skipping the Deploy Script For whatever reason, you may want to skip the deploy script altogether. This results in a VM being spun up much faster, with absolutely no configuration. This can be set from the command line: salt-cloud --no-deploy -p micro_aws my_instance Or it can be set from the main cloud config file: deploy: False Or it can be set from the provider's configuration: RACKSPACE.user: example_user RACKSPACE.apikey: 123984bjjas87034 RACKSPACE.deploy: False Or even on the VM's profile settings: ubuntu_aws: provider: my-ec2-config image: ami-7e2da54e size: t1.micro deploy: False The default for deploy is True. In the profile, you may also set the script option to None: script: None This is the slowest option, since it still uploads the None deploy script and executes it. Updating Salt Bootstrap Salt Bootstrap can be updated automatically with salt-cloud: salt-cloud -u salt-cloud --update-bootstrap Bear in mind that this updates to the latest stable version from: https://bootstrap.saltstack.com/stable/bootstrap-salt.sh To update Salt Bootstrap script to the develop version, run the following command on the Salt minion host with salt-cloud installed: salt-call config.gather_bootstrap_script 'https://bootstrap.saltstack.com/develop/bootstrap-salt.sh' Or just download the file manually: curl -L 'https://bootstrap.saltstack.com/develop' > /etc/salt/cloud.deploy.d/bootstrap-salt.sh Keeping /tmp/ Files When Salt Cloud deploys an instance, it uploads temporary files to /tmp/ for salt-bootstrap to put in place. After the script has run, they are deleted. To keep these files around (mostly for debugging purposes), the --keep-tmp option can be added: salt-cloud -p myprofile mymachine --keep-tmp For those wondering why /tmp/ was used instead of /root/, this had to be done for images which require the use of sudo, and therefore do not allow remote root logins, even for file transfers (which makes /root/ unavailable). Deploy Script Arguments Custom deploy scripts are unlikely to need custom arguments to be passed to them, but salt-bootstrap has been extended quite a bit, and this may be necessary. script_args can be specified in either the profile or the map file, to pass arguments to the deploy script: aws-amazon: provider: my-ec2-config image: ami-1624987f size: t1.micro ssh_username: ec2-user script: bootstrap-salt script_args: -c /tmp/ This has also been tested to work with pipes, if needed: script_args: | head Using Salt Cloud from Salt Using the Salt Modules for Cloud In addition to the salt-cloud command, Salt Cloud can be called from Salt, in a variety of different ways. Most users will be interested in either the execution module or the state module, but it is also possible to call Salt Cloud as a runner. Because the actual work will be performed on a remote minion, the normal Salt Cloud configuration must exist on any target minion that needs to execute a Salt Cloud command. Because Salt Cloud now supports breaking out configuration into individual files, the configuration is easily managed using Salt's own file.managed state function. For example, the following directories allow this configuration to be managed easily: /etc/salt/cloud.providers.d/ /etc/salt/cloud.profiles.d/ Minion Keys Keep in mind that when creating minions, Salt Cloud will create public and private minion keys, upload them to the minion, and place the public key on the machine that created the minion. It will not attempt to place any public minion keys on the master, unless the minion which was used to create the instance is also the Salt Master. This is because granting arbitrary minions access to modify keys on the master is a serious security risk, and must be avoided. Execution Module The cloud module is available to use from the command line. At the moment, almost every standard Salt Cloud feature is available to use. The following commands are available: list_images This command is designed to show images that are available to be used to create an instance using Salt Cloud. In general they are used in the creation of profiles, but may also be used to create an instance directly (see below). Listing images requires a provider to be configured, and specified: salt myminion cloud.list_images my-cloud-provider list_sizes This command is designed to show sizes that are available to be used to create an instance using Salt Cloud. In general they are used in the creation of profiles, but may also be used to create an instance directly (see below). This command is not available for all cloud providers; see the provider-specific documentation for details. Listing sizes requires a provider to be configured, and specified: salt myminion cloud.list_sizes my-cloud-provider list_locations This command is designed to show locations that are available to be used to create an instance using Salt Cloud. In general they are used in the creation of profiles, but may also be used to create an instance directly (see below). This command is not available for all cloud providers; see the provider-specific documentation for details. Listing locations requires a provider to be configured, and specified: salt myminion cloud.list_locations my-cloud-provider query This command is used to query all configured cloud providers, and display all instances associated with those accounts. By default, it will run a standard query, returning the following fields: id The name or ID of the instance, as used by the cloud provider. image The disk image that was used to create this instance. private_ips Any public IP addresses currently assigned to this instance. public_ips Any private IP addresses currently assigned to this instance. size The size of the instance; can refer to RAM, CPU(s), disk space, etc., depending on the cloud provider. state The running state of the instance; for example, running, stopped, pending, etc. This state is dependent upon the provider. This command may also be used to perform a full query or a select query, as described below. The following usages are available: salt myminion cloud.query salt myminion cloud.query list_nodes salt myminion cloud.query list_nodes_full full_query This command behaves like the query command, but lists all information concerning each instance as provided by the cloud provider, in addition to the fields returned by the query command. salt myminion cloud.full_query select_query This command behaves like the query command, but only returned select fields as defined in the /etc/salt/cloud configuration file. A sample configuration for this section of the file might look like: query.selection: - id - key_name This configuration would only return the id and key_name fields, for those cloud providers that support those two fields. This would be called using the following command: salt myminion cloud.select_query profile This command is used to create an instance using a profile that is configured on the target minion. Please note that the profile must be configured before this command can be used with it. salt myminion cloud.profile ec2-centos64-x64 my-new-instance Please note that the execution module does not run in parallel mode. Using multiple minions to create instances can effectively perform parallel instance creation. create This command is similar to the profile command, in that it is used to create a new instance. However, it does not require a profile to be pre-configured. Instead, all of the options that are normally configured in a profile are passed directly to Salt Cloud to create the instance: salt myminion cloud.create my-ec2-config my-new-instance \ image=ami-1624987f size='t1.micro' ssh_username=ec2-user \ securitygroup=default delvol_on_destroy=True Please note that the execution module does not run in parallel mode. Using multiple minions to create instances can effectively perform parallel instance creation. destroy This command is used to destroy an instance or instances. This command will search all configured providers and remove any instance(s) which matches the name(s) passed in here. The results of this command are non-reversable and should be used with caution. salt myminion cloud.destroy myinstance salt myminion cloud.destroy myinstance1,myinstance2 action This command implements both the action and the function commands used in the standard salt-cloud command. If one of the standard action commands is used, an instance name must be provided. If one of the standard function commands is used, a provider configuration must be named. salt myminion cloud.action start instance=myinstance salt myminion cloud.action show_image provider=my-ec2-config \ image=ami-1624987f The actions available are largely dependent upon the module for the specific cloud provider. The following actions are available for all cloud providers: list_nodes This is a direct call to the query function as described above, but is only performed against a single cloud provider. A provider configuration must be included. list_nodes_select This is a direct call to the full_query function as described above, but is only performed against a single cloud provider. A provider configuration must be included. list_nodes_select This is a direct call to the select_query function as described above, but is only performed against a single cloud provider. A provider configuration must be included. show_instance This is a thin wrapper around list_nodes, which returns the full information about a single instance. An instance name must be provided. State Module A subset of the execution module is available through the cloud state module. Not all functions are currently included, because there is currently insufficient code for them to perform statefully. For example, a command to create an instance may be issued with a series of options, but those options cannot currently be statefully managed. Additional states to manage these options will be released at a later time. cloud.present This state will ensure that an instance is present inside a particular cloud provider. Any option that is normally specified in the cloud.create execution module and function may be declared here, but only the actual presence of the instance will be managed statefully. my-instance-name: cloud.present: - provider: my-ec2-config - image: ami-1624987f - size: 't1.micro' - ssh_username: ec2-user - securitygroup: default - delvol_on_destroy: True cloud.profile This state will ensure that an instance is present inside a particular cloud provider. This function calls the cloud.profile execution module and function, but as with cloud.present, only the actual presence of the instance will be managed statefully. my-instance-name: cloud.profile: - profile: ec2-centos64-x64 cloud.absent This state will ensure that an instance (identified by name) does not exist in any of the cloud providers configured on the target minion. Please note that this state is non-reversable and may be considered especially destructive when issued as a cloud state. my-instance-name: cloud.absent Runner Module The cloud runner module is executed on the master, and performs actions using the configuration and Salt modules on the master itself. This means that any public minion keys will also be properly accepted by the master. Using the functions in the runner module is no different than using those in the execution module, outside of the behavior described in the above paragraph. The following functions are available inside the runner: • list_images • list_sizes • list_locations • query • full_query • select_query • profile • destroy • action Outside of the standard usage of salt-run itself, commands are executed as usual: salt-run cloud.profile ec2-centos64-x86_64 my-instance-name CloudClient The execution, state, and runner modules ultimately all use the CloudClient library that ships with Salt. To use the CloudClient library locally (either on the master or a minion), create a client object and issue a command against it: import salt.cloud import pprint client = salt.cloud.CloudClient('/etc/salt/cloud') nodes = client.query() pprint.pprint(nodes) Reactor Examples of using the reactor with Salt Cloud are available in the ec2-autoscale-reactor and salt-cloud-reactor formulas. Feature Comparison Feature Matrix A number of features are available in most cloud hosts, but not all are available everywhere. This may be because the feature isn't supported by the cloud host itself, or it may only be that the feature has not yet been added to Salt Cloud. In a handful of cases, it is because the feature does not make sense for a particular cloud provider (Saltify, for instance). This matrix shows which features are available in which cloud hosts, as far as Salt Cloud is concerned. This is not a comprehensive list of all features available in all cloud hosts, and should not be used to make business decisions concerning choosing a cloud host. In most cases, adding support for a feature to Salt Cloud requires only a little effort. Legacy Drivers Both AWS and Rackspace are listed as "Legacy". This is because those drivers have been replaced by other drivers, which are generally the preferred method for working with those hosts. The EC2 driver should be used instead of the AWS driver, when possible. The OpenStack driver should be used instead of the Rackspace driver, unless the user is dealing with instances in "the old cloud" in Rackspace. Note for Developers When adding new features to a particular cloud host, please make sure to add the feature to this table. Additionally, if you notice a feature that is not properly listed here, pull requests to fix them is appreciated. Standard Features These are features that are available for almost every cloud host. ┌──────────┬──────────┬────────────┬─────────┬─────┬────────┬────────┬────────┬───────────┬───────────┬───────────┬─────────┬───────────┬───────────┬────────┐ ├──────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├──────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├──────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├──────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├──────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├──────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├──────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├──────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ └──────────┴──────────┴────────────┴─────────┴─────┴────────┴────────┴────────┴───────────┴───────────┴───────────┴─────────┴───────────┴───────────┴────────┘ Actions These are features that are performed on a specific instance, and require an instance name to be passed in. For example: # salt-cloud -a attach_volume ami.example.com ┌───────────────────────┬──────────┬────────────┬─────────┬─────┬────────┬────────┬────────┬───────────┬───────────┬───────────┬─────────┬───────────┬───────────┬────────┐ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├───────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ └───────────────────────┴──────────┴────────────┴─────────┴─────┴────────┴────────┴────────┴───────────┴───────────┴───────────┴─────────┴───────────┴───────────┴────────┘ Functions These are features that are performed against a specific cloud provider, and require the name of the provider to be passed in. For example: # salt-cloud -f list_images my_digitalocean ┌────────────────────────┬──────────┬────────────┬─────────┬─────┬────────┬────────┬────────┬───────────┬───────────┬───────────┬─────────┬───────────┬───────────┬────────┐ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ └────────────────────────┴──────────┴────────────┴─────────┴─────┴────────┴────────┴────────┴───────────┴───────────┴───────────┴─────────┴───────────┴───────────┴────────┘ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ ├────────────────────────┼──────────┼────────────┼─────────┼─────┼────────┼────────┼────────┼───────────┼───────────┼───────────┼─────────┼───────────┼───────────┼────────┤ └────────────────────────┴──────────┴────────────┴─────────┴─────┴────────┴────────┴────────┴───────────┴───────────┴───────────┴─────────┴───────────┴───────────┴────────┘ Tutorials Salt Cloud Quickstart Salt Cloud is built-in to Salt, and the easiest way to run Salt Cloud is directly from your Salt Master. On most platforms you can install the salt-cloud package from the same repo that you used to install Salt. This quickstart walks you through the basic steps of setting up a cloud host and defining some virtual machines to create. NOTE: Salt Cloud has its own process and does not rely on the Salt Master, so it can be installed on a standalone minion instead of your Salt Master. Define a Provider The first step is to add the credentials for your cloud host. Credentials and other settings provided by the cloud host are stored in provider configuration files. Provider configurations contain the details needed to connect to a cloud host such as EC2, GCE, Rackspace, etc., and any global options that you want set on your cloud minions (such as the location of your Salt Master). On your Salt Master, browse to /etc/salt/cloud.providers.d/ and create a file called <provider>.conf, replacing <provider> with ec2, softlayer, and so on. The name helps you identify the contents, and is not important as long as the file ends in .conf. Next, browse to the Provider specifics and add any required settings for your cloud host to this file. Here is an example for Amazon EC2: my-ec2: driver: ec2 # Set the EC2 access credentials (see below) # id: 'HJGRYCILJLKJYG' key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn' # Make sure this key is owned by root with permissions 0400. # private_key: /etc/salt/my_test_key.pem keyname: my_test_key securitygroup: default # Optional: Set up the location of the Salt Master # minion: master: saltmaster.example.com The required configuration varies between cloud hosts so make sure you read the provider specifics. List Cloud Provider Options You can now query the cloud provider you configured for available locations, images, and sizes. This information is used when you set up VM profiles. salt-cloud --list-locations <provider_name> # my-ec2 in the previous example salt-cloud --list-images <provider_name> salt-cloud --list-sizes <provider_name> Replace <provider_name> with the name of the provider configuration you defined. Create VM Profiles On your Salt Master, browse to /etc/salt/cloud.profiles.d/ and create a file called <profile>.conf, replacing <profile> with ec2, softlayer, and so on. The file must end in .conf. You can now add any custom profiles you'd like to define to this file. Here are a few examples: micro_ec2: provider: my-ec2 image: ami-d514f291 size: t1.micro medium_ec2: provider: my-ec2 image: ami-d514f291 size: m3.medium large_ec2: provider: my-ec2 image: ami-d514f291 size: m3.large Notice that the provider in our profile matches the provider name that we defined? That is how Salt Cloud knows how to connect to to a cloud host to create a VM with these attributes. Create VMs VMs are created by calling salt-cloud with the following options: salt-cloud -p <profile> <name1> <name2> ... For example: salt-cloud -p micro_ec2 minion1 minion2 Destroy VMs Add a -d and the minion name you provided to destroy: salt-cloud -d minion1 minion2 Query VMs You can view details about the VMs you've created using --query: salt-cloud --query Cloud Map Now that you know how to create and destoy individual VMs, next you should learn how to use a cloud map to create a number of VMs at once. Cloud maps let you define a map of your infrastructure and quickly provision any number of VMs. On subsequent runs, any VMs that do not exist are created, and VMs that are already configured are left unmodified. See Cloud Map File. Using Salt Cloud with the Event Reactor One of the most powerful features of the Salt framework is the Event Reactor. As the Reactor was in development, Salt Cloud was regularly updated to take advantage of the Reactor upon completion. As such, various aspects of both the creation and destruction of instances with Salt Cloud fire events to the Salt Master, which can be used by the Event Reactor. Event Structure As of this writing, all events in Salt Cloud have a tag, which includes the ID of the instance being managed, and a payload which describes the task that is currently being handled. A Salt Cloud tag looks like: salt/cloud/<minion_id>/<task> For instance, the first event fired when creating an instance named web1 would look like: salt/cloud/web1/creating Assuming this instance is using the ec2-centos profile, which is in turn using the ec2-config provider, the payload for this tag would look like: {'name': 'web1', 'profile': 'ec2-centos', 'provider': 'ec2-config:ec2'} Available Events When an instance is created in Salt Cloud, whether by map, profile, or directly through an API, a minimum of five events are normally fired. More may be available, depending upon the cloud provider being used. Some of the common events are described below. salt/cloud/<minion_id>/creating This event states simply that the process to create an instance has begun. At this point in time, no actual work has begun. The payload for this event includes: name profile provider salt/cloud/<minion_id>/requesting Salt Cloud is about to make a request to the cloud provider to create an instance. At this point, all of the variables required to make the request have been gathered, and the payload of the event will reflect those variables which do not normally pose a security risk. What is returned here is dependent upon the cloud provider. Some common variables are: name image size location salt/cloud/<minion_id>/querying The instance has been successfully requested, but the necessary information to log into the instance (such as IP address) is not yet available. This event marks the beginning of the process to wait for this information. The payload for this event normally only includes the instance_id. salt/cloud/<minion_id>/waiting_for_ssh The information required to log into the instance has been retrieved, but the instance is not necessarily ready to be accessed. Following this event, Salt Cloud will wait for the IP address to respond to a ping, then wait for the specified port (usually 22) to respond to a connection, and on Linux systems, for SSH to become available. Salt Cloud will attempt to issue the date command on the remote system, as a means to check for availability. If no ssh_username has been specified, a list of usernames (starting with root) will be attempted. If one or more usernames was configured for ssh_username, they will be added to the beginning of the list, in order. The payload for this event normally only includes the ip_address. salt/cloud/<minion_id>/deploying The necessary port has been detected as available, and now Salt Cloud can log into the instance, upload any files used for deployment, and run the deploy script. Once the script has completed, Salt Cloud will log back into the instance and remove any remaining files. A number of variables are used to deploy instances, and the majority of these will be available in the payload. Any keys, passwords or other sensitive data will be scraped from the payload. Most of the variables returned will be related to the profile or provider config, and any default values that could have been changed in the profile or provider, but weren't. salt/cloud/<minion_id>/created The deploy sequence has completed, and the instance is now available, Salted, and ready for use. This event is the final task for Salt Cloud, before returning instance information to the user and exiting. The payload for this event contains little more than the initial creating event. This event is required in all cloud providers. Configuring the Event Reactor The Event Reactor is built into the Salt Master process, and as such is configured via the master configuration file. Normally this will be a YAML file located at /etc/salt/master. Additionally, master configuration items can be stored, in YAML format, inside the /etc/salt/master.d/ directory. These configuration items may be stored in either location; however, they may only be stored in one location. For organizational and security purposes, it may be best to create a single configuration file, which contains only Event Reactor configuration, at /etc/salt/master.d/reactor. The Event Reactor uses a top-level configuration item called reactor. This block contains a list of tags to be watched for, each of which also includes a list of sls files. For instance: reactor: - 'salt/minion/*/start': - '/srv/reactor/custom-reactor.sls' - 'salt/cloud/*/created': - '/srv/reactor/cloud-alert.sls' - 'salt/cloud/*/destroyed': - '/srv/reactor/cloud-destroy-alert.sls' The above configuration configures reactors for three different tags: one which is fired when a minion process has started and is available to receive commands, one which is fired when a cloud instance has been created, and one which is fired when a cloud instance is destroyed. Note that each tag contains a wildcard (*) in it. For each of these tags, this will normally refer to a minion_id. This is not required of event tags, but is very common. Reactor SLS Files Reactor sls files should be placed in the /srv/reactor/ directory for consistency between environments, but this is not currently enforced by Salt. Reactor sls files follow a similar format to other sls files in Salt. By default they are written in YAML and can be templated using Jinja, but since they are processed through Salt's rendering system, any available renderer (JSON, Mako, Cheetah, etc.) can be used. As with other sls files, each stanza will start with a declaration ID, followed by the function to run, and then any arguments for that function. For example: # /srv/reactor/cloud-alert.sls new_instance_alert: cmd.pagerduty.create_event: - tgt: alertserver - kwarg: description: "New instance: {{ data['name'] }}" details: "New cloud instance created on {{ data['provider'] }}" service_key: 1626dead5ecafe46231e968eb1be29c4 profile: my-pagerduty-account When the Event Reactor receives an event notifying it that a new instance has been created, this sls will create a new incident in PagerDuty, using the configured PagerDuty account. The declaration ID in this example is new_instance_alert. The function called is cmd.pagerduty.create_event. The cmd portion of this function specifies that an execution module and function will be called, in this case, the pagerduty.create_event function. Because an execution module is specified, a target (tgt) must be specified on which to call the function. In this case, a minion called alertserver has been used. Any arguments passed through to the function are declared in the kwarg block. Example: Reactor-Based Highstate When Salt Cloud creates an instance, by default it will install the Salt Minion onto the instance, along with any specified minion configuration, and automatically accept that minion's keys on the master. One of the configuration options that can be specified is startup_states, which is commonly set to highstate. This will tell the minion to immediately apply a highstate, as soon as it is able to do so. This can present a problem with some system images on some cloud hosts. For instance, Salt Cloud can be configured to log in as either the root user, or a user with sudo access. While some hosts commonly use images that lock out remote root access and require a user with sudo privileges to log in (notably EC2, with their ec2-user login), most cloud hosts fall back to root as the default login on all images, including for operating systems (such as Ubuntu) which normally disallow remote root login. For users of these operating systems, it is understandable that a highstate would include configuration to block remote root logins again. However, Salt Cloud may not have finished cleaning up its deployment files by the time the minion process has started, and kicked off a highstate run. Users have reported errors from Salt Cloud getting locked out while trying to clean up after itself. The goal of a startup state may be achieved using the Event Reactor. Because a minion fires an event when it is able to receive commands, this event can effectively be used inside the reactor system instead. The following will point the reactor system to the right sls file: reactor: - 'salt/cloud/*/created': - '/srv/reactor/startup_highstate.sls' And the following sls file will start a highstate run on the target minion: # /srv/reactor/startup_highstate.sls reactor_highstate: cmd.state.highstate: - tgt: {{ data['name'] }} Because this event will not be fired until Salt Cloud has cleaned up after itself, the highstate run will not step on Salt Cloud's toes. And because every file on the minion is configurable, including /etc/salt/minion, the startup_states can still be configured for future minion restarts, if desired.
NETAPI MODULES
Writing netapi modules netapi modules, put simply, bind a port and start a service. They are purposefully open-ended and can be used to present a variety of external interfaces to Salt, and even present multiple interfaces at once. SEE ALSO: The full list of netapi modules Configuration All netapi configuration is done in the Salt master config and takes a form similar to the following: rest_cherrypy: port: 8000 debug: True ssl_crt: /etc/pki/tls/certs/localhost.crt ssl_key: /etc/pki/tls/certs/localhost.key The __virtual__ function Like all module types in Salt, netapi modules go through Salt's loader interface to determine if they should be loaded into memory and then executed. The __virtual__ function in the module makes this determination and should return False or a string that will serve as the name of the module. If the module raises an ImportError or any other errors, it will not be loaded. The start function The start() function will be called for each netapi module that is loaded. This function should contain the server loop that actually starts the service. This is started in a multiprocess. Inline documentation As with the rest of Salt, it is a best-practice to include liberal inline documentation in the form of a module docstring and docstrings on any classes, methods, and functions in your netapi module. Loader “magic” methods The loader makes the __opts__ data structure available to any function in a netapi module. Introduction to netapi modules netapi modules provide API-centric access to Salt. Usually externally-facing services such as REST or WebSockets, XMPP, XMLRPC, etc. In general netapi modules bind to a port and start a service. They are purposefully open-ended. A single module can be configured to run as well as multiple modules simultaneously. netapi modules are enabled by adding configuration to your Salt Master config file and then starting the salt-api daemon. Check the docs for each module to see external requirements and configuration settings. Communication with Salt and Salt satellite projects is done using Salt's own Python API. A list of available client interfaces is below. salt-api Prior to Salt's 2014.7.0 release, netapi modules lived in the separate sister projected salt-api. That project has been merged into the main Salt project. SEE ALSO: The full list of netapi modules Client interfaces Salt's client interfaces expose executing functions by crafting a dictionary of values that are mapped to function arguments. This allows calling functions simply by creating a data structure. (And this is exactly how much of Salt's own internals work!) class salt.netapi.NetapiClient(opts) Provide a uniform method of accessing the various client interfaces in Salt in the form of low-data data structures. For example: >>> client = NetapiClient(__opts__) >>> lowstate = {'client': 'local', 'tgt': '*', 'fun': 'test.ping', 'arg': ''} >>> client.run(lowstate) local(*args, **kwargs) Run execution modules synchronously See salt.client.LocalClient.cmd() for all available parameters. Sends a command from the master to the targeted minions. This is the same interface that Salt's own CLI uses. Note the arg and kwarg parameters are sent down to the minion(s) and the given function, fun, is called with those parameters. Returns Returns the result from the execution module local_async(*args, **kwargs) Run execution modules asynchronously Wraps salt.client.LocalClient.run_job(). Returns job ID local_batch(*args, **kwargs) Run execution modules against batches of minions New in version 0.8.4. Wraps salt.client.LocalClient.cmd_batch() Returns Returns the result from the exeuction module for each batch of returns runner(fun, timeout=None, **kwargs) Run runner modules <all-salt.runners> synchronously Wraps salt.runner.RunnerClient.cmd_sync(). Note that runner functions must be called using keyword arguments. Positional arguments are not supported. Returns Returns the result from the runner module runner_async(fun, **kwargs) Run runner modules <all-salt.runners> asynchronously Wraps salt.runner.RunnerClient.cmd_async(). Note that runner functions must be called using keyword arguments. Positional arguments are not supported. Returns event data and a job ID for the executed function. ssh(*args, **kwargs) Run salt-ssh commands synchronously Wraps salt.client.ssh.client.SSHClient.cmd_sync(). Returns Returns the result from the salt-ssh command ssh_async(fun, timeout=None, **kwargs) Run salt-ssh commands asynchronously Wraps salt.client.ssh.client.SSHClient.cmd_async(). Returns Returns the JID to check for results on wheel(fun, **kwargs) Run wheel modules synchronously Wraps salt.wheel.WheelClient.master_call(). Note that wheel functions must be called using keyword arguments. Positional arguments are not supported. Returns Returns the result from the wheel module wheel_async(fun, **kwargs) Run wheel modules asynchronously Wraps salt.wheel.WheelClient.master_call(). Note that wheel functions must be called using keyword arguments. Positional arguments are not supported. Returns Returns the result from the wheel module
SALT VIRT
The Salt Virt cloud controller capability was initially added to Salt in version 0.14.0 as an alpha technology. The initial Salt Virt system supports core cloud operations: • Virtual machine deployment • Inspection of deployed VMs • Virtual machine migration • Network profiling • Automatic VM integration with all aspects of Salt • Image Pre-seeding Many features are currently under development to enhance the capabilities of the Salt Virt systems. NOTE: It is noteworthy that Salt was originally developed with the intent of using the Salt communication system as the backbone to a cloud controller. This means that the Salt Virt system is not an afterthought, simply a system that took the back seat to other development. The original attempt to develop the cloud control aspects of Salt was a project called butter. This project never took off, but was functional and proves the early viability of Salt to be a cloud controller. WARNING: Salt Virt does not work with KVM that is running in a VM. KVM must be running on the base hardware. Salt Virt Tutorial A tutorial about how to get Salt Virt up and running has been added to the tutorial section: Cloud Controller Tutorial The Salt Virt Runner The point of interaction with the cloud controller is the virt runner. The virt runner comes with routines to execute specific virtual machine routines. Reference documentation for the virt runner is available with the runner module documentation: Virt Runner Reference Based on Live State Data The Salt Virt system is based on using Salt to query live data about hypervisors and then using the data gathered to make decisions about cloud operations. This means that no external resources are required to run Salt Virt, and that the information gathered about the cloud is live and accurate. Deploy from Network or Disk Virtual Machine Disk Profiles Salt Virt allows for the disks created for deployed virtual machines to be finely configured. The configuration is a simple data structure which is read from the config.option function, meaning that the configuration can be stored in the minion config file, the master config file, or the minion's pillar. This configuration option is called virt.disk. The default virt.disk data structure looks like this: virt.disk: default: - system: size: 8192 format: qcow2 model: virtio NOTE: The format and model does not need to be defined, Salt will default to the optimal format used by the underlying hypervisor, in the case of kvm this it is qcow2 and virtio. This configuration sets up a disk profile called default. The default profile creates a single system disk on the virtual machine. Define More Profiles Many environments will require more complex disk profiles and may require more than one profile, this can be easily accomplished: virt.disk: default: - system: size: 8192 database: - system: size: 8192 - data: size: 30720 web: - system: size: 1024 - logs: size: 5120 This configuration allows for one of three profiles to be selected, allowing virtual machines to be created with different storage needs of the deployed vm. Virtual Machine Network Profiles Salt Virt allows for the network devices created for deployed virtual machines to be finely configured. The configuration is a simple data structure which is read from the config.option function, meaning that the configuration can be stored in the minion config file, the master config file, or the minion's pillar. This configuration option is called virt.nic. By default the virt.nic option is empty but defaults to a data structure which looks like this: virt.nic: default: eth0: bridge: br0 model: virtio NOTE: The model does not need to be defined, Salt will default to the optimal model used by the underlying hypervisor, in the case of kvm this model is virtio This configuration sets up a network profile called default. The default profile creates a single Ethernet device on the virtual machine that is bridged to the hypervisor's br0 interface. This default setup does not require setting up the virt.nic configuration, and is the reason why a default install only requires setting up the br0 bridge device on the hypervisor. Define More Profiles Many environments will require more complex network profiles and may require more than one profile, this can be easily accomplished: virt.nic: dual: eth0: bridge: service_br eth1: bridge: storage_br single: eth0: bridge: service_br triple: eth0: bridge: service_br eth1: bridge: storage_br eth2: bridge: dmz_br all: eth0: bridge: service_br eth1: bridge: storage_br eth2: bridge: dmz_br eth3: bridge: database_br dmz: eth0: bridge: service_br eth1: bridge: dmz_br database: eth0: bridge: service_br eth1: bridge: database_br This configuration allows for one of six profiles to be selected, allowing virtual machines to be created which attach to different network depending on the needs of the deployed vm.
UNDERSTANDING YAML
The default renderer for SLS files is the YAML renderer. YAML is a markup language with many powerful features. However, Salt uses a small subset of YAML that maps over very commonly used data structures, like lists and dictionaries. It is the job of the YAML renderer to take the YAML data structure and compile it into a Python data structure for use by Salt. Though YAML syntax may seem daunting and terse at first, there are only three very simple rules to remember when writing YAML for SLS files. Rule One: Indentation YAML uses a fixed indentation scheme to represent relationships between data layers. Salt requires that the indentation for each level consists of exactly two spaces. Do not use tabs. Rule Two: Colons Python dictionaries are, of course, simply key-value pairs. Users from other languages may recognize this data type as hashes or associative arrays. Dictionary keys are represented in YAML as strings terminated by a trailing colon. Values are represented by either a string following the colon, separated by a space: my_key: my_value In Python, the above maps to: {'my_key': 'my_value'} Alternatively, a value can be associated with a key through indentation. my_key: my_value NOTE: The above syntax is valid YAML but is uncommon in SLS files because most often, the value for a key is not singular but instead is a list of values. In Python, the above maps to: {'my_key': 'my_value'} Dictionaries can be nested: first_level_dict_key: second_level_dict_key: value_in_second_level_dict And in Python: { 'first_level_dict_key': { 'second_level_dict_key': 'value_in_second_level_dict' } } Rule Three: Dashes To represent lists of items, a single dash followed by a space is used. Multiple items are a part of the same list as a function of their having the same level of indentation. - list_value_one - list_value_two - list_value_three Lists can be the value of a key-value pair. This is quite common in Salt: my_dictionary: - list_value_one - list_value_two - list_value_three In Python, the above maps to: {'my_dictionary': ['list_value_one', 'list_value_two', 'list_value_three']} Learning More One easy way to learn more about how YAML gets rendered into Python data structures is to use an online YAML parser to see the Python output. One excellent choice for experimenting with YAML parsing is: http://yaml-online-parser.appspot.com/
MASTER TOPS SYSTEM
In 0.10.4 the external_nodes system was upgraded to allow for modular subsystems to be used to generate the top file data for a highstate run on the master. The old external_nodes option has been removed. The master tops system contains a number of subsystems that are loaded via the Salt loader interfaces like modules, states, returners, runners, etc. Using the new master_tops option is simple: master_tops: ext_nodes: cobbler-external-nodes for Cobbler or: master_tops: reclass: inventory_base_uri: /etc/reclass classes_uri: roles for Reclass. It's also possible to create custom master_tops modules. These modules must go in a subdirectory called tops in the extension_modules directory. The extension_modules directory is not defined by default (the default /srv/salt/_modules will NOT work as of this release) Custom tops modules are written like any other execution module, see the source for the two modules above for examples of fully functional ones. Below is a degenerate example: /etc/salt/master: extension_modules: /srv/salt/modules master_tops: customtop: True /srv/salt/modules/tops/customtop.py: import logging import sys # Define the module's virtual name __virtualname__ = 'customtop' log = logging.getLogger(__name__) def __virtual__(): return __virtualname__ def top(**kwargs): log.debug('Calling top in customtop') return {'base': ['test']} salt minion state.show_top should then display something like: $ salt minion state.show_top minion ---------- base: - test
SALT SSH
Getting Started Salt SSH is very easy to use, simply set up a basic roster file of the systems to connect to and run salt-ssh commands in a similar way as standard salt commands. • Salt ssh is considered production ready in version 2014.7.0 • Python is required on the remote system (unless using the -r option to send raw ssh commands) • On many systems, the salt-ssh executable will be in its own package, usually named salt-ssh • The Salt SSH system does not supercede the standard Salt communication systems, it simply offers an SSH-based alternative that does not require ZeroMQ and a remote agent. Be aware that since all communication with Salt SSH is executed via SSH it is substantially slower than standard Salt with ZeroMQ. • At the moment fileserver operations must be wrapped to ensure that the relevant files are delivered with the salt-ssh commands. The state module is an exception, which compiles the state run on the master, and in the process finds all the references to salt:// paths and copies those files down in the same tarball as the state run. However, needed fileserver wrappers are still under development. Salt SSH Roster The roster system in Salt allows for remote minions to be easily defined. NOTE: See the Roster documentation for more details. Simply create the roster file, the default location is /etc/salt/roster: web1: 192.168.42.1 This is a very basic roster file where a Salt ID is being assigned to an IP address. A more elaborate roster can be created: web1: host: 192.168.42.1 # The IP addr or DNS hostname user: fred # Remote executions will be executed as user fred passwd: foobarbaz # The password to use for login, if omitted, keys are used sudo: True # Whether to sudo to root, not enabled by default web2: host: 192.168.42.2 NOTE: sudo works only if NOPASSWD is set for user in /etc/sudoers: fred ALL=(ALL) NOPASSWD: ALL Deploy ssh key for salt-ssh By default, salt-ssh will generate key pairs for ssh, the default path will be /etc/salt/pki/master/ssh/salt-ssh.rsa You can use ssh-copy-id, (the OpenSSH key deployment tool) to deploy keys to your servers. ssh-copy-id -i /etc/salt/pki/master/ssh/salt-ssh.rsa.pub user@server.demo.com One could also create a simple shell script, named salt-ssh-copy-id.sh as follows: #!/bin/bash if [ -z $1 ]; then echo $0 user@host.com exit 0 fi ssh-copy-id -i /etc/salt/pki/master/ssh/salt-ssh.rsa.pub $1 NOTE: Be certain to chmod +x salt-ssh-copy-id.sh. ./salt-ssh-copy-id.sh user@server1.host.com ./salt-ssh-copy-id.sh user@server2.host.com Once keys are successfully deployed, salt-ssh can be used to control them. Calling Salt SSH The salt-ssh command can be easily executed in the same way as a salt command: salt-ssh '*' test.ping Commands with salt-ssh follow the same syntax as the salt command. The standard salt functions are available! The output is the same as salt and many of the same flags are available. Please see http://docs.saltstack.com/ref/cli/salt-ssh.html for all of the available options. Raw Shell Calls By default salt-ssh runs Salt execution modules on the remote system, but salt-ssh can also execute raw shell commands: salt-ssh '*' -r 'ifconfig' States Via Salt SSH The Salt State system can also be used with salt-ssh. The state system abstracts the same interface to the user in salt-ssh as it does when using standard salt. The intent is that Salt Formulas defined for standard salt will work seamlessly with salt-ssh and vice-versa. The standard Salt States walkthroughs function by simply replacing salt commands with salt-ssh. Targeting with Salt SSH Due to the fact that the targeting approach differs in salt-ssh, only glob and regex targets are supported as of this writing, the remaining target systems still need to be implemented. NOTE: By default, Grains are settable through salt-ssh. By default, these grains will not be persisted across reboots. See the "thin_dir" setting in Roster documentation for more details. Configuring Salt SSH Salt SSH takes its configuration from a master configuration file. Normally, this file is in /etc/salt/master. If one wishes to use a customized configuration file, the -c option to Salt SSH facilitates passing in a directory to look inside for a configuration file named master. Minion Config New in version 2015.5.1. Minion config options can be defined globally using the master configuration option ssh_minion_opts. It can also be defined on a per-minion basis with the minion_opts entry in the roster. Running Salt SSH as non-root user By default, Salt read all the configuration from /etc/salt/. If you are running Salt SSH with a regular user you have to modify some paths or you will get "Permission denied" messages. You have to modify two parameters: pki_dir and cachedir. Those should point to a full path writable for the user. It's recommed not to modify /etc/salt for this purpose. Create a private copy of /etc/salt for the user and run the command with -c /new/config/path. Define CLI Options with Saltfile If you are commonly passing in CLI options to salt-ssh, you can create a Saltfile to automatically use these options. This is common if you're managing several different salt projects on the same server. So you can cd into a directory that has a Saltfile with the following YAML contents: salt-ssh: config_dir: path/to/config/dir max_procs: 30 wipe_ssh: True Instead of having to call salt-ssh --config-dir=path/to/config/dir --max-procs=30 --wipe \* test.ping you can call salt-ssh \* test.ping. Boolean-style options should be specified in their YAML representation. NOTE: The option keys specified must match the destination attributes for the options specified in the parser salt.utils.parsers.SaltSSHOptionParser. For example, in the case of the --wipe command line option, its dest is configured to be wipe_ssh and thus this is what should be configured in the Saltfile. Using the names of flags for this option, being wipe: True or w: True, will not work. Debugging salt-ssh One common approach for debugging salt-ssh is to simply use the tarball that salt ships to the remote machine and call salt-call directly. To determine the location of salt-call, simply run salt-ssh with the -ldebug flag and look for a line containing the string, SALT_ARGV. This contains the salt-call command that salt-ssh attempted to execute. It is recommended that one modify this command a bit by removing the -l quiet, --metadata and --output json to get a better idea of what's going on on the target system.
SALT ROSTERS
Salt rosters are pluggable systems added in Salt 0.17.0 to facilitate the salt-ssh system. The roster system was created because salt-ssh needs a means to identify which systems need to be targeted for execution. SEE ALSO: all-salt.roster NOTE: The Roster System is not needed or used in standard Salt because the master does not need to be initially aware of target systems, since the Salt Minion checks itself into the master. Since the roster system is pluggable, it can be easily augmented to attach to any existing systems to gather information about what servers are presently available and should be attached to by salt-ssh. By default the roster file is located at /etc/salt/roster. How Rosters Work The roster system compiles a data structure internally referred to as targets. The targets is a list of target systems and attributes about how to connect to said systems. The only requirement for a roster module in Salt is to return the targets data structure. Targets Data The information which can be stored in a roster target is the following: <Salt ID>: # The id to reference the target system with host: # The IP address or DNS name of the remote host user: # The user to log in as passwd: # The password to log in with # Optional parameters port: # The target system's ssh port number sudo: # Boolean to run command via sudo tty: # Boolean: Set this option to True if sudo is also set to # True and requiretty is also set on the target system priv: # File path to ssh private key, defaults to salt-ssh.rsa timeout: # Number of seconds to wait for response when establishing # an SSH connection minion_opts: # Dictionary of minion opts thin_dir: # The target system's storage directory for Salt # components. Defaults to /tmp/salt-<hash>. cmd_umask: # umask to enforce for the salt-call command. Should be in # octal (so for 0o077 in YAML you would do 0077, or 63) thin_dir Salt needs to upload a standalone environment to the target system, and this defaults to /tmp/salt-<hash>. This directory will be cleaned up per normal systems operation. If you need a persistent Salt environment, for instance to set persistent grains, this value will need to be changed.
REFERENCE
Full list of builtin auth modules ┌──────────┬──────────────────────────────────┐ │auto │ An "Always Approved" eauth │ │ │ interface to test against, not │ │ │ intended for │ ├──────────┼──────────────────────────────────┤ │django │ Provide authentication using │ │ │ Django Web Framework │ ├──────────┼──────────────────────────────────┤ │keystone │ Provide authentication using │ │ │ OpenStack Keystone │ ├──────────┼──────────────────────────────────┤ │ldap │ Provide authentication using │ │ │ simple LDAP binds │ ├──────────┼──────────────────────────────────┤ │mysql │ Provide authentication using │ │ │ MySQL. │ ├──────────┼──────────────────────────────────┤ │pam │ Authenticate against PAM │ ├──────────┼──────────────────────────────────┤ │pki │ Authenticate via a PKI │ │ │ certificate. │ ├──────────┼──────────────────────────────────┤ │rest │ Provide authentication using a │ │ │ REST call │ ├──────────┼──────────────────────────────────┤ │stormpath │ Provide authentication using │ │ │ Stormpath. │ ├──────────┼──────────────────────────────────┤ │yubico │ Provide authentication using │ │ │ YubiKey. │ └──────────┴──────────────────────────────────┘ salt.auth.auto An "Always Approved" eauth interface to test against, not intended for production use salt.auth.auto.auth(username, password) Authenticate! salt.auth.django Provide authentication using Django Web Framework depends • Django Web Framework Django authentication depends on the presence of the django framework in the PYTHONPATH, the Django project's settings.py file being in the PYTHONPATH and accessible via the DJANGO_SETTINGS_MODULE environment variable. Django auth can be defined like any other eauth module: external_auth: django: fred: - .* - '@runner' This will authenticate Fred via Django and allow him to run any execution module and all runners. The authorization details can optionally be located inside the Django database. The relevant entry in the models.py file would look like this: class SaltExternalAuthModel(models.Model): user_fk = models.ForeignKey(auth.User) minion_matcher = models.CharField() minion_fn = models.CharField() The external_auth clause in the master config would then look like this: external_auth: django: ^model: <fully-qualified reference to model class> When a user attempts to authenticate via Django, Salt will import the package indicated via the keyword ^model. That model must have the fields indicated above, though the model DOES NOT have to be named 'SaltExternalAuthModel'. salt.auth.django.auth(username, password) Simple Django auth salt.auth.django.django_auth_setup() Prepare the connection to the Django authentication framework salt.auth.django.retrieve_auth_entries(u=None) Parameters u -- Username to filter for Returns Dictionary that can be slotted into the __opts__ structure for eauth that designates the user associated ACL Database records such as: ┌───────────┬──────────────────────┬────────────────────┐ │username │ minion_or_fn_matcher │ minion_fn │ ├───────────┼──────────────────────┼────────────────────┤ │fred │ │ test.ping │ ├───────────┼──────────────────────┼────────────────────┤ │fred │ server1 │ network.interfaces │ ├───────────┼──────────────────────┼────────────────────┤ │fred │ server1 │ raid.list │ ├───────────┼──────────────────────┼────────────────────┤ │fred │ server2 │ .* │ ├───────────┼──────────────────────┼────────────────────┤ │guru │ .* │ │ ├───────────┼──────────────────────┼────────────────────┤ │smartadmin │ server1 │ .* │ └───────────┴──────────────────────┴────────────────────┘ Should result in an eauth config such as: fred: - test.ping - server1: - network.interfaces - raid.list - server2: - .* guru: - .* smartadmin: - server1: - .* salt.auth.keystone Provide authentication using OpenStack Keystone depends • keystoneclient Python module salt.auth.keystone.auth(username, password) Try and authenticate salt.auth.keystone.get_auth_url() Try and get the URL from the config, else return localhost salt.auth.ldap Provide authentication using simple LDAP binds depends • ldap Python module salt.auth.ldap.auth(username, password) Simple LDAP auth salt.auth.ldap.groups(username, **kwargs) Authenticate against an LDAP group Behavior is highly dependent on if Active Directory is in use. AD handles group membership very differently than OpenLDAP. See the External Authentication documentation for a thorough discussion of available parameters for customizing the search. OpenLDAP allows you to search for all groups in the directory and returns members of those groups. Then we check against the username entered. salt.auth.mysql Provide authentication using MySQL. When using MySQL as an authentication backend, you will need to create or use an existing table that has a username and a password column. To get started, create a simple table that holds just a username and a password. The password field will hold a SHA256 checksum. CREATE TABLE `users` ( `id` int(11) NOT NULL AUTO_INCREMENT, `username` varchar(25) DEFAULT NULL, `password` varchar(70) DEFAULT NULL, PRIMARY KEY (`id`) ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; To create a user within MySQL, execute the following statement. INSERT INTO users VALUES (NULL, 'diana', SHA2('secret', 256)) mysql_auth: hostname: localhost database: SaltStack username: root password: letmein auth_sql: 'SELECT username FROM users WHERE username = "{0}" AND password = SHA2("{1}", 256)' The auth_sql contains the SQL that will validate a user to ensure they are correctly authenticated. This is where you can specify other SQL queries to authenticate users. Enable MySQL authentication. external_auth: mysql: damian: - test.* depends • MySQL-python Python module salt.auth.mysql.auth(username, password) Authenticate using a MySQL user table salt.auth.pam Authenticate against PAM Provides an authenticate function that will allow the caller to authenticate a user against the Pluggable Authentication Modules (PAM) on the system. Implemented using ctypes, so no compilation is necessary. There is one extra configuration option for pam. The pam_service that is authenticated against. This defaults to login auth.pam.service: login NOTE: PAM authentication will not work for the root user. The Python interface to PAM does not support authenticating as root. class salt.auth.pam.PamConv Wrapper class for pam_conv structure appdata_ptr Structure/Union member conv Structure/Union member class salt.auth.pam.PamHandle Wrapper class for pam_handle_t handle Structure/Union member class salt.auth.pam.PamMessage Wrapper class for pam_message structure msg Structure/Union member msg_style Structure/Union member class salt.auth.pam.PamResponse Wrapper class for pam_response structure resp Structure/Union member resp_retcode Structure/Union member salt.auth.pam.auth(username, password, **kwargs) Authenticate via pam salt.auth.pam.authenticate(username, password) Returns True if the given username and password authenticate for the given service. Returns False otherwise username: the username to authenticate password: the password in plain text salt.auth.pam.groups(username, *args, **kwargs) Retrieve groups for a given user for this auth provider Uses system groups salt.auth.pki Authenticate via a PKI certificate. NOTE: This module is Experimental and should be used with caution Provides an authenticate function that will allow the caller to authenticate a user via their public cert against a pre-defined Certificate Authority. TODO: Add a 'ca_dir' option to configure a directory of CA files, a la Apache. depends • pyOpenSSL module salt.auth.pki.auth(pem, **kwargs) Returns True if the given user cert was issued by the CA. Returns False otherwise. pem: a pem-encoded user public key (certificate) Configure the CA cert in the master config file: external_auth: pki: ca_file: /etc/pki/tls/ca_certs/trusted-ca.crt salt.auth.rest module Provide authentication using a REST call Django auth can be defined like any other eauth module: external_auth: rest: ^url: https://url/for/rest/call fred: - .* - '@runner' If there are entries underneath the ^url entry then they are merged with any responses from the REST call. In the above example, assuming the REST call does not return any additional ACLs, this will authenticate Fred via a REST call and allow him to run any execution module and all runners. The REST call should return a JSON object that maps to a regular eauth YAML structure as above. salt.auth.rest.auth(username, password) REST authentication salt.auth.rest.rest_auth_setup() salt.auth.stormpath Provide authentication using Stormpath. This driver requires some extra configuration beyond that which Stormpath normally requires. stormpath: apiid: 1234567890 apikey: 1234567890/ABCDEF # Can use an application ID application: 6789012345 # Or can use a directory ID directory: 3456789012 # But not both New in version 2015.8.0. salt.auth.stormpath.auth(username, password) Authenticate using a Stormpath directory or application salt.auth.yubico Provide authentication using YubiKey. New in version 2015.5.0. depends yubico-client Python module To get your YubiKey API key you will need to visit the website below. https://upgrade.yubico.com/getapikey/ The resulting page will show the generated Client ID (aka AuthID or API ID) and the generated API key (Secret Key). Make a note of both and use these two values in your /etc/salt/master configuration. /etc/salt/master yubico_users: damian: id: 12345 key: ABCDEFGHIJKLMNOPQRSTUVWXYZ external_auth: yubico: damian: - test.* Please wait five to ten minutes after generating the key before testing so that the API key will be updated on all the YubiCloud servers. salt.auth.yubico.auth(username, password) Authentcate against yubico server Command Line Reference Salt can be controlled by a command line client by the root user on the Salt master. The Salt command line client uses the Salt client API to communicate with the Salt master server. The Salt client is straightforward and simple to use. Using the Salt client commands can be easily sent to the minions. Each of these commands accepts an explicit --config option to point to either the master or minion configuration file. If this option is not provided and the default configuration file does not exist then Salt falls back to use the environment variables SALT_MASTER_CONFIG and SALT_MINION_CONFIG. SEE ALSO: Configuration Using the Salt Command The Salt command needs a few components to send information to the Salt minions. The target minions need to be defined, the function to call and any arguments the function requires. Defining the Target Minions The first argument passed to salt, defines the target minions, the target minions are accessed via their hostname. The default target type is a bash glob: salt '*foo.com' sys.doc Salt can also define the target minions with regular expressions: salt -E '.*' cmd.run 'ls -l | grep foo' Or to explicitly list hosts, salt can take a list: salt -L foo.bar.baz,quo.qux cmd.run 'ps aux | grep foo' More Powerful Targets The simple target specifications, glob, regex, and list will cover many use cases, and for some will cover all use cases, but more powerful options exist. Targeting with Grains The Grains interface was built into Salt to allow minions to be targeted by system properties. So minions running on a particular operating system can be called to execute a function, or a specific kernel. Calling via a grain is done by passing the -G option to salt, specifying a grain and a glob expression to match the value of the grain. The syntax for the target is the grain key followed by a globexpression: "os:Arch*". salt -G 'os:Fedora' test.ping Will return True from all of the minions running Fedora. To discover what grains are available and what the values are, execute the grains.item salt function: salt '*' grains.items more info on using targeting with grains can be found here. Targeting with Executions As of 0.8.8 targeting with executions is still under heavy development and this documentation is written to reference the behavior of execution matching in the future. Execution matching allows for a primary function to be executed, and then based on the return of the primary function the main function is executed. Execution matching allows for matching minions based on any arbitrary running data on the minions. Compound Targeting New in version 0.9.5. Multiple target interfaces can be used in conjunction to determine the command targets. These targets can then be combined using and or or statements. This is well defined with an example: salt -C 'G@os:Debian and webser* or E@db.*' test.ping In this example any minion who's id starts with webser and is running Debian, or any minion who's id starts with db will be matched. The type of matcher defaults to glob, but can be specified with the corresponding letter followed by the @ symbol. In the above example a grain is used with G@ as well as a regular expression with E@. The webser* target does not need to be prefaced with a target type specifier because it is a glob. more info on using compound targeting can be found here. Node Group Targeting New in version 0.9.5. For certain cases, it can be convenient to have a predefined group of minions on which to execute commands. This can be accomplished using what are called nodegroups. Nodegroups allow for predefined compound targets to be declared in the master configuration file, as a sort of shorthand for having to type out complicated compound expressions. nodegroups: group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com' group2: 'G@os:Debian and foo.domain.com' group3: 'G@os:Debian and N@group1' Calling the Function The function to call on the specified target is placed after the target specification. New in version 0.9.8. Functions may also accept arguments, space-delimited: salt '*' cmd.exec_code python 'import sys; print sys.version' Optional, keyword arguments are also supported: salt '*' pip.install salt timeout=5 upgrade=True They are always in the form of kwarg=argument. Arguments are formatted as YAML: salt '*' cmd.run 'echo "Hello: $FIRST_NAME"' env='{FIRST_NAME: "Joe"}' Note: dictionaries must have curly braces around them (like the env keyword argument above). This was changed in 0.15.1: in the above example, the first argument used to be parsed as the dictionary {'echo "Hello': '$FIRST_NAME"'}. This was generally not the expected behavior. If you want to test what parameters are actually passed to a module, use the test.arg_repr command: salt '*' test.arg_repr 'echo "Hello: $FIRST_NAME"' env='{FIRST_NAME: "Joe"}' Finding available minion functions The Salt functions are self documenting, all of the function documentation can be retried from the minions via the sys.doc() function: salt '*' sys.doc Compound Command Execution If a series of commands needs to be sent to a single target specification then the commands can be sent in a single publish. This can make gathering groups of information faster, and lowers the stress on the network for repeated commands. Compound command execution works by sending a list of functions and arguments instead of sending a single function and argument. The functions are executed on the minion in the order they are defined on the command line, and then the data from all of the commands are returned in a dictionary. This means that the set of commands are called in a predictable way, and the returned data can be easily interpreted. Executing compound commands if done by passing a comma delimited list of functions, followed by a comma delimited list of arguments: salt '*' cmd.run,test.ping,test.echo 'cat /proc/cpuinfo',,foo The trick to look out for here, is that if a function is being passed no arguments, then there needs to be a placeholder for the absent arguments. This is why in the above example, there are two commas right next to each other. test.ping takes no arguments, so we need to add another comma, otherwise Salt would attempt to pass "foo" to test.ping. If you need to pass arguments that include commas, then make sure you add spaces around the commas that separate arguments. For example: salt '*' cmd.run,test.ping,test.echo 'echo "1,2,3"' , , foo You may change the arguments separator using the --args-separator option: salt --args-separator=:: '*' some.fun,test.echo params with , comma :: foo CLI Completion Shell completion scripts for the Salt CLI are available in the pkg Salt source directory. salt-call salt-call Synopsis salt-call [options] Description The salt-call command is used to run module functions locally on a minion instead of executing them from the master. Salt-call is used to run a Standalone Minion, and was originally created for troubleshooting. The Salt Master is contacted to retrieve state files and other resources during execution unless the --local option is specified. NOTE: salt-call commands execute from the current user's shell context, while salt commands execute from the system's default context. Options --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. --hard-crash Raise any original exception rather than exiting gracefully Default: False -g, --grains Return the information generated by the Salt grains -m MODULE_DIRS, --module-dirs=MODULE_DIRS Specify an additional directory to pull modules from. Multiple directories can be provided by passing -m /--module-dirs multiple times. -d, --doc, --documentation Return the documentation for the specified module or for all modules if none are specified --master=MASTER Specify the master to use. The minion must be authenticated with the master. If this option is omitted, the master options from the minion config will be used. If multi masters are set up the first listed master that responds will be used. --return RETURNER Set salt-call to pass the return data to one or many returner interfaces. To use many returner interfaces specify a comma delimited list of returners. --local Run salt-call locally, as if there was no master running. --file-root=FILE_ROOT Set this directory as the base file root. --pillar-root=PILLAR_ROOT Set this directory as the base pillar root. --retcode-passthrough Exit with the salt call retcode and not the salt binary retcode --metadata Print out the execution metadata as well as the return. This will print out the outputter data, the return code, etc. --id=ID Specify the minion id to use. If this option is omitted, the id option from the minion config will be used. --skip-grains Do not load grains. --refresh-grains-cache Force a refresh of the grains cache Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: info. --log-file=LOG_FILE Log file path. Default: /var/log/salt/minion. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: info. Output Options --out Pass in an alternative outputter to display the return of data. This outputter can be any of the available outputters: grains, highstate, json, key, overstatestage, pprint, raw, txt, yaml Some outputters are formatted only for data returned from specific functions; for instance, the grains outputter will not work for non-grains data. If an outputter is used that does not support the data passed into it, then Salt will fall back on the pprint outputter and display the return data using the Python pprint standard library module. NOTE: If using --out=json, you will probably want --static as well. Without the static option, you will get a separate JSON string per minion which makes JSON output invalid as a whole. This is due to using an iterative outputter. So if you want to feed it to a JSON parser, use --static as well. --out-indent OUTPUT_INDENT, --output-indent OUTPUT_INDENT Print the output indented by the provided value in spaces. Negative values disable indentation. Only applicable in outputters that support indentation. --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE Write the output to the specified file. --no-color Disable all colored output --force-color Force colored output NOTE: When using colored output the color codes are as follows: green denotes success, red denotes failure, blue denotes changes and success and yellow denotes a expected future change in configuration. See also salt(1) salt-master(1) salt-minion(1) salt salt Synopsis salt '*' [ options ] sys.doc salt -E '.*' [ options ] sys.doc cmd salt -G 'os:Arch.*' [ options ] test.ping salt -C 'G@os:Arch.* and webserv* or G@kernel:FreeBSD' [ options ] test.ping Description Salt allows for commands to be executed across a swath of remote systems in parallel. This means that remote systems can be both controlled and queried with ease. Options --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. -t TIMEOUT, --timeout=TIMEOUT The timeout in seconds to wait for replies from the Salt minions. The timeout number specifies how long the command line client will wait to query the minions and check on running jobs. Default: 5 -s, --static By default as of version 0.9.8 the salt command returns data to the console as it is received from minions, but previous releases would return data only after all data was received. Use the static option to only return the data with a hard timeout and after all minions have returned. Without the static option, you will get a separate JSON string per minion which makes JSON output invalid as a whole. --async Instead of waiting for the job to run on minions only print the job id of the started execution and complete. --state-output=STATE_OUTPUT New in version 0.17. Override the configured state_output value for minion output. One of full, terse, mixed, changes or filter. Default: full. --subset=SUBSET Execute the routine on a random subset of the targeted minions. The minions will be verified that they have the named function before executing. -v VERBOSE, --verbose Turn on verbosity for the salt call, this will cause the salt command to print out extra data like the job id. --hide-timeout Instead of showing the return data for all minions. This option prints only the online minions which could be reached. -b BATCH, --batch-size=BATCH Instead of executing on all targeted minions at once, execute on a progressive set of minions. This option takes an argument in the form of an explicit number of minions to execute at once, or a percentage of minions to execute on. -a EAUTH, --auth=EAUTH Pass in an external authentication medium to validate against. The credentials will be prompted for. The options are auto, keystone, ldap, pam, and stormpath. Can be used with the -T option. -T, --make-token Used in conjunction with the -a option. This creates a token that allows for the authenticated user to send commands without needing to re-authenticate. --return=RETURNER Choose an alternative returner to call on the minion, if an alternative returner is used then the return will not come back to the command line but will be sent to the specified return system. The options are carbon, cassandra, couchbase, couchdb, elasticsearch, etcd, hipchat, local, local_cache, memcache, mongo, mysql, odbc, postgres, redis, sentry, slack, sms, smtp, sqlite3, syslog, and xmpp. -d, --doc, --documentation Return the documentation for the module functions available on the minions --args-separator=ARGS_SEPARATOR Set the special argument used as a delimiter between command arguments of compound commands. This is useful when one wants to pass commas as arguments to some of the commands in a compound command. Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. --log-file=LOG_FILE Log file path. Default: /var/log/salt/master. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. Target Selection -E, --pcre The target expression will be interpreted as a PCRE regular expression rather than a shell glob. -L, --list The target expression will be interpreted as a comma-delimited list; example: server1.foo.bar,server2.foo.bar,example7.quo.qux -G, --grain The target expression matches values returned by the Salt grains system on the minions. The target expression is in the format of '<grain value>:<glob expression>'; example: 'os:Arch*' This was changed in version 0.9.8 to accept glob expressions instead of regular expression. To use regular expression matching with grains, use the --grain-pcre option. --grain-pcre The target expression matches values returned by the Salt grains system on the minions. The target expression is in the format of '<grain value>:< regular expression>'; example: 'os:Arch.*' -N, --nodegroup Use a predefined compound target defined in the Salt master configuration file. -R, --range Instead of using shell globs to evaluate the target, use a range expression to identify targets. Range expressions look like %cluster. Using the Range option requires that a range server is set up and the location of the range server is referenced in the master configuration file. -C, --compound Utilize many target definitions to make the call very granular. This option takes a group of targets separated by and or or. The default matcher is a glob as usual. If something other than a glob is used, preface it with the letter denoting the type; example: 'webserv* and G@os:Debian or E@db*' Make sure that the compound target is encapsulated in quotes. -I, --pillar Instead of using shell globs to evaluate the target, use a pillar value to identify targets. The syntax for the target is the pillar key followed by a glob expression: "role:production*" -S, --ipcidr Match based on Subnet (CIDR notation) or IPv4 address. Output Options --out Pass in an alternative outputter to display the return of data. This outputter can be any of the available outputters: grains, highstate, json, key, overstatestage, pprint, raw, txt, yaml Some outputters are formatted only for data returned from specific functions; for instance, the grains outputter will not work for non-grains data. If an outputter is used that does not support the data passed into it, then Salt will fall back on the pprint outputter and display the return data using the Python pprint standard library module. NOTE: If using --out=json, you will probably want --static as well. Without the static option, you will get a separate JSON string per minion which makes JSON output invalid as a whole. This is due to using an iterative outputter. So if you want to feed it to a JSON parser, use --static as well. --out-indent OUTPUT_INDENT, --output-indent OUTPUT_INDENT Print the output indented by the provided value in spaces. Negative values disable indentation. Only applicable in outputters that support indentation. --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE Write the output to the specified file. --no-color Disable all colored output --force-color Force colored output NOTE: When using colored output the color codes are as follows: green denotes success, red denotes failure, blue denotes changes and success and yellow denotes a expected future change in configuration. See also salt(7) salt-master(1) salt-minion(1) salt-cloud salt-cp salt-cp Copy a file to a set of systems Synopsis salt-cp '*' [ options ] SOURCE DEST salt-cp -E '.*' [ options ] SOURCE DEST salt-cp -G 'os:Arch.*' [ options ] SOURCE DEST Description Salt copy copies a local file out to all of the Salt minions matched by the given target. Note: salt-cp uses salt's publishing mechanism. This means the privacy of the contents of the file on the wire is completely dependent upon the transport in use. In addition, if the salt-master is running with debug logging it is possible that the contents of the file will be logged to disk. Options --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. -t TIMEOUT, --timeout=TIMEOUT The timeout in seconds to wait for replies from the Salt minions. The timeout number specifies how long the command line client will wait to query the minions and check on running jobs. Default: 5 Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. --log-file=LOG_FILE Log file path. Default: /var/log/salt/master. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. Target Selection -E, --pcre The target expression will be interpreted as a PCRE regular expression rather than a shell glob. -L, --list The target expression will be interpreted as a comma-delimited list; example: server1.foo.bar,server2.foo.bar,example7.quo.qux -G, --grain The target expression matches values returned by the Salt grains system on the minions. The target expression is in the format of '<grain value>:<glob expression>'; example: 'os:Arch*' This was changed in version 0.9.8 to accept glob expressions instead of regular expression. To use regular expression matching with grains, use the --grain-pcre option. --grain-pcre The target expression matches values returned by the Salt grains system on the minions. The target expression is in the format of '<grain value>:< regular expression>'; example: 'os:Arch.*' -N, --nodegroup Use a predefined compound target defined in the Salt master configuration file. -R, --range Instead of using shell globs to evaluate the target, use a range expression to identify targets. Range expressions look like %cluster. Using the Range option requires that a range server is set up and the location of the range server is referenced in the master configuration file. See also salt(1) salt-master(1) salt-minion(1) salt-key salt-key Synopsis salt-key [ options ] Description Salt-key executes simple management of Salt server public keys used for authentication. On initial connection, a Salt minion sends its public key to the Salt master. This key must be accepted using the salt-key command on the Salt master. Salt minion keys can be in one of the following states: • unaccepted: key is waiting to be accepted. • accepted: key was accepted and the minion can communicate with the Salt master. • rejected: key was rejected using the salt-key command. In this state the minion does not receive any communication from the Salt master. • denied: key was rejected automatically by the Salt master. This occurs when a minion has a duplicate ID, or when a minion was rebuilt or had new keys generated and the previous key was not deleted from the Salt master. In this state the minion does not receive any communication from the Salt master. To change the state of a minion key, use -d to delete the key and then accept or reject the key. Options --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. -u USER, --user=USER Specify user to run salt-key --hard-crash Raise any original exception rather than exiting gracefully. Default is False. -q, --quiet Suppress output -y, --yes Answer 'Yes' to all questions presented, defaults to False --rotate-aes-key=ROTATE_AES_KEY Setting this to False prevents the master from refreshing the key session when keys are deleted or rejected, this lowers the security of the key deletion/rejection operation. Default is True. Logging Options Logging options which override any settings defined on the configuration files. --log-file=LOG_FILE Log file path. Default: /var/log/salt/minion. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. Output Options --out Pass in an alternative outputter to display the return of data. This outputter can be any of the available outputters: grains, highstate, json, key, overstatestage, pprint, raw, txt, yaml Some outputters are formatted only for data returned from specific functions; for instance, the grains outputter will not work for non-grains data. If an outputter is used that does not support the data passed into it, then Salt will fall back on the pprint outputter and display the return data using the Python pprint standard library module. NOTE: If using --out=json, you will probably want --static as well. Without the static option, you will get a separate JSON string per minion which makes JSON output invalid as a whole. This is due to using an iterative outputter. So if you want to feed it to a JSON parser, use --static as well. --out-indent OUTPUT_INDENT, --output-indent OUTPUT_INDENT Print the output indented by the provided value in spaces. Negative values disable indentation. Only applicable in outputters that support indentation. --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE Write the output to the specified file. --no-color Disable all colored output --force-color Force colored output NOTE: When using colored output the color codes are as follows: green denotes success, red denotes failure, blue denotes changes and success and yellow denotes a expected future change in configuration. Actions -l ARG, --list=ARG List the public keys. The args pre, un, and unaccepted will list unaccepted/unsigned keys. acc or accepted will list accepted/signed keys. rej or rejected will list rejected keys. Finally, all will list all keys. -L, --list-all List all public keys. (Deprecated: use --list all) -a ACCEPT, --accept=ACCEPT Accept the specified public key (use --include-all to match rejected keys in addition to pending keys). Globs are supported. -A, --accept-all Accepts all pending keys. -r REJECT, --reject=REJECT Reject the specified public key (use --include-all to match accepted keys in addition to pending keys). Globs are supported. -R, --reject-all Rejects all pending keys. --include-all Include non-pending keys when accepting/rejecting. -p PRINT, --print=PRINT Print the specified public key. -P, --print-all Print all public keys -d DELETE, --delete=DELETE Delete the specified key. Globs are supported. -D, --delete-all Delete all keys. -f FINGER, --finger=FINGER Print the specified key's fingerprint. -F, --finger-all Print all keys' fingerprints. Key Generation Options --gen-keys=GEN_KEYS Set a name to generate a keypair for use with salt --gen-keys-dir=GEN_KEYS_DIR Set the directory to save the generated keypair. Only works with 'gen_keys_dir' option; default is the current directory. --keysize=KEYSIZE Set the keysize for the generated key, only works with the '--gen-keys' option, the key size must be 2048 or higher, otherwise it will be rounded up to 2048. The default is 2048. --gen-signature Create a signature file of the masters public-key named master_pubkey_signature. The signature can be send to a minion in the masters auth-reply and enables the minion to verify the masters public-key cryptographically. This requires a new signing-key- pair which can be auto-created with the --auto-create parameter. --priv=PRIV The private-key file to create a signature with --signature-path=SIGNATURE_PATH The path where the signature file should be written --pub=PUB The public-key file to create a signature for --auto-create Auto-create a signing key-pair if it does not yet exist See also salt(7) salt-master(1) salt-minion(1) salt-master salt-master The Salt master daemon, used to control the Salt minions Synopsis salt-master [ options ] Description The master daemon controls the Salt minions Options --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. -u USER, --user=USER Specify user to run salt-master -d, --daemon Run salt-master as a daemon --pid-file PIDFILE Specify the location of the pidfile. Default: /var/run/salt-master.pid Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. --log-file=LOG_FILE Log file path. Default: /var/log/salt/master. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. See also salt(1) salt(7) salt-minion(1) salt-minion salt-minion The Salt minion daemon, receives commands from a remote Salt master. Synopsis salt-minion [ options ] Description The Salt minion receives commands from the central Salt master and replies with the results of said commands. Options --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. -u USER, --user=USER Specify user to run salt-minion -d, --daemon Run salt-minion as a daemon --pid-file PIDFILE Specify the location of the pidfile. Default: /var/run/salt-minion.pid Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. --log-file=LOG_FILE Log file path. Default: /var/log/salt/minion. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. See also salt(1) salt(7) salt-master(1) salt-proxy salt-proxy Receives commands from a Salt master and proxies these commands to devices that are unable to run a full minion. Synopsis salt-proxy [ options ] Description The Salt proxy minion receives commands from a Salt master, transmits appropriate commands to devices that are unable to run a minion, and replies with the results of said commands. Options --proxyid The minion id that this proxy will assume. This is required. --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. -u USER, --user=USER Specify user to run salt-proxy -d, --daemon Run salt-proxy as a daemon --pid-file PIDFILE Specify the location of the pidfile. Default: /var/run/salt-proxy-<id>.pid Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. --log-file=LOG_FILE Log file path. Default: /var/log/salt/minion. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. See also salt(1) salt(7) salt-master(1) salt-minion(1) salt-run salt-run Execute a Salt runner Synopsis salt-run RUNNER Description salt-run is the frontend command for executing Salt Runners. Salt runners are simple modules used to execute convenience functions on the master Options --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. -t TIMEOUT, --timeout=TIMEOUT The timeout in seconds to wait for replies from the Salt minions. The timeout number specifies how long the command line client will wait to query the minions and check on running jobs. Default: 1 --hard-crash Raise any original exception rather than exiting gracefully. Default is False. -d, --doc, --documentation Display documentation for runners, pass a module or a runner to see documentation on only that module/runner. Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. --log-file=LOG_FILE Log file path. Default: /var/log/salt/master. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. See also salt(1) salt-master(1) salt-minion(1) salt-ssh salt-ssh Synopsis salt-ssh '*' [ options ] sys.doc salt-ssh -E '.*' [ options ] sys.doc cmd Description Salt SSH allows for salt routines to be executed using only SSH for transport Options -r, --raw, --raw-shell Execute a raw shell command. --priv Specify the SSH private key file to be used for authentication. --roster Define which roster system to use, this defines if a database backend, scanner, or custom roster system is used. Default is the flat file roster. --roster-file Define an alternative location for the default roster file location. The default roster file is called roster and is found in the same directory as the master config file. New in version 2014.1.0. --refresh, --refresh-cache Force a refresh of the master side data cache of the target's data. This is needed if a target's grains have been changed and the auto refresh timeframe has not been reached. --max-procs Set the number of concurrent minions to communicate with. This value defines how many processes are opened up at a time to manage connections, the more running process the faster communication should be, default is 25. -i, --ignore-host-keys Ignore the ssh host keys which by default are honored and connections would ask for approval. --passwd Set the default password to attempt to use when authenticating. --key-deploy Set this flag to attempt to deploy the authorized ssh key with all minions. This combined with --passwd can make initial deployment of keys very fast and easy. --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. Target Selection -E, --pcre The target expression will be interpreted as a PCRE regular expression rather than a shell glob. -L, --list The target expression will be interpreted as a comma-delimited list; example: server1.foo.bar,server2.foo.bar,example7.quo.qux -G, --grain The target expression matches values returned by the Salt grains system on the minions. The target expression is in the format of '<grain value>:<glob expression>'; example: 'os:Arch*' This was changed in version 0.9.8 to accept glob expressions instead of regular expression. To use regular expression matching with grains, use the --grain-pcre option. --grain-pcre The target expression matches values returned by the Salt grains system on the minions. The target expression is in the format of '<grain value>:< regular expression>'; example: 'os:Arch.*' -N, --nodegroup Use a predefined compound target defined in the Salt master configuration file. -R, --range Instead of using shell globs to evaluate the target, use a range expression to identify targets. Range expressions look like %cluster. Using the Range option requires that a range server is set up and the location of the range server is referenced in the master configuration file. Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. --log-file=LOG_FILE Log file path. Default: /var/log/salt/ssh. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. Output Options --out Pass in an alternative outputter to display the return of data. This outputter can be any of the available outputters: grains, highstate, json, key, overstatestage, pprint, raw, txt, yaml Some outputters are formatted only for data returned from specific functions; for instance, the grains outputter will not work for non-grains data. If an outputter is used that does not support the data passed into it, then Salt will fall back on the pprint outputter and display the return data using the Python pprint standard library module. NOTE: If using --out=json, you will probably want --static as well. Without the static option, you will get a separate JSON string per minion which makes JSON output invalid as a whole. This is due to using an iterative outputter. So if you want to feed it to a JSON parser, use --static as well. --out-indent OUTPUT_INDENT, --output-indent OUTPUT_INDENT Print the output indented by the provided value in spaces. Negative values disable indentation. Only applicable in outputters that support indentation. --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE Write the output to the specified file. --no-color Disable all colored output --force-color Force colored output NOTE: When using colored output the color codes are as follows: green denotes success, red denotes failure, blue denotes changes and success and yellow denotes a expected future change in configuration. See also salt(7) salt-master(1) salt-minion(1) salt-syndic salt-syndic The Salt syndic daemon, a special minion that passes through commands from a higher master Synopsis salt-syndic [ options ] Description The Salt syndic daemon, a special minion that passes through commands from a higher master. Options --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. -u USER, --user=USER Specify user to run salt-syndic -d, --daemon Run salt-syndic as a daemon --pid-file PIDFILE Specify the location of the pidfile. Default: /var/run/salt-syndic.pid Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. --log-file=LOG_FILE Log file path. Default: /var/log/salt/master. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. See also salt(1) salt-master(1) salt-minion(1) salt-api salt-api Start interfaces used to remotely connect to the salt master Synopsis salt-api Description The Salt API system manages network api connectors for the Salt Master Options --version Print the version of Salt that is running. --versions-report Show program's dependencies and version number, and then exit -h, --help Show the help message and exit -c CONFIG_DIR, --config-dir=CONFIG_dir The location of the Salt configuration directory. This directory contains the configuration files for Salt master and minions. The default location on most systems is /etc/salt. -d, --daemon Run the salt-api as a daemon --pid-file=PIDFILE Specify the location of the pidfile. Default: /var/run/salt-api.pid Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. --log-file=LOG_FILE Log file path. Default: /var/log/salt/api. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. See also salt-api(7) salt(7) salt-master(1) spm spm Salt Package Manager Synopsis spm <command> [<argument>] Description spm is the frontend command for managing Salt packages. Packages normally only include formulas, meaning a group of SLS files that install into the file_roots on the Salt Master, but Salt modules can also be installed. Options -y, --assume-yes Assume yes instead of prompting the other whether or not to proceed with a particular command. Default is False. -f, --force When presented with a course of action that spm would normally refuse to perform, that action will be performed anyway. This is often destructive, and should be used with caution. Logging Options Logging options which override any settings defined on the configuration files. -l LOG_LEVEL, --log-level=LOG_LEVEL Console logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. --log-file=LOG_FILE Log file path. Default: /var/log/salt/spm. --log-file-level=LOG_LEVEL_LOGFILE Logfile logging log level. One of all, garbage, trace, debug, info, warning, error, quiet. Default: warning. Commands update_repo Connect to remote repositories locally configured on the system and download their metadata. install Install a package from a configured SPM repository. Requires a package name. remove Remove an installed package from the system. Requires a package name. info List information about an installed package. Requires a package name. files List files belonging to an installed package. Requires a package name. local Perform one of the above options (except for remove) on a package file, instead of on a package in a repository, or an installed package. Requires a valid path to a local file on the system. build Build a package from a directory containing a FORMULA file. Requires a valid path to a local directory on the system. create_repo Scan a directory for valid SPM package files and build an SPM-METADATA file in that directory which describes them. See also salt(1) salt-master(1) salt-minion(1) Client ACL system The salt client ACL system is a means to allow system users other than root to have access to execute select salt commands on minions from the master. The client ACL system is configured in the master configuration file via the client_acl configuration option. Under the client_acl configuration option the users open to send commands are specified and then a list of regular expressions which specify the minion functions which will be made available to specified user. This configuration is much like the peer configuration: client_acl: # Allow thatch to execute anything. thatch: - .* # Allow fred to use test and pkg, but only on "web*" minions. fred: - web*: - test.* - pkg.* Permission Issues Directories required for client_acl must be modified to be readable by the users specified: chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master NOTE: In addition to the changes above you will also need to modify the permissions of /var/log/salt and the existing log file to be writable by the user(s) which will be running the commands. If you do not wish to do this then you must disable logging or Salt will generate errors as it cannot write to the logs as the system users. If you are upgrading from earlier versions of salt you must also remove any existing user keys and re-start the Salt master: rm /var/cache/salt/.*key service salt-master restart Python client API Salt provides several entry points for interfacing with Python applications. These entry points are often referred to as *Client() APIs. Each client accesses different parts of Salt, either from the master or from a minion. Each client is detailed below. SEE ALSO: There are many ways to access Salt programmatically. Salt can be used from CLI scripts as well as via a REST interface. See Salt's outputter system to retrieve structured data from Salt as JSON, or as shell-friendly text, or many other formats. See the state.event runner to utilize Salt's event bus from shell scripts. Salt's netapi module provides access to Salt externally via a REST interface. Review the netapi module documentation for more information. Salt's opts dictionary Some clients require access to Salt's opts dictionary. (The dictionary representation of the master or minion config files.) A common pattern for fetching the opts dictionary is to defer to environment variables if they exist or otherwise fetch the config from the default location. salt.config.client_config(path, env_var='SALT_CLIENT_CONFIG', defaults=None) Load Master configuration data Usage: import salt.config master_opts = salt.config.client_config('/etc/salt/master') Returns a dictionary of the Salt Master configuration file with necessary options needed to communicate with a locally-running Salt Master daemon. This function searches for client specific configurations and adds them to the data from the master configuration. This is useful for master-side operations like LocalClient. salt.config.minion_config(path, env_var='SALT_MINION_CONFIG', defaults=None, cache_minion_id=False) Reads in the minion configuration file and sets up special options This is useful for Minion-side operations, such as the Caller class, and manually running the loader interface. import salt.client minion_opts = salt.config.minion_config('/etc/salt/minion') Salt's Loader Interface Modules in the Salt ecosystem are loaded into memory using a custom loader system. This allows modules to have conditional requirements (OS, OS version, installed libraries, etc) and allows Salt to inject special variables (__salt__, __opts__, etc). Most modules can be manually loaded. This is often useful in third-party Python apps or when writing tests. However some modules require and expect a full, running Salt system underneath. Notably modules that facilitate master-to-minion communication such as the mine, publish, and peer execution modules. The error KeyError: 'master_uri' is a likely indicator for this situation. In those instances use the Caller class to execute those modules instead. Each module type has a corresponding loader function. salt.loader.minion_mods(opts, context=None, utils=None, whitelist=None, include_errors=False, initial_load=False, loaded_base_name=None, notify=False, proxy=None) Load execution modules Returns a dictionary of execution modules appropriate for the current system by evaluating the __virtual__() function in each module. Parameters • opts (dict) -- The Salt options dictionary • context (dict) -- A Salt context that should be made present inside generated modules in __context__ • utils (dict) -- Utility functions which should be made available to Salt modules in __utils__. See utils_dir in salt.config for additional information about configuration. • whitelist (list) -- A list of modules which should be whitelisted. • include_errors (bool) -- Deprecated flag! Unused. • initial_load (bool) -- Deprecated flag! Unused. • loaded_base_name (str) -- A string marker for the loaded base name. • notify (bool) -- Flag indicating that an event should be fired upon completion of module loading. import salt.config import salt.loader __opts__ = salt.config.minion_config('/etc/salt/minion') __grains__ = salt.loader.grains(__opts__) __opts__['grains'] = __grains__ __salt__ = salt.loader.minion_mods(__opts__) __salt__['test.ping']() salt.loader.raw_mod(opts, name, functions, mod='modules') Returns a single module loaded raw and bypassing the __virtual__ function import salt.config import salt.loader __opts__ = salt.config.minion_config('/etc/salt/minion') testmod = salt.loader.raw_mod(__opts__, 'test', None) testmod['test.ping']() salt.loader.states(opts, functions, utils, whitelist=None) Returns the state modules Parameters • opts (dict) -- The Salt options dictionary • functions (dict) -- A dictionary of minion modules, with module names as keys and funcs as values. import salt.config import salt.loader __opts__ = salt.config.minion_config('/etc/salt/minion') statemods = salt.loader.states(__opts__, None, None) salt.loader.grains(opts, force_refresh=False, proxy=None) Return the functions for the dynamic grains and the values for the static grains. import salt.config import salt.loader __opts__ = salt.config.minion_config('/etc/salt/minion') __grains__ = salt.loader.grains(__opts__) print __grains__['id'] salt.loader.grain_funcs(opts) Returns the grain functions import salt.config import salt.loader __opts__ = salt.config.minion_config('/etc/salt/minion') grainfuncs = salt.loader.grain_funcs(__opts__) Salt's Client Interfaces LocalClient class salt.client.LocalClient(c_path='/etc/salt/master', mopts=None, skip_perm_errors=False) The interface used by the salt CLI tool on the Salt Master LocalClient is used to send a command to Salt minions to execute execution modules and return the results to the Salt Master. Importing and using LocalClient must be done on the same machine as the Salt Master and it must be done using the same user that the Salt Master is running as. (Unless external_auth is configured and authentication credentials are included in the execution). import salt.client local = salt.client.LocalClient() local.cmd('*', 'test.fib', [10]) cmd(tgt, fun, arg=(), timeout=None, expr_form='glob', ret='', jid='', kwarg=None, **kwargs) Synchronously execute a command on targeted minions The cmd method will execute and wait for the timeout period for all minions to reply, then it will return all minion data at once. >>> import salt.client >>> local = salt.client.LocalClient() >>> local.cmd('*', 'cmd.run', ['whoami']) {'jerry': 'root'} With extra keyword arguments for the command function to be run: local.cmd('*', 'test.arg', ['arg1', 'arg2'], kwarg={'foo': 'bar'}) Compound commands can be used for multiple executions in a single publish. Function names and function arguments are provided in separate lists but the index values must correlate and an empty list must be used if no arguments are required. >>> local.cmd('*', [ 'grains.items', 'sys.doc', 'cmd.run', ], [ [], [], ['uptime'], ]) Parameters • tgt (string or list) -- Which minions to target for the execution. Default is shell glob. Modified by the expr_form option. • fun (string or list of strings) -- The module and function to call on the specified minions of the form module.function. For example test.ping or grains.items. Compound commands Multiple functions may be called in a single publish by passing a list of commands. This can dramatically lower overhead and speed up the application communicating with Salt. This requires that the arg param is a list of lists. The fun list and the arg list must correlate by index meaning a function that does not take arguments must still have a corresponding empty list at the expected index. • arg (list or list-of-lists) -- A list of arguments to pass to the remote function. If the function takes no arguments arg may be omitted except when executing a compound command. • timeout -- Seconds to wait after the last minion returns but before all minions return. • expr_form -- The type of tgt. Allowed values: • glob - Bash glob completion - Default • pcre - Perl style regular expression • list - Python list of hosts • grain - Match based on a grain comparison • grain_pcre - Grain comparison with a regex • pillar - Pillar data comparison • pillar_pcre - Pillar data comparison with a regex • nodegroup - Match on nodegroup • range - Use a Range server for matching • compound - Pass a compound match string • ret -- The returner to use. The value passed can be single returner, or a comma delimited list of returners to call in order on the minions • kwarg -- A dictionary with keyword arguments for the function. • kwargs -- Optional keyword arguments. Authentication credentials may be passed when using external_auth. For example: local.cmd('*', 'test.ping', username='saltdev', password='saltdev', eauth='pam'). Or: local.cmd('*', 'test.ping', token='5871821ea51754fdcea8153c1c745433') Returns A dictionary with the result of the execution, keyed by minion ID. A compound command will return a sub-dictionary keyed by function name. cmd_async(tgt, fun, arg=(), expr_form='glob', ret='', jid='', kwarg=None, **kwargs) Asynchronously send a command to connected minions The function signature is the same as cmd() with the following exceptions. Returns A job ID or 0 on failure. >>> local.cmd_async('*', 'test.sleep', [300]) '20131219215921857715' cmd_batch(tgt, fun, arg=(), expr_form='glob', ret='', kwarg=None, batch='10%', **kwargs) Iteratively execute a command on subsets of minions at a time The function signature is the same as cmd() with the following exceptions. Parameters batch -- The batch identifier of systems to execute on Returns A generator of minion returns >>> returns = local.cmd_batch('*', 'state.highstate', bat='10%') >>> for ret in returns: ... print(ret) {'jerry': {...}} {'dave': {...}} {'stewart': {...}} cmd_iter(tgt, fun, arg=(), timeout=None, expr_form='glob', ret='', kwarg=None, **kwargs) Yields the individual minion returns as they come in The function signature is the same as cmd() with the following exceptions. Returns A generator yielding the individual minion returns >>> ret = local.cmd_iter('*', 'test.ping') >>> for i in ret: ... print(i) {'jerry': {'ret': True}} {'dave': {'ret': True}} {'stewart': {'ret': True}} cmd_iter_no_block(tgt, fun, arg=(), timeout=None, expr_form='glob', ret='', kwarg=None, **kwargs) Yields the individual minion returns as they come in, or None when no returns are available. The function signature is the same as cmd() with the following exceptions. Returns A generator yielding the individual minion returns, or None when no returns are available. This allows for actions to be injected in between minion returns. >>> ret = local.cmd_iter_no_block('*', 'test.ping') >>> for i in ret: ... print(i) None {'jerry': {'ret': True}} {'dave': {'ret': True}} None {'stewart': {'ret': True}} cmd_subset(tgt, fun, arg=(), expr_form='glob', ret='', kwarg=None, sub=3, cli=False, progress=False, **kwargs) Execute a command on a random subset of the targeted systems The function signature is the same as cmd() with the following exceptions. Parameters sub -- The number of systems to execute on >>> SLC.cmd_subset('*', 'test.ping', sub=1) {'jerry': True} get_cli_returns(jid, minions, timeout=None, tgt='*', tgt_type='glob', verbose=False, show_jid=False, **kwargs) Starts a watcher looking at the return data for a specified JID Returns all of the information for the JID get_event_iter_returns(jid, minions, timeout=None) Gather the return data from the event system, break hard when timeout is reached. run_job(tgt, fun, arg=(), expr_form='glob', ret='', timeout=None, jid='', kwarg=None, **kwargs) Asynchronously send a command to connected minions Prep the job directory and publish a command to any targeted minions. Returns A dictionary of (validated) pub_data or an empty dictionary on failure. The pub_data contains the job ID and a list of all minions that are expected to return data. >>> local.run_job('*', 'test.sleep', [300]) {'jid': '20131219215650131543', 'minions': ['jerry']} Salt Caller class salt.client.Caller(c_path='/etc/salt/minion', mopts=None) Caller is the same interface used by the salt-call command-line tool on the Salt Minion. Changed in version 2015.8.0: Added the cmd method for consistency with the other Salt clients. The existing function and sminion.functions interfaces still exist but have been removed from the docs. Importing and using Caller must be done on the same machine as a Salt Minion and it must be done using the same user that the Salt Minion is running as. Usage: import salt.client caller = salt.client.Caller() caller.cmd('test.ping') Note, a running master or minion daemon is not required to use this class. Running salt-call --local simply sets file_client to 'local'. The same can be achieved at the Python level by including that setting in a minion config file. New in version 2014.7.0: Pass the minion config as the mopts dictionary. import salt.client import salt.config __opts__ = salt.config.minion_config('/etc/salt/minion') __opts__['file_client'] = 'local' caller = salt.client.Caller(mopts=__opts__) cmd(fun, *args, **kwargs) Call an execution module with the given arguments and keyword arguments Changed in version 2015.8.0: Added the cmd method for consistency with the other Salt clients. The existing function and sminion.functions interfaces still exist but have been removed from the docs. caller.cmd('test.arg', 'Foo', 'Bar', baz='Baz') caller.cmd('event.send', 'myco/myevent/something', data={'foo': 'Foo'}, with_env=['GIT_COMMIT'], with_grains=True) RunnerClient class salt.runner.RunnerClient(opts) The interface used by the salt-run CLI tool on the Salt Master It executes runner modules which run on the Salt Master. Importing and using RunnerClient must be done on the same machine as the Salt Master and it must be done using the same user that the Salt Master is running as. Salt's external_auth can be used to authenticate calls. The eauth user must be authorized to execute runner modules: (@runner). Only the master_call() below supports eauth. async(fun, low, user='UNKNOWN') Execute the function in a multiprocess and return the event tag to use to watch for the return cmd(fun, arg=None, pub_data=None, kwarg=None) Execute a function >>> opts = salt.config.master_config('/etc/salt/master') >>> runner = salt.runner.RunnerClient(opts) >>> runner.cmd('jobs.list_jobs', []) { '20131219215650131543': { 'Arguments': [300], 'Function': 'test.sleep', 'StartTime': '2013, Dec 19 21:56:50.131543', 'Target': '*', 'Target-type': 'glob', 'User': 'saltdev' }, '20131219215921857715': { 'Arguments': [300], 'Function': 'test.sleep', 'StartTime': '2013, Dec 19 21:59:21.857715', 'Target': '*', 'Target-type': 'glob', 'User': 'saltdev' }, } cmd_async(low) Execute a runner function asynchronously; eauth is respected This function requires that external_auth is configured and the user is authorized to execute runner functions: (@runner). runner.eauth_async({ 'fun': 'jobs.list_jobs', 'username': 'saltdev', 'password': 'saltdev', 'eauth': 'pam', }) cmd_sync(low, timeout=None) Execute a runner function synchronously; eauth is respected This function requires that external_auth is configured and the user is authorized to execute runner functions: (@runner). runner.eauth_sync({ 'fun': 'jobs.list_jobs', 'username': 'saltdev', 'password': 'saltdev', 'eauth': 'pam', }) WheelClient class salt.wheel.WheelClient(opts=None) An interface to Salt's wheel modules Wheel modules interact with various parts of the Salt Master. Importing and using WheelClient must be done on the same machine as the Salt Master and it must be done using the same user that the Salt Master is running as. Unless external_auth is configured and the user is authorized to execute wheel functions: (@wheel). Usage: import salt.config import salt.wheel opts = salt.config.master_config('/etc/salt/master') wheel = salt.wheel.WheelClient(opts) async(fun, low, user='UNKNOWN') Execute the function in a multiprocess and return the event tag to use to watch for the return cmd(fun, arg=None, pub_data=None, kwarg=None) Execute a function >>> wheel.cmd('key.finger', ['jerry']) {'minions': {'jerry': '5d:f6:79:43:5e:d4:42:3f:57:b8:45:a8:7e:a4:6e:ca'}} cmd_async(low) Execute a function asynchronously; eauth is respected This function requires that external_auth is configured and the user is authorized >>> wheel.cmd_async({ 'fun': 'key.finger', 'match': 'jerry', 'eauth': 'auto', 'username': 'saltdev', 'password': 'saltdev', }) {'jid': '20131219224744416681', 'tag': 'salt/wheel/20131219224744416681'} cmd_sync(low, timeout=None) Execute a wheel function synchronously; eauth is respected This function requires that external_auth is configured and the user is authorized to execute runner functions: (@wheel). >>> wheel.cmd_sync({ 'fun': 'key.finger', 'match': 'jerry', 'eauth': 'auto', 'username': 'saltdev', 'password': 'saltdev', }) {'minions': {'jerry': '5d:f6:79:43:5e:d4:42:3f:57:b8:45:a8:7e:a4:6e:ca'}} CloudClient class salt.cloud.CloudClient(path=None, opts=None, config_dir=None, pillars=None) The client class to wrap cloud interactions action(fun=None, cloudmap=None, names=None, provider=None, instance=None, kwargs=None) Execute a single action via the cloud plugin backend Examples: client.action(fun='show_instance', names=['myinstance']) client.action(fun='show_image', provider='my-ec2-config', kwargs={'image': 'ami-10314d79'} ) create(provider, names, **kwargs) Create the named VMs, without using a profile Example: client.create(names=['myinstance'], provider='my-ec2-config', kwargs={'image': 'ami-1624987f', 'size': 't1.micro', 'ssh_username': 'ec2-user', 'securitygroup': 'default', 'delvol_on_destroy': True}) destroy(names) Destroy the named VMs extra_action(names, provider, action, **kwargs) Perform actions with block storage devices Example: client.extra_action(names=['myblock'], action='volume_create', provider='my-nova', kwargs={'voltype': 'SSD', 'size': 1000} ) client.extra_action(names=['salt-net'], action='network_create', provider='my-nova', kwargs={'cidr': '192.168.100.0/24'} ) full_query(query_type='list_nodes_full') Query all instance information list_images(provider=None) List all available images in configured cloud systems list_locations(provider=None) List all available locations in configured cloud systems list_sizes(provider=None) List all available sizes in configured cloud systems low(fun, low) Pass the cloud function and low data structure to run map_run(path, **kwargs) Pass in a location for a map to execute min_query(query_type='list_nodes_min') Query select instance information profile(profile, names, vm_overrides=None, **kwargs) Pass in a profile to create, names is a list of vm names to allocate vm_overrides is a special dict that will be per node options overrides Example: >>> client= salt.cloud.CloudClient(path='/etc/salt/cloud') >>> client.profile('do_512_git', names=['minion01',]) {'minion01': {u'backups_active': 'False', u'created_at': '2014-09-04T18:10:15Z', u'droplet': {u'event_id': 31000502, u'id': 2530006, u'image_id': 5140006, u'name': u'minion01', u'size_id': 66}, u'id': '2530006', u'image_id': '5140006', u'ip_address': '107.XXX.XXX.XXX', u'locked': 'True', u'name': 'minion01', u'private_ip_address': None, u'region_id': '4', u'size_id': '66', u'status': 'new'}} query(query_type='list_nodes') Query basic instance information select_query(query_type='list_nodes_select') Query select instance information SSHClient class salt.client.ssh.client.SSHClient(c_path='/etc/salt/master', mopts=None) Create a client object for executing routines via the salt-ssh backend New in version 2015.5.0. cmd(tgt, fun, arg=(), timeout=None, expr_form='glob', kwarg=None, **kwargs) Execute a single command via the salt-ssh subsystem and return all routines at once New in version 2015.5.0. cmd_iter(tgt, fun, arg=(), timeout=None, expr_form='glob', ret='', kwarg=None, **kwargs) Execute a single command via the salt-ssh subsystem and return a generator New in version 2015.5.0. Full list of Salt Cloud modules ┌──────────────┬──────────────────────────────────┐ │aliyun │ AliYun ECS Cloud Module │ ├──────────────┼──────────────────────────────────┤ │botocore_aws │ The AWS Cloud Module │ ├──────────────┼──────────────────────────────────┤ │cloudstack │ CloudStack Cloud Module │ ├──────────────┼──────────────────────────────────┤ │digital_ocean │ DigitalOcean Cloud Module │ ├──────────────┼──────────────────────────────────┤ │ec2 │ The EC2 Cloud Module │ ├──────────────┼──────────────────────────────────┤ │gce │ Copyright 2013 Google Inc. │ ├──────────────┼──────────────────────────────────┤ │gogrid │ GoGrid Cloud Module │ ├──────────────┼──────────────────────────────────┤ │joyent │ Joyent Cloud Module │ ├──────────────┼──────────────────────────────────┤ │libcloud_aws │ The AWS Cloud Module │ ├──────────────┼──────────────────────────────────┤ │linode │ Linode Cloud Module using │ │ │ Linode's REST API │ ├──────────────┼──────────────────────────────────┤ │lxc │ Install Salt on an LXC Container │ ├──────────────┼──────────────────────────────────┤ │msazure │ Azure Cloud Module │ ├──────────────┼──────────────────────────────────┤ │nova │ OpenStack Nova Cloud Module │ ├──────────────┼──────────────────────────────────┤ │opennebula │ OpenNebula Cloud Module │ ├──────────────┼──────────────────────────────────┤ │openstack │ OpenStack Cloud Module │ ├──────────────┼──────────────────────────────────┤ │parallels │ Parallels Cloud Module │ ├──────────────┼──────────────────────────────────┤ │proxmox │ Proxmox Cloud Module │ ├──────────────┼──────────────────────────────────┤ │pyrax │ Pyrax Cloud Module │ ├──────────────┼──────────────────────────────────┤ │rackspace │ Rackspace Cloud Module │ ├──────────────┼──────────────────────────────────┤ │saltify │ Saltify Module │ ├──────────────┼──────────────────────────────────┤ │softlayer │ SoftLayer Cloud Module │ ├──────────────┼──────────────────────────────────┤ │softlayer_hw │ SoftLayer HW Cloud Module │ ├──────────────┼──────────────────────────────────┤ │vmware │ VMware Cloud Module │ ├──────────────┼──────────────────────────────────┤ │vsphere │ vSphere Cloud Module │ └──────────────┴──────────────────────────────────┘ salt.cloud.clouds.aliyun AliYun ECS Cloud Module New in version 2014.7.0. The Aliyun cloud module is used to control access to the aliyun ECS. http://www.aliyun.com/ Use of this module requires the id and key parameter to be set. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/aliyun.conf: my-aliyun-config: # aliyun Access Key ID id: wFGEwgregeqw3435gDger # aliyun Access Key Secret key: GDE43t43REGTrkilg43934t34qT43t4dgegerGEgg location: cn-qingdao driver: aliyun depends requests salt.cloud.clouds.aliyun.avail_images(kwargs=None, call=None) Return a list of the images that are on the provider salt.cloud.clouds.aliyun.avail_locations(call=None) Return a dict of all available VM locations on the cloud provider with relevant data salt.cloud.clouds.aliyun.avail_sizes(call=None) Return a list of the image sizes that are on the provider salt.cloud.clouds.aliyun.create(vm_) Create a single VM from a data dict salt.cloud.clouds.aliyun.create_node(kwargs) Convenience function to make the rest api call for node creation. salt.cloud.clouds.aliyun.destroy(name, call=None) Destroy a node. CLI Example: salt-cloud -a destroy myinstance salt-cloud -d myinstance salt.cloud.clouds.aliyun.get_configured_provider() Return the first configured instance. salt.cloud.clouds.aliyun.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.aliyun.get_image(vm_) Return the image object to use salt.cloud.clouds.aliyun.get_location(vm_=None) Return the aliyun region to use, in this order: • CLI parameter • VM parameter • Cloud profile setting salt.cloud.clouds.aliyun.get_securitygroup(vm_) Return the security group salt.cloud.clouds.aliyun.get_size(vm_) Return the VM's size. Used by create_node(). salt.cloud.clouds.aliyun.list_availability_zones(call=None) List all availability zones in the current region salt.cloud.clouds.aliyun.list_monitor_data(kwargs=None, call=None) Get monitor data of the instance. If instance name is missing, will show all the instance monitor data on the region. CLI Examples: salt-cloud -f list_monitor_data aliyun salt-cloud -f list_monitor_data aliyun name=AY14051311071990225bd salt.cloud.clouds.aliyun.list_nodes(call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.aliyun.list_nodes_full(call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.aliyun.list_nodes_min(call=None) Return a list of the VMs that are on the provider. Only a list of VM names, and their state, is returned. This is the minimum amount of information needed to check for existing VMs. salt.cloud.clouds.aliyun.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.aliyun.list_securitygroup(call=None) Return a list of security group salt.cloud.clouds.aliyun.query(params=None) Make a web call to aliyun ECS REST API salt.cloud.clouds.aliyun.reboot(name, call=None) Reboot a node CLI Examples: salt-cloud -a reboot myinstance salt.cloud.clouds.aliyun.script(vm_) Return the script deployment object salt.cloud.clouds.aliyun.show_disk(name, call=None) Show the disk details of the instance CLI Examples: salt-cloud -a show_disk aliyun myinstance salt.cloud.clouds.aliyun.show_image(kwargs, call=None) Show the details from aliyun image salt.cloud.clouds.aliyun.show_instance(name, call=None) Show the details from aliyun instance salt.cloud.clouds.aliyun.start(name, call=None) Start a node CLI Examples: salt-cloud -a start myinstance salt.cloud.clouds.aliyun.stop(name, force=False, call=None) Stop a node CLI Examples: salt-cloud -a stop myinstance salt-cloud -a stop myinstance force=True salt.cloud.clouds.botocore_aws The AWS Cloud Module The AWS cloud module is used to interact with the Amazon Web Services system. This module has been replaced by the EC2 cloud module, and is no longer supported. The documentation shown here is for reference only; it is highly recommended to change all usages of this driver over to the EC2 driver. If this driver is still needed, set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/aws.conf: my-aws-botocore-config: # The AWS API authentication id id: GKTADJGHEIQSXMKKRBJ08H # The AWS API authentication key key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs # The ssh keyname to use keyname: default # The amazon security group securitygroup: ssh_open # The location of the private key which corresponds to the keyname private_key: /root/default.pem driver: aws salt.cloud.clouds.botocore_aws.disable_term_protect(name, call=None) Disable termination protection on a node CLI Example: salt-cloud -a disable_term_protect mymachine salt.cloud.clouds.botocore_aws.enable_term_protect(name, call=None) Enable termination protection on a node CLI Example: salt-cloud -a enable_term_protect mymachine salt.cloud.clouds.botocore_aws.get_configured_provider() Return the first configured instance. salt.cloud.clouds.botocore_aws.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.cloudstack CloudStack Cloud Module The CloudStack cloud module is used to control access to a CloudStack based Public Cloud. depends libcloud >= 0.15 Use of this module requires the apikey, secretkey, host and path parameters. my-cloudstack-cloud-config: apikey: <your api key > secretkey: <your secret key > host: localhost path: /client/api driver: cloudstack salt.cloud.clouds.cloudstack.avail_images(conn=None, call=None) Return a dict of all available VM images on the cloud provider with relevant data salt.cloud.clouds.cloudstack.avail_locations(conn=None, call=None) Return a dict of all available VM locations on the cloud provider with relevant data salt.cloud.clouds.cloudstack.avail_sizes(conn=None, call=None) Return a dict of all available VM images on the cloud provider with relevant data salt.cloud.clouds.cloudstack.block_device_mappings(vm_) Return the block device mapping: [{'DeviceName': '/dev/sdb', 'VirtualName': 'ephemeral0'}, {'DeviceName': '/dev/sdc', 'VirtualName': 'ephemeral1'}] salt.cloud.clouds.cloudstack.cloudstack_displayname(vm_) Return display name of VM: :: "minion1" salt.cloud.clouds.cloudstack.create(vm_) Create a single VM from a data dict salt.cloud.clouds.cloudstack.destroy(name, conn=None, call=None) Delete a single VM, and all of its volumes salt.cloud.clouds.cloudstack.get_configured_provider() Return the first configured instance. salt.cloud.clouds.cloudstack.get_conn() Return a conn object for the passed VM data salt.cloud.clouds.cloudstack.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.cloudstack.get_image(conn, vm_) Return the image object to use salt.cloud.clouds.cloudstack.get_ip(data) Return the IP address of the VM If the VM has public IP as defined by libcloud module then use it Otherwise try to extract the private IP and use that one. salt.cloud.clouds.cloudstack.get_key() Returns the ssh private key for VM access salt.cloud.clouds.cloudstack.get_keypair(vm_) Return the keypair to use salt.cloud.clouds.cloudstack.get_location(conn, vm_) Return the node location to use salt.cloud.clouds.cloudstack.get_networkid(vm_) Return the networkid to use, only valid for Advanced Zone salt.cloud.clouds.cloudstack.get_node(conn, name) Return a libcloud node for the named VM salt.cloud.clouds.cloudstack.get_password(vm_) Return the password to use salt.cloud.clouds.cloudstack.get_project(conn, vm_) Return the project to use. salt.cloud.clouds.cloudstack.get_size(conn, vm_) Return the VM's size object salt.cloud.clouds.cloudstack.list_nodes(conn=None, call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.cloudstack.list_nodes_full(conn=None, call=None) Return a list of the VMs that are on the provider, with all fields salt.cloud.clouds.cloudstack.list_nodes_select(conn=None, call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.cloudstack.script(vm_) Return the script deployment object salt.cloud.clouds.cloudstack.show_instance(name, call=None) Show the details from the provider concerning an instance salt.cloud.clouds.digital_ocean DigitalOcean Cloud Module The DigitalOcean cloud module is used to control access to the DigitalOcean VPS system. Use of this module requires a requires a personal_access_token, an ssh_key_file, and at least one SSH key name in ssh_key_names. More ssh_key_names can be added by separating each key with a comma. The personal_access_token can be found in the DigitalOcean web interface in the "Apps & API" section. The SSH key name can be found under the "SSH Keys" section. # Note: This example is for /etc/salt/cloud.providers or any file in the # /etc/salt/cloud.providers.d/ directory. my-digital-ocean-config: personal_access_token: xxx ssh_key_file: /path/to/ssh/key/file ssh_key_names: my-key-name,my-key-name-2 driver: digital_ocean depends requests salt.cloud.clouds.digital_ocean.avail_images(call=None) Return a list of the images that are on the provider salt.cloud.clouds.digital_ocean.avail_locations(call=None) Return a dict of all available VM locations on the cloud provider with relevant data salt.cloud.clouds.digital_ocean.avail_sizes(call=None) Return a list of the image sizes that are on the provider salt.cloud.clouds.digital_ocean.create(vm_) Create a single VM from a data dict salt.cloud.clouds.digital_ocean.create_dns_record(hostname, ip_address) Creates a DNS record for the given hostname if the domain is managed with DO. salt.cloud.clouds.digital_ocean.create_key(kwargs=None, call=None) Upload a public key salt.cloud.clouds.digital_ocean.create_node(args) Create a node salt.cloud.clouds.digital_ocean.delete_dns_record(hostname) Deletes a DNS for the given hostname if the domain is managed with DO. salt.cloud.clouds.digital_ocean.destroy(name, call=None) Destroy a node. Will check termination protection and warn if enabled. CLI Example: salt-cloud --destroy mymachine salt.cloud.clouds.digital_ocean.get_configured_provider() Return the first configured instance. salt.cloud.clouds.digital_ocean.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.digital_ocean.get_image(vm_) Return the image object to use salt.cloud.clouds.digital_ocean.get_keyid(keyname) Return the ID of the keyname salt.cloud.clouds.digital_ocean.get_location(vm_) Return the VM's location salt.cloud.clouds.digital_ocean.get_size(vm_) Return the VM's size. Used by create_node(). salt.cloud.clouds.digital_ocean.list_keypairs(call=None) Return a dict of all available VM locations on the cloud provider with relevant data salt.cloud.clouds.digital_ocean.list_nodes(call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.digital_ocean.list_nodes_full(call=None, for_output=True) Return a list of the VMs that are on the provider salt.cloud.clouds.digital_ocean.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.digital_ocean.query(method='droplets', droplet_id=None, command=None, args=None, http_method='get') Make a web call to DigitalOcean salt.cloud.clouds.digital_ocean.reboot(name, call=None) Reboot a droplet in DigitalOcean. New in version 2015.8.8. name The name of the droplet to restart. CLI Example: salt-cloud -a reboot droplet_name salt.cloud.clouds.digital_ocean.remove_key(kwargs=None, call=None) Delete public key salt.cloud.clouds.digital_ocean.script(vm_) Return the script deployment object salt.cloud.clouds.digital_ocean.show_instance(name, call=None) Show the details from DigitalOcean concerning a droplet salt.cloud.clouds.digital_ocean.show_keypair(kwargs=None, call=None) Show the details of an SSH keypair salt.cloud.clouds.digital_ocean.show_pricing(kwargs=None, call=None) Show pricing for a particular profile. This is only an estimate, based on unofficial pricing sources. New in version 2015.8.0. CLI Examples: salt-cloud -f show_pricing my-digitalocean-config profile=my-profile salt.cloud.clouds.digital_ocean.start(name, call=None) Start a droplet in DigitalOcean. New in version 2015.8.8. name The name of the droplet to start. CLI Example: salt-cloud -a start droplet_name salt.cloud.clouds.digital_ocean.stop(name, call=None) Stop a droplet in DigitalOcean. New in version 2015.8.8. name The name of the droplet to stop. CLI Example: salt-cloud -a stop droplet_name salt.cloud.clouds.ec2 The EC2 Cloud Module The EC2 cloud module is used to interact with the Amazon Elastic Cloud Computing. To use the EC2 cloud module, set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/ec2.conf: my-ec2-config: # The EC2 API authentication id, set this and/or key to # 'use-instance-role-credentials' to use the instance role credentials # from the meta-data if running on an AWS instance id: GKTADJGHEIQSXMKKRBJ08H # The EC2 API authentication key, set this and/or id to # 'use-instance-role-credentials' to use the instance role credentials # from the meta-data if running on an AWS instance key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs # The ssh keyname to use keyname: default # The amazon security group securitygroup: ssh_open # The location of the private key which corresponds to the keyname private_key: /root/default.pem # Be default, service_url is set to amazonaws.com. If you are using this # driver for something other than Amazon EC2, change it here: service_url: amazonaws.com # The endpoint that is ultimately used is usually formed using the region # and the service_url. If you would like to override that entirely, you # can explicitly define the endpoint: endpoint: myendpoint.example.com:1138/services/Cloud # SSH Gateways can be used with this provider. Gateways can be used # when a salt-master is not on the same private network as the instance # that is being deployed. # Defaults to None # Required ssh_gateway: gateway.example.com # Defaults to port 22 # Optional ssh_gateway_port: 22 # Defaults to root # Optional ssh_gateway_username: root # One authentication method is required. If both # are specified, Private key wins. # Private key defaults to None ssh_gateway_private_key: /path/to/key.pem # Password defaults to None ssh_gateway_password: ExamplePasswordHere driver: ec2 # Pass userdata to the instance to be created userdata_file: /etc/salt/my-userdata-file depends requests salt.cloud.clouds.ec2.attach_volume(name=None, kwargs=None, instance_id=None, call=None) Attach a volume to an instance salt.cloud.clouds.ec2.avail_images(kwargs=None, call=None) Return a dict of all available VM images on the cloud provider. salt.cloud.clouds.ec2.avail_locations(call=None) List all available locations salt.cloud.clouds.ec2.avail_sizes(call=None) Return a dict of all available VM sizes on the cloud provider with relevant data. Latest version can be found at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html salt.cloud.clouds.ec2.block_device_mappings(vm_) Return the block device mapping: [{'DeviceName': '/dev/sdb', 'VirtualName': 'ephemeral0'}, {'DeviceName': '/dev/sdc', 'VirtualName': 'ephemeral1'}] salt.cloud.clouds.ec2.copy_snapshot(kwargs=None, call=None) Copy a snapshot salt.cloud.clouds.ec2.create(vm_=None, call=None) Create a single VM from a data dict salt.cloud.clouds.ec2.create_attach_volumes(name, kwargs, call=None, wait_to_finish=True) Create and attach volumes to created node salt.cloud.clouds.ec2.create_keypair(kwargs=None, call=None) Create an SSH keypair salt.cloud.clouds.ec2.create_snapshot(kwargs=None, call=None, wait_to_finish=False) Create a snapshot. volume_id The ID of the Volume from which to create a snapshot. description The optional description of the snapshot. CLI Exampe: salt-cloud -f create_snapshot my-ec2-config volume_id=vol-351d8826 salt-cloud -f create_snapshot my-ec2-config volume_id=vol-351d8826 \ description="My Snapshot Description" salt.cloud.clouds.ec2.create_volume(kwargs=None, call=None, wait_to_finish=False) Create a volume CLI Examples: salt-cloud -f create_volume my-ec2-config zone=us-east-1b salt-cloud -f create_volume my-ec2-config zone=us-east-1b tags='{"tag1": "val1", "tag2", "val2"}' salt.cloud.clouds.ec2.del_tags(name=None, kwargs=None, call=None, instance_id=None, resource_id=None) Delete tags for a resource. Normally a VM name or instance_id is passed in, but a resource_id may be passed instead. If both are passed in, the instance_id will be used. CLI Examples: salt-cloud -a del_tags mymachine tags=mytag, salt-cloud -a del_tags mymachine tags=tag1,tag2,tag3 salt-cloud -a del_tags resource_id=vol-3267ab32 tags=tag1,tag2,tag3 salt.cloud.clouds.ec2.delete_keypair(kwargs=None, call=None) Delete an SSH keypair salt.cloud.clouds.ec2.delete_snapshot(kwargs=None, call=None) Delete a snapshot salt.cloud.clouds.ec2.delete_volume(name=None, kwargs=None, instance_id=None, call=None) Delete a volume salt.cloud.clouds.ec2.delvol_on_destroy(name, kwargs=None, call=None) Delete all/specified EBS volumes upon instance termination CLI Example: salt-cloud -a delvol_on_destroy mymachine salt.cloud.clouds.ec2.describe_snapshots(kwargs=None, call=None) Describe a snapshot (or snapshots) snapshot_id One or more snapshot IDs. Multiple IDs must be separated by ",". owner Return the snapshots owned by the specified owner. Valid values include: self, amazon, <AWS Account ID>. Multiple values must be separated by ",". restorable_by One or more AWS accounts IDs that can create volumes from the snapshot. Multiple aws account IDs must be separated by ",". TODO: Add all of the filters. salt.cloud.clouds.ec2.describe_volumes(kwargs=None, call=None) Describe a volume (or volumes) volume_id One or more volume IDs. Multiple IDs must be separated by ",". TODO: Add all of the filters. salt.cloud.clouds.ec2.destroy(name, call=None) Destroy a node. Will check termination protection and warn if enabled. CLI Example: salt-cloud --destroy mymachine salt.cloud.clouds.ec2.detach_volume(name=None, kwargs=None, instance_id=None, call=None) Detach a volume from an instance salt.cloud.clouds.ec2.disable_term_protect(name, call=None) Disable termination protection on a node CLI Example: salt-cloud -a disable_term_protect mymachine salt.cloud.clouds.ec2.enable_term_protect(name, call=None) Enable termination protection on a node CLI Example: salt-cloud -a enable_term_protect mymachine salt.cloud.clouds.ec2.get_availability_zone(vm_) Return the availability zone to use salt.cloud.clouds.ec2.get_configured_provider() Return the first configured instance. salt.cloud.clouds.ec2.get_console_output(name=None, location=None, instance_id=None, call=None, kwargs=None) Show the console output from the instance. By default, returns decoded data, not the Base64-encoded data that is actually returned from the EC2 API. salt.cloud.clouds.ec2.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.ec2.get_location(vm_=None) Return the EC2 region to use, in this order: • CLI parameter • VM parameter • Cloud profile setting salt.cloud.clouds.ec2.get_password_data(name=None, kwargs=None, instance_id=None, call=None) Return password data for a Windows instance. By default only the encrypted password data will be returned. However, if a key_file is passed in, then a decrypted password will also be returned. Note that the key_file references the private key that was used to generate the keypair associated with this instance. This private key will _not_ be transmitted to Amazon; it is only used internally inside of Salt Cloud to decrypt data _after_ it has been received from Amazon. CLI Examples: salt-cloud -a get_password_data mymachine salt-cloud -a get_password_data mymachine key_file=/root/ec2key.pem Note: PKCS1_v1_5 was added in PyCrypto 2.5 salt.cloud.clouds.ec2.get_placementgroup(vm_) Returns the PlacementGroup to use salt.cloud.clouds.ec2.get_provider(vm_=None) Extract the provider name from vm salt.cloud.clouds.ec2.get_spot_config(vm_) Returns the spot instance configuration for the provided vm salt.cloud.clouds.ec2.get_ssh_gateway_config(vm_) Return the ssh_gateway configuration. salt.cloud.clouds.ec2.get_subnetid(vm_) Returns the SubnetId to use salt.cloud.clouds.ec2.get_tags(name=None, instance_id=None, call=None, location=None, kwargs=None, resource_id=None) Retrieve tags for a resource. Normally a VM name or instance_id is passed in, but a resource_id may be passed instead. If both are passed in, the instance_id will be used. CLI Examples: salt-cloud -a get_tags mymachine salt-cloud -a get_tags resource_id=vol-3267ab32 salt.cloud.clouds.ec2.get_tenancy(vm_) Returns the Tenancy to use. Can be "dedicated" or "default". Cannot be present for spot instances. salt.cloud.clouds.ec2.iam_profile(vm_) Return the IAM profile. The IAM instance profile to associate with the instances. This is either the Amazon Resource Name (ARN) of the instance profile or the name of the role. Type: String Default: None Required: No Example: arn:aws:iam::111111111111:instance-profile/s3access Example: s3access salt.cloud.clouds.ec2.import_keypair(kwargs=None, call=None) Import an SSH public key salt.cloud.clouds.ec2.keepvol_on_destroy(name, kwargs=None, call=None) Do not delete all/specified EBS volumes upon instance termination CLI Example: salt-cloud -a keepvol_on_destroy mymachine salt.cloud.clouds.ec2.keyname(vm_) Return the keyname salt.cloud.clouds.ec2.list_nodes(call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.ec2.list_nodes_full(location=None, call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.ec2.list_nodes_min(location=None, call=None) Return a list of the VMs that are on the provider. Only a list of VM names, and their state, is returned. This is the minimum amount of information needed to check for existing VMs. salt.cloud.clouds.ec2.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.ec2.optimize_providers(providers) Return an optimized list of providers. We want to reduce the duplication of querying the same region. If a provider is using the same credentials for the same region the same data will be returned for each provider, thus causing un-wanted duplicate data and API calls to EC2. salt.cloud.clouds.ec2.query(params=None, setname=None, requesturl=None, location=None, return_url=False, return_root=False) salt.cloud.clouds.ec2.query_instance(vm_=None, call=None) Query an instance upon creation from the EC2 API salt.cloud.clouds.ec2.queue_instances(instances) Queue a set of instances to be provisioned later. Expects a list. Currently this only queries node data, and then places it in the cloud cache (if configured). If the salt-cloud-reactor is being used, these instances will be automatically provisioned using that. For more information about the salt-cloud-reactor, see: https://github.com/saltstack-formulas/salt-cloud-reactor salt.cloud.clouds.ec2.reboot(name, call=None) Reboot a node. CLI Example: salt-cloud -a reboot mymachine salt.cloud.clouds.ec2.rename(name, kwargs, call=None) Properly rename a node. Pass in the new name as "new name". CLI Example: salt-cloud -a rename mymachine newname=yourmachine salt.cloud.clouds.ec2.request_instance(vm_=None, call=None) Put together all of the information necessary to request an instance on EC2, and then fire off the request the instance. Returns data about the instance salt.cloud.clouds.ec2.script(vm_) Return the script deployment object salt.cloud.clouds.ec2.securitygroup(vm_) Return the security group salt.cloud.clouds.ec2.securitygroupid(vm_) Returns the SecurityGroupId salt.cloud.clouds.ec2.set_tags(name=None, tags=None, call=None, location=None, instance_id=None, resource_id=None, kwargs=None) Set tags for a resource. Normally a VM name or instance_id is passed in, but a resource_id may be passed instead. If both are passed in, the instance_id will be used. CLI Examples: salt-cloud -a set_tags mymachine tag1=somestuff tag2='Other stuff' salt-cloud -a set_tags resource_id=vol-3267ab32 tag=somestuff salt.cloud.clouds.ec2.show_delvol_on_destroy(name, kwargs=None, call=None) Do not delete all/specified EBS volumes upon instance termination CLI Example: salt-cloud -a show_delvol_on_destroy mymachine salt.cloud.clouds.ec2.show_image(kwargs, call=None) Show the details from EC2 concerning an AMI salt.cloud.clouds.ec2.show_instance(name=None, instance_id=None, call=None, kwargs=None) Show the details from EC2 concerning an AMI. Can be called as an action (which requires a name): salt-cloud -a show_instance myinstance ...or as a function (which requires either a name or instance_id): salt-cloud -f show_instance my-ec2 name=myinstance salt-cloud -f show_instance my-ec2 instance_id=i-d34db33f salt.cloud.clouds.ec2.show_keypair(kwargs=None, call=None) Show the details of an SSH keypair salt.cloud.clouds.ec2.show_pricing(kwargs=None, call=None) Show pricing for a particular profile. This is only an estimate, based on unofficial pricing sources. CLI Examples: salt-cloud -f show_pricing my-ec2-config profile=my-profile If pricing sources have not been cached, they will be downloaded. Once they have been cached, they will not be updated automatically. To manually update all prices, use the following command: salt-cloud -f update_pricing <provider> New in version 2015.8.0. salt.cloud.clouds.ec2.show_term_protect(name=None, instance_id=None, call=None, quiet=False) Show the details from EC2 concerning an AMI salt.cloud.clouds.ec2.show_volume(kwargs=None, call=None) Wrapper around describe_volumes. Here just to keep functionality. Might be depreciated later. salt.cloud.clouds.ec2.sign(key, msg) salt.cloud.clouds.ec2.ssh_interface(vm_) Return the ssh_interface type to connect to. Either 'public_ips' (default) or 'private_ips'. salt.cloud.clouds.ec2.start(name, call=None) Start a node salt.cloud.clouds.ec2.stop(name, call=None) Stop a node salt.cloud.clouds.ec2.update_pricing(kwargs=None, call=None) Download most recent pricing information from AWS and convert to a local JSON file. CLI Examples: salt-cloud -f update_pricing my-ec2-config salt-cloud -f update_pricing my-ec2-config type=linux New in version 2015.8.0. salt.cloud.clouds.ec2.wait_for_instance(vm_=None, data=None, ip_address=None, display_ssh_output=True, call=None) Wait for an instance upon creation from the EC2 API, to become available salt.cloud.clouds.gce Copyright 2013 Google Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Google Compute Engine Module The Google Compute Engine module. This module interfaces with Google Compute Engine (GCE). To authenticate to GCE, you will need to create a Service Account. To set up Service Account Authentication, follow the gce_setup instructions. Example Provider Configuration my-gce-config: # The Google Cloud Platform Project ID project: "my-project-id" # The Service ACcount client ID service_account_email_address: 1234567890@developer.gserviceaccount.com # The location of the private key (PEM format) service_account_private_key: /home/erjohnso/PRIVKEY.pem driver: gce # Specify whether to use public or private IP for deploy script. # Valid options are: # private_ips - The salt-master is also hosted with GCE # public_ips - The salt-master is hosted outside of GCE ssh_interface: public_ips maintainer Eric Johnson <erjohnso@google.com> depends libcloud >= 0.14.1 salt.cloud.clouds.gce.attach_disk(name=None, kwargs=None, call=None) Attach an existing disk to an existing instance. CLI Example: salt-cloud -a attach_disk myinstance disk_name=mydisk mode=READ_WRITE salt.cloud.clouds.gce.attach_lb(kwargs=None, call=None) Add an existing node/member to an existing load-balancer configuration. CLI Example: salt-cloud -f attach_lb gce name=lb member=myinstance salt.cloud.clouds.gce.avail_images(conn=None) Return a dict of all available VM images on the cloud provider with relevant data Note that for GCE, there are custom images within the project, but the generic images are in other projects. This returns a dict of images in the project plus images in 'debian-cloud' and 'centos-cloud' (If there is overlap in names, the one in the current project is used.) salt.cloud.clouds.gce.avail_locations(conn=None, call=None) Return a dict of all available VM locations on the cloud provider with relevant data salt.cloud.clouds.gce.avail_sizes(conn=None) Return a dict of available instances sizes (a.k.a machine types) and convert them to something more serializable. salt.cloud.clouds.gce.create(vm_=None, call=None) Create a single GCE instance from a data dict. salt.cloud.clouds.gce.create_address(kwargs=None, call=None) Create a static address in a region. CLI Example: salt-cloud -f create_address gce name=my-ip region=us-central1 address=IP salt.cloud.clouds.gce.create_disk(kwargs=None, call=None) Create a new persistent disk. Must specify disk_name and location. Can also specify an image or snapshot but if neither of those are specified, a size (in GB) is required. CLI Example: salt-cloud -f create_disk gce disk_name=pd size=300 location=us-central1-b salt.cloud.clouds.gce.create_fwrule(kwargs=None, call=None) Create a GCE firewall rule. The 'default' network is used if not specified. CLI Example: salt-cloud -f create_fwrule gce name=allow-http allow=tcp:80 salt.cloud.clouds.gce.create_hc(kwargs=None, call=None) Create an HTTP health check configuration. CLI Example: salt-cloud -f create_hc gce name=hc path=/healthy port=80 salt.cloud.clouds.gce.create_lb(kwargs=None, call=None) Create a load-balancer configuration. CLI Example: salt-cloud -f create_lb gce name=lb region=us-central1 ports=80 salt.cloud.clouds.gce.create_network(kwargs=None, call=None) Create a GCE network. CLI Example: salt-cloud -f create_network gce name=mynet cidr=10.10.10.0/24 salt.cloud.clouds.gce.create_snapshot(kwargs=None, call=None) Create a new disk snapshot. Must specify name and disk_name. CLI Example: salt-cloud -f create_snapshot gce name=snap1 disk_name=pd salt.cloud.clouds.gce.delete_address(kwargs=None, call=None) Permanently delete a static address. CLI Example: salt-cloud -f delete_address gce name=my-ip salt.cloud.clouds.gce.delete_disk(kwargs=None, call=None) Permanently delete a persistent disk. CLI Example: salt-cloud -f delete_disk gce disk_name=pd salt.cloud.clouds.gce.delete_fwrule(kwargs=None, call=None) Permanently delete a firewall rule. CLI Example: salt-cloud -f delete_fwrule gce name=allow-http salt.cloud.clouds.gce.delete_hc(kwargs=None, call=None) Permanently delete a health check. CLI Example: salt-cloud -f delete_hc gce name=hc salt.cloud.clouds.gce.delete_lb(kwargs=None, call=None) Permanently delete a load-balancer. CLI Example: salt-cloud -f delete_lb gce name=lb salt.cloud.clouds.gce.delete_network(kwargs=None, call=None) Permanently delete a network. CLI Example: salt-cloud -f delete_network gce name=mynet salt.cloud.clouds.gce.delete_snapshot(kwargs=None, call=None) Permanently delete a disk snapshot. CLI Example: salt-cloud -f delete_snapshot gce name=disk-snap-1 salt.cloud.clouds.gce.destroy(vm_name, call=None) Call 'destroy' on the instance. Can be called with "-a destroy" or -d CLI Example: salt-cloud -a destroy myinstance1 myinstance2 ... salt-cloud -d myinstance1 myinstance2 ... salt.cloud.clouds.gce.detach_disk(name=None, kwargs=None, call=None) Detach a disk from an instance. CLI Example: salt-cloud -a detach_disk myinstance disk_name=mydisk salt.cloud.clouds.gce.detach_lb(kwargs=None, call=None) Remove an existing node/member from an existing load-balancer configuration. CLI Example: salt-cloud -f detach_lb gce name=lb member=myinstance salt.cloud.clouds.gce.get_configured_provider() Return the first configured instance. salt.cloud.clouds.gce.get_conn() Return a conn object for the passed VM data salt.cloud.clouds.gce.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.gce.get_lb_conn(gce_driver=None) Return a load-balancer conn object salt.cloud.clouds.gce.list_nodes(conn=None, call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.gce.list_nodes_full(conn=None, call=None) Return a list of the VMs that are on the provider, with all fields salt.cloud.clouds.gce.list_nodes_select(conn=None, call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.gce.reboot(vm_name, call=None) Call GCE 'reset' on the instance. CLI Example: salt-cloud -a reboot myinstance salt.cloud.clouds.gce.script(vm_) Return the script deployment object salt.cloud.clouds.gce.show_address(kwargs=None, call=None) Show the details of an existing static address. CLI Example: salt-cloud -f show_address gce name=mysnapshot region=us-central1 salt.cloud.clouds.gce.show_disk(name=None, kwargs=None, call=None) Show the details of an existing disk. CLI Example: salt-cloud -a show_disk myinstance disk_name=mydisk salt-cloud -f show_disk gce disk_name=mydisk salt.cloud.clouds.gce.show_fwrule(kwargs=None, call=None) Show the details of an existing firewall rule. CLI Example: salt-cloud -f show_fwrule gce name=allow-http salt.cloud.clouds.gce.show_hc(kwargs=None, call=None) Show the details of an existing health check. CLI Example: salt-cloud -f show_hc gce name=hc salt.cloud.clouds.gce.show_instance(vm_name, call=None) Show the details of the existing instance. salt.cloud.clouds.gce.show_lb(kwargs=None, call=None) Show the details of an existing load-balancer. CLI Example: salt-cloud -f show_lb gce name=lb salt.cloud.clouds.gce.show_network(kwargs=None, call=None) Show the details of an existing network. CLI Example: salt-cloud -f show_network gce name=mynet salt.cloud.clouds.gce.show_pricing(kwargs=None, call=None) Show pricing for a particular profile. This is only an estimate, based on unofficial pricing sources. New in version 2015.8.0. CLI Examples: salt-cloud -f show_pricing my-gce-config profile=my-profile salt.cloud.clouds.gce.show_snapshot(kwargs=None, call=None) Show the details of an existing snapshot. CLI Example: salt-cloud -f show_snapshot gce name=mysnapshot salt.cloud.clouds.gce.update_pricing(kwargs=None, call=None) Download most recent pricing information from GCE and save locally CLI Examples: salt-cloud -f update_pricing my-gce-config New in version 2015.8.0. salt.cloud.clouds.gogrid GoGrid Cloud Module The GoGrid cloud module. This module interfaces with the gogrid public cloud service. To use Salt Cloud with GoGrid log into the GoGrid web interface and create an api key. Do this by clicking on "My Account" and then going to the API Keys tab. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/gogrid.conf: my-gogrid-config: # The generated api key to use apikey: asdff7896asdh789 # The apikey's shared secret sharedsecret: saltybacon driver: gogrid NOTE: A Note about using Map files with GoGrid: Due to limitations in the GoGrid API, instances cannot be provisioned in parallel with the GoGrid driver. Map files will work with GoGrid, but the -P argument should not be used on maps referencing GoGrid instances. NOTE: A Note about using Map files with GoGrid: Due to limitations in the GoGrid API, instances cannot be provisioned in parallel with the GoGrid driver. Map files will work with GoGrid, but the -P argument should not be used on maps referencing GoGrid instances. salt.cloud.clouds.gogrid.avail_images() Available images salt.cloud.clouds.gogrid.avail_locations() Available locations salt.cloud.clouds.gogrid.avail_sizes() Available sizes salt.cloud.clouds.gogrid.create(vm_) Create a single VM from a data dict salt.cloud.clouds.gogrid.destroy(name, call=None) Destroy a machine by name CLI Example: salt-cloud -d vm_name salt.cloud.clouds.gogrid.get_configured_provider() Return the first configured instance. salt.cloud.clouds.gogrid.list_common_lookups(kwargs=None, call=None) List common lookups for a particular type of item New in version 2015.8.0. salt.cloud.clouds.gogrid.list_nodes(full=False, call=None) List of nodes, keeping only a brief listing CLI Example: salt-cloud -Q salt.cloud.clouds.gogrid.list_nodes_full(call=None) List nodes, with all available information CLI Example: salt-cloud -F salt.cloud.clouds.gogrid.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields CLI Example: salt-cloud -S salt.cloud.clouds.gogrid.list_passwords(kwargs=None, call=None) List all password on the account New in version 2015.8.0. salt.cloud.clouds.gogrid.list_public_ips(kwargs=None, call=None) List all available public IPs. CLI Example: salt-cloud -f list_public_ips <provider> To list unavailable (assigned) IPs, use: CLI Example: salt-cloud -f list_public_ips <provider> state=assigned New in version 2015.8.0. salt.cloud.clouds.gogrid.reboot(name, call=None) Reboot a machine by name CLI Example: salt-cloud -a reboot vm_name New in version 2015.8.0. salt.cloud.clouds.gogrid.show_instance(name, call=None) Start a machine by name CLI Example: salt-cloud -a show_instance vm_name New in version 2015.8.0. salt.cloud.clouds.gogrid.start(name, call=None) Start a machine by name CLI Example: salt-cloud -a start vm_name New in version 2015.8.0. salt.cloud.clouds.gogrid.stop(name, call=None) Stop a machine by name CLI Example: salt-cloud -a stop vm_name New in version 2015.8.0. salt.cloud.clouds.joyent Joyent Cloud Module The Joyent Cloud module is used to interact with the Joyent cloud system. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/joyent.conf: my-joyent-config: driver: joyent # The Joyent login user user: fred # The Joyent user's password password: saltybacon # The location of the ssh private key that can log into the new VM private_key: /root/mykey.pem # The name of the private key private_key: mykey When creating your profiles for the joyent cloud, add the location attribute to the profile, this will automatically get picked up when performing tasks associated with that vm. An example profile might look like: joyent_512: provider: my-joyent-config size: Extra Small 512 MB image: centos-6 location: us-east-1 This driver can also be used with the Joyent SmartDataCenter project. More details can be found at: Using SDC requires that an api_host_suffix is set. The default value for this is .api.joyentcloud.com. All characters, including the leading ., should be included: api_host_suffix: .api.myhostname.com depends PyCrypto salt.cloud.clouds.joyent.avail_images(call=None) Get list of available images CLI Example: salt-cloud --list-images Can use a custom URL for images. Default is: image_url: images.joyent.com/image salt.cloud.clouds.joyent.avail_locations(call=None) List all available locations salt.cloud.clouds.joyent.avail_sizes(call=None) get list of available packages CLI Example: salt-cloud --list-sizes salt.cloud.clouds.joyent.create(vm_) Create a single VM from a data dict CLI Example: salt-cloud -p profile_name vm_name salt.cloud.clouds.joyent.create_node(**kwargs) convenience function to make the rest api call for node creation. salt.cloud.clouds.joyent.delete_key(kwargs=None, call=None) List the keys available CLI Example: salt-cloud -f delete_key joyent keyname=mykey salt.cloud.clouds.joyent.destroy(name, call=None) destroy a machine by name Parameters • name -- name given to the machine • call -- call value in this case is 'action' Returns array of booleans , true if successfully stopped and true if successfully removed CLI Example: salt-cloud -d vm_name salt.cloud.clouds.joyent.get_configured_provider() Return the first configured instance. salt.cloud.clouds.joyent.get_image(vm_) Return the image object to use salt.cloud.clouds.joyent.get_location(vm_=None) Return the joyent data center to use, in this order: • CLI parameter • VM parameter • Cloud profile setting salt.cloud.clouds.joyent.get_location_path(location='us-east-1', api_host_suffix='.api.joyentcloud.com') create url from location variable :param location: joyent data center location :return: url salt.cloud.clouds.joyent.get_node(name) gets the node from the full node list by name :param name: name of the vm :return: node object salt.cloud.clouds.joyent.get_size(vm_) Return the VM's size object salt.cloud.clouds.joyent.has_method(obj, method_name) Find if the provided object has a specific method salt.cloud.clouds.joyent.import_key(kwargs=None, call=None) List the keys available CLI Example: salt-cloud -f import_key joyent keyname=mykey keyfile=/tmp/mykey.pub salt.cloud.clouds.joyent.joyent_node_state(id_) Convert joyent returned state to state common to other data center return values for consistency Parameters id -- joyent state value Returns state value salt.cloud.clouds.joyent.key_list(items=None) convert list to dictionary using the key as the identifier :param items: array to iterate over :return: dictionary salt.cloud.clouds.joyent.list_keys(kwargs=None, call=None) List the keys available salt.cloud.clouds.joyent.list_nodes(full=False, call=None) list of nodes, keeping only a brief listing CLI Example: salt-cloud -Q salt.cloud.clouds.joyent.list_nodes_full(call=None) list of nodes, maintaining all content provided from joyent listings CLI Example: salt-cloud -F salt.cloud.clouds.joyent.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.joyent.query(action=None, command=None, args=None, method='GET', location=None, data=None) Make a web call to Joyent salt.cloud.clouds.joyent.query_instance(vm_=None, call=None) Query an instance upon creation from the Joyent API salt.cloud.clouds.joyent.reboot(name, call=None) reboot a machine by name :param name: name given to the machine :param call: call value in this case is 'action' :return: true if successful CLI Example: salt-cloud -a reboot vm_name salt.cloud.clouds.joyent.reformat_node(item=None, full=False) Reformat the returned data from joyent, determine public/private IPs and strip out fields if necessary to provide either full or brief content. Parameters • item -- node dictionary • full -- full or brief output Returns dict salt.cloud.clouds.joyent.show_instance(name, call=None) get details about a machine :param name: name given to the machine :param call: call value in this case is 'action' :return: machine information CLI Example: salt-cloud -a show_instance vm_name salt.cloud.clouds.joyent.show_key(kwargs=None, call=None) List the keys available salt.cloud.clouds.joyent.ssh_interface(vm_) Return the ssh_interface type to connect to. Either 'public_ips' (default) or 'private_ips'. salt.cloud.clouds.joyent.start(name, call=None) start a machine by name :param name: name given to the machine :param call: call value in this case is 'action' :return: true if successful CLI Example: salt-cloud -a start vm_name salt.cloud.clouds.joyent.stop(name, call=None) stop a machine by name :param name: name given to the machine :param call: call value in this case is 'action' :return: true if successful CLI Example: salt-cloud -a stop vm_name salt.cloud.clouds.joyent.take_action(name=None, call=None, command=None, data=None, method='GET', location='us-east-1') take action call used by start,stop, reboot :param name: name given to the machine :param call: call value in this case is 'action' :command: api path :data: any data to be passed to the api, must be in json format :method: GET,POST,or DELETE :location: data center to execute the command on :return: true if successful salt.cloud.clouds.libcloud_aws The AWS Cloud Module The AWS cloud module is used to interact with the Amazon Web Services system. This module has been replaced by the EC2 cloud module, and is no longer supported. The documentation shown here is for reference only; it is highly recommended to change all usages of this driver over to the EC2 driver. If this driver is still needed, set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/aws.conf: my-aws-config: # The AWS API authentication id id: GKTADJGHEIQSXMKKRBJ08H # The AWS API authentication key key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs # The ssh keyname to use keyname: default # The amazon security group securitygroup: ssh_open # The location of the private key which corresponds to the keyname private_key: /root/default.pem driver: aws salt.cloud.clouds.libcloud_aws.block_device_mappings(vm_) Return the block device mapping: [{'DeviceName': '/dev/sdb', 'VirtualName': 'ephemeral0'}, {'DeviceName': '/dev/sdc', 'VirtualName': 'ephemeral1'}] salt.cloud.clouds.libcloud_aws.create(vm_) Create a single VM from a data dict salt.cloud.clouds.libcloud_aws.create_attach_volumes(volumes, location, data) Create and attach volumes to created node salt.cloud.clouds.libcloud_aws.del_tags(name, kwargs, call=None) Delete tags for a node CLI Example: salt-cloud -a del_tags mymachine tag1,tag2,tag3 salt.cloud.clouds.libcloud_aws.destroy(name) Wrap core libcloudfuncs destroy method, adding check for termination protection salt.cloud.clouds.libcloud_aws.get_availability_zone(conn, vm_) Return the availability zone to use salt.cloud.clouds.libcloud_aws.get_configured_provider() Return the first configured instance. salt.cloud.clouds.libcloud_aws.get_conn(**kwargs) Return a conn object for the passed VM data salt.cloud.clouds.libcloud_aws.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.libcloud_aws.get_location(vm_=None) Return the AWS region to use, in this order: • CLI parameter • Cloud profile setting • Global salt-cloud config salt.cloud.clouds.libcloud_aws.get_tags(name, call=None) Retrieve tags for a node salt.cloud.clouds.libcloud_aws.iam_profile(vm_) Return the IAM role salt.cloud.clouds.libcloud_aws.keyname(vm_) Return the keyname salt.cloud.clouds.libcloud_aws.rename(name, kwargs, call=None) Properly rename a node. Pass in the new name as "new name". CLI Example: salt-cloud -a rename mymachine newname=yourmachine salt.cloud.clouds.libcloud_aws.securitygroup(vm_) Return the security group salt.cloud.clouds.libcloud_aws.set_tags(name, tags, call=None) Set tags for a node CLI Example: salt-cloud -a set_tags mymachine tag1=somestuff tag2='Other stuff' salt.cloud.clouds.libcloud_aws.ssh_interface(vm_) Return the ssh_interface type to connect to. Either 'public_ips' (default) or 'private_ips'. salt.cloud.clouds.libcloud_aws.ssh_username(vm_) Return the ssh_username. Defaults to 'ec2-user'. salt.cloud.clouds.libcloud_aws.start(name, call=None) Start a node salt.cloud.clouds.libcloud_aws.stop(name, call=None) Stop a node salt.cloud.clouds.linode Linode Cloud Module using Linode's REST API The Linode cloud module is used to control access to the Linode VPS system. Use of this module only requires the apikey parameter. However, the default root password for new instances also needs to be set. The password needs to be 8 characters and contain lowercase, uppercase, and numbers. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/linode.conf: my-linode-provider: apikey: f4ZsmwtB1c7f85Jdu43RgXVDFlNjuJaeIYV8QMftTqKScEB2vSosFSr... password: F00barbaz driver: linode ssh_key_file: /tmp/salt-cloud_pubkey ssh_pubkey: ssh-rsa AAAAB3NzaC1yc2EA... linode-profile: provider: my-linode-provider size: Linode 1024 image: CentOS 7 location: London, England, UK private_ip: true To clone, add a profile with a clonefrom key, and a script_args: -C. clonefrom should be the name of the VM (linode) that is the source for the clone. script_args: -C passes a -C to the bootstrap script, which only configures the minion and doesn't try to install a new copy of salt-minion. This way the minion gets new keys and the keys get pre-seeded on the master, and the /etc/salt/minion file has the right 'id:' declaration. Cloning requires a post 2015-02-01 salt-bootstrap. salt.cloud.clouds.linode.avail_images(call=None) Return available Linode images. CLI Example: salt-cloud --list-images my-linode-config salt-cloud -f avail_images my-linode-config salt.cloud.clouds.linode.avail_locations(call=None) Return available Linode datacenter locations. CLI Example: salt-cloud --list-locations my-linode-config salt-cloud -f avail_locations my-linode-config salt.cloud.clouds.linode.avail_sizes(call=None) Return available Linode sizes. CLI Example: salt-cloud --list-sizes my-linode-config salt-cloud -f avail_sizes my-linode-config salt.cloud.clouds.linode.boot(name=None, kwargs=None, call=None) Boot a Linode. name The name of the Linode to boot. Can be used instead of linode_id. linode_id The ID of the Linode to boot. If provided, will be used as an alternative to name and reduces the number of API calls to Linode by one. Will be preferred over name. config_id The ID of the Config to boot. Required. check_running Defaults to True. If set to False, overrides the call to check if the VM is running before calling the linode.boot API call. Change check_running to True is useful during the boot call in the create function, since the new VM will not be running yet. Can be called as an action (which requires a name): salt-cloud -a boot my-instance config_id=10 ...or as a function (which requires either a name or linode_id): salt-cloud -f boot my-linode-config name=my-instance config_id=10 salt-cloud -f boot my-linode-config linode_id=1225876 config_id=10 salt.cloud.clouds.linode.clone(kwargs=None, call=None) Clone a Linode. linode_id The ID of the Linode to clone. Required. datacenter_id The ID of the Datacenter where the Linode will be placed. Required. plan_id The ID of the plan (size) of the Linode. Required. CLI Example: salt-cloud -f clone my-linode-config linode_id=1234567 datacenter_id=2 plan_id=5 salt.cloud.clouds.linode.create(vm_) Create a single Linode VM. salt.cloud.clouds.linode.create_config(kwargs=None, call=None) Creates a Linode Configuration Profile. name The name of the VM to create the config for. linode_id The ID of the Linode to create the configuration for. root_disk_id The Root Disk ID to be used for this config. swap_disk_id The Swap Disk ID to be used for this config. kernel_id The ID of the kernel to use for this configuration profile. salt.cloud.clouds.linode.create_disk_from_distro(vm_, linode_id, swap_size=None) Creates the disk for the Linode from the distribution. vm_ The VM profile to create the disk for. linode_id The ID of the Linode to create the distribution disk for. Required. swap_size The size of the disk, in MB. salt.cloud.clouds.linode.create_private_ip(vm_, linode_id) Creates a private IP for the specified Linode. vm_ The VM profile to create the swap disk for. linode_id The ID of the Linode to create the IP address for. salt.cloud.clouds.linode.create_swap_disk(vm_, linode_id, swap_size=None) Creates the disk for the specified Linode. vm_ The VM profile to create the swap disk for. linode_id The ID of the Linode to create the swap disk for. swap_size The size of the disk, in MB. salt.cloud.clouds.linode.destroy(name, call=None) Destroys a Linode by name. name The name of VM to be be destroyed. CLI Example: salt-cloud -d vm_name salt.cloud.clouds.linode.get_config_id(kwargs=None, call=None) Returns a config_id for a given linode. New in version 2015.8.0. name The name of the Linode for which to get the config_id. Can be used instead of linode_id.h linode_id The ID of the Linode for which to get the config_id. Can be used instead of name. CLI Example: salt-cloud -f get_config_id my-linode-config name=my-linode salt-cloud -f get_config_id my-linode-config linode_id=1234567 salt.cloud.clouds.linode.get_configured_provider() Return the first configured instance. salt.cloud.clouds.linode.get_datacenter_id(location) Returns the Linode Datacenter ID. location The location, or name, of the datacenter to get the ID from. salt.cloud.clouds.linode.get_disk_size(vm_, swap, linode_id) Returns the size of of the root disk in MB. vm_ The VM to get the disk size for. salt.cloud.clouds.linode.get_distribution_id(vm_) Returns the distribution ID for a VM vm_ The VM to get the distribution ID for salt.cloud.clouds.linode.get_ips(linode_id=None) Returns public and private IP addresses. linode_id Limits the IP addresses returned to the specified Linode ID. salt.cloud.clouds.linode.get_linode(kwargs=None, call=None) Returns data for a single named Linode. name The name of the Linode for which to get data. Can be used instead linode_id. Note this will induce an additional API call compared to using linode_id. linode_id The ID of the Linode for which to get data. Can be used instead of name. CLI Example: salt-cloud -f get_linode my-linode-config name=my-instance salt-cloud -f get_linode my-linode-config linode_id=1234567 salt.cloud.clouds.linode.get_linode_id_from_name(name) Returns the Linode ID for a VM from the provided name. name The name of the Linode from which to get the Linode ID. Required. salt.cloud.clouds.linode.get_password(vm_) Return the password to use for a VM. vm_ The configuration to obtain the password from. salt.cloud.clouds.linode.get_plan_id(kwargs=None, call=None) Returns the Linode Plan ID. label The label, or name, of the plan to get the ID from. CLI Example: salt-cloud -f get_plan_id linode label="Linode 1024" salt.cloud.clouds.linode.get_private_ip(vm_) Return True if a private ip address is requested salt.cloud.clouds.linode.get_pub_key(vm_) Return the SSH pubkey. vm_ The configuration to obtain the public key from. salt.cloud.clouds.linode.get_swap_size(vm_) Returns the amoutn of swap space to be used in MB. vm_ The VM profile to obtain the swap size from. salt.cloud.clouds.linode.get_vm_size(vm_) Returns the VM's size. vm_ The VM to get the size for. salt.cloud.clouds.linode.list_nodes(call=None) Returns a list of linodes, keeping only a brief listing. CLI Example: salt-cloud -Q salt-cloud --query salt-cloud -f list_nodes my-linode-config NOTE: The image label only displays information about the VM's distribution vendor, such as "Debian" or "RHEL" and does not display the actual image name. This is due to a limitation of the Linode API. salt.cloud.clouds.linode.list_nodes_full(call=None) List linodes, with all available information. CLI Example: salt-cloud -F salt-cloud --full-query salt-cloud -f list_nodes_full my-linode-config NOTE: The image label only displays information about the VM's distribution vendor, such as "Debian" or "RHEL" and does not display the actual image name. This is due to a limitation of the Linode API. salt.cloud.clouds.linode.list_nodes_min(call=None) Return a list of the VMs that are on the provider. Only a list of VM names and their state is returned. This is the minimum amount of information needed to check for existing VMs. New in version 2015.8.0. CLI Example: salt-cloud -f list_nodes_min my-linode-config salt-cloud --function list_nodes_min my-linode-config salt.cloud.clouds.linode.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields. salt.cloud.clouds.linode.reboot(name, call=None) Reboot a linode. New in version 2015.8.0. name The name of the VM to reboot. CLI Example: salt-cloud -a reboot vm_name salt.cloud.clouds.linode.show_instance(name, call=None) Displays details about a particular Linode VM. Either a name or a linode_id must be provided. New in version 2015.8.0. name The name of the VM for which to display details. CLI Example: salt-cloud -a show_instance vm_name NOTE: The image label only displays information about the VM's distribution vendor, such as "Debian" or "RHEL" and does not display the actual image name. This is due to a limitation of the Linode API. salt.cloud.clouds.linode.show_pricing(kwargs=None, call=None) Show pricing for a particular profile. This is only an estimate, based on unofficial pricing sources. New in version 2015.8.0. CLI Example: salt-cloud -f show_pricing my-linode-config profile=my-linode-profile salt.cloud.clouds.linode.start(name, call=None) Start a VM in Linode. name The name of the VM to start. CLI Example: salt-cloud -a stop vm_name salt.cloud.clouds.linode.stop(name, call=None) Stop a VM in Linode. name The name of the VM to stop. CLI Example: salt-cloud -a stop vm_name salt.cloud.clouds.linode.update_linode(linode_id, update_args=None) Updates a Linode's properties. linode_id The ID of the Linode to shutdown. Required. update_args The args to update the Linode with. Must be in dictionary form. salt.cloud.clouds.lxc Install Salt on an LXC Container New in version 2014.7.0. Please read core config documentation. salt.cloud.clouds.lxc.avail_images() salt.cloud.clouds.lxc.create(vm_, call=None) Create an lxc Container. This function is idempotent and will try to either provision or finish the provision of an lxc container. NOTE: Most of the initialization code has been moved and merged with the lxc runner and lxc.init functions salt.cloud.clouds.lxc.destroy(vm_, call=None) Destroy a lxc container salt.cloud.clouds.lxc.get_configured_provider(vm_=None) Return the contextual provider of None if no configured one can be found. salt.cloud.clouds.lxc.get_provider(name) salt.cloud.clouds.lxc.list_nodes(conn=None, call=None) salt.cloud.clouds.lxc.list_nodes_full(conn=None, call=None) salt.cloud.clouds.lxc.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.lxc.show_instance(name, call=None) Show the details from the provider concerning an instance salt.cloud.clouds.msazure Azure Cloud Module The Azure cloud module is used to control access to Microsoft Azure depends • Microsoft Azure SDK for Python >= 0.11.1 • python-requests, for Python < 2.7.9 configuration Required provider parameters: • apikey • certificate_path • subscription_id • requests_lib A Management Certificate (.pem and .crt files) must be created and the .pem file placed on the same machine that salt-cloud is run from. Information on creating the pem file to use, and uploading the associated cer file can be found at: http://www.windowsazure.com/en-us/develop/python/how-to-guides/service-management/ For users with Python < 2.7.9, requests_lib must currently be set to True. Example /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/azure.conf configuration: my-azure-config: driver: azure subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617 certificate_path: /etc/salt/azure.pem management_host: management.core.windows.net salt.cloud.clouds.msazure.add_input_endpoint(kwargs=None, conn=None, call=None) New in version 2015.8.0. Add an input endpoint to the deployment. Please note that there may be a delay before the changes show up. CLI Example: salt-cloud -f add_input_endpoint my-azure service=myservice \ deployment=mydeployment role=myrole name=HTTP local_port=80 \ port=80 protocol=tcp enable_direct_server_return=False \ timeout_for_tcp_idle_connection=4 salt.cloud.clouds.msazure.add_management_certificate(kwargs=None, conn=None, call=None) New in version 2015.8.0. Add a new management certificate CLI Example: salt-cloud -f add_management_certificate my-azure public_key='...PUBKEY...' \ thumbprint=0123456789ABCDEF data='...CERT_DATA...' salt.cloud.clouds.msazure.add_service_certificate(kwargs=None, conn=None, call=None) New in version 2015.8.0. Add a new service certificate CLI Example: salt-cloud -f add_service_certificate my-azure name=my_service_certificate \ data='...CERT_DATA...' certificate_format=sha1 password=verybadpass salt.cloud.clouds.msazure.avail_images(conn=None, call=None) List available images for Azure salt.cloud.clouds.msazure.avail_locations(conn=None, call=None) List available locations for Azure salt.cloud.clouds.msazure.avail_sizes(call=None) Return a list of sizes from Azure salt.cloud.clouds.msazure.cleanup_unattached_disks(kwargs=None, conn=None, call=None) New in version 2015.8.0. Cleans up all disks associated with the account, which are not attached. * CAUTION * This is a destructive function with no undo button, and no "Are you sure?" confirmation! CLI Examples: salt-cloud -f cleanup_unattached_disks my-azure name=my_disk salt-cloud -f cleanup_unattached_disks my-azure name=my_disk delete_vhd=True salt.cloud.clouds.msazure.create(vm_) Create a single VM from a data dict salt.cloud.clouds.msazure.create_affinity_group(kwargs=None, conn=None, call=None) New in version 2015.8.0. Create a new affinity group CLI Example: salt-cloud -f create_affinity_group my-azure name=my_affinity_group salt.cloud.clouds.msazure.create_attach_volumes(name, kwargs, call=None, wait_to_finish=True) Create and attach volumes to created node salt.cloud.clouds.msazure.create_service(kwargs=None, conn=None, call=None) New in version 2015.8.0. Create a new hosted service CLI Example: salt-cloud -f create_service my-azure name=my_service label=my_service location='West US' salt.cloud.clouds.msazure.create_storage(kwargs=None, conn=None, call=None) New in version 2015.8.0. Create a new storage account CLI Example: salt-cloud -f create_storage my-azure name=my_storage label=my_storage location='West US' salt.cloud.clouds.msazure.create_storage_container(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Create a storage container CLI Example: salt-cloud -f create_storage_container my-azure name=mycontainer name: Name of container to create. meta_name_values: Optional. A dict with name_value pairs to associate with the container as metadata. Example:{'Category':'test'} blob_public_access: Optional. Possible values include: container, blob fail_on_exist: Specify whether to throw an exception when the container exists. salt.cloud.clouds.msazure.delete_affinity_group(kwargs=None, conn=None, call=None) New in version 2015.8.0. Delete a specific affinity group associated with the account CLI Examples: salt-cloud -f delete_affinity_group my-azure name=my_affinity_group salt.cloud.clouds.msazure.delete_disk(kwargs=None, conn=None, call=None) New in version 2015.8.0. Delete a specific disk associated with the account CLI Examples: salt-cloud -f delete_disk my-azure name=my_disk salt-cloud -f delete_disk my-azure name=my_disk delete_vhd=True salt.cloud.clouds.msazure.delete_input_endpoint(kwargs=None, conn=None, call=None) New in version 2015.8.0. Delete an input endpoint from the deployment. Please note that there may be a delay before the changes show up. CLI Example: salt-cloud -f delete_input_endpoint my-azure service=myservice \ deployment=mydeployment role=myrole name=HTTP salt.cloud.clouds.msazure.delete_management_certificate(kwargs=None, conn=None, call=None) New in version 2015.8.0. Delete a specific certificate associated with the management CLI Examples: salt-cloud -f delete_management_certificate my-azure name=my_management_certificate \ thumbalgorithm=sha1 thumbprint=0123456789ABCDEF salt.cloud.clouds.msazure.delete_service(kwargs=None, conn=None, call=None) New in version 2015.8.0. Delete a specific service associated with the account CLI Examples: salt-cloud -f delete_service my-azure name=my_service salt.cloud.clouds.msazure.delete_service_certificate(kwargs=None, conn=None, call=None) New in version 2015.8.0. Delete a specific certificate associated with the service CLI Examples: salt-cloud -f delete_service_certificate my-azure name=my_service_certificate \ thumbalgorithm=sha1 thumbprint=0123456789ABCDEF salt.cloud.clouds.msazure.delete_storage(kwargs=None, conn=None, call=None) New in version 2015.8.0. Delete a specific storage account CLI Examples: salt-cloud -f delete_storage my-azure name=my_storage salt.cloud.clouds.msazure.delete_storage_container(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Delete a container associated with the storage account CLI Example: salt-cloud -f delete_storage_container my-azure name=mycontainer name: Name of container to create. fail_not_exist: Specify whether to throw an exception when the container exists. lease_id: If specified, delete_storage_container only succeeds if the container's lease is active and matches this ID. salt.cloud.clouds.msazure.destroy(name, conn=None, call=None, kwargs=None) Destroy a VM CLI Examples: salt-cloud -d myminion salt-cloud -a destroy myminion service_name=myservice salt.cloud.clouds.msazure.get_affinity_group(kwargs=None, conn=None, call=None) New in version 2015.8.0. Show an affinity group associated with the account CLI Example: salt-cloud -f show_affinity_group my-azure service=myservice \ deployment=mydeployment name=SSH salt.cloud.clouds.msazure.get_blob(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Download a blob CLI Example: salt-cloud -f get_blob my-azure container=base name=top.sls local_path=/srv/salt/top.sls salt-cloud -f get_blob my-azure container=base name=content.txt return_content=True container: Name of existing container. name: Name of existing blob. local_path: The path on the local machine to download the blob to. Either this or return_content must be specified. return_content: Whether or not to return the content directly from the blob. If specified, must be True or False. Either this or the local_path must be specified. snapshot: Optional. The snapshot parameter is an opaque DateTime value that, when present, specifies the blob snapshot to retrieve. lease_id: Required if the blob has an active lease. progress_callback: callback for progress with signature function(current, total) where current is the number of bytes transferred so far, and total is the size of the blob. max_connections: Maximum number of parallel connections to use when the blob size exceeds 64MB. Set to 1 to download the blob chunks sequentially. Set to 2 or more to download the blob chunks in parallel. This uses more system resources but will download faster. max_retries: Number of times to retry download of blob chunk if an error occurs. retry_wait: Sleep time in secs between retries. salt.cloud.clouds.msazure.get_blob_properties(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Returns all user-defined metadata, standard HTTP properties, and system properties for the blob. CLI Example: salt-cloud -f show_blob_properties my-azure container=mycontainer blob=myblob container: Name of existing container. blob: Name of existing blob. lease_id: Required if the blob has an active lease. salt.cloud.clouds.msazure.get_blob_service_properties(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Show a blob's service properties CLI Example: salt-cloud -f show_blob_service_properties my-azure salt.cloud.clouds.msazure.get_configured_provider() Return the first configured instance. salt.cloud.clouds.msazure.get_conn() Return a conn object for the passed VM data salt.cloud.clouds.msazure.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.msazure.get_deployment(kwargs=None, conn=None, call=None) New in version 2015.8.0. Return information about a deployment CLI Example: salt-cloud -f show_deployment my-azure name=my_deployment salt.cloud.clouds.msazure.get_disk(kwargs=None, conn=None, call=None) New in version 2015.8.0. Return information about a disk CLI Example: salt-cloud -f show_disk my-azure name=my_disk salt.cloud.clouds.msazure.get_input_endpoint(kwargs=None, conn=None, call=None) New in version 2015.8.0. Show an input endpoint associated with the deployment CLI Example: salt-cloud -f show_input_endpoint my-azure service=myservice \ deployment=mydeployment name=SSH salt.cloud.clouds.msazure.get_management_certificate(kwargs=None, conn=None, call=None) New in version 2015.8.0. Return information about a management_certificate CLI Example: salt-cloud -f get_management_certificate my-azure name=my_management_certificate \ thumbalgorithm=sha1 thumbprint=0123456789ABCDEF salt.cloud.clouds.msazure.get_operation_status(kwargs=None, conn=None, call=None) New in version 2015.8.0. Get Operation Status, based on a request ID CLI Example: salt-cloud -f get_operation_status my-azure id=0123456789abcdef0123456789abcdef salt.cloud.clouds.msazure.get_service_certificate(kwargs=None, conn=None, call=None) New in version 2015.8.0. Return information about a service certificate CLI Example: salt-cloud -f show_service_certificate my-azure name=my_service_certificate \ thumbalgorithm=sha1 thumbprint=0123456789ABCDEF salt.cloud.clouds.msazure.get_storage(kwargs=None, conn=None, call=None) New in version 2015.8.0. List storage service properties CLI Example: salt-cloud -f show_storage my-azure name=my_storage salt.cloud.clouds.msazure.get_storage_conn(storage_account=None, storage_key=None, conn_kwargs=None) New in version 2015.8.0. Return a storage_conn object for the storage account salt.cloud.clouds.msazure.get_storage_container(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Show a container associated with the storage account CLI Example: salt-cloud -f show_storage_container my-azure name=myservice name: Name of container to show. salt.cloud.clouds.msazure.get_storage_container_acl(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Show a storage container's acl CLI Example: salt-cloud -f show_storage_container_acl my-azure name=myservice name: Name of existing container. lease_id: If specified, show_storage_container_acl only succeeds if the container's lease is active and matches this ID. salt.cloud.clouds.msazure.get_storage_container_metadata(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Show a storage container's metadata CLI Example: salt-cloud -f show_storage_container_metadata my-azure name=myservice name: Name of container to show. lease_id: If specified, show_storage_container_metadata only succeeds if the container's lease is active and matches this ID. salt.cloud.clouds.msazure.get_storage_keys(kwargs=None, conn=None, call=None) New in version 2015.8.0. Show storage account keys CLI Example: salt-cloud -f show_storage_keys my-azure name=my_storage salt.cloud.clouds.msazure.lease_storage_container(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Lease a container associated with the storage account CLI Example: salt-cloud -f lease_storage_container my-azure name=mycontainer name: Name of container to create. lease_action: Required. Possible values: acquire|renew|release|break|change lease_id: Required if the container has an active lease. lease_duration: Specifies the duration of the lease, in seconds, or negative one (-1) for a lease that never expires. A non-infinite lease can be between 15 and 60 seconds. A lease duration cannot be changed using renew or change. For backwards compatibility, the default is 60, and the value is only used on an acquire operation. lease_break_period: Optional. For a break operation, this is the proposed duration of seconds that the lease should continue before it is broken, between 0 and 60 seconds. This break period is only used if it is shorter than the time remaining on the lease. If longer, the time remaining on the lease is used. A new lease will not be available before the break period has expired, but the lease may be held for longer than the break period. If this header does not appear with a break operation, a fixed-duration lease breaks after the remaining lease period elapses, and an infinite lease breaks immediately. proposed_lease_id: Optional for acquire, required for change. Proposed lease ID, in a GUID string format. salt.cloud.clouds.msazure.list_affinity_groups(kwargs=None, conn=None, call=None) New in version 2015.8.0. List input endpoints associated with the deployment CLI Example: salt-cloud -f list_affinity_groups my-azure salt.cloud.clouds.msazure.list_blobs(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. List blobs associated with the container CLI Example: salt-cloud -f list_blobs my-azure container=mycontainer container: The name of the storage container prefix: Optional. Filters the results to return only blobs whose names begin with the specified prefix. marker: Optional. A string value that identifies the portion of the list to be returned with the next list operation. The operation returns a marker value within the response body if the list returned was not complete. The marker value may then be used in a subsequent call to request the next set of list items. The marker value is opaque to the client. maxresults: Optional. Specifies the maximum number of blobs to return, including all BlobPrefix elements. If the request does not specify maxresults or specifies a value greater than 5,000, the server will return up to 5,000 items. Setting maxresults to a value less than or equal to zero results in error response code 400 (Bad Request). include: Optional. Specifies one or more datasets to include in the response. To specify more than one of these options on the URI, you must separate each option with a comma. Valid values are: snapshots: Specifies that snapshots should be included in the enumeration. Snapshots are listed from oldest to newest in the response. metadata: Specifies that blob metadata be returned in the response. uncommittedblobs: Specifies that blobs for which blocks have been uploaded, but which have not been committed using Put Block List (REST API), be included in the response. copy: Version 2012-02-12 and newer. Specifies that metadata related to any current or previous Copy Blob operation should be included in the response. delimiter: Optional. When the request includes this parameter, the operation returns a BlobPrefix element in the response body that acts as a placeholder for all blobs whose names begin with the same substring up to the appearance of the delimiter character. The delimiter may be a single character or a string. salt.cloud.clouds.msazure.list_disks(kwargs=None, conn=None, call=None) New in version 2015.8.0. List disks associated with the account CLI Example: salt-cloud -f list_disks my-azure salt.cloud.clouds.msazure.list_hosted_services(conn=None, call=None) List VMs on this Azure account, with full information salt.cloud.clouds.msazure.list_input_endpoints(kwargs=None, conn=None, call=None) New in version 2015.8.0. List input endpoints associated with the deployment CLI Example: salt-cloud -f list_input_endpoints my-azure service=myservice deployment=mydeployment salt.cloud.clouds.msazure.list_management_certificates(kwargs=None, conn=None, call=None) New in version 2015.8.0. List management certificates associated with the subscription CLI Example: salt-cloud -f list_management_certificates my-azure name=my_management salt.cloud.clouds.msazure.list_nodes(conn=None, call=None) List VMs on this Azure account salt.cloud.clouds.msazure.list_nodes_full(conn=None, call=None) List VMs on this Azure account, with full information salt.cloud.clouds.msazure.list_nodes_select(conn=None, call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.msazure.list_service_certificates(kwargs=None, conn=None, call=None) New in version 2015.8.0. List certificates associated with the service CLI Example: salt-cloud -f list_service_certificates my-azure name=my_service salt.cloud.clouds.msazure.list_services(kwargs=None, conn=None, call=None) New in version 2015.8.0. List hosted services associated with the account CLI Example: salt-cloud -f list_services my-azure salt.cloud.clouds.msazure.list_storage(kwargs=None, conn=None, call=None) New in version 2015.8.0. List storage accounts associated with the account CLI Example: salt-cloud -f list_storage my-azure salt.cloud.clouds.msazure.list_storage_containers(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. List containers associated with the storage account CLI Example: salt-cloud -f list_storage_containers my-azure salt.cloud.clouds.msazure.list_storage_services(conn=None, call=None) List VMs on this Azure account, with full information salt.cloud.clouds.msazure.list_virtual_networks(kwargs=None, conn=None, call=None) New in version 2015.8.0. List input endpoints associated with the deployment CLI Example: salt-cloud -f list_virtual_networks my-azure service=myservice deployment=mydeployment salt.cloud.clouds.msazure.make_blob_url(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Creates the URL to access a blob CLI Example: salt-cloud -f make_blob_url my-azure container=mycontainer blob=myblob container: Name of the container. blob: Name of the blob. account: Name of the storage account. If not specified, derives the host base from the provider configuration. protocol: Protocol to use: 'http' or 'https'. If not specified, derives the host base from the provider configuration. host_base: Live host base URL. If not specified, derives the host base from the provider configuration. salt.cloud.clouds.msazure.put_blob(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Upload a blob CLI Examples: salt-cloud -f put_blob my-azure container=base name=top.sls blob_path=/srv/salt/top.sls salt-cloud -f put_blob my-azure container=base name=content.txt blob_content='Some content' container: Name of existing container. name: Name of existing blob. blob_path: The path on the local machine of the file to upload as a blob. Either this or blob_content must be specified. blob_content: The actual content to be uploaded as a blob. Either this or blob_path must me specified. cache_control: Optional. The Blob service stores this value but does not use or modify it. content_language: Optional. Specifies the natural languages used by this resource. content_md5: Optional. An MD5 hash of the blob content. This hash is used to verify the integrity of the blob during transport. When this header is specified, the storage service checks the hash that has arrived with the one that was sent. If the two hashes do not match, the operation will fail with error code 400 (Bad Request). blob_content_type: Optional. Set the blob's content type. blob_content_encoding: Optional. Set the blob's content encoding. blob_content_language: Optional. Set the blob's content language. blob_content_md5: Optional. Set the blob's MD5 hash. blob_cache_control: Optional. Sets the blob's cache control. meta_name_values: A dict containing name, value for metadata. lease_id: Required if the blob has an active lease. salt.cloud.clouds.msazure.query(path, method='GET', data=None, params=None, header_dict=None, decode=True) Perform a query directly against the Azure REST API salt.cloud.clouds.msazure.regenerate_storage_keys(kwargs=None, conn=None, call=None) New in version 2015.8.0. Regenerate storage account keys. Requires a key_type ("primary" or "secondary") to be specified. CLI Example: salt-cloud -f regenerate_storage_keys my-azure name=my_storage key_type=primary salt.cloud.clouds.msazure.script(vm_) Return the script deployment object salt.cloud.clouds.msazure.set_blob_properties(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Set a blob's properties CLI Example: salt-cloud -f set_blob_properties my-azure container: Name of existing container. blob: Name of existing blob. blob_cache_control: Optional. Modifies the cache control string for the blob. blob_content_type: Optional. Sets the blob's content type. blob_content_md5: Optional. Sets the blob's MD5 hash. blob_content_encoding: Optional. Sets the blob's content encoding. blob_content_language: Optional. Sets the blob's content language. lease_id: Required if the blob has an active lease. blob_content_disposition: Optional. Sets the blob's Content-Disposition header. The Content-Disposition response header field conveys additional information about how to process the response payload, and also can be used to attach additional metadata. For example, if set to attachment, it indicates that the user-agent should not display the response, but instead show a Save As dialog with a filename other than the blob name specified. salt.cloud.clouds.msazure.set_blob_service_properties(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Sets the properties of a storage account's Blob service, including Windows Azure Storage Analytics. You can also use this operation to set the default request version for all incoming requests that do not have a version specified. CLI Example: salt-cloud -f set_blob_service_properties my-azure properties: a StorageServiceProperties object. timeout: Optional. The timeout parameter is expressed in seconds. salt.cloud.clouds.msazure.set_storage_container_acl(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Set a storage container's acl CLI Example: salt-cloud -f set_storage_container my-azure name=mycontainer name: Name of existing container. signed_identifiers: SignedIdentifers instance blob_public_access: Optional. Possible values include: container, blob lease_id: If specified, set_storage_container_acl only succeeds if the container's lease is active and matches this ID. salt.cloud.clouds.msazure.set_storage_container_metadata(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Set a storage container's metadata CLI Example: salt-cloud -f set_storage_container my-azure name=mycontainer \ x_ms_meta_name_values='{"my_name": "my_value"}' name: Name of existing container. meta_name_values: A dict containing name, value for metadata. Example: {'category':'test'} lease_id: If specified, set_storage_container_metadata only succeeds if the container's lease is active and matches this ID. salt.cloud.clouds.msazure.show_affinity_group(kwargs=None, conn=None, call=None) New in version 2015.8.0. Show an affinity group associated with the account CLI Example: salt-cloud -f show_affinity_group my-azure service=myservice \ deployment=mydeployment name=SSH salt.cloud.clouds.msazure.show_blob_properties(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Returns all user-defined metadata, standard HTTP properties, and system properties for the blob. CLI Example: salt-cloud -f show_blob_properties my-azure container=mycontainer blob=myblob container: Name of existing container. blob: Name of existing blob. lease_id: Required if the blob has an active lease. salt.cloud.clouds.msazure.show_blob_service_properties(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Show a blob's service properties CLI Example: salt-cloud -f show_blob_service_properties my-azure salt.cloud.clouds.msazure.show_deployment(kwargs=None, conn=None, call=None) New in version 2015.8.0. Return information about a deployment CLI Example: salt-cloud -f show_deployment my-azure name=my_deployment salt.cloud.clouds.msazure.show_disk(kwargs=None, conn=None, call=None) New in version 2015.8.0. Return information about a disk CLI Example: salt-cloud -f show_disk my-azure name=my_disk salt.cloud.clouds.msazure.show_input_endpoint(kwargs=None, conn=None, call=None) New in version 2015.8.0. Show an input endpoint associated with the deployment CLI Example: salt-cloud -f show_input_endpoint my-azure service=myservice \ deployment=mydeployment name=SSH salt.cloud.clouds.msazure.show_instance(name, call=None) Show the details from the provider concerning an instance salt.cloud.clouds.msazure.show_management_certificate(kwargs=None, conn=None, call=None) New in version 2015.8.0. Return information about a management_certificate CLI Example: salt-cloud -f get_management_certificate my-azure name=my_management_certificate \ thumbalgorithm=sha1 thumbprint=0123456789ABCDEF salt.cloud.clouds.msazure.show_service(kwargs=None, conn=None, call=None) New in version 2015.8.0. List hosted service properties CLI Example: salt-cloud -f show_service my-azure name=my_service salt.cloud.clouds.msazure.show_service_certificate(kwargs=None, conn=None, call=None) New in version 2015.8.0. Return information about a service certificate CLI Example: salt-cloud -f show_service_certificate my-azure name=my_service_certificate \ thumbalgorithm=sha1 thumbprint=0123456789ABCDEF salt.cloud.clouds.msazure.show_storage(kwargs=None, conn=None, call=None) New in version 2015.8.0. List storage service properties CLI Example: salt-cloud -f show_storage my-azure name=my_storage salt.cloud.clouds.msazure.show_storage_container(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Show a container associated with the storage account CLI Example: salt-cloud -f show_storage_container my-azure name=myservice name: Name of container to show. salt.cloud.clouds.msazure.show_storage_container_acl(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Show a storage container's acl CLI Example: salt-cloud -f show_storage_container_acl my-azure name=myservice name: Name of existing container. lease_id: If specified, show_storage_container_acl only succeeds if the container's lease is active and matches this ID. salt.cloud.clouds.msazure.show_storage_container_metadata(kwargs=None, storage_conn=None, call=None) New in version 2015.8.0. Show a storage container's metadata CLI Example: salt-cloud -f show_storage_container_metadata my-azure name=myservice name: Name of container to show. lease_id: If specified, show_storage_container_metadata only succeeds if the container's lease is active and matches this ID. salt.cloud.clouds.msazure.show_storage_keys(kwargs=None, conn=None, call=None) New in version 2015.8.0. Show storage account keys CLI Example: salt-cloud -f show_storage_keys my-azure name=my_storage salt.cloud.clouds.msazure.update_affinity_group(kwargs=None, conn=None, call=None) New in version 2015.8.0. Update an affinity group's properties CLI Example: salt-cloud -f update_affinity_group my-azure name=my_group label=my_group salt.cloud.clouds.msazure.update_disk(kwargs=None, conn=None, call=None) New in version 2015.8.0. Update a disk's properties CLI Example: salt-cloud -f update_disk my-azure name=my_disk label=my_disk salt-cloud -f update_disk my-azure name=my_disk new_name=another_disk salt.cloud.clouds.msazure.update_input_endpoint(kwargs=None, conn=None, call=None, activity='update') New in version 2015.8.0. Update an input endpoint associated with the deployment. Please note that there may be a delay before the changes show up. CLI Example: salt-cloud -f update_input_endpoint my-azure service=myservice \ deployment=mydeployment role=myrole name=HTTP local_port=80 \ port=80 protocol=tcp enable_direct_server_return=False \ timeout_for_tcp_idle_connection=4 salt.cloud.clouds.msazure.update_storage(kwargs=None, conn=None, call=None) New in version 2015.8.0. Update a storage account's properties CLI Example: salt-cloud -f update_storage my-azure name=my_storage label=my_storage salt.cloud.clouds.nova OpenStack Nova Cloud Module OpenStack is an open source project that is in use by a number a cloud providers, each of which have their own ways of using it. The OpenStack Nova module for Salt Cloud was bootstrapped from the OpenStack module for Salt Cloud, which uses a libcloud-based connection. The Nova module is designed to use the nova and glance modules already built into Salt. These modules use the Python novaclient and glanceclient libraries, respectively. In order to use this module, the proper salt configuration must also be in place. This can be specified in the master config, the minion config, a set of grains or a set of pillars. my_openstack_profile: keystone.user: admin keystone.password: verybadpass keystone.tenant: admin keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' Note that there is currently a dependency upon netaddr. This can be installed on Debian-based systems by means of the python-netaddr package. This module currently requires the latest develop branch of Salt to be installed. This module has been tested to work with HP Cloud and Rackspace. See the documentation for specific options for either of these providers. These examples could be set up in the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/openstack.conf: my-openstack-config: # The ID of the minion that will execute the salt nova functions auth_minion: myminion # The name of the configuration profile to use on said minion config_profile: my_openstack_profile ssh_key_name: mykey driver: nova userdata_file: /tmp/userdata.txt For local installations that only use private IP address ranges, the following option may be useful. Using the old syntax: Note: For api use, you will need an auth plugin. The base novaclient does not support apikeys, but some providers such as rackspace have extended keystone to accept them my-openstack-config: # Ignore IP addresses on this network for bootstrap ignore_cidr: 192.168.50.0/24 my-nova: identity_url: 'https://identity.api.rackspacecloud.com/v2.0/' compute_region: IAD user: myusername password: mypassword tenant: <userid> driver: nova my-api: identity_url: 'https://identity.api.rackspacecloud.com/v2.0/' compute_region: IAD user: myusername api_key: <api_key> os_auth_plugin: rackspace tenant: <userid> driver: nova networks: - net-id: 47a38ff2-fe21-4800-8604-42bd1848e743 - net-id: 00000000-0000-0000-0000-000000000000 - net-id: 11111111-1111-1111-1111-111111111111 This is an example profile. debian8-2-iad-cloudqe4: provider: cloudqe4-iad size: performance1-2 image: Debian 8 (Jessie) (PVHVM) script_args: -UP -p python-zmq git 2015.8 and one using cinder volumes already attached # create the block storage device centos7-2-iad-rackspace: provider: rackspace-iad size: general1-2 block_device: - source: image id: <image_id> dest: volume size: 100 shutdown: <preserve/remove> bootindex: 0 # with the volume already created centos7-2-iad-rackspace: provider: rackspace-iad size: general1-2 boot_volume: <volume id> # create the volume from a snapshot centos7-2-iad-rackspace: provider: rackspace-iad size: general1-2 snapshot: <cinder snapshot id> # create the create an extra ephemeral disk centos7-2-iad-rackspace: provider: rackspace-iad size: general1-2 ephemeral: - size: 100 format: <swap/ext4> # create the create an extra ephemeral disk centos7-2-iad-rackspace: provider: rackspace-iad size: general1-2 swap: <size> Block Device can also be used for having more than one block storage device attached centos7-2-iad-rackspace: provider: rackspace-iad size: general1-2 block_device: - source: image id: <image_id> dest: volume size: 100 shutdown: <preserve/remove> bootindex: 0 - source: blank dest: volume device: xvdc size: 100 shutdown: <preserve/remove> Note: You must include the default net-ids when setting networks or the server will be created without the rest of the interfaces Note: For rackconnect v3, rackconnectv3 needs to be specified with the rackconnect v3 cloud network as its variable. salt.cloud.clouds.nova.attach_volume(name, server_name, device='/dev/xvdb', **kwargs) Attach block volume salt.cloud.clouds.nova.avail_images() Return a dict of all available VM images on the cloud provider. salt.cloud.clouds.nova.avail_locations(conn=None, call=None) Return a list of locations salt.cloud.clouds.nova.avail_sizes() Return a dict of all available VM sizes on the cloud provider. salt.cloud.clouds.nova.cloudnetwork(vm_) Determine if we should use an extra network to bootstrap Either 'False' (default) or 'True'. salt.cloud.clouds.nova.create(vm_) Create a single VM from a data dict salt.cloud.clouds.nova.create_attach_volumes(name, call=None, **kwargs) Create and attach volumes to created node salt.cloud.clouds.nova.create_volume(name, size=100, snapshot=None, voltype=None, **kwargs) Create block storage device salt.cloud.clouds.nova.destroy(name, conn=None, call=None) Delete a single VM salt.cloud.clouds.nova.get_block_mapping_opts(vm_) salt.cloud.clouds.nova.get_configured_provider() Return the first configured instance. salt.cloud.clouds.nova.get_conn() Return a conn object for the passed VM data salt.cloud.clouds.nova.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.nova.get_image(conn, vm_) Return the image object to use salt.cloud.clouds.nova.get_size(conn, vm_) Return the VM's size object salt.cloud.clouds.nova.ignore_cidr(vm_, ip) Return True if we are to ignore the specified IP. Compatible with IPv4. salt.cloud.clouds.nova.list_nodes(call=None, **kwargs) Return a list of the VMs that in this location salt.cloud.clouds.nova.list_nodes_full(call=None, **kwargs) Return a list of the VMs that in this location salt.cloud.clouds.nova.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.nova.managedcloud(vm_) Determine if we should wait for the managed cloud automation before running. Either 'False' (default) or 'True'. salt.cloud.clouds.nova.network_create(name, **kwargs) Create private networks salt.cloud.clouds.nova.network_list(call=None, **kwargs) List private networks salt.cloud.clouds.nova.preferred_ip(vm_, ips) Return the preferred Internet protocol. Either 'ipv4' (default) or 'ipv6'. salt.cloud.clouds.nova.rackconnect(vm_) Determine if we should wait for rackconnect automation before running. Either 'False' (default) or 'True'. salt.cloud.clouds.nova.rackconnectv3(vm_) Determine if server is using rackconnectv3 or not Return the rackconnect network name or False salt.cloud.clouds.nova.reboot(name, conn=None) Reboot a single VM salt.cloud.clouds.nova.request_instance(vm_=None, call=None) Put together all of the information necessary to request an instance through Novaclient and then fire off the request the instance. Returns data about the instance salt.cloud.clouds.nova.script(vm_) Return the script deployment object salt.cloud.clouds.nova.show_instance(name, call=None) Show the details from the provider concerning an instance salt.cloud.clouds.nova.ssh_interface(vm_) Return the ssh_interface type to connect to. Either 'public_ips' (default) or 'private_ips'. salt.cloud.clouds.nova.virtual_interface_create(name, net_name, **kwargs) Create private networks salt.cloud.clouds.nova.virtual_interface_list(name, **kwargs) Create private networks salt.cloud.clouds.nova.volume_attach(name, server_name, device='/dev/xvdb', **kwargs) Attach block volume salt.cloud.clouds.nova.volume_create(name, size=100, snapshot=None, voltype=None, **kwargs) Create block storage device salt.cloud.clouds.nova.volume_create_attach(name, call=None, **kwargs) Create and attach volumes to created node salt.cloud.clouds.nova.volume_delete(name, **kwargs) Delete block storage device salt.cloud.clouds.nova.volume_detach(name, **kwargs) Detach block volume salt.cloud.clouds.nova.volume_list(**kwargs) List block devices salt.cloud.clouds.opennebula OpenNebula Cloud Module The OpenNebula cloud module is used to control access to an OpenNebula cloud. depends lxml Use of this module requires the xml_rpc, user and password parameter to be set. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/opennebula.conf: my-opennebula-config: xml_rpc: http://localhost:2633/RPC2 user: oneadmin password: JHGhgsayu32jsa driver: opennebula salt.cloud.clouds.opennebula.avail_images(call=None) Return a list of the templates that are on the provider salt.cloud.clouds.opennebula.avail_locations(call=None) Return a dict of all available VM locations on the cloud provider with relevant data salt.cloud.clouds.opennebula.avail_sizes(call=None) Because sizes are built into templates with OpenNebula, there will be no sizes to return here salt.cloud.clouds.opennebula.create(vm_) Create a single VM from a data dict salt.cloud.clouds.opennebula.destroy(name, call=None) Destroy a node. Will check termination protection and warn if enabled. CLI Example: salt-cloud --destroy mymachine salt.cloud.clouds.opennebula.get_configured_provider() Return the first configured instance. salt.cloud.clouds.opennebula.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.opennebula.get_image(vm_) Return the image object to use salt.cloud.clouds.opennebula.get_location(vm_) Return the VM's location salt.cloud.clouds.opennebula.list_nodes(call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.opennebula.list_nodes_full(call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.opennebula.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.opennebula.script(vm_) Return the script deployment object salt.cloud.clouds.opennebula.show_instance(name, call=None) Show the details from OpenNebula concerning a VM salt.cloud.clouds.openstack OpenStack Cloud Module OpenStack is an open source project that is in use by a number a cloud providers, each of which have their own ways of using it. depends libcloud >= 0.13.2 OpenStack provides a number of ways to authenticate. This module uses password- based authentication, using auth v2.0. It is likely to start supporting other methods of authentication provided by OpenStack in the future. Note that there is currently a dependency upon netaddr. This can be installed on Debian-based systems by means of the python-netaddr package. This module has been tested to work with HP Cloud and Rackspace. See the documentation for specific options for either of these providers. Some examples, using the old cloud configuration syntax, are provided below: Set up in the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/openstack.conf: my-openstack-config: # The OpenStack identity service url identity_url: https://region-b.geo-1.identity.hpcloudsvc.com:35357/v2.0/ # The OpenStack compute region compute_region: region-b.geo-1 # The OpenStack compute service name compute_name: Compute # The OpenStack tenant name (not tenant ID) tenant: myuser-tenant1 # The OpenStack user name user: myuser # The OpenStack keypair name ssh_key_name: mykey # Skip SSL certificate validation insecure: false # The ssh key file ssh_key_file: /path/to/keyfile/test.pem # The OpenStack network UUIDs networks: - fixed: - 4402cd51-37ee-435e-a966-8245956dc0e6 - floating: - Ext-Net files: /path/to/dest.txt: /local/path/to/src.txt # Skips the service catalog API endpoint, and uses the following base_url: http://192.168.1.101:3000/v2/12345 driver: openstack userdata_file: /tmp/userdata.txt # config_drive is required for userdata at rackspace config_drive: True For in-house Openstack Essex installation, libcloud needs the service_type : my-openstack-config: identity_url: 'http://control.openstack.example.org:5000/v2.0/' compute_name : Compute Service service_type : compute Either a password or an API key must also be specified: my-openstack-password-or-api-config: # The OpenStack password password: letmein # The OpenStack API key apikey: 901d3f579h23c8v73q9 Optionally, if you don't want to save plain-text password in your configuration file, you can use keyring: my-openstack-keyring-config: # The OpenStack password is stored in keyring # don't forget to set the password by running something like: # salt-cloud --set-password=myuser my-openstack-keyring-config password: USE_KEYRING For local installations that only use private IP address ranges, the following option may be useful. Using the old syntax: my-openstack-config: # Ignore IP addresses on this network for bootstrap ignore_cidr: 192.168.50.0/24 It is possible to upload a small set of files (no more than 5, and nothing too large) to the remote server. Generally this should not be needed, as salt itself can upload to the server after it is spun up, with nowhere near the same restrictions. my-openstack-config: files: /path/to/dest.txt: /local/path/to/src.txt Alternatively, one could use the private IP to connect by specifying: my-openstack-config: ssh_interface: private_ips salt.cloud.clouds.openstack.avail_images(conn=None, call=None) Return a dict of all available VM images on the cloud provider with relevant data salt.cloud.clouds.openstack.avail_locations(conn=None, call=None) Return a dict of all available VM locations on the cloud provider with relevant data salt.cloud.clouds.openstack.avail_sizes(conn=None, call=None) Return a dict of all available VM images on the cloud provider with relevant data salt.cloud.clouds.openstack.create(vm_) Create a single VM from a data dict salt.cloud.clouds.openstack.destroy(name, conn=None, call=None) Delete a single VM salt.cloud.clouds.openstack.get_configured_provider() Return the first configured instance. salt.cloud.clouds.openstack.get_conn() Return a conn object for the passed VM data salt.cloud.clouds.openstack.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.openstack.get_image(conn, vm_) Return the image object to use salt.cloud.clouds.openstack.get_node(conn, name) Return a libcloud node for the named VM salt.cloud.clouds.openstack.get_size(conn, vm_) Return the VM's size object salt.cloud.clouds.openstack.ignore_cidr(vm_, ip) Return True if we are to ignore the specified IP. Compatible with IPv4. salt.cloud.clouds.openstack.list_nodes(conn=None, call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.openstack.list_nodes_full(conn=None, call=None) Return a list of the VMs that are on the provider, with all fields salt.cloud.clouds.openstack.list_nodes_select(conn=None, call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.openstack.managedcloud(vm_) Determine if we should wait for the managed cloud automation before running. Either 'False' (default) or 'True'. salt.cloud.clouds.openstack.networks(vm_, kwargs=None) salt.cloud.clouds.openstack.preferred_ip(vm_, ips) Return the preferred Internet protocol. Either 'ipv4' (default) or 'ipv6'. salt.cloud.clouds.openstack.rackconnect(vm_) Determine if we should wait for rackconnect automation before running. Either 'False' (default) or 'True'. salt.cloud.clouds.openstack.reboot(name, conn=None) Reboot a single VM salt.cloud.clouds.openstack.request_instance(vm_=None, call=None) Put together all of the information necessary to request an instance on Openstack and then fire off the request the instance. Returns data about the instance salt.cloud.clouds.openstack.script(vm_) Return the script deployment object salt.cloud.clouds.openstack.show_instance(name, call=None) Show the details from the provider concerning an instance salt.cloud.clouds.openstack.ssh_interface(vm_) Return the ssh_interface type to connect to. Either 'public_ips' (default) or 'private_ips'. salt.cloud.clouds.parallels Parallels Cloud Module The Parallels cloud module is used to control access to cloud providers using the Parallels VPS system. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/parallels.conf: my-parallels-config: # Parallels account information user: myuser password: mypassword url: https://api.cloud.xmission.com:4465/paci/v1.0/ driver: parallels salt.cloud.clouds.parallels.avail_images(call=None) Return a list of the images that are on the provider salt.cloud.clouds.parallels.create(vm_) Create a single VM from a data dict salt.cloud.clouds.parallels.create_node(vm_) Build and submit the XML to create a node salt.cloud.clouds.parallels.destroy(name, call=None) Destroy a node. CLI Example: salt-cloud --destroy mymachine salt.cloud.clouds.parallels.get_configured_provider() Return the first configured instance. salt.cloud.clouds.parallels.get_image(vm_) Return the image object to use salt.cloud.clouds.parallels.list_nodes(call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.parallels.list_nodes_full(call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.parallels.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.parallels.query(action=None, command=None, args=None, method='GET', data=None) Make a web call to a Parallels provider salt.cloud.clouds.parallels.script(vm_) Return the script deployment object salt.cloud.clouds.parallels.show_image(kwargs, call=None) Show the details from Parallels concerning an image salt.cloud.clouds.parallels.show_instance(name, call=None) Show the details from Parallels concerning an instance salt.cloud.clouds.parallels.start(name, call=None) Start a node. CLI Example: salt-cloud -a start mymachine salt.cloud.clouds.parallels.stop(name, call=None) Stop a node. CLI Example: salt-cloud -a stop mymachine salt.cloud.clouds.parallels.wait_until(name, state, timeout=300) Wait until a specific state has been reached on a node salt.cloud.clouds.proxmox Proxmox Cloud Module New in version 2014.7.0. The Proxmox cloud module is used to control access to cloud providers using the Proxmox system (KVM / OpenVZ). Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/proxmox.conf: my-proxmox-config: # Proxmox account information user: myuser@pam or myuser@pve password: mypassword url: hypervisor.domain.tld driver: proxmox verify_ssl: True maintainer Frank Klaassen <frank@cloudright.nl> depends requests >= 2.2.1 depends IPy >= 0.81 salt.cloud.clouds.proxmox.avail_images(call=None, location='local') Return a list of the images that are on the provider CLI Example: salt-cloud --list-images my-proxmox-config salt.cloud.clouds.proxmox.avail_locations(call=None) Return a list of the hypervisors (nodes) which this Proxmox PVE machine manages CLI Example: salt-cloud --list-locations my-proxmox-config salt.cloud.clouds.proxmox.create(vm_) Create a single VM from a data dict CLI Example: salt-cloud -p proxmox-ubuntu vmhostname salt.cloud.clouds.proxmox.create_node(vm_) Build and submit the requestdata to create a new node salt.cloud.clouds.proxmox.destroy(name, call=None) Destroy a node. CLI Example: salt-cloud --destroy mymachine salt.cloud.clouds.proxmox.get_configured_provider() Return the first configured instance. salt.cloud.clouds.proxmox.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.proxmox.get_resources_nodes(call=None, resFilter=None) Retrieve all hypervisors (nodes) available on this environment CLI Example: salt-cloud -f get_resources_nodes my-proxmox-config salt.cloud.clouds.proxmox.get_resources_vms(call=None, resFilter=None, includeConfig=True) Retrieve all VMs available on this environment CLI Example: salt-cloud -f get_resources_vms my-proxmox-config salt.cloud.clouds.proxmox.get_vm_status(vmid=None, name=None) Get the status for a VM, either via the ID or the hostname salt.cloud.clouds.proxmox.get_vmconfig(vmid, node=None, node_type='openvz') Get VM configuration salt.cloud.clouds.proxmox.list_nodes(call=None) Return a list of the VMs that are managed by the provider CLI Example: salt-cloud -Q my-proxmox-config salt.cloud.clouds.proxmox.list_nodes_full(call=None) Return a list of the VMs that are on the provider CLI Example: salt-cloud -F my-proxmox-config salt.cloud.clouds.proxmox.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields CLI Example: salt-cloud -S my-proxmox-config salt.cloud.clouds.proxmox.query(conn_type, option, post_data=None) Execute the HTTP request to the API salt.cloud.clouds.proxmox.script(vm_) Return the script deployment object salt.cloud.clouds.proxmox.set_vm_status(status, name=None, vmid=None) Convenience function for setting VM status salt.cloud.clouds.proxmox.show_instance(name, call=None) Show the details from Proxmox concerning an instance salt.cloud.clouds.proxmox.shutdown(name=None, vmid=None, call=None) Shutdown a node via ACPI. CLI Example: salt-cloud -a shutdown mymachine salt.cloud.clouds.proxmox.start(name, vmid=None, call=None) Start a node. CLI Example: salt-cloud -a start mymachine salt.cloud.clouds.proxmox.stop(name, vmid=None, call=None) Stop a node ("pulling the plug"). CLI Example: salt-cloud -a stop mymachine salt.cloud.clouds.proxmox.wait_for_created(upid, timeout=300) Wait until a the vm has been created successfully salt.cloud.clouds.proxmox.wait_for_state(vmid, state, timeout=300) Wait until a specific state has been reached on a node salt.cloud.clouds.pyrax Pyrax Cloud Module PLEASE NOTE: This module is currently in early development, and considered to be experimental and unstable. It is not recommended for production use. Unless you are actively developing code in this module, you should use the OpenStack module instead. salt.cloud.clouds.pyrax.get_configured_provider() Return the first configured instance. salt.cloud.clouds.pyrax.get_conn(conn_type) Return a conn object for the passed VM data salt.cloud.clouds.pyrax.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.pyrax.queues_create(call, kwargs) salt.cloud.clouds.pyrax.queues_delete(call, kwargs) salt.cloud.clouds.pyrax.queues_exists(call, kwargs) salt.cloud.clouds.pyrax.queues_show(call, kwargs) salt.cloud.clouds.rackspace Rackspace Cloud Module The Rackspace cloud module. This module uses the preferred means to set up a libcloud based cloud module and should be used as the general template for setting up additional libcloud based modules. depends libcloud >= 0.13.2 Please note that the rackspace driver is only intended for 1st gen instances, aka, "the old cloud" at Rackspace. It is required for 1st gen instances, but will not work with OpenStack-based instances. Unless you explicitly have a reason to use it, it is highly recommended that you use the openstack driver instead. The rackspace cloud module interfaces with the Rackspace public cloud service and requires that two configuration parameters be set for use, user and apikey. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/rackspace.conf: my-rackspace-config: driver: rackspace # The Rackspace login user user: fred # The Rackspace user's apikey apikey: 901d3f579h23c8v73q9 salt.cloud.clouds.rackspace.avail_images(conn=None, call=None) Return a dict of all available VM images on the cloud provider with relevant data salt.cloud.clouds.rackspace.avail_locations(conn=None, call=None) Return a dict of all available VM locations on the cloud provider with relevant data salt.cloud.clouds.rackspace.avail_sizes(conn=None, call=None) Return a dict of all available VM images on the cloud provider with relevant data salt.cloud.clouds.rackspace.create(vm_) Create a single VM from a data dict salt.cloud.clouds.rackspace.destroy(name, conn=None, call=None) Delete a single VM salt.cloud.clouds.rackspace.get_configured_provider() Return the first configured instance. salt.cloud.clouds.rackspace.get_conn() Return a conn object for the passed VM data salt.cloud.clouds.rackspace.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.rackspace.get_image(conn, vm_) Return the image object to use salt.cloud.clouds.rackspace.get_size(conn, vm_) Return the VM's size object salt.cloud.clouds.rackspace.list_nodes(conn=None, call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.rackspace.list_nodes_full(conn=None, call=None) Return a list of the VMs that are on the provider, with all fields salt.cloud.clouds.rackspace.list_nodes_select(conn=None, call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.rackspace.preferred_ip(vm_, ips) Return the preferred Internet protocol. Either 'ipv4' (default) or 'ipv6'. salt.cloud.clouds.rackspace.script(vm_) Return the script deployment object salt.cloud.clouds.rackspace.show_instance(name, call=None) Show the details from the provider concerning an instance salt.cloud.clouds.rackspace.ssh_interface(vm_) Return the ssh_interface type to connect to. Either 'public_ips' (default) or 'private_ips'. salt.cloud.clouds.saltify Saltify Module The Saltify module is designed to install Salt on a remote machine, virtual or bare metal, using SSH. This module is useful for provisioning machines which are already installed, but not Salted. Use of this module requires some configuration in cloud profile and provider files as described in the Gettting Started with Saltify documentation. salt.cloud.clouds.saltify.create(vm_) Provision a single machine salt.cloud.clouds.saltify.get_configured_provider() Return the first configured instance. salt.cloud.clouds.saltify.list_nodes() Because this module is not specific to any cloud providers, there will be no nodes to list. salt.cloud.clouds.saltify.list_nodes_full() Because this module is not specific to any cloud providers, there will be no nodes to list. salt.cloud.clouds.saltify.list_nodes_select() Because this module is not specific to any cloud providers, there will be no nodes to list. salt.cloud.clouds.softlayer SoftLayer Cloud Module The SoftLayer cloud module is used to control access to the SoftLayer VPS system. Use of this module only requires the apikey parameter. Set up the cloud configuration at: /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/softlayer.conf: my-softlayer-config: # SoftLayer account api key user: MYLOGIN apikey: JVkbSJDGHSDKUKSDJfhsdklfjgsjdkflhjlsdfffhgdgjkenrtuinv driver: softlayer The SoftLayer Python Library needs to be installed in order to use the SoftLayer salt.cloud modules. See: https://pypi.python.org/pypi/SoftLayer depends softlayer salt.cloud.clouds.softlayer.avail_images(call=None) Return a dict of all available VM images on the cloud provider. salt.cloud.clouds.softlayer.avail_locations(call=None) List all available locations salt.cloud.clouds.softlayer.avail_sizes(call=None) Return a dict of all available VM sizes on the cloud provider with relevant data. This data is provided in three dicts. salt.cloud.clouds.softlayer.create(vm_) Create a single VM from a data dict salt.cloud.clouds.softlayer.destroy(name, call=None) Destroy a node. CLI Example: salt-cloud --destroy mymachine salt.cloud.clouds.softlayer.get_configured_provider() Return the first configured instance. salt.cloud.clouds.softlayer.get_conn(service='SoftLayer_Virtual_Guest') Return a conn object for the passed VM data salt.cloud.clouds.softlayer.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.softlayer.get_location(vm_=None) Return the location to use, in this order: • CLI parameter • VM parameter • Cloud profile setting salt.cloud.clouds.softlayer.list_custom_images(call=None) Return a dict of all custom VM images on the cloud provider. salt.cloud.clouds.softlayer.list_nodes(call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.softlayer.list_nodes_full(mask='mask[id]', call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.softlayer.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.softlayer.list_vlans(call=None) List all VLANs associated with the account salt.cloud.clouds.softlayer.script(vm_) Return the script deployment object salt.cloud.clouds.softlayer.show_instance(name, call=None) Show the details from SoftLayer concerning a guest salt.cloud.clouds.softlayer_hw SoftLayer HW Cloud Module The SoftLayer HW cloud module is used to control access to the SoftLayer hardware cloud system Use of this module only requires the apikey parameter. Set up the cloud configuration at: /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/softlayer.conf: my-softlayer-config: # SoftLayer account api key user: MYLOGIN apikey: JVkbSJDGHSDKUKSDJfhsdklfjgsjdkflhjlsdfffhgdgjkenrtuinv driver: softlayer_hw The SoftLayer Python Library needs to be installed in order to use the SoftLayer salt.cloud modules. See: https://pypi.python.org/pypi/SoftLayer depends softlayer salt.cloud.clouds.softlayer_hw.avail_images(call=None) Return a dict of all available VM images on the cloud provider. salt.cloud.clouds.softlayer_hw.avail_locations(call=None) List all available locations salt.cloud.clouds.softlayer_hw.avail_sizes(call=None) Return a dict of all available VM sizes on the cloud provider with relevant data. This data is provided in three dicts. salt.cloud.clouds.softlayer_hw.create(vm_) Create a single VM from a data dict salt.cloud.clouds.softlayer_hw.destroy(name, call=None) Destroy a node. CLI Example: salt-cloud --destroy mymachine salt.cloud.clouds.softlayer_hw.get_configured_provider() Return the first configured instance. salt.cloud.clouds.softlayer_hw.get_conn(service='SoftLayer_Hardware') Return a conn object for the passed VM data salt.cloud.clouds.softlayer_hw.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.softlayer_hw.get_location(vm_=None) Return the location to use, in this order: • CLI parameter • VM parameter • Cloud profile setting salt.cloud.clouds.softlayer_hw.list_nodes(call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.softlayer_hw.list_nodes_full(mask='mask[id, hostname, primaryIpAddress, primaryBackendIpAddress, processorPhysicalCoreAmount, memoryCount]', call=None) Return a list of the VMs that are on the provider salt.cloud.clouds.softlayer_hw.list_nodes_select(call=None) Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.softlayer_hw.list_vlans(call=None) List all VLANs associated with the account salt.cloud.clouds.softlayer_hw.script(vm_) Return the script deployment object salt.cloud.clouds.softlayer_hw.show_all_prices(call=None, kwargs=None) Return a dict of all available VM images on the cloud provider. salt.cloud.clouds.softlayer_hw.show_instance(name, call=None) Show the details from SoftLayer concerning a guest salt.cloud.clouds.softlayer_hw.show_pricing(kwargs=None, call=None) Show pricing for a particular profile. This is only an estimate, based on unofficial pricing sources. CLI Examples: salt-cloud -f show_pricing my-softlayerhw-config profile=my-profile If pricing sources have not been cached, they will be downloaded. Once they have been cached, they will not be updated automatically. To manually update all prices, use the following command: salt-cloud -f update_pricing <provider> New in version 2015.8.0. salt.cloud.clouds.vmware VMware Cloud Module New in version 2015.5.4. The VMware cloud module allows you to manage VMware ESX, ESXi, and vCenter. See Getting started with VMware to get started. codeauthor Nitin Madhok <nmadhok@clemson.edu> Dependencies • pyVmomi Python Module pyVmomi PyVmomi can be installed via pip: pip install pyVmomi NOTE: Version 6.0 of pyVmomi has some problems with SSL error handling on certain versions of Python. If using version 6.0 of pyVmomi, Python 2.6, Python 2.7.9, or newer must be present. This is due to an upstream dependency in pyVmomi 6.0 that is not supported in Python versions 2.7 to 2.7.8. If the version of Python is not in the supported range, you will need to install an earlier version of pyVmomi. See Issue #29537 for more information. Based on the note above, to install an earlier version of pyVmomi than the version currently listed in PyPi, run the following: pip install pyVmomi==5.5.0.2014.1.1 The 5.5.0.2014.1.1 is a known stable version that this original VMware cloud driver was developed against. NOTE: Ensure python pyVmomi module is installed by running following one-liner check. The output should be 0. python -c "import pyVmomi" ; echo $? Configuration To use this module, set up the vCenter URL, username and password in the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/vmware.conf: my-vmware-config: driver: vmware user: 'DOMAIN\user' password: 'verybadpass' url: '10.20.30.40' vcenter01: driver: vmware user: 'DOMAIN\user' password: 'verybadpass' url: 'vcenter01.domain.com' protocol: 'https' port: 443 vcenter02: driver: vmware user: 'DOMAIN\user' password: 'verybadpass' url: 'vcenter02.domain.com' protocol: 'http' port: 80 NOTE: Optionally, protocol and port can be specified if the vCenter server is not using the defaults. Default is protocol: https and port: 443. To test the connection for my-vmware-config specified in the cloud configuration, run test_vcenter_connection() salt.cloud.clouds.vmware.add_host(kwargs=None, call=None) Add a host system to the specified cluster or datacenter in this VMware environment NOTE: To use this function, you need to specify esxi_host_user and esxi_host_password under your provider configuration set up at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/vmware.conf: vcenter01: driver: vmware user: 'DOMAIN\user' password: 'verybadpass' url: 'vcenter01.domain.com' # Required when adding a host system esxi_host_user: 'root' esxi_host_password: 'myhostpassword' # Optional fields that can be specified when adding a host system esxi_host_ssl_thumbprint: '12:A3:45:B6:CD:7E:F8:90:A1:BC:23:45:D6:78:9E:FA:01:2B:34:CD' The SSL thumbprint of the host system can be optionally specified by setting esxi_host_ssl_thumbprint under your provider configuration. To get the SSL thumbprint of the host system, execute the following command from a remote server: echo -n | openssl s_client -connect <YOUR-HOSTSYSTEM-DNS/IP>:443 2>/dev/null | openssl x509 -noout -fingerprint -sha1 CLI Example: salt-cloud -f add_host my-vmware-config host="myHostSystemName" cluster="myClusterName" salt-cloud -f add_host my-vmware-config host="myHostSystemName" datacenter="myDatacenterName" salt.cloud.clouds.vmware.avail_images(call=None) Return a list of all the templates present in this VMware environment with basic details CLI Example: salt-cloud --list-images my-vmware-config salt.cloud.clouds.vmware.avail_locations(call=None) Return a list of all the available locations/datacenters in this VMware environment CLI Example: salt-cloud --list-locations my-vmware-config salt.cloud.clouds.vmware.avail_sizes(call=None) Return a list of all the available sizes in this VMware environment. CLI Example: salt-cloud --list-sizes my-vmware-config NOTE: Since sizes are built into templates, this function will return an empty dictionary. salt.cloud.clouds.vmware.connect_host(kwargs=None, call=None) Connect the specified host system in this VMware environment CLI Example: salt-cloud -f connect_host my-vmware-config host="myHostSystemName" salt.cloud.clouds.vmware.create(vm_) To create a single VM in the VMware environment. Sample profile and arguments that can be specified in it can be found here. CLI Example: salt-cloud -p vmware-centos6.5 vmname salt.cloud.clouds.vmware.create_cluster(kwargs=None, call=None) Create a new cluster under the specified datacenter in this VMware environment CLI Example: salt-cloud -f create_cluster my-vmware-config name="myNewCluster" datacenter="datacenterName" salt.cloud.clouds.vmware.create_datacenter(kwargs=None, call=None) Create a new data center in this VMware environment CLI Example: salt-cloud -f create_datacenter my-vmware-config name="MyNewDatacenter" salt.cloud.clouds.vmware.create_datastore_cluster(kwargs=None, call=None) Create a new datastore cluster for the specified datacenter in this VMware environment CLI Example: salt-cloud -f create_datastore_cluster my-vmware-config name="datastoreClusterName" datacenter="datacenterName" salt.cloud.clouds.vmware.create_folder(kwargs=None, call=None) Create the specified folder path in this VMware environment NOTE: To create a Host and Cluster Folder under a Datacenter, specify path="/yourDatacenterName/host/yourFolderName" To create a Network Folder under a Datacenter, specify path="/yourDatacenterName/network/yourFolderName" To create a Storage Folder under a Datacenter, specify path="/yourDatacenterName/datastore/yourFolderName" To create a VM and Template Folder under a Datacenter, specify path="/yourDatacenterName/vm/yourFolderName" CLI Example: salt-cloud -f create_folder my-vmware-config path="/Local/a/b/c" salt-cloud -f create_folder my-vmware-config path="/MyDatacenter/vm/MyVMFolder" salt-cloud -f create_folder my-vmware-config path="/MyDatacenter/host/MyHostFolder" salt-cloud -f create_folder my-vmware-config path="/MyDatacenter/network/MyNetworkFolder" salt-cloud -f create_folder my-vmware-config path="/MyDatacenter/storage/MyStorageFolder" salt.cloud.clouds.vmware.create_snapshot(name, kwargs=None, call=None) Create a snapshot of the specified virtual machine in this VMware environment NOTE: If the VM is powered on, the internal state of the VM (memory dump) is included in the snapshot by default which will also set the power state of the snapshot to "powered on". You can set memdump=False to override this. This field is ignored if the virtual machine is powered off or if the VM does not support snapshots with memory dumps. Default is memdump=True NOTE: If the VM is powered on when the snapshot is taken, VMware Tools can be used to quiesce the file system in the virtual machine by setting quiesce=True. This field is ignored if the virtual machine is powered off; if VMware Tools are not available or if memdump=True. Default is quiesce=False CLI Example: salt-cloud -a create_snapshot vmname snapshot_name="mySnapshot" salt-cloud -a create_snapshot vmname snapshot_name="mySnapshot" [description="My snapshot"] [memdump=False] [quiesce=True] salt.cloud.clouds.vmware.destroy(name, call=None) To destroy a VM from the VMware environment CLI Example: salt-cloud -d vmname salt-cloud --destroy vmname salt-cloud -a destroy vmname salt.cloud.clouds.vmware.disconnect_host(kwargs=None, call=None) Disconnect the specified host system in this VMware environment CLI Example: salt-cloud -f disconnect_host my-vmware-config host="myHostSystemName" salt.cloud.clouds.vmware.enter_maintenance_mode(kwargs=None, call=None) To put the specified host system in maintenance mode in this VMware environment CLI Example: salt-cloud -f enter_maintenance_mode my-vmware-config host="myHostSystemName" salt.cloud.clouds.vmware.exit_maintenance_mode(kwargs=None, call=None) To take the specified host system out of maintenance mode in this VMware environment CLI Example: salt-cloud -f exit_maintenance_mode my-vmware-config host="myHostSystemName" salt.cloud.clouds.vmware.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.vmware.get_vcenter_version(kwargs=None, call=None) Show the vCenter Server version with build number. CLI Example: salt-cloud -f get_vcenter_version my-vmware-config salt.cloud.clouds.vmware.list_clusters(kwargs=None, call=None) List all the clusters for this VMware environment CLI Example: salt-cloud -f list_clusters my-vmware-config salt.cloud.clouds.vmware.list_clusters_by_datacenter(kwargs=None, call=None) List clusters for each datacenter; or clusters for a specified datacenter in this VMware environment To list clusters for each datacenter: CLI Example: salt-cloud -f list_clusters_by_datacenter my-vmware-config To list clusters for a specified datacenter: CLI Example: salt-cloud -f list_clusters_by_datacenter my-vmware-config datacenter="datacenterName" salt.cloud.clouds.vmware.list_datacenters(kwargs=None, call=None) List all the data centers for this VMware environment CLI Example: salt-cloud -f list_datacenters my-vmware-config salt.cloud.clouds.vmware.list_datastore_clusters(kwargs=None, call=None) List all the datastore clusters for this VMware environment CLI Example: salt-cloud -f list_datastore_clusters my-vmware-config salt.cloud.clouds.vmware.list_datastores(kwargs=None, call=None) List all the datastores for this VMware environment CLI Example: salt-cloud -f list_datastores my-vmware-config salt.cloud.clouds.vmware.list_dvs(kwargs=None, call=None) List all the distributed virtual switches for this VMware environment CLI Example: salt-cloud -f list_dvs my-vmware-config salt.cloud.clouds.vmware.list_folders(kwargs=None, call=None) List all the folders for this VMware environment CLI Example: salt-cloud -f list_folders my-vmware-config salt.cloud.clouds.vmware.list_hbas(kwargs=None, call=None) List all HBAs for each host system; or all HBAs for a specified host system; or HBAs of specified type for each host system; or HBAs of specified type for a specified host system in this VMware environment NOTE: You can specify type as either parallel, iscsi, block or fibre. To list all HBAs for each host system: CLI Example: salt-cloud -f list_hbas my-vmware-config To list all HBAs for a specified host system: CLI Example: salt-cloud -f list_hbas my-vmware-config host="hostSystemName" To list HBAs of specified type for each host system: CLI Example: salt-cloud -f list_hbas my-vmware-config type="HBAType" To list HBAs of specified type for a specified host system: CLI Example: salt-cloud -f list_hbas my-vmware-config host="hostSystemName" type="HBAtype" salt.cloud.clouds.vmware.list_hosts(kwargs=None, call=None) List all the hosts for this VMware environment CLI Example: salt-cloud -f list_hosts my-vmware-config salt.cloud.clouds.vmware.list_hosts_by_cluster(kwargs=None, call=None) List hosts for each cluster; or hosts for a specified cluster in this VMware environment To list hosts for each cluster: CLI Example: salt-cloud -f list_hosts_by_cluster my-vmware-config To list hosts for a specified cluster: CLI Example: salt-cloud -f list_hosts_by_cluster my-vmware-config cluster="clusterName" salt.cloud.clouds.vmware.list_hosts_by_datacenter(kwargs=None, call=None) List hosts for each datacenter; or hosts for a specified datacenter in this VMware environment To list hosts for each datacenter: CLI Example: salt-cloud -f list_hosts_by_datacenter my-vmware-config To list hosts for a specified datacenter: CLI Example: salt-cloud -f list_hosts_by_datacenter my-vmware-config datacenter="datacenterName" salt.cloud.clouds.vmware.list_networks(kwargs=None, call=None) List all the standard networks for this VMware environment CLI Example: salt-cloud -f list_networks my-vmware-config salt.cloud.clouds.vmware.list_nodes(kwargs=None, call=None) Return a list of all VMs and templates that are on the specified provider, with basic fields CLI Example: salt-cloud -f list_nodes my-vmware-config To return a list of all VMs and templates present on ALL configured providers, with basic fields: CLI Example: salt-cloud -Q salt.cloud.clouds.vmware.list_nodes_full(kwargs=None, call=None) Return a list of all VMs and templates that are on the specified provider, with full details CLI Example: salt-cloud -f list_nodes_full my-vmware-config To return a list of all VMs and templates present on ALL configured providers, with full details: CLI Example: salt-cloud -F salt.cloud.clouds.vmware.list_nodes_min(kwargs=None, call=None) Return a list of all VMs and templates that are on the specified provider, with no details CLI Example: salt-cloud -f list_nodes_min my-vmware-config salt.cloud.clouds.vmware.list_nodes_select(call=None) Return a list of all VMs and templates that are on the specified provider, with fields specified under query.selection in /etc/salt/cloud CLI Example: salt-cloud -f list_nodes_select my-vmware-config To return a list of all VMs and templates present on ALL configured providers, with fields specified under query.selection in /etc/salt/cloud: CLI Example: salt-cloud -S salt.cloud.clouds.vmware.list_resourcepools(kwargs=None, call=None) List all the resource pools for this VMware environment CLI Example: salt-cloud -f list_resourcepools my-vmware-config salt.cloud.clouds.vmware.list_snapshots(kwargs=None, call=None) List snapshots either for all VMs and templates or for a specific VM/template in this VMware environment To list snapshots for all VMs and templates: CLI Example: salt-cloud -f list_snapshots my-vmware-config To list snapshots for a specific VM/template: CLI Example: salt-cloud -f list_snapshots my-vmware-config name="vmname" salt.cloud.clouds.vmware.list_templates(kwargs=None, call=None) List all the templates present in this VMware environment CLI Example: salt-cloud -f list_templates my-vmware-config salt.cloud.clouds.vmware.list_vapps(kwargs=None, call=None) List all the vApps for this VMware environment CLI Example: salt-cloud -f list_vapps my-vmware-config salt.cloud.clouds.vmware.reboot_host(kwargs=None, call=None) Reboot the specified host system in this VMware environment NOTE: If the host system is not in maintenance mode, it will not be rebooted. If you want to reboot the host system regardless of whether it is in maintenance mode, set force=True. Default is force=False. CLI Example: salt-cloud -f reboot_host my-vmware-config host="myHostSystemName" [force=True] salt.cloud.clouds.vmware.remove_all_snapshots(name, kwargs=None, call=None) Remove all the snapshots present for the specified virtual machine. NOTE: All the snapshots higher up in the hierarchy of the current snapshot tree are consolidated and their virtual disks are merged. To override this behavior and only remove all snapshots, set merge_snapshots=False. Default is merge_snapshots=True CLI Example: salt-cloud -a remove_all_snapshots vmname [merge_snapshots=False] salt.cloud.clouds.vmware.remove_host(kwargs=None, call=None) Remove the specified host system from this VMware environment CLI Example: salt-cloud -f remove_host my-vmware-config host="myHostSystemName" salt.cloud.clouds.vmware.rescan_hba(kwargs=None, call=None) To rescan a specified HBA or all the HBAs on the Host System CLI Example: salt-cloud -f rescan_hba my-vmware-config host="hostSystemName" salt-cloud -f rescan_hba my-vmware-config hba="hbaDeviceName" host="hostSystemName" salt.cloud.clouds.vmware.reset(name, call=None) To reset a VM using its name CLI Example: salt-cloud -a reset vmname salt.cloud.clouds.vmware.revert_to_snapshot(name, kwargs=None, call=None) Revert virtual machine to it's current snapshot. If no snapshot exists, the state of the virtual machine remains unchanged NOTE: The virtual machine will be powered on if the power state of the snapshot when it was created was set to "Powered On". Set power_off=True so that the virtual machine stays powered off regardless of the power state of the snapshot when it was created. Default is power_off=False. If the power state of the snapshot when it was created was "Powered On" and if power_off=True, the VM will be put in suspended state after it has been reverted to the snapshot. CLI Example: salt-cloud -a revert_to_snapshot vmame [power_off=True] salt.cloud.clouds.vmware.show_instance(name, call=None) List all available details of the specified VM CLI Example: salt-cloud -a show_instance vmname salt.cloud.clouds.vmware.start(name, call=None) To start/power on a VM using its name CLI Example: salt-cloud -a start vmname salt.cloud.clouds.vmware.stop(name, call=None) To stop/power off a VM using its name CLI Example: salt-cloud -a stop vmname salt.cloud.clouds.vmware.suspend(name, call=None) To suspend a VM using its name CLI Example: salt-cloud -a suspend vmname salt.cloud.clouds.vmware.terminate(name, call=None) To do an immediate power off of a VM using its name. A SIGKILL is issued to the vmx process of the VM CLI Example: salt-cloud -a terminate vmname salt.cloud.clouds.vmware.test_vcenter_connection(kwargs=None, call=None) Test if the connection can be made to the vCenter server using the specified credentials inside /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/vmware.conf CLI Example: salt-cloud -f test_vcenter_connection my-vmware-config salt.cloud.clouds.vmware.upgrade_tools(name, reboot=False, call=None) To upgrade VMware Tools on a specified virtual machine. NOTE: If the virtual machine is running Windows OS, use reboot=True to reboot the virtual machine after VMware tools upgrade. Default is reboot=False CLI Example: salt-cloud -a upgrade_tools vmname salt-cloud -a upgrade_tools vmname reboot=True salt.cloud.clouds.vmware.upgrade_tools_all(call=None) To upgrade VMware Tools on all virtual machines present in the specified provider NOTE: If the virtual machine is running Windows OS, this function will attempt to suppress the automatic reboot caused by a VMware Tools upgrade. CLI Example: salt-cloud -f upgrade_tools_all my-vmware-config salt.cloud.clouds.vsphere vSphere Cloud Module NOTE: Deprecated since version Carbon: The vsphere cloud driver has been deprecated in favor of the vmware cloud driver and will be removed in Salt Carbon. Please refer to Getting started with VMware to get started and convert your vsphere provider configurations to use the vmware driver. The vSphere cloud module is used to control access to VMWare vSphere. depends PySphere Python module >= 0.1.8 Note: Ensure python pysphere module is installed by running following one-liner check. The output should be 0. python -c "import pysphere" ; echo $? # if this fails install using pip install https://pysphere.googlecode.com/files/pysphere-0.1.8.zip Use of this module only requires a URL, username and password. Set up the cloud configuration at: /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/vsphere.conf: my-vsphere-config: driver: vsphere user: myuser password: verybadpass template_user: root template_password: mybadVMpassword url: 'https://10.1.1.1:443' Note: Your URL may or may not look like any of the following, depending on how your VMWare installation is configured: 10.1.1.1 10.1.1.1:443 https://10.1.1.1:443 https://10.1.1.1:443/sdk 10.1.1.1:443/sdk folder Name of the folder that will contain the new VM. If not set, the VM will be added to the folder the original VM belongs to. resourcepool MOR of the resourcepool to be used for the new vm. If not set, it uses the same resourcepool than the original vm. datastore MOR of the datastore where the virtual machine should be located. If not specified, the current datastore is used. host MOR of the host where the virtual machine should be registered. Id not specified: • if resourcepool is not specified, current host is used. • if resourcepool is specified, and the target pool represents a stand-alone host, the host is used. • if resourcepool is specified, and the target pool represents a DRS-enabled cluster, a host selected by DRS is used. • if resourcepool is specified and the target pool represents a cluster without DRS enabled, an InvalidArgument exception will be thrown. template Specifies whether or not the new virtual machine should be marked as a template. Default is False. template_user Specifies the user to access the VM. Should be template_password The password with which to access the VM. sudo The user to access the VM with sudo privileges. New in version 2015.5.2. sudo_password The password corresponding to the sudo user to access the VM with sudo privileges. New in version 2015.5.2. salt.cloud.clouds.vsphere.avail_images() Return a dict of all available VM images on the cloud provider. salt.cloud.clouds.vsphere.avail_locations() Return a dict of all available VM locations on the cloud provider with relevant data salt.cloud.clouds.vsphere.create(vm_) Create a single VM from a data dict salt.cloud.clouds.vsphere.create_snapshot(kwargs=None, call=None) Create a snapshot @name: Name of the virtual machine to snapshot @snapshot: Name of the snapshot @description: Description of the snapshot (optional) @memory: Dump of the internal state of the virtual machine (optional) New in version 2015.8.0. CLI Example: salt-cloud -f create_snapshot [PROVIDER] name=myvm.example.com snapshot=mysnapshot salt-cloud -f create_snapshot [PROVIDER] name=myvm.example.com snapshot=mysnapshot description='My Snapshot' memory=True salt.cloud.clouds.vsphere.delete_snapshot(kwargs=None, call=None) Delete snapshot New in version 2015.8.0. CLI Example: salt-cloud -f delete_snapshot [PROVIDER] name=myvm.example.com snapshot=mysnapshot salt.cloud.clouds.vsphere.destroy(name, call=None) Destroy a node. CLI Example: salt-cloud --destroy mymachine salt.cloud.clouds.vsphere.get_configured_provider() Return the first configured instance. salt.cloud.clouds.vsphere.get_conn() Return a conn object for the passed VM data salt.cloud.clouds.vsphere.get_dependencies() Warn if dependencies aren't met. salt.cloud.clouds.vsphere.list_clusters(kwargs=None, call=None) List the clusters for this VMware environment salt.cloud.clouds.vsphere.list_datacenters(kwargs=None, call=None) List the data centers for this VMware environment salt.cloud.clouds.vsphere.list_datastores(kwargs=None, call=None) List the datastores for this VMware environment salt.cloud.clouds.vsphere.list_folders(kwargs=None, call=None) List the folders for this VMWare environment salt.cloud.clouds.vsphere.list_hosts(kwargs=None, call=None) List the hosts for this VMware environment salt.cloud.clouds.vsphere.list_nodes(kwargs=None, call=None) Return a list of the VMs that are on the provider, with basic fields salt.cloud.clouds.vsphere.list_nodes_full(kwargs=None, call=None) Return a list of the VMs that are on the provider with full details salt.cloud.clouds.vsphere.list_nodes_min(kwargs=None, call=None) Return a list of the nodes in the provider, with no details salt.cloud.clouds.vsphere.list_nodes_select() Return a list of the VMs that are on the provider, with select fields salt.cloud.clouds.vsphere.list_resourcepools(kwargs=None, call=None) List the hosts for this VMware environment salt.cloud.clouds.vsphere.reset(name, call=None) To reset a VM using its name CLI Example: salt-cloud -a reset vmname salt.cloud.clouds.vsphere.script(vm_) Return the script deployment object salt.cloud.clouds.vsphere.show_instance(name, call=None) Show the details from vSphere concerning a guest salt.cloud.clouds.vsphere.snapshot_list(kwargs=None, call=None) List virtual machines with snapshots New in version 2015.8.0. CLI Example: salt-cloud -f snapshot_list salt.cloud.clouds.vsphere.start(name, call=None) To start/power on a VM using its name CLI Example: salt-cloud -a start vmname salt.cloud.clouds.vsphere.status(name, call=None) To check the status of a VM using its name CLI Example: salt-cloud -a status vmname salt.cloud.clouds.vsphere.stop(name, call=None) To stop/power off a VM using its name CLI Example: salt-cloud -a stop vmname salt.cloud.clouds.vsphere.suspend(name, call=None) To suspend a VM using its name CLI Example: salt-cloud -a suspend vmname salt.cloud.clouds.vsphere.wait_for_ip(vm_) Configuration file examples • Example master configuration file • Example minion configuration file Example master configuration file ##### Primary configuration settings ##### ########################################## # This configuration file is used to manage the behavior of the Salt Master. # Values that are commented out but have an empty line after the comment are # defaults that do not need to be set in the config. If there is no blank line # after the comment then the value is presented as an example and is not the # default. # Per default, the master will automatically include all config files # from master.d/*.conf (master.d is a directory in the same directory # as the main master config file). #default_include: master.d/*.conf # The address of the interface to bind to: #interface: 0.0.0.0 # Whether the master should listen for IPv6 connections. If this is set to True, # the interface option must be adjusted, too. (For example: "interface: '::'") #ipv6: False # The tcp port used by the publisher: #publish_port: 4505 # The user under which the salt master will run. Salt will update all # permissions to allow the specified user to run the master. The exception is # the job cache, which must be deleted if this user is changed. If the # modified files cause conflicts, set verify_env to False. #user: root # The port used by the communication interface. The ret (return) port is the # interface used for the file server, authentication, job returns, etc. #ret_port: 4506 # Specify the location of the daemon process ID file: #pidfile: /var/run/salt-master.pid # The root directory prepended to these options: pki_dir, cachedir, # sock_dir, log_file, autosign_file, autoreject_file, extension_modules, # key_logfile, pidfile: #root_dir: / # Directory used to store public key data: #pki_dir: /etc/salt/pki/master # Directory to store job and cache data: # This directory may contain sensitive data and should be protected accordingly. # #cachedir: /var/cache/salt/master # Directory for custom modules. This directory can contain subdirectories for # each of Salt's module types such as "runners", "output", "wheel", "modules", # "states", "returners", etc. #extension_modules: <no default> # Directory for custom modules. This directory can contain subdirectories for # each of Salt's module types such as "runners", "output", "wheel", "modules", # "states", "returners", etc. # Like 'extension_modules' but can take an array of paths #module_dirs: <no default> # - /var/cache/salt/minion/extmods # Verify and set permissions on configuration directories at startup: #verify_env: True # Set the number of hours to keep old job information in the job cache: #keep_jobs: 24 # Set the default timeout for the salt command and api. The default is 5 # seconds. #timeout: 5 # The loop_interval option controls the seconds for the master's maintenance # process check cycle. This process updates file server backends, cleans the # job cache and executes the scheduler. #loop_interval: 60 # Set the default outputter used by the salt command. The default is "nested". #output: nested # Return minions that timeout when running commands like test.ping #show_timeout: True # By default, output is colored. To disable colored output, set the color value # to False. #color: True # Do not strip off the colored output from nested results and state outputs # (true by default). # strip_colors: False # Set the directory used to hold unix sockets: #sock_dir: /var/run/salt/master # The master can take a while to start up when lspci and/or dmidecode is used # to populate the grains for the master. Enable if you want to see GPU hardware # data for your master. # enable_gpu_grains: False # The master maintains a job cache. While this is a great addition, it can be # a burden on the master for larger deployments (over 5000 minions). # Disabling the job cache will make previously executed jobs unavailable to # the jobs system and is not generally recommended. #job_cache: True # Cache minion grains and pillar data in the cachedir. #minion_data_cache: True # Store all returns in the given returner. # Setting this option requires that any returner-specific configuration also # be set. See various returners in salt/returners for details on required # configuration values. (See also, event_return_queue below.) # #event_return: mysql # On busy systems, enabling event_returns can cause a considerable load on # the storage system for returners. Events can be queued on the master and # stored in a batched fashion using a single transaction for multiple events. # By default, events are not queued. #event_return_queue: 0 # Only events returns matching tags in a whitelist # event_return_whitelist: # - salt/master/a_tag # - salt/master/another_tag # Store all event returns _except_ the tags in a blacklist # event_return_blacklist: # - salt/master/not_this_tag # - salt/master/or_this_one # Passing very large events can cause the minion to consume large amounts of # memory. This value tunes the maximum size of a message allowed onto the # master event bus. The value is expressed in bytes. #max_event_size: 1048576 # By default, the master AES key rotates every 24 hours. The next command # following a key rotation will trigger a key refresh from the minion which may # result in minions which do not respond to the first command after a key refresh. # # To tell the master to ping all minions immediately after an AES key refresh, set # ping_on_rotate to True. This should mitigate the issue where a minion does not # appear to initially respond after a key is rotated. # # Note that ping_on_rotate may cause high load on the master immediately after # the key rotation event as minions reconnect. Consider this carefully if this # salt master is managing a large number of minions. # # If disabled, it is recommended to handle this event by listening for the # 'aes_key_rotate' event with the 'key' tag and acting appropriately. # ping_on_rotate: False # By default, the master deletes its cache of minion data when the key for that # minion is removed. To preserve the cache after key deletion, set # 'preserve_minion_cache' to True. # # WARNING: This may have security implications if compromised minions auth with # a previous deleted minion ID. #preserve_minion_cache: False # If max_minions is used in large installations, the master might experience # high-load situations because of having to check the number of connected # minions for every authentication. This cache provides the minion-ids of # all connected minions to all MWorker-processes and greatly improves the # performance of max_minions. # con_cache: False # The master can include configuration from other files. To enable this, # pass a list of paths to this option. The paths can be either relative or # absolute; if relative, they are considered to be relative to the directory # the main master configuration file lives in (this file). Paths can make use # of shell-style globbing. If no files are matched by a path passed to this # option, then the master will log a warning message. # # Include a config file from some other path: # include: /etc/salt/extra_config # # Include config from several files and directories: # include: # - /etc/salt/extra_config ##### Large-scale tuning settings ##### ########################################## # Max open files # # Each minion connecting to the master uses AT LEAST one file descriptor, the # master subscription connection. If enough minions connect you might start # seeing on the console (and then salt-master crashes): # Too many open files (tcp_listener.cpp:335) # Aborted (core dumped) # # By default this value will be the one of `ulimit -Hn`, ie, the hard limit for # max open files. # # If you wish to set a different value than the default one, uncomment and # configure this setting. Remember that this value CANNOT be higher than the # hard limit. Raising the hard limit depends on your OS and/or distribution, # a good way to find the limit is to search the internet. For example: # raise max open files hard limit debian # #max_open_files: 100000 # The number of worker threads to start. These threads are used to manage # return calls made from minions to the master. If the master seems to be # running slowly, increase the number of threads. This setting can not be # set lower than 3. #worker_threads: 5 # Set the ZeroMQ high water marks # http://api.zeromq.org/3-2:zmq-setsockopt # The publisher interface ZeroMQPubServerChannel #pub_hwm: 1000 # These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm # are significant for masters with thousands of minions. When these are # insufficiently high it will manifest in random responses missing in the CLI # and even missing from the job cache. Masters that have fast CPUs and many # cores with appropriate worker_threads will not need these set as high. # On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has # these settings: # # salt_event_pub_hwm: 128000 # event_publisher_pub_hwm: 64000 # ZMQ high-water-mark for SaltEvent pub socket #salt_event_pub_hwm: 20000 # ZMQ high-water-mark for EventPublisher pub socket #event_publisher_pub_hwm: 10000 ##### Security settings ##### ########################################## # Enable "open mode", this mode still maintains encryption, but turns off # authentication, this is only intended for highly secure environments or for # the situation where your keys end up in a bad state. If you run in open mode # you do so at your own risk! #open_mode: False # Enable auto_accept, this setting will automatically accept all incoming # public keys from the minions. Note that this is insecure. #auto_accept: False # Time in minutes that a incoming public key with a matching name found in # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys # are removed when the master checks the minion_autosign directory. # 0 equals no timeout # autosign_timeout: 120 # If the autosign_file is specified, incoming keys specified in the # autosign_file will be automatically accepted. This is insecure. Regular # expressions as well as globing lines are supported. #autosign_file: /etc/salt/autosign.conf # Works like autosign_file, but instead allows you to specify minion IDs for # which keys will automatically be rejected. Will override both membership in # the autosign_file and the auto_accept setting. #autoreject_file: /etc/salt/autoreject.conf # Enable permissive access to the salt keys. This allows you to run the # master or minion as root, but have a non-root group be given access to # your pki_dir. To make the access explicit, root must belong to the group # you've given access to. This is potentially quite insecure. If an autosign_file # is specified, enabling permissive_pki_access will allow group access to that # specific file. #permissive_pki_access: False # Allow users on the master access to execute specific commands on minions. # This setting should be treated with care since it opens up execution # capabilities to non root users. By default this capability is completely # disabled. #client_acl: # larry: # - test.ping # - network.* # # Blacklist any of the following users or modules # # This example would blacklist all non sudo users, including root from # running any commands. It would also blacklist any use of the "cmd" # module. This is completely disabled by default. # #client_acl_blacklist: # users: # - root # - '^(?!sudo_).*$' # all non sudo users # modules: # - cmd # Enforce client_acl & client_acl_blacklist when users have sudo # access to the salt command. # #sudo_acl: False # The external auth system uses the Salt auth modules to authenticate and # validate users to access areas of the Salt system. #external_auth: # pam: # fred: # - test.* # # Time (in seconds) for a newly generated token to live. Default: 12 hours #token_expire: 43200 # Allow minions to push files to the master. This is disabled by default, for # security purposes. #file_recv: False # Set a hard-limit on the size of the files that can be pushed to the master. # It will be interpreted as megabytes. Default: 100 #file_recv_max_size: 100 # Signature verification on messages published from the master. # This causes the master to cryptographically sign all messages published to its event # bus, and minions then verify that signature before acting on the message. # # This is False by default. # # Note that to facilitate interoperability with masters and minions that are different # versions, if sign_pub_messages is True but a message is received by a minion with # no signature, it will still be accepted, and a warning message will be logged. # Conversely, if sign_pub_messages is False, but a minion receives a signed # message it will be accepted, the signature will not be checked, and a warning message # will be logged. This behavior went away in Salt 2014.1.0 and these two situations # will cause minion to throw an exception and drop the message. # sign_pub_messages: False ##### Salt-SSH Configuration ##### ########################################## # Pass in an alternative location for the salt-ssh roster file #roster_file: /etc/salt/roster # Pass in minion option overrides that will be inserted into the SHIM for # salt-ssh calls. The local minion config is not used for salt-ssh. Can be # overridden on a per-minion basis in the roster (`minion_opts`) #ssh_minion_opts: # gpg_keydir: /root/gpg ##### Master Module Management ##### ########################################## # Manage how master side modules are loaded. # Add any additional locations to look for master runners: #runner_dirs: [] # Enable Cython for master side modules: #cython_enable: False ##### State System settings ##### ########################################## # The state system uses a "top" file to tell the minions what environment to # use and what modules to use. The state_top file is defined relative to the # root of the base environment as defined in "File Server settings" below. #state_top: top.sls # The master_tops option replaces the external_nodes option by creating # a plugable system for the generation of external top data. The external_nodes # option is deprecated by the master_tops option. # # To gain the capabilities of the classic external_nodes system, use the # following configuration: # master_tops: # ext_nodes: <Shell command which returns yaml> # #master_tops: {} # The external_nodes option allows Salt to gather data that would normally be # placed in a top file. The external_nodes option is the executable that will # return the ENC data. Remember that Salt will look for external nodes AND top # files and combine the results if both are enabled! #external_nodes: None # The renderer to use on the minions to render the state data #renderer: yaml_jinja # The Jinja renderer can strip extra carriage returns and whitespace # See http://jinja.pocoo.org/docs/api/#high-level-api # # If this is set to True the first newline after a Jinja block is removed # (block, not variable tag!). Defaults to False, corresponds to the Jinja # environment init variable "trim_blocks". #jinja_trim_blocks: False # # If this is set to True leading spaces and tabs are stripped from the start # of a line to a block. Defaults to False, corresponds to the Jinja # environment init variable "lstrip_blocks". #jinja_lstrip_blocks: False # The failhard option tells the minions to stop immediately after the first # failure detected in the state execution, defaults to False #failhard: False # The state_verbose and state_output settings can be used to change the way # state system data is printed to the display. By default all data is printed. # The state_verbose setting can be set to True or False, when set to False # all data that has a result of True and no changes will be suppressed. #state_verbose: True # The state_output setting changes if the output is the full multi line # output for each changed state if set to 'full', but if set to 'terse' # the output will be shortened to a single line. If set to 'mixed', the output # will be terse unless a state failed, in which case that output will be full. # If set to 'changes', the output will be full unless the state didn't change. #state_output: full # Automatically aggregate all states that have support for mod_aggregate by # setting to 'True'. Or pass a list of state module names to automatically # aggregate just those types. # # state_aggregate: # - pkg # #state_aggregate: False # Send progress events as each function in a state run completes execution # by setting to 'True'. Progress events are in the format # 'salt/job/<JID>/prog/<MID>/<RUN NUM>'. #state_events: False ##### File Server settings ##### ########################################## # Salt runs a lightweight file server written in zeromq to deliver files to # minions. This file server is built into the master daemon and does not # require a dedicated port. # The file server works on environments passed to the master, each environment # can have multiple root directories, the subdirectories in the multiple file # roots cannot match, otherwise the downloaded files will not be able to be # reliably ensured. A base environment is required to house the top file. # Example: # file_roots: # base: # - /srv/salt/ # dev: # - /srv/salt/dev/services # - /srv/salt/dev/states # prod: # - /srv/salt/prod/services # - /srv/salt/prod/states # #file_roots: # base: # - /srv/salt # # When using multiple environments, each with their own top file, the # default behaviour is an unordered merge. To prevent top files from # being merged together and instead to only use the top file from the # requested environment, set this value to 'same'. #top_file_merging_strategy: merge # To specify the order in which environments are merged, set the ordering # in the env_order option. Given a conflict, the last matching value will # win. #env_order: ['base', 'dev', 'prod'] # If top_file_merging_strategy is set to 'same' and an environment does not # contain a top file, the top file in the environment specified by default_top # will be used instead. #default_top: base # The hash_type is the hash to use when discovering the hash of a file on # the master server. The default is md5 but sha1, sha224, sha256, sha384 # and sha512 are also supported. # # WARNING: While md5 is supported, do not use it due to the high chance # of possible collisions and thus security breach. # # Prior to changing this value, the master should be stopped and all Salt # caches should be cleared. #hash_type: md5 # The buffer size in the file server can be adjusted here: #file_buffer_size: 1048576 # A regular expression (or a list of expressions) that will be matched # against the file path before syncing the modules and states to the minions. # This includes files affected by the file.recurse state. # For example, if you manage your custom modules and states in subversion # and don't want all the '.svn' folders and content synced to your minions, # you could set this to '/\.svn($|/)'. By default nothing is ignored. #file_ignore_regex: # - '/\.svn($|/)' # - '/\.git($|/)' # A file glob (or list of file globs) that will be matched against the file # path before syncing the modules and states to the minions. This is similar # to file_ignore_regex above, but works on globs instead of regex. By default # nothing is ignored. # file_ignore_glob: # - '*.pyc' # - '*/somefolder/*.bak' # - '*.swp' # File Server Backend # # Salt supports a modular fileserver backend system, this system allows # the salt master to link directly to third party systems to gather and # manage the files available to minions. Multiple backends can be # configured and will be searched for the requested file in the order in which # they are defined here. The default setting only enables the standard backend # "roots" which uses the "file_roots" option. #fileserver_backend: # - roots # # To use multiple backends list them in the order they are searched: #fileserver_backend: # - git # - roots # # Uncomment the line below if you do not want the file_server to follow # symlinks when walking the filesystem tree. This is set to True # by default. Currently this only applies to the default roots # fileserver_backend. #fileserver_followsymlinks: False # # Uncomment the line below if you do not want symlinks to be # treated as the files they are pointing to. By default this is set to # False. By uncommenting the line below, any detected symlink while listing # files on the Master will not be returned to the Minion. #fileserver_ignoresymlinks: True # # By default, the Salt fileserver recurses fully into all defined environments # to attempt to find files. To limit this behavior so that the fileserver only # traverses directories with SLS files and special Salt directories like _modules, # enable the option below. This might be useful for installations where a file root # has a very large number of files and performance is impacted. Default is False. # fileserver_limit_traversal: False # # The fileserver can fire events off every time the fileserver is updated, # these are disabled by default, but can be easily turned on by setting this # flag to True #fileserver_events: False # Git File Server Backend Configuration # # Gitfs can be provided by one of two python modules: GitPython or pygit2. If # using pygit2, both libgit2 and git must also be installed. #gitfs_provider: gitpython # # When using the git fileserver backend at least one git remote needs to be # defined. The user running the salt master will need read access to the repo. # # The repos will be searched in order to find the file requested by a client # and the first repo to have the file will return it. # When using the git backend branches and tags are translated into salt # environments. # Note: file:// repos will be treated as a remote, so refs you want used must # exist in that repo as *local* refs. #gitfs_remotes: # - git://github.com/saltstack/salt-states.git # - file:///var/git/saltmaster # # The gitfs_ssl_verify option specifies whether to ignore ssl certificate # errors when contacting the gitfs backend. You might want to set this to # false if you're using a git backend that uses a self-signed certificate but # keep in mind that setting this flag to anything other than the default of True # is a security concern, you may want to try using the ssh transport. #gitfs_ssl_verify: True # # The gitfs_root option gives the ability to serve files from a subdirectory # within the repository. The path is defined relative to the root of the # repository and defaults to the repository root. #gitfs_root: somefolder/otherfolder # # ##### Pillar settings ##### ########################################## # Salt Pillars allow for the building of global data that can be made selectively # available to different minions based on minion grain filtering. The Salt # Pillar is laid out in the same fashion as the file server, with environments, # a top file and sls files. However, pillar data does not need to be in the # highstate format, and is generally just key/value pairs. #pillar_roots: # base: # - /srv/pillar # #ext_pillar: # - hiera: /etc/hiera.yaml # - cmd_yaml: cat /etc/salt/yaml # The ext_pillar_first option allows for external pillar sources to populate # before file system pillar. This allows for targeting file system pillar from # ext_pillar. #ext_pillar_first: False # The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate # errors when contacting the pillar gitfs backend. You might want to set this to # false if you're using a git backend that uses a self-signed certificate but # keep in mind that setting this flag to anything other than the default of True # is a security concern, you may want to try using the ssh transport. #pillar_gitfs_ssl_verify: True # The pillar_opts option adds the master configuration file data to a dict in # the pillar called "master". This is used to set simple configurations in the # master config file that can then be used on minions. #pillar_opts: False # The pillar_safe_render_error option prevents the master from passing pillar # render errors to the minion. This is set on by default because the error could # contain templating data which would give that minion information it shouldn't # have, like a password! When set true the error message will only show: # Rendering SLS 'my.sls' failed. Please see master log for details. #pillar_safe_render_error: True # The pillar_source_merging_strategy option allows you to configure merging strategy # between different sources. It accepts four values: recurse, aggregate, overwrite, # or smart. Recurse will merge recursively mapping of data. Aggregate instructs # aggregation of elements between sources that use the #!yamlex renderer. Overwrite # will verwrite elements according the order in which they are processed. This is # behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based # on the "renderer" setting and is the default value. #pillar_source_merging_strategy: smart # Recursively merge lists by aggregating them instead of replacing them. #pillar_merge_lists: False # A master can cache pillars locally to bypass the expense of having to render them # for each minion on every request. This feature should only be enabled in cases # where pillar rendering time is known to be unsatisfactory and any attendent security # concerns about storing pillars in a master cache have been addressed. # # When enabling this feature, be certain to read through the additional pillar_cache_* # configuration options to fully understand the tuneable parameters and their implications. # #pillar_cache: False # If and only if a master has set `pillar_cache: True`, the cache TTL controls the amount # of time, in seconds, before the cache is considered invalid by a master and a fresh # pillar is recompiled and stored. # # pillar_cache_ttl: 3600 # If an only if a master has set `pillar_cache: True`, one of several storage providers # can be utililzed. # # `disk`: The default storage backend. This caches rendered pillars to the master cache. # Rendered pillars are serialized and deserialized as msgpack structures for speed. # Note that pillars are stored UNENCRYPTED. Ensure that the master cache # has permissions set appropriately. (Sane defaults are provided.) # #`memory`: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python # in-memory data structure for maximal performance. There are several cavaets, # however. First, because each master worker contains its own in-memory cache, # there is no guarantee of cache consistency between minion requests. This # works best in situations where the pillar rarely if ever changes. Secondly, # and perhaps more importantly, this means that unencrypted pillars will # be accessible to any process which can examine the memory of the salt-master! # This may represent a substantial security risk. # #pillar_cache_backend: disk ##### Syndic settings ##### ########################################## # The Salt syndic is used to pass commands through a master from a higher # master. Using the syndic is simple. If this is a master that will have # syndic servers(s) below it, then set the "order_masters" setting to True. # # If this is a master that will be running a syndic daemon for passthrough, then # the "syndic_master" setting needs to be set to the location of the master server # to receive commands from. # Set the order_masters setting to True if this master will command lower # masters' syndic interfaces. #order_masters: False # If this master will be running a salt syndic daemon, syndic_master tells # this master where to receive commands from. #syndic_master: masterofmaster # This is the 'ret_port' of the MasterOfMaster: #syndic_master_port: 4506 # PID file of the syndic daemon: #syndic_pidfile: /var/run/salt-syndic.pid # LOG file of the syndic daemon: #syndic_log_file: syndic.log ##### Peer Publish settings ##### ########################################## # Salt minions can send commands to other minions, but only if the minion is # allowed to. By default "Peer Publication" is disabled, and when enabled it # is enabled for specific minions and specific commands. This allows secure # compartmentalization of commands based on individual minions. # The configuration uses regular expressions to match minions and then a list # of regular expressions to match functions. The following will allow the # minion authenticated as foo.example.com to execute functions from the test # and pkg modules. #peer: # foo.example.com: # - test.* # - pkg.* # # This will allow all minions to execute all commands: #peer: # .*: # - .* # # This is not recommended, since it would allow anyone who gets root on any # single minion to instantly have root on all of the minions! # Minions can also be allowed to execute runners from the salt master. # Since executing a runner from the minion could be considered a security risk, # it needs to be enabled. This setting functions just like the peer setting # except that it opens up runners instead of module functions. # # All peer runner support is turned off by default and must be enabled before # using. This will enable all peer runners for all minions: #peer_run: # .*: # - .* # # To enable just the manage.up runner for the minion foo.example.com: #peer_run: # foo.example.com: # - manage.up # # ##### Mine settings ##### ##################################### # Restrict mine.get access from minions. By default any minion has a full access # to get all mine data from master cache. In acl definion below, only pcre matches # are allowed. # mine_get: # .*: # - .* # # The example below enables minion foo.example.com to get 'network.interfaces' mine # data only, minions web* to get all network.* and disk.* mine data and all other # minions won't get any mine data. # mine_get: # foo.example.com: # - network.interfaces # web.*: # - network.* # - disk.* ##### Logging settings ##### ########################################## # The location of the master log file # The master log can be sent to a regular file, local path name, or network # location. Remote logging works best when configured to use rsyslogd(8) (e.g.: # ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI # format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility> #log_file: /var/log/salt/master #log_file: file:///dev/log #log_file: udp://loghost:10514 #log_file: /var/log/salt/master #key_logfile: /var/log/salt/key # The level of messages to send to the console. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. # # The following log levels are considered INSECURE and may log sensitive data: # ['garbage', 'trace', 'debug'] # #log_level: warning # The level of messages to send to the log file. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. # If using 'log_granular_levels' this must be set to the highest desired level. #log_level_logfile: warning # The date and time format used in log messages. Allowed date/time formatting # can be seen here: http://docs.python.org/library/time.html#time.strftime #log_datefmt: '%H:%M:%S' #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' # The format of the console logging messages. Allowed formatting options can # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes # # Console log colors are specified by these additional formatters: # # %(colorlevel)s # %(colorname)s # %(colorprocess)s # %(colormsg)s # # Since it is desirable to include the surrounding brackets, '[' and ']', in # the coloring of the messages, these color formatters also include padding as # well. Color LogRecord attributes are only available for console logging. # #log_fmt_console: '%(colorlevel)s %(colormsg)s' #log_fmt_console: '[%(levelname)-8s] %(message)s' # #log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' # This can be used to control logging levels more specificically. This # example sets the main salt library at the 'warning' level, but sets # 'salt.modules' to log at the 'debug' level: # log_granular_levels: # 'salt': 'warning' # 'salt.modules': 'debug' # #log_granular_levels: {} ##### Node Groups ###### ########################################## # Node groups allow for logical groupings of minion nodes. A group consists of # a group name and a compound target. Nodgroups can reference other nodegroups # with 'N@' classifier. Ensure that you do not have circular references. # #nodegroups: # group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com' # group2: 'G@os:Debian and foo.domain.com' # group3: 'G@os:Debian and N@group1' # group4: # - 'G@foo:bar' # - 'or' # - 'G@foo:baz' ##### Range Cluster settings ##### ########################################## # The range server (and optional port) that serves your cluster information # https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec # #range_server: range:80 ##### Windows Software Repo settings ##### ########################################### # Location of the repo on the master: #winrepo_dir_ng: '/srv/salt/win/repo-ng' # # List of git repositories to include with the local repo: #winrepo_remotes_ng: # - 'https://github.com/saltstack/salt-winrepo-ng.git' ##### Windows Software Repo settings - Pre 2015.8 ##### ######################################################## # Legacy repo settings for pre-2015.8 Windows minions. # # Location of the repo on the master: #winrepo_dir: '/srv/salt/win/repo' # # Location of the master's repo cache file: #winrepo_mastercachefile: '/srv/salt/win/repo/winrepo.p' # # List of git repositories to include with the local repo: #winrepo_remotes: # - 'https://github.com/saltstack/salt-winrepo.git' ##### Returner settings ###### ############################################ # Which returner(s) will be used for minion's result: #return: mysql ###### Miscellaneous settings ###### ############################################ # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch #event_match_type: startswith ##### NetAPI settings ##### ############################################ # Allow the raw_shell parameter to be used when calling Salt SSH client via API #netapi_allow_raw_shell: True Example minion configuration file ##### Primary configuration settings ##### ########################################## # This configuration file is used to manage the behavior of the Salt Minion. # With the exception of the location of the Salt Master Server, values that are # commented out but have an empty line after the comment are defaults that need # not be set in the config. If there is no blank line after the comment, the # value is presented as an example and is not the default. # Per default the minion will automatically include all config files # from minion.d/*.conf (minion.d is a directory in the same directory # as the main minion config file). #default_include: minion.d/*.conf # Set the location of the salt master server. If the master server cannot be # resolved, then the minion will fail to start. #master: salt # If multiple masters are specified in the 'master' setting, the default behavior # is to always try to connect to them in the order they are listed. If random_master is # set to True, the order will be randomized instead. This can be helpful in distributing # the load of many minions executing salt-call requests, for example, from a cron job. # If only one master is listed, this setting is ignored and a warning will be logged. # NOTE: If master_type is set to failover, use master_shuffle instead. #random_master: False # Use if master_type is set to failover. #master_shuffle: False # Minions can connect to multiple masters simultaneously (all masters # are "hot"), or can be configured to failover if a master becomes # unavailable. Multiple hot masters are configured by setting this # value to "str". Failover masters can be requested by setting # to "failover". MAKE SURE TO SET master_alive_interval if you are # using failover. # master_type: str # Poll interval in seconds for checking if the master is still there. Only # respected if master_type above is "failover". To disable the interval entirely, # set the value to -1. (This may be necessary on machines which have high numbers # of TCP connections, such as load balancers.) # master_alive_interval: 30 # Set whether the minion should connect to the master via IPv6: #ipv6: False # Set the number of seconds to wait before attempting to resolve # the master hostname if name resolution fails. Defaults to 30 seconds. # Set to zero if the minion should shutdown and not retry. # retry_dns: 30 # Set the port used by the master reply and authentication server. #master_port: 4506 # The user to run salt. #user: root # Setting sudo_user will cause salt to run all execution modules under an sudo # to the user given in sudo_user. The user under which the salt minion process # itself runs will still be that provided in the user config above, but all # execution modules run by the minion will be rerouted through sudo. #sudo_user: saltdev # Specify the location of the daemon process ID file. #pidfile: /var/run/salt-minion.pid # The root directory prepended to these options: pki_dir, cachedir, log_file, # sock_dir, pidfile. #root_dir: / # The directory to store the pki information in #pki_dir: /etc/salt/pki/minion # Explicitly declare the id for this minion to use, if left commented the id # will be the hostname as returned by the python call: socket.getfqdn() # Since salt uses detached ids it is possible to run multiple minions on the # same machine but with different ids, this can be useful for salt compute # clusters. #id: # Append a domain to a hostname in the event that it does not exist. This is # useful for systems where socket.getfqdn() does not actually result in a # FQDN (for instance, Solaris). #append_domain: # Custom static grains for this minion can be specified here and used in SLS # files just like all other grains. This example sets 4 custom grains, with # the 'roles' grain having two values that can be matched against. #grains: # roles: # - webserver # - memcache # deployment: datacenter4 # cabinet: 13 # cab_u: 14-15 # # Where cache data goes. # This data may contain sensitive data and should be protected accordingly. #cachedir: /var/cache/salt/minion # Verify and set permissions on configuration directories at startup. #verify_env: True # The minion can locally cache the return data from jobs sent to it, this # can be a good way to keep track of jobs the minion has executed # (on the minion side). By default this feature is disabled, to enable, set # cache_jobs to True. #cache_jobs: False # Set the directory used to hold unix sockets. #sock_dir: /var/run/salt/minion # Set the default outputter used by the salt-call command. The default is # "nested". #output: nested # # By default output is colored. To disable colored output, set the color value # to False. #color: True # Do not strip off the colored output from nested results and state outputs # (true by default). # strip_colors: False # Backup files that are replaced by file.managed and file.recurse under # 'cachedir'/file_backups relative to their original location and appended # with a timestamp. The only valid setting is "minion". Disabled by default. # # Alternatively this can be specified for each file in state files: # /etc/ssh/sshd_config: # file.managed: # - source: salt://ssh/sshd_config # - backup: minion # #backup_mode: minion # When waiting for a master to accept the minion's public key, salt will # continuously attempt to reconnect until successful. This is the time, in # seconds, between those reconnection attempts. #acceptance_wait_time: 10 # If this is nonzero, the time between reconnection attempts will increase by # acceptance_wait_time seconds per iteration, up to this maximum. If this is # set to zero, the time between reconnection attempts will stay constant. #acceptance_wait_time_max: 0 # If the master rejects the minion's public key, retry instead of exiting. # Rejected keys will be handled the same as waiting on acceptance. #rejected_retry: False # When the master key changes, the minion will try to re-auth itself to receive # the new master key. In larger environments this can cause a SYN flood on the # master because all minions try to re-auth immediately. To prevent this and # have a minion wait for a random amount of time, use this optional parameter. # The wait-time will be a random number of seconds between 0 and the defined value. #random_reauth_delay: 60 # When waiting for a master to accept the minion's public key, salt will # continuously attempt to reconnect until successful. This is the timeout value, # in seconds, for each individual attempt. After this timeout expires, the minion # will wait for acceptance_wait_time seconds before trying again. Unless your master # is under unusually heavy load, this should be left at the default. #auth_timeout: 60 # Number of consecutive SaltReqTimeoutError that are acceptable when trying to # authenticate. #auth_tries: 7 # If authentication fails due to SaltReqTimeoutError during a ping_interval, # cause sub minion process to restart. #auth_safemode: False # Ping Master to ensure connection is alive (minutes). #ping_interval: 0 # To auto recover minions if master changes IP address (DDNS) # auth_tries: 10 # auth_safemode: False # ping_interval: 90 # # Minions won't know master is missing until a ping fails. After the ping fail, # the minion will attempt authentication and likely fails out and cause a restart. # When the minion restarts it will resolve the masters IP and attempt to reconnect. # If you don't have any problems with syn-floods, don't bother with the # three recon_* settings described below, just leave the defaults! # # The ZeroMQ pull-socket that binds to the masters publishing interface tries # to reconnect immediately, if the socket is disconnected (for example if # the master processes are restarted). In large setups this will have all # minions reconnect immediately which might flood the master (the ZeroMQ-default # is usually a 100ms delay). To prevent this, these three recon_* settings # can be used. # recon_default: the interval in milliseconds that the socket should wait before # trying to reconnect to the master (1000ms = 1 second) # # recon_max: the maximum time a socket should wait. each interval the time to wait # is calculated by doubling the previous time. if recon_max is reached, # it starts again at recon_default. Short example: # # reconnect 1: the socket will wait 'recon_default' milliseconds # reconnect 2: 'recon_default' * 2 # reconnect 3: ('recon_default' * 2) * 2 # reconnect 4: value from previous interval * 2 # reconnect 5: value from previous interval * 2 # reconnect x: if value >= recon_max, it starts again with recon_default # # recon_randomize: generate a random wait time on minion start. The wait time will # be a random value between recon_default and recon_default + # recon_max. Having all minions reconnect with the same recon_default # and recon_max value kind of defeats the purpose of being able to # change these settings. If all minions have the same values and your # setup is quite large (several thousand minions), they will still # flood the master. The desired behavior is to have timeframe within # all minions try to reconnect. # # Example on how to use these settings. The goal: have all minions reconnect within a # 60 second timeframe on a disconnect. # recon_default: 1000 # recon_max: 59000 # recon_randomize: True # # Each minion will have a randomized reconnect value between 'recon_default' # and 'recon_default + recon_max', which in this example means between 1000ms # 60000ms (or between 1 and 60 seconds). The generated random-value will be # doubled after each attempt to reconnect. Lets say the generated random # value is 11 seconds (or 11000ms). # reconnect 1: wait 11 seconds # reconnect 2: wait 22 seconds # reconnect 3: wait 33 seconds # reconnect 4: wait 44 seconds # reconnect 5: wait 55 seconds # reconnect 6: wait time is bigger than 60 seconds (recon_default + recon_max) # reconnect 7: wait 11 seconds # reconnect 8: wait 22 seconds # reconnect 9: wait 33 seconds # reconnect x: etc. # # In a setup with ~6000 thousand hosts these settings would average the reconnects # to about 100 per second and all hosts would be reconnected within 60 seconds. # recon_default: 100 # recon_max: 5000 # recon_randomize: False # # # The loop_interval sets how long in seconds the minion will wait between # evaluating the scheduler and running cleanup tasks. This defaults to a # sane 60 seconds, but if the minion scheduler needs to be evaluated more # often lower this value #loop_interval: 60 # The grains_refresh_every setting allows for a minion to periodically check # its grains to see if they have changed and, if so, to inform the master # of the new grains. This operation is moderately expensive, therefore # care should be taken not to set this value too low. # # Note: This value is expressed in __minutes__! # # A value of 10 minutes is a reasonable default. # # If the value is set to zero, this check is disabled. #grains_refresh_every: 1 # Cache grains on the minion. Default is False. #grains_cache: False # Grains cache expiration, in seconds. If the cache file is older than this # number of seconds then the grains cache will be dumped and fully re-populated # with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache' # is not enabled. # grains_cache_expiration: 300 # Windows platforms lack posix IPC and must rely on slower TCP based inter- # process communications. Set ipc_mode to 'tcp' on such systems #ipc_mode: ipc # Overwrite the default tcp ports used by the minion when in tcp mode #tcp_pub_port: 4510 #tcp_pull_port: 4511 # Passing very large events can cause the minion to consume large amounts of # memory. This value tunes the maximum size of a message allowed onto the # minion event bus. The value is expressed in bytes. #max_event_size: 1048576 # To detect failed master(s) and fire events on connect/disconnect, set # master_alive_interval to the number of seconds to poll the masters for # connection events. # #master_alive_interval: 30 # The minion can include configuration from other files. To enable this, # pass a list of paths to this option. The paths can be either relative or # absolute; if relative, they are considered to be relative to the directory # the main minion configuration file lives in (this file). Paths can make use # of shell-style globbing. If no files are matched by a path passed to this # option then the minion will log a warning message. # # Include a config file from some other path: # include: /etc/salt/extra_config # # Include config from several files and directories: #include: # - /etc/salt/extra_config # - /etc/roles/webserver # # # ##### Minion module management ##### ########################################## # Disable specific modules. This allows the admin to limit the level of # access the master has to the minion. #disable_modules: [cmd,test] #disable_returners: [] # # Modules can be loaded from arbitrary paths. This enables the easy deployment # of third party modules. Modules for returners and minions can be loaded. # Specify a list of extra directories to search for minion modules and # returners. These paths must be fully qualified! #module_dirs: [] #returner_dirs: [] #states_dirs: [] #render_dirs: [] #utils_dirs: [] # # A module provider can be statically overwritten or extended for the minion # via the providers option, in this case the default module will be # overwritten by the specified module. In this example the pkg module will # be provided by the yumpkg5 module instead of the system default. #providers: # pkg: yumpkg5 # # Enable Cython modules searching and loading. (Default: False) #cython_enable: False # # Specify a max size (in bytes) for modules on import. This feature is currently # only supported on *nix operating systems and requires psutil. # modules_max_memory: -1 ##### State Management Settings ##### ########################################### # The state management system executes all of the state templates on the minion # to enable more granular control of system state management. The type of # template and serialization used for state management needs to be configured # on the minion, the default renderer is yaml_jinja. This is a yaml file # rendered from a jinja template, the available options are: # yaml_jinja # yaml_mako # yaml_wempy # json_jinja # json_mako # json_wempy # #renderer: yaml_jinja # # The failhard option tells the minions to stop immediately after the first # failure detected in the state execution. Defaults to False. #failhard: False # # Reload the modules prior to a highstate run. #autoload_dynamic_modules: True # # clean_dynamic_modules keeps the dynamic modules on the minion in sync with # the dynamic modules on the master, this means that if a dynamic module is # not on the master it will be deleted from the minion. By default, this is # enabled and can be disabled by changing this value to False. #clean_dynamic_modules: True # # Normally, the minion is not isolated to any single environment on the master # when running states, but the environment can be isolated on the minion side # by statically setting it. Remember that the recommended way to manage # environments is to isolate via the top file. #environment: None # # Isolates the pillar environment on the minion side. This functions the same # as the environment setting, but for pillar instead of states. #pillarenv: None # # If using the local file directory, then the state top file name needs to be # defined, by default this is top.sls. #state_top: top.sls # # Run states when the minion daemon starts. To enable, set startup_states to: # 'highstate' -- Execute state.highstate # 'sls' -- Read in the sls_list option and execute the named sls files # 'top' -- Read top_file option and execute based on that file on the Master #startup_states: '' # # List of states to run when the minion starts up if startup_states is 'sls': #sls_list: # - edit.vim # - hyper # # Top file to execute if startup_states is 'top': #top_file: '' # Automatically aggregate all states that have support for mod_aggregate by # setting to True. Or pass a list of state module names to automatically # aggregate just those types. # # state_aggregate: # - pkg # #state_aggregate: False ##### File Directory Settings ##### ########################################## # The Salt Minion can redirect all file server operations to a local directory, # this allows for the same state tree that is on the master to be used if # copied completely onto the minion. This is a literal copy of the settings on # the master but used to reference a local directory on the minion. # Set the file client. The client defaults to looking on the master server for # files, but can be directed to look at the local file directory setting # defined below by setting it to "local". Setting a local file_client runs the # minion in masterless mode. #file_client: remote # The file directory works on environments passed to the minion, each environment # can have multiple root directories, the subdirectories in the multiple file # roots cannot match, otherwise the downloaded files will not be able to be # reliably ensured. A base environment is required to house the top file. # Example: # file_roots: # base: # - /srv/salt/ # dev: # - /srv/salt/dev/services # - /srv/salt/dev/states # prod: # - /srv/salt/prod/services # - /srv/salt/prod/states # #file_roots: # base: # - /srv/salt # By default, the Salt fileserver recurses fully into all defined environments # to attempt to find files. To limit this behavior so that the fileserver only # traverses directories with SLS files and special Salt directories like _modules, # enable the option below. This might be useful for installations where a file root # has a very large number of files and performance is negatively impacted. Default # is False. #fileserver_limit_traversal: False # The hash_type is the hash to use when discovering the hash of a file in # the local fileserver. The default is sha256, sha224, sha384 and sha512 are also supported. # # WARNING: While md5 and sha1 are also supported, do not use it due to the high chance # of possible collisions and thus security breach. # # Warning: Prior to changing this value, the minion should be stopped and all # Salt caches should be cleared. #hash_type: sha256 # The Salt pillar is searched for locally if file_client is set to local. If # this is the case, and pillar data is defined, then the pillar_roots need to # also be configured on the minion: #pillar_roots: # base: # - /srv/pillar # # ###### Security settings ##### ########################################### # Enable "open mode", this mode still maintains encryption, but turns off # authentication, this is only intended for highly secure environments or for # the situation where your keys end up in a bad state. If you run in open mode # you do so at your own risk! #open_mode: False # Enable permissive access to the salt keys. This allows you to run the # master or minion as root, but have a non-root group be given access to # your pki_dir. To make the access explicit, root must belong to the group # you've given access to. This is potentially quite insecure. #permissive_pki_access: False # The state_verbose and state_output settings can be used to change the way # state system data is printed to the display. By default all data is printed. # The state_verbose setting can be set to True or False, when set to False # all data that has a result of True and no changes will be suppressed. #state_verbose: True # The state_output setting changes if the output is the full multi line # output for each changed state if set to 'full', but if set to 'terse' # the output will be shortened to a single line. #state_output: full # The state_output_diff setting changes whether or not the output from # successful states is returned. Useful when even the terse output of these # states is cluttering the logs. Set it to True to ignore them. #state_output_diff: False # The state_output_profile setting changes whether profile information # will be shown for each state run. #state_output_profile: True # Fingerprint of the master public key to validate the identity of your Salt master # before the initial key exchange. The master fingerprint can be found by running # "salt-key -F master" on the Salt master. #master_finger: '' ###### Thread settings ##### ########################################### # Disable multiprocessing support, by default when a minion receives a # publication a new process is spawned and the command is executed therein. #multiprocessing: True ##### Logging settings ##### ########################################## # The location of the minion log file # The minion log can be sent to a regular file, local path name, or network # location. Remote logging works best when configured to use rsyslogd(8) (e.g.: # ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI # format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility> #log_file: /var/log/salt/minion #log_file: file:///dev/log #log_file: udp://loghost:10514 # #log_file: /var/log/salt/minion #key_logfile: /var/log/salt/key # The level of messages to send to the console. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. # # The following log levels are considered INSECURE and may log sensitive data: # ['garbage', 'trace', 'debug'] # # Default: 'warning' #log_level: warning # The level of messages to send to the log file. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. # If using 'log_granular_levels' this must be set to the highest desired level. # Default: 'warning' #log_level_logfile: # The date and time format used in log messages. Allowed date/time formatting # can be seen here: http://docs.python.org/library/time.html#time.strftime #log_datefmt: '%H:%M:%S' #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' # The format of the console logging messages. Allowed formatting options can # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes # # Console log colors are specified by these additional formatters: # # %(colorlevel)s # %(colorname)s # %(colorprocess)s # %(colormsg)s # # Since it is desirable to include the surrounding brackets, '[' and ']', in # the coloring of the messages, these color formatters also include padding as # well. Color LogRecord attributes are only available for console logging. # #log_fmt_console: '%(colorlevel)s %(colormsg)s' #log_fmt_console: '[%(levelname)-8s] %(message)s' # #log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' # This can be used to control logging levels more specificically. This # example sets the main salt library at the 'warning' level, but sets # 'salt.modules' to log at the 'debug' level: # log_granular_levels: # 'salt': 'warning' # 'salt.modules': 'debug' # #log_granular_levels: {} # To diagnose issues with minions disconnecting or missing returns, ZeroMQ # supports the use of monitor sockets to log connection events. This # feature requires ZeroMQ 4.0 or higher. # # To enable ZeroMQ monitor sockets, set 'zmq_monitor' to 'True' and log at a # debug level or higher. # # A sample log event is as follows: # # [DEBUG ] ZeroMQ event: {'endpoint': 'tcp://127.0.0.1:4505', 'event': 512, # 'value': 27, 'description': 'EVENT_DISCONNECTED'} # # All events logged will include the string 'ZeroMQ event'. A connection event # should be logged as the minion starts up and initially connects to the # master. If not, check for debug log level and that the necessary version of # ZeroMQ is installed. # #zmq_monitor: False ###### Module configuration ##### ########################################### # Salt allows for modules to be passed arbitrary configuration data, any data # passed here in valid yaml format will be passed on to the salt minion modules # for use. It is STRONGLY recommended that a naming convention be used in which # the module name is followed by a . and then the value. Also, all top level # data must be applied via the yaml dict construct, some examples: # # You can specify that all modules should run in test mode: #test: True # # A simple value for the test module: #test.foo: foo # # A list for the test module: #test.bar: [baz,quo] # # A dict for the test module: #test.baz: {spam: sausage, cheese: bread} # # ###### Update settings ###### ########################################### # Using the features in Esky, a salt minion can both run as a frozen app and # be updated on the fly. These options control how the update process # (saltutil.update()) behaves. # # The url for finding and downloading updates. Disabled by default. #update_url: False # # The list of services to restart after a successful update. Empty by default. #update_restart_services: [] ###### Keepalive settings ###### ############################################ # ZeroMQ now includes support for configuring SO_KEEPALIVE if supported by # the OS. If connections between the minion and the master pass through # a state tracking device such as a firewall or VPN gateway, there is # the risk that it could tear down the connection the master and minion # without informing either party that their connection has been taken away. # Enabling TCP Keepalives prevents this from happening. # Overall state of TCP Keepalives, enable (1 or True), disable (0 or False) # or leave to the OS defaults (-1), on Linux, typically disabled. Default True, enabled. #tcp_keepalive: True # How long before the first keepalive should be sent in seconds. Default 300 # to send the first keepalive after 5 minutes, OS default (-1) is typically 7200 seconds # on Linux see /proc/sys/net/ipv4/tcp_keepalive_time. #tcp_keepalive_idle: 300 # How many lost probes are needed to consider the connection lost. Default -1 # to use OS defaults, typically 9 on Linux, see /proc/sys/net/ipv4/tcp_keepalive_probes. #tcp_keepalive_cnt: -1 # How often, in seconds, to send keepalives after the first one. Default -1 to # use OS defaults, typically 75 seconds on Linux, see # /proc/sys/net/ipv4/tcp_keepalive_intvl. #tcp_keepalive_intvl: -1 ###### Windows Software settings ###### ############################################ # Location of the repository cache file on the master: #win_repo_cachefile: 'salt://win/repo/winrepo.p' ###### Returner settings ###### ############################################ # Which returner(s) will be used for minion's result: #return: mysql ###### Miscellaneous settings ###### ############################################ # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch #event_match_type: startswith Configuring Salt Salt configuration is very simple. The default configuration for the master will work for most installations and the only requirement for setting up a minion is to set the location of the master in the minion configuration file. The configuration files will be installed to /etc/salt and are named after the respective components, /etc/salt/master, and /etc/salt/minion. Master Configuration By default the Salt master listens on ports 4505 and 4506 on all interfaces (0.0.0.0). To bind Salt to a specific IP, redefine the "interface" directive in the master configuration file, typically /etc/salt/master, as follows: - #interface: 0.0.0.0 + interface: 10.0.0.1 After updating the configuration file, restart the Salt master. See the master configuration reference for more details about other configurable options. Minion Configuration Although there are many Salt Minion configuration options, configuring a Salt Minion is very simple. By default a Salt Minion will try to connect to the DNS name "salt"; if the Minion is able to resolve that name correctly, no configuration is needed. If the DNS name "salt" does not resolve to point to the correct location of the Master, redefine the "master" directive in the minion configuration file, typically /etc/salt/minion, as follows: - #master: salt + master: 10.0.0.1 After updating the configuration file, restart the Salt minion. See the minion configuration reference for more details about other configurable options. Running Salt 1. Start the master in the foreground (to daemonize the process, pass the -d flag): salt-master 2. Start the minion in the foreground (to daemonize the process, pass the -d flag): salt-minion Having trouble? The simplest way to troubleshoot Salt is to run the master and minion in the foreground with log level set to debug: salt-master --log-level=debug For information on salt's logging system please see the logging document. Run as an unprivileged (non-root) user To run Salt as another user, set the user parameter in the master config file. Additionally, ownership, and permissions need to be set such that the desired user can read from and write to the following directories (and their subdirectories, where applicable): • /etc/salt • /var/cache/salt • /var/log/salt • /var/run/salt More information about running salt as a non-privileged user can be found here. There is also a full troubleshooting guide available. Key Identity Salt provides commands to validate the identity of your Salt master and Salt minions before the initial key exchange. Validating key identity helps avoid inadvertently connecting to the wrong Salt master, and helps prevent a potential MiTM attack when establishing the initial connection. Master Key Fingerprint Print the master key fingerprint by running the following command on the Salt master: salt-key -F master Copy the master.pub fingerprint from the Local Keys section, and then set this value as the master_finger in the minion configuration file. Save the configuration file and then restart the Salt minion. Minion Key Fingerprint Run the following command on each Salt minion to view the minion key fingerprint: salt-call --local key.finger Compare this value to the value that is displayed when you run the salt-key --finger <MINION_ID> command on the Salt master. Key Management Salt uses AES encryption for all communication between the Master and the Minion. This ensures that the commands sent to the Minions cannot be tampered with, and that communication between Master and Minion is authenticated through trusted, accepted keys. Before commands can be sent to a Minion, its key must be accepted on the Master. Run the salt-key command to list the keys known to the Salt Master: [root@master ~]# salt-key -L Unaccepted Keys: alpha bravo charlie delta Accepted Keys: This example shows that the Salt Master is aware of four Minions, but none of the keys has been accepted. To accept the keys and allow the Minions to be controlled by the Master, again use the salt-key command: [root@master ~]# salt-key -A [root@master ~]# salt-key -L Unaccepted Keys: Accepted Keys: alpha bravo charlie delta The salt-key command allows for signing keys individually or in bulk. The example above, using -A bulk-accepts all pending keys. To accept keys individually use the lowercase of the same option, -a keyname. SEE ALSO: salt-key manpage Sending Commands Communication between the Master and a Minion may be verified by running the test.ping command: [root@master ~]# salt alpha test.ping alpha: True Communication between the Master and all Minions may be tested in a similar way: [root@master ~]# salt '*' test.ping alpha: True bravo: True charlie: True delta: True Each of the Minions should send a True response as shown above. What's Next? Understanding targeting is important. From there, depending on the way you wish to use Salt, you should also proceed to learn about States and Execution Modules. Configuring the Salt Master The Salt system is amazingly simple and easy to configure, the two components of the Salt system each have a respective configuration file. The salt-master is configured via the master configuration file, and the salt-minion is configured via the minion configuration file. SEE ALSO: example master configuration file The configuration file for the salt-master is located at /etc/salt/master by default. A notable exception is FreeBSD, where the configuration file is located at /usr/local/etc/salt. The available options are as follows: Primary Master Configuration interface Default: 0.0.0.0 (all interfaces) The local interface to bind to. interface: 192.168.0.1 ipv6 Default: False Whether the master should listen for IPv6 connections. If this is set to True, the interface option must be adjusted too (for example: "interface: '::'") ipv6: True publish_port Default: 4505 The network port to set up the publication interface. publish_port: 4505 master_id Default: None The id to be passed in the publish job to minions. This is used for MultiSyndics to return the job to the requesting master. NOTE: This must be the same string as the syndic is configured with. master_id: MasterOfMaster user Default: root The user to run the Salt processes user: root max_open_files Default: 100000 Each minion connecting to the master uses AT LEAST one file descriptor, the master subscription connection. If enough minions connect you might start seeing on the console(and then salt-master crashes): Too many open files (tcp_listener.cpp:335) Aborted (core dumped) max_open_files: 100000 By default this value will be the one of ulimit -Hn, i.e., the hard limit for max open files. To set a different value than the default one, uncomment, and configure this setting. Remember that this value CANNOT be higher than the hard limit. Raising the hard limit depends on the OS and/or distribution, a good way to find the limit is to search the internet for something like this: raise max open files hard limit debian worker_threads Default: 5 The number of threads to start for receiving commands and replies from minions. If minions are stalling on replies because you have many minions, raise the worker_threads value. Worker threads should not be put below 3 when using the peer system, but can drop down to 1 worker otherwise. NOTE: When the master daemon starts, it is expected behaviour to see multiple salt-master processes, even if 'worker_threads' is set to '1'. At a minimum, a controlling process will start along with a Publisher, an EventPublisher, and a number of MWorker processes will be started. The number of MWorker processes is tuneable by the 'worker_threads' configuration value while the others are not. worker_threads: 5 ret_port Default: 4506 The port used by the return server, this is the server used by Salt to receive execution returns and command executions. ret_port: 4506 pidfile Default: /var/run/salt-master.pid Specify the location of the master pidfile. pidfile: /var/run/salt-master.pid root_dir Default: / The system root directory to operate from, change this to make Salt run from an alternative root. root_dir: / NOTE: This directory is prepended to the following options: pki_dir, cachedir, sock_dir, log_file, autosign_file, autoreject_file, pidfile. pki_dir Default: /etc/salt/pki The directory to store the pki authentication keys. pki_dir: /etc/salt/pki extension_modules Directory for custom modules. This directory can contain subdirectories for each of Salt's module types such as "runners", "output", "wheel", "modules", "states", "returners", etc. This path is appended to root_dir. extension_modules: srv/modules module_dirs Default: [] Like extension_modules, but a list of extra directories to search for Salt modules. module_dirs: - /var/cache/salt/minion/extmods cachedir Default: /var/cache/salt The location used to store cache information, particularly the job information for executed salt commands. This directory may contain sensitive data and should be protected accordingly. cachedir: /var/cache/salt verify_env Default: True Verify and set permissions on configuration directories at startup. verify_env: True keep_jobs Default: 24 Set the number of hours to keep old job information. timeout Default: 5 Set the default timeout for the salt command and api. loop_interval Default: 60 The loop_interval option controls the seconds for the master's maintenance process check cycle. This process updates file server backends, cleans the job cache and executes the scheduler. output Default: nested Set the default outputter used by the salt command. color Default: True By default output is colored, to disable colored output set the color value to False. color: False sock_dir Default: /var/run/salt/master Set the location to use for creating Unix sockets for master process communication. sock_dir: /var/run/salt/master enable_gpu_grains Default: True Enable GPU hardware data for your master. Be aware that the master can take a while to start up when lspci and/or dmidecode is used to populate the grains for the master. job_cache Default: True The master maintains a job cache, while this is a great addition it can be a burden on the master for larger deployments (over 5000 minions). Disabling the job cache will make previously executed jobs unavailable to the jobs system and is not generally recommended. Normally it is wise to make sure the master has access to a faster IO system or a tmpfs is mounted to the jobs dir. minion_data_cache Default: True The minion data cache is a cache of information about the minions stored on the master, this information is primarily the pillar and grains data. The data is cached in the Master cachedir under the name of the minion and used to predetermine what minions are expected to reply from executions. minion_data_cache: True ext_job_cache Default: '' Used to specify a default returner for all minions, when this option is set the specified returner needs to be properly configured and the minions will always default to sending returns to this returner. This will also disable the local job cache on the master. ext_job_cache: redis event_return New in version 2015.5.0. Default: '' Specify the returner to use to log events. A returner may have installation and configuration requirements. Read the returner's documentation. NOTE: Not all returners support event returns. Verify that a returner has an event_return() function before configuring this option with a returner. event_return: cassandra_cql master_job_cache New in version 2014.7.0. Default: 'local_cache' Specify the returner to use for the job cache. The job cache will only be interacted with from the salt master and therefore does not need to be accessible from the minions. master_job_cache: redis enforce_mine_cache Default: False By-default when disabling the minion_data_cache mine will stop working since it is based on cached data, by enabling this option we explicitly enabling only the cache for the mine system. enforce_mine_cache: False max_minions Default: 0 The maximum number of minion connections allowed by the master. Use this to accommodate the number of minions per master if you have different types of hardware serving your minions. The default of 0 means unlimited connections. Please note, that this can slow down the authentication process a bit in large setups. max_minions: 100 con_cache Default: False If max_minions is used in large installations, the master might experience high-load situations because of having to check the number of connected minions for every authentication. This cache provides the minion-ids of all connected minions to all MWorker-processes and greatly improves the performance of max_minions. con_cache: True presence_events Default: False Causes the master to periodically look for actively connected minions. Presence events are fired on the event bus on a regular interval with a list of connected minions, as well as events with lists of newly connected or disconnected minions. This is a master-only operation that does not send executions to minions. Note, this does not detect minions that connect to a master via localhost. presence_events: False transport Default: zeromq Changes the underlying transport layer. ZeroMQ is the recommended transport while additional transport layers are under development. Supported values are zeromq, raet (experimental), and tcp (experimental). This setting has a significant impact on performance and should not be changed unless you know what you are doing! Transports are explained in Salt Transports. transport: zeromq Salt-SSH Configuration roster_file Default: /etc/salt/roster Pass in an alternative location for the salt-ssh roster file. roster_file: /root/roster ssh_minion_opts Default: None Pass in minion option overrides that will be inserted into the SHIM for salt-ssh calls. The local minion config is not used for salt-ssh. Can be overridden on a per-minion basis in the roster (minion_opts) minion_opts: gpg_keydir: /root/gpg Master Security Settings open_mode Default: False Open mode is a dangerous security feature. One problem encountered with pki authentication systems is that keys can become "mixed up" and authentication begins to fail. Open mode turns off authentication and tells the master to accept all authentication. This will clean up the pki keys received from the minions. Open mode should not be turned on for general use. Open mode should only be used for a short period of time to clean up pki keys. To turn on open mode set this value to True. open_mode: False auto_accept Default: False Enable auto_accept. This setting will automatically accept all incoming public keys from minions. auto_accept: False autosign_timeout New in version 2014.7.0. Default: 120 Time in minutes that a incoming public key with a matching name found in pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys are removed when the master checks the minion_autosign directory. This method to auto accept minions can be safer than an autosign_file because the keyid record can expire and is limited to being an exact name match. This should still be considered a less than secure option, due to the fact that trust is based on just the requesting minion id. autosign_file Default: not defined If the autosign_file is specified incoming keys specified in the autosign_file will be automatically accepted. Matches will be searched for first by string comparison, then by globbing, then by full-string regex matching. This should still be considered a less than secure option, due to the fact that trust is based on just the requesting minion id. autoreject_file New in version 2014.1.0. Default: not defined Works like autosign_file, but instead allows you to specify minion IDs for which keys will automatically be rejected. Will override both membership in the autosign_file and the auto_accept setting. client_acl Default: {} Enable user accounts on the master to execute specific modules. These modules can be expressed as regular expressions. client_acl: fred: - test.ping - pkg.* client_acl_blacklist Default: {} Blacklist users or modules This example would blacklist all non sudo users, including root from running any commands. It would also blacklist any use of the "cmd" module. This is completely disabled by default. client_acl_blacklist: users: - root - '^(?!sudo_).*$' # all non sudo users modules: - cmd external_auth Default: {} The external auth system uses the Salt auth modules to authenticate and validate users to access areas of the Salt system. external_auth: pam: fred: - test.* token_expire Default: 43200 Time (in seconds) for a newly generated token to live. Default: 12 hours token_expire: 43200 file_recv Default: False Allow minions to push files to the master. This is disabled by default, for security purposes. file_recv: False master_sign_pubkey Default: False Sign the master auth-replies with a cryptographic signature of the masters public key. Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial master_sign_pubkey: True master_sign_key_name Default: master_sign The customizable name of the signing-key-pair without suffix. master_sign_key_name: <filename_without_suffix> master_pubkey_signature Default: master_pubkey_signature The name of the file in the masters pki-directory that holds the pre-calculated signature of the masters public-key. master_pubkey_signature: <filename> master_use_pubkey_signature Default: False Instead of computing the signature for each auth-reply, use a pre-calculated signature. The master_pubkey_signature must also be set for this. master_use_pubkey_signature: True rotate_aes_key Default: True Rotate the salt-masters AES-key when a minion-public is deleted with salt-key. This is a very important security-setting. Disabling it will enable deleted minions to still listen in on the messages published by the salt-master. Do not disable this unless it is absolutely clear what this does. rotate_aes_key: True Master Module Management runner_dirs Default: [] Set additional directories to search for runner modules. cython_enable Default: False Set to true to enable Cython modules (.pyx files) to be compiled on the fly on the Salt master. cython_enable: False Master State System Settings state_top Default: top.sls The state system uses a "top" file to tell the minions what environment to use and what modules to use. The state_top file is defined relative to the root of the base environment. state_top: top.sls master_tops Default: {} The master_tops option replaces the external_nodes option by creating a pluggable system for the generation of external top data. The external_nodes option is deprecated by the master_tops option. To gain the capabilities of the classic external_nodes system, use the following configuration: master_tops: ext_nodes: <Shell command which returns yaml> external_nodes Default: None The external_nodes option allows Salt to gather data that would normally be placed in a top file from and external node controller. The external_nodes option is the executable that will return the ENC data. Remember that Salt will look for external nodes AND top files and combine the results if both are enabled and available! external_nodes: cobbler-ext-nodes renderer Default: yaml_jinja The renderer to use on the minions to render the state data. renderer: yaml_jinja failhard Default: False Set the global failhard flag, this informs all states to stop running states at the moment a single state fails. failhard: False state_verbose Default: True Controls the verbosity of state runs. By default, the results of all states are returned, but setting this value to False will cause salt to only display output for states which either failed, or succeeded without making any changes to the minion. state_verbose: False state_output Default: full The state_output setting changes if the output is the full multi line output for each changed state if set to 'full', but if set to 'terse' the output will be shortened to a single line. If set to 'mixed', the output will be terse unless a state failed, in which case that output will be full. If set to 'changes', the output will be full unless the state didn't change. state_output: full state_aggregate Default: False Automatically aggregate all states that have support for mod_aggregate by setting to True. Or pass a list of state module names to automatically aggregate just those types. state_aggregate: - pkg state_aggregate: True state_events Default: False Send progress events as each function in a state run completes execution by setting to True. Progress events are in the format salt/job/<JID>/prog/<MID>/<RUN NUM>. state_events: True yaml_utf8 Default: False Enable extra routines for YAML renderer used states containing UTF characters. yaml_utf8: False test Default: False Set all state calls to only test if they are going to actually make changes or just post what changes are going to be made. test: False Master File Server Settings fileserver_backend Default: ['roots'] Salt supports a modular fileserver backend system, this system allows the salt master to link directly to third party systems to gather and manage the files available to minions. Multiple backends can be configured and will be searched for the requested file in the order in which they are defined here. The default setting only enables the standard backend roots, which is configured using the file_roots option. Example: fileserver_backend: - roots - git hash_type Default: md5 The hash_type is the hash to use when discovering the hash of a file on the master server. The default is md5, but sha1, sha224, sha256, sha384, and sha512 are also supported. hash_type: md5 file_buffer_size Default: 1048576 The buffer size in the file server in bytes. file_buffer_size: 1048576 file_ignore_regex Default: '' A regular expression (or a list of expressions) that will be matched against the file path before syncing the modules and states to the minions. This includes files affected by the file.recurse state. For example, if you manage your custom modules and states in subversion and don't want all the '.svn' folders and content synced to your minions, you could set this to '/.svn($|/)'. By default nothing is ignored. file_ignore_regex: - '/\.svn($|/)' - '/\.git($|/)' file_ignore_glob Default '' A file glob (or list of file globs) that will be matched against the file path before syncing the modules and states to the minions. This is similar to file_ignore_regex above, but works on globs instead of regex. By default nothing is ignored. file_ignore_glob: - '\*.pyc' - '\*/somefolder/\*.bak' - '\*.swp' NOTE: Vim's .swp files are a common cause of Unicode errors in file.recurse states which use templating. Unless there is a good reason to distribute them via the fileserver, it is good practice to include '\*.swp' in the file_ignore_glob. roots: Master's Local File Server file_roots Default: base: - /srv/salt Salt runs a lightweight file server written in ZeroMQ to deliver files to minions. This file server is built into the master daemon and does not require a dedicated port. The file server works on environments passed to the master. Each environment can have multiple root directories. The subdirectories in the multiple file roots cannot match, otherwise the downloaded files will not be able to be reliably ensured. A base environment is required to house the top file. Example: file_roots: base: - /srv/salt dev: - /srv/salt/dev/services - /srv/salt/dev/states prod: - /srv/salt/prod/services - /srv/salt/prod/states git: Git Remote File Server Backend gitfs_remotes Default: [] When using the git fileserver backend at least one git remote needs to be defined. The user running the salt master will need read access to the repo. The repos will be searched in order to find the file requested by a client and the first repo to have the file will return it. Branches and tags are translated into salt environments. gitfs_remotes: - git://github.com/saltstack/salt-states.git - file:///var/git/saltmaster NOTE: file:// repos will be treated as a remote and copied into the master's gitfs cache, so only the local refs for those repos will be exposed as fileserver environments. As of 2014.7.0, it is possible to have per-repo versions of several of the gitfs configuration parameters. For more information, see the GitFS Walkthrough. gitfs_provider New in version 2014.7.0. Optional parameter used to specify the provider to be used for gitfs. More information can be found in the GitFS Walkthrough. Must be one of the following: pygit2, gitpython, or dulwich. If unset, then each will be tried in that same order, and the first one with a compatible version installed will be the provider that is used. gitfs_provider: dulwich gitfs_ssl_verify Default: True Specifies whether or not to ignore SSL certificate errors when contacting the remote repository. You might want to set this to False if you're using a git repo that uses a self-signed certificate. However, keep in mind that setting this to anything other True is a considered insecure, and using an SSH-based transport (if available) may be a better option. gitfs_ssl_verify: True gitfs_mountpoint New in version 2014.7.0. Default: '' Specifies a path on the salt fileserver which will be prepended to all files served by gitfs. This option can be used in conjunction with gitfs_root. It can also be configured on a per-remote basis, see here for more info. gitfs_mountpoint: salt://foo/bar NOTE: The salt:// protocol designation can be left off (in other words, foo/bar and salt://foo/bar are equivalent). Assuming a file baz.sh in the root of a gitfs remote, and the above example mountpoint, this file would be served up via salt://foo/bar/baz.sh. gitfs_root Default: '' Relative path to a subdirectory within the repository from which Salt should begin to serve files. This is useful when there are files in the repository that should not be available to the Salt fileserver. Can be used in conjunction with gitfs_mountpoint. If used, then from Salt's perspective the directories above the one specified will be ignored and the relative path will (for the purposes of gitfs) be considered as the root of the repo. gitfs_root: somefolder/otherfolder Changed in version 2014.7.0: Ability to specify gitfs roots on a per-remote basis was added. See here for more info. gitfs_base Default: master Defines which branch/tag should be used as the base environment. gitfs_base: salt Changed in version 2014.7.0: Ability to specify the base on a per-remote basis was added. See here for more info. gitfs_env_whitelist New in version 2014.7.0. Default: [] Used to restrict which environments are made available. Can speed up state runs if the repos in gitfs_remotes contain many branches/tags. More information can be found in the GitFS Walkthrough. gitfs_env_whitelist: - base - v1.* - 'mybranch\d+' gitfs_env_blacklist New in version 2014.7.0. Default: [] Used to restrict which environments are made available. Can speed up state runs if the repos in gitfs_remotes contain many branches/tags. More information can be found in the GitFS Walkthrough. gitfs_env_blacklist: - base - v1.* - 'mybranch\d+' GitFS Authentication Options These parameters only currently apply to the pygit2 gitfs provider. Examples of how to use these can be found in the GitFS Walkthrough. gitfs_user New in version 2014.7.0. Default: '' Along with gitfs_password, is used to authenticate to HTTPS remotes. gitfs_user: git gitfs_password New in version 2014.7.0. Default: '' Along with gitfs_user, is used to authenticate to HTTPS remotes. This parameter is not required if the repository does not use authentication. gitfs_password: mypassword gitfs_insecure_auth New in version 2014.7.0. Default: False By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. This parameter enables authentication over HTTP. Enable this at your own risk. gitfs_insecure_auth: True gitfs_pubkey New in version 2014.7.0. Default: '' Along with gitfs_privkey (and optionally gitfs_passphrase), is used to authenticate to SSH remotes. This parameter (or its per-remote counterpart) is required for SSH remotes. gitfs_pubkey: /path/to/key.pub gitfs_privkey New in version 2014.7.0. Default: '' Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to authenticate to SSH remotes. This parameter (or its per-remote counterpart) is required for SSH remotes. gitfs_privkey: /path/to/key gitfs_passphrase New in version 2014.7.0. Default: '' This parameter is optional, required only when the SSH key being used to authenticate is protected by a passphrase. gitfs_passphrase: mypassphrase hg: Mercurial Remote File Server Backend hgfs_remotes New in version 0.17.0. Default: [] When using the hg fileserver backend at least one mercurial remote needs to be defined. The user running the salt master will need read access to the repo. The repos will be searched in order to find the file requested by a client and the first repo to have the file will return it. Branches and/or bookmarks are translated into salt environments, as defined by the hgfs_branch_method parameter. hgfs_remotes: - https://username@bitbucket.org/username/reponame NOTE: As of 2014.7.0, it is possible to have per-repo versions of the hgfs_root, hgfs_mountpoint, hgfs_base, and hgfs_branch_method parameters. For example: hgfs_remotes: - https://username@bitbucket.org/username/repo1 - base: saltstates - https://username@bitbucket.org/username/repo2: - root: salt - mountpoint: salt://foo/bar/baz - https://username@bitbucket.org/username/repo3: - root: salt/states - branch_method: mixed hgfs_branch_method New in version 0.17.0. Default: branches Defines the objects that will be used as fileserver environments. • branches - Only branches and tags will be used • bookmarks - Only bookmarks and tags will be used • mixed - Branches, bookmarks, and tags will be used hgfs_branch_method: mixed NOTE: Starting in version 2014.1.0, the value of the hgfs_base parameter defines which branch is used as the base environment, allowing for a base environment to be used with an hgfs_branch_method of bookmarks. Prior to this release, the default branch will be used as the base environment. hgfs_mountpoint New in version 2014.7.0. Default: '' Specifies a path on the salt fileserver which will be prepended to all files served by hgfs. This option can be used in conjunction with hgfs_root. It can also be configured on a per-remote basis, see here for more info. hgfs_mountpoint: salt://foo/bar NOTE: The salt:// protocol designation can be left off (in other words, foo/bar and salt://foo/bar are equivalent). Assuming a file baz.sh in the root of an hgfs remote, this file would be served up via salt://foo/bar/baz.sh. hgfs_root New in version 0.17.0. Default: '' Relative path to a subdirectory within the repository from which Salt should begin to serve files. This is useful when there are files in the repository that should not be available to the Salt fileserver. Can be used in conjunction with hgfs_mountpoint. If used, then from Salt's perspective the directories above the one specified will be ignored and the relative path will (for the purposes of hgfs) be considered as the root of the repo. hgfs_root: somefolder/otherfolder Changed in version 2014.7.0: Ability to specify hgfs roots on a per-remote basis was added. See here for more info. hgfs_base New in version 2014.1.0. Default: default Defines which branch should be used as the base environment. Change this if hgfs_branch_method is set to bookmarks to specify which bookmark should be used as the base environment. hgfs_base: salt hgfs_env_whitelist New in version 2014.7.0. Default: [] Used to restrict which environments are made available. Can speed up state runs if your hgfs remotes contain many branches/bookmarks/tags. Full names, globs, and regular expressions are supported. If using a regular expression, the expression must match the entire minion ID. If used, only branches/bookmarks/tags which match one of the specified expressions will be exposed as fileserver environments. If used in conjunction with hgfs_env_blacklist, then the subset of branches/bookmarks/tags which match the whitelist but do not match the blacklist will be exposed as fileserver environments. hgfs_env_whitelist: - base - v1.* - 'mybranch\d+' hgfs_env_blacklist New in version 2014.7.0. Default: [] Used to restrict which environments are made available. Can speed up state runs if your hgfs remotes contain many branches/bookmarks/tags. Full names, globs, and regular expressions are supported. If using a regular expression, the expression must match the entire minion ID. If used, branches/bookmarks/tags which match one of the specified expressions will not be exposed as fileserver environments. If used in conjunction with hgfs_env_whitelist, then the subset of branches/bookmarks/tags which match the whitelist but do not match the blacklist will be exposed as fileserver environments. hgfs_env_blacklist: - base - v1.* - 'mybranch\d+' svn: Subversion Remote File Server Backend svnfs_remotes New in version 0.17.0. Default: [] When using the svn fileserver backend at least one subversion remote needs to be defined. The user running the salt master will need read access to the repo. The repos will be searched in order to find the file requested by a client and the first repo to have the file will return it. The trunk, branches, and tags become environments, with the trunk being the base environment. svnfs_remotes: - svn://foo.com/svn/myproject NOTE: As of 2014.7.0, it is possible to have per-repo versions of the following configuration parameters: • svnfs_root • svnfs_mountpoint • svnfs_trunk • svnfs_branches • svnfs_tags For example: svnfs_remotes: - svn://foo.com/svn/project1 - svn://foo.com/svn/project2: - root: salt - mountpoint: salt://foo/bar/baz - svn//foo.com/svn/project3: - root: salt/states - branches: branch - tags: tag svnfs_mountpoint New in version 2014.7.0. Default: '' Specifies a path on the salt fileserver which will be prepended to all files served by hgfs. This option can be used in conjunction with svnfs_root. It can also be configured on a per-remote basis, see here for more info. svnfs_mountpoint: salt://foo/bar NOTE: The salt:// protocol designation can be left off (in other words, foo/bar and salt://foo/bar are equivalent). Assuming a file baz.sh in the root of an svnfs remote, this file would be served up via salt://foo/bar/baz.sh. svnfs_root New in version 0.17.0. Default: '' Relative path to a subdirectory within the repository from which Salt should begin to serve files. This is useful when there are files in the repository that should not be available to the Salt fileserver. Can be used in conjunction with svnfs_mountpoint. If used, then from Salt's perspective the directories above the one specified will be ignored and the relative path will (for the purposes of svnfs) be considered as the root of the repo. svnfs_root: somefolder/otherfolder Changed in version 2014.7.0: Ability to specify svnfs roots on a per-remote basis was added. See here for more info. svnfs_trunk New in version 2014.7.0. Default: trunk Path relative to the root of the repository where the trunk is located. Can also be configured on a per-remote basis, see here for more info. svnfs_trunk: trunk svnfs_branches New in version 2014.7.0. Default: branches Path relative to the root of the repository where the branches are located. Can also be configured on a per-remote basis, see here for more info. svnfs_branches: branches svnfs_tags New in version 2014.7.0. Default: tags Path relative to the root of the repository where the tags are located. Can also be configured on a per-remote basis, see here for more info. svnfs_tags: tags svnfs_env_whitelist New in version 2014.7.0. Default: [] Used to restrict which environments are made available. Can speed up state runs if your svnfs remotes contain many branches/tags. Full names, globs, and regular expressions are supported. If using a regular expression, the expression must match the entire minion ID. If used, only branches/tags which match one of the specified expressions will be exposed as fileserver environments. If used in conjunction with svnfs_env_blacklist, then the subset of branches/tags which match the whitelist but do not match the blacklist will be exposed as fileserver environments. svnfs_env_whitelist: - base - v1.* - 'mybranch\d+' svnfs_env_blacklist New in version 2014.7.0. Default: [] Used to restrict which environments are made available. Can speed up state runs if your svnfs remotes contain many branches/tags. Full names, globs, and regular expressions are supported. If using a regular expression, the expression must match the entire minion ID. If used, branches/tags which match one of the specified expressions will not be exposed as fileserver environments. If used in conjunction with svnfs_env_whitelist, then the subset of branches/tags which match the whitelist but do not match the blacklist will be exposed as fileserver environments. svnfs_env_blacklist: - base - v1.* - 'mybranch\d+' minion: MinionFS Remote File Server Backend minionfs_env New in version 2014.7.0. Default: base Environment from which MinionFS files are made available. minionfs_env: minionfs minionfs_mountpoint New in version 2014.7.0. Default: '' Specifies a path on the salt fileserver from which minionfs files are served. minionfs_mountpoint: salt://foo/bar NOTE: The salt:// protocol designation can be left off (in other words, foo/bar and salt://foo/bar are equivalent). minionfs_whitelist New in version 2014.7.0. Default: [] Used to restrict which minions' pushed files are exposed via minionfs. If using a regular expression, the expression must match the entire minion ID. If used, only the pushed files from minions which match one of the specified expressions will be exposed. If used in conjunction with minionfs_blacklist, then the subset of hosts which match the whitelist but do not match the blacklist will be exposed. minionfs_whitelist: - base - v1.* - 'mybranch\d+' minionfs_blacklist New in version 2014.7.0. Default: [] Used to restrict which minions' pushed files are exposed via minionfs. If using a regular expression, the expression must match the entire minion ID. If used, only the pushed files from minions which match one of the specified expressions will not be exposed. If used in conjunction with minionfs_whitelist, then the subset of hosts which match the whitelist but do not match the blacklist will be exposed. minionfs_blacklist: - base - v1.* - 'mybranch\d+' Pillar Configuration pillar_roots Default: base: - /srv/pillar Set the environments and directories used to hold pillar sls data. This configuration is the same as file_roots: pillar_roots: base: - /srv/pillar dev: - /srv/pillar/dev prod: - /srv/pillar/prod ext_pillar The ext_pillar option allows for any number of external pillar interfaces to be called when populating pillar data. The configuration is based on ext_pillar functions. The available ext_pillar functions can be found herein: https://github.com/saltstack/salt/blob/develop/salt/pillar By default, the ext_pillar interface is not configured to run. Default: None ext_pillar: - hiera: /etc/hiera.yaml - cmd_yaml: cat /etc/salt/yaml - reclass: inventory_base_uri: /etc/reclass There are additional details at salt-pillars ext_pillar_first New in version 2015.5.0. Default: False This option allows for external pillar sources to be evaluated before pillar_roots. This allows for targeting file system pillar from ext_pillar. ext_pillar_first: False Git External Pillar (git_pillar) Configuration Options git_pillar_provider New in version 2015.8.0. Specify the provider to be used for git_pillar. Must be either pygit2 or gitpython. If unset, then both will be tried in that same order, and the first one with a compatible version installed will be the provider that is used. git_pillar_provider: gitpython git_pillar_base New in version 2015.8.0. Default: master If the desired branch matches this value, and the environment is omitted from the git_pillar configuration, then the environment for that git_pillar remote will be base. For example, in the configuration below, the foo branch/tag would be assigned to the base environment, while bar would be mapped to the bar environment. git_pillar_base: foo ext_pillar: - git: - foo https://mygitserver/git-pillar.git - bar https://mygitserver/git-pillar.git git_pillar_branch New in version 2015.8.0. Default: master If the branch is omitted from a git_pillar remote, then this branch will be used instead. For example, in the configuration below, the first two remotes would use the pillardata branch/tag, while the third would use the foo branch/tag. git_pillar_branch: pillardata ext_pillar: - git: - https://mygitserver/pillar1.git - https://mygitserver/pillar2.git: - root: pillar - foo https://mygitserver/pillar3.git git_pillar_env New in version 2015.8.0. Default: '' (unset) Environment to use for git_pillar remotes. This is normally derived from the branch/tag (or from a per-remote env parameter), but if set this will override the process of deriving the env from the branch/tag name. For example, in the configuration below the foo branch would be assigned to the base environment, while the bar branch would need to explicitly have bar configured as it's environment to keep it from also being mapped to the base environment. git_pillar_env: base ext_pillar: - git: - foo https://mygitserver/git-pillar.git - bar https://mygitserver/git-pillar.git: - env: bar For this reason, this option is recommended to be left unset, unless the use case calls for all (or almost all) of the git_pillar remotes to use the same environment irrespective of the branch/tag being used. git_pillar_root New in version 2015.8.0. Default: '' Path relative to the root of the repository where the git_pillar top file and SLS files are located. In the below configuration, the pillar top file and SLS files would be looked for in a subdirectory called pillar. git_pillar_root: pillar ext_pillar: - git: - master https://mygitserver/pillar1.git - master https://mygitserver/pillar2.git NOTE: This is a global option. If only one or two repos need to have their files sourced from a subdirectory, then git_pillar_root can be omitted and the root can be specified on a per-remote basis, like so: ext_pillar: - git: - master https://mygitserver/pillar1.git - master https://mygitserver/pillar2.git: - root: pillar In this example, for the first remote the top file and SLS files would be looked for in the root of the repository, while in the second remote the pillar data would be retrieved from the pillar subdirectory. git_pillar_ssl_verify New in version 2015.8.0. Default: True Specifies whether or not to ignore SSL certificate errors when contacting the remote repository. You might want to set this to False if you're using a git repo that uses a self-signed certificate. However, keep in mind that setting this to anything other True is a considered insecure, and using an SSH-based transport (if available) may be a better option. git_pillar_ssl_verify: True Git External Pillar Authentication Options These parameters only currently apply to the pygit2 git_pillar_provider. Authentication works the same as it does in gitfs, as outlined in the GitFS Walkthrough, though the global configuration options are named differently to reflect that they are for git_pillar instead of gitfs. git_pillar_user New in version 2015.8.0. Default: '' Along with git_pillar_password, is used to authenticate to HTTPS remotes. git_pillar_user: git git_pillar_password New in version 2015.8.0. Default: '' Along with git_pillar_user, is used to authenticate to HTTPS remotes. This parameter is not required if the repository does not use authentication. git_pillar_password: mypassword git_pillar_insecure_auth New in version 2015.8.0. Default: False By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. This parameter enables authentication over HTTP. Enable this at your own risk. git_pillar_insecure_auth: True git_pillar_pubkey New in version 2015.8.0. Default: '' Along with git_pillar_privkey (and optionally git_pillar_passphrase), is used to authenticate to SSH remotes. git_pillar_pubkey: /path/to/key.pub git_pillar_privkey New in version 2015.8.0. Default: '' Along with git_pillar_pubkey (and optionally git_pillar_passphrase), is used to authenticate to SSH remotes. git_pillar_privkey: /path/to/key git_pillar_passphrase New in version 2015.8.0. Default: '' This parameter is optional, required only when the SSH key being used to authenticate is protected by a passphrase. git_pillar_passphrase: mypassphrase pillar_source_merging_strategy New in version 2014.7.0. Default: smart The pillar_source_merging_strategy option allows you to configure merging strategy between different sources. It accepts 4 values: • recurse: it will merge recursively mapping of data. For example, theses 2 sources: foo: 42 bar: element1: True bar: element2: True baz: quux will be merged as: foo: 42 bar: element1: True element2: True baz: quux • aggregate: instructs aggregation of elements between sources that use the #!yamlex renderer. For example, these two documents: #!yamlex foo: 42 bar: !aggregate { element1: True } baz: !aggregate quux #!yamlex bar: !aggregate { element2: True } baz: !aggregate quux2 will be merged as: foo: 42 bar: element1: True element2: True baz: - quux - quux2 • overwrite: Will use the behaviour of the 2014.1 branch and earlier. Overwrites elements according the order in which they are processed. First pillar processed: A: first_key: blah second_key: blah Second pillar processed: A: third_key: blah fourth_key: blah will be merged as: A: third_key: blah fourth_key: blah • smart (default): Guesses the best strategy based on the "renderer" setting. pillar_merge_lists New in version 2015.8.0. Default: False Recursively merge lists by aggregating them instead of replacing them. pillar_merge_lists: False Syndic Server Settings A Salt syndic is a Salt master used to pass commands from a higher Salt master to minions below the syndic. Using the syndic is simple. If this is a master that will have syndic servers(s) below it, set the "order_masters" setting to True. If this is a master that will be running a syndic daemon for passthrough the "syndic_master" setting needs to be set to the location of the master server. Do not not forget that, in other words, it means that it shares with the local minion its ID and PKI_DIR. order_masters Default: False Extra data needs to be sent with publications if the master is controlling a lower level master via a syndic minion. If this is the case the order_masters value must be set to True order_masters: False syndic_master Default: None If this master will be running a salt-syndic to connect to a higher level master, specify the higher level master with this configuration value. syndic_master: masterofmasters You can optionally connect a syndic to multiple higher level masters by setting the 'syndic_master' value to a list: syndic_master: - masterofmasters1 - masterofmasters2 Each higher level master must be set up in a multimaster configuration. syndic_master_port Default: 4506 If this master will be running a salt-syndic to connect to a higher level master, specify the higher level master port with this configuration value. syndic_master_port: 4506 syndic_pidfile Default: salt-syndic.pid If this master will be running a salt-syndic to connect to a higher level master, specify the pidfile of the syndic daemon. syndic_pidfile: syndic.pid syndic_log_file Default: syndic.log If this master will be running a salt-syndic to connect to a higher level master, specify the log_file of the syndic daemon. syndic_log_file: salt-syndic.log Peer Publish Settings Salt minions can send commands to other minions, but only if the minion is allowed to. By default "Peer Publication" is disabled, and when enabled it is enabled for specific minions and specific commands. This allows secure compartmentalization of commands based on individual minions. peer Default: {} The configuration uses regular expressions to match minions and then a list of regular expressions to match functions. The following will allow the minion authenticated as foo.example.com to execute functions from the test and pkg modules. peer: foo.example.com: - test.* - pkg.* This will allow all minions to execute all commands: peer: .*: - .* This is not recommended, since it would allow anyone who gets root on any single minion to instantly have root on all of the minions! By adding an additional layer you can limit the target hosts in addition to the accessible commands: peer: foo.example.com: 'db*': - test.* - pkg.* peer_run Default: {} The peer_run option is used to open up runners on the master to access from the minions. The peer_run configuration matches the format of the peer configuration. The following example would allow foo.example.com to execute the manage.up runner: peer_run: foo.example.com: - manage.up Master Logging Settings log_file Default: /var/log/salt/master The master log can be sent to a regular file, local path name, or network location. See also log_file. Examples: log_file: /var/log/salt/master log_file: file:///dev/log log_file: udp://loghost:10514 log_level Default: warning The level of messages to send to the console. See also log_level. log_level: warning log_level_logfile Default: warning The level of messages to send to the log file. See also log_level_logfile. When it is not set explicitly it will inherit the level set by log_level option. log_level_logfile: warning log_datefmt Default: %H:%M:%S The date and time format used in console log messages. See also log_datefmt. log_datefmt: '%H:%M:%S' log_datefmt_logfile Default: %Y-%m-%d %H:%M:%S The date and time format used in log file messages. See also log_datefmt_logfile. log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' log_fmt_console Default: [%(levelname)-8s] %(message)s The format of the console logging messages. See also log_fmt_console. NOTE: Log colors are enabled in log_fmt_console rather than the color config since the logging system is loaded before the master config. Console log colors are specified by these additional formatters: %(colorlevel)s %(colorname)s %(colorprocess)s %(colormsg)s Since it is desirable to include the surrounding brackets, '[' and ']', in the coloring of the messages, these color formatters also include padding as well. Color LogRecord attributes are only available for console logging. log_fmt_console: '%(colorlevel)s %(colormsg)s' log_fmt_console: '[%(levelname)-8s] %(message)s' log_fmt_logfile Default: %(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s The format of the log file logging messages. See also log_fmt_logfile. log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' log_granular_levels Default: {} This can be used to control logging levels more specifically. See also log_granular_levels. Node Groups Default: {} Node groups allow for logical groupings of minion nodes. A group consists of a group name and a compound target. nodegroups: group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com' group2: 'G@os:Debian and foo.domain.com' group3: 'G@os:Debian and N@group1' group4: - 'G@foo:bar' - 'or' - 'G@foo:baz' More information on using nodegroups can be found here. Range Cluster Settings range_server Default: '' The range server (and optional port) that serves your cluster information https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec range_server: range:80 Include Configuration default_include Default: master.d/*.conf The master can include configuration from other files. Per default the master will automatically include all config files from master.d/*.conf where master.d is relative to the directory of the master configuration file. include Default: not defined The master can include configuration from other files. To enable this, pass a list of paths to this option. The paths can be either relative or absolute; if relative, they are considered to be relative to the directory the main minion configuration file lives in. Paths can make use of shell-style globbing. If no files are matched by a path passed to this option then the master will log a warning message. # Include files from a master.d directory in the same # directory as the master config file include: master.d/* # Include a single extra file into the configuration include: /etc/roles/webserver # Include several files and the master.d directory include: - extra_config - master.d/* - /etc/roles/webserver Windows Software Repo Settings winrepo_provider New in version 2015.8.0. Specify the provider to be used for winrepo. Must be either pygit2 or gitpython. If unset, then both will be tried in that same order, and the first one with a compatible version installed will be the provider that is used. winrepo_provider: gitpython winrepo_dir Changed in version 2015.8.0: Renamed from win_repo to winrepo_dir. Default: /srv/salt/win/repo Location on the master where the winrepo_remotes are checked out for pre-2015.8.0 minions. 2015.8.0 and later minions use winrepo_remotes_ng instead. winrepo_dir: /srv/salt/win/repo winrepo_dir_ng New in version 2015.8.0: A new ng repo was added. Default: /srv/salt/win/repo-ng Location on the master where the winrepo_remotes_ng are checked out for 2015.8.0 and later minions. winrepo_dir_ng: /srv/salt/win/repo-ng winrepo_cachefile Changed in version 2015.8.0: Renamed from win_repo_mastercachefile to winrepo_cachefile NOTE: 2015.8.0 and later minions do not use this setting since the cachefile is now located on the minion. Default: winrepo.p Path relative to winrepo_dir where the winrepo cache should be created. winrepo_cachefile: winrepo.p winrepo_remotes Changed in version 2015.8.0: Renamed from win_gitrepos to winrepo_remotes. Default: ['https://github.com/saltstack/salt-winrepo.git'] List of git repositories to checkout and include in the winrepo for pre-2015.8.0 minions. 2015.8.0 and later minions use winrepo_remotes_ng instead. winrepo_remotes: - https://github.com/saltstack/salt-winrepo.git To specify a specific revision of the repository, prepend a commit ID to the URL of the repository: winrepo_remotes: - '<commit_id> https://github.com/saltstack/salt-winrepo.git' Replace <commit_id> with the SHA1 hash of a commit ID. Specifying a commit ID is useful in that it allows one to revert back to a previous version in the event that an error is introduced in the latest revision of the repo. winrepo_remotes_ng New in version 2015.8.0: A new ng repo was added. Default: ['https://github.com/saltstack/salt-winrepo-ng.git'] List of git repositories to checkout and include in the winrepo for 2015.8.0 and later minions. winrepo_remotes_ng: - https://github.com/saltstack/salt-winrepo-ng.git To specify a specific revision of the repository, prepend a commit ID to the URL of the repository: winrepo_remotes: - '<commit_id> https://github.com/saltstack/salt-winrepo-ng.git' Replace <commit_id> with the SHA1 hash of a commit ID. Specifying a commit ID is useful in that it allows one to revert back to a previous version in the event that an error is introduced in the latest revision of the repo. winrepo_branch New in version 2015.8.0. Default: master If the branch is omitted from a winrepo remote, then this branch will be used instead. For example, in the configuration below, the first two remotes would use the winrepo branch/tag, while the third would use the foo branch/tag. winrepo_branch: winrepo ext_pillar: - git: - https://mygitserver/winrepo1.git - https://mygitserver/winrepo2.git: - foo https://mygitserver/winrepo3.git winrepo_ssl_verify New in version 2015.8.0. Default: True Specifies whether or not to ignore SSL certificate errors when contacting the remote repository. You might want to set this to False if you're using a git repo that uses a self-signed certificate. However, keep in mind that setting this to anything other True is a considered insecure, and using an SSH-based transport (if available) may be a better option. winrepo_ssl_verify: True Winrepo Authentication Options These parameters only currently apply to the pygit2 winrepo_provider. Authentication works the same as it does in gitfs, as outlined in the GitFS Walkthrough, though the global configuration options are named differently to reflect that they are for winrepo instead of gitfs. winrepo_user New in version 2015.8.0. Default: '' Along with winrepo_password, is used to authenticate to HTTPS remotes. winrepo_user: git winrepo_password New in version 2015.8.0. Default: '' Along with winrepo_user, is used to authenticate to HTTPS remotes. This parameter is not required if the repository does not use authentication. winrepo_password: mypassword winrepo_insecure_auth New in version 2015.8.0. Default: False By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. This parameter enables authentication over HTTP. Enable this at your own risk. winrepo_insecure_auth: True winrepo_pubkey New in version 2015.8.0. Default: '' Along with winrepo_privkey (and optionally winrepo_passphrase), is used to authenticate to SSH remotes. winrepo_pubkey: /path/to/key.pub winrepo_privkey New in version 2015.8.0. Default: '' Along with winrepo_pubkey (and optionally winrepo_passphrase), is used to authenticate to SSH remotes. winrepo_privkey: /path/to/key winrepo_passphrase New in version 2015.8.0. Default: '' This parameter is optional, required only when the SSH key being used to authenticate is protected by a passphrase. winrepo_passphrase: mypassphrase Configuring the Salt Minion The Salt system is amazingly simple and easy to configure. The two components of the Salt system each have a respective configuration file. The salt-master is configured via the master configuration file, and the salt-minion is configured via the minion configuration file. SEE ALSO: example minion configuration file The Salt Minion configuration is very simple. Typically, the only value that needs to be set is the master value so the minion knows where to locate its master. By default, the salt-minion configuration will be in /etc/salt/minion. A notable exception is FreeBSD, where the configuration will be in /usr/local/etc/salt/minion. Minion Primary Configuration master Default: salt The hostname or ipv4 of the master. Default: salt master: salt The option can can also be set to a list of masters, enabling multi-master mode. master: - address1 - address2 Changed in version 2014.7.0: The master can be dynamically configured. The master value can be set to an module function which will be executed and will assume that the returning value is the ip or hostname of the desired master. If a function is being specified, then the master_type option must be set to func, to tell the minion that the value is a function to be run and not a fully-qualified domain name. master: module.function master_type: func In addition, instead of using multi-master mode, the minion can be configured to use the list of master addresses as a failover list, trying the first address, then the second, etc. until the minion successfully connects. To enable this behavior, set master_type to failover: master: - address1 - address2 master_type: failover master_type New in version 2014.7.0. Default: str The type of the master variable. Can be str, failover or func. master_type: failover If this option is set to failover, master must be a list of master addresses. The minion will then try each master in the order specified in the list until it successfully connects. master_alive_interval must also be set, this determines how often the minion will verify the presence of the master. master_type: func If the master needs to be dynamically assigned by executing a function instead of reading in the static master value, set this to func. This can be used to manage the minion's master setting from an execution module. By simply changing the algorithm in the module to return a new master ip/fqdn, restart the minion and it will connect to the new master. master_alive_interval master_alive_interval: 30 Configures how often, in seconds, the minion will verify that the current master is alive and responding. The minion will try to establish a connection to the next master in the list if it finds the existing one is dead. master_shuffle New in version 2014.7.0. Default: False If master is a list of addresses and :conf_minion`master_type` is failover, shuffle them before trying to connect to distribute the minions over all available masters. This uses Python's random.shuffle method. master_shuffle: True random_master Default: False If master is a list of addresses, shuffle them before trying to connect to distribute the minions over all available masters. This uses Python's random.randint method. random_master: True retry_dns Default: 30 Set the number of seconds to wait before attempting to resolve the master hostname if name resolution fails. Defaults to 30 seconds. Set to zero if the minion should shutdown and not retry. retry_dns: 30 master_port Default: 4506 The port of the master ret server, this needs to coincide with the ret_port option on the Salt master. master_port: 4506 user Default: root The user to run the Salt processes user: root sudo_runas Default: None The user to run salt remote execution commands as via sudo. If this option is enabled then sudo will be used to change the active user executing the remote command. If enabled the user will need to be allowed access via the sudoers file for the user that the salt minion is configured to run as. The most common option would be to use the root user. If this option is set the user option should also be set to a non-root user. If migrating from a root minion to a non root minion the minion cache should be cleared and the minion pki directory will need to be changed to the ownership of the new user. sudo_user: root sudo_user Default: '' Setting sudo_user will cause salt to run all execution modules under an sudo to the user given in sudo_user. The user under which the salt minion process itself runs will still be that provided in user above, but all execution modules run by the minion will be rerouted through sudo. sudo_user: saltadm pidfile Default: /var/run/salt-minion.pid The location of the daemon's process ID file pidfile: /var/run/salt-minion.pid root_dir Default: / This directory is prepended to the following options: pki_dir, cachedir, log_file, sock_dir, and pidfile. root_dir: / pki_dir Default: /etc/salt/pki The directory used to store the minion's public and private keys. pki_dir: /etc/salt/pki id Default: the system's hostname SEE ALSO: Salt Walkthrough The Setting up a Salt Minion section contains detailed information on how the hostname is determined. Explicitly declare the id for this minion to use. Since Salt uses detached ids it is possible to run multiple minions on the same machine but with different ids. id: foo.bar.com append_domain Default: None Append a domain to a hostname in the event that it does not exist. This is useful for systems where socket.getfqdn() does not actually result in a FQDN (for instance, Solaris). append_domain: foo.org cachedir Default: /var/cache/salt The location for minion cache data. This directory may contain sensitive data and should be protected accordingly. cachedir: /var/cache/salt verify_env Default: True Verify and set permissions on configuration directories at startup. verify_env: True NOTE: When marked as True the verify_env option requires WRITE access to the configuration directory (/etc/salt/). In certain situations such as mounting /etc/salt/ as read-only for templating this will create a stack trace when state.highstate is called. cache_jobs Default: False The minion can locally cache the return data from jobs sent to it, this can be a good way to keep track of the minion side of the jobs the minion has executed. By default this feature is disabled, to enable set cache_jobs to True. cache_jobs: False grains_cache Default: False The minion can locally cache grain data instead of refreshing the data each time the grain is referenced. By default this feature is disabled, to enable set grains_cache to True. grains_cache: False sock_dir Default: /var/run/salt/minion The directory where Unix sockets will be kept. sock_dir: /var/run/salt/minion backup_mode Default: [] Backup files replaced by file.managed and file.recurse under cachedir. backup_mode: minion acceptance_wait_time Default: 10 The number of seconds to wait until attempting to re-authenticate with the master. acceptance_wait_time: 10 random_reauth_delay When the master key changes, the minion will try to re-auth itself to receive the new master key. In larger environments this can cause a syn-flood on the master because all minions try to re-auth immediately. To prevent this and have a minion wait for a random amount of time, use this optional parameter. The wait-time will be a random number of seconds between 0 and the defined value. random_reauth_delay: 60 acceptance_wait_time_max Default: None The maximum number of seconds to wait until attempting to re-authenticate with the master. If set, the wait will increase by acceptance_wait_time seconds each iteration. acceptance_wait_time_max: None recon_default Default: 1000 The interval in milliseconds that the socket should wait before trying to reconnect to the master (1000ms = 1 second). recon_default: 1000 recon_max Default: 10000 The maximum time a socket should wait. Each interval the time to wait is calculated by doubling the previous time. If recon_max is reached, it starts again at the recon_default. Short example: • reconnect 1: the socket will wait 'recon_default' milliseconds • reconnect 2: 'recon_default' * 2 • reconnect 3: ('recon_default' * 2) * 2 • reconnect 4: value from previous interval * 2 • reconnect 5: value from previous interval * 2 • reconnect x: if value >= recon_max, it starts again with recon_default recon_max: 10000 recon_randomize Default: True Generate a random wait time on minion start. The wait time will be a random value between recon_default and recon_default and recon_max. Having all minions reconnect with the same recon_default and recon_max value kind of defeats the purpose of being able to change these settings. If all minions have the same values and the setup is quite large (several thousand minions), they will still flood the master. The desired behavior is to have time-frame within all minions try to reconnect. recon_randomize: True return_retry_timer Default: 5 The default timeout for a minion return attempt. return_retry_timer: 5 return_retry_timer_max Default: 10 The maximum timeout for a minion return attempt. If non-zero the minion return retry timeout will be a random int beween return_retry_timer and return_retry_timer_max return_retry_timer_max: 10 cache_sreqs Default: True The connection to the master ret_port is kept open. When set to False, the minion creates a new connection for every return to the master. environment, set this value to False. cache_sreqs: True ipc_mode Default: ipc Windows platforms lack POSIX IPC and must rely on slower TCP based inter- process communications. Set ipc_mode to tcp on such systems. ipc_mode: ipc tcp_pub_port Default: 4510 Publish port used when ipc_mode is set to tcp. tcp_pub_port: 4510 tcp_pull_port Default: 4511 Pull port used when ipc_mode is set to tcp. tcp_pull_port: 4511 transport Default: zeromq Changes the underlying transport layer. ZeroMQ is the recommended transport while additional transport layers are under development. Supported values are zeromq, raet (experimental), and tcp (experimental). This setting has a significant impact on performance and should not be changed unless you know what you are doing! Transports are explained in Salt Transports. transport: zeromq Minion Module Management disable_modules Default: [] (all modules are enabled by default) The event may occur in which the administrator desires that a minion should not be able to execute a certain module. The sys module is built into the minion and cannot be disabled. This setting can also tune the minion, as all modules are loaded into ram disabling modules will lower the minion's ram footprint. disable_modules: - test - solr disable_returners Default: [] (all returners are enabled by default) If certain returners should be disabled, this is the place disable_returners: - mongo_return module_dirs Default: [] A list of extra directories to search for Salt modules module_dirs: - /var/lib/salt/modules returner_dirs Default: [] A list of extra directories to search for Salt returners returners_dirs: - /var/lib/salt/returners states_dirs Default: [] A list of extra directories to search for Salt states states_dirs: - /var/lib/salt/states grains_dirs Default: [] A list of extra directories to search for Salt grains grains_dirs: - /var/lib/salt/grains render_dirs Default: [] A list of extra directories to search for Salt renderers render_dirs: - /var/lib/salt/renderers cython_enable Default: False Set this value to true to enable auto-loading and compiling of .pyx modules, This setting requires that gcc and cython are installed on the minion cython_enable: False enable_zip_modules New in version 2015.8.0. Default: False Set this value to true to enable loading of zip archives as extension modules. This allows for packing module code with specific dependencies to avoid conflicts and/or having to install specific modules' dependencies in system libraries. enable_zip_modules: False providers Default: (empty) A module provider can be statically overwritten or extended for the minion via the providers option. This can be done on an individual basis in an SLS file, or globally here in the minion config, like below. providers: service: systemd State Management Settings renderer Default: yaml_jinja The default renderer used for local state executions renderer: yaml_jinja state_verbose Default: False state_verbose allows for the data returned from the minion to be more verbose. Normally only states that fail or states that have changes are returned, but setting state_verbose to True will return all states that were checked state_verbose: True state_output Default: full The state_output setting changes if the output is the full multi line output for each changed state if set to 'full', but if set to 'terse' the output will be shortened to a single line. state_output: full autoload_dynamic_modules Default: True autoload_dynamic_modules Turns on automatic loading of modules found in the environments on the master. This is turned on by default, to turn of auto-loading modules when states run set this value to False autoload_dynamic_modules: True Default: True clean_dynamic_modules keeps the dynamic modules on the minion in sync with the dynamic modules on the master, this means that if a dynamic module is not on the master it will be deleted from the minion. By default this is enabled and can be disabled by changing this value to False clean_dynamic_modules: True environment Default: None Normally the minion is not isolated to any single environment on the master when running states, but the environment can be isolated on the minion side by statically setting it. Remember that the recommended way to manage environments is to isolate via the top file. environment: None File Directory Settings file_client Default: remote The client defaults to looking on the master server for files, but can be directed to look on the minion by setting this parameter to local. file_client: remote use_master_when_local Default: False When using a local file_client, this parameter is used to allow the client to connect to a master for remote execution. use_master_when_local: False file_roots Default: base: - /srv/salt When using a local file_client, this parameter is used to setup the fileserver's environments. This parameter operates identically to the master config parameter of the same name. file_roots: base: - /srv/salt dev: - /srv/salt/dev/services - /srv/salt/dev/states prod: - /srv/salt/prod/services - /srv/salt/prod/states hash_type Default: md5 The hash_type is the hash to use when discovering the hash of a file on the local fileserver. The default is md5, but sha1, sha224, sha256, sha384, and sha512 are also supported. hash_type: md5 Pillar Settings pillar_roots Default: base: - /srv/pillar When using a local file_client, this parameter is used to setup the pillar environments. pillar_roots: base: - /srv/pillar dev: - /srv/pillar/dev prod: - /srv/pillar/prod pillarenv Default: None Isolates the pillar environment on the minion side. This functions the same as the environment setting, but for pillar instead of states. pillarenv: None Security Settings open_mode Default: False Open mode can be used to clean out the PKI key received from the Salt master, turn on open mode, restart the minion, then turn off open mode and restart the minion to clean the keys. open_mode: False master_finger Default: '' Fingerprint of the master public key to validate the identity of your Salt master before the initial key exchange. The master fingerprint can be found by running "salt-key -F master" on the Salt master. master_finger: 'ba:30:65:2a:d6:9e:20:4f:d8:b2:f3:a7:d4:65:11:13' verify_master_pubkey_sign Default: False Enables verification of the master-public-signature returned by the master in auth-replies. Please see the tutorial on how to configure this properly Multimaster-PKI with Failover Tutorial New in version 2014.7.0. verify_master_pubkey_sign: True If this is set to True, master_sign_pubkey must be also set to True in the master configuration file. master_sign_key_name Default: master_sign The filename without the .pub suffix of the public key that should be used for verifying the signature from the master. The file must be located in the minion's pki directory. New in version 2014.7.0. master_sign_key_name: <filename_without_suffix> always_verify_signature Default: False If verify_master_pubkey_sign is enabled, the signature is only verified, if the public-key of the master changes. If the signature should always be verified, this can be set to True. New in version 2014.7.0. always_verify_signature: True Thread Settings Default: True Disable multiprocessing support by default when a minion receives a publication a new process is spawned and the command is executed therein. multiprocessing: True Minion Logging Settings log_file Default: /var/log/salt/minion The minion log can be sent to a regular file, local path name, or network location. See also log_file. Examples: log_file: /var/log/salt/minion log_file: file:///dev/log log_file: udp://loghost:10514 log_level Default: warning The level of messages to send to the console. See also log_level. log_level: warning log_level_logfile Default: warning The level of messages to send to the log file. See also log_level_logfile. When it is not set explicitly it will inherit the level set by log_level option. log_level_logfile: warning log_datefmt Default: %H:%M:%S The date and time format used in console log messages. See also log_datefmt. log_datefmt: '%H:%M:%S' log_datefmt_logfile Default: %Y-%m-%d %H:%M:%S The date and time format used in log file messages. See also log_datefmt_logfile. log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' log_fmt_console Default: [%(levelname)-8s] %(message)s The format of the console logging messages. See also log_fmt_console. NOTE: Log colors are enabled in log_fmt_console rather than the color config since the logging system is loaded before the minion config. Console log colors are specified by these additional formatters: %(colorlevel)s %(colorname)s %(colorprocess)s %(colormsg)s Since it is desirable to include the surrounding brackets, '[' and ']', in the coloring of the messages, these color formatters also include padding as well. Color LogRecord attributes are only available for console logging. log_fmt_console: '%(colorlevel)s %(colormsg)s' log_fmt_console: '[%(levelname)-8s] %(message)s' log_fmt_logfile Default: %(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s The format of the log file logging messages. See also log_fmt_logfile. log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' log_granular_levels Default: {} This can be used to control logging levels more specifically. See also log_granular_levels. zmq_monitor Default: False To diagnose issues with minions disconnecting or missing returns, ZeroMQ supports the use of monitor sockets to log connection events. This feature requires ZeroMQ 4.0 or higher. To enable ZeroMQ monitor sockets, set 'zmq_monitor' to 'True' and log at a debug level or higher. A sample log event is as follows: [DEBUG ] ZeroMQ event: {'endpoint': 'tcp://127.0.0.1:4505', 'event': 512, 'value': 27, 'description': 'EVENT_DISCONNECTED'} All events logged will include the string ZeroMQ event. A connection event should be logged as the minion starts up and initially connects to the master. If not, check for debug log level and that the necessary version of ZeroMQ is installed. failhard Default: False Set the global failhard flag, this informs all states to stop running states at the moment a single state fails failhard: False Include Configuration default_include Default: minion.d/*.conf The minion can include configuration from other files. Per default the minion will automatically include all config files from minion.d/*.conf where minion.d is relative to the directory of the minion configuration file. include Default: not defined The minion can include configuration from other files. To enable this, pass a list of paths to this option. The paths can be either relative or absolute; if relative, they are considered to be relative to the directory the main minion configuration file lives in. Paths can make use of shell-style globbing. If no files are matched by a path passed to this option then the minion will log a warning message. # Include files from a minion.d directory in the same # directory as the minion config file include: minion.d/*.conf # Include a single extra file into the configuration include: /etc/roles/webserver # Include several files and the minion.d directory include: - extra_config - minion.d/* - /etc/roles/webserver Frozen Build Update Settings These options control how salt.modules.saltutil.update() works with esky frozen apps. For more information look at https://github.com/cloudmatrix/esky/. update_url Default: False (Update feature is disabled) The url to use when looking for application updates. Esky depends on directory listings to search for new versions. A webserver running on your Master is a good starting point for most setups. update_url: 'http://salt.example.com/minion-updates' update_restart_services Default: [] (service restarting on update is disabled) A list of services to restart when the minion software is updated. This would typically just be a list containing the minion's service name, but you may have other services that need to go with it. update_restart_services: ['salt-minion'] Standalone Minion Windows Software Repo Settings IMPORTANT: To use these config options, the minion must be running in masterless mode (set file_client to local). winrepo_dir Changed in version 2015.8.0: Renamed from win_repo to winrepo_dir. Also, this option did not have a default value until this version. Default: C:\salt\srv\salt\win\repo Location on the minion where the winrepo_remotes are checked out. winrepo_dir: 'D:\winrepo' winrepo_cachefile Changed in version 2015.8.0: Renamed from win_repo_cachefile to winrepo_cachefile. Also, this option did not have a default value until this version. Default: winrepo.p Path relative to winrepo_dir where the winrepo cache should be created. winrepo_cachefile: winrepo.p winrepo_remotes Changed in version 2015.8.0: Renamed from win_gitrepos to winrepo_remotes. Also, this option did not have a default value until this version. New in version 2015.8.0. Default: ['https://github.com/saltstack/salt-winrepo.git'] List of git repositories to checkout and include in the winrepo winrepo_remotes: - https://github.com/saltstack/salt-winrepo.git To specify a specific revision of the repository, prepend a commit ID to the URL of the the repository: winrepo_remotes: - '<commit_id> https://github.com/saltstack/salt-winrepo.git' Replace <commit_id> with the SHA1 hash of a commit ID. Specifying a commit ID is useful in that it allows one to revert back to a previous version in the event that an error is introduced in the latest revision of the repo. Running the Salt Master/Minion as an Unprivileged User While the default setup runs the master and minion as the root user, some may consider it an extra measure of security to run the master as a non-root user. Keep in mind that doing so does not change the master's capability to access minions as the user they are running as. Due to this many feel that running the master as a non-root user does not grant any real security advantage which is why the master has remained as root by default. NOTE: Some of Salt's operations cannot execute correctly when the master is not running as root, specifically the pam external auth system, as this system needs root access to check authentication. As of Salt 0.9.10 it is possible to run Salt as a non-root user. This can be done by setting the user parameter in the master configuration file. and restarting the salt-master service. The minion has it's own user parameter as well, but running the minion as an unprivileged user will keep it from making changes to things like users, installed packages, etc. unless access controls (sudo, etc.) are setup on the minion to permit the non-root user to make the needed changes. In order to allow Salt to successfully run as a non-root user, ownership, and permissions need to be set such that the desired user can read from and write to the following directories (and their subdirectories, where applicable): • /etc/salt • /var/cache/salt • /var/log/salt • /var/run/salt Ownership can be easily changed with chown, like so: # chown -R user /etc/salt /var/cache/salt /var/log/salt /var/run/salt WARNING: Running either the master or minion with the root_dir parameter specified will affect these paths, as will setting options like pki_dir, cachedir, log_file, and other options that normally live in the above directories. Logging The salt project tries to get the logging to work for you and help us solve any issues you might find along the way. If you want to get some more information on the nitty-gritty of salt's logging system, please head over to the logging development document, if all you're after is salt's logging configurations, please continue reading. Available Configuration Settings log_file The log records can be sent to a regular file, local path name, or network location. Remote logging works best when configured to use rsyslogd(8) (e.g.: file:///dev/log), with rsyslogd(8) configured for network logging. The format for remote addresses is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility>. Default: Dependent of the binary being executed, for example, for salt-master, /var/log/salt/master. Examples: log_file: /var/log/salt/master log_file: /var/log/salt/minion log_file: file:///dev/log log_file: udp://loghost:10514 log_level Default: warning The level of log record messages to send to the console. One of all, garbage, trace, debug, info, warning, error, critical, quiet. log_level: warning log_level_logfile Default: warning The level of messages to send to the log file. One of all, garbage, trace, debug, info, warning, error, critical, quiet. log_level_logfile: warning log_datefmt Default: %H:%M:%S The date and time format used in console log messages. Allowed date/time formatting can be seen on time.strftime. log_datefmt: '%H:%M:%S' log_datefmt_logfile Default: %Y-%m-%d %H:%M:%S The date and time format used in log file messages. Allowed date/time formatting can be seen on time.strftime. log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' log_fmt_console Default: [%(levelname)-8s] %(message)s The format of the console logging messages. All standard python logging LogRecord attributes can be used. Salt also provides these custom LogRecord attributes to colorize console log output: '%(colorlevel)s' # log level name colorized by level '%(colorname)s' # colorized module name '%(colorprocess)s' # colorized process number '%(colormsg)s' # log message colorized by level NOTE: The %(colorlevel)s, %(colorname)s, and %(colorprocess) LogRecord attributes also include padding and enclosing brackets, [ and ] to match the default values of their collateral non-colorized LogRecord attributes. log_fmt_console: '[%(levelname)-8s] %(message)s' log_fmt_logfile Default: %(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s The format of the log file logging messages. All standard python logging LogRecord attributes can be used. Salt also provides these custom LogRecord attributes that include padding and enclosing brackets [ and ]: '%(bracketlevel)s' # equivalent to [%(levelname)-8s] '%(bracketname)s' # equivalent to [%(name)-17s] '%(bracketprocess)s' # equivalent to [%(process)5s] log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' log_granular_levels Default: {} This can be used to control logging levels more specifically. The example sets the main salt library at the 'warning' level, but sets salt.modules to log at the debug level: log_granular_levels: 'salt': 'warning' 'salt.modules': 'debug' External Logging Handlers Besides the internal logging handlers used by salt, there are some external which can be used, see the external logging handlers document. External Logging Handlers ┌─────────────┬──────────────────────────┐ │logstash_mod │ Logstash Logging Handler │ ├─────────────┼──────────────────────────┤ │sentry_mod │ Sentry Logging Handler │ └─────────────┴──────────────────────────┘ Logstash Logging Handler New in version 0.17.0. This module provides some Logstash logging handlers. UDP Logging Handler For versions of Logstash before 1.2.0: In the salt configuration file: logstash_udp_handler: host: 127.0.0.1 port: 9999 version: 0 In the Logstash configuration file: input { udp { type => "udp-type" format => "json_event" } } For version 1.2.0 of Logstash and newer: In the salt configuration file: logstash_udp_handler: host: 127.0.0.1 port: 9999 version: 1 In the Logstash configuration file: input { udp { port => 9999 codec => json } } Please read the UDP input configuration page for additional information. ZeroMQ Logging Handler For versions of Logstash before 1.2.0: In the salt configuration file: logstash_zmq_handler: address: tcp://127.0.0.1:2021 version: 0 In the Logstash configuration file: input { zeromq { type => "zeromq-type" mode => "server" topology => "pubsub" address => "tcp://0.0.0.0:2021" charset => "UTF-8" format => "json_event" } } For version 1.2.0 of Logstash and newer: In the salt configuration file: logstash_zmq_handler: address: tcp://127.0.0.1:2021 version: 1 In the Logstash configuration file: input { zeromq { topology => "pubsub" address => "tcp://0.0.0.0:2021" codec => json } } Please read the ZeroMQ input configuration page for additional information. Important Logstash Setting One of the most important settings that you should not forget on your Logstash configuration file regarding these logging handlers is format. Both the UDP and ZeroMQ inputs need to have format as json_event which is what we send over the wire. Log Level Both the logstash_udp_handler and the logstash_zmq_handler configuration sections accept an additional setting log_level. If not set, the logging level used will be the one defined for log_level in the global configuration file section. HWM The high water mark for the ZMQ socket setting. Only applicable for the logstash_zmq_handler. Inspiration This work was inspired in pylogstash, python-logstash, canary and the PyZMQ logging handler. Sentry Logging Handler New in version 0.17.0. This module provides a Sentry logging handler. Note The Raven library needs to be installed on the system for this logging handler to be available. Configuring the python Sentry client, Raven, should be done under the sentry_handler configuration key. Additional context may be provided for coresponding grain item(s). At the bare minimum, you need to define the DSN. As an example: sentry_handler: dsn: https://pub-key:secret-key@app.getsentry.com/app-id More complex configurations can be achieved, for example: sentry_handler: servers: - https://sentry.example.com - http://192.168.1.1 project: app-id public_key: deadbeefdeadbeefdeadbeefdeadbeef secret_key: beefdeadbeefdeadbeefdeadbeefdead context: - os - master - saltversion - cpuarch - ec2.tags.environment All the client configuration keys are supported, please see the Raven client documentation. The default logging level for the sentry handler is ERROR. If you wish to define a different one, define log_level under the sentry_handler configuration key: sentry_handler: dsn: https://pub-key:secret-key@app.getsentry.com/app-id log_level: warning The available log levels are those also available for the salt cli tools and configuration; salt --help should give you the required information. Threaded Transports Raven's documents rightly suggest using its threaded transport for critical applications. However, don't forget that if you start having troubles with Salt after enabling the threaded transport, please try switching to a non-threaded transport to see if that fixes your problem. Salt File Server Salt comes with a simple file server suitable for distributing files to the Salt minions. The file server is a stateless ZeroMQ server that is built into the Salt master. The main intent of the Salt file server is to present files for use in the Salt state system. With this said, the Salt file server can be used for any general file transfer from the master to the minions. File Server Backends In Salt 0.12.0, the modular fileserver was introduced. This feature added the ability for the Salt Master to integrate different file server backends. File server backends allow the Salt file server to act as a transparent bridge to external resources. A good example of this is the git backend, which allows Salt to serve files sourced from one or more git repositories, but there are several others as well. Click here for a full list of Salt's fileserver backends. Enabling a Fileserver Backend Fileserver backends can be enabled with the fileserver_backend option. fileserver_backend: - git See the documentation for each backend to find the correct value to add to fileserver_backend in order to enable them. Using Multiple Backends If fileserver_backend is not defined in the Master config file, Salt will use the roots backend, but the fileserver_backend option supports multiple backends. When more than one backend is in use, the files from the enabled backends are merged into a single virtual filesystem. When a file is requested, the backends will be searched in order for that file, and the first backend to match will be the one which returns the file. fileserver_backend: - roots - git With this configuration, the environments and files defined in the file_roots parameter will be searched first, and if the file is not found then the git repositories defined in gitfs_remotes will be searched. Environments Just as the order of the values in fileserver_backend matters, so too does the order in which different sources are defined within a fileserver environment. For example, given the below file_roots configuration, if both /srv/salt/dev/foo.txt and /srv/salt/prod/foo.txt exist on the Master, then salt://foo.txt would point to /srv/salt/dev/foo.txt in the dev environment, but it would point to /srv/salt/prod/foo.txt in the base environment. file_roots: base: - /srv/salt/prod qa: - /srv/salt/qa - /srv/salt/prod dev: - /srv/salt/dev - /srv/salt/qa - /srv/salt/prod Similarly, when using the git backend, if both repositories defined below have a hotfix23 branch/tag, and both of them also contain the file bar.txt in the root of the repository at that branch/tag, then salt://bar.txt in the hotfix23 environment would be served from the first repository. gitfs_remotes: - https://mydomain.tld/repos/first.git - https://mydomain.tld/repos/second.git NOTE: Environments map differently based on the fileserver backend. For instance, the mappings are explicitly defined in roots backend, while in the VCS backends (git, hg, svn) the environments are created from branches/tags/bookmarks/etc. For the minion backend, the files are all in a single environment, which is specified by the minionfs_env option. See the documentation for each backend for a more detailed explanation of how environments are mapped. Dynamic Module Distribution New in version 0.9.5. Custom Salt execution, state, and other modules can be distributed to Salt minions using the Salt file server. Under the root of any environment defined via the file_roots option on the master server directories corresponding to the type of module can be used. The directories are prepended with an underscore: • _beacons • _modules • _grains • _renderers • _returners • _states • _output • _utils The contents of these directories need to be synced over to the minions after Python modules have been created in them. There are a number of ways to sync the modules. Sync Via States The minion configuration contains an option autoload_dynamic_modules which defaults to True. This option makes the state system refresh all dynamic modules when states are run. To disable this behavior set autoload_dynamic_modules to False in the minion config. When dynamic modules are autoloaded via states, modules only pertinent to the environments matched in the master's top file are downloaded. This is important to remember, because modules can be manually loaded from any specific environment that environment specific modules will be loaded when a state run is executed. Sync Via the saltutil Module The saltutil module has a number of functions that can be used to sync all or specific dynamic modules. The saltutil module function saltutil.sync_all will sync all module types over to a minion. For more information see: salt.modules.saltutil File Server Configuration The Salt file server is a high performance file server written in ZeroMQ. It manages large files quickly and with little overhead, and has been optimized to handle small files in an extremely efficient manner. The Salt file server is an environment aware file server. This means that files can be allocated within many root directories and accessed by specifying both the file path and the environment to search. The individual environments can span across multiple directory roots to create overlays and to allow for files to be organized in many flexible ways. Environments The Salt file server defaults to the mandatory base environment. This environment MUST be defined and is used to download files when no environment is specified. Environments allow for files and sls data to be logically separated, but environments are not isolated from each other. This allows for logical isolation of environments by the engineer using Salt, but also allows for information to be used in multiple environments. Directory Overlay The environment setting is a list of directories to publish files from. These directories are searched in order to find the specified file and the first file found is returned. This means that directory data is prioritized based on the order in which they are listed. In the case of this file_roots configuration: file_roots: base: - /srv/salt/base - /srv/salt/failover If a file's URI is salt://httpd/httpd.conf, it will first search for the file at /srv/salt/base/httpd/httpd.conf. If the file is found there it will be returned. If the file is not found there, then /srv/salt/failover/httpd/httpd.conf will be used for the source. This allows for directories to be overlaid and prioritized based on the order they are defined in the configuration. It is also possible to have file_roots which supports multiple environments: file_roots: base: - /srv/salt/base dev: - /srv/salt/dev - /srv/salt/base prod: - /srv/salt/prod - /srv/salt/base This example ensures that each environment will check the associated environment directory for files first. If a file is not found in the appropriate directory, the system will default to using the base directory. Local File Server New in version 0.9.8. The file server can be rerouted to run from the minion. This is primarily to enable running Salt states without a Salt master. To use the local file server interface, copy the file server data to the minion and set the file_roots option on the minion to point to the directories copied from the master. Once the minion file_roots option has been set, change the file_client option to local to make sure that the local file server interface is used. The cp Module The cp module is the home of minion side file server operations. The cp module is used by the Salt state system, salt-cp, and can be used to distribute files presented by the Salt file server. Escaping Special Characters The salt:// url format can potentially contain a query string, for example salt://dir/file.txt?saltenv=base. You can prevent the fileclient/fileserver from interpreting ? as the initial token of a query string by referencing the file with salt://| rather than salt://. /etc/marathon/conf/?checkpoint: file.managed: - source: salt://|hw/config/?checkpoint - makedirs: True Environments Since the file server is made to work with the Salt state system, it supports environments. The environments are defined in the master config file and when referencing an environment the file specified will be based on the root directory of the environment. get_file The cp.get_file function can be used on the minion to download a file from the master, the syntax looks like this: # salt '*' cp.get_file salt://vimrc /etc/vimrc This will instruct all Salt minions to download the vimrc file and copy it to /etc/vimrc Template rendering can be enabled on both the source and destination file names like so: # salt '*' cp.get_file "salt://{{grains.os}}/vimrc" /etc/vimrc template=jinja This example would instruct all Salt minions to download the vimrc from a directory with the same name as their OS grain and copy it to /etc/vimrc For larger files, the cp.get_file module also supports gzip compression. Because gzip is CPU-intensive, this should only be used in scenarios where the compression ratio is very high (e.g. pretty-printed JSON or YAML files). To use compression, use the gzip named argument. Valid values are integers from 1 to 9, where 1 is the lightest compression and 9 the heaviest. In other words, 1 uses the least CPU on the master (and minion), while 9 uses the most. # salt '*' cp.get_file salt://vimrc /etc/vimrc gzip=5 Finally, note that by default cp.get_file does not create new destination directories if they do not exist. To change this, use the makedirs argument: # salt '*' cp.get_file salt://vimrc /etc/vim/vimrc makedirs=True In this example, /etc/vim/ would be created if it didn't already exist. get_dir The cp.get_dir function can be used on the minion to download an entire directory from the master. The syntax is very similar to get_file: # salt '*' cp.get_dir salt://etc/apache2 /etc cp.get_dir supports template rendering and gzip compression arguments just like get_file: # salt '*' cp.get_dir salt://etc/{{pillar.webserver}} /etc gzip=5 template=jinja File Server Client API A client API is available which allows for modules and applications to be written which make use of the Salt file server. The file server uses the same authentication and encryption used by the rest of the Salt system for network communication. FileClient Class The FileClient class is used to set up the communication from the minion to the master. When creating a FileClient object the minion configuration needs to be passed in. When using the FileClient from within a minion module the built in __opts__ data can be passed: import salt.minion def get_file(path, dest, env='base'): ''' Used to get a single file from the Salt master CLI Example: salt '*' cp.get_file salt://vimrc /etc/vimrc ''' # Create the FileClient object client = salt.minion.FileClient(__opts__) # Call get_file return client.get_file(path, dest, False, env) Using the FileClient class outside of a minion module where the __opts__ data is not available, it needs to be generated: import salt.minion import salt.config def get_file(path, dest, env='base'): ''' Used to get a single file from the Salt master ''' # Get the configuration data opts = salt.config.minion_config('/etc/salt/minion') # Create the FileClient object client = salt.minion.FileClient(opts) # Call get_file return client.get_file(path, dest, False, env) Full list of builtin fileserver modules ┌─────────┬──────────────────────────────────┐ │azurefs │ The backend for serving files │ │ │ from the Azure blob storage │ │ │ service. │ ├─────────┼──────────────────────────────────┤ │gitfs │ Git Fileserver Backend │ ├─────────┼──────────────────────────────────┤ │hgfs │ Mercurial Fileserver Backend │ ├─────────┼──────────────────────────────────┤ │minionfs │ Fileserver backend which serves │ │ │ files pushed to the Master │ ├─────────┼──────────────────────────────────┤ │roots │ The default file server backend │ ├─────────┼──────────────────────────────────┤ │s3fs │ Amazon S3 Fileserver Backend │ ├─────────┼──────────────────────────────────┤ │svnfs │ Subversion Fileserver Backend │ └─────────┴──────────────────────────────────┘ salt.fileserver.azurefs The backend for serving files from the Azure blob storage service. To enable, add azurefs to the fileserver_backend option in the Master config file. fileserver_backend: - azurefs Each environment is configured as a storage container. The name of the container must match the name of the environment. The storage_account is the name of the storage account inside Azure where the container lives, and the storage_key is the access key used for that storage account: azurefs_envs: base: storage_account: my_storage storage_key: frehgfw34fWGegG07fwsfw343tGFDSDGDFGD== With this configuration, multiple storage accounts can be used with a single salt instrastructure. salt.fileserver.azurefs.dir_list(load) Return a list of all directories on the master salt.fileserver.azurefs.envs() Treat each container as an environment salt.fileserver.azurefs.file_hash(load, fnd) Return a file hash, the hash type is set in the master config file salt.fileserver.azurefs.file_list(load) Return a list of all files on the file server in a specified environment salt.fileserver.azurefs.find_file(path, saltenv='base', env=None, **kwargs) Search the environment for the relative path salt.fileserver.azurefs.serve_file(load, fnd) Return a chunk from a file based on the data received salt.fileserver.azurefs.update() When we are asked to update (regular interval) lets reap the cache salt.fileserver.gitfs Git Fileserver Backend With this backend, branches and tags in a remote git repository are exposed to salt as different environments. To enable, add git to the fileserver_backend option in the Master config file. fileserver_backend: - git As of Salt 2014.7.0, the Git fileserver backend supports GitPython, pygit2, and dulwich to provide the Python interface to git. If more than one of these are present, the order of preference for which one will be chosen is the same as the order in which they were listed: pygit2, GitPython, dulwich (keep in mind, this order is subject to change). An optional master config parameter (gitfs_provider) can be used to specify which provider should be used. More detailed information on how to use gitfs can be found in the Gitfs Walkthrough. NOTE: Minimum requirements To use GitPython for gitfs requires a minimum GitPython version of 0.3.0, as well as the git CLI utility. Instructions for installing GitPython can be found here. To use pygit2 for gitfs requires a minimum pygit2 version of 0.20.3. pygit2 0.20.3 requires libgit2 0.20.0. pygit2 and libgit2 are developed alongside one another, so it is recommended to keep them both at the same major release to avoid unexpected behavior. For example, pygit2 0.21.x requires libgit2 0.21.x, pygit2 0.22.x will require libgit2 0.22.x, etc. To find stale refs, pygit2 additionally requires the git CLI utility to be installed. salt.fileserver.gitfs.clear_cache() Completely clear gitfs cache salt.fileserver.gitfs.clear_lock(remote=None, lock_type='update') Clear update.lk salt.fileserver.gitfs.dir_list(load) Return a list of all directories on the master salt.fileserver.gitfs.envs(ignore_cache=False) Return a list of refs that can be used as environments salt.fileserver.gitfs.file_hash(load, fnd) Return a file hash, the hash type is set in the master config file salt.fileserver.gitfs.file_list(load) Return a list of all files on the file server in a specified environment (specified as a key within the load dict). salt.fileserver.gitfs.file_list_emptydirs(load) Return a list of all empty directories on the master salt.fileserver.gitfs.find_file(path, tgt_env='base', **kwargs) Find the first file to match the path and ref, read the file out of git and send the path to the newly cached file salt.fileserver.gitfs.init() Initialize remotes. This is only used by the master's pre-flight checks, and is not invoked by GitFS. salt.fileserver.gitfs.lock(remote=None) Place an update.lk remote can either be a dictionary containing repo configuration information, or a pattern. If the latter, then remotes for which the URL matches the pattern will be locked. salt.fileserver.gitfs.serve_file(load, fnd) Return a chunk from a file based on the data received salt.fileserver.gitfs.symlink_list(load) Return a dict of all symlinks based on a given path in the repo salt.fileserver.gitfs.update() Execute a git fetch on all of the repos salt.fileserver.hgfs Mercurial Fileserver Backend To enable, add hg to the fileserver_backend option in the Master config file. fileserver_backend: - hg After enabling this backend, branches, bookmarks, and tags in a remote mercurial repository are exposed to salt as different environments. This feature is managed by the fileserver_backend option in the salt master config file. This fileserver has an additional option hgfs_branch_method that will set the desired branch method. Possible values are: branches, bookmarks, or mixed. If using branches or mixed, the default branch will be mapped to base. Changed in version 2014.1.0: The hgfs_base master config parameter was added, allowing for a branch other than default to be used for the base environment, and allowing for a base environment to be specified when using an hgfs_branch_method of bookmarks. depends • mercurial • python bindings for mercurial (python-hglib) salt.fileserver.hgfs.clear_cache() Completely clear hgfs cache salt.fileserver.hgfs.clear_lock(remote=None) Clear update.lk remote can either be a dictionary containing repo configuration information, or a pattern. If the latter, then remotes for which the URL matches the pattern will be locked. salt.fileserver.hgfs.dir_list(load) Return a list of all directories on the master salt.fileserver.hgfs.envs(ignore_cache=False) Return a list of refs that can be used as environments salt.fileserver.hgfs.file_hash(load, fnd) Return a file hash, the hash type is set in the master config file salt.fileserver.hgfs.file_list(load) Return a list of all files on the file server in a specified environment salt.fileserver.hgfs.file_list_emptydirs(load) Return a list of all empty directories on the master salt.fileserver.hgfs.find_file(path, tgt_env='base', **kwargs) Find the first file to match the path and ref, read the file out of hg and send the path to the newly cached file salt.fileserver.hgfs.init() Return a list of hglib objects for the various hgfs remotes salt.fileserver.hgfs.lock(remote=None) Place an update.lk remote can either be a dictionary containing repo configuration information, or a pattern. If the latter, then remotes for which the URL matches the pattern will be locked. salt.fileserver.hgfs.serve_file(load, fnd) Return a chunk from a file based on the data received salt.fileserver.hgfs.update() Execute an hg pull on all of the repos salt.fileserver.minionfs Fileserver backend which serves files pushed to the Master The cp.push function allows Minions to push files up to the Master. Using this backend, these pushed files are exposed to other Minions via the Salt fileserver. To enable minionfs, file_recv needs to be set to True in the master config file (otherwise cp.push will not be allowed to push files to the Master), and minion must be added to the fileserver_backends list. fileserver_backend: - minion Other minionfs settings include: minionfs_whitelist, minionfs_blacklist, minionfs_mountpoint, and minionfs_env. SEE ALSO: tutorial-minionfs salt.fileserver.minionfs.dir_list(load) Return a list of all directories on the master CLI Example: $ salt 'source-minion' cp.push /absolute/path/file # Push the file to the master $ salt 'destination-minion' cp.list_master_dirs destination-minion: - source-minion/absolute - source-minion/absolute/path salt.fileserver.minionfs.envs() Returns the one environment specified for minionfs in the master configuration. salt.fileserver.minionfs.file_hash(load, fnd) Return a file hash, the hash type is set in the master config file salt.fileserver.minionfs.file_list(load) Return a list of all files on the file server in a specified environment salt.fileserver.minionfs.find_file(path, tgt_env='base', **kwargs) Search the environment for the relative path salt.fileserver.minionfs.serve_file(load, fnd) Return a chunk from a file based on the data received CLI Example: # Push the file to the master $ salt 'source-minion' cp.push /path/to/the/file $ salt 'destination-minion' cp.get_file salt://source-minion/path/to/the/file /destination/file salt.fileserver.minionfs.update() When we are asked to update (regular interval) lets reap the cache salt.fileserver.roots The default file server backend This fileserver backend serves files from the Master's local filesystem. If fileserver_backend is not defined in the Master config file, then this backend is enabled by default. If it is defined then roots must be in the fileserver_backend list to enable this backend. fileserver_backend: - roots Fileserver environments are defined using the file_roots configuration option. salt.fileserver.roots.dir_list(load) Return a list of all directories on the master salt.fileserver.roots.envs() Return the file server environments salt.fileserver.roots.file_hash(load, fnd) Return a file hash, the hash type is set in the master config file salt.fileserver.roots.file_list(load) Return a list of all files on the file server in a specified environment salt.fileserver.roots.file_list_emptydirs(load) Return a list of all empty directories on the master salt.fileserver.roots.find_file(path, saltenv='base', env=None, **kwargs) Search the environment for the relative path salt.fileserver.roots.serve_file(load, fnd) Return a chunk from a file based on the data received salt.fileserver.roots.symlink_list(load) Return a dict of all symlinks based on a given path on the Master salt.fileserver.roots.update() When we are asked to update (regular interval) lets reap the cache salt.fileserver.s3fs Amazon S3 Fileserver Backend This backend exposes directories in S3 buckets as Salt environments. To enable this backend, add s3fs to the fileserver_backend option in the Master config file. fileserver_backend: - s3fs S3 credentials must also be set in the master config file: s3.keyid: GKTADJGHEIQSXMKKRBJ08H s3.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs Alternatively, if on EC2 these credentials can be automatically loaded from instance metadata. This fileserver supports two modes of operation for the buckets: 1. A single bucket per environment s3.buckets: production: - bucket1 - bucket2 staging: - bucket3 - bucket4 2. Multiple environments per bucket s3.buckets: - bucket1 - bucket2 - bucket3 - bucket4 Note that bucket names must be all lowercase both in the AWS console and in Salt, otherwise you may encounter SignatureDoesNotMatch errors. A multiple-environment bucket must adhere to the following root directory structure: s3://<bucket name>/<environment>/<files> NOTE: This fileserver back-end requires the use of the MD5 hashing algorithm. MD5 may not be compliant with all security policies. salt.fileserver.s3fs.dir_list(load) Return a list of all directories on the master salt.fileserver.s3fs.envs() Return a list of directories within the bucket that can be used as environments. salt.fileserver.s3fs.file_hash(load, fnd) Return an MD5 file hash salt.fileserver.s3fs.file_list(load) Return a list of all files on the file server in a specified environment salt.fileserver.s3fs.file_list_emptydirs(load) Return a list of all empty directories on the master salt.fileserver.s3fs.find_file(path, saltenv='base', env=None, **kwargs) Look through the buckets cache file for a match. If the field is found, it is retrieved from S3 only if its cached version is missing, or if the MD5 does not match. salt.fileserver.s3fs.serve_file(load, fnd) Return a chunk from a file based on the data received salt.fileserver.s3fs.update() Update the cache file for the bucket. salt.fileserver.svnfs Subversion Fileserver Backend After enabling this backend, branches, and tags in a remote subversion repository are exposed to salt as different environments. To enable this backend, add svn to the fileserver_backend option in the Master config file. fileserver_backend: - svn This backend assumes a standard svn layout with directories for branches, tags, and trunk, at the repository root. depends • subversion • pysvn Changed in version 2014.7.0: The paths to the trunk, branches, and tags have been made configurable, via the config options svnfs_trunk, svnfs_branches, and svnfs_tags. svnfs_mountpoint was also added. Finally, support for per-remote configuration parameters was added. See the documentation for more information. salt.fileserver.svnfs.clear_cache() Completely clear svnfs cache salt.fileserver.svnfs.clear_lock(remote=None) Clear update.lk remote can either be a dictionary containing repo configuration information, or a pattern. If the latter, then remotes for which the URL matches the pattern will be locked. salt.fileserver.svnfs.dir_list(load) Return a list of all directories on the master salt.fileserver.svnfs.envs(ignore_cache=False) Return a list of refs that can be used as environments salt.fileserver.svnfs.file_hash(load, fnd) Return a file hash, the hash type is set in the master config file salt.fileserver.svnfs.file_list(load) Return a list of all files on the file server in a specified environment salt.fileserver.svnfs.file_list_emptydirs(load) Return a list of all empty directories on the master salt.fileserver.svnfs.find_file(path, tgt_env='base', **kwargs) Find the first file to match the path and ref. This operates similarly to the roots file sever but with assumptions of the directory structure based on svn standard practices. salt.fileserver.svnfs.init() Return the list of svn remotes and their configuration information salt.fileserver.svnfs.lock(remote=None) Place an update.lk remote can either be a dictionary containing repo configuration information, or a pattern. If the latter, then remotes for which the URL matches the pattern will be locked. salt.fileserver.svnfs.serve_file(load, fnd) Return a chunk from a file based on the data received salt.fileserver.svnfs.update() Execute an svn update on all of the repos Full list of builtin grains modules ┌────────────┬──────────────────────────────────┐ │chronos │ Generate chronos proxy minion │ │ │ grains. │ ├────────────┼──────────────────────────────────┤ │core │ The static grains, these are the │ │ │ core, or built in grains. │ ├────────────┼──────────────────────────────────┤ │disks │ Detect disks │ ├────────────┼──────────────────────────────────┤ │esxi │ Generate baseline proxy minion │ │ │ grains for ESXi hosts. │ ├────────────┼──────────────────────────────────┤ │extra │ │ ├────────────┼──────────────────────────────────┤ │fx2 │ Generate baseline proxy minion │ │ │ grains for Dell FX2 chassis. │ ├────────────┼──────────────────────────────────┤ │junos │ Grains for junos. │ ├────────────┼──────────────────────────────────┤ │marathon │ Generate marathon proxy minion │ │ │ grains. │ ├────────────┼──────────────────────────────────┤ │mdadm │ Detect MDADM RAIDs │ ├────────────┼──────────────────────────────────┤ │opts │ Simple grain to merge the opts │ │ │ into the grains directly if the │ │ │ grain_opts │ ├────────────┼──────────────────────────────────┤ │philips_hue │ Static grains for the Philips │ │ │ HUE lamps │ ├────────────┼──────────────────────────────────┤ │rest_sample │ Generate baseline proxy minion │ │ │ grains │ └────────────┴──────────────────────────────────┘ salt.grains.chronos Generate chronos proxy minion grains. New in version 2015.8.2. salt.grains.chronos.kernel() salt.grains.chronos.os() salt.grains.chronos.os_data() salt.grains.chronos.os_family() salt.grains.core The static grains, these are the core, or built in grains. When grains are loaded they are not loaded in the same way that modules are loaded, grain functions are detected and executed, the functions MUST return a dict which will be applied to the main grains dict. This module will always be executed first, so that any grains loaded here in the core module can be overwritten just by returning dict keys with the same value as those returned here salt.grains.core.append_domain() Return append_domain if set salt.grains.core.fqdn_ip4() Return a list of ipv4 addrs of fqdn salt.grains.core.fqdn_ip6() Return a list of ipv6 addrs of fqdn salt.grains.core.get_machine_id() Provide the machine-id salt.grains.core.get_master() Provides the minion with the name of its master. This is useful in states to target other services running on the master. salt.grains.core.get_server_id() Provides an integer based on the FQDN of a machine. Useful as server-id in MySQL replication or anywhere else you'll need an ID like this. salt.grains.core.hostname() Return fqdn, hostname, domainname salt.grains.core.hwaddr_interfaces() Provide a dict of the connected interfaces and their hw addresses (Mac Address) salt.grains.core.id_() Return the id salt.grains.core.ip4() Return a list of ipv4 addrs salt.grains.core.ip4_interfaces() Provide a dict of the connected interfaces and their ip4 addresses The addresses will be passed as a list for each interface salt.grains.core.ip6() Return a list of ipv6 addrs salt.grains.core.ip6_interfaces() Provide a dict of the connected interfaces and their ip6 addresses The addresses will be passed as a list for each interface salt.grains.core.ip_interfaces() Provide a dict of the connected interfaces and their ip addresses The addresses will be passed as a list for each interface salt.grains.core.locale_info() Provides defaultlanguage defaultencoding salt.grains.core.os_data() Return grains pertaining to the operating system salt.grains.core.path() Return the path salt.grains.core.pythonexecutable() Return the python executable in use salt.grains.core.pythonpath() Return the Python path salt.grains.core.pythonversion() Return the Python version salt.grains.core.saltpath() Return the path of the salt module salt.grains.core.saltversion() Return the version of salt salt.grains.core.saltversioninfo() Return the version_info of salt New in version 0.17.0. salt.grains.core.zmqversion() Return the zeromq version salt.grains.disks Detect disks salt.grains.disks.disks() Return list of disk devices salt.grains.esxi Generate baseline proxy minion grains for ESXi hosts. ., versionadded:: 2015.8.4 salt.grains.esxi.esxi() salt.grains.esxi.kernel() salt.grains.esxi.os() salt.grains.esxi.os_family() salt.grains.extra salt.grains.extra.config() Return the grains set in the grains file salt.grains.extra.shell() Return the default shell to use on this system salt.grains.fx2 Generate baseline proxy minion grains for Dell FX2 chassis. The challenge is that most of Salt isn't bootstrapped yet, so we need to repeat a bunch of things that would normally happen in proxy/fx2.py--just enough to get data from the chassis to include in grains. salt.grains.fx2.fx2() salt.grains.fx2.kernel() salt.grains.fx2.location() salt.grains.fx2.os_data() salt.grains.fx2.os_family() salt.grains.junos Grains for junos. NOTE this is a little complicated--junos can only be accessed via salt-proxy-minion. Thus, some grains make sense to get them from the minion (PYTHONPATH), but others don't (ip_interfaces) salt.grains.junos.defaults() salt.grains.junos.facts() salt.grains.junos.os_family() salt.grains.marathon Generate marathon proxy minion grains. New in version 2015.8.2. salt.grains.marathon.kernel() salt.grains.marathon.marathon() salt.grains.marathon.os() salt.grains.marathon.os_data() salt.grains.marathon.os_family() salt.grains.mdadm Detect MDADM RAIDs salt.grains.mdadm.mdadm() Return list of mdadm devices salt.grains.opts Simple grain to merge the opts into the grains directly if the grain_opts configuration value is set salt.grains.opts.opts() Return the minion configuration settings salt.grains.philips_hue Static grains for the Philips HUE lamps New in version 2015.8.3. salt.grains.philips_hue.kernel() salt.grains.philips_hue.os() salt.grains.philips_hue.os_family() salt.grains.philips_hue.product() salt.grains.philips_hue.vendor() salt.grains.rest_sample Generate baseline proxy minion grains salt.grains.rest_sample.kernel() salt.grains.rest_sample.location() salt.grains.rest_sample.os() salt.grains.rest_sample.os_data() salt.grains.rest_sample.os_family() Salt code and internals Reference documentation on Salt's internal code. Contents salt.aggregation salt.utils.aggregation This library makes it possible to introspect dataset and aggregate nodes when it is instructed. NOTE: The following examples with be expressed in YAML for convenience's sake: • !aggr-scalar will refer to Scalar python function • !aggr-map will refer to Map python object • !aggr-seq will refer for Sequence python object How to instructs merging This yaml document has duplicate keys: foo: !aggr-scalar first foo: !aggr-scalar second bar: !aggr-map {first: foo} bar: !aggr-map {second: bar} baz: !aggr-scalar 42 but tagged values instruct Salt that overlapping values they can be merged together: foo: !aggr-seq [first, second] bar: !aggr-map {first: foo, second: bar} baz: !aggr-seq [42] Default merge strategy is keep untouched For example, this yaml document still has duplicate keys, but does not instruct aggregation: foo: first foo: second bar: {first: foo} bar: {second: bar} baz: 42 So the late found values prevail: foo: second bar: {second: bar} baz: 42 Limitations Aggregation is permitted between tagged objects that share the same type. If not, the default merge strategy prevails. For example, these examples: foo: {first: value} foo: !aggr-map {second: value} bar: !aggr-map {first: value} bar: 42 baz: !aggr-seq [42] baz: [fail] qux: 42 qux: !aggr-scalar fail are interpreted like this: foo: !aggr-map{second: value} bar: 42 baz: [fail] qux: !aggr-seq [fail] Introspection TODO: write this part salt.utils.aggregation.aggregate(obj_a, obj_b, level=False, map_class=<class 'salt.utils.aggregation.Map'>, sequence_class=<class 'salt.utils.aggregation.Sequence'>) Merge obj_b into obj_a. >>> aggregate('first', 'second', True) == ['first', 'second'] True class salt.utils.aggregation.Aggregate Aggregation base. class salt.utils.aggregation.Map(*args, **kwds) Map aggregation. salt.utils.aggregation.Scalar(obj) Shortcut for Sequence creation >>> Scalar('foo') == Sequence(['foo']) True class salt.utils.aggregation.Sequence Sequence aggregation. Exceptions Salt-specific exceptions should be thrown as often as possible so the various interfaces to Salt (CLI, API, etc) can handle those errors appropriately and display error messages appropriately. ┌────────────────┬──────────────────────────────────┐ │salt.exceptions │ This module is a central │ │ │ location for all salt exceptions │ └────────────────┴──────────────────────────────────┘ salt.exceptions This module is a central location for all salt exceptions exception salt.exceptions.AuthenticationError(message='') If sha256 signature fails during decryption exception salt.exceptions.AuthorizationError(message='') Thrown when runner or wheel execution fails due to permissions exception salt.exceptions.CommandExecutionError(message='') Used when a module runs a command which returns an error and wants to show the user the output gracefully instead of dying exception salt.exceptions.CommandNotFoundError(message='') Used in modules or grains when a required binary is not available exception salt.exceptions.EauthAuthenticationError(message='') Thrown when eauth authentication fails exception salt.exceptions.FileLockError(msg, time_start=None, *args, **kwargs) Used when an error occurs obtaining a file lock exception salt.exceptions.FileserverConfigError(message='') Used when invalid fileserver settings are detected exception salt.exceptions.GitLockError(errno, strerror, *args, **kwargs) Raised when an uncaught error occurs in the midst of obtaining an update/checkout lock in salt.utils.gitfs. NOTE: While this uses the errno param similar to an OSError, this exception class is not as subclass of OSError. This is done intentionally, so that this exception class can be caught in a try/except without being caught as an OSError. exception salt.exceptions.LoaderError(message='') Problems loading the right renderer exception salt.exceptions.MasterExit Rise when the master exits exception salt.exceptions.MinionError(message='') Minion problems reading uris such as salt:// or http:// exception salt.exceptions.NotImplemented(message='') Used when a module runs a command which returns an error and wants to show the user the output gracefully instead of dying exception salt.exceptions.PkgParseError(message='') Used when of the pkg modules cannot correctly parse the output from the CLI tool (pacman, yum, apt, aptitude, etc) exception salt.exceptions.PublishError(message='') Problems encountered when trying to publish a command exception salt.exceptions.SaltCacheError(message='') Thrown when a problem was encountered trying to read or write from the salt cache exception salt.exceptions.SaltClientError(message='') Problem reading the master root key exception salt.exceptions.SaltClientTimeout(msg, jid=None, *args, **kwargs) Thrown when a job sent through one of the Client interfaces times out Takes the jid as a parameter exception salt.exceptions.SaltCloudConfigError(message='') Raised when a configuration setting is not found and should exist. exception salt.exceptions.SaltCloudException(message='') Generic Salt Cloud Exception exception salt.exceptions.SaltCloudExecutionFailure(message='') Raised when too much failures have occurred while querying/waiting for data. exception salt.exceptions.SaltCloudExecutionTimeout(message='') Raised when too much time has passed while querying/waiting for data. exception salt.exceptions.SaltCloudNotFound(message='') Raised when some cloud provider function cannot find what's being searched. exception salt.exceptions.SaltCloudPasswordError(message='') Raise when virtual terminal password input failed exception salt.exceptions.SaltCloudSystemExit(message, exit_code=1) This exception is raised when the execution should be stopped. exception salt.exceptions.SaltDaemonNotRunning(message='') Throw when a running master/minion/syndic is not running but is needed to perform the requested operation (e.g., eauth). exception salt.exceptions.SaltException(message='') Base exception class; all Salt-specific exceptions should subclass this pack() Pack this exception into a serializable dictionary that is safe for transport via msgpack exception salt.exceptions.SaltInvocationError(message='') Used when the wrong number of arguments are sent to modules or invalid arguments are specified on the command line exception salt.exceptions.SaltMasterError(message='') Problem reading the master root key exception salt.exceptions.SaltNoMinionsFound(message='') An attempt to retrieve a list of minions failed exception salt.exceptions.SaltRenderError(message, line_num=None, buf='', marker=' <======================', trace=None) Used when a renderer needs to raise an explicit error. If a line number and buffer string are passed, get_context will be invoked to get the location of the error. exception salt.exceptions.SaltReqTimeoutError(message='') Thrown when a salt master request call fails to return within the timeout exception salt.exceptions.SaltRunnerError(message='') Problem in runner exception salt.exceptions.SaltSyndicMasterError(message='') Problem while proxying a request in the syndication master exception salt.exceptions.SaltSystemExit(code=0, msg=None) This exception is raised when an unsolvable problem is found. There's nothing else to do, salt should just exit. exception salt.exceptions.SaltWheelError(message='') Problem in wheel exception salt.exceptions.TimedProcTimeoutError(message='') Thrown when a timed subprocess does not terminate within the timeout, or if the specified timeout is not an int or a float exception salt.exceptions.TokenAuthenticationError(message='') Thrown when token authentication fails Salt opts dictionary It is very common in the Salt codebase to see opts referred to in a number of contexts. For example, it can be seen as __opts__ in certain cases, or simply as opts as an argument to a function in others. Simply put, this data structure is a dictionary of Salt's runtime configuration information that's passed around in order for functions to know how Salt is configured. When writing Python code to use specific parts of Salt, it may become necessary to initialize a copy of opts from scratch in order to have it available for a given function. To do so, use the utility functions available in salt.config. As an example, here is how one might generate and print an options dictionary for a minion instance: import salt.config opts = salt.config.minion_config('/etc/salt/minion') print(opts) To generate and display opts for a master, the process is similar: import salt.config opts = salt.config.master_config('/etc/salt/master') print(opts) Full list of builtin execution modules Virtual modules salt.modules.pkg pkg is a virtual module that is fulfilled by one of the following modules: • salt.modules.aptpkg • salt.modules.brew • salt.modules.ebuild • salt.modules.freebsdpkg • salt.modules.openbsdpkg • salt.modules.pacman • salt.modules.pkgin • salt.modules.pkgng • salt.modules.pkgutil • salt.modules.solarispkg • salt.modules.win_pkg • salt.modules.yumpkg • salt.modules.zypper ┌─────────────────────┬──────────────────────────────────────────────────────────────┐ │aliases │ Manage the information in the │ │ │ aliases file │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │alternatives │ Support for Alternatives system │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │apache │ Support for Apache │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │aptpkg │ Support for APT (Advanced │ │ │ Packaging Tool) │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │archive │ A module to wrap (non-Windows) │ │ │ archive calls │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │artifactory │ Module for fetching artifacts │ │ │ from Artifactory │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │at │ Wrapper module for at(1) │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │augeas_cfg │ Manages configuration files via │ │ │ augeas │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │aws_sqs │ Support for the Amazon Simple │ │ │ Queue Service. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │bamboohr │ Support for BambooHR │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │beacons │ Module for managing the Salt │ │ │ beacons on a minion │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │bigip │ An execution module which can │ │ │ manipulate an f5 bigip via │ │ │ iControl REST │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │blockdev │ Module for managing block │ │ │ devices │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │bluez │ Support for Bluetooth (using │ │ │ BlueZ in Linux). │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_asg │ Connection module for Amazon │ │ │ Autoscale Groups │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_cfn │ Connection module for Amazon │ │ │ Cloud Formation │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_cloudwatch │ Connection module for Amazon │ │ │ CloudWatch │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_dynamodb │ Connection module for Amazon │ │ │ DynamoDB │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_ec2 │ Connection module for Amazon EC2 │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_elasticache │ Connection module for Amazon │ │ │ Elasticache │ └─────────────────────┴──────────────────────────────────────────────────────────────┘ │boto_elb │ Connection module for Amazon ELB │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_iam │ Connection module for Amazon IAM │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_kms │ Connection module for Amazon KMS │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_rds │ Connection module for Amazon RDS │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_route53 │ Connection module for Amazon │ │ │ Route53 │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_secgroup │ Connection module for Amazon │ │ │ Security Groups │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_sns │ Connection module for Amazon SNS │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_sqs │ Connection module for Amazon SQS │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │boto_vpc │ Connection module for Amazon VPC │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │bower │ Manage and query Bower packages │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │brew │ Homebrew for Mac OS X │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │bridge │ Module for gathering and │ │ │ managing bridging information │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │bsd_shadow │ Manage the password database on │ │ │ BSD systems │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │btrfs │ Module for managing BTRFS file │ │ │ systems. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │cabal │ Manage and query Cabal packages │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │cassandra │ Cassandra NoSQL Database Module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │cassandra_cql │ Cassandra Database Module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │chassis │ Glue execution module to link to │ │ │ the fx2 proxymodule. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │chef │ Execute chef in server or solo │ │ │ mode │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │chocolatey │ A dead simple module wrapping │ │ │ calls to the Chocolatey package │ │ │ manager │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │cloud │ Salt-specific interface for │ │ │ calling Salt Cloud directly │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │cmdmod │ A module for shelling out. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │composer │ Use composer to install PHP │ │ │ dependencies for a directory │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │config │ Return config information │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │consul │ Interact with Consul │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │container_resource │ Common resources for LXC and │ │ │ systemd-nspawn containers │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │cp │ Minion side functions for │ │ │ salt-cp │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │cpan │ Manage Perl modules using CPAN │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │cron │ Work with cron │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │cyg │ Manage cygwin packages. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │daemontools │ daemontools service module. This │ │ │ module will create daemontools │ │ │ type │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │darwin_pkgutil │ Installer support for OS X. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │darwin_sysctl │ Module for viewing and modifying │ │ │ sysctl parameters │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │data │ Manage a local persistent data │ │ │ structure that can hold any │ │ │ arbitrary data │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ddns │ Support for RFC 2136 dynamic DNS │ │ │ updates. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │deb_apache │ Support for Apache │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │deb_postgres │ Module to provide Postgres │ │ │ compatibility to salt for debian │ │ │ family specific tools. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │debbuild │ Debian Package builder system │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │debconfmod │ Support for Debconf │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │debian_ip │ The networking module for Debian │ │ │ based distros │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │debian_service │ Service support for Debian │ │ │ systems (uses update-rc.d and │ │ │ /sbin/service) │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │defaults │ │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │devmap │ Device-Mapper module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │dig │ Compendium of generic DNS │ │ │ utilities. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │disk │ Module for gathering disk │ │ │ information │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │djangomod │ Manage Django sites │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │dnsmasq │ Module for managing dnsmasq │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │dnsutil │ Compendium of generic DNS │ │ │ utilities │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │dockerio │ Management of Docker Containers │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │dockerng │ Management of Docker Containers │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │dpkg │ Support for DEB packages │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │drac │ Manage Dell DRAC │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │dracr │ Manage Dell DRAC. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │drbd │ DRBD administration module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ebuild │ Support for Portage │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │eix │ Support for Eix │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │elasticsearch │ Elasticsearch - A distributed │ │ │ RESTful search and analytics │ │ │ server │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │environ │ Support for getting and setting │ │ │ the environment variables of the │ │ │ current salt process. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │eselect │ Support for eselect, Gentoo's │ │ │ configuration and management │ │ │ tool. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │esxi │ Glues the VMware vSphere │ │ │ Execution Module to the VMware │ │ │ ESXi Proxy Minions to the esxi │ │ │ proxymodule. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │etcd_mod │ Execution module to work with │ │ │ etcd │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │event │ Use the Salt Event System to │ │ │ fire events from the master to │ │ │ the minion and vice-versa. │ └─────────────────────┴──────────────────────────────────────────────────────────────┘ │extfs │ Module for managing ext2/3/4 │ │ │ file systems │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │file │ Manage information about regular │ │ │ files, directories, │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │firewalld │ Support for firewalld. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │freebsd_sysctl │ Module for viewing and modifying │ │ │ sysctl parameters │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │freebsdjail │ The jail module for FreeBSD │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │freebsdkmod │ Module to manage FreeBSD kernel │ │ │ modules │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │freebsdpkg │ Remote package support using │ │ │ pkg_add(1) │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │freebsdports │ Install software from the │ │ │ FreeBSD ports(7) system │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │freebsdservice │ The service module for FreeBSD │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │gem │ Manage ruby gems. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │genesis │ Module for managing container │ │ │ and VM images │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │gentoo_service │ Top level package command │ │ │ wrapper, used to translate the │ │ │ os detected by grains │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │gentoolkitmod │ Support for Gentoolkit │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │git │ Support for the Git SCM │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │glance │ Module for handling openstack │ │ │ glance calls. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │glusterfs │ Manage a glusterfs pool │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │gnomedesktop │ GNOME implementations │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │gpg │ Manage a GPG keychains, add │ │ │ keys, create keys, retrieve keys │ │ │ from keyservers. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │grains │ Return/control aspects of the │ │ │ grains data │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │groupadd │ Manage groups on Linux, OpenBSD │ │ │ and NetBSD │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │grub_legacy │ Support for GRUB Legacy │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │guestfs │ Interact with virtual machine │ │ │ images via libguestfs │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │hadoop │ Support for hadoop │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │haproxyconn │ Support for haproxy │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │hashutil │ A collection of hashing and │ │ │ encoding functions │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │hg │ Support for the Mercurial SCM │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │hipchat │ Module for sending messages to │ │ │ hipchat. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │hosts │ Manage the information in the │ │ │ hosts file │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │htpasswd │ Support for htpasswd command. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │http │ Module for making various web │ │ │ calls. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ifttt │ Support for IFTTT │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ilo │ Manage HP ILO │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │img │ Virtual machine image management │ │ │ tools │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │incron │ Work with incron │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │influx │ InfluxDB - A distributed time │ │ │ series database │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ini_manage │ Edit ini files │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │inspectlib │ │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │introspect │ Functions to perform │ │ │ introspection on a minion, and │ │ │ return data in a format │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ipmi │ Support IPMI commands over LAN. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ipset │ Support for ipset │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │iptables │ Support for iptables │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │jboss7 │ Module for managing JBoss AS 7 │ │ │ through the CLI interface. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │jboss7_cli │ Module for low-level interaction │ │ │ with JbossAS7 through CLI. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │junos │ Module for interfacing to Junos │ │ │ devices │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │kerberos │ Manage Kerberos KDC │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │key │ Functions to view the minion's │ │ │ public key information │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │keyboard │ Module for managing keyboards on │ │ │ supported POSIX-like systems │ │ │ using systemd, or such as │ │ │ Redhat, Debian and Gentoo. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │keystone │ Module for handling openstack │ │ │ keystone calls. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │kmod │ Module to manage Linux kernel │ │ │ modules │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │launchctl │ Module for the management of │ │ │ MacOS systems that use │ │ │ launchd/launchctl │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │layman │ Support for Layman │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ldapmod │ Salt interface to LDAP commands │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │linux_acl │ Support for Linux File Access │ │ │ Control Lists │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │linux_lvm │ Support for Linux LVM2 │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │linux_sysctl │ Module for viewing and modifying │ │ │ sysctl parameters │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │localemod │ Module for managing locales on │ │ │ POSIX-like systems. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │locate │ Module for using the locate │ │ │ utilities │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │logadm │ Module for managing Solaris │ │ │ logadm based log rotations. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │logrotate │ Module for managing logrotate. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │lvs │ Support for LVS (Linux Virtual │ │ │ Server) │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │lxc │ Control Linux Containers via │ │ │ Salt │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │mac_group │ Manage groups on Mac OS 10.7+ │ └─────────────────────┴──────────────────────────────────────────────────────────────┘ │mac_user │ Manage users on Mac OS 10.7+ │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │macports │ Support for MacPorts under Mac │ │ │ OSX. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │makeconf │ Support for modifying make.conf │ │ │ under Gentoo │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │match │ The match module allows for │ │ │ match routines to be run and │ │ │ determine target specs │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │mdadm │ Salt module to manage RAID │ │ │ arrays with mdadm │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │memcached │ Module for Management of │ │ │ Memcached Keys │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │mine │ The function cache system allows │ │ │ for data to be stored on the │ │ │ master so it can be easily read │ │ │ by other minions │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │mod_random │ Provides access to randomness │ │ │ generators. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │modjk │ Control Modjk via the Apache │ │ │ Tomcat "Status" worker │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │mongodb │ Module to provide MongoDB │ │ │ functionality to Salt │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │monit │ Monit service module. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │moosefs │ Module for gathering and │ │ │ managing information about │ │ │ MooseFS │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │mount │ Salt module to manage Unix │ │ │ mounts and the fstab file │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │mssql │ Module to provide MS SQL Server │ │ │ compatibility to salt. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │munin │ Run munin plugins/checks from │ │ │ salt and format the output as │ │ │ data. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │mysql │ Module to provide MySQL │ │ │ compatibility to salt. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │nacl │ This module helps include │ │ │ encrypted passwords in pillars, │ │ │ grains and salt state files. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │nagios │ Run nagios plugins/checks from │ │ │ salt and get the return as data. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │nagios_rpc │ Check Host & Service status from │ │ │ Nagios via JSON RPC. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │netbsd_sysctl │ Module for viewing and modifying │ │ │ sysctl parameters │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │netbsdservice │ The service module for NetBSD │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │netscaler │ Module to provide Citrix │ │ │ Netscaler compatibility to Salt │ │ │ (compatible with netscaler 9.2+) │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │network │ Module for gathering and │ │ │ managing network information │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │neutron │ Module for handling OpenStack │ │ │ Neutron calls │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │nfs3 │ Module for managing NFS version │ │ │ 3. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │nftables │ Support for nftables │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │nginx │ Support for nginx │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │node │ Module for full system │ │ │ inspection. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │nova │ Module for handling OpenStack │ │ │ Nova calls │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │npm │ Manage and query NPM packages. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │nspawn │ Manage nspawn containers │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │omapi │ This module interacts with an │ │ │ ISC DHCP Server via OMAPI. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │openbsd_sysctl │ Module for viewing and modifying │ │ │ OpenBSD sysctl parameters │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │openbsdpkg │ Package support for OpenBSD │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │openbsdrcctl │ The rcctl service module for │ │ │ OpenBSD │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │openbsdservice │ The service module for OpenBSD │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │openstack_config │ Modify, retrieve, or delete │ │ │ values from OpenStack │ │ │ configuration files. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │oracle │ Oracle DataBase connection │ │ │ module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │osquery │ Support for OSQuery - │ │ │ https://osquery.io. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │osxdesktop │ Mac OS X implementations of │ │ │ various commands in the │ │ │ "desktop" interface │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pacman │ A module to wrap pacman calls, │ │ │ since Arch is the best │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pagerduty │ Module for Firing Events via │ │ │ PagerDuty │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pagerduty_util │ Module for manageing PagerDuty │ │ │ resource │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pam │ Support for pam │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │parted │ Module for managing partitions │ │ │ on POSIX-like systems. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pecl │ Manage PHP pecl extensions. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pillar │ Extract the pillar data for this │ │ │ minion │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pip │ Install Python packages with pip │ │ │ to either the system or a │ │ │ virtualenv │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pkg_resource │ Resources needed by pkg │ │ │ providers │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pkgin │ Package support for pkgin based │ │ │ systems, inspired from │ │ │ freebsdpkg module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pkgng │ Support for pkgng, the new │ │ │ package manager for FreeBSD │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pkgutil │ Pkgutil support for Solaris │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │portage_config │ Configure portage(5) │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │postfix │ Support for Postfix │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │postgres │ Module to provide Postgres │ │ │ compatibility to salt. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │poudriere │ Support for poudriere │ └─────────────────────┴──────────────────────────────────────────────────────────────┘ │powerpath │ powerpath support. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ps │ A salt interface to psutil, a │ │ │ system and process library. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │publish │ Publish a command from a minion │ │ │ to a target │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │puppet │ Execute puppet routines │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pushover_notify │ Module for sending messages to │ │ │ Pushover (‐ │ │ │ https://www.pushover.net) │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pw_group │ Manage groups on FreeBSD │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pw_user │ Manage users with the useradd │ │ │ command │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │pyenv │ Manage python installations with │ │ │ pyenv. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │qemu_img │ Qemu-img Command Wrapper │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │qemu_nbd │ Qemu Command Wrapper │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │quota │ Module for managing quotas on │ │ │ POSIX-like systems. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rabbitmq │ Module to provide RabbitMQ │ │ │ compatibility to Salt. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │raet_publish │ Publish a command from a minion │ │ │ to a target │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rallydev │ Support for RallyDev │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │random_org │ Module for retrieving random │ │ │ information from Random.org │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rbenv │ Manage ruby installations with │ │ │ rbenv. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rdp │ Manage RDP Service on Windows │ │ │ servers │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │redismod │ Module to provide redis │ │ │ functionality to Salt │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │reg │ │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rest_package │ Package support for the REST │ │ │ example │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rest_service │ Provide the service module for │ │ │ the proxy-minion REST sample │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ret │ Module to integrate with the │ │ │ returner system and retrieve │ │ │ data sent to a salt returner │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rh_ip │ The networking module for │ │ │ RHEL/Fedora based distros │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rh_service │ Service support for RHEL-based │ │ │ systems, including support for │ │ │ both upstart and sysvinit │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │riak │ Riak Salt Module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rpm │ Support for rpm │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rpmbuild │ RPM Package builder system │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rsync │ Wrapper for rsync │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │runit │ runit service module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │rvm │ Manage ruby installations and │ │ │ gemsets with RVM, the Ruby │ │ │ Version Manager. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │s3 │ Connection module for Amazon S3 │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │saltcloudmod │ Control a salt cloud system │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │saltutil │ The Saltutil module is used to │ │ │ manage the state of the salt │ │ │ minion itself. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │schedule │ Module for managing the Salt │ │ │ schedule on a minion │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │scsi │ SCSI administration module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │sdb │ Module for Manipulating Data via │ │ │ the Salt DB API │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │seed │ Virtual machine image management │ │ │ tools │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │selinux │ Execute calls on selinux │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │sensors │ Read lm-sensors │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │serverdensity_device │ Wrapper around Server Density │ │ │ API │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │service │ The default service module, if │ │ │ not otherwise specified salt │ │ │ will fall back │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │shadow │ Manage the shadow file │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │slack_notify │ Module for sending messages to │ │ │ Slack │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │slsutil │ Utility functions for use with │ │ │ or in SLS files │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │smartos_imgadm │ Module for running imgadm │ │ │ command on SmartOS │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │smartos_virt │ Module for managing VMs on │ │ │ SmartOS │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │smartos_vmadm │ Module for running vmadm command │ │ │ on SmartOS │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │smbios │ Interface to SMBIOS/DMI │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │smf │ Service support for Solaris 10 │ │ │ and 11, should work with other │ │ │ systems that use SMF also. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │smtp │ Module for Sending Messages via │ │ │ SMTP │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │softwareupdate │ Support for the softwareupdate │ │ │ command on MacOS. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │solaris_group │ Manage groups on Solaris │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │solaris_shadow │ Manage the password database on │ │ │ Solaris systems │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │solaris_user │ Manage users with the useradd │ │ │ command │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │solarisips │ IPS pkg support for Solaris │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │solarispkg │ Package support for Solaris │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │solr │ Apache Solr Salt Module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │splay │ Splay function calls across │ │ │ targeted minions │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │splunk_search │ Module for interop with the │ │ │ Splunk API │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │sqlite3 │ Support for SQLite3 │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ssh │ Manage client ssh components │ └─────────────────────┴──────────────────────────────────────────────────────────────┘ │state │ Control the state system on the │ │ │ minion. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │status │ Module for returning various │ │ │ status data about a minion. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │stormpath │ Support for Stormpath │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │sudo │ Allow for the calling of │ │ │ execution modules via sudo. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │supervisord │ Provide the service module for │ │ │ system supervisord or │ │ │ supervisord in a │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │svn │ Subversion SCM │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │swift │ Module for handling OpenStack │ │ │ Swift calls │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │sysbench │ The 'sysbench' module is used to │ │ │ analyze the performance of the │ │ │ minions, right from the master! │ │ │ It measures various system │ │ │ parameters such as CPU, Memory, │ │ │ File I/O, Threads and Mutex. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │syslog_ng │ Module for getting information │ │ │ about syslog-ng │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │sysmod │ The sys module provides │ │ │ information about the available │ │ │ functions on the minion │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │sysrc │ sysrc module for FreeBSD │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │system │ Support for reboot, shutdown, │ │ │ etc │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │system_profiler │ System Profiler Module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │systemd │ Provide the service module for │ │ │ systemd │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │temp │ Simple module for creating │ │ │ temporary directories and files │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │test │ Module for running arbitrary │ │ │ tests │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │test_virtual │ Module for running arbitrary │ │ │ tests with a __virtual__ │ │ │ function │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │timezone │ Module for managing timezone on │ │ │ POSIX-like systems. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │tls │ A salt module for SSL/TLS. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │tomcat │ Support for Tomcat │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │trafficserver │ Apache Traffic Server execution │ │ │ module. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │tuned │ Interface to Red Hat tuned-adm │ │ │ module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │twilio_notify │ Module for notifications via │ │ │ Twilio │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │udev │ Manage and query udev info │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │upstart │ Module for the management of │ │ │ upstart systems. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │uptime │ Wrapper around uptime API │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │useradd │ Manage users with the useradd │ │ │ command │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │uwsgi │ uWSGI stats server │ │ │ http://uwsgi-docs.readthedocs.org/en/latest/StatsServer.html │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │varnish │ Support for Varnish │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │vbox_guest │ VirtualBox Guest Additions installer │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │victorops │ Support for VictorOps │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │virt │ Work with virtual machines managed by libvirt │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │virtualenv_mod │ Create virtualenv environments. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │vsphere │ Manage VMware vCenter servers and ESXi hosts. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_autoruns │ Module for listing programs that automatically run on │ │ │ startup │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_dacl │ Manage DACLs on Windows │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_disk │ Module for gathering disk information on Windows │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_dns_client │ Module for configuring DNS Client on Windows systems │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_file │ Manage information about files on the minion, set/read user, │ │ │ group │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_firewall │ Module for configuring Windows Firewall │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_groupadd │ Manage groups on Windows │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_ip │ The networking module for Windows based systems │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_network │ Module for gathering and managing network information │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_ntp │ Management of NTP servers on Windows │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_path │ Manage the Windows System PATH │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_pkg │ A module to manage software on Windows │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_powercfg │ This module allows you to control the power settings of a │ │ │ windows minion via powercfg. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_repo │ Module to manage Windows software repo on a Standalone │ │ │ Minion │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_servermanager │ Manage Windows features via the ServerManager powershell │ │ │ module │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_service │ Windows Service module. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_shadow │ Manage the shadow file │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_status │ Module for returning various status data about a minion. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_system │ Module for managing windows systems. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_timezone │ Module for managing timezone on Windows systems. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_update │ Module for running windows updates. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_useradd │ Module for managing Windows Users │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │win_wua │ Module for managing Windows Updates using the Windows Update │ │ │ Agent. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │x509 │ Manage X509 certificates │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │xapi │ This module (mostly) uses the XenAPI to manage Xen virtual │ │ │ machines. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │xfs │ Module for managing XFS file systems. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │xmpp │ Module for Sending Messages via XMPP (a.k.a. │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │yumpkg │ Support for YUM/DNF │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │zcbuildout │ Management of zc.buildout │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │zfs │ Salt interface to ZFS commands │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │zk_concurrency │ Concurrency controls in zookeeper │ └─────────────────────┴──────────────────────────────────────────────────────────────┘ │znc │ znc - An advanced IRC bouncer │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │zpool │ Module for running ZFS zpool command │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │zypper │ Package support for openSUSE via the zypper package manager │ └─────────────────────┴──────────────────────────────────────────────────────────────┘ salt.modules.aliases Manage the information in the aliases file salt.modules.aliases.get_target(alias) Return the target associated with an alias CLI Example: salt '*' aliases.get_target alias salt.modules.aliases.has_target(alias, target) Return true if the alias/target is set CLI Example: salt '*' aliases.has_target alias target salt.modules.aliases.list_aliases() Return the aliases found in the aliases file in this format: {'alias': 'target'} CLI Example: salt '*' aliases.list_aliases salt.modules.aliases.rm_alias(alias) Remove an entry from the aliases file CLI Example: salt '*' aliases.rm_alias alias salt.modules.aliases.set_target(alias, target) Set the entry in the aliases file for the given alias, this will overwrite any previous entry for the given alias or create a new one if it does not exist. CLI Example: salt '*' aliases.set_target alias target salt.modules.alternatives Support for Alternatives system codeauthor Radek Rada <radek.rada@gmail.com> salt.modules.alternatives.auto(name) Trigger alternatives to set the path for <name> as specified by priority. CLI Example: salt '*' alternatives.auto name salt.modules.alternatives.check_exists(name, path) Check if the given path is an alternative for a name. New in version 2015.8.4. CLI Example: salt '*' alternatives.check_exists name path salt.modules.alternatives.check_installed(name, path) Check if the current highest-priority match for a given alternatives link is set to the desired path CLI Example: salt '*' alternatives.check_installed name path salt.modules.alternatives.display(name) Display alternatives settings for defined command name CLI Example: salt '*' alternatives.display editor salt.modules.alternatives.install(name, link, path, priority) Install symbolic links determining default commands CLI Example: salt '*' alternatives.install editor /usr/bin/editor /usr/bin/emacs23 50 salt.modules.alternatives.remove(name, path) Remove symbolic links determining the default commands. CLI Example: salt '*' alternatives.remove name path salt.modules.alternatives.set(name, path) Manually set the alternative <path> for <name>. CLI Example: salt '*' alternatives.set name path salt.modules.alternatives.show_current(name) Display the current highest-priority alternative for a given alternatives link CLI Example: salt '*' alternatives.show_current editor salt.modules.apache Support for Apache NOTE: The functions in here are generic functions designed to work with all implementations of Apache. Debian-specific functions have been moved into deb_apache.py, but will still load under the apache namespace when a Debian-based system is detected. salt.modules.apache.config(name, config, edit=True) Create VirtualHost configuration files name File for the virtual host config VirtualHost configurations NOTE: This function is not meant to be used from the command line. Config is meant to be an ordered dict of all of the apache configs. CLI Example: salt '*' apache.config /etc/httpd/conf.d/ports.conf config="[{'Listen': '22'}]" salt.modules.apache.directives() Return list of directives together with expected arguments and places where the directive is valid (apachectl -L) CLI Example: salt '*' apache.directives salt.modules.apache.fullversion() Return server version (apachectl -V) CLI Example: salt '*' apache.fullversion salt.modules.apache.modules() Return list of static and shared modules (apachectl -M) CLI Example: salt '*' apache.modules salt.modules.apache.server_status(profile='default') Get Information from the Apache server-status handler NOTE: The server-status handler is disabled by default. In order for this function to work it needs to be enabled. See http://httpd.apache.org/docs/2.2/mod/mod_status.html The following configuration needs to exists in pillar/grains. Each entry nested in apache.server-status is a profile of a vhost/server. This would give support for multiple apache servers/vhosts. apache.server-status: default: url: http://localhost/server-status user: someuser pass: password realm: 'authentication realm for digest passwords' timeout: 5 CLI Examples: salt '*' apache.server_status salt '*' apache.server_status other-profile salt.modules.apache.servermods() Return list of modules compiled into the server (apachectl -l) CLI Example: salt '*' apache.servermods salt.modules.apache.signal(signal=None) Signals httpd to start, restart, or stop. CLI Example: salt '*' apache.signal restart salt.modules.apache.useradd(pwfile, user, password, opts='') Add HTTP user using the htpasswd command. If the htpasswd file does not exist, it will be created. Valid options that can be passed are: n Don't update file; display results on stdout. m Force MD5 hashing of the password (default). d Force CRYPT(3) hashing of the password. p Do not hash the password (plaintext). s Force SHA1 hashing of the password. CLI Examples: salt '*' apache.useradd /etc/httpd/htpasswd larry badpassword salt '*' apache.useradd /etc/httpd/htpasswd larry badpass opts=ns salt.modules.apache.userdel(pwfile, user) Delete HTTP user from the specified htpasswd file. CLI Example: salt '*' apache.userdel /etc/httpd/htpasswd larry salt.modules.apache.version() Return server version (apachectl -v) CLI Example: salt '*' apache.version salt.modules.apache.vhosts() Show the settings as parsed from the config file (currently only shows the virtualhost settings) (apachectl -S). Because each additional virtual host adds to the execution time, this command may require a long timeout be specified by using -t 10. CLI Example: salt -t 10 '*' apache.vhosts salt.modules.aptpkg Support for APT (Advanced Packaging Tool) NOTE: For virtual package support, either the python-apt or dctrl-tools package must be installed. For repository management, the python-apt package must be installed. salt.modules.aptpkg.autoremove(list_only=False, purge=False) New in version 2015.5.0. Remove packages not required by another package using apt-get autoremove. list_only False Only retrieve the list of packages to be auto-removed, do not actually perform the auto-removal. purge False Also remove package config data when autoremoving packages. New in version 2015.8.0. CLI Example: salt '*' pkg.autoremove salt '*' pkg.autoremove list_only=True salt '*' pkg.autoremove purge=True salt.modules.aptpkg.del_repo(repo, **kwargs) Delete a repo from the sources.list / sources.list.d If the .list file is in the sources.list.d directory and the file that the repo exists in does not contain any other repo configuration, the file itself will be deleted. The repo passed in must be a fully formed repository definition string. CLI Examples: salt '*' pkg.del_repo "myrepo definition" salt.modules.aptpkg.del_repo_key(name=None, **kwargs) New in version 2015.8.0. Remove a repo key using apt-key del name Repo from which to remove the key. Unnecessary if keyid is passed. keyid The KeyID of the GPG key to remove keyid_ppa False If set to True, the repo's GPG key ID will be looked up from ppa.launchpad.net and removed. NOTE: Setting this option to True requires that the name param also be passed. CLI Examples: salt '*' pkg.del_repo_key keyid=0123ABCD salt '*' pkg.del_repo_key name='ppa:foo/bar' keyid_ppa=True salt.modules.aptpkg.expand_repo_def(repokwargs) Take a repository definition and expand it to the full pkg repository dict that can be used for comparison. This is a helper function to make the Debian/Ubuntu apt sources sane for comparison in the pkgrepo states. There is no use to calling this function via the CLI. salt.modules.aptpkg.file_dict(*packages) List the files that belong to a package, grouped by package. Not specifying any packages will return a list of _every_ file on the system's package database (not generally recommended). CLI Examples: salt '*' pkg.file_list httpd salt '*' pkg.file_list httpd postfix salt '*' pkg.file_list salt.modules.aptpkg.file_list(*packages) List the files that belong to a package. Not specifying any packages will return a list of _every_ file on the system's package database (not generally recommended). CLI Examples: salt '*' pkg.file_list httpd salt '*' pkg.file_list httpd postfix salt '*' pkg.file_list salt.modules.aptpkg.get_repo(repo, **kwargs) Display a repo from the sources.list / sources.list.d The repo passed in needs to be a complete repo entry. CLI Examples: salt '*' pkg.get_repo "myrepo definition" salt.modules.aptpkg.get_selections(pattern=None, state=None) View package state from the dpkg database. Returns a dict of dicts containing the state, and package names: {'<host>': {'<state>': ['pkg1', ... ] }, ... } CLI Example: salt '*' pkg.get_selections salt '*' pkg.get_selections 'python-*' salt '*' pkg.get_selections state=hold salt '*' pkg.get_selections 'openssh*' state=hold salt.modules.aptpkg.hold(name=None, pkgs=None, sources=None, **kwargs) New in version 2014.7.0. Set package in 'hold' state, meaning it will not be upgraded. name The name of the package, e.g., 'tmux' CLI Example: salt '*' pkg.hold <package name> pkgs A list of packages to hold. Must be passed as a python list. CLI Example: salt '*' pkg.hold pkgs='["foo", "bar"]' salt.modules.aptpkg.info_installed(*names) Return the information of the named package(s) installed on the system. New in version 2015.8.1. names The names of the packages for which to return information. CLI example: salt '*' pkg.info_installed <package1> salt '*' pkg.info_installed <package1> <package2> <package3> ... salt.modules.aptpkg.install(name=None, refresh=False, fromrepo=None, skip_verify=False, debconf=None, pkgs=None, sources=None, reinstall=False, **kwargs) Install the passed package, add refresh=True to update the dpkg database. name The name of the package to be installed. Note that this parameter is ignored if either "pkgs" or "sources" is passed. Additionally, please note that this option can only be used to install packages from a software repository. To install a package file manually, use the "sources" option. 32-bit packages can be installed on 64-bit systems by appending the architecture designation (:i386, etc.) to the end of the package name. CLI Example: salt '*' pkg.install <package name> refresh Whether or not to refresh the package database before installing. fromrepo Specify a package repository to install from (e.g., apt-get -t unstable install somepackage) skip_verify Skip the GPG verification check (e.g., --allow-unauthenticated, or --force-bad-verify for install from package file). debconf Provide the path to a debconf answers file, processed before installation. version Install a specific version of the package, e.g. 1.2.3~0ubuntu0. Ignored if "pkgs" or "sources" is passed. reinstall False Specifying reinstall=True will use apt-get install --reinstall rather than simply apt-get install for requested packages that are already installed. If a version is specified with the requested package, then apt-get install --reinstall will only be used if the installed version matches the requested version. New in version 2015.8.0. Multiple Package Installation Options: pkgs A list of packages to install from a software repository. Must be passed as a python list. CLI Example: salt '*' pkg.install pkgs='["foo", "bar"]' salt '*' pkg.install pkgs='["foo", {"bar": "1.2.3-0ubuntu0"}]' sources A list of DEB packages to install. Must be passed as a list of dicts, with the keys being package names, and the values being the source URI or local path to the package. Dependencies are automatically resolved and marked as auto-installed. 32-bit packages can be installed on 64-bit systems by appending the architecture designation (:i386, etc.) to the end of the package name. Changed in version 2014.7.0. CLI Example: salt '*' pkg.install sources='[{"foo": "salt://foo.deb"},{"bar": "salt://bar.deb"}]' force_yes Passes --force-yes to the apt-get command. Don't use this unless you know what you're doing. New in version 0.17.4. install_recommends Whether to install the packages marked as recommended. Default is True. New in version 2015.5.0. only_upgrade Only upgrade the packages, if they are already installed. Default is False. New in version 2015.5.0. force_conf_new Always install the new version of any configuration files. New in version 2015.8.0. Returns a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} salt.modules.aptpkg.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation. If more than one package name is specified, a dict of name/version pairs is returned. If the latest version of a given package is already installed, an empty string will be returned for that package. A specific repo can be requested using the fromrepo keyword argument. CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package name> fromrepo=unstable salt '*' pkg.latest_version <package1> <package2> <package3> ... salt.modules.aptpkg.list_pkgs(versions_as_list=False, removed=False, purge_desired=False, **kwargs) List the packages currently installed in a dict: {'<package_name>': '<version>'} removed If True, then only packages which have been removed (but not purged) will be returned. purge_desired If True, then only packages which have been marked to be purged, but can't be purged due to their status as dependencies for other installed packages, will be returned. Note that these packages will appear in installed Changed in version 2014.1.1: Packages in this state now correctly show up in the output of this function. NOTE: External dependencies Virtual package resolution requires the dctrl-tools package to be installed. Virtual packages will show a version of 1. CLI Example: salt '*' pkg.list_pkgs salt '*' pkg.list_pkgs versions_as_list=True salt.modules.aptpkg.list_repos() Lists all repos in the sources.list (and sources.lists.d) files CLI Example: salt '*' pkg.list_repos salt '*' pkg.list_repos disabled=True salt.modules.aptpkg.list_upgrades(refresh=True, dist_upgrade=True) List all available package upgrades. refresh Whether to refresh the package database before listing upgrades. Default: True. dist_upgrade Whether to list the upgrades using dist-upgrade vs upgrade. Default is to use dist-upgrade. CLI Example: salt '*' pkg.list_upgrades salt.modules.aptpkg.mod_repo(repo, saltenv='base', **kwargs) Modify one or more values for a repo. If the repo does not exist, it will be created, so long as the definition is well formed. For Ubuntu the ppa:<project>/repo format is acceptable. ppa: format can only be used to create a new repository. The following options are available to modify a repo definition: comps a comma separated list of components for the repo, e.g. main file a file name to be used keyserver keyserver to get gpg key from keyid key id to load with the keyserver argument key_url URL to a GPG key to add to the APT GPG keyring consolidate if True, will attempt to de-dup and consolidate sources NOTE: Due to the way keys are stored for APT, there is a known issue where the key won't be updated unless another change is made at the same time. Keys should be properly added on initial configuration. CLI Examples: salt '*' pkg.mod_repo 'myrepo definition' uri=http://new/uri salt '*' pkg.mod_repo 'myrepo definition' comps=main,universe salt.modules.aptpkg.owner(*paths) New in version 2014.7.0. Return the name of the package that owns the file. Multiple file paths can be passed. Like pkg.version, if a single path is passed, a string will be returned, and if multiple paths are passed, a dictionary of file/package name pairs will be returned. If the file is not owned by a package, or is not present on the minion, then an empty string will be returned for that path. CLI Example: salt '*' pkg.owner /usr/bin/apachectl salt '*' pkg.owner /usr/bin/apachectl /usr/bin/basename salt.modules.aptpkg.purge(name=None, pkgs=None, **kwargs) Remove packages via apt-get purge along with all configuration files. name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.purge <package name> salt '*' pkg.purge <package1>,<package2>,<package3> salt '*' pkg.purge pkgs='["foo", "bar"]' salt.modules.aptpkg.refresh_db() Updates the APT database to latest packages based upon repositories Returns a dict, with the keys being package databases and the values being the result of the update attempt. Values can be one of the following: • True: Database updated successfully • False: Problem updating database • None: Database already up-to-date CLI Example: salt '*' pkg.refresh_db salt.modules.aptpkg.remove(name=None, pkgs=None, **kwargs) Remove packages using apt-get remove. name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.aptpkg.set_selections(path=None, selection=None, clear=False, saltenv='base') Change package state in the dpkg database. The state can be any one of, documented in dpkg(1): • install • hold • deinstall • purge This command is commonly used to mark specific packages to be held from being upgraded, that is, to be kept at a certain version. When a state is changed to anything but being held, then it is typically followed by apt-get -u dselect-upgrade. Note: Be careful with the clear argument, since it will start with setting all packages to deinstall state. Returns a dict of dicts containing the package names, and the new and old versions: {'<host>': {'<package>': {'new': '<new-state>', 'old': '<old-state>'} }, ... } CLI Example: salt '*' pkg.set_selections selection='{"install": ["netcat"]}' salt '*' pkg.set_selections selection='{"hold": ["openssh-server", "openssh-client"]}' salt '*' pkg.set_selections salt://path/to/file salt '*' pkg.set_selections salt://path/to/file clear=True salt.modules.aptpkg.unhold(name=None, pkgs=None, sources=None, **kwargs) New in version 2014.7.0. Set package current in 'hold' state to install state, meaning it will be upgraded. name The name of the package, e.g., 'tmux' CLI Example: salt '*' pkg.unhold <package name> pkgs A list of packages to hold. Must be passed as a python list. CLI Example: salt '*' pkg.unhold pkgs='["foo", "bar"]' salt.modules.aptpkg.upgrade(refresh=True, dist_upgrade=False, **kwargs) Upgrades all packages via apt-get upgrade or apt-get dist-upgrade if dist_upgrade is True. Returns a dict containing the changes: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} dist_upgrade Whether to perform the upgrade using dist-upgrade vs upgrade. Default is to use upgrade. New in version 2014.7.0. force_conf_new Always install the new version of any configuration files. New in version 2015.8.0. CLI Example: salt '*' pkg.upgrade salt.modules.aptpkg.upgrade_available(name) Check whether or not an upgrade is available for a given package CLI Example: salt '*' pkg.upgrade_available <package name> salt.modules.aptpkg.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.aptpkg.version_cmp(pkg1, pkg2) Do a cmp-style comparison on two packages. Return -1 if pkg1 < pkg2, 0 if pkg1 == pkg2, and 1 if pkg1 > pkg2. Return None if there was a problem making the comparison. CLI Example: salt '*' pkg.version_cmp '0.2.4-0ubuntu1' '0.2.4.1-0ubuntu1' salt.modules.archive A module to wrap (non-Windows) archive calls New in version 2014.1.0. salt.modules.archive.cmd_unzip(zip_file, dest, excludes=None, template=None, options=None, runas=None) New in version 2015.5.0: In versions 2014.7.x and earlier, this function was known as archive.unzip. Uses the unzip command to unpack zip files. This command is part of the Info-ZIP suite of tools, and is typically packaged as simply unzip. zip_file Path of zip file to be unpacked dest The destination directory into which the file should be unpacked excludes None Comma-separated list of files not to unpack. Can also be passed in a Python list. template None Can be set to 'jinja' or another supported template engine to render the command arguments before execution: salt '*' archive.cmd_unzip template=jinja /tmp/zipfile.zip /tmp/{{grains.id}}/ excludes=file_1,file_2 options None Additional command-line options to pass to the unzip binary. Changed in version 2015.8.0: The mandatory - prefixing has been removed. An options string beginning with a --long-option, would have uncharacteristically needed its first - removed under the former scheme. runas None Unpack the zip file as the specified user. Defaults to the user under which the minion is running. New in version 2015.5.0. CLI Example: salt '*' archive.cmd_unzip /tmp/zipfile.zip /home/strongbad/ excludes=file_1,file_2 salt.modules.archive.cmd_zip(zip_file, sources, template=None, cwd=None, runas=None) New in version 2015.5.0: In versions 2014.7.x and earlier, this function was known as archive.zip. Uses the zip command to create zip files. This command is part of the Info-ZIP suite of tools, and is typically packaged as simply zip. zip_file Path of zip file to be created sources Comma-separated list of sources to include in the zip file. Sources can also be passed in a Python list. template None Can be set to 'jinja' or another supported template engine to render the command arguments before execution: salt '*' archive.cmd_zip template=jinja /tmp/zipfile.zip /tmp/sourcefile1,/tmp/{{grains.id}}.txt cwd None Use this argument along with relative paths in sources to create zip files which do not contain the leading directories. If not specified, the zip file will be created as if the cwd was /, and creating a zip file of /foo/bar/baz.txt will contain the parent directories foo and bar. To create a zip file containing just baz.txt, the following command would be used: salt '*' archive.cmd_zip /tmp/baz.zip baz.txt cwd=/foo/bar New in version 2014.7.1. runas None Create the zip file as the specified user. Defaults to the user under which the minion is running. New in version 2015.5.0. CLI Example: salt '*' archive.cmd_zip /tmp/zipfile.zip /tmp/sourcefile1,/tmp/sourcefile2 salt.modules.archive.gunzip(gzipfile, template=None, runas=None) Uses the gunzip command to unpack gzip files template None Can be set to 'jinja' or another supported template engine to render the command arguments before execution: salt '*' archive.gunzip template=jinja /tmp/{{grains.id}}.txt.gz CLI Example: # Create /tmp/sourcefile.txt salt '*' archive.gunzip /tmp/sourcefile.txt.gz salt.modules.archive.gzip(sourcefile, template=None, runas=None) Uses the gzip command to create gzip files template None Can be set to 'jinja' or another supported template engine to render the command arguments before execution: salt '*' archive.gzip template=jinja /tmp/{{grains.id}}.txt CLI Example: # Create /tmp/sourcefile.txt.gz salt '*' archive.gzip /tmp/sourcefile.txt salt.modules.archive.rar(rarfile, sources, template=None, cwd=None, runas=None) Uses rar for Linux to create rar files rarfile Path of rar file to be created sources Comma-separated list of sources to include in the rar file. Sources can also be passed in a Python list. cwd None Run the rar command from the specified directory. Use this argument along with relative file paths to create rar files which do not contain the leading directories. If not specified, this will default to the home directory of the user under which the salt minion process is running. New in version 2014.7.1. template None Can be set to 'jinja' or another supported template engine to render the command arguments before execution: salt '*' archive.rar template=jinja /tmp/rarfile.rar '/tmp/sourcefile1,/tmp/{{grains.id}}.txt' CLI Example: salt '*' archive.rar /tmp/rarfile.rar /tmp/sourcefile1,/tmp/sourcefile2 salt.modules.archive.tar(options, tarfile, sources=None, dest=None, cwd=None, template=None, runas=None) NOTE: This function has changed for version 0.17.0. In prior versions, the cwd and template arguments must be specified, with the source directories/files coming as a space-separated list at the end of the command. Beginning with 0.17.0, sources must be a comma-separated list, and the cwd and template arguments are optional. Uses the tar command to pack, unpack, etc. tar files options Options to pass to the tar command Changed in version 2015.8.0: The mandatory - prefixing has been removed. An options string beginning with a --long-option, would have uncharacteristically needed its first - removed under the former scheme. Also, tar will parse its options differently if short options are used with or without a preceding -, so it is better to not confuse the user into thinking they're using the non-- format, when really they are using the with-- format. tarfile The filename of the tar archive to pack/unpack sources Comma delimited list of files to pack into the tarfile. Can also be passed as a Python list. dest The destination directory into which to unpack the tarfile cwd None The directory in which the tar command should be executed. If not specified, will default to the home directory of the user under which the salt minion process is running. template None Can be set to 'jinja' or another supported template engine to render the command arguments before execution: salt '*' archive.tar -cjvf /tmp/salt.tar.bz2 {{grains.saltpath}} template=jinja CLI Examples: # Create a tarfile salt '*' archive.tar -cjvf /tmp/tarfile.tar.bz2 /tmp/file_1,/tmp/file_2 # Unpack a tarfile salt '*' archive.tar xf foo.tar dest=/target/directory salt.modules.archive.unrar(rarfile, dest, excludes=None, template=None, runas=None) Uses rar for Linux to unpack rar files rarfile Name of rar file to be unpacked dest The destination directory into which to unpack the rar file template None Can be set to 'jinja' or another supported template engine to render the command arguments before execution: salt '*' archive.unrar template=jinja /tmp/rarfile.rar /tmp/{{grains.id}}/ excludes=file_1,file_2 CLI Example: salt '*' archive.unrar /tmp/rarfile.rar /home/strongbad/ excludes=file_1,file_2 salt.modules.archive.unzip(zip_file, dest, excludes=None, template=None, runas=None) Uses the zipfile Python module to unpack zip files Changed in version 2015.5.0: This function was rewritten to use Python's native zip file support. The old functionality has been preserved in the new function archive.cmd_unzip. For versions 2014.7.x and earlier, see the archive.cmd_zip documentation. zip_file Path of zip file to be unpacked dest The destination directory into which the file should be unpacked excludes None Comma-separated list of files not to unpack. Can also be passed in a Python list. template None Can be set to 'jinja' or another supported template engine to render the command arguments before execution: salt '*' archive.unzip template=jinja /tmp/zipfile.zip /tmp/{{grains.id}}/ excludes=file_1,file_2 runas None Unpack the zip file as the specified user. Defaults to the user under which the minion is running. CLI Example: salt '*' archive.unzip /tmp/zipfile.zip /home/strongbad/ excludes=file_1,file_2 salt.modules.archive.zip(zip_file, sources, template=None, cwd=None, runas=None) Uses the zipfile Python module to create zip files Changed in version 2015.5.0: This function was rewritten to use Python's native zip file support. The old functionality has been preserved in the new function archive.cmd_zip. For versions 2014.7.x and earlier, see the archive.cmd_zip documentation. zip_file Path of zip file to be created sources Comma-separated list of sources to include in the zip file. Sources can also be passed in a Python list. template None Can be set to 'jinja' or another supported template engine to render the command arguments before execution: salt '*' archive.zip template=jinja /tmp/zipfile.zip /tmp/sourcefile1,/tmp/{{grains.id}}.txt cwd None Use this argument along with relative paths in sources to create zip files which do not contain the leading directories. If not specified, the zip file will be created as if the cwd was /, and creating a zip file of /foo/bar/baz.txt will contain the parent directories foo and bar. To create a zip file containing just baz.txt, the following command would be used: salt '*' archive.zip /tmp/baz.zip baz.txt cwd=/foo/bar runas None Create the zip file as the specified user. Defaults to the user under which the minion is running. CLI Example: salt '*' archive.zip /tmp/zipfile.zip /tmp/sourcefile1,/tmp/sourcefile2 salt.modules.artifactory Module for fetching artifacts from Artifactory exception salt.modules.artifactory.ArtifactoryError(value) salt.modules.artifactory.get_latest_snapshot(artifactory_url, repository, group_id, artifact_id, packaging, target_dir='/tmp', target_file=None, classifier=None, username=None, password=None) Gets latest snapshot of the given artifact artifactory_url URL of artifactory instance repository Snapshot repository in artifactory to retrieve artifact from, for example: libs-snapshots group_id Group Id of the artifact artifact_id Artifact Id of the artifact packaging Packaging type (jar,war,ear,etc) target_dir Target directory to download artifact to (default: /tmp) target_file Target file to download artifact to (by default it is target_dir/artifact_id-snapshot_version.packaging) classifier Artifact classifier name (ex: sources,javadoc,etc). Optional parameter. username Artifactory username. Optional parameter. password Artifactory password. Optional parameter. salt.modules.artifactory.get_release(artifactory_url, repository, group_id, artifact_id, packaging, version, target_dir='/tmp', target_file=None, classifier=None, username=None, password=None) Gets the specified release of the artifact artifactory_url URL of artifactory instance repository Release repository in artifactory to retrieve artifact from, for example: libs-releases group_id Group Id of the artifact artifact_id Artifact Id of the artifact packaging Packaging type (jar,war,ear,etc) version Version of the artifact target_dir Target directory to download artifact to (default: /tmp) target_file Target file to download artifact to (by default it is target_dir/artifact_id-version.packaging) classifier Artifact classifier name (ex: sources,javadoc,etc). Optional parameter. username Artifactory username. Optional parameter. password Artifactory password. Optional parameter. salt.modules.artifactory.get_snapshot(artifactory_url, repository, group_id, artifact_id, packaging, version, snapshot_version=None, target_dir='/tmp', target_file=None, classifier=None, username=None, password=None) Gets snapshot of the desired version of the artifact artifactory_url URL of artifactory instance repository Snapshot repository in artifactory to retrieve artifact from, for example: libs-snapshots group_id Group Id of the artifact artifact_id Artifact Id of the artifact packaging Packaging type (jar,war,ear,etc) version Version of the artifact target_dir Target directory to download artifact to (default: /tmp) target_file Target file to download artifact to (by default it is target_dir/artifact_id-snapshot_version.packaging) classifier Artifact classifier name (ex: sources,javadoc,etc). Optional parameter. username Artifactory username. Optional parameter. password Artifactory password. Optional parameter. salt.modules.at Wrapper module for at(1) Also, a 'tag' feature has been added to more easily tag jobs. salt.modules.at.at(*args, **kwargs) Add a job to the queue. The 'timespec' follows the format documented in the at(1) manpage. CLI Example: salt '*' at.at <timespec> <cmd> [tag=<tag>] [runas=<user>] salt '*' at.at 12:05am '/sbin/reboot' tag=reboot salt '*' at.at '3:05am +3 days' 'bin/myscript' tag=nightly runas=jim salt.modules.at.atc(jobid) Print the at(1) script that will run for the passed job id. This is mostly for debugging so the output will just be text. CLI Example: salt '*' at.atc <jobid> salt.modules.at.atq(tag=None) List all queued and running jobs or only those with an optional 'tag'. CLI Example: salt '*' at.atq salt '*' at.atq [tag] salt '*' at.atq [job number] salt.modules.at.atrm(*args) Remove jobs from the queue. CLI Example: salt '*' at.atrm <jobid> <jobid> .. <jobid> salt '*' at.atrm all salt '*' at.atrm all [tag] salt.modules.at.jobcheck(**kwargs) Check the job from queue. The kwargs dict include 'hour minute day month year tag runas' Other parameters will be ignored. CLI Example: salt '*' at.jobcheck runas=jam day=13 salt '*' at.jobcheck day=13 month=12 year=13 tag=rose salt.modules.augeas_cfg Manages configuration files via augeas This module requires the augeas Python module. WARNING: Minimal installations of Debian and Ubuntu have been seen to have packaging bugs with python-augeas, causing the augeas module to fail to import. If the minion has the augeas module installed, but the functions in this execution module fail to run due to being unavailable, first restart the salt-minion service. If the problem persists past that, the following command can be run from the master to determine what is causing the import to fail: salt minion-id cmd.run 'python -c "from augeas import Augeas"' For affected Debian/Ubuntu hosts, installing libpython2.7 has been known to resolve the issue. salt.modules.augeas_cfg.execute(context=None, lens=None, commands=()) Execute Augeas commands New in version 2014.7.0. CLI Example: salt '*' augeas.execute /files/etc/redis/redis.conf commands='["set bind 0.0.0.0", "set maxmemory 1G"]' salt.modules.augeas_cfg.get(path, value='') Get a value for a specific augeas path CLI Example: salt '*' augeas.get /files/etc/hosts/1/ ipaddr salt.modules.augeas_cfg.ls(path) List the direct children of a node CLI Example: salt '*' augeas.ls /files/etc/passwd salt.modules.augeas_cfg.match(path, value='') Get matches for path expression CLI Example: salt '*' augeas.match /files/etc/services/service-name ssh salt.modules.augeas_cfg.remove(path) Get matches for path expression CLI Example: salt '*' augeas.remove /files/etc/sysctl.conf/net.ipv4.conf.all.log_martians salt.modules.augeas_cfg.setvalue(*args) Set a value for a specific augeas path CLI Example: salt '*' augeas.setvalue /files/etc/hosts/1/canonical localhost This will set the first entry in /etc/hosts to localhost CLI Example: salt '*' augeas.setvalue /files/etc/hosts/01/ipaddr 192.168.1.1 \ /files/etc/hosts/01/canonical test Adds a new host to /etc/hosts the ip address 192.168.1.1 and hostname test CLI Example: salt '*' augeas.setvalue prefix=/files/etc/sudoers/ \ "spec[user = '%wheel']/user" "%wheel" \ "spec[user = '%wheel']/host_group/host" 'ALL' \ "spec[user = '%wheel']/host_group/command[1]" 'ALL' \ "spec[user = '%wheel']/host_group/command[1]/tag" 'PASSWD' \ "spec[user = '%wheel']/host_group/command[2]" '/usr/bin/apt-get' \ "spec[user = '%wheel']/host_group/command[2]/tag" NOPASSWD Ensures that the following line is present in /etc/sudoers: %wheel ALL = PASSWD : ALL , NOPASSWD : /usr/bin/apt-get , /usr/bin/aptitude salt.modules.augeas_cfg.tree(path) Returns recursively the complete tree of a node CLI Example: salt '*' augeas.tree /files/etc/ salt.modules.aws_sqs Support for the Amazon Simple Queue Service. salt.modules.aws_sqs.create_queue(name, region, opts=None, user=None) Creates a queue with the correct name. name Name of the SQS queue to create region Region to create the SQS queue in opts None Any additional options to add to the command line user None Run hg as a user other than what the minion runs as salt.modules.aws_sqs.delete_message(queue, region, receipthandle, opts=None, user=None) Delete one or more messages from a queue in a region queue The name of the queue to delete messages from region Region where SQS queues exists receipthandle The ReceiptHandle of the message to delete. The ReceiptHandle is obtained in the return from receive_message opts None Any additional options to add to the command line user None Run as a user other than what the minion runs as CLI Example: salt '*' aws_sqs.delete_message <sqs queue> <region> receipthandle='<sqs ReceiptHandle>' New in version 2014.7.0. salt.modules.aws_sqs.delete_queue(name, region, opts=None, user=None) Deletes a queue in the region. name Name of the SQS queue to deletes region Name of the region to delete the queue from opts None Any additional options to add to the command line user None Run hg as a user other than what the minion runs as salt.modules.aws_sqs.list_queues(region, opts=None, user=None) List the queues in the selected region. region Region to list SQS queues for opts None Any additional options to add to the command line user None Run hg as a user other than what the minion runs as salt.modules.aws_sqs.queue_exists(name, region, opts=None, user=None) Returns True or False on whether the queue exists in the region name Name of the SQS queue to search for region Name of the region to search for the queue in opts None Any additional options to add to the command line user None Run hg as a user other than what the minion runs as salt.modules.aws_sqs.receive_message(queue, region, num=1, opts=None, user=None) Receive one or more messages from a queue in a region queue The name of the queue to receive messages from region Region where SQS queues exists num 1 The max number of messages to receive opts None Any additional options to add to the command line user None Run as a user other than what the minion runs as CLI Example: salt '*' aws_sqs.receive_message <sqs queue> <region> salt '*' aws_sqs.receive_message <sqs queue> <region> num=10 New in version 2014.7.0. salt.modules.bamboohr Support for BambooHR New in version 2015.8.0. Requires a subdomain and an apikey in /etc/salt/minion: salt.modules.bamboohr.list_employees(order_by='id') Show all employees for this company. CLI Example: salt myminion bamboohr.list_employees By default, the return data will be keyed by ID. However, it can be ordered by any other field. Keep in mind that if the field that is chosen contains duplicate values (i.e., location is used, for a company which only has one location), then each duplicate value will be overwritten by the previous. Therefore, it is advisable to only sort by fields that are guaranteed to be unique. CLI Examples: salt myminion bamboohr.list_employees order_by=id salt myminion bamboohr.list_employees order_by=displayName salt myminion bamboohr.list_employees order_by=workEmail salt.modules.bamboohr.list_meta_fields() Show all meta data fields for this company. CLI Example: salt myminion bamboohr.list_meta_fields salt.modules.bamboohr.list_users(order_by='id') Show all users for this company. CLI Example: salt myminion bamboohr.list_users By default, the return data will be keyed by ID. However, it can be ordered by any other field. Keep in mind that if the field that is chosen contains duplicate values (i.e., location is used, for a company which only has one location), then each duplicate value will be overwritten by the previous. Therefore, it is advisable to only sort by fields that are guaranteed to be unique. CLI Examples: salt myminion bamboohr.list_users order_by=id salt myminion bamboohr.list_users order_by=email salt.modules.bamboohr.show_employee(emp_id, fields=None) Show all employees for this company. CLI Example: salt myminion bamboohr.show_employee 1138 By default, the fields normally returned from bamboohr.list_employees are returned. These fields are: • canUploadPhoto • department • displayName • firstName • id • jobTitle • lastName • location • mobilePhone • nickname • photoUploaded • photoUrl • workEmail • workPhone • workPhoneExtension If needed, a different set of fields may be specified, separated by commas: CLI Example: salt myminion bamboohr.show_employee 1138 displayName,dateOfBirth A list of available fields can be found at http://www.bamboohr.com/api/documentation/employees.php salt.modules.bamboohr.update_employee(emp_id, key=None, value=None, items=None) Update one or more items for this employee. Specifying an empty value will clear it for that employee. CLI Examples: salt myminion bamboohr.update_employee 1138 nickname Curly salt myminion bamboohr.update_employee 1138 nickname '' salt myminion bamboohr.update_employee 1138 items='{"nickname": "Curly"} salt myminion bamboohr.update_employee 1138 items='{"nickname": ""} salt.modules.beacons Module for managing the Salt beacons on a minion New in version 2015.8.0. salt.modules.beacons.add(name, beacon_data, **kwargs) Add a beacon on the minion Parameters • name -- Name of the beacon to configure • beacon_data -- Dictionary or list containing configuration for beacon. Returns Boolean and status message on success or failure of add. CLI Example: salt '*' beacons.add ps "{'salt-master': 'stopped', 'apache2': 'stopped'}" salt.modules.beacons.delete(name, **kwargs) Delete a beacon item Parameters name -- Name of the beacon to delete Returns Boolean and status message on success or failure of delete. CLI Example: salt '*' beacons.delete ps salt '*' beacons.delete load salt.modules.beacons.disable(**kwargs) Disable all beaconsd jobs on the minion Returns Boolean and status message on success or failure of disable. CLI Example: salt '*' beacons.disable salt.modules.beacons.disable_beacon(name, **kwargs) Disable beacon on the minion Name Name of the beacon to disable. Returns Boolean and status message on success or failure of disable. CLI Example: salt '*' beacons.disable_beacon ps salt.modules.beacons.enable(**kwargs) Enable all beacons on the minion Returns Boolean and status message on success or failure of enable. CLI Example: salt '*' beacons.enable salt.modules.beacons.enable_beacon(name, **kwargs) Enable beacon on the minion Name Name of the beacon to enable. Returns Boolean and status message on success or failure of enable. CLI Example: salt '*' beacons.enable_beacon ps salt.modules.beacons.list(return_yaml=True) List the beacons currently configured on the minion Parameters return_yaml -- Whether to return YAML formatted output, default True Returns List of currently configured Beacons. CLI Example: salt '*' beacons.list salt.modules.beacons.modify(name, beacon_data, **kwargs) Modify an existing beacon Parameters • name -- Name of the beacon to configure • beacon_data -- Dictionary or list containing updated configuration for beacon. Returns Boolean and status message on success or failure of modify. CLI Example: salt '*' beacon.modify ps "{'salt-master': 'stopped', 'apache2': 'stopped'}" salt.modules.beacons.save() Save all beacons on the minion Returns Boolean and status message on success or failure of save. CLI Example: salt '*' beacons.save salt.modules.bigip An execution module which can manipulate an f5 bigip via iControl REST maturity develop platform f5_bigip_11.6 salt.modules.bigip.add_pool_member(hostname, username, password, name, member) A function to connect to a bigip device and add a new member to an existing pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to modify member The name of the member to add i.e. 10.1.1.2:80 CLI Example: salt '*' bigip.add_pool_members bigip admin admin my-pool 10.2.2.1:80 salt.modules.bigip.commit_transaction(hostname, username, password, label) A function to connect to a bigip device and commit an existing transaction. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password label the label of this transaction stored within the grain: bigip_f5_trans:<label> CLI Example: salt '*' bigip.commit_transaction bigip admin admin my_transaction salt.modules.bigip.create_monitor(hostname, username, password, monitor_type, name, **kwargs) A function to connect to a bigip device and create a monitor. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password monitor_type The type of monitor to create name The name of the monitor to create kwargs Consult F5 BIGIP user guide for specific options for each monitor type. Typically, tmsh arg names are used. CLI Example: salt '*' bigip.create_monitor bigip admin admin http my-http-monitor timeout=10 interval=5 salt.modules.bigip.create_node(hostname, username, password, name, address, trans_label=None) A function to connect to a bigip device and create a node. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the node address The address of the node trans_label The label of the transaction stored within the grain: bigip_f5_trans:<label> CLI Example: salt '*' bigip.create_node bigip admin admin 10.1.1.2 salt.modules.bigip.create_pool(hostname, username, password, name, members=None, allow_nat=None, allow_snat=None, description=None, gateway_failsafe_device=None, ignore_persisted_weight=None, ip_tos_to_client=None, ip_tos_to_server=None, link_qos_to_client=None, link_qos_to_server=None, load_balancing_mode=None, min_active_members=None, min_up_members=None, min_up_members_action=None, min_up_members_checking=None, monitor=None, profiles=None, queue_depth_limit=None, queue_on_connection_limit=None, queue_time_limit=None, reselect_tries=None, service_down_action=None, slow_ramp_time=None) A function to connect to a bigip device and create a pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to create. members List of comma delimited pool members to add to the pool. i.e. 10.1.1.1:80,10.1.1.2:80,10.1.1.3:80 allow_nat [yes | no] allow_snat [yes | no] description [string] gateway_failsafe_device [string] ignore_persisted_weight [enabled | disabled] ip_tos_to_client [pass-through | [integer]] ip_tos_to_server [pass-through | [integer]] link_qos_to_client [pass-through | [integer]] link_qos_to_server [pass-through | [integer]] load_balancing_mode [dynamic-ratio-member | dynamic-ratio-node | fastest-app-response | fastest-node | least-connections-members | least-connections-node | least-sessions | observed-member | observed-node | predictive-member | predictive-node | ratio-least-connections-member | ratio-least-connections-node | ratio-member | ratio-node | ratio-session | round-robin | weighted-least-connections-member | weighted-least-connections-node] min_active_members [integer] min_up_members [integer] min_up_members_action [failover | reboot | restart-all] min_up_members_checking [enabled | disabled] monitor [name] profiles [none | profile_name] queue_depth_limit [integer] queue_on_connection_limit [enabled | disabled] queue_time_limit [integer] reselect_tries [integer] service_down_action [drop | none | reselect | reset] slow_ramp_time [integer] CLI Example: salt '*' bigip.create_pool bigip admin admin my-pool 10.1.1.1:80,10.1.1.2:80,10.1.1.3:80 monitor=http salt.modules.bigip.create_profile(hostname, username, password, profile_type, name, **kwargs) A function to connect to a bigip device and create a profile. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password profile_type The type of profile to create name The name of the profile to create kwargs [ arg=val ] ... [arg=key1:val1,key2:val2] ... Consult F5 BIGIP user guide for specific options for each monitor type. Typically, tmsh arg names are used. Creating Complex Args Profiles can get pretty complicated in terms of the amount of possible config options. Use the following shorthand to create complex arguments such as lists, dictionaries, and lists of dictionaries. An option is also provided to pass raw json as well. lists [i,i,i]: param='item1,item2,item3' Dictionary [k:v,k:v,k,v]: param='key-1:val-1,key-2:val2,key-3:va-3' List of Dictionaries [k:v,k:v|k:v,k:v|k:v,k:v]: param='key-1:val-1,key-2:val-2|key-1:val-1,key-2:val-2|key-1:val-1,key-2:val-2' JSON: 'j{ ... }j': cert-key-chain='j{ "default": { "cert": "default.crt", "chain": "default.crt", "key": "default.key" } }j' Escaping Delimiters: Use \, or \: or \| to escape characters which shouldn't be treated as delimiters i.e. ciphers='DEFAULT\:!SSLv3' CLI Examples: salt '*' bigip.create_profile bigip admin admin http my-http-profile defaultsFrom='/Common/http' salt '*' bigip.create_profile bigip admin admin http my-http-profile defaultsFrom='/Common/http' \ enforcement=maxHeaderCount:3200,maxRequests:10 salt.modules.bigip.create_virtual(hostname, username, password, name, destination, pool=None, address_status=None, auto_lasthop=None, bwc_policy=None, cmp_enabled=None, connection_limit=None, dhcp_relay=None, description=None, fallback_persistence=None, flow_eviction_policy=None, gtm_score=None, ip_forward=None, ip_protocol=None, internal=None, twelve_forward=None, last_hop_pool=None, mask=None, mirror=None, nat64=None, persist=None, profiles=None, policies=None, rate_class=None, rate_limit=None, rate_limit_mode=None, rate_limit_dst=None, rate_limit_src=None, rules=None, related_rules=None, reject=None, source=None, source_address_translation=None, source_port=None, state=None, traffic_classes=None, translate_address=None, translate_port=None, vlans=None) A function to connect to a bigip device and create a virtual server. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the virtual to create destination [ [virtual_address_name:port] | [ipv4:port] | [ipv6.port] ] pool [ [pool_name] | none] address_status [yes | no] auto_lasthop [default | enabled | disabled ] bwc_policy [none] | string] cmp_enabled [yes | no] dhcp_relay [yes | no] connection_limit [integer] description [string] state [disabled | enabled] fallback_persistence [none | [profile name] ] flow_eviction_policy [none | [eviction policy name] ] gtm_score [integer] ip_forward [yes | no] ip_protocol [any | protocol] internal [yes | no] twelve_forward (12-forward) [yes | no] last_hop-pool [ [pool_name] | none] mask { [ipv4] | [ipv6] } mirror { [disabled | enabled | none] } nat64 [enabled | disabled] persist [none | profile1,profile2,profile3 ... ] profiles [none | default | profile1,profile2,profile3 ... ] policies [none | default | policy1,policy2,policy3 ... ] rate_class [name] rate_limit [integer] rate_limit_mode [destination | object | object-destination | object-source | object-source-destination | source | source-destination] rate_limit_dst [integer] rate_limitçsrc [integer] rules [none | [rule_one,rule_two ...] ] related_rules [none | [rule_one,rule_two ...] ] reject [yes | no] source { [ipv4[/prefixlen]] | [ipv6[/prefixlen]] } source_address_translation [none | snat:pool_name | lsn | automap ] source_port [change | preserve | preserve-strict] state [enabled | disabled] traffic_classes [none | default | class_one,class_two ... ] translate_address [enabled | disabled] translate_port [enabled | disabled] vlans [none | default | [enabled|disabled]:vlan1,vlan2,vlan3 ... ] CLI Examples: salt '*' bigip.create_virtual bigip admin admin my-virtual-3 26.2.2.5:80 \ pool=my-http-pool-http profiles=http,tcp salt '*' bigip.create_virtual bigip admin admin my-virtual-3 43.2.2.5:80 \ pool=test-http-pool-http profiles=http,websecurity persist=cookie,hash \ policies=asm_auto_l7_policy__http-virtual \ rules=_sys_APM_ExchangeSupport_helper,_sys_https_redirect \ related_rules=_sys_APM_activesync,_sys_APM_ExchangeSupport_helper \ source_address_translation=snat:my-snat-pool \ translate_address=enabled translate_port=enabled \ traffic_classes=my-class,other-class \ vlans=enabled:external,internal salt.modules.bigip.delete_monitor(hostname, username, password, monitor_type, name) A function to connect to a bigip device and delete an existing monitor. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password monitor_type The type of monitor to delete name The name of the monitor to delete CLI Example: salt '*' bigip.delete_monitor bigip admin admin http my-http-monitor salt.modules.bigip.delete_node(hostname, username, password, name, trans_label=None) A function to connect to a bigip device and delete a specific node. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the node which will be deleted. trans_label The label of the transaction stored within the grain: bigip_f5_trans:<label> CLI Example: salt '*' bigip.delete_node bigip admin admin my-node salt.modules.bigip.delete_pool(hostname, username, password, name) A function to connect to a bigip device and delete a specific pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool which will be deleted CLI Example: salt '*' bigip.delete_node bigip admin admin my-pool salt.modules.bigip.delete_pool_member(hostname, username, password, name, member) A function to connect to a bigip device and delete a specific pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to modify member The name of the pool member to delete CLI Example: salt '*' bigip.delete_node bigip admin admin my-pool 10.2.2.2:80 salt.modules.bigip.delete_profile(hostname, username, password, profile_type, name) A function to connect to a bigip device and delete an existing profile. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password profile_type The type of profile to delete name The name of the profile to delete CLI Example: salt '*' bigip.delete_profile bigip admin admin http my-http-profile salt.modules.bigip.delete_transaction(hostname, username, password, label) A function to connect to a bigip device and delete an existing transaction. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password label The label of this transaction stored within the grain: bigip_f5_trans:<label> CLI Example: salt '*' bigip.delete_transaction bigip admin admin my_transaction salt.modules.bigip.delete_virtual(hostname, username, password, name) A function to connect to a bigip device and delete a specific virtual. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the virtual to delete CLI Example: salt '*' bigip.delete_virtual bigip admin admin my-virtual salt.modules.bigip.list_monitor(hostname, username, password, monitor_type, name=None) A function to connect to a bigip device and list an existing monitor. If no name is provided than all monitors of the specified type will be listed. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password monitor_type The type of monitor(s) to list name The name of the monitor to list CLI Example: salt '*' bigip.list_monitor bigip admin admin http my-http-monitor salt.modules.bigip.list_node(hostname, username, password, name=None, trans_label=None) A function to connect to a bigip device and list all nodes or a specific node. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the node to list. If no name is specified than all nodes will be listed. trans_label The label of the transaction stored within the grain: bigip_f5_trans:<label> CLI Example: salt '*' bigip.list_node bigip admin admin my-node salt.modules.bigip.list_pool(hostname, username, password, name=None) A function to connect to a bigip device and list all pools or a specific pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to list. If no name is specified then all pools will be listed. CLI Example: salt '*' bigip.list_pool bigip admin admin my-pool salt.modules.bigip.list_profile(hostname, username, password, profile_type, name=None) A function to connect to a bigip device and list an existing profile. If no name is provided than all profiles of the specified type will be listed. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password profile_type The type of profile(s) to list name The name of the profile to list CLI Example: salt '*' bigip.list_profile bigip admin admin http my-http-profile salt.modules.bigip.list_transaction(hostname, username, password, label) A function to connect to a bigip device and list an existing transaction. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password label the label of this transaction stored within the grain: bigip_f5_trans:<label> CLI Example: salt '*' bigip.list_transaction bigip admin admin my_transaction salt.modules.bigip.list_virtual(hostname, username, password, name=None) A function to connect to a bigip device and list all virtuals or a specific virtual. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the virtual to list. If no name is specified than all virtuals will be listed. CLI Example: salt '*' bigip.list_virtual bigip admin admin my-virtual salt.modules.bigip.modify_monitor(hostname, username, password, monitor_type, name, **kwargs) A function to connect to a bigip device and modify an existing monitor. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password monitor_type The type of monitor to modify name The name of the monitor to modify kwargs Consult F5 BIGIP user guide for specific options for each monitor type. Typically, tmsh arg names are used. CLI Example: salt '*' bigip.modify_monitor bigip admin admin http my-http-monitor timout=16 interval=6 salt.modules.bigip.modify_node(hostname, username, password, name, connection_limit=None, description=None, dynamic_ratio=None, logging=None, monitor=None, rate_limit=None, ratio=None, session=None, state=None, trans_label=None) A function to connect to a bigip device and modify an existing node. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the node to modify connection_limit [integer] description [string] dynamic_ratio [integer] logging [enabled | disabled] monitor [[name] | none | default] rate_limit [integer] ratio [integer] session [user-enabled | user-disabled] state [user-down | user-up ] trans_label The label of the transaction stored within the grain: bigip_f5_trans:<label> CLI Example: salt '*' bigip.modify_node bigip admin admin 10.1.1.2 ratio=2 logging=enabled salt.modules.bigip.modify_pool(hostname, username, password, name, allow_nat=None, allow_snat=None, description=None, gateway_failsafe_device=None, ignore_persisted_weight=None, ip_tos_to_client=None, ip_tos_to_server=None, link_qos_to_client=None, link_qos_to_server=None, load_balancing_mode=None, min_active_members=None, min_up_members=None, min_up_members_action=None, min_up_members_checking=None, monitor=None, profiles=None, queue_depth_limit=None, queue_on_connection_limit=None, queue_time_limit=None, reselect_tries=None, service_down_action=None, slow_ramp_time=None) A function to connect to a bigip device and modify an existing pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to modify. allow_nat [yes | no] allow_snat [yes | no] description [string] gateway_failsafe_device [string] ignore_persisted_weight [yes | no] ip_tos_to_client [pass-through | [integer]] ip_tos_to_server [pass-through | [integer]] link_qos_to_client [pass-through | [integer]] link_qos_to_server [pass-through | [integer]] load_balancing_mode [dynamic-ratio-member | dynamic-ratio-node | fastest-app-response | fastest-node | least-connections-members | least-connections-node | least-sessions | observed-member | observed-node | predictive-member | predictive-node | ratio-least-connections-member | ratio-least-connections-node | ratio-member | ratio-node | ratio-session | round-robin | weighted-least-connections-member | weighted-least-connections-node] min_active_members [integer] min_up_members [integer] min_up_members_action [failover | reboot | restart-all] min_up_members_checking [enabled | disabled] monitor [name] profiles [none | profile_name] queue_on_connection_limit [enabled | disabled] queue_depth_limit [integer] queue_time_limit [integer] reselect_tries [integer] service_down_action [drop | none | reselect | reset] slow_ramp_time [integer] CLI Example: salt '*' bigip.modify_pool bigip admin admin my-pool 10.1.1.1:80,10.1.1.2:80,10.1.1.3:80 min_active_members=1 salt.modules.bigip.modify_pool_member(hostname, username, password, name, member, connection_limit=None, description=None, dynamic_ratio=None, inherit_profile=None, logging=None, monitor=None, priority_group=None, profiles=None, rate_limit=None, ratio=None, session=None, state=None) A function to connect to a bigip device and modify an existing member of a pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to modify member The name of the member to modify i.e. 10.1.1.2:80 connection_limit [integer] description [string] dynamic_ratio [integer] inherit_profile [enabled | disabled] logging [enabled | disabled] monitor [name] priority_group [integer] profiles [none | profile_name] rate_limit [integer] ratio [integer] session [user-enabled | user-disabled] state [ user-up | user-down ] CLI Example: salt '*' bigip.modify_pool_member bigip admin admin my-pool 10.2.2.1:80 state=use-down session=user-disabled salt.modules.bigip.modify_profile(hostname, username, password, profile_type, name, **kwargs) A function to connect to a bigip device and create a profile. A function to connect to a bigip device and create a profile. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password profile_type The type of profile to create name The name of the profile to create kwargs [ arg=val ] ... [arg=key1:val1,key2:val2] ... Consult F5 BIGIP user guide for specific options for each monitor type. Typically, tmsh arg names are used. Creating Complex Args Profiles can get pretty complicated in terms of the amount of possible config options. Use the following shorthand to create complex arguments such as lists, dictionaries, and lists of dictionaries. An option is also provided to pass raw json as well. lists [i,i,i]: param='item1,item2,item3' Dictionary [k:v,k:v,k,v]: param='key-1:val-1,key-2:val2,key-3:va-3' List of Dictionaries [k:v,k:v|k:v,k:v|k:v,k:v]: param='key-1:val-1,key-2:val-2|key-1:val-1,key-2:val-2|key-1:val-1,key-2:val-2' JSON: 'j{ ... }j': cert-key-chain='j{ "default": { "cert": "default.crt", "chain": "default.crt", "key": "default.key" } }j' Escaping Delimiters: Use \, or \: or \| to escape characters which shouldn't be treated as delimiters i.e. ciphers='DEFAULT\:!SSLv3' CLI Examples: salt '*' bigip.modify_profile bigip admin admin http my-http-profile defaultsFrom='/Common/http' salt '*' bigip.modify_profile bigip admin admin http my-http-profile defaultsFrom='/Common/http' \ enforcement=maxHeaderCount:3200,maxRequests:10 salt '*' bigip.modify_profile bigip admin admin client-ssl my-client-ssl-1 retainCertificate=false \ ciphers='DEFAULT\:!SSLv3' cert_key_chain='j{ "default": { "cert": "default.crt", "chain": "default.crt", "key": "default.key" } }j' salt.modules.bigip.modify_virtual(hostname, username, password, name, destination=None, pool=None, address_status=None, auto_lasthop=None, bwc_policy=None, cmp_enabled=None, connection_limit=None, dhcp_relay=None, description=None, fallback_persistence=None, flow_eviction_policy=None, gtm_score=None, ip_forward=None, ip_protocol=None, internal=None, twelve_forward=None, last_hop_pool=None, mask=None, mirror=None, nat64=None, persist=None, profiles=None, policies=None, rate_class=None, rate_limit=None, rate_limit_mode=None, rate_limit_dst=None, rate_limit_src=None, rules=None, related_rules=None, reject=None, source=None, source_address_translation=None, source_port=None, state=None, traffic_classes=None, translate_address=None, translate_port=None, vlans=None) A function to connect to a bigip device and modify an existing virtual server. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the virtual to modify destination [ [virtual_address_name:port] | [ipv4:port] | [ipv6.port] ] pool [ [pool_name] | none] address_status [yes | no] auto_lasthop [default | enabled | disabled ] bwc_policy [none] | string] cmp_enabled [yes | no] dhcp_relay [yes | no} connection_limit [integer] description [string] state [disabled | enabled] fallback_persistence [none | [profile name] ] flow_eviction_policy [none | [eviction policy name] ] gtm_score [integer] ip_forward [yes | no] ip_protocol [any | protocol] internal [yes | no] twelve_forward (12-forward) [yes | no] last_hop-pool [ [pool_name] | none] mask { [ipv4] | [ipv6] } mirror { [disabled | enabled | none] } nat64 [enabled | disabled] persist [none | profile1,profile2,profile3 ... ] profiles [none | default | profile1,profile2,profile3 ... ] policies [none | default | policy1,policy2,policy3 ... ] rate_class [name] rate_limit [integer] rate_limitr_mode [destination | object | object-destination | object-source | object-source-destination | source | source-destination] rate_limit_dst [integer] rate_limit_src [integer] rules [none | [rule_one,rule_two ...] ] related_rules [none | [rule_one,rule_two ...] ] reject [yes | no] source { [ipv4[/prefixlen]] | [ipv6[/prefixlen]] } source_address_translation [none | snat:pool_name | lsn | automap ] source_port [change | preserve | preserve-strict] state [enabled | disable] traffic_classes [none | default | class_one,class_two ... ] translate_address [enabled | disabled] translate_port [enabled | disabled] vlans [none | default | [enabled|disabled]:vlan1,vlan2,vlan3 ... ] CLI Example: salt '*' bigip.modify_virtual bigip admin admin my-virtual source_address_translation=none salt '*' bigip.modify_virtual bigip admin admin my-virtual rules=my-rule,my-other-rule salt.modules.bigip.replace_pool_members(hostname, username, password, name, members) A function to connect to a bigip device and replace members of an existing pool with new members. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to modify members List of comma delimited pool members to replace existing members with. i.e. 10.1.1.1:80,10.1.1.2:80,10.1.1.3:80 CLI Example: salt '*' bigip.replace_pool_members bigip admin admin my-pool 10.2.2.1:80,10.2.2.2:80,10.2.2.3:80 salt.modules.bigip.start_transaction(hostname, username, password, label) A function to connect to a bigip device and start a new transaction. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password label The name / alias for this transaction. The actual transaction id will be stored within a grain called bigip_f5_trans:<label> CLI Example: salt '*' bigip.start_transaction bigip admin admin my_transaction salt.modules.blockdev Module for managing block devices New in version 2014.7.0. salt.modules.blockdev.dump(device, args=None) Return all contents of dumpe2fs for a specified device args a list containing only the desired arguments to return CLI Example: salt '*' blockdev.dump /dev/sdX1 salt.modules.blockdev.format(device, fs_type='ext4', inode_size=None, lazy_itable_init=None) Format a filesystem onto a block device New in version 2015.8.2. device The block device in which to create the new filesystem fs_type The type of filesystem to create inode_size Size of the inodes This option is only enabled for ext and xfs filesystems lazy_itable_init If enabled and the uninit_bg feature is enabled, the inode table will not be fully initialized by mke2fs. This speeds up filesystem initialization noticeably, but it requires the kernel to finish initializing the filesystem in the background when the filesystem is first mounted. If the option value is omitted, it defaults to 1 to enable lazy inode table zeroing. This option is only enabled for ext filesystems CLI Example: salt '*' blockdev.format /dev/sdX1 salt.modules.blockdev.fstype(device) Return the filesystem name of a block device New in version 2015.8.2. device The name of the block device CLI Example: salt '*' blockdev.fstype /dev/sdX1 salt.modules.blockdev.resize2fs(device) Resizes the filesystem. CLI Example: salt '*' blockdev.resize2fs /dev/sdX1 salt.modules.blockdev.tune(device, **kwargs) Set attributes for the specified device CLI Example: salt '*' blockdev.tune /dev/sdX1 read-ahead=1024 read-write=True Valid options are: read-ahead, filesystem-read-ahead, read-only, read-write. See the blockdev(8) manpage for a more complete description of these options. salt.modules.blockdev.wipe(device) Remove the filesystem information CLI Example: salt '*' blockdev.wipe /dev/sdX1 salt.modules.bluez Support for Bluetooth (using BlueZ in Linux). The following packages are required packages for this module: bluez >= 5.7 bluez-libs >= 5.7 bluez-utils >= 5.7 pybluez >= 0.18 salt.modules.bluez.address() Get the many addresses of the Bluetooth adapter CLI Example: salt '*' bluetooth.address salt.modules.bluez.block(bdaddr) Block a specific bluetooth device by BD Address CLI Example: salt '*' bluetooth.block DE:AD:BE:EF:CA:FE salt.modules.bluez.discoverable(dev) Enable this bluetooth device to be discoverable. CLI Example: salt '*' bluetooth.discoverable hci0 salt.modules.bluez.noscan(dev) Turn off scanning modes on this device. CLI Example: salt '*' bluetooth.noscan hci0 salt.modules.bluez.pair(address, key) Pair the bluetooth adapter with a device CLI Example: salt '*' bluetooth.pair DE:AD:BE:EF:CA:FE 1234 Where DE:AD:BE:EF:CA:FE is the address of the device to pair with, and 1234 is the passphrase. TODO: This function is currently broken, as the bluez-simple-agent program no longer ships with BlueZ >= 5.0. It needs to be refactored. salt.modules.bluez.power(dev, mode) Power a bluetooth device on or off CLI Examples: salt '*' bluetooth.power hci0 on salt '*' bluetooth.power hci0 off salt.modules.bluez.scan() Scan for bluetooth devices in the area CLI Example: salt '*' bluetooth.scan salt.modules.bluez.start() Start the bluetooth service. CLI Example: salt '*' bluetooth.start salt.modules.bluez.stop() Stop the bluetooth service. CLI Example: salt '*' bluetooth.stop salt.modules.bluez.unblock(bdaddr) Unblock a specific bluetooth device by BD Address CLI Example: salt '*' bluetooth.unblock DE:AD:BE:EF:CA:FE salt.modules.bluez.unpair(address) Unpair the bluetooth adapter from a device CLI Example: salt '*' bluetooth.unpair DE:AD:BE:EF:CA:FE Where DE:AD:BE:EF:CA:FE is the address of the device to unpair. TODO: This function is currently broken, as the bluez-simple-agent program no longer ships with BlueZ >= 5.0. It needs to be refactored. salt.modules.bluez.version() Return Bluez version from bluetoothd -v CLI Example: salt '*' bluetoothd.version salt.modules.boto_asg Connection module for Amazon Autoscale Groups New in version 2014.7.0. configuration This module accepts explicit autoscale credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: asg.keyid: GKTADJGHEIQSXMKKRBJ08H asg.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: asg.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_asg.create(name, launch_config_name, availability_zones, min_size, max_size, desired_capacity=None, load_balancers=None, default_cooldown=None, health_check_type=None, health_check_period=None, placement_group=None, vpc_zone_identifier=None, tags=None, termination_policies=None, suspended_processes=None, scaling_policies=None, region=None, notification_arn=None, notification_types=None, key=None, keyid=None, profile=None) Create an autoscale group. CLI example: salt myminion boto_asg.create myasg mylc '["us-east-1a", "us-east-1e"]' 1 10 load_balancers='["myelb", "myelb2"]' tags='[{"key": "Name", value="myasg", "propagate_at_launch": True}]' salt.modules.boto_asg.create_launch_configuration(name, image_id, key_name=None, security_groups=None, user_data=None, instance_type='m1.small', kernel_id=None, ramdisk_id=None, block_device_mappings=None, instance_monitoring=False, spot_price=None, instance_profile_name=None, ebs_optimized=False, associate_public_ip_address=None, volume_type=None, delete_on_termination=True, iops=None, use_block_device_types=False, region=None, key=None, keyid=None, profile=None) Create a launch configuration. CLI example: salt myminion boto_asg.create_launch_configuration mylc image_id=ami-0b9c9f62 key_name='mykey' security_groups='["mygroup"]' instance_type='c3.2xlarge' salt.modules.boto_asg.delete(name, force=False, region=None, key=None, keyid=None, profile=None) Delete an autoscale group. CLI example: salt myminion boto_asg.delete myasg region=us-east-1 salt.modules.boto_asg.delete_launch_configuration(name, region=None, key=None, keyid=None, profile=None) Delete a launch configuration. CLI example: salt myminion boto_asg.delete_launch_configuration mylc salt.modules.boto_asg.exists(name, region=None, key=None, keyid=None, profile=None) Check to see if an autoscale group exists. CLI example: salt myminion boto_asg.exists myasg region=us-east-1 salt.modules.boto_asg.get_cloud_init_mime(cloud_init) Get a mime multipart encoded string from a cloud-init dict. Currently supports scripts and cloud-config. CLI Example: salt myminion boto.get_cloud_init_mime <cloud init> salt.modules.boto_asg.get_config(name, region=None, key=None, keyid=None, profile=None) Get the configuration for an autoscale group. CLI example: salt myminion boto_asg.get_config myasg region=us-east-1 salt.modules.boto_asg.get_instances(name, lifecycle_state='InService', health_status='Healthy', attribute='private_ip_address', region=None, key=None, keyid=None, profile=None) return attribute of all instances in the named autoscale group. CLI example: salt-call boto_asg.get_instances my_autoscale_group_name salt.modules.boto_asg.get_scaling_policy_arn(as_group, scaling_policy_name, region=None, key=None, keyid=None, profile=None) Return the arn for a scaling policy in a specific autoscale group or None if not found. Mainly used as a helper method for boto_cloudwatch_alarm, for linking alarms to scaling policies. CLI Example: salt '*' boto_asg.get_scaling_policy_arn mygroup mypolicy salt.modules.boto_asg.launch_configuration_exists(name, region=None, key=None, keyid=None, profile=None) Check for a launch configuration's existence. CLI example: salt myminion boto_asg.launch_configuration_exists mylc salt.modules.boto_asg.update(name, launch_config_name, availability_zones, min_size, max_size, desired_capacity=None, load_balancers=None, default_cooldown=None, health_check_type=None, health_check_period=None, placement_group=None, vpc_zone_identifier=None, tags=None, termination_policies=None, suspended_processes=None, scaling_policies=None, notification_arn=None, notification_types=None, region=None, key=None, keyid=None, profile=None) Update an autoscale group. CLI example: salt myminion boto_asg.update myasg mylc '["us-east-1a", "us-east-1e"]' 1 10 load_balancers='["myelb", "myelb2"]' tags='[{"key": "Name", value="myasg", "propagate_at_launch": True}]' salt.modules.boto_cfn Connection module for Amazon Cloud Formation New in version 2015.5.0. configuration This module accepts explicit AWS credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: cfn.keyid: GKTADJGHEIQSXMKKRBJ08H cfn.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: cfn.region: us-east-1 depends boto salt.modules.boto_cfn.create(name, template_body=None, template_url=None, parameters=None, notification_arns=None, disable_rollback=None, timeout_in_minutes=None, capabilities=None, tags=None, on_failure=None, stack_policy_body=None, stack_policy_url=None, region=None, key=None, keyid=None, profile=None) Create a CFN stack. CLI example to create a stack: salt myminion boto_cfn.create mystack template_url='https://s3.amazonaws.com/bucket/template.cft' region=us-east-1 salt.modules.boto_cfn.delete(name, region=None, key=None, keyid=None, profile=None) Delete a CFN stack. CLI example to delete a stack: salt myminion boto_cfn.delete mystack region=us-east-1 salt.modules.boto_cfn.describe(name, region=None, key=None, keyid=None, profile=None) Describe a stack. New in version 2015.8.0. CLI example: salt myminion boto_cfn.describe mystack region=us-east-1 salt.modules.boto_cfn.exists(name, region=None, key=None, keyid=None, profile=None) Check to see if a stack exists. CLI example: salt myminion boto_cfn.exists mystack region=us-east-1 salt.modules.boto_cfn.get_template(name, region=None, key=None, keyid=None, profile=None) Check to see if attributes are set on a CFN stack. CLI example: salt myminion boto_cfn.get_template mystack salt.modules.boto_cfn.update_stack(name, template_body=None, template_url=None, parameters=None, notification_arns=None, disable_rollback=False, timeout_in_minutes=None, capabilities=None, tags=None, use_previous_template=None, stack_policy_during_update_body=None, stack_policy_during_update_url=None, stack_policy_body=None, stack_policy_url=None, region=None, key=None, keyid=None, profile=None) Update a CFN stack. New in version 2015.8.0. CLI example to update a stack: salt myminion boto_cfn.update_stack mystack template_url='https://s3.amazonaws.com/bucket/template.cft' region=us-east-1 salt.modules.boto_cfn.validate_template(template_body=None, template_url=None, region=None, key=None, keyid=None, profile=None) Validate cloudformation template New in version 2015.8.0. CLI example: salt myminion boto_cfn.validate_template mystack-template salt.modules.boto_cloudwatch Connection module for Amazon CloudWatch New in version 2014.7.0. configuration This module accepts explicit credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: cloudwatch.keyid: GKTADJGHEIQSXMKKRBJ08H cloudwatch.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: cloudwatch.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_cloudwatch.convert_to_arn(arns, region=None, key=None, keyid=None, profile=None) Convert a list of strings into actual arns. Converts convenience names such as 'scaling_policy:...' CLI Example: salt '*' convert_to_arn 'scaling_policy:' salt.modules.boto_cloudwatch.create_or_update_alarm(connection=None, name=None, metric=None, namespace=None, statistic=None, comparison=None, threshold=None, period=None, evaluation_periods=None, unit=None, description='', dimensions=None, alarm_actions=None, insufficient_data_actions=None, ok_actions=None, region=None, key=None, keyid=None, profile=None) Create or update a cloudwatch alarm. Params are the same as: http://boto.readthedocs.org/en/latest/ref/cloudwatch.html#boto.ec2.cloudwatch.alarm.MetricAlarm. Dimensions must be a dict. If the value of Dimensions is a string, it will be json decoded to produce a dict. alarm_actions, insufficient_data_actions, and ok_actions must be lists of string. If the passed-in value is a string, it will be split on "," to produce a list. The strings themselves for alarm_actions, insufficient_data_actions, and ok_actions must be Amazon resource names (ARN's); however, this method also supports an arn lookup notation, as follows: arn:aws:.... ARN as per http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html scaling_policy:<as_name>:<scaling_policy_name> The named autoscale group scaling policy, for the named group (e.g. scaling_policy:my-asg:ScaleDown) This is convenient for setting up autoscaling as follows. First specify a boto_asg.present state for an ASG with scaling_policies, and then set up boto_cloudwatch_alarm.present states which have alarm_actions that reference the scaling_policy. CLI example: salt myminion boto_cloudwatch.create_alarm name=myalarm ... region=us-east-1 salt.modules.boto_cloudwatch.delete_alarm(name, region=None, key=None, keyid=None, profile=None) Delete a cloudwatch alarm CLI example to delete a queue: salt myminion boto_cloudwatch.delete_alarm myalarm region=us-east-1 salt.modules.boto_cloudwatch.get_alarm(name, region=None, key=None, keyid=None, profile=None) Get alarm details. Also can be used to check to see if an alarm exists. CLI example: salt myminion boto_cloudwatch.get_alarm myalarm region=us-east-1 salt.modules.boto_cloudwatch.get_all_alarms(region=None, prefix=None, key=None, keyid=None, profile=None) Get all alarm details. Produces results that can be used to create an sls file. If prefix parameter is given, alarm names in the output will be prepended with the prefix; alarms that have the prefix will be skipped. This can be used to convert existing alarms to be managed by salt, as follows: 1. Make a backup of all existing alarms $ salt-call boto_cloudwatch.get_all_alarms --out=txt | sed "s/local: //" > legacy_alarms.sls 2. Get all alarms with new prefixed names $ salt-call boto_cloudwatch.get_all_alarms "prefix=**MANAGED BY SALT** " --out=txt | sed "s/local: //" > managed_alarms.sls 3. Insert the managed alarms into cloudwatch $ salt-call state.template managed_alarms.sls 4. Manually verify that the new alarms look right 5. Delete the original alarms $ sed s/present/absent/ legacy_alarms.sls > remove_legacy_alarms.sls $ salt-call state.template remove_legacy_alarms.sls 6. Get all alarms again, verify no changes $ salt-call boto_cloudwatch.get_all_alarms --out=txt | sed "s/local: //" > final_alarms.sls $ diff final_alarms.sls managed_alarms.sls CLI example: salt myminion boto_cloudwatch.get_all_alarms region=us-east-1 --out=txt salt.modules.boto_dynamodb Connection module for Amazon DynamoDB New in version 2015.5.0. configuration This module accepts explicit DynamoDB credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: .. code-block:: yaml myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_dynamodb.create_table(table_name, region=None, key=None, keyid=None, profile=None, read_capacity_units=None, write_capacity_units=None, hash_key=None, hash_key_data_type=None, range_key=None, range_key_data_type=None, local_indexes=None, global_indexes=None) Creates a DynamoDB table. CLI Example: salt myminion boto_dynamodb.create_table table_name / region=us-east-1 / hash_key=id / hash_key_data_type=N / range_key=created_at / range_key_data_type=N / read_capacity_units=1 / write_capacity_units=1 salt.modules.boto_dynamodb.delete(table_name, region=None, key=None, keyid=None, profile=None) Delete a DynamoDB table. CLI Example: salt myminion boto_dynamodb.delete table_name region=us-east-1 salt.modules.boto_dynamodb.exists(table_name, region=None, key=None, keyid=None, profile=None) Check to see if a table exists. CLI Example: salt myminion boto_dynamodb.exists table_name region=us-east-1 salt.modules.boto_ec2 Connection module for Amazon EC2 New in version 2015.8.0. configuration This module accepts explicit EC2 credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: ec2.keyid: GKTADJGHEIQSXMKKRBJ08H ec2.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: ec2.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid, and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_ec2.create_key(key_name, save_path, region=None, key=None, keyid=None, profile=None) Creates a key and saves it to a given path. Returns the private key. CLI Example: salt myminion boto_ec2.create mykey /root/ salt.modules.boto_ec2.delete_key(key_name, region=None, key=None, keyid=None, profile=None) Deletes a key. Always returns True CLI Example: salt myminion boto_ec2.delete_key mykey salt.modules.boto_ec2.exists(instance_id=None, name=None, tags=None, region=None, key=None, keyid=None, profile=None) Given a instance id, check to see if the given instance id exists. Returns True if the given an instance with the given id, name, or tags exists; otherwise, False is returned. CLI Example: salt myminion boto_ec2.exists myinstance salt.modules.boto_ec2.find_instances(instance_id=None, name=None, tags=None, region=None, key=None, keyid=None, profile=None, return_objs=False) Given instance properties, find and return matching instance ids CLI Examples: salt myminion boto_ec2.find_instances # Lists all instances salt myminion boto_ec2.find_instances name=myinstance salt myminion boto_ec2.find_instances tags='{"mytag": "value"}' salt.modules.boto_ec2.get_attribute(attribute, instance_name=None, instance_id=None, region=None, key=None, keyid=None, profile=None) Get an EC2 instance attribute. CLI Example: salt myminion boto_ec2.get_attribute sourceDestCheck instance_name=my_instance Available attributes: • instanceType • kernel • ramdisk • userData • disableApiTermination • instanceInitiatedShutdownBehavior • rootDeviceName • blockDeviceMapping • productCodes • sourceDestCheck • groupSet • ebsOptimized • sriovNetSupport salt.modules.boto_ec2.get_id(name=None, tags=None, region=None, key=None, keyid=None, profile=None) Given instace properties, return the instance id if it exist. CLI Example: salt myminion boto_ec2.get_id myinstance salt.modules.boto_ec2.get_key(key_name, region=None, key=None, keyid=None, profile=None) Check to see if a key exists. Returns fingerprint and name if it does and False if it doesn't CLI Example: salt myminion boto_ec2.get_key mykey salt.modules.boto_ec2.get_keys(keynames=None, filters=None, region=None, key=None, keyid=None, profile=None) Gets all keys or filters them by name and returns a list. keynames (list):: A list of the names of keypairs to retrieve. If not provided, all key pairs will be returned. filters (dict) :: Optional filters that can be used to limit the results returned. Filters are provided in the form of a dictionary consisting of filter names as the key and filter values as the value. The set of allowable filter names/values is dependent on the request being performed. Check the EC2 API guide for details. CLI Example: salt myminion boto_ec2.get_keys salt.modules.boto_ec2.get_zones(region=None, key=None, keyid=None, profile=None) Get a list of AZs for the configured region. CLI Example: salt myminion boto_ec2.get_zones salt.modules.boto_ec2.import_key(key_name, public_key_material, region=None, key=None, keyid=None, profile=None) Imports the public key from an RSA key pair that you created with a third-party tool. Supported formats: - OpenSSH public key format (e.g., the format in ~/.ssh/authorized_keys) - Base64 encoded DER format - SSH public key file format as specified in RFC4716 - DSA keys are not supported. Make sure your key generator is set up to create RSA keys. Supported lengths: 1024, 2048, and 4096. CLI Example: salt myminion boto_ec2.import mykey publickey salt.modules.boto_ec2.run(image_id, name=None, tags=None, instance_type='m1.small', key_name=None, security_groups=None, user_data=None, placement=None, region=None, key=None, keyid=None, profile=None) Create and start an EC2 instance. Returns True if the instance was created; otherwise False. CLI Example: salt myminion boto_ec2.run ami-b80c2b87 name=myinstance salt.modules.boto_ec2.set_attribute(attribute, attribute_value, instance_name=None, instance_id=None, region=None, key=None, keyid=None, profile=None) Set an EC2 instance attribute. Returns whether the operation succeeded or not. CLI Example: salt myminion boto_ec2.set_attribute sourceDestCheck False instance_name=my_instance Available attributes: • instanceType • kernel • ramdisk • userData • disableApiTermination • instanceInitiatedShutdownBehavior • rootDeviceName • blockDeviceMapping • productCodes • sourceDestCheck • groupSet • ebsOptimized • sriovNetSupport salt.modules.boto_ec2.terminate(instance_id=None, name=None, region=None, key=None, keyid=None, profile=None) Terminate the instance described by instance_id or name. CLI Example: salt myminion boto_ec2.terminate name=myinstance salt myminion boto_ec2.terminate instance_id=i-a46b9f salt.modules.boto_elasticache Connection module for Amazon Elasticache New in version 2014.7.0. configuration This module accepts explicit elasticache credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: elasticache.keyid: GKTADJGHEIQSXMKKRBJ08H elasticache.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: elasticache.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_elasticache.authorize_cache_security_group_ingress(name, ec2_security_group_name, ec2_security_group_owner_id, region=None, key=None, keyid=None, profile=None) Authorize network ingress from an ec2 security group to a cache security group. CLI example: salt myminion boto_elasticache.authorize_cache_security_group_ingress myelasticachesg myec2sg 879879 salt.modules.boto_elasticache.create(name, num_cache_nodes=None, engine=None, cache_node_type=None, replication_group_id=None, engine_version=None, cache_parameter_group_name=None, cache_subnet_group_name=None, cache_security_group_names=None, security_group_ids=None, snapshot_arns=None, preferred_availability_zone=None, preferred_maintenance_window=None, port=None, notification_topic_arn=None, auto_minor_version_upgrade=None, wait=None, region=None, key=None, keyid=None, profile=None) Create a cache cluster. CLI example: salt myminion boto_elasticache.create myelasticache 1 redis cache.t1.micro cache_security_group_names='["myelasticachesg"]' salt.modules.boto_elasticache.create_cache_security_group(name, description, region=None, key=None, keyid=None, profile=None) Create a cache security group. CLI example: salt myminion boto_elasticache.create_cache_security_group myelasticachesg 'My Cache Security Group' salt.modules.boto_elasticache.create_replication_group(name, primary_cluster_id, replication_group_description, wait=None, region=None, key=None, keyid=None, profile=None) Create replication group. CLI example: salt myminion boto_elasticache.create_replication_group myelasticache myprimarycluster description salt.modules.boto_elasticache.create_subnet_group(name, description, subnet_ids, tags=None, region=None, key=None, keyid=None, profile=None) Create an ElastiCache subnet group CLI example to create an ElastiCache subnet group: salt myminion boto_elasticache.create_subnet_group my-subnet-group "group description" '[subnet-12345678, subnet-87654321]' region=us-east-1 salt.modules.boto_elasticache.delete(name, wait=False, region=None, key=None, keyid=None, profile=None) Delete a cache cluster. CLI example: salt myminion boto_elasticache.delete myelasticache salt.modules.boto_elasticache.delete_cache_security_group(name, region=None, key=None, keyid=None, profile=None) Delete a cache security group. CLI example: salt myminion boto_elasticache.delete_cache_security_group myelasticachesg 'My Cache Security Group' salt.modules.boto_elasticache.delete_subnet_group(name, region=None, key=None, keyid=None, profile=None) Delete an ElastiCache subnet group. CLI example: salt myminion boto_elasticache.delete_subnet_group my-subnet-group region=us-east-1 salt.modules.boto_elasticache.describe_replication_group(name, region=None, key=None, keyid=None, profile=None, parameter=None) Get replication group information. CLI example: salt myminion boto_elasticache.describe_replication_group mygroup salt.modules.boto_elasticache.exists(name, region=None, key=None, keyid=None, profile=None) Check to see if a cache cluster exists. CLI example: salt myminion boto_elasticache.exists myelasticache salt.modules.boto_elasticache.get_cache_subnet_group(name, region=None, key=None, keyid=None, profile=None) Get information about a cache subnet group. CLI example: salt myminion boto_elasticache.get_cache_subnet_group mycache_subnet_group salt.modules.boto_elasticache.get_config(name, region=None, key=None, keyid=None, profile=None) Get the configuration for a cache cluster. CLI example: salt myminion boto_elasticache.get_config myelasticache salt.modules.boto_elasticache.get_group_host(name, region=None, key=None, keyid=None, profile=None) Get hostname from replication cache group CLI example: salt myminion boto_elasticache.get_group_host myelasticachegroup salt.modules.boto_elasticache.get_node_host(name, region=None, key=None, keyid=None, profile=None) Get hostname from cache node CLI example: salt myminion boto_elasticache.get_node_host myelasticache salt.modules.boto_elasticache.group_exists(name, region=None, key=None, keyid=None, profile=None) Check to see if a replication group exists. CLI example: salt myminion boto_elasticache.group_exists myelasticache salt.modules.boto_elasticache.revoke_cache_security_group_ingress(name, ec2_security_group_name, ec2_security_group_owner_id, region=None, key=None, keyid=None, profile=None) Revoke network ingress from an ec2 security group to a cache security group. CLI example: salt myminion boto_elasticache.revoke_cache_security_group_ingress myelasticachesg myec2sg 879879 salt.modules.boto_elasticache.subnet_group_exists(name, tags=None, region=None, key=None, keyid=None, profile=None) Check to see if an ElastiCache subnet group exists. CLI example: salt myminion boto_elasticache.subnet_group_exists my-param-group region=us-east-1 salt.modules.boto_elb Connection module for Amazon ELB New in version 2014.7.0. configuration This module accepts explicit elb credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: elb.keyid: GKTADJGHEIQSXMKKRBJ08H elb.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: elb.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto >= 2.33.0 salt.modules.boto_elb.apply_security_groups(name, security_groups, region=None, key=None, keyid=None, profile=None) Apply security groups to ELB. CLI example: salt myminion boto_elb.apply_security_groups myelb '["mysecgroup1"]' salt.modules.boto_elb.attach_subnets(name, subnets, region=None, key=None, keyid=None, profile=None) Attach ELB to subnets. CLI example: salt myminion boto_elb.attach_subnets myelb '["mysubnet"]' salt.modules.boto_elb.create(name, availability_zones, listeners=None, subnets=None, security_groups=None, scheme='internet-facing', region=None, key=None, keyid=None, profile=None) Create an ELB CLI example to create an ELB: salt myminion boto_elb.create myelb '["us-east-1a", "us-east-1e"]' listeners='[[443, 80, "HTTPS", "HTTP", "arn:aws:iam::1111111:server-certificate/mycert"]]' region=us-east-1 salt.modules.boto_elb.create_listeners(name, listeners=None, region=None, key=None, keyid=None, profile=None) Create listeners on an ELB. CLI example: salt myminion boto_elb.create_listeners myelb listeners='[["HTTPS", "HTTP", 443, 80, "arn:aws:iam::11 11111:server-certificate/mycert"]]' salt.modules.boto_elb.delete(name, region=None, key=None, keyid=None, profile=None) Delete an ELB. CLI example to delete an ELB: salt myminion boto_elb.delete myelb region=us-east-1 salt.modules.boto_elb.delete_listeners(name, ports, region=None, key=None, keyid=None, profile=None) Delete listeners on an ELB. CLI example: salt myminion boto_elb.delete_listeners myelb '[80,443]' salt.modules.boto_elb.deregister_instances(name, instances, region=None, key=None, keyid=None, profile=None) Deregister instances with an ELB. Instances is either a string instance id or a list of string instance id's. Returns: • True: instance(s) deregistered successfully • False: instance(s) failed to be deregistered • None: instance(s) not valid or not registered, no action taken CLI example: salt myminion boto_elb.deregister_instances myelb instance_id salt myminion boto_elb.deregister_instances myelb "[instance_id, instance_id]" salt.modules.boto_elb.detach_subnets(name, subnets, region=None, key=None, keyid=None, profile=None) Detach ELB from subnets. CLI example: salt myminion boto_elb.detach_subnets myelb '["mysubnet"]' salt.modules.boto_elb.disable_availability_zones(name, availability_zones, region=None, key=None, keyid=None, profile=None) Disable availability zones for ELB. CLI example: salt myminion boto_elb.disable_availability_zones myelb '["us-east-1a"]' salt.modules.boto_elb.enable_availability_zones(name, availability_zones, region=None, key=None, keyid=None, profile=None) Enable availability zones for ELB. CLI example: salt myminion boto_elb.enable_availability_zones myelb '["us-east-1a"]' salt.modules.boto_elb.exists(name, region=None, key=None, keyid=None, profile=None) Check to see if an ELB exists. CLI example: salt myminion boto_elb.exists myelb region=us-east-1 salt.modules.boto_elb.get_attributes(name, region=None, key=None, keyid=None, profile=None) Check to see if attributes are set on an ELB. CLI example: salt myminion boto_elb.get_attributes myelb salt.modules.boto_elb.get_elb_config(name, region=None, key=None, keyid=None, profile=None) Check to see if an ELB exists. CLI example: salt myminion boto_elb.exists myelb region=us-east-1 salt.modules.boto_elb.get_health_check(name, region=None, key=None, keyid=None, profile=None) Get the health check configured for this ELB. CLI example: salt myminion boto_elb.get_health_check myelb salt.modules.boto_elb.get_instance_health(name, region=None, key=None, keyid=None, profile=None, instances=None) Get a list of instances and their health state CLI example: salt myminion boto_elb.get_instance_health myelb salt myminion boto_elb.get_instance_health myelb region=us-east-1 instances="[instance_id,instance_id]" salt.modules.boto_elb.register_instances(name, instances, region=None, key=None, keyid=None, profile=None) Register instances with an ELB. Instances is either a string instance id or a list of string instance id's. Returns: • True: instance(s) registered successfully • False: instance(s) failed to be registered CLI example: salt myminion boto_elb.register_instances myelb instance_id salt myminion boto_elb.register_instances myelb "[instance_id,instance_id]" salt.modules.boto_elb.set_attributes(name, attributes, region=None, key=None, keyid=None, profile=None) Set attributes on an ELB. CLI example to set attributes on an ELB: salt myminion boto_elb.set_attributes myelb '{"access_log": {"enabled": "true", "s3_bucket_name": "mybucket", "s3_bucket_prefix": "mylogs/", "emit_interval": "5"}}' region=us-east-1 salt.modules.boto_elb.set_health_check(name, health_check, region=None, key=None, keyid=None, profile=None) Set attributes on an ELB. CLI example to set attributes on an ELB: salt myminion boto_elb.set_health_check myelb '{"target": "HTTP:80/"}' salt.modules.boto_iam Connection module for Amazon IAM New in version 2014.7.0. configuration This module accepts explicit iam credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: iam.keyid: GKTADJGHEIQSXMKKRBJ08H iam.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs iam.region: us-east-1 It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_iam.add_user_to_group(user_name, group_name, region=None, key=None, keyid=None, profile=None) Add user to group. New in version 2015.8.0. CLI Example: salt myminion boto_iam.add_user_to_group myuser mygroup salt.modules.boto_iam.associate_profile_to_role(profile_name, role_name, region=None, key=None, keyid=None, profile=None) Associate an instance profile with an IAM role. CLI Example: salt myminion boto_iam.associate_profile_to_role myirole myiprofile salt.modules.boto_iam.build_policy(region=None, key=None, keyid=None, profile=None) Build a default assume role policy. New in version 2015.8.0. CLI Example: salt myminion boto_iam.build_policy salt.modules.boto_iam.create_access_key(user_name, region=None, key=None, keyid=None, profile=None) Create access key id for a user. New in version 2015.8.0. CLI Example: salt myminion boto_iam.create_access_key myuser salt.modules.boto_iam.create_group(group_name, path=None, region=None, key=None, keyid=None, profile=None) Create a group. New in version 2015.8.0. CLI Example: salt myminion boto_iam.create_group group salt.modules.boto_iam.create_instance_profile(name, region=None, key=None, keyid=None, profile=None) Create an instance profile. CLI Example: salt myminion boto_iam.create_instance_profile myiprofile salt.modules.boto_iam.create_login_profile(user_name, password, region=None, key=None, keyid=None, profile=None) Creates a login profile for the specified user, give the user the ability to access AWS services and the AWS Management Console. New in version 2015.8.0. CLI Example: salt myminion boto_iam.create_login_profile user_name password salt.modules.boto_iam.create_role(name, policy_document=None, path=None, region=None, key=None, keyid=None, profile=None) Create an instance role. CLI Example: salt myminion boto_iam.create_role myrole salt.modules.boto_iam.create_role_policy(role_name, policy_name, policy, region=None, key=None, keyid=None, profile=None) Create or modify a role policy. CLI Example: salt myminion boto_iam.create_role_policy myirole mypolicy '{"MyPolicy": "Statement": [{"Action": ["sqs:*"], "Effect": "Allow", "Resource": ["arn:aws:sqs:*:*:*"], "Sid": "MyPolicySqs1"}]}' salt.modules.boto_iam.create_user(user_name, path=None, region=None, key=None, keyid=None, profile=None) Create a user. New in version 2015.8.0. CLI Example: salt myminion boto_iam.create_user myuser salt.modules.boto_iam.delete_access_key(access_key_id, user_name=None, region=None, key=None, keyid=None, profile=None) Delete access key id from a user. New in version 2015.8.0. CLI Example: salt myminion boto_iam.delete_access_key myuser salt.modules.boto_iam.delete_group_policy(group_name, policy_name, region=None, key=None, keyid=None, profile=None) Delete a group policy. CLI Example: .. code-block:: bash salt myminion boto_iam.delete_group_policy mygroup mypolicy salt.modules.boto_iam.delete_instance_profile(name, region=None, key=None, keyid=None, profile=None) Delete an instance profile. CLI Example: salt myminion boto_iam.delete_instance_profile myiprofile salt.modules.boto_iam.delete_role(name, region=None, key=None, keyid=None, profile=None) Delete an IAM role. CLI Example: salt myminion boto_iam.delete_role myirole salt.modules.boto_iam.delete_role_policy(role_name, policy_name, region=None, key=None, keyid=None, profile=None) Delete a role policy. CLI Example: salt myminion boto_iam.delete_role_policy myirole mypolicy salt.modules.boto_iam.delete_server_cert(cert_name, region=None, key=None, keyid=None, profile=None) Deletes a certificate from Amazon. New in version 2015.8.0. CLI Example: salt myminion boto_iam.delete_server_cert mycert_name salt.modules.boto_iam.delete_user(user_name, region=None, key=None, keyid=None, profile=None) Delete a user. New in version 2015.8.0. CLI Example: salt myminion boto_iam.delete_user myuser salt.modules.boto_iam.delete_user_policy(user_name, policy_name, region=None, key=None, keyid=None, profile=None) Delete a user policy. CLI Example: salt myminion boto_iam.delete_user_policy myuser mypolicy salt.modules.boto_iam.describe_role(name, region=None, key=None, keyid=None, profile=None) Get information for a role. CLI Example: salt myminion boto_iam.describe_role myirole salt.modules.boto_iam.disassociate_profile_from_role(profile_name, role_name, region=None, key=None, keyid=None, profile=None) Disassociate an instance profile from an IAM role. CLI Example: salt myminion boto_iam.disassociate_profile_from_role myirole myiprofile salt.modules.boto_iam.get_account_id(region=None, key=None, keyid=None, profile=None) Get a the AWS account id associated with the used credentials. CLI Example: salt myminion boto_iam.get_account_id salt.modules.boto_iam.get_account_policy(region=None, key=None, keyid=None, profile=None) Get account policy for the AWS account. New in version 2015.8.0. CLI Example: salt myminion boto_iam.get_account_policy salt.modules.boto_iam.get_all_access_keys(user_name, marker=None, max_items=None, region=None, key=None, keyid=None, profile=None) Get all access keys from a user. New in version 2015.8.0. CLI Example: salt myminion boto_iam.get_all_access_keys myuser salt.modules.boto_iam.get_all_group_policies(group_name, region=None, key=None, keyid=None, profile=None) Get a list of policy names from a group. CLI Example: salt myminion boto_iam.get_all_group_policies mygroup salt.modules.boto_iam.get_all_user_policies(user_name, marker=None, max_items=None, region=None, key=None, keyid=None, profile=None) Get all user policies. New in version 2015.8.0. CLI Example: salt myminion boto_iam.get_group mygroup salt.modules.boto_iam.get_group(group_name, marker=None, max_items=None, region=None, key=None, keyid=None, profile=None) Get group information. New in version 2015.8.0. CLI Example: salt myminion boto_iam.get_group mygroup salt.modules.boto_iam.get_group_policy(group_name, policy_name, region=None, key=None, keyid=None, profile=None) Retrieves the specified policy document for the specified group. New in version 2015.8.0. CLI Example: salt myminion boto_iam.get_group_policy mygroup policyname salt.modules.boto_iam.get_role_policy(role_name, policy_name, region=None, key=None, keyid=None, profile=None) Get a role policy. CLI Example: salt myminion boto_iam.get_role_policy myirole mypolicy salt.modules.boto_iam.get_server_certificate(cert_name, region=None, key=None, keyid=None, profile=None) Returns certificate information from Amazon New in version 2015.8.0. CLI Example: salt myminion boto_iam.get_server_certificate mycert_name salt.modules.boto_iam.get_user(user_name=None, region=None, key=None, keyid=None, profile=None) Get user information. New in version 2015.8.0. CLI Example: salt myminion boto_iam.get_user myuser salt.modules.boto_iam.get_user_policy(user_name, policy_name, region=None, key=None, keyid=None, profile=None) Retrieves the specified policy document for the specified user. New in version 2015.8.0. CLI Example: salt myminion boto_iam.get_user_policy myuser mypolicyname salt.modules.boto_iam.instance_profile_exists(name, region=None, key=None, keyid=None, profile=None) Check to see if an instance profile exists. CLI Example: salt myminion boto_iam.instance_profile_exists myiprofile salt.modules.boto_iam.list_role_policies(role_name, region=None, key=None, keyid=None, profile=None) Get a list of policy names from a role. CLI Example: salt myminion boto_iam.list_role_policies myirole salt.modules.boto_iam.profile_associated(role_name, profile_name, region, key, keyid, profile) Check to see if an instance profile is associated with an IAM role. CLI Example: salt myminion boto_iam.profile_associated myirole myiprofile salt.modules.boto_iam.put_group_policy(group_name, policy_name, policy_json, region=None, key=None, keyid=None, profile=None) Adds or updates the specified policy document for the specified group. New in version 2015.8.0. CLI Example: salt myminion boto_iam.put_group_policy mygroup policyname policyrules salt.modules.boto_iam.put_user_policy(user_name, policy_name, policy_json, region=None, key=None, keyid=None, profile=None) Adds or updates the specified policy document for the specified user. New in version 2015.8.0. CLI Example: salt myminion boto_iam.put_user_policy myuser policyname policyrules salt.modules.boto_iam.remove_user_from_group(group_name, user_name, region=None, key=None, keyid=None, profile=None) Remove user from group. New in version 2015.8.0. CLI Example: salt myminion boto_iam.remove_user_from_group mygroup myuser salt.modules.boto_iam.role_exists(name, region=None, key=None, keyid=None, profile=None) Check to see if an IAM role exists. CLI Example: salt myminion boto_iam.role_exists myirole salt.modules.boto_iam.update_account_password_policy(allow_users_to_change_password=None, hard_expiry=None, max_password_age=None, minimum_password_length=None, password_reuse_prevention=None, require_lowercase_characters=None, require_numbers=None, require_symbols=None, require_uppercase_characters=None, region=None, key=None, keyid=None, profile=None) Update the password policy for the AWS account. New in version 2015.8.0. CLI Example: salt myminion boto_iam.update_account_password_policy True salt.modules.boto_iam.update_assume_role_policy(role_name, policy_document, region=None, key=None, keyid=None, profile=None) Update an assume role policy for a role. New in version 2015.8.0. CLI Example: salt myminion boto_iam.update_assume_role_policy myrole '{"Statement":"..."}' salt.modules.boto_iam.upload_server_cert(cert_name, cert_body, private_key, cert_chain=None, path=None, region=None, key=None, keyid=None, profile=None) Upload a certificate to Amazon. New in version 2015.8.0. CLI Example: salt myminion boto_iam.upload_server_cert mycert_name crt priv_key Parameters • cert_name -- The name for the server certificate. Do not include the path in this value. • cert_body -- The contents of the public key certificate in PEM-encoded format. • private_key -- The contents of the private key in PEM-encoded format. • cert_chain -- The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain. • path -- The path for the server certificate. • region -- The name of the region to connect to. • key -- The key to be used in order to connect • keyid -- The keyid to be used in order to connect • profile -- The profile that contains a dict of region, key, keyid Returns True / False salt.modules.boto_iam.user_exists_in_group(user_name, group_name, region=None, key=None, keyid=None, profile=None) Check if user exists in group. New in version 2015.8.0. CLI Example: salt myminion boto_iam.user_exists_in_group myuser mygroup salt.modules.boto_kms Connection module for Amazon KMS New in version 2015.8.0. configuration This module accepts explicit kms credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: kms.keyid: GKTADJGHEIQSXMKKRBJ08H kms.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: kms.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_kms.create_alias(alias_name, target_key_id, region=None, key=None, keyid=None, profile=None) Create a display name for a key. CLI example: salt myminion boto_kms.create_alias 'alias/mykey' key_id salt.modules.boto_kms.create_grant(key_id, grantee_principal, retiring_principal=None, operations=None, constraints=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None) Adds a grant to a key to specify who can access the key and under what conditions. CLI example: salt myminion boto_kms.create_grant 'alias/mykey' 'arn:aws:iam::1111111:/role/myrole' operations='["Encrypt","Decrypt"]' salt.modules.boto_kms.create_key(policy=None, description=None, key_usage=None, region=None, key=None, keyid=None, profile=None) Creates a master key. CLI example: salt myminion boto_kms.create_key '{"Statement":...}' "My master key" salt.modules.boto_kms.decrypt(ciphertext_blob, encryption_context=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None) Decrypt ciphertext. CLI example: salt myminion boto_kms.decrypt encrypted_ciphertext salt.modules.boto_kms.describe_key(key_id, region=None, key=None, keyid=None, profile=None) Get detailed information about a key. CLI example: salt myminion boto_kms.describe_key 'alias/mykey' salt.modules.boto_kms.disable_key(key_id, region=None, key=None, keyid=None, profile=None) Mark key as disabled. CLI example: salt myminion boto_kms.disable_key 'alias/mykey' salt.modules.boto_kms.disable_key_rotation(key_id, region=None, key=None, keyid=None, profile=None) Disable key rotation for specified key. CLI example: salt myminion boto_kms.disable_key_rotation 'alias/mykey' salt.modules.boto_kms.enable_key(key_id, region=None, key=None, keyid=None, profile=None) Mark key as enabled. CLI example: salt myminion boto_kms.enable_key 'alias/mykey' salt.modules.boto_kms.enable_key_rotation(key_id, region=None, key=None, keyid=None, profile=None) Disable key rotation for specified key. CLI example: salt myminion boto_kms.enable_key_rotation 'alias/mykey' salt.modules.boto_kms.encrypt(key_id, plaintext, encryption_context=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None) Encrypt plaintext into cipher text using specified key. CLI example: salt myminion boto_kms.encrypt 'alias/mykey' 'myplaindata' '{"aws:username":"myuser"}' salt.modules.boto_kms.generate_data_key(key_id, encryption_context=None, number_of_bytes=None, key_spec=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None) Generate a secure data key. CLI example: salt myminion boto_kms.generate_data_key 'alias/mykey' number_of_bytes=1024 key_spec=AES_128 salt.modules.boto_kms.generate_data_key_without_plaintext(key_id, encryption_context=None, number_of_bytes=None, key_spec=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None) Generate a secure data key without a plaintext copy of the key. CLI example: salt myminion boto_kms.generate_data_key_without_plaintext 'alias/mykey' number_of_bytes=1024 key_spec=AES_128 salt.modules.boto_kms.generate_random(number_of_bytes=None, region=None, key=None, keyid=None, profile=None) Generate a random string. CLI example: salt myminion boto_kms.generate_random number_of_bytes=1024 salt.modules.boto_kms.get_key_policy(key_id, policy_name, region=None, key=None, keyid=None, profile=None) Get the policy for the specified key. CLI example: salt myminion boto_kms.get_key_policy 'alias/mykey' mypolicy salt.modules.boto_kms.get_key_rotation_status(key_id, region=None, key=None, keyid=None, profile=None) Get status of whether or not key rotation is enabled for a key. CLI example: salt myminion boto_kms.get_key_rotation_status 'alias/mykey' salt.modules.boto_kms.key_exists(key_id, region=None, key=None, keyid=None, profile=None) Check for the existence of a key. CLI example: salt myminion boto_kms.key_exists 'alias/mykey' salt.modules.boto_kms.list_grants(key_id, limit=None, marker=None, region=None, key=None, keyid=None, profile=None) List grants for the specified key. CLI example: salt myminion boto_kms.list_grants 'alias/mykey' salt.modules.boto_kms.list_key_policies(key_id, limit=None, marker=None, region=None, key=None, keyid=None, profile=None) List key_policies for the specified key. CLI example: salt myminion boto_kms.list_key_policies 'alias/mykey' salt.modules.boto_kms.put_key_policy(key_id, policy_name, policy, region=None, key=None, keyid=None, profile=None) Attach a key policy to the specified key. CLI example: salt myminion boto_kms.put_key_policy 'alias/mykey' default '{"Statement":...}' salt.modules.boto_kms.re_encrypt(ciphertext_blob, destination_key_id, source_encryption_context=None, destination_encryption_context=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None) Reencrypt encrypted data with a new master key. CLI example: salt myminion boto_kms.re_encrypt 'encrypted_data' 'alias/mynewkey' default '{"Statement":...}' salt.modules.boto_kms.revoke_grant(key_id, grant_id, region=None, key=None, keyid=None, profile=None) Revoke a grant from a key. CLI example: salt myminion boto_kms.revoke_grant 'alias/mykey' 8u89hf-j09j... salt.modules.boto_kms.update_key_description(key_id, description, region=None, key=None, keyid=None, profile=None) Update a key's description. CLI example: salt myminion boto_kms.update_key_description 'alias/mykey' 'My key' salt.modules.boto_rds Connection module for Amazon RDS New in version 2015.8.0. configuration This module accepts explicit rds credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: rds.keyid: GKTADJGHEIQSXMKKRBJ08H rds.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: rds.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_rds.create(name, allocated_storage, db_instance_class, engine, master_username, master_user_password, db_name=None, db_security_groups=None, vpc_security_group_ids=None, availability_zone=None, db_subnet_group_name=None, preferred_maintenance_window=None, db_parameter_group_name=None, backup_retention_period=None, preferred_backup_window=None, port=None, multi_az=None, engine_version=None, auto_minor_version_upgrade=None, license_model=None, iops=None, option_group_name=None, character_set_name=None, publicly_accessible=None, wait_status=None, tags=None, region=None, key=None, keyid=None, profile=None) Create an RDS CLI example to create an RDS: salt myminion boto_rds.create myrds 10 db.t2.micro MySQL sqlusr sqlpassw salt.modules.boto_rds.create_option_group(name, engine_name, major_engine_version, option_group_description, tags=None, region=None, key=None, keyid=None, profile=None) Create an RDS option group CLI example to create an RDS option group: salt myminion boto_rds.create_option_group my-opt-group mysql 5.6 "group description" salt.modules.boto_rds.create_parameter_group(name, db_parameter_group_family, description, tags=None, region=None, key=None, keyid=None, profile=None) Create an RDS parameter group CLI example to create an RDS parameter group: salt myminion boto_rds.create_parameter_group my-param-group mysql5.6 "group description" salt.modules.boto_rds.create_read_replica(name, source_name, db_instance_class=None, availability_zone=None, port=None, auto_minor_version_upgrade=None, iops=None, option_group_name=None, publicly_accessible=None, tags=None, region=None, key=None, keyid=None, profile=None) Create an RDS read replica CLI example to create an RDS read replica: salt myminion boto_rds.create_read_replica replicaname source_name salt.modules.boto_rds.create_subnet_group(name, description, subnet_ids, tags=None, region=None, key=None, keyid=None, profile=None) Create an RDS subnet group CLI example to create an RDS subnet group: salt myminion boto_rds.create_subnet_group my-subnet-group "group description" '[subnet-12345678, subnet-87654321]' region=us-east-1 salt.modules.boto_rds.delete(name, skip_final_snapshot=None, final_db_snapshot_identifier=None, region=None, key=None, keyid=None, profile=None) Delete an RDS instance. CLI example: salt myminion boto_rds.delete myrds skip_final_snapshot=True region=us-east-1 salt.modules.boto_rds.delete_option_group(name, region=None, key=None, keyid=None, profile=None) Delete an RDS option group. CLI example: salt myminion boto_rds.delete_option_group my-opt-group region=us-east-1 salt.modules.boto_rds.delete_parameter_group(name, region=None, key=None, keyid=None, profile=None) Delete an RDS parameter group. CLI example: salt myminion boto_rds.delete_parameter_group my-param-group region=us-east-1 salt.modules.boto_rds.delete_subnet_group(name, region=None, key=None, keyid=None, profile=None) Delete an RDS subnet group. CLI example: salt myminion boto_rds.delete_subnet_group my-subnet-group region=us-east-1 salt.modules.boto_rds.describe(name, tags=None, region=None, key=None, keyid=None, profile=None) Return RDS instance details. CLI example: salt myminion boto_rds.describe myrds salt.modules.boto_rds.exists(name, tags=None, region=None, key=None, keyid=None, profile=None) Check to see if an RDS exists. CLI example: salt myminion boto_rds.exists myrds region=us-east-1 salt.modules.boto_rds.get_endpoint(name, tags=None, region=None, key=None, keyid=None, profile=None) Return the enpoint of an RDS instance. CLI example: salt myminion boto_rds.get_endpoint myrds salt.modules.boto_rds.option_group_exists(name, tags=None, region=None, key=None, keyid=None, profile=None) Check to see if an RDS option group exists. CLI example: salt myminion boto_rds.option_group_exists myoptiongr region=us-east-1 salt.modules.boto_rds.parameter_group_exists(name, tags=None, region=None, key=None, keyid=None, profile=None) Check to see if an RDS parameter group exists. CLI example: salt myminion boto_rds.parameter_group_exists myparametergroup region=us-east-1 salt.modules.boto_rds.subnet_group_exists(name, tags=None, region=None, key=None, keyid=None, profile=None) Check to see if an RDS subnet group exists. CLI example: salt myminion boto_rds.subnet_group_exists my-param-group region=us-east-1 salt.modules.boto_rds.update_parameter_group(name, parameters, apply_method='pending-reboot', tags=None, region=None, key=None, keyid=None, profile=None) Update an RDS parameter group. CLI example: salt myminion boto_rds.update_parameter_group my-param-group parameters='{"back_log":1, "binlog_cache_size":4096}' region=us-east-1 salt.modules.boto_route53 Connection module for Amazon Route53 New in version 2014.7.0. configuration This module accepts explicit route53 credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: route53.keyid: GKTADJGHEIQSXMKKRBJ08H route53.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: route53.region: us-east-1 If a region is not specified, the default is 'universal', which is what the boto_route53 library expects, rather than None. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_route53.add_record(name, value, zone, record_type, identifier=None, ttl=None, region=None, key=None, keyid=None, profile=None, wait_for_sync=True, split_dns=False, private_zone=False) Add a record to a zone. CLI example: salt myminion boto_route53.add_record test.example.org 1.1.1.1 example.org A salt.modules.boto_route53.create_zone(zone, private=False, vpc_id=None, vpc_region=None, region=None, key=None, keyid=None, profile=None) Create a Route53 hosted zone. New in version 2015.8.0. zone DNZ zone to create private True/False if the zone will be a private zone vpc_id VPC ID to associate the zone to (required if private is True) vpc_region VPC Region (required if private is True) region region endpoint to connect to key AWS key keyid AWS keyid profile AWS pillar profile CLI Example: salt myminion boto_route53.create_zone example.org salt.modules.boto_route53.delete_record(name, zone, record_type, identifier=None, all_records=False, region=None, key=None, keyid=None, profile=None, wait_for_sync=True, split_dns=False, private_zone=False) Modify a record in a zone. CLI example: salt myminion boto_route53.delete_record test.example.org example.org A salt.modules.boto_route53.delete_zone(zone, region=None, key=None, keyid=None, profile=None) Delete a Route53 hosted zone. New in version 2015.8.0. CLI Example: salt myminion boto_route53.delete_zone example.org salt.modules.boto_route53.get_record(name, zone, record_type, fetch_all=False, region=None, key=None, keyid=None, profile=None, split_dns=False, private_zone=False) Get a record from a zone. CLI example: salt myminion boto_route53.get_record test.example.org example.org A salt.modules.boto_route53.update_record(name, value, zone, record_type, identifier=None, ttl=None, region=None, key=None, keyid=None, profile=None, wait_for_sync=True, split_dns=False, private_zone=False) Modify a record in a zone. CLI example: salt myminion boto_route53.modify_record test.example.org 1.1.1.1 example.org A salt.modules.boto_route53.zone_exists(zone, region=None, key=None, keyid=None, profile=None) Check for the existence of a Route53 hosted zone. New in version 2015.8.0. CLI Example: salt myminion boto_route53.zone_exists example.org salt.modules.boto_secgroup Connection module for Amazon Security Groups New in version 2014.7.0. configuration This module accepts explicit ec2 credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: secgroup.keyid: GKTADJGHEIQSXMKKRBJ08H secgroup.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: secgroup.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_secgroup.authorize(name=None, source_group_name=None, source_group_owner_id=None, ip_protocol=None, from_port=None, to_port=None, cidr_ip=None, group_id=None, source_group_group_id=None, region=None, key=None, keyid=None, profile=None, vpc_id=None, vpc_name=None, egress=False) Add a new rule to an existing security group. CLI example: salt myminion boto_secgroup.authorize mysecgroup ip_protocol=tcp from_port=80 to_port=80 cidr_ip='['10.0.0.0/8', '192.168.0.0/24']' salt.modules.boto_secgroup.convert_to_group_ids(groups, vpc_id, vpc_name=None, region=None, key=None, keyid=None, profile=None) Given a list of security groups and a vpc_id, convert_to_group_ids will convert all list items in the given list to security group ids. CLI example: salt myminion boto_secgroup.convert_to_group_ids mysecgroup vpc-89yhh7h salt.modules.boto_secgroup.create(name, description, vpc_id=None, vpc_name=None, region=None, key=None, keyid=None, profile=None) Create a security group. CLI example: salt myminion boto_secgroup.create mysecgroup 'My Security Group' salt.modules.boto_secgroup.delete(name=None, group_id=None, region=None, key=None, keyid=None, profile=None, vpc_id=None, vpc_name=None) Delete a security group. CLI example: salt myminion boto_secgroup.delete mysecgroup salt.modules.boto_secgroup.exists(name=None, region=None, key=None, keyid=None, profile=None, vpc_id=None, vpc_name=None, group_id=None) Check to see if a security group exists. CLI example: salt myminion boto_secgroup.exists mysecgroup salt.modules.boto_secgroup.get_config(name=None, group_id=None, region=None, key=None, keyid=None, profile=None, vpc_id=None, vpc_name=None) Get the configuration for a security group. CLI example: salt myminion boto_secgroup.get_config mysecgroup salt.modules.boto_secgroup.get_group_id(name, vpc_id=None, vpc_name=None, region=None, key=None, keyid=None, profile=None) Get a Group ID given a Group Name or Group Name and VPC ID CLI example: salt myminion boto_secgroup.get_group_id mysecgroup salt.modules.boto_secgroup.revoke(name=None, source_group_name=None, source_group_owner_id=None, ip_protocol=None, from_port=None, to_port=None, cidr_ip=None, group_id=None, source_group_group_id=None, region=None, key=None, keyid=None, profile=None, vpc_id=None, vpc_name=None, egress=False) Remove a rule from an existing security group. CLI example: salt myminion boto_secgroup.revoke mysecgroup ip_protocol=tcp from_port=80 to_port=80 cidr_ip='10.0.0.0/8' salt.modules.boto_sns Connection module for Amazon SNS configuration This module accepts explicit sns credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: sns.keyid: GKTADJGHEIQSXMKKRBJ08H sns.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: sns.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_sns.create(name, region=None, key=None, keyid=None, profile=None) Create an SNS topic. CLI example to create a topic: salt myminion boto_sns.create mytopic region=us-east-1 salt.modules.boto_sns.delete(name, region=None, key=None, keyid=None, profile=None) Delete an SNS topic. CLI example to delete a topic: salt myminion boto_sns.delete mytopic region=us-east-1 salt.modules.boto_sns.exists(name, region=None, key=None, keyid=None, profile=None) Check to see if an SNS topic exists. CLI example: salt myminion boto_sns.exists mytopic region=us-east-1 salt.modules.boto_sns.get_all_subscriptions_by_topic(name, region=None, key=None, keyid=None, profile=None) Get list of all subscriptions to a specific topic. CLI example to delete a topic: salt myminion boto_sns.get_all_subscriptions_by_topic mytopic region=us-east-1 salt.modules.boto_sns.get_all_topics(region=None, key=None, keyid=None, profile=None) Returns a list of the all topics.. CLI example: salt myminion boto_sns.get_all_topics salt.modules.boto_sns.get_arn(name, region=None, key=None, keyid=None, profile=None) Returns the full ARN for a given topic name. CLI example: salt myminion boto_sns.get_arn mytopic salt.modules.boto_sns.subscribe(topic, protocol, endpoint, region=None, key=None, keyid=None, profile=None) Subscribe to a Topic. CLI example to delete a topic: salt myminion boto_sns.subscribe mytopic https https://www.example.com/sns-endpoint region=us-east-1 salt.modules.boto_sqs Connection module for Amazon SQS New in version 2014.7.0. configuration This module accepts explicit sqs credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: sqs.keyid: GKTADJGHEIQSXMKKRBJ08H sqs.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: sqs.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.modules.boto_sqs.create(name, region=None, key=None, keyid=None, profile=None) Create an SQS queue. CLI example to create a queue: salt myminion boto_sqs.create myqueue region=us-east-1 salt.modules.boto_sqs.delete(name, region=None, key=None, keyid=None, profile=None) Delete an SQS queue. CLI example to delete a queue: salt myminion boto_sqs.delete myqueue region=us-east-1 salt.modules.boto_sqs.exists(name, region=None, key=None, keyid=None, profile=None) Check to see if a queue exists. CLI example: salt myminion boto_sqs.exists myqueue region=us-east-1 salt.modules.boto_sqs.get_attributes(name, region=None, key=None, keyid=None, profile=None) Check to see if attributes are set on an SQS queue. CLI example: salt myminion boto_sqs.get_attributes myqueue salt.modules.boto_sqs.set_attributes(name, attributes, region=None, key=None, keyid=None, profile=None) Set attributes on an SQS queue. CLI example to set attributes on a queue: salt myminion boto_sqs.set_attributes myqueue '{ReceiveMessageWaitTimeSeconds: 20}' region=us-east-1 salt.modules.boto_vpc Connection module for Amazon VPC New in version 2014.7.0. configuration This module accepts explicit VPC credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: vpc.keyid: GKTADJGHEIQSXMKKRBJ08H vpc.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: vpc.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Changed in version 2015.8.0: All methods now return a dictionary. Create and delete methods return: created: true or created: false error: message: error message Request methods (e.g., describe_vpc) return: vpcs: - {...} - {...} or error: message: error message depends boto salt.modules.boto_vpc.associate_dhcp_options_to_vpc(dhcp_options_id, vpc_id=None, vpc_name=None, region=None, key=None, keyid=None, profile=None) Given valid DHCP options id and a valid VPC id, associate the DHCP options record with the VPC. Returns True if the DHCP options record were associated and returns False if the DHCP options record was not associated. CLI Example: salt myminion boto_vpc.associate_dhcp_options_to_vpc 'dhcp-a0bl34pp' 'vpc-6b1fe402' salt.modules.boto_vpc.associate_network_acl_to_subnet(network_acl_id=None, subnet_id=None, network_acl_name=None, subnet_name=None, region=None, key=None, keyid=None, profile=None) Given a network acl and subnet ids or names, associate a network acl to a subnet. CLI Example: salt myminion boto_vpc.associate_network_acl_to_subnet \ network_acl_id='acl-5fb85d36' subnet_id='subnet-6a1fe403' salt myminion boto_vpc.associate_network_acl_to_subnet \ network_acl_id='myacl' subnet_id='mysubnet' salt.modules.boto_vpc.associate_new_dhcp_options_to_vpc(vpc_id, domain_name=None, domain_name_servers=None, ntp_servers=None, netbios_name_servers=None, netbios_node_type=None, region=None, key=None, keyid=None, profile=None) ..deprecated:: Boron This function has been deprecated in favor of boto_vpc.create_dhcp_options, which now takes vpc_id or vpc_name as kwargs. This function will be removed in the Salt Boron release. Given valid DHCP options and a valid VPC id, create and associate the DHCP options record with the VPC. CLI Example: salt myminion boto_vpc.associate_new_dhcp_options_to_vpc 'vpc-6b1fe402' domain_name='example.com' domain_name_servers='[1.2.3.4]' ntp_servers='[5.6.7.8]' netbios_name_servers='[10.0.0.1]' netbios_node_type=1 salt.modules.boto_vpc.associate_new_network_acl_to_subnet(vpc_id, subnet_id, network_acl_name=None, tags=None, region=None, key=None, keyid=None, profile=None) ..deprecated:: Boron This function has been deprecated in favor of boto_vpc.create_network_acl, which now takes subnet_id or subnet_name as kwargs. This function will be removed in the Salt Boron release. Given a vpc ID and a subnet ID, associates a new network act to a subnet. Returns a dictionary containing the network acl id and the new association id if successful. If unsuccessful, returns False. CLI Example: salt myminion boto_vpc.associate_new_network_acl_to_subnet 'vpc-6b1fe402' 'subnet-6a1fe403' salt.modules.boto_vpc.associate_route_table(route_table_id=None, subnet_id=None, route_table_name=None, subnet_name=None, region=None, key=None, keyid=None, profile=None) Given a route table and subnet name or id, associates the route table with the subnet. CLI Example: salt myminion boto_vpc.associate_route_table 'rtb-1f382e7d' 'subnet-6a1fe403' salt myminion boto_vpc.associate_route_table route_table_name='myrtb' \ subnet_name='mysubnet' salt.modules.boto_vpc.create(cidr_block, instance_tenancy=None, vpc_name=None, enable_dns_support=None, enable_dns_hostnames=None, tags=None, region=None, key=None, keyid=None, profile=None) Given a valid CIDR block, create a VPC. An optional instance_tenancy argument can be provided. If provided, the valid values are 'default' or 'dedicated' An optional vpc_name argument can be provided. Returns {created: true} if the VPC was created and returns {created: False} if the VPC was not created. CLI Example: salt myminion boto_vpc.create '10.0.0.0/24' salt.modules.boto_vpc.create_customer_gateway(vpn_connection_type, ip_address, bgp_asn, customer_gateway_name=None, tags=None, region=None, key=None, keyid=None, profile=None) Given a valid VPN connection type, a static IP address and a customer gateway’s Border Gateway Protocol (BGP) Autonomous System Number, create a customer gateway. Returns the customer gateway id if the customer gateway was created and returns False if the customer gateway was not created. CLI Example: salt myminion boto_vpc.create_customer_gateway 'ipsec.1', '12.1.2.3', 65534 salt.modules.boto_vpc.create_dhcp_options(domain_name=None, domain_name_servers=None, ntp_servers=None, netbios_name_servers=None, netbios_node_type=None, dhcp_options_name=None, tags=None, vpc_id=None, vpc_name=None, region=None, key=None, keyid=None, profile=None) Given valid DHCP options, create a DHCP options record, optionally associating it with an existing VPC. Returns True if the DHCP options record was created and returns False if the DHCP options record was not deleted. Changed in version 2015.8.0: Added vpc_name and vpc_id arguments CLI Example: salt myminion boto_vpc.create_dhcp_options domain_name='example.com' \ domain_name_servers='[1.2.3.4]' ntp_servers='[5.6.7.8]' \ netbios_name_servers='[10.0.0.1]' netbios_node_type=1 \ vpc_name='myvpc' salt.modules.boto_vpc.create_internet_gateway(internet_gateway_name=None, vpc_id=None, vpc_name=None, tags=None, region=None, key=None, keyid=None, profile=None) Create an Internet Gateway, optionally attaching it to an existing VPC. Returns the internet gateway id if the internet gateway was created and returns False if the internet gateways was not created. New in version 2015.8.0. CLI Example: salt myminion boto_vpc.create_internet_gateway \ internet_gateway_name=myigw vpc_name=myvpc salt.modules.boto_vpc.create_network_acl(vpc_id=None, vpc_name=None, network_acl_name=None, subnet_id=None, subnet_name=None, tags=None, region=None, key=None, keyid=None, profile=None) Given a vpc_id, creates a network acl. Returns the network acl id if successful, otherwise returns False. Changed in version 2015.8.0: Added vpc_name, subnet_id, and subnet_name arguments CLI Example: salt myminion boto_vpc.create_network_acl 'vpc-6b1fe402' salt.modules.boto_vpc.create_network_acl_entry(network_acl_id=None, rule_number=None, protocol=None, rule_action=None, cidr_block=None, egress=None, network_acl_name=None, icmp_code=None, icmp_type=None, port_range_from=None, port_range_to=None, region=None, key=None, keyid=None, profile=None) Creates a network acl entry. CLI Example: salt myminion boto_vpc.create_network_acl_entry 'acl-5fb85d36' '32767' \ 'all' 'deny' '0.0.0.0/0' egress=true salt.modules.boto_vpc.create_route(route_table_id=None, destination_cidr_block=None, route_table_name=None, gateway_id=None, internet_gateway_name=None, instance_id=None, interface_id=None, region=None, key=None, keyid=None, profile=None) Creates a route. CLI Example: salt myminion boto_vpc.create_route 'rtb-1f382e7d' '10.0.0.0/16' gateway_id='vgw-a1b2c3' salt.modules.boto_vpc.create_route_table(vpc_id=None, vpc_name=None, route_table_name=None, tags=None, region=None, key=None, keyid=None, profile=None) Creates a route table. Changed in version 2015.8.0: Added vpc_name argument CLI Examples: salt myminion boto_vpc.create_route_table vpc_id='vpc-6b1fe402' \ route_table_name='myroutetable' salt myminion boto_vpc.create_route_table vpc_name='myvpc' \ route_table_name='myroutetable' salt.modules.boto_vpc.create_subnet(vpc_id=None, cidr_block=None, vpc_name=None, availability_zone=None, subnet_name=None, tags=None, region=None, key=None, keyid=None, profile=None) Given a valid VPC ID or Name and a CIDR block, create a subnet for the VPC. An optional availability zone argument can be provided. Returns True if the VPC subnet was created and returns False if the VPC subnet was not created. Changed in version 2015.8.0: Added vpc_name argument CLI Examples: salt myminion boto_vpc.create_subnet vpc_id='vpc-6b1fe402' \ subnet_name='mysubnet' cidr_block='10.0.0.0/25' salt myminion boto_vpc.create_subnet vpc_name='myvpc' \ subnet_name='mysubnet', cidr_block='10.0.0.0/25' salt.modules.boto_vpc.customer_gateway_exists(customer_gateway_id=None, customer_gateway_name=None, region=None, key=None, keyid=None, profile=None) Given a customer gateway ID, check if the customer gateway ID exists. Returns True if the customer gateway ID exists; Returns False otherwise. CLI Example: salt myminion boto_vpc.customer_gateway_exists cgw-b6a247df salt myminion boto_vpc.customer_gateway_exists customer_gatway_name=mycgw salt.modules.boto_vpc.delete(vpc_id=None, name=None, vpc_name=None, tags=None, region=None, key=None, keyid=None, profile=None) Given a VPC ID or VPC name, delete the VPC. Returns {deleted: true} if the VPC was deleted and returns {deleted: false} if the VPC was not deleted. CLI Example: salt myminion boto_vpc.delete vpc_id='vpc-6b1fe402' salt myminion boto_vpc.delete name='myvpc' salt.modules.boto_vpc.delete_customer_gateway(customer_gateway_id=None, customer_gateway_name=None, region=None, key=None, keyid=None, profile=None) Given a customer gateway ID or name, delete the customer gateway. Returns True if the customer gateway was deleted and returns False if the customer gateway was not deleted. Changed in version 2015.8.0: Added customer_gateway_name argument CLI Example: salt myminion boto_vpc.delete_customer_gateway 'cgw-b6a247df' salt.modules.boto_vpc.delete_dhcp_options(dhcp_options_id=None, dhcp_options_name=None, region=None, key=None, keyid=None, profile=None) Delete dhcp options by id or name. New in version 2015.8.0. CLI Example: salt myminion boto_vpc.delete_dhcp_options 'dopt-b6a247df' salt.modules.boto_vpc.delete_internet_gateway(internet_gateway_id=None, internet_gateway_name=None, detach=False, region=None, key=None, keyid=None, profile=None) Delete an internet gateway (by name or id). Returns True if the internet gateway was deleted and otherwise False. New in version 2015.8.0. CLI Examples: salt myminion boto_vpc.delete_internet_gateway internet_gateway_id=igw-1a2b3c salt myminion boto_vpc.delete_internet_gateway internet_gateway_name=myigw salt.modules.boto_vpc.delete_network_acl(network_acl_id=None, network_acl_name=None, disassociate=False, region=None, key=None, keyid=None, profile=None) Delete a network acl based on the network_acl_id or network_acl_name provided. CLI Examples: salt myminion boto_vpc.delete_network_acl network_acl_id='acl-5fb85d36' \ disassociate=false salt myminion boto_vpc.delete_network_acl network_acl_name='myacl' \ disassociate=true salt.modules.boto_vpc.delete_network_acl_entry(network_acl_id=None, rule_number=None, egress=None, network_acl_name=None, region=None, key=None, keyid=None, profile=None) Deletes a network acl entry. CLI Example: salt myminion boto_vpc.delete_network_acl_entry 'acl-5fb85d36' '32767' salt.modules.boto_vpc.delete_route(route_table_id=None, destination_cidr_block=None, route_table_name=None, region=None, key=None, keyid=None, profile=None) Deletes a route. CLI Example: salt myminion boto_vpc.delete_route 'rtb-1f382e7d' '10.0.0.0/16' salt.modules.boto_vpc.delete_route_table(route_table_id=None, route_table_name=None, region=None, key=None, keyid=None, profile=None) Deletes a route table. CLI Examples: salt myminion boto_vpc.delete_route_table route_table_id='rtb-1f382e7d' salt myminion boto_vpc.delete_route_table route_table_name='myroutetable' salt.modules.boto_vpc.delete_subnet(subnet_id=None, subnet_name=None, region=None, key=None, keyid=None, profile=None) Given a subnet ID or name, delete the subnet. Returns True if the subnet was deleted and returns False if the subnet was not deleted. Changed in version 2015.8.0: Added subnet_name argument CLI Example: salt myminion boto_vpc.delete_subnet 'subnet-6a1fe403' salt.modules.boto_vpc.describe(vpc_id=None, vpc_name=None, region=None, key=None, keyid=None, profile=None) Given a VPC ID describe its properties. Returns a dictionary of interesting properties. Changed in version 2015.8.0: Added vpc_name argument CLI Example: salt myminion boto_vpc.describe vpc_id=vpc-123456 salt myminion boto_vpc.describe vpc_name=myvpc salt.modules.boto_vpc.describe_route_table(route_table_id=None, route_table_name=None, tags=None, region=None, key=None, keyid=None, profile=None) Given route table properties, return route table details if matching table(s) exist. New in version 2015.8.0. CLI Example: salt myminion boto_vpc.describe_route_table route_table_id='rtb-1f382e7d' salt.modules.boto_vpc.describe_subnet(subnet_id=None, subnet_name=None, region=None, key=None, keyid=None, profile=None) Given a subnet id or name, describe its properties. Returns a dictionary of interesting properties. New in version 2015.8.0. CLI Examples: salt myminion boto_vpc.describe_subnet subnet_id=subnet-123456 salt myminion boto_vpc.describe_subnet subnet_name=mysubnet salt.modules.boto_vpc.describe_subnets(subnet_ids=None, subnet_names=None, vpc_id=None, cidr=None, region=None, key=None, keyid=None, profile=None) Given a VPC ID or subnet CIDR, returns a list of associated subnets and their details. Return all subnets if VPC ID or CIDR are not provided. If a subnet id or CIDR is provided, only its associated subnet details will be returned. New in version 2015.8.0. CLI Examples: salt myminion boto_vpc.describe_subnets salt myminion boto_vpc.describe_subnets subnet_ids=['subnet-ba1987ab', 'subnet-ba1987cd'] salt myminion boto_vpc.describe_subnets vpc_id=vpc-123456 salt myminion boto_vpc.describe_subnets cidr=10.0.0.0/21 salt.modules.boto_vpc.describe_vpcs(vpc_id=None, name=None, cidr=None, tags=None, region=None, key=None, keyid=None, profile=None) Describe all VPCs, matching the filter criteria if provided. Returns a a list of dictionaries with interesting properties. New in version 2015.8.0. CLI Example: salt myminion boto_vpc.describe_vpcs salt.modules.boto_vpc.dhcp_options_exists(dhcp_options_id=None, name=None, dhcp_options_name=None, tags=None, region=None, key=None, keyid=None, profile=None) Check if a dhcp option exists. Returns True if the dhcp option exists; Returns False otherwise. CLI Example: salt myminion boto_vpc.dhcp_options_exists dhcp_options_id='dhcp-a0bl34pp' salt.modules.boto_vpc.disassociate_network_acl(subnet_id=None, vpc_id=None, subnet_name=None, vpc_name=None, region=None, key=None, keyid=None, profile=None) Given a subnet ID, disassociates a network acl. CLI Example: salt myminion boto_vpc.disassociate_network_acl 'subnet-6a1fe403' salt.modules.boto_vpc.disassociate_route_table(association_id, region=None, key=None, keyid=None, profile=None) Dissassociates a route table. association_id The Route Table Association ID to disassociate CLI Example: salt myminion boto_vpc.disassociate_route_table 'rtbassoc-d8ccddba' salt.modules.boto_vpc.exists(vpc_id=None, name=None, cidr=None, tags=None, region=None, key=None, keyid=None, profile=None) Given a VPC ID, check to see if the given VPC ID exists. Returns True if the given VPC ID exists and returns False if the given VPC ID does not exist. CLI Example: salt myminion boto_vpc.exists myvpc salt.modules.boto_vpc.get_id(name=None, cidr=None, tags=None, region=None, key=None, keyid=None, profile=None) Given VPC properties, return the VPC id if a match is found. CLI Example: salt myminion boto_vpc.get_id myvpc salt.modules.boto_vpc.get_resource_id(resource, name=None, resource_id=None, region=None, key=None, keyid=None, profile=None) Get an AWS id for a VPC resource by type and name. New in version 2015.8.0. CLI Example: salt myminion boto_vpc.get_resource_id internet_gateway myigw salt.modules.boto_vpc.get_subnet_association(subnets, region=None, key=None, keyid=None, profile=None) Given a subnet (aka: a vpc zone identifier) or list of subnets, returns vpc association. Returns a VPC ID if the given subnets are associated with the same VPC ID. Returns False on an error or if the given subnets are associated with different VPC IDs. CLI Examples: salt myminion boto_vpc.get_subnet_association subnet-61b47516 salt myminion boto_vpc.get_subnet_association ['subnet-61b47516','subnet-2cb9785b'] salt.modules.boto_vpc.network_acl_exists(network_acl_id=None, name=None, network_acl_name=None, tags=None, region=None, key=None, keyid=None, profile=None) Checks if a network acl exists. Returns True if the network acl exists or returns False if it doesn't exist. CLI Example: salt myminion boto_vpc.network_acl_exists network_acl_id='acl-5fb85d36' salt.modules.boto_vpc.replace_network_acl_entry(network_acl_id=None, rule_number=None, protocol=None, rule_action=None, cidr_block=None, egress=None, network_acl_name=None, icmp_code=None, icmp_type=None, port_range_from=None, port_range_to=None, region=None, key=None, keyid=None, profile=None) Replaces a network acl entry. CLI Example: salt myminion boto_vpc.replace_network_acl_entry 'acl-5fb85d36' '32767' \ 'all' 'deny' '0.0.0.0/0' egress=true salt.modules.boto_vpc.replace_route(route_table_id=None, destination_cidr_block=None, route_table_name=None, gateway_id=None, instance_id=None, interface_id=None, region=None, key=None, keyid=None, profile=None) Replaces a route. CLI Example: salt myminion boto_vpc.replace_route 'rtb-1f382e7d' '10.0.0.0/16' gateway_id='vgw-a1b2c3' salt.modules.boto_vpc.replace_route_table_association(association_id, route_table_id, region=None, key=None, keyid=None, profile=None) Replaces a route table association. CLI Example: salt myminion boto_vpc.replace_route_table_association 'rtbassoc-d8ccddba' 'rtb-1f382e7d' salt.modules.boto_vpc.resource_exists(resource, name=None, resource_id=None, tags=None, region=None, key=None, keyid=None, profile=None) Given a resource type and name, return {exists: true} if it exists, {exists: false} if it does not exist, or {error: {message: error text} on error. New in version 2015.8.0. CLI Example: salt myminion boto_vpc.resource_exists internet_gateway myigw salt.modules.boto_vpc.route_exists(destination_cidr_block, route_table_name=None, route_table_id=None, gateway_id=None, instance_id=None, interface_id=None, tags=None, region=None, key=None, keyid=None, profile=None) Checks if a route exists. New in version 2015.8.0. CLI Example: salt myminion boto_vpc.route_exists destination_cidr_block='10.0.0.0/20' gateway_id='local' route_table_name='test' salt.modules.boto_vpc.route_table_exists(route_table_id=None, name=None, route_table_name=None, tags=None, region=None, key=None, keyid=None, profile=None) Checks if a route table exists. CLI Example: salt myminion boto_vpc.route_table_exists route_table_id='rtb-1f382e7d' salt.modules.boto_vpc.subnet_exists(subnet_id=None, name=None, subnet_name=None, cidr=None, tags=None, zones=None, region=None, key=None, keyid=None, profile=None) Check if a subnet exists. Returns True if the subnet exists, otherwise returns False. Changed in version 2015.8.0: Added subnet_name argument Deprecated name argument CLI Example: salt myminion boto_vpc.subnet_exists subnet_id='subnet-6a1fe403' salt.modules.bower Manage and query Bower packages This module manages the installed packages using Bower. Note that npm, git and bower must be installed for this module to be available. salt.modules.bower.install(pkg, dir, pkgs=None, runas=None, env=None) Install a Bower package. If no package is specified, the dependencies (from bower.json) of the package in the given directory will be installed. pkg A package name in any format accepted by Bower, including a version identifier dir The target directory in which to install the package pkgs A list of package names in the same format as the pkg parameter runas The user to run Bower with env Environment variables to set when invoking Bower. Uses the same env format as the cmd.run execution function. CLI Example: salt '*' bower.install underscore /path/to/project salt '*' bower.install jquery#2.0 /path/to/project salt.modules.bower.list(dir, runas=None, env=None) List installed Bower packages. dir The directory whose packages will be listed runas The user to run Bower with env Environment variables to set when invoking Bower. Uses the same env format as the cmd.run execution function. CLI Example: salt '*' bower.list /path/to/project salt.modules.bower.uninstall(pkg, dir, runas=None, env=None) Uninstall a Bower package. pkg A package name in any format accepted by Bower dir The target directory from which to uninstall the package runas The user to run Bower with env Environment variables to set when invoking Bower. Uses the same env format as the cmd.run execution function. CLI Example: salt '*' bower.uninstall underscore /path/to/project salt.modules.brew Homebrew for Mac OS X salt.modules.brew.install(name=None, pkgs=None, taps=None, options=None, **kwargs) Install the passed package(s) with brew install name The name of the formula to be installed. Note that this parameter is ignored if "pkgs" is passed. CLI Example: salt '*' pkg.install <package name> taps Unofficial GitHub repos to use when updating and installing formulas. CLI Example: salt '*' pkg.install <package name> tap='<tap>' salt '*' pkg.install zlib taps='homebrew/dupes' salt '*' pkg.install php54 taps='["josegonzalez/php", "homebrew/dupes"]' options Options to pass to brew. Only applies to initial install. Due to how brew works, modifying chosen options requires a full uninstall followed by a fresh install. Note that if "pkgs" is used, all options will be passed to all packages. Unrecognized options for a package will be silently ignored by brew. CLI Example: salt '*' pkg.install <package name> tap='<tap>' salt '*' pkg.install php54 taps='["josegonzalez/php", "homebrew/dupes"]' options='["--with-fpm"]' Multiple Package Installation Options: pkgs A list of formulas to install. Must be passed as a python list. CLI Example: salt '*' pkg.install pkgs='["foo","bar"]' Returns a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.install 'package package package' salt.modules.brew.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation Note that this currently not fully implemented but needs to return something to avoid a traceback when calling pkg.latest. CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> <package3> salt.modules.brew.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed in a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt.modules.brew.list_upgrades(refresh=True) Check whether or not an upgrade is available for all packages CLI Example: salt '*' pkg.list_upgrades salt.modules.brew.refresh_db() Update the homebrew package repository. CLI Example: salt '*' pkg.refresh_db salt.modules.brew.remove(name=None, pkgs=None, **kwargs) Removes packages with brew uninstall. name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.brew.upgrade(refresh=True) Upgrade outdated, unpinned brews. refresh Fetch the newest version of Homebrew and all formulae from GitHub before installing. Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.upgrade salt.modules.brew.upgrade_available(pkg) Check whether or not an upgrade is available for a given package CLI Example: salt '*' pkg.upgrade_available <package name> salt.modules.brew.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> salt.modules.bridge Module for gathering and managing bridging information salt.modules.bridge.add(br=None) Creates a bridge CLI Example: salt '*' bridge.add br0 salt.modules.bridge.addif(br=None, iface=None) Adds an interface to a bridge CLI Example: salt '*' bridge.addif br0 eth0 salt.modules.bridge.delete(br=None) Deletes a bridge CLI Example: salt '*' bridge.delete br0 salt.modules.bridge.delif(br=None, iface=None) Removes an interface from a bridge CLI Example: salt '*' bridge.delif br0 eth0 salt.modules.bridge.find_interfaces(*args) Returns the bridge to which the interfaces are bond to CLI Example: salt '*' bridge.find_interfaces eth0 [eth1...] salt.modules.bridge.interfaces(br=None) Returns interfaces attached to a bridge CLI Example: salt '*' bridge.interfaces br0 salt.modules.bridge.list() Returns the machine's bridges list CLI Example: salt '*' bridge.list salt.modules.bridge.show(br=None) Returns bridges interfaces along with enslaved physical interfaces. If no interface is given, all bridges are shown, else only the specified bridge values are returned. CLI Example: salt '*' bridge.show salt '*' bridge.show br0 salt.modules.bridge.stp(br=None, state='disable', iface=None) Sets Spanning Tree Protocol state for a bridge CLI Example: salt '*' bridge.stp br0 enable salt '*' bridge.stp br0 disable For BSD-like operating systems, it is required to add the interface on which to enable the STP. CLI Example: salt '*' bridge.stp bridge0 enable fxp0 salt '*' bridge.stp bridge0 disable fxp0 salt.modules.bsd_shadow Manage the password database on BSD systems salt.modules.bsd_shadow.default_hash() Returns the default hash used for unset passwords CLI Example: salt '*' shadow.default_hash salt.modules.bsd_shadow.del_password(name) New in version 2015.8.2. Delete the password from name user CLI Example: salt '*' shadow.del_password username salt.modules.bsd_shadow.info(name) Return information for the specified user CLI Example: salt '*' shadow.info someuser salt.modules.bsd_shadow.set_change(name, change) Sets the time at which the password expires (in seconds since the EPOCH). See man usermod on NetBSD and OpenBSD or man pw on FreeBSD. "0" means the password never expires. CLI Example: salt '*' shadow.set_change username 1419980400 salt.modules.bsd_shadow.set_expire(name, expire) Sets the time at which the account expires (in seconds since the EPOCH). See man usermod on NetBSD and OpenBSD or man pw on FreeBSD. "0" means the account never expires. CLI Example: salt '*' shadow.set_expire username 1419980400 salt.modules.bsd_shadow.set_password(name, password) Set the password for a named user. The password must be a properly defined hash. The password hash can be generated with this command: python -c "import crypt; print crypt.crypt('password', ciphersalt)" NOTE: When constructing the ciphersalt string, you must escape any dollar signs, to avoid them being interpolated by the shell. 'password' is, of course, the password for which you want to generate a hash. ciphersalt is a combination of a cipher identifier, an optional number of rounds, and the cryptographic salt. The arrangement and format of these fields depends on the cipher and which flavor of BSD you are using. For more information on this, see the manpage for crpyt(3). On NetBSD, additional information is available in passwd.conf(5). It is important to make sure that a supported cipher is used. CLI Example: salt '*' shadow.set_password someuser '$1$UYCIxa628.9qXjpQCjM4a..' salt.modules.btrfs Module for managing BTRFS file systems. salt.modules.btrfs.add(mountpoint, *devices, **kwargs) Add a devices to a BTRFS filesystem. General options: • nodiscard: Do not perform whole device TRIM • force: Force overwrite existing filesystem on the disk CLI Example: salt '*' btrfs.add /mountpoint /dev/sda1 /dev/sda2 salt.modules.btrfs.convert(device, permanent=False, keeplf=False) Convert ext2/3/4 to BTRFS. Device should be mounted. Filesystem can be converted temporarily so the further processing and rollback is possible, or permanently, where previous extended filesystem image gets deleted. Please note, permanent conversion takes a while as BTRFS filesystem needs to be properly rebalanced afterwards. General options: • permanent: Specify if the migration should be permanent (false by default) • keeplf: Keep lost+found of the partition (removed by default, but still in the image, if not permanent migration) CLI Example: salt '*' btrfs.convert /dev/sda1 salt '*' btrfs.convert /dev/sda1 permanent=True salt.modules.btrfs.defragment(path) Defragment mounted BTRFS filesystem. In order to defragment a filesystem, device should be properly mounted and writable. If passed a device name, then defragmented whole filesystem, mounted on in. If passed a moun tpoint of the filesystem, then only this mount point is defragmented. CLI Example: salt '*' btrfs.defragment /dev/sda1 salt '*' btrfs.defragment /path/on/filesystem salt.modules.btrfs.delete(mountpoint, *devices, **kwargs) Remove devices from a BTRFS filesystem. CLI Example: salt '*' btrfs.delete /mountpoint /dev/sda1 /dev/sda2 salt.modules.btrfs.devices() Get known BTRFS formatted devices on the system. CLI Example: salt '*' btrfs.devices salt.modules.btrfs.features() List currently available BTRFS features. CLI Example: salt '*' btrfs.mkfs_features salt.modules.btrfs.info(device) Get BTRFS filesystem information. CLI Example: salt '*' btrfs.info /dev/sda1 salt.modules.btrfs.mkfs(*devices, **kwargs) Create a file system on the specified device. By default wipes out with force. General options: • allocsize: Specify the BTRFS offset from the start of the device. • bytecount: Specify the size of the resultant filesystem. • nodesize: Node size. • leafsize: Specify the nodesize, the tree block size in which btrfs stores data. • noforce: Prevent force overwrite when an existing filesystem is detected on the device. • sectorsize: Specify the sectorsize, the minimum data block allocation unit. • nodiscard: Do not perform whole device TRIM operation by default. • uuid: Pass UUID or pass True to generate one. Options: • dto: (raid0|raid1|raid5|raid6|raid10|single|dup) Specify how the data must be spanned across the devices specified. • mto: (raid0|raid1|raid5|raid6|raid10|single|dup) Specify how metadata must be spanned across the devices specified. • fts: Features (call salt <host> btrfs.features for full list of available features) See the mkfs.btrfs(8) manpage for a more complete description of corresponding options description. CLI Example: salt '*' btrfs.mkfs /dev/sda1 salt '*' btrfs.mkfs /dev/sda1 noforce=True salt.modules.btrfs.properties(obj, type=None, set=None) List properties for given btrfs object. The object can be path of BTRFS device, mount point, or any directories/files inside the BTRFS filesystem. General options: • type: Possible types are s[ubvol], f[ilesystem], i[node] and d[evice]. • force: Force overwrite existing filesystem on the disk • set: <key=value,key1=value1...> Options for a filesystem properties. CLI Example: salt '*' btrfs.properties /mountpoint salt '*' btrfs.properties /dev/sda1 type=subvol set='ro=false,label="My Storage"' salt.modules.btrfs.resize(mountpoint, size) Resize filesystem. General options: • mountpoint: Specify the BTRFS mountpoint to resize. • size: ([+/-]<newsize>[kKmMgGtTpPeE]|max) Specify the new size of the target. CLI Example: salt '*' btrfs.resize /mountpoint size=+1g salt '*' btrfs.resize /dev/sda1 size=max salt.modules.btrfs.usage(path) Show in which disk the chunks are allocated. CLI Example: salt '*' btrfs.usage /your/mountpoint salt.modules.btrfs.version() Return BTRFS version. CLI Example: salt '*' btrfs.version salt.modules.cabal Manage and query Cabal packages New in version 2015.8.0. salt.modules.cabal.install(pkg=None, pkgs=None, user=None, install_global=False, env=None) Install a cabal package. pkg A package name in format accepted by cabal-install. See: https://wiki.haskell.org/Cabal-Install pkgs A list of packages names in same format as pkg user The user to run cabal install with install_global Install package globally instead of locally env Environment variables to set when invoking cabal. Uses the same env format as the cmd.run execution function CLI Example: salt '*' cabal.install shellcheck salt '*' cabal.install shellcheck-0.3.5 salt.modules.cabal.list(pkg=None, user=None, installed=False, env=None) List packages matching a search string. pkg Search string for matching package names user The user to run cabal list with installed If True, only return installed packages. env Environment variables to set when invoking cabal. Uses the same env format as the cmd.run execution function CLI example: salt '*' cabal.list salt '*' cabal.list ShellCheck salt.modules.cabal.uninstall(pkg, user=None, env=None) Uninstall a cabal package. pkg The package to uninstall user The user to run ghc-pkg unregister with env Environment variables to set when invoking cabal. Uses the same env format as the cmd.run execution function salt.modules.cabal.update(user=None, env=None) Updates list of known packages. salt.modules.cassandra Cassandra NoSQL Database Module depends • pycassa Cassandra Python adapter configuration The location of the 'nodetool' command, host, and thrift port needs to be specified via pillar: cassandra.nodetool: /usr/local/bin/nodetool cassandra.host: localhost cassandra.thrift_port: 9160 salt.modules.cassandra.column_families(keyspace=None) Return existing column families for all keyspaces or just the provided one. CLI Example: salt '*' cassandra.column_families salt '*' cassandra.column_families <keyspace> salt.modules.cassandra.column_family_definition(keyspace, column_family) Return a dictionary of column family definitions for the given keyspace/column_family CLI Example: salt '*' cassandra.column_family_definition <keyspace> <column_family> salt.modules.cassandra.compactionstats() Return compactionstats info CLI Example: salt '*' cassandra.compactionstats salt.modules.cassandra.info() Return cassandra node info CLI Example: salt '*' cassandra.info salt.modules.cassandra.keyspaces() Return existing keyspaces CLI Example: salt '*' cassandra.keyspaces salt.modules.cassandra.netstats() Return netstats info CLI Example: salt '*' cassandra.netstats salt.modules.cassandra.ring() Return cassandra ring info CLI Example: salt '*' cassandra.ring salt.modules.cassandra.tpstats() Return tpstats info CLI Example: salt '*' cassandra.tpstats salt.modules.cassandra.version() Return the cassandra version CLI Example: salt '*' cassandra.version salt.modules.cassandra_cql Cassandra Database Module New in version 2015.5.0. depends DataStax Python Driver for Apache Cassandra https://github.com/datastax/python-driver pip install cassandra-driver referenced by Salt's cassandra_cql returner configuration The Cassandra cluster members and connection port can either be specified in the master or minion config, the minion's pillar or be passed to the module. Example configuration in the config for a single node: cassandra: cluster: 192.168.50.10 port: 9000 Example configuration in the config for a cluster: cassandra: cluster: - 192.168.50.10 - 192.168.50.11 - 192.168.50.12 port: 9000 username: cas_admin salt.modules.cassandra_cql.cql_query(query, contact_points=None, port=None, cql_user=None, cql_pass=None) Run a query on a Cassandra cluster and return a dictionary. Parameters • query (str) -- The query to execute. • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. • port (int) -- The Cassandra cluster port, defaults to None. • params (str) -- The parameters for the query, optional. Returns A dictionary from the return values of the query Return type list[dict] salt.modules.cassandra_cql.create_keyspace(keyspace, replication_strategy='SimpleStrategy', replication_factor=1, replication_datacenters=None, contact_points=None, port=None, cql_user=None, cql_pass=None) Create a new keyspace in Cassandra. Parameters • keyspace (str) -- The keyspace name • replication_strategy (str) -- either SimpleStrategy or NetworkTopologyStrategy • replication_factor (int) -- number of replicas of data on multiple nodes. not used if using NetworkTopologyStrategy • replication_datacenters (str | dict[str, int]) -- string or dict of datacenter names to replication factors, required if using NetworkTopologyStrategy (will be a dict if coming from state file). • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. • port (int) -- The Cassandra cluster port, defaults to None. Returns The info for the keyspace or False if it does not exist. Return type dict salt 'minion1' cassandra_cql.create_keyspace keyspace=newkeyspace salt 'minion1' cassandra_cql.create_keyspace keyspace=newkeyspace replication_strategy=NetworkTopologyStrategy replication_datacenters='{"datacenter_1": 3, "datacenter_2": 2}' salt.modules.cassandra_cql.create_user(username, password, superuser=False, contact_points=None, port=None, cql_user=None, cql_pass=None) Create a new cassandra user with credentials and superuser status. Parameters • username (str) -- The name of the new user. • password (str) -- The password of the new user. • superuser (bool) -- Is the new user going to be a superuser? default: False • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. • port (int) -- The Cassandra cluster port, defaults to None. Returns Return type salt 'minion1' cassandra_cql.create_user username=joe password=secret salt 'minion1' cassandra_cql.create_user username=joe password=secret superuser=True salt 'minion1' cassandra_cql.create_user username=joe password=secret superuser=True contact_points=minion1 salt.modules.cassandra_cql.drop_keyspace(keyspace, contact_points=None, port=None, cql_user=None, cql_pass=None) Drop a keyspace if it exists in a Cassandra cluster. Parameters • keyspace (str) -- The keyspace to drop. • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. • port (int) -- The Cassandra cluster port, defaults to None. Returns The info for the keyspace or False if it does not exist. Return type dict CLI Example: salt 'minion1' cassandra_cql.drop_keyspace keyspace=test salt 'minion1' cassandra_cql.drop_keyspace keyspace=test contact_points=minion1 salt.modules.cassandra_cql.grant_permission(username, resource=None, resource_type='keyspace', permission=None, contact_points=None, port=None, cql_user=None, cql_pass=None) Grant permissions to a user. Parameters • username (str) -- The name of the user to grant permissions to. • resource (str) -- The resource (keyspace or table), if None, permissions for all resources are granted. • resource_type (str) -- The resource_type (keyspace or table), defaults to 'keyspace'. • permission (str) -- A permission name (e.g. select), if None, all permissions are granted. • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. • port (int) -- The Cassandra cluster port, defaults to None. Returns Return type salt 'minion1' cassandra_cql.grant_permission salt 'minion1' cassandra_cql.grant_permission username=joe resource=test_keyspace permission=select salt 'minion1' cassandra_cql.grant_permission username=joe resource=test_table resource_type=table permission=select contact_points=minion1 salt.modules.cassandra_cql.info(contact_points=None, port=None, cql_user=None, cql_pass=None) Show the Cassandra information for this cluster. Parameters • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. • port (int) -- The Cassandra cluster port, defaults to None. Returns The information for this Cassandra cluster. Return type dict CLI Example: salt 'minion1' cassandra_cql.info salt 'minion1' cassandra_cql.info contact_points=minion1 salt.modules.cassandra_cql.keyspace_exists(keyspace, contact_points=None, port=None, cql_user=None, cql_pass=None) Check if a keyspace exists in a Cassandra cluster. :param keyspace The keyspace name to check for. :type keyspace: str :param contact_points: The Cassandra cluster addresses, can either be a string or a list of IPs. :type contact_points: str | list[str] :param cql_user: The Cassandra user if authentication is turned on. :type cql_user: str :param cql_pass: The Cassandra user password if authentication is turned on. :type cql_pass: str :param port: The Cassandra cluster port, defaults to None. :type port: int :return: The info for the keyspace or False if it does not exist. :rtype: dict CLI Example: salt 'minion1' cassandra_cql.keyspace_exists keyspace=system salt 'minion1' cassandra_cql.list_keyspaces keyspace=system contact_points=minion1 salt.modules.cassandra_cql.list_column_families(keyspace=None, contact_points=None, port=None, cql_user=None, cql_pass=None) List column families in a Cassandra cluster for all keyspaces or just the provided one. Parameters • keyspace (str) -- The keyspace to provide the column families for, optional. • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. • port (int) -- The Cassandra cluster port, defaults to None. Returns The column families in this Cassandra cluster. Return type list[dict] CLI Example: salt 'minion1' cassandra_cql.list_column_families salt 'minion1' cassandra_cql.list_column_families contact_points=minion1 salt 'minion1' cassandra_cql.list_column_families keyspace=system salt.modules.cassandra_cql.list_keyspaces(contact_points=None, port=None, cql_user=None, cql_pass=None) List keyspaces in a Cassandra cluster. Parameters • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. • port (int) -- The Cassandra cluster port, defaults to None. Returns The keyspaces in this Cassandra cluster. Return type list[dict] CLI Example: salt 'minion1' cassandra_cql.list_keyspaces salt 'minion1' cassandra_cql.list_keyspaces contact_points=minion1 port=9000 salt.modules.cassandra_cql.list_permissions(username=None, resource=None, resource_type='keyspace', permission=None, contact_points=None, port=None, cql_user=None, cql_pass=None) List permissions. Parameters • username (str) -- The name of the user to list permissions for. • resource (str) -- The resource (keyspace or table), if None, permissions for all resources are listed. • resource_type (str) -- The resource_type (keyspace or table), defaults to 'keyspace'. • permission (str) -- A permission name (e.g. select), if None, all permissions are listed. • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. • port (int) -- The Cassandra cluster port, defaults to None. Returns Dictionary of permissions. Return type dict salt 'minion1' cassandra_cql.list_permissions salt 'minion1' cassandra_cql.list_permissions username=joe resource=test_keyspace permission=select salt 'minion1' cassandra_cql.list_permissions username=joe resource=test_table resource_type=table permission=select contact_points=minion1 salt.modules.cassandra_cql.list_users(contact_points=None, port=None, cql_user=None, cql_pass=None) List existing users in this Cassandra cluster. Parameters • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • port (int) -- The Cassandra cluster port, defaults to None. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. Returns The list of existing users. Return type dict salt 'minion1' cassandra_cql.list_users salt 'minion1' cassandra_cql.list_users contact_points=minion1 salt.modules.cassandra_cql.version(contact_points=None, port=None, cql_user=None, cql_pass=None) Show the Cassandra version. Parameters • contact_points (str | list[str]) -- The Cassandra cluster addresses, can either be a string or a list of IPs. • cql_user (str) -- The Cassandra user if authentication is turned on. • cql_pass (str) -- The Cassandra user password if authentication is turned on. • port (int) -- The Cassandra cluster port, defaults to None. Returns The version for this Cassandra cluster. Return type str CLI Example: salt 'minion1' cassandra_cql.version salt 'minion1' cassandra_cql.version contact_points=minion1 salt.modules.chassis Glue execution module to link to the fx2 proxymodule. Depends: iDRAC Remote execution module (salt.modules.dracr) For documentation on commands that you can direct to a Dell chassis via proxy, look in the documentation for salt.modules.dracr. This execution module calls through to a function in the fx2 proxy module called chconfig. That function looks up the function passed in the cmd parameter in salt.modules.dracr and calls it. New in version 2015.8.2. salt.modules.chassis.chassis_credentials() salt.modules.chassis.cmd(cmd, *args, **kwargs) salt.modules.chef Execute chef in server or solo mode salt.modules.chef.client(whyrun=False, localmode=False, logfile=None, **kwargs) Execute a chef client run and return a dict with the stderr, stdout, return code, and pid. CLI Example: salt '*' chef.client server=https://localhost server The chef server URL client_key Set the client key file location config The configuration file to use config-file-jail Directory under which config files are allowed to be loaded (no client.rb or knife.rb outside this path will be loaded). environment Set the Chef Environment on the node group Group to set privilege to json-attributes Load attributes from a JSON file or URL localmode Point chef-client at local repository if True log_level Set the log level (debug, info, warn, error, fatal) logfile Set the log file location node-name The node name for this client override-runlist Replace current run list with specified items for a single run pid Set the PID file location, defaults to /tmp/chef-client.pid run-lock-timeout Set maximum duration to wait for another client run to finish, default is indefinitely. runlist Permanently replace current run list with specified items user User to set privilege to validation_key Set the validation key file location, used for registering new clients whyrun Enable whyrun mode when set to True salt.modules.chef.solo(whyrun=False, logfile=None, **kwargs) Execute a chef solo run and return a dict with the stderr, stdout, return code, and pid. CLI Example: salt '*' chef.solo override-runlist=test config The configuration file to use environment Set the Chef Environment on the node group Group to set privilege to json-attributes Load attributes from a JSON file or URL log_level Set the log level (debug, info, warn, error, fatal) logfile Set the log file location node-name The node name for this client override-runlist Replace current run list with specified items for a single run recipe-url Pull down a remote gzipped tarball of recipes and untar it to the cookbook cache run-lock-timeout Set maximum duration to wait for another client run to finish, default is indefinitely. user User to set privilege to whyrun Enable whyrun mode when set to True salt.modules.chocolatey A dead simple module wrapping calls to the Chocolatey package manager (‐ http://chocolatey.org) New in version 2014.1.0. salt.modules.chocolatey.bootstrap(force=False) Download and install the latest version of the Chocolatey package manager via the official bootstrap. Chocolatey requires Windows PowerShell and the .NET v4.0 runtime. Depending on the host's version of Windows, chocolatey.bootstrap will attempt to ensure these prerequisites are met by downloading and executing the appropriate installers from Microsoft. Note that if PowerShell is installed, you may have to restart the host machine for Chocolatey to work. force Run the bootstrap process even if Chocolatey is found in the path. CLI Example: salt '*' chocolatey.bootstrap salt '*' chocolatey.bootstrap force=True salt.modules.chocolatey.chocolatey_version() New in version 2014.7.0. Returns the version of Chocolatey installed on the minion. CLI Example: salt '*' chocolatey.chocolatey_version salt.modules.chocolatey.install(name, version=None, source=None, force=False, install_args=None, override_args=False, force_x86=False) Instructs Chocolatey to install a package. name The name of the package to be installed. Only accepts a single argument. version Install a specific version of the package. Defaults to latest version. source Chocolatey repository (directory, share or remote URL feed) the package comes from. Defaults to the official Chocolatey feed. force Reinstall the current version of an existing package. install_args A list of install arguments you want to pass to the installation process i.e product key or feature list override_args Set to true if you want to override the original install arguments (for the native installer) in the package and use your own. When this is set to False install_args will be appended to the end of the default arguments force_x86 Force x86 (32bit) installation on 64 bit systems. Defaults to false. CLI Example: salt '*' chocolatey.install <package name> salt '*' chocolatey.install <package name> version=<package version> salt '*' chocolatey.install <package name> install_args=<args> override_args=True salt.modules.chocolatey.install_cygwin(name, install_args=None, override_args=False) Instructs Chocolatey to install a package via Cygwin. name The name of the package to be installed. Only accepts a single argument. install_args A list of install arguments you want to pass to the installation process i.e product key or feature list override_args Set to true if you want to override the original install arguments (for the native installer) in the package and use your own. When this is set to False install_args will be appended to the end of the default arguments CLI Example: salt '*' chocolatey.install_cygwin <package name> salt '*' chocolatey.install_cygwin <package name> install_args=<args> override_args=True salt.modules.chocolatey.install_gem(name, version=None, install_args=None, override_args=False) Instructs Chocolatey to install a package via Ruby's Gems. name The name of the package to be installed. Only accepts a single argument. version Install a specific version of the package. Defaults to latest version available. install_args A list of install arguments you want to pass to the installation process i.e product key or feature list override_args Set to true if you want to override the original install arguments (for the native installer) in the package and use your own. When this is set to False install_args will be appended to the end of the default arguments CLI Example: salt '*' chocolatey.install_gem <package name> salt '*' chocolatey.install_gem <package name> version=<package version> salt '*' chocolatey.install_gem <package name> install_args=<args> override_args=True salt.modules.chocolatey.install_missing(name, version=None, source=None) Instructs Chocolatey to install a package if it doesn't already exist. Changed in version 2014.7.0: If the minion has Chocolatey >= 0.9.8.24 installed, this function calls chocolatey.install instead, as installmissing is deprecated as of that version and will be removed in Chocolatey 1.0. name The name of the package to be installed. Only accepts a single argument. version Install a specific version of the package. Defaults to latest version available. source Chocolatey repository (directory, share or remote URL feed) the package comes from. Defaults to the official Chocolatey feed. CLI Example: salt '*' chocolatey.install_missing <package name> salt '*' chocolatey.install_missing <package name> version=<package version> salt.modules.chocolatey.install_python(name, version=None, install_args=None, override_args=False) Instructs Chocolatey to install a package via Python's easy_install. name The name of the package to be installed. Only accepts a single argument. version Install a specific version of the package. Defaults to latest version available. install_args A list of install arguments you want to pass to the installation process i.e product key or feature list override_args Set to true if you want to override the original install arguments (for the native installer) in the package and use your own. When this is set to False install_args will be appended to the end of the default arguments CLI Example: salt '*' chocolatey.install_python <package name> salt '*' chocolatey.install_python <package name> version=<package version> salt '*' chocolatey.install_python <package name> install_args=<args> override_args=True salt.modules.chocolatey.install_webpi(name, install_args=None, override_args=False) Instructs Chocolatey to install a package via the Microsoft Web PI service. name The name of the package to be installed. Only accepts a single argument. install_args A list of install arguments you want to pass to the installation process i.e product key or feature list override_args Set to true if you want to override the original install arguments (for the native installer) in the package and use your own. When this is set to False install_args will be appended to the end of the default arguments CLI Example: salt '*' chocolatey.install_webpi <package name> salt '*' chocolatey.install_webpi <package name> install_args=<args> override_args=True salt.modules.chocolatey.install_windowsfeatures(name) Instructs Chocolatey to install a Windows Feature via the Deployment Image Servicing and Management tool. name The name of the feature to be installed. Only accepts a single argument. CLI Example: salt '*' chocolatey.install_windowsfeatures <package name> salt.modules.chocolatey.list(narrow=None, all_versions=False, pre_versions=False, source=None, local_only=False) Instructs Chocolatey to pull a vague package list from the repository. narrow Term used to narrow down results. Searches against name/description/tag. all_versions Display all available package versions in results. Defaults to False. pre_versions Display pre-release packages in results. Defaults to False. source Chocolatey repository (directory, share or remote URL feed) the package comes from. Defaults to the official Chocolatey feed. local_only Display packages only installed locally CLI Example: salt '*' chocolatey.list <narrow> salt '*' chocolatey.list <narrow> all_versions=True salt.modules.chocolatey.list_webpi() Instructs Chocolatey to pull a full package list from the Microsoft Web PI repository. CLI Example: salt '*' chocolatey.list_webpi salt.modules.chocolatey.list_windowsfeatures() Instructs Chocolatey to pull a full package list from the Windows Features list, via the Deployment Image Servicing and Management tool. CLI Example: salt '*' chocolatey.list_windowsfeatures salt.modules.chocolatey.uninstall(name, version=None, uninstall_args=None, override_args=False) Instructs Chocolatey to uninstall a package. name The name of the package to be uninstalled. Only accepts a single argument. version Uninstalls a specific version of the package. Defaults to latest version installed. uninstall_args A list of uninstall arguments you want to pass to the uninstallation process i.e product key or feature list override_args Set to true if you want to override the original uninstall arguments (for the native uninstaller) in the package and use your own. When this is set to False uninstall_args will be appended to the end of the default arguments CLI Example: salt '*' chocolatey.uninstall <package name> salt '*' chocolatey.uninstall <package name> version=<package version> salt '*' chocolatey.uninstall <package name> version=<package version> uninstall_args=<args> override_args=True salt.modules.chocolatey.update(name, source=None, pre_versions=False) Instructs Chocolatey to update packages on the system. name The name of the package to update, or "all" to update everything installed on the system. source Chocolatey repository (directory, share or remote URL feed) the package comes from. Defaults to the official Chocolatey feed. pre_versions Include pre-release packages in comparison. Defaults to False. CLI Example: salt "*" chocolatey.update all salt "*" chocolatey.update <package name> pre_versions=True salt.modules.chocolatey.version(name, check_remote=False, source=None, pre_versions=False) Instructs Chocolatey to check an installed package version, and optionally compare it to one available from a remote feed. name The name of the package to check. check_remote Get the version number of the latest package from the remote feed. Defaults to False. source Chocolatey repository (directory, share or remote URL feed) the package comes from. Defaults to the official Chocolatey feed. pre_versions Include pre-release packages in comparison. Defaults to False. CLI Example: salt "*" chocolatey.version <package name> salt "*" chocolatey.version <package name> check_remote=True salt.modules.cloud Salt-specific interface for calling Salt Cloud directly salt.modules.cloud.action(fun=None, cloudmap=None, names=None, provider=None, instance=None, **kwargs) Execute a single action on the given provider/instance CLI Example: salt '*' cloud.action start instance=myinstance salt '*' cloud.action stop instance=myinstance salt '*' cloud.action show_image provider=my-ec2-config image=ami-1624987f salt.modules.cloud.create(provider, names, **kwargs) Create an instance using Salt Cloud CLI Example: salt minionname cloud.create my-ec2-config myinstance image=ami-1624987f size='t1.micro' ssh_username=ec2-user securitygroup=default delvol_on_destroy=True salt.modules.cloud.destroy(names) Destroy the named VM(s) CLI Example: salt '*' cloud.destroy myinstance salt.modules.cloud.full_query(query_type='list_nodes_full') List all available cloud provider data CLI Example: salt '*' cloud.full_query salt.modules.cloud.get_instance(name, provider=None) Return details on an instance. Similar to the cloud action show_instance but returns only the instance details. CLI Example: salt '*' cloud.get_instance myinstance SLS Example: {{ salt['cloud.get_instance']('myinstance')['mac_address'] }} salt.modules.cloud.has_instance(name, provider=None) Return true if the instance is found on a provider CLI Example: salt '*' cloud.has_instance myinstance salt.modules.cloud.list_images(provider='all') List cloud provider images for the given providers CLI Example: salt '*' cloud.list_images my-gce-config salt.modules.cloud.list_locations(provider='all') List cloud provider locations for the given providers CLI Example: salt '*' cloud.list_locations my-gce-config salt.modules.cloud.list_sizes(provider='all') List cloud provider sizes for the given providers CLI Example: salt '*' cloud.list_sizes my-gce-config salt.modules.cloud.network_create(provider, names, **kwargs) Create private network CLI Example: salt minionname cloud.network_create my-nova names=['salt'] cidr='192.168.100.0/24' salt.modules.cloud.network_list(provider) List private networks CLI Example: salt minionname cloud.network_list my-nova salt.modules.cloud.profile(profile, names, vm_overrides=None, **kwargs) Spin up an instance using Salt Cloud CLI Example: salt '*' cloud.profile my-gce-config myinstance salt.modules.cloud.query(query_type='list_nodes') List cloud provider data for all providers CLI Examples: salt '*' cloud.query salt '*' cloud.query list_nodes_full salt '*' cloud.query list_nodes_select salt.modules.cloud.select_query(query_type='list_nodes_select') List selected nodes CLI Example: salt '*' cloud.select_query salt.modules.cloud.virtual_interface_create(provider, names, **kwargs) Attach private interfaces to a server CLI Example: salt minionname cloud.virtual_interface_create my-nova names=['salt-master'] net_name='salt' salt.modules.cloud.virtual_interface_list(provider, names, **kwargs) List virtual interfaces on a server CLI Example: salt minionname cloud.virtual_interface_list my-nova names=['salt-master'] salt.modules.cloud.volume_attach(provider, names, **kwargs) Attach volume to a server CLI Example: salt minionname cloud.volume_attach my-nova myblock server_name=myserver device='/dev/xvdf' salt.modules.cloud.volume_create(provider, names, **kwargs) Create volume CLI Example: salt minionname cloud.volume_create my-nova myblock size=100 voltype=SSD salt.modules.cloud.volume_delete(provider, names, **kwargs) Delete volume CLI Example: salt minionname cloud.volume_delete my-nova myblock salt.modules.cloud.volume_detach(provider, names, **kwargs) Detach volume from a server CLI Example: salt minionname cloud.volume_detach my-nova myblock server_name=myserver salt.modules.cloud.volume_list(provider) List block storage volumes CLI Example: salt minionname cloud.volume_list my-nova salt.modules.cmdmod A module for shelling out. Keep in mind that this module is insecure, in that it can give whomever has access to the master root execution access to all salt minions. salt.modules.cmdmod.exec_code(lang, code, cwd=None) Pass in two strings, the first naming the executable language, aka - python2, python3, ruby, perl, lua, etc. the second string containing the code you wish to execute. The stdout will be returned. CLI Example: salt '*' cmd.exec_code ruby 'puts "cheese"' salt.modules.cmdmod.exec_code_all(lang, code, cwd=None) Pass in two strings, the first naming the executable language, aka - python2, python3, ruby, perl, lua, etc. the second string containing the code you wish to execute. All cmd artifacts (stdout, stderr, retcode, pid) will be returned. CLI Example: salt '*' cmd.exec_code_all ruby 'puts "cheese"' salt.modules.cmdmod.has_exec(cmd) Returns true if the executable is available on the minion, false otherwise CLI Example: salt '*' cmd.has_exec cat salt.modules.cmdmod.retcode(cmd, cwd=None, stdin=None, runas=None, shell='/bin/sh', python_shell=None, env=None, clean_env=False, template=None, umask=None, output_loglevel='debug', log_callback=None, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv='base', use_vt=False, **kwargs) Execute a shell command and return the command's return code. cmd: The command to run. ex: 'ls -lart /home' cwd The current working directory to execute the command in, defaults to /root stdin A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: runas User to run script as. shell Shell to execute under. Defaults to the system default shell. python_shell If False, let python handle the positional arguments. Set to True to use shell features, such as pipes or redirection env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} clean_env: Attempt to clean out all other shell environment variables and set only those provided in the 'env' argument to this function. template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently jinja, mako, and wempy are supported rstrip Strip all whitespace off the end of output before it is returned. umask The umask (in octal) to use when running the command. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. timeout A timeout in seconds for the executed process to return. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. Note that env represents the environment variables for the command, and should be formatted as a dict, or a YAML string which resolves to a dict. Return type int Return type None Returns Return Code as an int or None if there was an exception. CLI Example: salt '*' cmd.retcode "file /bin/bash" The template arg can be set to 'jinja' or another supported template engine to render the command arguments before execution. For example: salt '*' cmd.retcode template=jinja "file {{grains.pythonpath[0]}}/python" A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: salt '*' cmd.retcode "grep f" stdin='one\ntwo\nthree\nfour\nfive\n' salt.modules.cmdmod.run(cmd, cwd=None, stdin=None, runas=None, shell='/bin/sh', python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_loglevel='debug', log_callback=None, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv='base', use_vt=False, **kwargs) Execute the passed command and return the output as a string Note that env represents the environment variables for the command, and should be formatted as a dict, or a YAML string which resolves to a dict. cmd: The command to run. ex: 'ls -lart /home' cwd The current working directory to execute the command in, defaults to /root stdin A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: runas User to run script as. shell Shell to execute under. Defaults to the system default shell. python_shell If False, let python handle the positional arguments. Set to True to use shell features, such as pipes or redirection env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} clean_env: Attempt to clean out all other shell environment variables and set only those provided in the 'env' argument to this function. template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently jinja, mako, and wempy are supported rstrip Strip all whitespace off the end of output before it is returned. umask The umask (in octal) to use when running the command. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. timeout A timeout in seconds for the executed process to return. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. WARNING: This function does not process commands through a shell unless the python_shell flag is set to True. This means that any shell-specific functionality such as 'echo' or the use of pipes, redirection or &&, should either be migrated to cmd.shell or have the python_shell=True flag set here. The use of python_shell=True means that the shell will accept _any_ input including potentially malicious commands such as 'good_command;rm -rf /'. Be absolutely certain that you have sanitized your input prior to using python_shell=True CLI Example: salt '*' cmd.run "ls -l | awk '/foo/{print \$2}'" The template arg can be set to 'jinja' or another supported template engine to render the command arguments before execution. For example: salt '*' cmd.run template=jinja "ls -l /tmp/{{grains.id}} | awk '/foo/{print \$2}'" Specify an alternate shell with the shell parameter: salt '*' cmd.run "Get-ChildItem C:\ " shell='powershell' A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: salt '*' cmd.run "grep f" stdin='one\ntwo\nthree\nfour\nfive\n' If an equal sign (=) appears in an argument to a Salt command it is interpreted as a keyword argument in the format key=val. That processing can be bypassed in order to pass an equal sign through to the remote shell command by manually specifying the kwarg: salt '*' cmd.run cmd='sed -e s/=/:/g' salt.modules.cmdmod.run_all(cmd, cwd=None, stdin=None, runas=None, shell='/bin/sh', python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_loglevel='debug', log_callback=None, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv='base', use_vt=False, redirect_stderr=False, **kwargs) Execute the passed command and return a dict of return data cmd: The command to run. ex: 'ls -lart /home' cwd The current working directory to execute the command in, defaults to /root stdin A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: runas User to run script as. shell Shell to execute under. Defaults to the system default shell. python_shell If False, let python handle the positional arguments. Set to True to use shell features, such as pipes or redirection env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} clean_env: Attempt to clean out all other shell environment variables and set only those provided in the 'env' argument to this function. template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently jinja, mako, and wempy are supported rstrip Strip all whitespace off the end of output before it is returned. umask The umask (in octal) to use when running the command. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. timeout A timeout in seconds for the executed process to return. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. Note that env represents the environment variables for the command, and should be formatted as a dict, or a YAML string which resolves to a dict. redirect_stderr False If set to True, then stderr will be redirected to stdout. This is helpful for cases where obtaining both the retcode and output is desired, but it is not desired to have the output separated into both stdout and stderr. New in version 2015.8.2. CLI Example: salt '*' cmd.run_all "ls -l | awk '/foo/{print \$2}'" The template arg can be set to 'jinja' or another supported template engine to render the command arguments before execution. For example: salt '*' cmd.run_all template=jinja "ls -l /tmp/{{grains.id}} | awk '/foo/{print \$2}'" A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: salt '*' cmd.run_all "grep f" stdin='one\ntwo\nthree\nfour\nfive\n' salt.modules.cmdmod.run_chroot(root, cmd, cwd=None, stdin=None, runas=None, shell='/bin/sh', python_shell=True, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_loglevel='quiet', log_callback=None, quiet=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv='base', use_vt=False, **kwargs) New in version 2014.7.0. This function runs cmd.run_all wrapped within a chroot, with dev and proc mounted in the chroot root: Path to the root of the jail to use. cmd: The command to run. ex: 'ls -lart /home' cwd The current working directory to execute the command in, defaults to /root stdin A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: runas User to run script as. shell Shell to execute under. Defaults to the system default shell. python_shell If False, let python handle the positional arguments. Set to True to use shell features, such as pipes or redirection env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} clean_env: Attempt to clean out all other shell environment variables and set only those provided in the 'env' argument to this function. template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently jinja, mako, and wempy are supported rstrip Strip all whitespace off the end of output before it is returned. umask The umask (in octal) to use when running the command. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. timeout A timeout in seconds for the executed process to return. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. CLI Example: salt '*' cmd.run_chroot /var/lib/lxc/container_name/rootfs 'sh /tmp/bootstrap.sh' salt.modules.cmdmod.run_stderr(cmd, cwd=None, stdin=None, runas=None, shell='/bin/sh', python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_loglevel='debug', log_callback=None, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv='base', use_vt=False, **kwargs) Execute a command and only return the standard error cmd: The command to run. ex: 'ls -lart /home' cwd The current working directory to execute the command in, defaults to /root stdin A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: runas User to run script as. shell Shell to execute under. Defaults to the system default shell. python_shell If False, let python handle the positional arguments. Set to True to use shell features, such as pipes or redirection env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} clean_env: Attempt to clean out all other shell environment variables and set only those provided in the 'env' argument to this function. template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently jinja, mako, and wempy are supported rstrip Strip all whitespace off the end of output before it is returned. umask The umask (in octal) to use when running the command. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. timeout A timeout in seconds for the executed process to return. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. Note that env represents the environment variables for the command, and should be formatted as a dict, or a YAML string which resolves to a dict. CLI Example: salt '*' cmd.run_stderr "ls -l | awk '/foo/{print \$2}'" The template arg can be set to 'jinja' or another supported template engine to render the command arguments before execution. For example: salt '*' cmd.run_stderr template=jinja "ls -l /tmp/{{grains.id}} | awk '/foo/{print \$2}'" A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: salt '*' cmd.run_stderr "grep f" stdin='one\ntwo\nthree\nfour\nfive\n' salt.modules.cmdmod.run_stdout(cmd, cwd=None, stdin=None, runas=None, shell='/bin/sh', python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_loglevel='debug', log_callback=None, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv='base', use_vt=False, **kwargs) Execute a command, and only return the standard out cmd: The command to run. ex: 'ls -lart /home' cwd The current working directory to execute the command in, defaults to /root stdin A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: runas User to run script as. shell Shell to execute under. Defaults to the system default shell. python_shell If False, let python handle the positional arguments. Set to True to use shell features, such as pipes or redirection env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} clean_env: Attempt to clean out all other shell environment variables and set only those provided in the 'env' argument to this function. template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently jinja, mako, and wempy are supported rstrip Strip all whitespace off the end of output before it is returned. umask The umask (in octal) to use when running the command. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. timeout A timeout in seconds for the executed process to return. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. Note that env represents the environment variables for the command, and should be formatted as a dict, or a YAML string which resolves to a dict. CLI Example: salt '*' cmd.run_stdout "ls -l | awk '/foo/{print \$2}'" The template arg can be set to 'jinja' or another supported template engine to render the command arguments before execution. For example: salt '*' cmd.run_stdout template=jinja "ls -l /tmp/{{grains.id}} | awk '/foo/{print \$2}'" A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: salt '*' cmd.run_stdout "grep f" stdin='one\ntwo\nthree\nfour\nfive\n' salt.modules.cmdmod.script(source, args=None, cwd=None, stdin=None, runas=None, shell='/bin/sh', python_shell=None, env=None, template=None, umask=None, output_loglevel='debug', log_callback=None, quiet=False, timeout=None, reset_system_locale=True, __env__=None, saltenv='base', use_vt=False, **kwargs) Download a script from a remote location and execute the script locally. The script can be located on the salt master file server or on an HTTP/FTP server. The script will be executed directly, so it can be written in any available programming language. source The location of the script to download. If the file is located on the master in the directory named spam, and is called eggs, the source string is salt://spam/eggs args String of command line args to pass to the script. Only used if no args are specified as part of the name argument. To pass a string containing spaces in YAML, you will need to doubly-quote it: "arg1 'arg two' arg3" cwd The current working directory to execute the command in, defaults to /root stdin A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: runas User to run script as. shell Shell to execute under. Defaults to the system default shell. python_shell If False, let python handle the positional arguments. Set to True to use shell features, such as pipes or redirection env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently jinja, mako, and wempy are supported umask The umask (in octal) to use when running the command. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. quiet The command will be executed quietly, meaning no log entries of the actual command or its return data. This is deprecated as of the 2014.1.0 release, and is being replaced with output_loglevel: quiet. timeout If the command has not terminated after timeout seconds, send the subprocess sigterm, and if sigterm is ignored, follow up with sigkill use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. CLI Example: salt '*' cmd.script salt://scripts/runme.sh salt '*' cmd.script salt://scripts/runme.sh 'arg1 arg2 "arg 3"' salt '*' cmd.script salt://scripts/windows_task.ps1 args=' -Input c:\tmp\infile.txt' shell='powershell' salt '*' cmd.script salt://scripts/runme.sh stdin='one\ntwo\nthree\nfour\nfive\n' salt.modules.cmdmod.script_retcode(source, args=None, cwd=None, stdin=None, runas=None, shell='/bin/sh', python_shell=None, env=None, template='jinja', umask=None, timeout=None, reset_system_locale=True, __env__=None, saltenv='base', output_loglevel='debug', log_callback=None, use_vt=False, **kwargs) Download a script from a remote location and execute the script locally. The script can be located on the salt master file server or on an HTTP/FTP server. The script will be executed directly, so it can be written in any available programming language. The script can also be formatted as a template, the default is jinja. Only evaluate the script return code and do not block for terminal output source The location of the script to download. If the file is located on the master in the directory named spam, and is called eggs, the source string is salt://spam/eggs args String of command line args to pass to the script. Only used if no args are specified as part of the name argument. To pass a string containing spaces in YAML, you will need to doubly-quote it: "arg1 'arg two' arg3" cwd The current working directory to execute the command in, defaults to /root stdin A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: runas User to run script as. shell Shell to execute under. Defaults to the system default shell. python_shell If False, let python handle the positional arguments. Set to True to use shell features, such as pipes or redirection env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently jinja, mako, and wempy are supported umask The umask (in octal) to use when running the command. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. quiet The command will be executed quietly, meaning no log entries of the actual command or its return data. This is deprecated as of the 2014.1.0 release, and is being replaced with output_loglevel: quiet. timeout If the command has not terminated after timeout seconds, send the subprocess sigterm, and if sigterm is ignored, follow up with sigkill use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. CLI Example: salt '*' cmd.script_retcode salt://scripts/runme.sh salt '*' cmd.script_retcode salt://scripts/runme.sh 'arg1 arg2 "arg 3"' salt '*' cmd.script_retcode salt://scripts/windows_task.ps1 args=' -Input c:\tmp\infile.txt' shell='powershell' A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: salt '*' cmd.script_retcode salt://scripts/runme.sh stdin='one\ntwo\nthree\nfour\nfive\n' salt.modules.cmdmod.shell(cmd, cwd=None, stdin=None, runas=None, shell='/bin/sh', env=None, clean_env=False, template=None, rstrip=True, umask=None, output_loglevel='debug', log_callback=None, quiet=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv='base', use_vt=False, **kwargs) Execute the passed command and return the output as a string. New in version 2015.5.0. cmd: The command to run. ex: 'ls -lart /home' cwd The current working directory to execute the command in, defaults to /root stdin A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: runas User to run script as. shell Shell to execute under. Defaults to the system default shell. env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} clean_env: Attempt to clean out all other shell environment variables and set only those provided in the 'env' argument to this function. template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently jinja, mako, and wempy are supported rstrip Strip all whitespace off the end of output before it is returned. umask The umask (in octal) to use when running the command. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. timeout A timeout in seconds for the executed process to return. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. WARNING: This passes the cmd argument directly to the shell without any further processing! Be absolutely sure that you have properly santized the command passed to this function and do not use untrusted inputs. Note that env represents the environment variables for the command, and should be formatted as a dict, or a YAML string which resolves to a dict. CLI Example: salt '*' cmd.shell "ls -l | awk '/foo/{print \$2}'" The template arg can be set to 'jinja' or another supported template engine to render the command arguments before execution. For example: salt '*' cmd.shell template=jinja "ls -l /tmp/{{grains.id}} | awk '/foo/{print \$2}'" Specify an alternate shell with the shell parameter: salt '*' cmd.shell "Get-ChildItem C:\ " shell='powershell' A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input.: salt '*' cmd.shell "grep f" stdin='one\ntwo\nthree\nfour\nfive\n' If an equal sign (=) appears in an argument to a Salt command it is interpreted as a keyword argument in the format key=val. That processing can be bypassed in order to pass an equal sign through to the remote shell command by manually specifying the kwarg: salt '*' cmd.shell cmd='sed -e s/=/:/g' salt.modules.cmdmod.shells() Lists the valid shells on this system via the /etc/shells file New in version 2015.5.0. CLI Example: salt '*' cmd.shells salt.modules.cmdmod.tty(device, echo=None) Echo a string to a specific tty CLI Example: salt '*' cmd.tty tty0 'This is a test' salt '*' cmd.tty pts3 'This is a test' salt.modules.cmdmod.which(cmd) Returns the path of an executable available on the minion, None otherwise CLI Example: salt '*' cmd.which cat salt.modules.cmdmod.which_bin(cmds) Returns the first command found in a list of commands CLI Example: salt '*' cmd.which_bin '[pip2, pip, pip-python]' salt.modules.composer Use composer to install PHP dependencies for a directory salt.modules.composer.did_composer_install(dir) Test to see if the vendor directory exists in this directory dir Directory location of the composer.json file CLI Example: salt '*' composer.did_composer_install /var/www/application salt.modules.composer.install(dir, composer=None, php=None, runas=None, prefer_source=None, prefer_dist=None, no_scripts=None, no_plugins=None, optimize=None, no_dev=None, quiet=False, composer_home='/root') Install composer dependencies for a directory. If composer has not been installed globally making it available in the system PATH & making it executable, the composer and php parameters will need to be set to the location of the executables. dir Directory location of the composer.json file. composer Location of the composer.phar file. If not set composer will just execute "composer" as if it is installed globally. (i.e. /path/to/composer.phar) php Location of the php executable to use with composer. (i.e. /usr/bin/php) runas Which system user to run composer as. prefer_source --prefer-source option of composer. prefer_dist --prefer-dist option of composer. no_scripts --no-scripts option of composer. no_plugins --no-plugins option of composer. optimize --optimize-autoloader option of composer. Recommended for production. no_dev --no-dev option for composer. Recommended for production. quiet --quiet option for composer. Whether or not to return output from composer. composer_home $COMPOSER_HOME environment variable CLI Example: salt '*' composer.install /var/www/application salt '*' composer.install /var/www/application no_dev=True optimize=True salt.modules.composer.selfupdate(composer=None, php=None, runas=None, quiet=False, composer_home='/root') Update composer itself. If composer has not been installed globally making it available in the system PATH & making it executable, the composer and php parameters will need to be set to the location of the executables. composer Location of the composer.phar file. If not set composer will just execute "composer" as if it is installed globally. (i.e. /path/to/composer.phar) php Location of the php executable to use with composer. (i.e. /usr/bin/php) runas Which system user to run composer as. quiet --quiet option for composer. Whether or not to return output from composer. composer_home $COMPOSER_HOME environment variable CLI Example: salt '*' composer.selfupdate salt.modules.composer.update(dir, composer=None, php=None, runas=None, prefer_source=None, prefer_dist=None, no_scripts=None, no_plugins=None, optimize=None, no_dev=None, quiet=False, composer_home='/root') Update composer dependencies for a directory. If composer install has not yet been run, this runs composer install instead. If composer has not been installed globally making it available in the system PATH & making it executable, the composer and php parameters will need to be set to the location of the executables. dir Directory location of the composer.json file. composer Location of the composer.phar file. If not set composer will just execute "composer" as if it is installed globally. (i.e. /path/to/composer.phar) php Location of the php executable to use with composer. (i.e. /usr/bin/php) runas Which system user to run composer as. prefer_source --prefer-source option of composer. prefer_dist --prefer-dist option of composer. no_scripts --no-scripts option of composer. no_plugins --no-plugins option of composer. optimize --optimize-autoloader option of composer. Recommended for production. no_dev --no-dev option for composer. Recommended for production. quiet --quiet option for composer. Whether or not to return output from composer. composer_home $COMPOSER_HOME environment variable CLI Example: salt '*' composer.update /var/www/application salt '*' composer.update /var/www/application no_dev=True optimize=True salt.modules.config Return config information salt.modules.config.backup_mode(backup='') Return the backup mode CLI Example: salt '*' config.backup_mode salt.modules.config.dot_vals(value) Pass in a configuration value that should be preceded by the module name and a dot, this will return a list of all read key/value pairs CLI Example: salt '*' config.dot_vals host salt.modules.config.gather_bootstrap_script(bootstrap=None) Download the salt-bootstrap script, and return its location bootstrap URL of alternate bootstrap script CLI Example: salt '*' config.gather_bootstrap_script salt.modules.config.get(key, default='', delimiter=':', merge=None) Attempt to retrieve the named value from the minion config file, pillar, grains or the master config. If the named value is not available, return the value specified by default. If not specified, the default is an empty string. Values can also be retrieved from nested dictionaries. Assume the below data structure: {'pkg': {'apache': 'httpd'}} To retrieve the value associated with the apache key, in the sub-dictionary corresponding to the pkg key, the following command can be used: salt myminion config.get pkg:apache The : (colon) is used to represent a nested dictionary level. Changed in version 2015.5.0: The delimiter argument was added, to allow delimiters other than : to be used. This function traverses these data stores in this order, returning the first match found: • Minion config file • Minion's grains • Minion's pillar data • Master config file This means that if there is a value that is going to be the same for the majority of minions, it can be configured in the Master config file, and then overridden using the grains, pillar, or Minion config file. Arguments delimiter New in version 2015.5.0. Override the delimiter used to separate nested levels of a data structure. merge New in version 2015.5.0. If passed, this parameter will change the behavior of the function so that, instead of traversing each data store above in order and returning the first match, the data stores are first merged together and then searched. The pillar data is merged into the master config data, then the grains are merged, followed by the Minion config data. The resulting data structure is then searched for a match. This allows for configurations to be more flexible. NOTE: The merging described above does not mean that grain data will end up in the Minion's pillar data, or pillar data will end up in the master config data, etc. The data is just combined for the purposes of searching an amalgam of the different data stores. The supported merge strategies are as follows: • recurse - If a key exists in both dictionaries, and the new value is not a dictionary, it is replaced. Otherwise, the sub-dictionaries are merged together into a single dictionary, recursively on down, following the same criteria. For example: >>> dict1 = {'foo': {'bar': 1, 'qux': True}, 'hosts': ['a', 'b', 'c'], 'only_x': None} >>> dict2 = {'foo': {'baz': 2, 'qux': False}, 'hosts': ['d', 'e', 'f'], 'only_y': None} >>> merged {'foo': {'bar': 1, 'baz': 2, 'qux': False}, 'hosts': ['d', 'e', 'f'], 'only_dict1': None, 'only_dict2': None} • overwrite - If a key exists in the top level of both dictionaries, the new value completely overwrites the old. For example: >>> dict1 = {'foo': {'bar': 1, 'qux': True}, 'hosts': ['a', 'b', 'c'], 'only_x': None} >>> dict2 = {'foo': {'baz': 2, 'qux': False}, 'hosts': ['d', 'e', 'f'], 'only_y': None} >>> merged {'foo': {'baz': 2, 'qux': False}, 'hosts': ['d', 'e', 'f'], 'only_dict1': None, 'only_dict2': None} CLI Example: salt '*' config.get pkg:apache salt '*' config.get lxc.container_profile:centos merge=recurse salt.modules.config.manage_mode(mode) Return a mode value, normalized to a string CLI Example: salt '*' config.manage_mode salt.modules.config.merge(value, default='', omit_opts=False, omit_master=False, omit_pillar=False) Retrieves an option based on key, merging all matches. Same as option() except that it merges all matches, rather than taking the first match. CLI Example: salt '*' config.merge schedule salt.modules.config.option(value, default='', omit_opts=False, omit_master=False, omit_pillar=False) Pass in a generic option and receive the value that will be assigned CLI Example: salt '*' config.option redis.host salt.modules.config.valid_fileproto(uri) Returns a boolean value based on whether or not the URI passed has a valid remote file protocol designation CLI Example: salt '*' config.valid_fileproto salt://path/to/file salt.modules.consul Interact with Consul https://www.consul.io salt.modules.consul.acl_clone(consul_url=None, **kwargs) Information about an ACL token. Parameters • consul_url -- The Consul server URL. • id -- Unique identifier for the ACL to update. Returns Boolean, message of success or failure, and new ID of cloned ACL. CLI Example: salt '*' consul.acl_info id='c1c4d223-91cb-3d1f-1ee8-f2af9e7b6716' salt.modules.consul.acl_create(consul_url=None, **kwargs) Create a new ACL token. Parameters • consul_url -- The Consul server URL. • name -- Meaningful indicator of the ACL's purpose. • type -- Type is either client or management. A management token is comparable to a root user and has the ability to perform any action including creating, modifying, and deleting ACLs. • rules -- The Consul server URL. Returns Boolean & message of success or failure. CLI Example: salt '*' consul.acl_create salt.modules.consul.acl_delete(consul_url=None, **kwargs) Delete an ACL token. Parameters • consul_url -- The Consul server URL. • id -- Unique identifier for the ACL to update. Returns Boolean & message of success or failure. CLI Example: salt '*' consul.acl_delete id='c1c4d223-91cb-3d1f-1ee8-f2af9e7b6716' salt.modules.consul.acl_info(consul_url=None, **kwargs) Information about an ACL token. Parameters • consul_url -- The Consul server URL. • id -- Unique identifier for the ACL to update. Returns Information about the ACL requested. CLI Example: salt '*' consul.acl_info id='c1c4d223-91cb-3d1f-1ee8-f2af9e7b6716' salt.modules.consul.acl_list(consul_url=None, **kwargs) List the ACL tokens. Parameters consul_url -- The Consul server URL. Returns List of ACLs CLI Example: salt '*' consul.acl_list salt.modules.consul.acl_update(consul_url=None, **kwargs) Update an ACL token. Parameters • consul_url -- The Consul server URL. • name -- Meaningful indicator of the ACL's purpose. • id -- Unique identifier for the ACL to update. • type -- Type is either client or management. A management token is comparable to a root user and has the ability to perform any action including creating, modifying, and deleting ACLs. • rules -- The Consul server URL. Returns Boolean & message of success or failure. CLI Example: salt '*' consul.acl_update salt.modules.consul.agent_check_deregister(consul_url=None, checkid=None) The agent will take care of deregistering the check from the Catalog. Parameters • consul_url -- The Consul server URL. • checkid -- The ID of the check to deregister from Consul. Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_check_deregister checkid='Memory Utilization' salt.modules.consul.agent_check_fail(consul_url=None, checkid=None, **kwargs) This endpoint is used with a check that is of the TTL type. When this is called, the status of the check is set to critical and the TTL clock is reset. Parameters • consul_url -- The Consul server URL. • checkid -- The ID of the check to deregister from Consul. • note -- A human-readable message with the status of the check. Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_check_fail checkid='redis_check1' note='Forcing check into critical state.' salt.modules.consul.agent_check_pass(consul_url=None, checkid=None, **kwargs) This endpoint is used with a check that is of the TTL type. When this is called, the status of the check is set to passing and the TTL clock is reset. Parameters • consul_url -- The Consul server URL. • checkid -- The ID of the check to mark as passing. • note -- A human-readable message with the status of the check. Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_check_pass checkid='redis_check1' note='Forcing check into passing state.' salt.modules.consul.agent_check_register(consul_url=None, **kwargs) The register endpoint is used to add a new check to the local agent. Parameters • consul_url -- The Consul server URL. • name -- The description of what the check is for. • id -- The unique name to use for the check, if not provided 'name' is used. • notes -- Human readable description of the check. • script -- If script is provided, the check type is a script, and Consul will evaluate that script based on the interval parameter. • http -- Check will perform an HTTP GET request against the value of HTTP (expected to be a URL) based on the interval parameter. • ttl -- If a TTL type is used, then the TTL update endpoint must be used periodically to update the state of the check. • interval -- Interval at which the check should run. Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_check_register name='Memory Utilization' script='/usr/local/bin/check_mem.py' interval='15s' salt.modules.consul.agent_check_warn(consul_url=None, checkid=None, **kwargs) This endpoint is used with a check that is of the TTL type. When this is called, the status of the check is set to warning and the TTL clock is reset. Parameters • consul_url -- The Consul server URL. • checkid -- The ID of the check to deregister from Consul. • note -- A human-readable message with the status of the check. Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_check_warn checkid='redis_check1' note='Forcing check into warning state.' salt.modules.consul.agent_checks(consul_url=None) Returns the checks the local agent is managing Parameters consul_url -- The Consul server URL. Returns Returns the checks the local agent is managing CLI Example: salt '*' consul.agent_checks salt.modules.consul.agent_join(consul_url=None, address=None, **kwargs) Triggers the local agent to join a node Parameters • consul_url -- The Consul server URL. • address -- The address for the agent to connect to. • wan -- Causes the agent to attempt to join using the WAN pool. Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_join address='192.168.1.1' salt.modules.consul.agent_leave(consul_url=None, node=None) Used to instruct the agent to force a node into the left state. Parameters • consul_url -- The Consul server URL. • node -- The node the agent will force into left state Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_leave node='web1.example.com' salt.modules.consul.agent_maintenance(consul_url=None, **kwargs) Manages node maintenance mode Parameters • consul_url -- The Consul server URL. • enable -- The enable flag is required. Acceptable values are either true (to enter maintenance mode) or false (to resume normal operation). • reason -- If provided, its value should be a text string explaining the reason for placing the node into maintenance mode. Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_maintenance enable='False' reason='Upgrade in progress' salt.modules.consul.agent_members(consul_url=None, **kwargs) Returns the members as seen by the local serf agent Parameters consul_url -- The Consul server URL. Returns Returns the members as seen by the local serf agent CLI Example: salt '*' consul.agent_members salt.modules.consul.agent_self(consul_url=None) Returns the local node configuration Parameters consul_url -- The Consul server URL. Returns Returns the local node configuration CLI Example: salt '*' consul.agent_self salt.modules.consul.agent_service_deregister(consul_url=None, serviceid=None) Used to remove a service. Parameters • consul_url -- The Consul server URL. • serviceid -- A serviceid describing the service. Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_service_deregister serviceid='redis' salt.modules.consul.agent_service_maintenance(consul_url=None, serviceid=None, **kwargs) Used to place a service into maintenance mode. Parameters • consul_url -- The Consul server URL. • serviceid -- A name of the service. • enable -- Whether the service should be enabled or disabled. • reason -- A human readable message of why the service was enabled or disabled. Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_service_deregister serviceid='redis' enable='True' reason='Down for upgrade' salt.modules.consul.agent_service_register(consul_url=None, **kwargs) The used to add a new service, with an optional health check, to the local agent. Parameters • consul_url -- The Consul server URL. • name -- A name describing the service. • address -- The address used by the service, defaults to the address of the agent. • port -- The port used by the service. • id -- Unique ID to identify the service, if not provided the value of the name parameter is used. • tags -- Identifying tags for service, string or list. • script -- If script is provided, the check type is a script, and Consul will evaluate that script based on the interval parameter. • http -- Check will perform an HTTP GET request against the value of HTTP (expected to be a URL) based on the interval parameter. • check_ttl -- If a TTL type is used, then the TTL update endpoint must be used periodically to update the state of the check. • check_interval -- Interval at which the check should run. Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.agent_service_register name='redis' tags='["master", "v1"]' address="127.0.0.1" port="8080" check_script="/usr/local/bin/check_redis.py" interval="10s" salt.modules.consul.agent_services(consul_url=None) Returns the services the local agent is managing Parameters consul_url -- The Consul server URL. Returns Returns the services the local agent is managing CLI Example: salt '*' consul.agent_services salt.modules.consul.catalog_datacenters(consul_url=None) Return list of available datacenters from catalog. Parameters consul_url -- The Consul server URL. Returns The list of available datacenters. CLI Example: salt '*' consul.catalog_datacenters salt.modules.consul.catalog_deregister(consul_url=None, **kwargs) Deregisters a node, service, or check Parameters • consul_url -- The Consul server URL. • node -- The node to deregister. • datacenter -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. • checkid -- The ID of the health check to deregister. • serviceid -- The ID of the service to deregister. Returns Boolean & message of success or failure. CLI Example: salt '*' consul.catalog_register node='node1' serviceid='redis_server1' checkid='redis_check1' salt.modules.consul.catalog_node(consul_url=None, node=None, **kwargs) Information about the registered node. Parameters • consul_url -- The Consul server URL. • node -- The node to request information about. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. Returns Information about the requested node. CLI Example: salt '*' consul.catalog_service service='redis' salt.modules.consul.catalog_nodes(consul_url=None, **kwargs) Return list of available nodes from catalog. Parameters • consul_url -- The Consul server URL. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. Returns The list of available nodes. CLI Example: salt '*' consul.catalog_nodes salt.modules.consul.catalog_register(consul_url=None, **kwargs) Registers a new node, service, or check Parameters • consul_url -- The Consul server URL. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. • node -- The node to register. • address -- The address of the node. • service -- The service that will be registered. • service_address -- The address that the service listens on. • service_port -- The port for the service. • service_id -- A unique identifier for the service, if this is not provided "name" will be used. • service_tags -- Any tags associated with the service. • check -- The name of the health check to register • check_status -- The initial status of the check, must be one of unknown, passing, warning, or critical. • check_service -- The service that the check is performed against. • check_id -- Unique identifier for the service. • check_notes -- An opaque field that is meant to hold human-readable text. Returns Boolean & message of success or failure. CLI Example: salt '*' consul.catalog_register node='node1' address='192.168.1.1' service='redis' service_address='127.0.0.1' service_port='8080' service_id='redis_server1' salt.modules.consul.catalog_service(consul_url=None, service=None, **kwargs) Information about the registered service. Parameters • consul_url -- The Consul server URL. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. • tag -- Filter returned services with tag parameter. Returns Information about the requested service. CLI Example: salt '*' consul.catalog_service service='redis' salt.modules.consul.catalog_services(consul_url=None, **kwargs) Return list of available services rom catalog. Parameters • consul_url -- The Consul server URL. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. Returns The list of available services. CLI Example: salt '*' consul.catalog_services salt.modules.consul.delete(consul_url=None, key=None, **kwargs) Delete values from Consul Parameters • consul_url -- The Consul server URL. • key -- The key to use as the starting point for the list. • recurse -- Delete values recursively beginning at the value of key. • cas -- This flag is used to turn the DELETE into a Check-And-Set operation. Returns Boolean & message of success or failure. CLI Example: salt '*' consul.delete key='web' salt '*' consul.delete key='web' recurse='True' salt.modules.consul.event_fire(consul_url=None, name=None, **kwargs) List the ACL tokens. Parameters • consul_url -- The Consul server URL. • name -- The name of the event to fire. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. • node -- Filter by node name. • service -- Filter by service name. • tag -- Filter by tag name. Returns List of ACLs CLI Example: salt '*' consul.event_fire name='deploy' salt.modules.consul.event_list(consul_url=None, **kwargs) List the recent events. Parameters • consul_url -- The Consul server URL. • name -- The name of the event to fire. Returns List of ACLs CLI Example: salt '*' consul.event_list salt.modules.consul.get(consul_url=None, key=None, recurse=False, decode=False, raw=False) Get key from Consul Parameters • consul_url -- The Consul server URL. • key -- The key to use as the starting point for the list. • recurse -- Return values recursively beginning at the value of key. • decode -- By default values are stored as Base64 encoded values, decode will return the whole key with the value decoded. • raw -- Simply return the decoded value of the key. Returns The keys in Consul. CLI Example: salt '*' consul.get key='web/key1' salt '*' consul.list key='web' recurse='True salt '*' consul.list key='web' recurse='True' decode='True' By default values stored in Consul are base64 encoded, passing the decode option will show them as the decoded values. salt '*' consul.list key='web' recurse='True' decode='True' raw='True' By default Consult will return other information about the key, the raw option will return only the raw value. salt.modules.consul.health_checks(consul_url=None, service=None, **kwargs) Health information about the registered service. Parameters • consul_url -- The Consul server URL. • service -- The service to request health information about. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. Returns Health information about the requested node. CLI Example: salt '*' consul.health_checks service='redis1' salt.modules.consul.health_node(consul_url=None, node=None, **kwargs) Health information about the registered node. Parameters • consul_url -- The Consul server URL. • node -- The node to request health information about. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. Returns Health information about the requested node. CLI Example: salt '*' consul.health_node node='node1' salt.modules.consul.health_service(consul_url=None, service=None, **kwargs) Health information about the registered service. Parameters • consul_url -- The Consul server URL. • service -- The service to request health information about. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. • tag -- Filter returned services with tag parameter. • passing -- Filter results to only nodes with all checks in the passing state. Returns Health information about the requested node. CLI Example: salt '*' consul.health_service service='redis1' salt '*' consul.health_service service='redis1' passing='True' salt.modules.consul.health_state(consul_url=None, state=None, **kwargs) Returns the checks in the state provided on the path. Parameters • consul_url -- The Consul server URL. • state -- The state to show checks for. The supported states are any, unknown, passing, warning, or critical. The any state is a wildcard that can be used to return all checks. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. Returns The checks in the provided state. CLI Example: salt '*' consul.health_state state='redis1' salt '*' consul.health_state service='redis1' passing='True' salt.modules.consul.list(consul_url=None, key=None, **kwargs) List keys in Consul Parameters • consul_url -- The Consul server URL. • key -- The key to use as the starting point for the list. Returns The list of keys. CLI Example: salt '*' consul.list salt '*' consul.list key='web' salt.modules.consul.put(consul_url=None, key=None, value=None, **kwargs) Put values into Consul Parameters • consul_url -- The Consul server URL. • key -- The key to use as the starting point for the list. • value -- The value to set the key to. • flags -- This can be used to specify an unsigned value between 0 and 2^64-1. Clients can choose to use this however makes sense for their application. • cas -- This flag is used to turn the PUT into a Check-And-Set operation. • acquire -- This flag is used to turn the PUT into a lock acquisition operation. • release -- This flag is used to turn the PUT into a lock release operation. Returns Boolean & message of success or failure. CLI Example: salt '*' consul.put key='web/key1' value="Hello there" salt '*' consul.put key='web/key1' value="Hello there" acquire='d5d371f4-c380-5280-12fd-8810be175592' salt '*' consul.put key='web/key1' value="Hello there" release='d5d371f4-c380-5280-12fd-8810be175592' salt.modules.consul.session_create(consul_url=None, **kwargs) Used to create a session. Parameters • consul_url -- The Consul server URL. • lockdelay -- Duration string using a "s" suffix for seconds. The default is 15s. • node -- Must refer to a node that is already registered, if specified. By default, the agent's own node name is used. • name -- A human-readable name for the session • checks -- A list of associated health checks. It is highly recommended that, if you override this list, you include the default "serfHealth". • behavior -- Can be set to either release or delete. This controls the behavior when a session is invalidated. By default, this is release, causing any locks that are held to be released. Changing this to delete causes any locks that are held to be deleted. delete is useful for creating ephemeral key/value entries. • ttl -- Session is invalidated if it is not renewed before the TTL expires Returns Boolean and message indicating success or failure. CLI Example: salt '*' consul.session_create node='node1' name='my-session' behavior='delete' ttl='3600s' salt.modules.consul.session_destroy(consul_url=None, session=None, **kwargs) Destroy session Parameters • consul_url -- The Consul server URL. • session -- The ID of the session to destroy. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. Returns Boolean & message of success or failure. CLI Example: salt '*' consul.session_destroy session='c1c4d223-91cb-3d1f-1ee8-f2af9e7b6716' salt.modules.consul.session_info(consul_url=None, session=None, **kwargs) Information about a session Parameters • consul_url -- The Consul server URL. • session -- The ID of the session to return information about. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. Returns Boolean & message of success or failure. CLI Example: salt '*' consul.session_info session='c1c4d223-91cb-3d1f-1ee8-f2af9e7b6716' salt.modules.consul.session_list(consul_url=None, return_list=False, **kwargs) Used to list sessions. Parameters • consul_url -- The Consul server URL. • dc -- By default, the datacenter of the agent is queried; however, the dc can be provided using the "dc" parameter. • return_list -- By default, all information about the sessions is returned, using the return_list parameter will return a list of session IDs. Returns A list of all available sessions. CLI Example: salt '*' consul.session_list salt.modules.consul.status_leader(consul_url=None) Returns the current Raft leader Parameters consul_url -- The Consul server URL. Returns The address of the Raft leader. CLI Example: salt '*' consul.status_leader salt.modules.consul.status_peers(consul_url) Returns the current Raft peer set Parameters consul_url -- The Consul server URL. Returns Retrieves the Raft peers for the datacenter in which the the agent is running. CLI Example: salt '*' consul.status_peers salt.modules.container_resource Common resources for LXC and systemd-nspawn containers New in version 2015.8.0. These functions are not designed to be called directly, but instead from the lxc, nspawn, and dockerng execution modules. They provide for common logic to be re-used for common actions. salt.modules.container_resource.cache_file(source) Wrapper for cp.cache_file which raises an error if the file was unable to be cached. CLI Example: salt myminion container_resource.cache_file salt://foo/bar/baz.txt salt.modules.container_resource.copy_to(*args, **kwargs) Common logic for copying files to containers path path to the container parent (for LXC only) default: /var/lib/lxc (system default) CLI Example: salt myminion container_resource.copy_to mycontainer /local/file/path /container/file/path container_type=docker exec_driver=nsenter salt.modules.container_resource.run(*args, **kwargs) Common logic for running shell commands in containers path path to the container parent (for LXC only) default: /var/lib/lxc (system default) CLI Example: salt myminion container_resource.run mycontainer 'ps aux' container_type=docker exec_driver=nsenter output=stdout salt.modules.cp Minion side functions for salt-cp salt.modules.cp.cache_dir(path, saltenv='base', include_empty=False, include_pat=None, exclude_pat=None, env=None) Download and cache everything under a directory from the master include_pat None Glob or regex to narrow down the files cached from the given path. If matching with a regex, the regex must be prefixed with E@, otherwise the expression will be interpreted as a glob. New in version 2014.7.0. exclude_pat None Glob or regex to exclude certain files from being cached from the given path. If matching with a regex, the regex must be prefixed with E@, otherwise the expression will be interpreted as a glob. NOTE: If used with include_pat, files matching this pattern will be excluded from the subset of files defined by include_pat. New in version 2014.7.0. CLI Examples: salt '*' cp.cache_dir salt://path/to/dir salt '*' cp.cache_dir salt://path/to/dir include_pat='E@*.py$' salt.modules.cp.cache_file(path, saltenv='base', env=None) Used to cache a single file on the salt-minion Returns the location of the new cached file on the minion CLI Example: salt '*' cp.cache_file salt://path/to/file salt.modules.cp.cache_files(paths, saltenv='base', env=None) Used to gather many files from the master, the gathered files will be saved in the minion cachedir reflective to the paths retrieved from the master. CLI Example: salt '*' cp.cache_files salt://pathto/file1,salt://pathto/file1 salt.modules.cp.cache_local_file(path) Cache a local file on the minion in the localfiles cache CLI Example: salt '*' cp.cache_local_file /etc/hosts salt.modules.cp.cache_master(saltenv='base', env=None) Retrieve all of the files on the master and cache them locally CLI Example: salt '*' cp.cache_master salt.modules.cp.get_dir(path, dest, saltenv='base', template=None, gzip=None, env=None, **kwargs) Used to recursively copy a directory from the salt master CLI Example: salt '*' cp.get_dir salt://path/to/dir/ /minion/dest get_dir supports the same template and gzip arguments as get_file. salt.modules.cp.get_file(path, dest, saltenv='base', makedirs=False, template=None, gzip=None, env=None, **kwargs) Used to get a single file from the salt master CLI Example: salt '*' cp.get_file salt://path/to/file /minion/dest Template rendering can be enabled on both the source and destination file names like so: salt '*' cp.get_file "salt://{{grains.os}}/vimrc" /etc/vimrc template=jinja This example would instruct all Salt minions to download the vimrc from a directory with the same name as their os grain and copy it to /etc/vimrc For larger files, the cp.get_file module also supports gzip compression. Because gzip is CPU-intensive, this should only be used in scenarios where the compression ratio is very high (e.g. pretty-printed JSON or YAML files). Use the gzip named argument to enable it. Valid values are 1..9, where 1 is the lightest compression and 9 the heaviest. 1 uses the least CPU on the master (and minion), 9 uses the most. salt.modules.cp.get_file_str(path, saltenv='base', env=None) Return the contents of a file from a URL CLI Example: salt '*' cp.get_file_str salt://my/file salt.modules.cp.get_template(path, dest, template='jinja', saltenv='base', env=None, makedirs=False, **kwargs) Render a file as a template before setting it down. Warning, order is not the same as in fileclient.cp for non breaking old API. CLI Example: salt '*' cp.get_template salt://path/to/template /minion/dest salt.modules.cp.get_url(path, dest, saltenv='base', env=None) Used to get a single file from a URL. The default behaviuor is to write the fetched file to the given destination path. To simply return the text contents instead, set destination to None. CLI Example: salt '*' cp.get_url salt://my/file /tmp/mine salt '*' cp.get_url http://www.slashdot.org /tmp/index.html salt.modules.cp.hash_file(path, saltenv='base', env=None) Return the hash of a file, to get the hash of a file on the salt master file server prepend the path with salt://<file on server> otherwise, prepend the file with / for a local file. CLI Example: salt '*' cp.hash_file salt://path/to/file salt.modules.cp.is_cached(path, saltenv='base', env=None) Return a boolean if the given path on the master has been cached on the minion CLI Example: salt '*' cp.is_cached salt://path/to/file salt.modules.cp.list_master(saltenv='base', prefix='', env=None) List all of the files stored on the master CLI Example: salt '*' cp.list_master salt.modules.cp.list_master_dirs(saltenv='base', prefix='', env=None) List all of the directories stored on the master CLI Example: salt '*' cp.list_master_dirs salt.modules.cp.list_master_symlinks(saltenv='base', prefix='', env=None) List all of the symlinks stored on the master CLI Example: salt '*' cp.list_master_symlinks salt.modules.cp.list_minion(saltenv='base', env=None) List all of the files cached on the minion CLI Example: salt '*' cp.list_minion salt.modules.cp.list_states(saltenv='base', env=None) List all of the available state modules in an environment CLI Example: salt '*' cp.list_states salt.modules.cp.push(path, keep_symlinks=False, upload_path=None) Push a file from the minion up to the master, the file will be saved to the salt master in the master's minion files cachedir (defaults to /var/cache/salt/master/minions/minion-id/files) Since this feature allows a minion to push a file up to the master server it is disabled by default for security purposes. To enable, set file_recv to True in the master configuration file, and restart the master. keep_symlinks Keep the path value without resolving its canonical form upload_path Provide a different path inside the master's minion files cachedir CLI Example: salt '*' cp.push /etc/fstab salt '*' cp.push /etc/system-release keep_symlinks=True salt '*' cp.push /etc/fstab upload_path='/new/path/fstab' salt.modules.cp.push_dir(path, glob=None, upload_path=None) Push a directory from the minion up to the master, the files will be saved to the salt master in the master's minion files cachedir (defaults to /var/cache/salt/master/minions/minion-id/files). It also has a glob for matching specific files using globbing. New in version 2014.7.0. Since this feature allows a minion to push files up to the master server it is disabled by default for security purposes. To enable, set file_recv to True in the master configuration file, and restart the master. upload_path Provide a different path and directory name inside the master's minion files cachedir CLI Example: salt '*' cp.push /usr/lib/mysql salt '*' cp.push /usr/lib/mysql upload_path='/newmysql/path' salt '*' cp.push_dir /etc/modprobe.d/ glob='*.conf' salt.modules.cp.recv(files, dest) Used with salt-cp, pass the files dict, and the destination. This function receives small fast copy files from the master via salt-cp. It does not work via the CLI. salt.modules.cpan Manage Perl modules using CPAN New in version 2015.5.0. salt.modules.cpan.install(module) Install a Perl module from CPAN CLI Example: salt '*' cpan.install Template::Alloy salt.modules.cpan.list() List installed Perl modules, and the version installed CLI Example: salt '*' cpan.list salt.modules.cpan.remove(module, details=False) Attempt to remove a Perl module that was installed from CPAN. Because the cpan command doesn't actually support "uninstall"-like functionality, this function will attempt to do what it can, with what it has from CPAN. Until this function is declared stable, USE AT YOUR OWN RISK! CLI Example: salt '*' cpan.remove Old::Package salt.modules.cpan.show(module) Show information about a specific Perl module CLI Example: salt '*' cpan.show Template::Alloy salt.modules.cpan.show_config() Return a dict of CPAN configuration values CLI Example: salt '*' cpan.show_config salt.modules.cron Work with cron NOTE: Salt does not escape cron metacharacters automatically. You should backslash-escape percent characters and any other metacharacters that might be interpreted incorrectly by the shell. salt.modules.cron.list_tab(user) Return the contents of the specified user's crontab CLI Example: salt '*' cron.list_tab root salt.modules.cron.ls(user) This function is an alias of list_tab. Return the contents of the specified user's crontab CLI Example: salt '*' cron.list_tab root salt.modules.cron.raw_cron(user) Return the contents of the user's crontab CLI Example: salt '*' cron.raw_cron root salt.modules.cron.rm(user, cmd, minute=None, hour=None, daymonth=None, month=None, dayweek=None, identifier=None) This function is an alias of rm_job. Remove a cron job for a specified user. If any of the day/time params are specified, the job will only be removed if the specified params match. CLI Example: salt '*' cron.rm_job root /usr/local/weekly salt '*' cron.rm_job root /usr/bin/foo dayweek=1 salt.modules.cron.rm_env(user, name) Remove cron environment variable for a specified user. CLI Example: salt '*' cron.rm_env root MAILTO salt.modules.cron.rm_job(user, cmd, minute=None, hour=None, daymonth=None, month=None, dayweek=None, identifier=None) Remove a cron job for a specified user. If any of the day/time params are specified, the job will only be removed if the specified params match. CLI Example: salt '*' cron.rm_job root /usr/local/weekly salt '*' cron.rm_job root /usr/bin/foo dayweek=1 salt.modules.cron.rm_special(user, special, cmd) Remove a special cron job for a specified user. CLI Example: salt '*' cron.rm_job root @hourly /usr/bin/foo salt.modules.cron.set_env(user, name, value=None) Set up an environment variable in the crontab. CLI Example: salt '*' cron.set_env root MAILTO user@example.com salt.modules.cron.set_job(user, minute, hour, daymonth, month, dayweek, cmd, comment=None, identifier=None) Sets a cron job up for a specified user. CLI Example: salt '*' cron.set_job root '*' '*' '*' '*' 1 /usr/local/weekly salt.modules.cron.set_special(user, special, cmd) Set up a special command in the crontab. CLI Example: salt '*' cron.set_special root @hourly 'echo foobar' salt.modules.cron.write_cron_file(user, path) Writes the contents of a file to a user's crontab CLI Example: salt '*' cron.write_cron_file root /tmp/new_cron salt.modules.cron.write_cron_file_verbose(user, path) Writes the contents of a file to a user's crontab and return error message on error CLI Example: salt '*' cron.write_cron_file_verbose root /tmp/new_cron salt.modules.cyg Manage cygwin packages. Module file to accompany the cyg state. salt.modules.cyg.check_valid_package(package, cyg_arch='x86_64', mirrors=None) Check if the package is valid on the given mirrors. salt.modules.cyg.install(packages=None, cyg_arch='x86_64', mirrors=None) Install one or several packages. packages None The packages to install cyg_arch x86_64 Specify the architecture to install the package under Current options are x86 and x86_64 CLI Example: salt '*' cyg.install dos2unix salt '*' cyg.install dos2unix mirrors=[{'http://mirror': 'http://url/to/public/key}] salt.modules.cyg.list(package='', cyg_arch='x86_64') List locally installed packages. package '' package name to check. else all cyg_arch : Cygwin architecture to use Options are x86 and x86_64 CLI Example: salt '*' cyg.list salt.modules.cyg.uninstall(packages, cyg_arch='x86_64', mirrors=None) Uninstall one or several packages. packages The packages to uninstall. cyg_arch x86_64 Specify the architecture to remove the package from Current options are x86 and x86_64 CLI Example: salt '*' cyg.uninstall dos2unix salt '*' cyg.uninstall dos2unix mirrors=[{'http://mirror': 'http://url/to/public/key}] salt.modules.cyg.update(cyg_arch='x86_64', mirrors=None) Update all packages. cyg_arch x86_64 Specify the cygwin architecture update Current options are x86 and x86_64 CLI Example: salt '*' cyg.update salt '*' cyg.update dos2unix mirrors=[{'http://mirror': 'http://url/to/public/key}] salt.modules.daemontools daemontools service module. This module will create daemontools type service watcher. This module is compatible with the service states, so it can be used to maintain services using the provider argument: myservice: service.running: - provider: daemontools salt.modules.daemontools.available(name) Returns True if the specified service is available, otherwise returns False. CLI Example: salt '*' daemontools.available foo salt.modules.daemontools.disabled(name) Return True if the named service is enabled, false otherwise New in version 2015.5.6. CLI Example: salt '*' daemontools.disabled <service name> salt.modules.daemontools.enabled(name, **kwargs) Return True if the named service is enabled, false otherwise A service is considered enabled if in your service directory: - an executable ./run file exist - a file named "down" does not exist New in version 2015.5.7. name Service name CLI Example: salt '*' daemontools.enabled <service name> salt.modules.daemontools.full_restart(name) Calls daemontools.restart() function CLI Example: salt '*' daemontools.full_restart <service name> salt.modules.daemontools.get_all() Return a list of all available services CLI Example: salt '*' daemontools.get_all salt.modules.daemontools.missing(name) The inverse of daemontools.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' daemontools.missing foo salt.modules.daemontools.reload(name) Wrapper for term() CLI Example: salt '*' daemontools.reload <service name> salt.modules.daemontools.restart(name) Restart service via daemontools. This will stop/start service CLI Example: salt '*' daemontools.restart <service name> salt.modules.daemontools.start(name) Starts service via daemontools CLI Example: salt '*' daemontools.start <service name> salt.modules.daemontools.status(name, sig=None) Return the status for a service via daemontools, return pid if running CLI Example: salt '*' daemontools.status <service name> salt.modules.daemontools.stop(name) Stops service via daemontools CLI Example: salt '*' daemontools.stop <service name> salt.modules.daemontools.term(name) Send a TERM to service via daemontools CLI Example: salt '*' daemontools.term <service name> salt.modules.darwin_pkgutil Installer support for OS X. Installer is the native .pkg/.mpkg package manager for OS X. salt.modules.darwin_pkgutil.install(source, package_id=None) Install a .pkg from an URI or an absolute path. CLI Example: salt '*' darwin_pkgutil.install source=/vagrant/build_essentials.pkg package_id=com.apple.pkg.gcc4.2Leo salt.modules.darwin_pkgutil.is_installed(package_id) Returns whether a given package id is installed. CLI Example: salt '*' darwin_pkgutil.is_installed com.apple.pkg.gcc4.2Leo salt.modules.darwin_pkgutil.list() List the installed packages. CLI Example: salt '*' darwin_pkgutil.list salt.modules.darwin_sysctl Module for viewing and modifying sysctl parameters salt.modules.darwin_sysctl.assign(name, value) Assign a single sysctl parameter for this minion name The name of the sysctl value to edit. value The sysctl value to apply. CLI Example: salt '*' sysctl.assign net.inet.icmp.icmplim 50 salt.modules.darwin_sysctl.get(name) Return a single sysctl parameter for this minion name The name of the sysctl value to display. CLI Example: salt '*' sysctl.get hw.physmem salt.modules.darwin_sysctl.persist(name, value, config='/etc/sysctl.conf', apply_change=False) Assign and persist a simple sysctl parameter for this minion name The name of the sysctl value to edit. value The sysctl value to apply. config The location of the sysctl configuration file. apply_change Default is False; Default behavior only creates or edits the sysctl.conf file. If apply is set to True, the changes are applied to the system. CLI Example: salt '*' sysctl.persist net.inet.icmp.icmplim 50 salt '*' sysctl.persist coretemp_load NO config=/etc/sysctl.conf salt.modules.darwin_sysctl.show(config_file=False) Return a list of sysctl parameters for this minion CLI Example: salt '*' sysctl.show salt.modules.data Manage a local persistent data structure that can hold any arbitrary data specific to the minion salt.modules.data.cas(key, value, old_value) Check and set a value in the minion datastore CLI Example: salt '*' data.cas <key> <value> <old_value> salt.modules.data.clear() Clear out all of the data in the minion datastore, this function is destructive! CLI Example: salt '*' data.clear salt.modules.data.dump(new_data) Replace the entire datastore with a passed data structure CLI Example: salt '*' data.dump '{'eggs': 'spam'}' salt.modules.data.get(key, default=None) Get a (list of) value(s) from the minion datastore New in version 2015.8.0. CLI Example: salt '*' data.get <key(s)> salt.modules.data.getval(key) Get a value from the minion datastore Deprecated since version Boron: Use get instead CLI Example: salt '*' data.getval <key> salt.modules.data.getvals(*keylist) Get values from the minion datastore Deprecated since version Boron: Use get instead CLI Example: salt '*' data.getvals <key> [<key> ...] salt.modules.data.has_key(key) Check if key is in the minion datastore New in version 2015.8.0. CLI Example: salt '*' data.has_key <mykey> salt.modules.data.items() Get items from the minion datastore New in version 2015.8.0. CLI Example: salt '*' data.items salt.modules.data.keys() Get all keys from the minion datastore New in version 2015.8.0. CLI Example: salt '*' data.keys salt.modules.data.load() Return all of the data in the minion datastore CLI Example: salt '*' data.load salt.modules.data.pop(key, default=None) Pop (return & delete) a value from the minion datastore New in version 2015.5.2. CLI Example: salt '*' data.pop <key> "there was no val" salt.modules.data.update(key, value) Update a key with a value in the minion datastore CLI Example: salt '*' data.update <key> <value> salt.modules.data.values() Get values from the minion datastore New in version 2015.8.0. CLI Example: salt '*' data.values salt.modules.ddns Support for RFC 2136 dynamic DNS updates. depends • dnspython Python module configuration If you want to use TSIG authentication for the server, there are a couple of optional configuration parameters made available to support this (the keyname is only needed if the keyring contains more than one key): keyring: keyring file (default=None) keyname: key name in file (default=None) The keyring file needs to be in json format and the key name needs to end with an extra period in the file, similar to this: {"keyname.": "keycontent"} salt.modules.ddns.add_host(zone, name, ttl, ip, nameserver='127.0.0.1', replace=True, **kwargs) Add, replace, or update the A and PTR (reverse) records for a host. CLI Example: salt ns1 ddns.add_host example.com host1 60 10.1.1.1 salt.modules.ddns.delete(zone, name, rdtype=None, data=None, nameserver='127.0.0.1', **kwargs) Delete a DNS record. CLI Example: salt ns1 ddns.delete example.com host1 A salt.modules.ddns.delete_host(zone, name, nameserver='127.0.0.1', **kwargs) Delete the forward and reverse records for a host. Returns true if any records are deleted. CLI Example: salt ns1 ddns.delete_host example.com host1 salt.modules.ddns.update(zone, name, ttl, rdtype, data, nameserver='127.0.0.1', replace=False, **kwargs) Add, replace, or update a DNS record. nameserver must be an IP address and the minion running this module must have update privileges on that server. If replace is true, first deletes all records for this name and type. CLI Example: salt ns1 ddns.update example.com host1 60 A 10.0.0.1 salt.modules.deb_apache Support for Apache Please note: The functions in here are Debian-specific. Placing them in this separate file will allow them to load only on Debian-based systems, while still loading under the apache namespace. salt.modules.deb_apache.a2dismod(mod) Runs a2dismod for the given mod. This will only be functional on Debian-based operating systems (Ubuntu, Mint, etc). CLI Examples: salt '*' apache.a2dismod vhost_alias salt.modules.deb_apache.a2dissite(site) Runs a2dissite for the given site. This will only be functional on Debian-based operating systems (Ubuntu, Mint, etc). CLI Examples: salt '*' apache.a2dissite example.com salt.modules.deb_apache.a2enmod(mod) Runs a2enmod for the given mod. This will only be functional on Debian-based operating systems (Ubuntu, Mint, etc). CLI Examples: salt '*' apache.a2enmod vhost_alias salt.modules.deb_apache.a2ensite(site) Runs a2ensite for the given site. This will only be functional on Debian-based operating systems (Ubuntu, Mint, etc). CLI Examples: salt '*' apache.a2ensite example.com salt.modules.deb_apache.check_mod_enabled(mod) Checks to see if the specific mod symlink is in /etc/apache2/mods-enabled. This will only be functional on Debian-based operating systems (Ubuntu, Mint, etc). CLI Examples: salt '*' apache.check_mod_enabled status.conf salt '*' apache.check_mod_enabled status.load salt.modules.deb_apache.check_site_enabled(site) Checks to see if the specific Site symlink is in /etc/apache2/sites-enabled. This will only be functional on Debian-based operating systems (Ubuntu, Mint, etc). CLI Examples: salt '*' apache.check_site_enabled example.com salt.modules.deb_postgres Module to provide Postgres compatibility to salt for debian family specific tools. salt.modules.deb_postgres.cluster_create(version, name='main', port=None, locale=None, encoding=None, datadir=None) Adds a cluster to the Postgres server. CLI Example: salt '*' postgres.cluster_create '9.3' salt '*' postgres.cluster_create '9.3' 'main' salt '*' postgres.cluster_create '9.3' locale='fr_FR' salt.modules.deb_postgres.cluster_exists(version, name='main') Checks if a given version and name of a cluster exists. CLI Example: salt '*' postgres.cluster_exists '9.3' salt '*' postgres.cluster_exists '9.3' 'main' salt.modules.deb_postgres.cluster_list(verbose=False) Return a list of cluster of Postgres server (tuples of version and name). CLI Example: salt '*' postgres.cluster_list salt '*' postgres.cluster_list verbose=True salt.modules.deb_postgres.cluster_remove(version, name='main', stop=False) Remove a cluster on a Postgres server. By default it doesn't try to stop the cluster. CLI Example: salt '*' postgres.cluster_remove '9.3' salt '*' postgres.cluster_remove '9.3' 'main' salt '*' postgres.cluster_remove '9.3' 'main' stop=True salt.modules.debbuild Debian Package builder system New in version 2015.8.0. This system allows for all of the components to build debs safely in chrooted environments. This also provides a function to generate debian repositories This module impliments the pkgbuild interface salt.modules.debbuild.build(runas, tgt, dest_dir, spec, sources, deps, env, template, saltenv='base', log_dir='/var/log/salt/pkgbuild') Given the package destination directory, the tarball containing debian files (e.g. control) and package sources, use pbuilder to safely build the platform package CLI Example: Debian salt '*' pkgbuild.make_src_pkg deb-8-x86_64 /var/www/html https://raw.githubusercontent.com/saltstack/libnacl/master/pkg/deb/python-libnacl.control https://pypi.python.org/packages/source/l/libnacl/libnacl-1.3.5.tar.gz This example command should build the libnacl package for Debian using pbuilder and place it in /var/www/html/ on the minion salt.modules.debbuild.make_repo(repodir, keyid=None, env=None) Given the repodir, create a Debian repository out of the dsc therein CLI Example: salt '*' pkgbuild.make_repo /var/www/html/ salt.modules.debbuild.make_src_pkg(dest_dir, spec, sources, env=None, template=None, saltenv='base') Create a platform specific source package from the given platform spec/control file and sources CLI Example: Debian salt '*' pkgbuild.make_src_pkg /var/www/html/ https://raw.githubusercontent.com/saltstack/libnacl/master/pkg/deb/python-libnacl.control.tar.xz https://pypi.python.org/packages/source/l/libnacl/libnacl-1.3.5.tar.gz This example command should build the libnacl SOURCE package and place it in /var/www/html/ on the minion salt.modules.debconfmod Support for Debconf salt.modules.debconfmod.get_selections(fetchempty=True) Answers to debconf questions for all packages in the following format: {'package': [['question', 'type', 'value'], ...]} CLI Example: salt '*' debconf.get_selections salt.modules.debconfmod.set(package, question, type, value, *extra) Set answers to debconf questions for a package. CLI Example: salt '*' debconf.set <package> <question> <type> <value> [<value> ...] salt.modules.debconfmod.set_file(path, saltenv='base', **kwargs) Set answers to debconf questions from a file. CLI Example: salt '*' debconf.set_file salt://pathto/pkg.selections salt.modules.debconfmod.set_template(path, template, context, defaults, saltenv='base', **kwargs) Set answers to debconf questions from a template. path location of the file containing the package selections template template format context variables to add to the template environment default default values for the template environment CLI Example: salt '*' debconf.set_template salt://pathto/pkg.selections.jinja jinja None None salt.modules.debconfmod.show(name) Answers to debconf questions for a package in the following format: [['question', 'type', 'value'], ...] If debconf doesn't know about a package, we return None. CLI Example: salt '*' debconf.show <package name> salt.modules.debian_ip The networking module for Debian based distros References: • http://www.debian.org/doc/manuals/debian-reference/ch05.en.html salt.modules.debian_ip.apply_network_settings(**settings) Apply global network configuration. CLI Example: salt '*' ip.apply_network_settings salt.modules.debian_ip.build_bond(iface, **settings) Create a bond script in /etc/modprobe.d with the passed settings and load the bonding kernel module. CLI Example: salt '*' ip.build_bond bond0 mode=balance-alb salt.modules.debian_ip.build_interface(iface, iface_type, enabled, **settings) Build an interface script for a network interface. CLI Example: salt '*' ip.build_interface eth0 eth <settings> salt.modules.debian_ip.build_network_settings(**settings) Build the global network script. CLI Example: salt '*' ip.build_network_settings <settings> salt.modules.debian_ip.build_routes(iface, **settings) Add route scripts for a network interface using up commands. CLI Example: salt '*' ip.build_routes eth0 <settings> salt.modules.debian_ip.down(iface, iface_type) Shutdown a network interface CLI Example: salt '*' ip.down eth0 eth salt.modules.debian_ip.get_bond(iface) Return the content of a bond script CLI Example: salt '*' ip.get_bond bond0 salt.modules.debian_ip.get_interface(iface) Return the contents of an interface script CLI Example: salt '*' ip.get_interface eth0 salt.modules.debian_ip.get_network_settings() Return the contents of the global network script. CLI Example: salt '*' ip.get_network_settings salt.modules.debian_ip.get_routes(iface) Return the routes for the interface CLI Example: salt '*' ip.get_routes eth0 salt.modules.debian_ip.up(iface, iface_type) Start up a network interface CLI Example: salt '*' ip.up eth0 eth salt.modules.debian_service Service support for Debian systems (uses update-rc.d and /sbin/service) salt.modules.debian_service.available(name) Returns True if the specified service is available, otherwise returns False. CLI Example: salt '*' service.available sshd salt.modules.debian_service.disable(name, **kwargs) Disable the named service to start at boot CLI Example: salt '*' service.disable <service name> salt.modules.debian_service.disabled(name) Return True if the named service is enabled, false otherwise CLI Example: salt '*' service.disabled <service name> salt.modules.debian_service.enable(name, **kwargs) Enable the named service to start at boot CLI Example: salt '*' service.enable <service name> salt.modules.debian_service.enabled(name, **kwargs) Return True if the named service is enabled, false otherwise CLI Example: salt '*' service.enabled <service name> salt.modules.debian_service.force_reload(name) Force-reload the named service CLI Example: salt '*' service.force_reload <service name> salt.modules.debian_service.get_all() Return all available boot services CLI Example: salt '*' service.get_all salt.modules.debian_service.get_disabled() Return a set of services that are installed but disabled CLI Example: salt '*' service.get_disabled salt.modules.debian_service.get_enabled() Return a list of service that are enabled on boot CLI Example: salt '*' service.get_enabled salt.modules.debian_service.missing(name) The inverse of service.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' service.missing sshd salt.modules.debian_service.reload(name) Reload the named service CLI Example: salt '*' service.reload <service name> salt.modules.debian_service.restart(name) Restart the named service CLI Example: salt '*' service.restart <service name> salt.modules.debian_service.start(name) Start the specified service CLI Example: salt '*' service.start <service name> salt.modules.debian_service.status(name, sig=None) Return the status for a service, pass a signature to use to find the service via ps CLI Example: salt '*' service.status <service name> salt.modules.debian_service.stop(name) Stop the specified service CLI Example: salt '*' service.stop <service name> salt.modules.defaults salt.modules.defaults.get(key, default='') defaults.get is used much like pillar.get except that it will read a default value for a pillar from defaults.json or defaults.yaml files that are stored in the root of a salt formula. CLI Example: salt '*' defaults.get core:users:root The defaults is computed from pillar key. The first entry is considered as the formula namespace. For example, querying core:users:root will try to load salt://core/defaults.yaml and salt://core/defaults.json. salt.modules.devmap Device-Mapper module salt.modules.devmap.multipath_flush(device) Device-Mapper Multipath flush CLI Example: salt '*' devmap.multipath_flush mpath1 salt.modules.devmap.multipath_list() Device-Mapper Multipath list CLI Example: salt '*' devmap.multipath_list salt.modules.dig Compendium of generic DNS utilities. The 'dig' command line tool must be installed in order to use this module. salt.modules.dig.A(host, nameserver=None) Return the A record for host. Always returns a list. CLI Example: salt ns1 dig.A www.google.com salt.modules.dig.AAAA(host, nameserver=None) Return the AAAA record for host. Always returns a list. CLI Example: salt ns1 dig.AAAA www.google.com salt.modules.dig.MX(domain, resolve=False, nameserver=None) Return a list of lists for the MX of domain. If the resolve argument is True, resolve IPs for the servers. It's limited to one IP, because although in practice it's very rarely a round robin, it is an acceptable configuration and pulling just one IP lets the data be similar to the non-resolved version. If you think an MX has multiple IPs, don't use the resolver here, resolve them in a separate step. CLI Example: salt ns1 dig.MX google.com salt.modules.dig.NS(domain, resolve=True, nameserver=None) Return a list of IPs of the nameservers for domain If resolve is False, don't resolve names. CLI Example: salt ns1 dig.NS google.com salt.modules.dig.SPF(domain, record='SPF', nameserver=None) Return the allowed IPv4 ranges in the SPF record for domain. If record is SPF and the SPF record is empty, the TXT record will be searched automatically. If you know the domain uses TXT and not SPF, specifying that will save a lookup. CLI Example: salt ns1 dig.SPF google.com salt.modules.dig.TXT(host, nameserver=None) Return the TXT record for host. Always returns a list. CLI Example: salt ns1 dig.TXT google.com salt.modules.dig.check_ip(addr) Check if address is a valid IP. returns True if valid, otherwise False. CLI Example: salt ns1 dig.check_ip 127.0.0.1 salt ns1 dig.check_ip 1111:2222:3333:4444:5555:6666:7777:8888 salt.modules.disk Module for gathering disk information salt.modules.disk.blkid(device=None) Return block device attributes: UUID, LABEL, etc. This function only works on systems where blkid is available. CLI Example: salt '*' disk.blkid salt '*' disk.blkid /dev/sda salt.modules.disk.inodeusage(args=None) Return inode usage information for volumes mounted on this minion CLI Example: salt '*' disk.inodeusage salt.modules.disk.percent(args=None) Return partition information for volumes mounted on this minion CLI Example: salt '*' disk.percent /var salt.modules.disk.usage(args=None) Return usage information for volumes mounted on this minion CLI Example: salt '*' disk.usage salt.modules.djangomod Manage Django sites salt.modules.djangomod.collectstatic(settings_module, bin_env=None, no_post_process=False, ignore=None, dry_run=False, clear=False, link=False, no_default_ignore=False, pythonpath=None, env=None) Collect static files from each of your applications into a single location that can easily be served in production. CLI Example: salt '*' django.collectstatic <settings_module> salt.modules.djangomod.command(settings_module, command, bin_env=None, pythonpath=None, env=None, *args, **kwargs) Run arbitrary django management command CLI Example: salt '*' django.command <settings_module> <command> salt.modules.djangomod.createsuperuser(settings_module, username, email, bin_env=None, database=None, pythonpath=None, env=None) Create a super user for the database. This function defaults to use the --noinput flag which prevents the creation of a password for the superuser. CLI Example: salt '*' django.createsuperuser <settings_module> user user@example.com salt.modules.djangomod.loaddata(settings_module, fixtures, bin_env=None, database=None, pythonpath=None, env=None) Load fixture data Fixtures: comma separated list of fixtures to load CLI Example: salt '*' django.loaddata <settings_module> <comma delimited list of fixtures> salt.modules.djangomod.syncdb(settings_module, bin_env=None, migrate=False, database=None, pythonpath=None, env=None, noinput=True) Run syncdb Execute the Django-Admin syncdb command, if South is available on the minion the migrate option can be passed as True calling the migrations to run after the syncdb completes CLI Example: salt '*' django.syncdb <settings_module> salt.modules.dnsmasq Module for managing dnsmasq salt.modules.dnsmasq.fullversion() Shows installed version of dnsmasq and compile options. CLI Example: salt '*' dnsmasq.version salt.modules.dnsmasq.get_config(config_file='/etc/dnsmasq.conf') Dumps all options from the config file. CLI Examples: salt '*' dnsmasq.get_config salt '*' dnsmasq.get_config file=/etc/dnsmasq.conf salt.modules.dnsmasq.set_config(config_file='/etc/dnsmasq.conf', follow=True, **kwargs) Sets a value or a set of values in the specified file. By default, if conf-dir is configured in this file, salt will attempt to set the option in any file inside the conf-dir where it has already been enabled. If it does not find it inside any files, it will append it to the main config file. Setting follow to False will turn off this behavior. If a config option currently appears multiple times (such as dhcp-host, which is specified at least once per host), the new option will be added to the end of the main config file (and not to any includes). If you need an option added to a specific include file, specify it as the config_file. CLI Examples: salt '*' dnsmasq.set_config domain=mydomain.com salt '*' dnsmasq.set_config follow=False domain=mydomain.com salt '*' dnsmasq.set_config file=/etc/dnsmasq.conf domain=mydomain.com salt.modules.dnsmasq.version() Shows installed version of dnsmasq. CLI Example: salt '*' dnsmasq.version salt.modules.dnsutil Compendium of generic DNS utilities salt.modules.dnsutil.A(host, nameserver=None) Return the A record(s) for host. Always returns a list. CLI Example: salt ns1 dnsutil.A www.google.com salt.modules.dnsutil.AAAA(host, nameserver=None) Return the AAAA record(s) for host. Always returns a list. New in version 2014.7.5. CLI Example: salt ns1 dnsutil.AAAA www.google.com salt.modules.dnsutil.MX(domain, resolve=False, nameserver=None) Return a list of lists for the MX of domain. If the 'resolve' argument is True, resolve IPs for the servers. It's limited to one IP, because although in practice it's very rarely a round robin, it is an acceptable configuration and pulling just one IP lets the data be similar to the non-resolved version. If you think an MX has multiple IPs, don't use the resolver here, resolve them in a separate step. CLI Example: salt ns1 dig.MX google.com salt.modules.dnsutil.NS(domain, resolve=True, nameserver=None) Return a list of IPs of the nameservers for domain If 'resolve' is False, don't resolve names. CLI Example: salt ns1 dig.NS google.com salt.modules.dnsutil.SPF(domain, record='SPF', nameserver=None) Return the allowed IPv4 ranges in the SPF record for domain. If record is SPF and the SPF record is empty, the TXT record will be searched automatically. If you know the domain uses TXT and not SPF, specifying that will save a lookup. CLI Example: salt ns1 dig.SPF google.com salt.modules.dnsutil.check_ip(ip_addr) Check that string ip_addr is a valid IP CLI Example: salt ns1 dig.check_ip 127.0.0.1 salt.modules.dnsutil.hosts_append(hostsfile='/etc/hosts', ip_addr=None, entries=None) Append a single line to the /etc/hosts file. CLI Example: salt '*' dnsutil.hosts_append /etc/hosts 127.0.0.1 ad1.yuk.co,ad2.yuk.co salt.modules.dnsutil.hosts_remove(hostsfile='/etc/hosts', entries=None) Remove a host from the /etc/hosts file. If doing so will leave a line containing only an IP address, then the line will be deleted. This function will leave comments and blank lines intact. CLI Examples: salt '*' dnsutil.hosts_remove /etc/hosts ad1.yuk.co salt '*' dnsutil.hosts_remove /etc/hosts ad2.yuk.co,ad1.yuk.co salt.modules.dnsutil.parse_hosts(hostsfile='/etc/hosts', hosts=None) Parse /etc/hosts file. CLI Example: salt '*' dnsutil.parse_hosts salt.modules.dnsutil.parse_zone(zonefile=None, zone=None) Parses a zone file. Can be passed raw zone data on the API level. CLI Example: salt ns1 dnsutil.parse_zone /var/lib/named/example.com.zone salt.modules.dnsutil.serial(zone='', update=False) Return, store and update a dns serial for your zone files. zone: a keyword for a specific zone update: store an updated version of the serial in a grain If update is False, the function will retrieve an existing serial or return the current date if no serial is stored. Nothing will be stored If update is True, the function will set the serial to the current date if none exist or if the existing serial is for a previous date. If a serial for greater than the current date is already stored, the function will increment it. This module stores the serial in a grain, you can explicitly set the stored value as a grain named dnsserial_<zone_name>. CLI Example: salt ns1 dnsutil.serial example.com salt.modules.dockerio Management of Docker Containers New in version 2014.1.0. Deprecated since version 2015.8.0: Future feature development will be done only in dockerng. See the documentation for this module for information on the deprecation path. NOTE: The DockerIO integration is still in beta; the API is subject to change General Notes As we use states, we don't want to be continuously popping dockers, so we will map each container id (or image) with a grain whenever it is relevant. As a corollary, we will resolve a container id either directly by the id or try to find a container id matching something stocked in grain. Installation Prerequisites • You will need the docker-py python package in your python installation path that is running salt. Its version should support Docker Remote API v1.12. Currently, docker-py 0.6.0 is known to support Docker Remote API v1.12 pip install docker-py==0.6.0 Prerequisite Pillar Configuration for Authentication • To push or pull you will need to be authenticated as the docker-py bindings require it • For this to happen, you will need to configure a mapping in the pillar representing your per URL authentication bits: docker-registries: registry_url: email: foo@foo.com password: s3cr3t username: foo • You need at least an entry to the default docker index: docker-registries: https://index.docker.io/v1/: email: foo@foo.com password: s3cr3t username: foo • You can define multiple registry blocks for them to be aggregated. The only thing to keep in mind is that their ID must finish with -docker-registries: ac-docker-registries: https://index.bar.io/v1/: email: foo@foo.com password: s3cr3t username: foo ab-docker-registries: https://index.foo.io/v1/: email: foo@foo.com password: s3cr3t username: foo This could be also written as: docker-registries: https://index.bar.io/v1/: email: foo@foo.com password: s3cr3t username: foo https://index.foo.io/v1/: email: foo@foo.com password: s3cr3t username: foo Methods • Registry Dialog • login • push • pull • Docker Management • version • info • Image Management • search • inspect_image • get_images • remove_image • import_image • build • tag • save • load • Container Management • start • stop • restart • kill • wait • get_containers • inspect_container • remove_container • is_running • top • port • logs • diff • commit • create_container • export • get_container_root Runtime Execution within a specific, already existing/running container Idea is to use lxc-attach to execute inside the container context. We do not want to use docker run but want to execute something inside a running container. These are the available methods: • retcode • run • run_all • run_stderr • run_stdout • script • script_retcode salt.modules.dockerio.build(path=None, tag=None, quiet=False, fileobj=None, nocache=False, rm=True, timeout=None) Build a docker image from a dockerfile or an URL path url/branch/docker_dir or path on the filesystem to the dockerfile tag tag of the image quiet quiet mode, Default is False nocache do not use docker image cache, Default is False rm remove intermediate commits, Default is True timeout timeout value before aborting (in seconds) CLI Example: salt '*' docker.build vieux/apache salt '*' docker.build github.com/creack/docker-firefox salt.modules.dockerio.commit(container, repository=None, tag=None, message=None, author=None, conf=None) Commit a container (promotes it to an image) container container id repository repository/image to commit to tag tag of the image (Optional) message commit message (Optional) author author name (Optional) conf conf (Optional) CLI Example: salt '*' docker.commit <container id> salt.modules.dockerio.create_container(image, command=None, hostname=None, user=None, detach=True, stdin_open=False, tty=False, mem_limit=0, ports=None, environment=None, dns=None, volumes=None, volumes_from=None, name=None, cpu_shares=None, cpuset=None, binds=None) Create a new container image image to create the container from command command to execute while starting hostname hostname of the container user user to run docker as detach daemon mode, Default is True environment environment variable mapping ({'foo':'BAR'}) ports port redirections ({'222': {}}) volumes list of volume mappings in either local volume, bound volume, or read-only bound volume form: (['/var/lib/mysql/', '/usr/local/etc/ssl:/etc/ssl', '/etc/passwd:/etc/passwd:ro']) binds complete dictionary of bound volume mappings: { '/usr/local/etc/ssl/certs/internal.crt': { 'bind': '/etc/ssl/certs/com.example.internal.crt', 'ro': True }, '/var/lib/mysql': { 'bind': '/var/lib/mysql/', 'ro': False } } This dictionary is suitable for feeding directly into the Docker API, and all keys are required. (see http://docker-py.readthedocs.org/en/latest/volumes/) tty attach ttys, Default is False stdin_open let stdin open, Default is False name name given to container cpu_shares CPU shares (relative weight) cpuset CPUs in which to allow execution ('0-3' or '0,1') CLI Example: salt '*' docker.create_container o/ubuntu volumes="['/s','/m:/f']" salt.modules.dockerio.diff(container) Get container diffs container container id CLI Example: salt '*' docker.diff <container id> salt.modules.dockerio.exists(container) Check if a given container exists container container id Returns True if container exists otherwise returns False CLI Example: salt '*' docker.exists <container id> salt.modules.dockerio.export(container, path) Export a container to a file container container id path path to which file is to be exported CLI Example: salt '*' docker.export <container id> salt.modules.dockerio.get_container_root(container) Get the container rootfs path container container id or grain CLI Example: salt '*' docker.get_container_root <container id> salt.modules.dockerio.get_containers(all=True, trunc=False, since=None, before=None, limit=-1, host=False, inspect=False) Get a list of mappings representing all containers all return all containers, Default is True trunc set it to True to have the short ID, Default is False host include the Docker host's ipv4 and ipv6 address in return, Default is False inspect Get more granular information about each container by running a docker inspect CLI Example: salt '*' docker.get_containers salt '*' docker.get_containers host=True salt '*' docker.get_containers host=True inspect=True salt.modules.dockerio.get_images(name=None, quiet=False, all=True) List docker images name repository name quiet only show image id, Default is False all show all images, Default is True CLI Example: salt '*' docker.get_images <name> [quiet=True|False] [all=True|False] salt.modules.dockerio.import_image(src, repo, tag=None) Import content from a local tarball or a URL to a docker image src content to import (URL or absolute path to a tarball) repo repository to import to tag set tag of the image (Optional) CLI Example: salt '*' docker.import_image <src> <repo> [tag] salt.modules.dockerio.info() Get the version information about docker. This is similar to docker info command CLI Example: salt '*' docker.info salt.modules.dockerio.inspect_container(container) Get container information. This is similar to docker inspect command but only for containers container container id CLI Example: salt '*' docker.inspect_container <container id> salt.modules.dockerio.inspect_image(image) Inspect the status of an image and return relative data. This is similar to docker inspect command but only for images. image name of the image CLI Example: salt '*' docker.inspect_image <image> salt.modules.dockerio.is_running(container) Check if the specified container is running container container id Returns True if container is running otherwise returns False CLI Example: salt '*' docker.is_running <container id> salt.modules.dockerio.kill(container, signal=None) Kill a running container container container id signal signal to send New in version 2015.8.0. CLI Example: salt '*' docker.kill <container id> salt.modules.dockerio.load(imagepath) Load the specified file at imagepath into docker that was generated from a docker save command e.g. docker load < imagepath imagepath imagepath to docker tar file CLI Example: salt '*' docker.load /path/to/image salt.modules.dockerio.login(url=None, username=None, password=None, email=None) Wrapper to the docker.py login method (does not do much yet) url registry url to authenticate to username username to authenticate password password to authenticate email email to authenticate CLI Example: salt '*' docker.login <url> <username> <password> <email> salt.modules.dockerio.logs(container) Return logs for a specified container container container id CLI Example: salt '*' docker.logs <container id> salt.modules.dockerio.port(container, private_port) Private port mapping allocation information. This method is broken on docker-py side. Just use the result of inspect to mangle port allocation container container id private_port private port on the container to query for CLI Example: salt '*' docker.port <container id> <private port> salt.modules.dockerio.pull(repo, tag=None, insecure_registry=False) Pulls an image from any registry. See documentation at top of this page to configure authenticated access repo name of repository tag specific tag to pull (Optional) insecure_registry set as True to use insecure (non HTTPS) registry. Default is False (only available if using docker-py >= 0.5.0) CLI Example: salt '*' docker.pull <repository> [tag] salt.modules.dockerio.push(repo, tag=None, quiet=False, insecure_registry=False) Pushes an image to any registry. See documentation at top of this page to configure authenticated access repo name of repository tag specific tag to push (Optional) quiet set as True to quiet output, Default is False insecure_registry set as True to use insecure (non HTTPS) registry. Default is False (only available if using docker-py >= 0.5.0) CLI Example: salt '*' docker.push <repository> [tag] [quiet=True|False] salt.modules.dockerio.remove_container(container, force=False, v=False) Remove a container from a docker installation container container id force remove a running container, Default is False v remove the volumes associated to the container, Default is False CLI Example: salt '*' docker.remove_container <container id> [force=True|False] [v=True|False] salt.modules.dockerio.remove_image(image) Remove an image from a system. image name of image CLI Example: salt '*' docker.remove_image <image> salt.modules.dockerio.restart(container, timeout=10) Restart a running container container container id timeout timeout for container to exit gracefully before killing it, Default is 10 seconds CLI Example: salt '*' docker.restart <container id> [timeout=20] salt.modules.dockerio.retcode(container, cmd) Wrapper for cmdmod.retcode inside a container context container container id (or grain) cmd command to execute NOTE: The return is True or False depending on the commands success. WARNING: Be advised that this function allows for raw shell access to the named container! If allowing users to execute this directly it may allow more rights than intended! CLI Example: salt '*' docker.retcode <container id> 'ls -l /etc' salt.modules.dockerio.run(container, cmd) Wrapper for cmdmod.run inside a container context container container id (or grain) cmd command to execute NOTE: The return is a bit different as we use the docker struct. Output of the command is in 'out' and result is always True. WARNING: Be advised that this function allows for raw shell access to the named container! If allowing users to execute this directly it may allow more rights than intended! CLI Example: salt '*' docker.run <container id> 'ls -l /etc' salt.modules.dockerio.run_all(container, cmd) Wrapper for cmdmod.run_all inside a container context container container id (or grain) cmd command to execute NOTE: The return is a bit different as we use the docker struct. Output of the command is in 'out' and result is False if command failed to execute. WARNING: Be advised that this function allows for raw shell access to the named container! If allowing users to execute this directly it may allow more rights than intended! CLI Example: salt '*' docker.run_all <container id> 'ls -l /etc' salt.modules.dockerio.run_stderr(container, cmd) Wrapper for cmdmod.run_stderr inside a container context container container id (or grain) cmd command to execute NOTE: The return is a bit different as we use the docker struct. Output of the command is in 'out' and result is always True. WARNING: Be advised that this function allows for raw shell access to the named container! If allowing users to execute this directly it may allow more rights than intended! CLI Example: salt '*' docker.run_stderr <container id> 'ls -l /etc' salt.modules.dockerio.run_stdout(container, cmd) Wrapper for cmdmod.run_stdout inside a container context container container id (or grain) cmd command to execute NOTE: The return is a bit different as we use the docker struct. Output of the command is in 'out' and result is always True. WARNING: Be advised that this function allows for raw shell access to the named container! If allowing users to execute this directly it may allow more rights than intended! CLI Example: salt '*' docker.run_stdout <container id> 'ls -l /etc' salt.modules.dockerio.save(image, filename) New in version 2015.5.0. Save the specified image to filename from docker e.g. docker save image > filename image name of image filename The filename of the saved docker image CLI Example: salt '*' docker.save arch_image /path/to/save/image salt.modules.dockerio.script(container, source, args=None, cwd=None, stdin=None, runas=None, shell='/bin/sh', env=None, template='jinja', umask=None, timeout=None, reset_system_locale=True, no_clean=False, saltenv='base') Wrapper for cmdmod.script inside a container context container container id (or grain) additional parameters See cmd.script WARNING: Be advised that this function allows for raw shell access to the named container! If allowing users to execute this directly it may allow more rights than intended! Download a script from a remote location and execute the script in the container. The script can be located on the salt master file server or on an HTTP/FTP server. The script will be executed directly, so it can be written in any available programming language. The script can also be formatted as a template, the default is jinja. Arguments for the script can be specified as well. CLI Example: salt '*' docker.script <container id> salt://docker_script.py salt '*' docker.script <container id> salt://scripts/runme.sh 'arg1 arg2 "arg 3"' salt '*' docker.script <container id> salt://scripts/windows_task.ps1 args=' -Input c:\tmp\infile.txt' shell='powershell' A string of standard input can be specified for the command to be run using the stdin parameter. This can be useful in cases where sensitive information must be read from standard input: CLI Example: salt '*' docker.script <container id> salt://scripts/runme.sh stdin='one\ntwo\nthree\nfour\nfive\n' salt.modules.dockerio.script_retcode(container, source, cwd=None, stdin=None, runas=None, shell='/bin/sh', env=None, template='jinja', umask=None, timeout=None, reset_system_locale=True, no_clean=False, saltenv='base') Wrapper for cmdmod.script_retcode inside a container context container container id (or grain) additional parameters See cmd.script_retcode WARNING: Be advised that this function allows for raw shell access to the named container! If allowing users to execute this directly it may allow more rights than intended! CLI Example: salt '*' docker.script_retcode <container id> salt://docker_script.py salt.modules.dockerio.search(term) Search for an image on the registry term search keyword CLI Example: salt '*' docker.search <term> salt.modules.dockerio.start(container, binds=None, port_bindings=None, lxc_conf=None, publish_all_ports=None, links=None, privileged=False, dns=None, volumes_from=None, network_mode=None, restart_policy=None, cap_add=None, cap_drop=None) Start the specified container container container id CLI Example: salt '*' docker.start <container id> salt.modules.dockerio.stop(container, timeout=10) Stop a running container container container id timeout timeout for container to exit gracefully before killing it, Default is 10 seconds CLI Example: salt '*' docker.stop <container id> [timeout=20] salt.modules.dockerio.tag(image, repository, tag=None, force=False) Tag an image into a repository image name of image repository name of repository tag tag to apply (Optional) force force apply tag, Default is False CLI Example: salt '*' docker.tag <image> <repository> [tag] [force=True|False] salt.modules.dockerio.top(container) Run the docker top command on a specific container container container id CLI Example: salt '*' docker.top <container id> salt.modules.dockerio.version() Get docker version CLI Example: salt '*' docker.version salt.modules.dockerio.wait(container) Wait for a container to exit gracefully container container id CLI Example: salt '*' docker.wait <container id> salt.modules.dockerng Management of Docker Containers New in version 2015.8.0. Why Make a Second Docker Execution Module? We have received a lot of feedback on our Docker support. In the process of implementing recommended improvements, it became obvious that major changes needed to be made to the functions and return data. In the end, a complete rewrite was done. The changes being too significant, it was decided that making a separate execution module and state module (called dockerng) would be the best option. This will give users a couple release cycles to modify their scripts, SLS files, etc. to use the new functionality, rather than forcing users to change everything immediately. In the Carbon release of Salt (due in 2016), this execution module will take the place of the default Docker execution module, and backwards-compatible naming will be maintained for a couple releases after that to allow users time to replace references to dockerng with docker. Installation Prerequisites This execution module requires at least version 1.4.0 of both docker-py and Docker. docker-py can easily be installed using pip.install: salt myminion pip.install docker-py>=1.4.0 Authentication To push or pull images, credentials must be configured. Because a password must be used, it is recommended to place this configuration in Pillar data. The configuration schema is as follows: docker-registries: <registry_url>: email: <email_address> password: <password> username: <username> For example: docker-registries: https://index.docker.io/v1/: email: foo@foo.com password: s3cr3t username: foo Mulitiple registries can be configured. This can be done in one of two ways. The first way is to configure each registry under the docker-registries pillar key. docker-registries: https://index.foo.io/v1/: email: foo@foo.com password: s3cr3t username: foo https://index.bar.io/v1/: email: foo@foo.com password: s3cr3t username: foo The second way is to use separate pillar variables ending in -docker-registries: foo-docker-registries: https://index.foo.io/v1/: email: foo@foo.com password: s3cr3t username: foo bar-docker-registries: https://index.bar.io/v1/: email: foo@foo.com password: s3cr3t username: foo Both methods can be combined; any registry configured under docker-registries or *-docker-registries will be detected. Configuration Options The following options can be set in the minion config: • docker.url: URL to the docker service (default: local socket). • docker.version: API version to use (default: currently 1.4 API). • docker.exec_driver: Execution driver to use, one of the following: • nsenter • lxc-attach • docker-exec See Executing Commands Within a Running Container. Functions • Information Gathering • dockerng.depends • dockerng.diff • dockerng.exists • dockerng.history • dockerng.images • dockerng.info • dockerng.inspect • dockerng.inspect_container • dockerng.inspect_image • dockerng.list_containers • dockerng.list_tags • dockerng.logs • dockerng.pid • dockerng.port • dockerng.ps • dockerng.state • dockerng.search • dockerng.top • dockerng.version • Container Management • dockerng.create • dockerng.copy_from • dockerng.copy_to • dockerng.export • dockerng.rm • Management of Container State • dockerng.kill • dockerng.pause • dockerng.restart • dockerng.start • dockerng.stop • dockerng.unpause • dockerng.wait • Image Management • dockerng.build • dockerng.commit • dockerng.dangling • dockerng.import • dockerng.load • dockerng.pull • dockerng.push • dockerng.rmi • dockerng.save • dockerng.tag • Network Management • dockerng.networks • dockerng.create_network • dockerng.remove_network • dockerng.inspect_network • dockerng.connect_container_to_network • dockerng.disconnect_container_from_network Executing Commands Within a Running Container Multiple methods exist for executing commands within Docker containers: • lxc-attach: Default for older versions of docker • nsenter: Enters container namespace to run command • docker-exec: Native support for executing commands in Docker containers (added in Docker 1.3) Adding a configuration option (see config.get) called docker.exec_driver will tell Salt which execution driver to use: docker.exec_driver: docker-exec If this configuration option is not found, Salt will use the appropriate interface (either nsenter or lxc-attach) based on the Execution Driver value returned from docker info. docker-exec will not be used by default, as it is presently (as of version 1.6.2) only able to execute commands as the effective user of the container. Thus, if a USER directive was used to run as a non-privileged user, docker-exec would be unable to perform the action as root. Salt can still use docker-exec as an execution driver, but must be explicitly configured (as in the example above) to do so at this time. If possible, try to manually specify the execution driver, as it will save Salt a little work. This execution module provides functions that shadow those from the cmd module. They are as follows: • dockerng.retcode • dockerng.run • dockerng.run_all • dockerng.run_stderr • dockerng.run_stdout • dockerng.script • dockerng.script_retcode Detailed Function Documentation salt.modules.dockerng.build(path=None, image=None, cache=True, rm=True, api_response=False, fileobj=None) Builds a docker image from a Dockerfile or a URL path Path to directory on the Minion containing a Dockerfile image Image to be built, in repo:tag notation. If just the repository name is passed, a tag name of latest will be assumed. If building from a URL, this parameted can be omitted. cache True Set to False to force the build process not to use the Docker image cache, and pull all required intermediate image layers rm True Remove intermediate containers created during build api_response False If True: an API_Response key will be present in the return data, containing the raw output from the Docker API. fileobj Allows for a file-like object containing the contents of the Dockerfile to be passed in place of a file path argument. This argument should not be used from the CLI, only from other Salt code. RETURN DATA A dictionary containing one or more of the following keys: • Id - ID of the newly-built image • Time_Elapsed - Time in seconds taken to perform the build • Intermediate_Containers - IDs of containers created during the course of the build process (Only present if rm=False) • Images - A dictionary containing one or more of the following keys: • Already_Pulled - Layers that that were already present on the Minion • Pulled - Layers that that were pulled (Only present if the image specified by the "image" argument was not present on the Minion, or if cache=False) • Status - A string containing a summary of the pull action (usually a message saying that an image was downloaded, or that it was up to date). (Only present if the image specified by the "image" argument was not present on the Minion, or if cache=False) CLI Example: salt myminion dockerng.build /path/to/docker/build/dir image=myimage:dev salt myminion dockerng.build https://github.com/myuser/myrepo.git image=myimage:latest salt.modules.dockerng.commit(name, image, message=None, author=None) Commits a container, thereby promoting it to an image. Equivalent to running the docker commit Docker CLI command. name Container name or ID to commit image Image to be committed, in repo:tag notation. If just the repository name is passed, a tag name of latest will be assumed. message Commit message (Optional) author Author name (Optional) RETURN DATA A dictionary containing the following keys: • Id - ID of the newly-created image • Image - Name of the newly-created image • Time_Elapsed - Time in seconds taken to perform the commit CLI Example: salt myminion dockerng.commit mycontainer myuser/myimage salt myminion dockerng.commit mycontainer myuser/myimage:mytag salt.modules.dockerng.connect_container_to_network(container, network_id) Connect container to network. container Container name or ID network_id ID of network CLI Example: salt myminion dockerng.connect_container_from_network web-1 1f9d2454d0872b68dd9e8744c6e7a4c66b86f10abaccc21e14f7f014f729b2bc salt.modules.dockerng.copy_from(name, *args, **kwargs) Copy a file from inside a container to the Minion name Container name source Path of the file on the container's filesystem dest Destination on the Minion. Must be an absolute path. If the destination is a directory, the file will be copied into that directory. overwrite False Unless this option is set to True, then if a file exists at the location specified by the dest argument, an error will be raised. makedirs False Create the parent directory on the container if it does not already exist. RETURN DATA A boolean (True if successful, otherwise False) CLI Example: salt myminion dockerng.copy_from mycontainer /var/log/nginx/access.log /home/myuser salt.modules.dockerng.copy_to(name, *args, **kwargs) Copy a file from the host into a container name Container name source File to be copied to the container. Can be a local path on the Minion or a remote file from the Salt fileserver. dest Destination on the container. Must be an absolute path. If the destination is a directory, the file will be copied into that directory. exec_driver None If not passed, the execution driver will be detected as described above. overwrite False Unless this option is set to True, then if a file exists at the location specified by the dest argument, an error will be raised. makedirs False Create the parent directory on the container if it does not already exist. RETURN DATA A boolean (True if successful, otherwise False) CLI Example: salt myminion dockerng.copy_to mycontainer /tmp/foo /root/foo salt.modules.dockerng.create(*args, **kwargs) Create a new container name Name for the new container. If not provided, Docker will randomly generate one for you. image Image from which to create the container command or cmd Command to run in the container Example: command=bash or cmd=bash Changed in version 2015.8.1: cmd is now also accepted hostname Hostname of the container. If not provided, and if a name has been provided, the hostname will default to the name that was passed. Example: hostname=web1 WARNING: If the container is started with network_mode=host, the hostname will be overridden by the hostname of the Minion. domainname Domain name of the container Example: domainname=domain.tld interactive False Leave stdin open Example: interactive=True tty False Attach TTYs Example: tty=True detach True If True, run command in the background (daemon mode) Example: detach=False user User under which to run docker Example: user=foo memory 0 Memory limit. Can be specified in bytes or using single-letter units (i.e. 512M, 2G, etc.). A value of 0 (the default) means no memory limit. Example: memory=512M, memory=1073741824 memory_swap -1 Total memory limit (memory plus swap). Set to -1 to disable swap. A value of 0 means no swap limit. Example: memory_swap=1G, memory_swap=2147483648 mac_address MAC address to use for the container. If not specified, a random MAC address will be used. Example: mac_address=01:23:45:67:89:0a network_disabled False If True, networking will be disabled within the container Example: network_disabled=True working_dir Working directory inside the container Example: working_dir=/var/log/nginx entrypoint Entrypoint for the container. Either a string (e.g. "mycmd --arg1 --arg2") or a Python list (e.g. "['mycmd', '--arg1', '--arg2']") Example: entrypoint="cat access.log" environment Either a dictionary of environment variable names and their values, or a Python list of strings in the format VARNAME=value. Example: "{'VAR1': 'value', 'VAR2': 'value'}", "['VAR1=value', 'VAR2=value']" ports A list of ports to expose on the container. Can be passed as comma-separated list or a Python list. If the protocol is omitted, the port will be assumed to be a TCP port. Example: 1111,2222/udp, "['1111/tcp', '2222/udp']" volumes None List of directories to expose as volumes. Can be passed as a comma-separated list or a Python list. Example: volumes=/mnt/vol1,/mnt/vol2, volumes="[/mnt/vol1, /mnt/vol2]" cpu_shares CPU shares (relative weight) Example: cpu_shares=0.5, cpu_shares=1 cpuset CPUs on which which to allow execution, specified as a string containing a range (e.g. 0-3) or a comma-separated list of CPUs (e.g. 0,1). Example: cpuset="0-3", cpuset="0,1" client_timeout Timeout in seconds for the Docker client. This is not a timeout for this function, but for receiving a response from the API. NOTE: This is only used if Salt needs to pull the requested image. labels Add Metadata to the container. Can be a list of strings/dictionaries or a dictionary of strings (keys and values). Example: labels=LABEL1,LABEL2, labels="{'LABEL1': 'value1', 'LABEL2': 'value2'}" validate_ip_addrs True For parameters which accept IP addresses as input, IP address validation will be performed. To disable, set this to False binds Files/directories to bind mount. Each bind mount should be passed in the format <host_path>:<container_path>:<read_only>, where <read_only> is one of rw (for read-write access) or ro (for read-only access). Optionally, the read-only information can be left off the end and the bind mount will be assumed to be read-write. Examples 2 and 3 below are equivalent. Example 1: binds=/srv/www:/var/www:ro Example 2: binds=/srv/www:/var/www:rw Example 3: binds=/srv/www:/var/www port_bindings Bind exposed ports which were exposed using the ports argument to dockerng.create. These should be passed in the same way as the --publish argument to the docker run CLI command: • ip:hostPort:containerPort - Bind a specific IP and port on the host to a specific port within the container. • ip::containerPort - Bind a specific IP and an ephemeral port to a specific port within the container. • hostPort:containerPort - Bind a specific port on all of the host's interfaces to a specific port within the container. • containerPort - Bind an ephemeral port on all of the host's interfaces to a specific port within the container. Multiple bindings can be separated by commas, or passed as a Python list. The below two examples are equivalent: Example 1: port_bindings="5000:5000,2123:2123/udp,8080" Example 2: port_bindings="['5000:5000', '2123:2123/udp', '8080']" NOTE: When configuring bindings for UDP ports, the protocol must be passed in the containerPort value, as seen in the examples above. lxc_conf Additional LXC configuration parameters to set before starting the container. Example: lxc_conf="{lxc.utsname: docker}" NOTE: These LXC configuration parameters will only have the desired effect if the container is using the LXC execution driver, which has not been the default for some time. publish_all_ports False Allocates a random host port for each port exposed using the ports argument to dockerng.create. Example: publish_all_ports=True links Link this container to another. Links should be specified in the format <container_name_or_id>:<link_alias>. Multiple links can be passed, ether as a comma separated list or a Python list. Example 1: links=mycontainer:myalias, links=web1:link1,web2:link2 Example 2: links="['mycontainer:myalias']" links="['web1:link1', 'web2:link2']" dns List of DNS nameservers. Can be passed as a comma-separated list or a Python list. Example: dns=8.8.8.8,8.8.4.4 or dns="[8.8.8.8, 8.8.4.4]" NOTE: To skip IP address validation, use validate_ip_addrs=False dns_search List of DNS search domains. Can be passed as a comma-separated list or a Python list. Example: dns_search=foo1.domain.tld,foo2.domain.tld or dns_search="[foo1.domain.tld, foo2.domain.tld]" volumes_from Container names or IDs from which the container will get volumes. Can be passed as a comma-separated list or a Python list. Example: volumes_from=foo, volumes_from=foo,bar, volumes_from="[foo, bar]" network_mode bridge One of the following: • bridge - Creates a new network stack for the container on the docker bridge • null - No networking (equivalent of the Docker CLI argument --net=none) • container:<name_or_id> - Reuses another container's network stack • host - Use the host's network stack inside the container WARNING: Using host mode gives the container full access to the hosts system's services (such as D-bus), and is therefore considered insecure. Example: network_mode=null, network_mode=container:web1 restart_policy Set a restart policy for the container. Must be passed as a string in the format policy[:retry_count] where policy is one of always or on-failure, and retry_count is an optional limit to the number of retries. The retry count is ignored when using the always restart policy. Example 1: restart_policy=on-failure:5 Example 2: restart_policy=always cap_add List of capabilities to add within the container. Can be passed as a comma-separated list or a Python list. Requires Docker 1.2.0 or newer. Example: cap_add=SYS_ADMIN,MKNOD, cap_add="[SYS_ADMIN, MKNOD]" cap_drop List of capabilities to drop within the container. Can be passed as a comma-separated string or a Python list. Requires Docker 1.2.0 or newer. Example: cap_drop=SYS_ADMIN,MKNOD, cap_drop="[SYS_ADMIN, MKNOD]" extra_hosts Additional hosts to add to the container's /etc/hosts file. Can be passed as a comma-separated list or a Python list. Requires Docker 1.3.0 or newer. Example: extra_hosts=web1:10.9.8.7,web2:10.9.8.8 NOTE: To skip IP address validation, use validate_ip_addrs=False pid_mode Set to host to use the host container's PID namespace within the container. Requires Docker 1.5.0 or newer. Example: pid_mode=host RETURN DATA A dictionary containing the following keys: • Id - ID of the newly-created container • Name - Name of the newly-created container CLI Example: # Create a data-only container salt myminion dockerng.create myuser/mycontainer volumes="/mnt/vol1,/mnt/vol2" # Create a CentOS 7 container that will stay running once started salt myminion dockerng.create centos:7 name=mycent7 interactive=True tty=True command=bash salt.modules.dockerng.create_network(name, driver=None) Create a new network network_id ID of network driver Driver of the network CLI Example: salt myminion dockerng.create_network web_network driver=bridge salt.modules.dockerng.create_volume(name, driver=None, driver_opts=None) Create a new volume New in version 2015.8.4. name name of volume driver Driver of the volume driver_opts Options for the driver volume CLI Example: salt myminion dockerng.create_volume my_volume driver=local salt.modules.dockerng.dangling(prune=False, force=False) Return top-level images (those on which no other images depend) which do not have a tag assigned to them. These include: • Images which were once tagged but were later untagged, such as those which were superseded by committing a new copy of an existing tagged image. • Images which were loaded using docker.load (or the docker load Docker CLI command), but not tagged. prune False Remove these images force False If True, and if prune=True, then forcibly remove these images. RETURN DATA If prune=False, the return data will be a list of dangling image IDs. If prune=True, the return data will be a dictionary with each key being the ID of the dangling image, and the following information for each image: • Comment - Any error encountered when trying to prune a dangling image (Only present if prune failed) • Removed - A boolean (True if prune was successful, False if not) CLI Example: salt myminion dockerng.dangling salt myminion dockerng.dangling prune=True salt.modules.dockerng.depends(name) Returns the containers and images, if any, which depend on the given image name Name or ID of image RETURN DATA A dictionary containing the following keys: • Containers - A list of containers which depend on the specified image • Images - A list of IDs of images which depend on the specified image CLI Example: salt myminion dockerng.depends myimage salt myminion dockerng.depends 0123456789ab salt.modules.dockerng.diff(name, *args, **kwargs) Get information on changes made to container's filesystem since it was created. Equivalent to running the docker diff Docker CLI command. name Container name or ID RETURN DATA A dictionary containing any of the following keys: • Added - A list of paths that were added. • Changed - A list of paths that were changed. • Deleted - A list of paths that were deleted. These keys will only be present if there were changes, so if the container has no differences the return dict will be empty. CLI Example: salt myminion dockerng.diff mycontainer salt.modules.dockerng.disconnect_container_from_network(container, network_id) Disconnect container from network. container Container name or ID network_id ID of network CLI Example: salt myminion dockerng.disconnect_container_from_network web-1 1f9d2454d0872b68dd9e8744c6e7a4c66b86f10abaccc21e14f7f014f729b2bc salt.modules.dockerng.exists(name) Check if a given container exists name Container name or ID RETURN DATA A boolean (True if the container exists, otherwise False) CLI Example: salt myminion dockerng.exists mycontainer salt.modules.dockerng.export(name, *args, **kwargs) Exports a container to a tar archive. It can also optionally compress that tar archive, and push it up to the Master. name Container name or ID path Absolute path on the Minion where the container will be exported overwrite False Unless this option is set to True, then if a file exists at the location specified by the path argument, an error will be raised. makedirs False If True, then if the parent directory of the file specified by the path argument does not exist, Salt will attempt to create it. compression None Can be set to any of the following: • gzip or gz for gzip compression • bzip2 or bz2 for bzip2 compression • xz or lzma for XZ compression (requires xz-utils, as well as the lzma module from Python 3.3, available in Python 2 and Python 3.0-3.2 as backports.lzma) This parameter can be omitted and Salt will attempt to determine the compression type by examining the filename passed in the path parameter. push False If True, the container will be pushed to the master using cp.push. NOTE: This requires file_recv to be set to True on the Master. RETURN DATA A dictionary will containing the following keys: • Path - Path of the file that was exported • Push - Reports whether or not the file was successfully pushed to the Master (Only present if push=True) • Size - Size of the file, in bytes • Size_Human - Size of the file, in human-readable units • Time_Elapsed - Time in seconds taken to perform the export CLI Examples: salt myminion dockerng.export mycontainer /tmp/mycontainer.tar salt myminion dockerng.export mycontainer /tmp/mycontainer.tar.xz push=True salt.modules.dockerng.history(name, quiet=False) Return the history for an image. Equivalent to running the docker history Docker CLI command. name Container name or ID quiet False If True, the return data will simply be a list of the commands run to build the container. $ salt myminion dockerng.history nginx:latest quiet=True myminion: - FROM scratch - ADD file:ef063ed0ae9579362871b9f23d2bc0781ef7cd4de6ac822052cf6c9c5a12b1e2 in / - CMD [/bin/bash] - MAINTAINER NGINX Docker Maintainers "docker-maint@nginx.com" - apt-key adv --keyserver pgp.mit.edu --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 - echo "deb http://nginx.org/packages/mainline/debian/ wheezy nginx" >> /etc/apt/sources.list - ENV NGINX_VERSION=1.7.10-1~wheezy - apt-get update && apt-get install -y ca-certificates nginx=${NGINX_VERSION} && rm -rf /var/lib/apt/lists/* - ln -sf /dev/stdout /var/log/nginx/access.log - ln -sf /dev/stderr /var/log/nginx/error.log - VOLUME [/var/cache/nginx] - EXPOSE map[80/tcp:{} 443/tcp:{}] - CMD [nginx -g daemon off;] https://github.com/saltstack/salt/pull/22421 RETURN DATA If quiet=False, the return value will be a list of dictionaries containing information about each step taken to build the image. The keys in each step include the following: • Command - The command executed in this build step • Id - Layer ID • Size - Cumulative image size, in bytes • Size_Human - Cumulative image size, in human-readable units • Tags - Tag(s) assigned to this layer • Time_Created_Epoch - Time this build step was completed (Epoch time) • Time_Created_Local - Time this build step was completed (Minion's local timezone) CLI Example: salt myminion dockerng.exists mycontainer salt.modules.dockerng.images(verbose=False, **kwargs) Returns information about the Docker images on the Minion. Equivalent to running the docker images Docker CLI command. all False If True, untagged images will also be returned verbose False If True, a docker inspect will be run on each image returned. RETURN DATA A dictionary with each key being an image ID, and each value some general info about that image (time created, size, tags associated with the image, etc.) CLI Example: salt myminion dockerng.images salt myminion dockerng.images all=True salt.modules.dockerng.import(source, image, api_response=False) Imports content from a local tarball or a URL as a new docker image source Content to import (URL or absolute path to a tarball). URL can be a file on the Salt fileserver (i.e. salt://path/to/rootfs/tarball.tar.xz. To import a file from a saltenv other than base (e.g. dev), pass it at the end of the URL (ex. salt://path/to/rootfs/tarball.tar.xz?saltenv=dev). image Image to be created by the import, in repo:tag notation. If just the repository name is passed, a tag name of latest will be assumed. api_response False If True an api_response key will be present in the return data, containing the raw output from the Docker API. RETURN DATA A dictionary containing the following keys: • Id - ID of the newly-created image • Image - Name of the newly-created image • Time_Elapsed - Time in seconds taken to perform the commit CLI Example: salt myminion dockerng.import /tmp/cent7-minimal.tar.xz myuser/centos salt myminion dockerng.import /tmp/cent7-minimal.tar.xz myuser/centos:7 salt myminion dockerng.import salt://dockerimages/cent7-minimal.tar.xz myuser/centos:7 salt.modules.dockerng.info(*args, **kwargs) Returns a dictionary of system-wide information. Equivalent to running the docker info Docker CLI command. CLI Example: salt myminion dockerng.info salt.modules.dockerng.inspect(name) This is a generic container/image inspecton function. It will first attempt to get container information for the passed name/ID using docker.inspect_container, and then will try to get image information for the passed name/ID using docker.inspect_image. If it is already known that the name/ID is an image, it is slightly more efficient to use docker.inspect_image. name Container/image name or ID RETURN DATA A dictionary of container/image information CLI Example: salt myminion dockerng.inspect mycontainer salt myminion dockerng.inspect busybox salt.modules.dockerng.inspect_container(name, *args, **kwargs) Retrieves container information. Equivalent to running the docker inspect Docker CLI command, but will only look for container information. name Container name or ID RETURN DATA A dictionary of container information CLI Example: salt myminion dockerng.inspect_container mycontainer salt myminion dockerng.inspect_container 0123456789ab salt.modules.dockerng.inspect_image(name) Retrieves image information. Equivalent to running the docker inspect Docker CLI command, but will only look for image information. NOTE: To inspect an image, it must have been pulled from a registry or built locally. Images on a Docker registry which have not been pulled cannot be inspected. name Image name or ID RETURN DATA A dictionary of image information CLI Examples: salt myminion dockerng.inspect_image busybox salt myminion dockerng.inspect_image centos:6 salt myminion dockerng.inspect_image 0123456789ab salt.modules.dockerng.inspect_network(network_id) Inspect Network network_id ID of network CLI Example: salt myminion dockerng.inspect_network 1f9d2454d0872b68dd9e8744c6e7a4c66b86f10abaccc21e14f7f014f729b2bc salt.modules.dockerng.inspect_volume(name) Inspect Volume New in version 2015.8.4. name Name of volume CLI Example: salt myminion dockerng.inspect_volume my_volume salt.modules.dockerng.kill(*args, **kwargs) Kill all processes in a running container instead of performing a graceful shutdown name Container name or ID RETURN DATA A dictionary will be returned, containing the following keys: • status - A dictionary showing the prior state of the container as well as the new state • result - A boolean noting whether or not the action was successful • comment - Only present if the container cannot be killed CLI Example: salt myminion dockerng.kill mycontainer salt.modules.dockerng.layers(name) Returns a list of the IDs of layers belonging to the specified image, with the top-most layer (the one correspnding to the passed name) appearing last. name Image name or ID CLI Example: salt myminion dockerng.layers centos:7 salt.modules.dockerng.list_containers(**kwargs) Returns a list of containers by name. This is different from dockerng.ps in that dockerng.ps returns its results organized by container ID. all False If True, stopped containers will be included in return data CLI Example: salt myminion dockerng.inspect_image <image> salt.modules.dockerng.list_tags() Returns a list of tagged images CLI Example: salt myminion dockerng.list_tags salt.modules.dockerng.load(path, image=None) Load a tar archive that was created using dockerng.save (or via the Docker CLI using docker save). path Path to docker tar archive. Path can be a file on the Minion, or the URL of a file on the Salt fileserver (i.e. salt://path/to/docker/saved/image.tar). To load a file from a saltenv other than base (e.g. dev), pass it at the end of the URL (ex. salt://path/to/rootfs/tarball.tar.xz?saltenv=dev). image None If specified, the topmost layer of the newly-loaded image will be tagged with the specified repo and tag using dockerng.tag. The image name should be specified in repo:tag notation. If just the repository name is passed, a tag name of latest will be assumed. RETURN DATA A dictionary will be returned, containing the following keys: • Path - Path of the file that was saved • Layers - A list containing the IDs of the layers which were loaded. Any layers in the file that was loaded, which were already present on the Minion, will not be included. • Image - Name of tag applied to topmost layer (Only present if tag was specified and tagging was successful) • Time_Elapsed - Time in seconds taken to load the file • Warning - Message describing any problems encountered in attemp to tag the topmost layer (Only present if tag was specified and tagging failed) CLI Example: salt myminion dockerng.load /path/to/image.tar salt myminion dockerng.load salt://path/to/docker/saved/image.tar image=myuser/myimage:mytag salt.modules.dockerng.logs(name) Returns the logs for the container. Equivalent to running the docker logs Docker CLI command. name Container name or ID CLI Example: salt myminion dockerng.logs mycontainer salt.modules.dockerng.networks(names=None, ids=None) List existing networks names Filter by name ids Filter by id CLI Example: salt myminion dockerng.networks names="['network-web']" salt myminion dockerng.networks ids="['1f9d2454d0872b68dd9e8744c6e7a4c66b86f10abaccc21e14f7f014f729b2bc']" salt.modules.dockerng.pause(*args, **kwargs) Pauses a container name Container name or ID RETURN DATA A dictionary will be returned, containing the following keys: • status - A dictionary showing the prior state of the container as well as the new state • result - A boolean noting whether or not the action was successful • comment - Only present if the container cannot be paused CLI Example: salt myminion dockerng.pause mycontainer salt.modules.dockerng.pid(name, *args, **kwargs) Returns the PID of a container name Container name or ID CLI Example: salt myminion dockerng.pid mycontainer salt myminion dockerng.pid 0123456789ab salt.modules.dockerng.port(name, *args, **kwargs) Returns port mapping information for a given container. Equivalent to running the docker port Docker CLI command. name Container name or ID private_port None If specified, get information for that specific port. Can be specified either as a port number (i.e. 5000), or as a port number plus the protocol (i.e. 5000/udp). If this argument is omitted, all port mappings will be returned. RETURN DATA A dictionary of port mappings, with the keys being the port and the values being the mapping(s) for that port. CLI Examples: salt myminion dockerng.port mycontainer salt myminion dockerng.port mycontainer 5000 salt myminion dockerng.port mycontainer 5000/udp salt.modules.dockerng.ps(filters=None, **kwargs) Returns information about the Docker containers on the Minion. Equivalent to running the docker ps Docker CLI command. all False If True, stopped containers will also be returned host: False If True, local host's network topology will be included verbose False If True, a docker inspect will be run on each container returned. filters: None A dictionary of filters to be processed on the container list. Available filters: • exited (int): Only containers with specified exit code • status (str): One of restarting, running, paused, exited • label (str): format either "key" or "key=value" RETURN DATA A dictionary with each key being an container ID, and each value some general info about that container (time created, name, command, etc.) CLI Example: salt myminion dockerng.ps salt myminion dockerng.ps all=True salt myminion dockerng.ps filters="{'label': 'role=web'}" salt.modules.dockerng.pull(image, insecure_registry=False, api_response=False, client_timeout=60) Pulls an image from a Docker registry. See the documentation at the top of this page to configure authenticated access. image Image to be pulled, in repo:tag notation. If just the repository name is passed, a tag name of latest will be assumed. insecure_registry False If True, the Docker client will permit the use of insecure (non-HTTPS) registries. api_response False If True, an API_Response key will be present in the return data, containing the raw output from the Docker API. NOTE: This may result in a lot of additional return data, especially for larger images. client_timeout Timeout in seconds for the Docker client. This is not a timeout for this function, but for receiving a response from the API. RETURN DATA A dictionary will be returned, containing the following keys: • Layers - A dictionary containing one or more of the following keys: • Already_Pulled - Layers that that were already present on the Minion • Pulled - Layers that that were pulled • Status - A string containing a summary of the pull action (usually a message saying that an image was downloaded, or that it was up to date). • Time_Elapsed - Time in seconds taken to perform the pull CLI Example: salt myminion dockerng.pull centos salt myminion dockerng.pull centos:6 salt.modules.dockerng.push(image, insecure_registry=False, api_response=False, client_timeout=60) Changed in version 2015.8.4: The Id and Image keys are no longer present in the return data. This is due to changes in the Docker Remote API. Pushes an image to a Docker registry. See the documentation at top of this page to configure authenticated access. image Image to be pushed, in repo:tag notation. Changed in version 2015.8.4: If just the repository name is passed, then all tagged images for the specified repo will be pushed. In prior releases, a tag of latest was assumed if the tag was omitted. insecure_registry False If True, the Docker client will permit the use of insecure (non-HTTPS) registries. api_response False If True, an API_Response key will be present in the return data, containing the raw output from the Docker API. client_timeout Timeout in seconds for the Docker client. This is not a timeout for this function, but for receiving a response from the API. RETURN DATA A dictionary will be returned, containing the following keys: • Layers - A dictionary containing one or more of the following keys: • Already_Pushed - Layers that that were already present on the Minion • Pushed - Layers that that were pushed • Time_Elapsed - Time in seconds taken to perform the push CLI Example: salt myminion dockerng.push myuser/mycontainer salt myminion dockerng.push myuser/mycontainer:mytag salt.modules.dockerng.remove_network(network_id) Remove a network network_id ID of network CLI Example: salt myminion dockerng.remove_network 1f9d2454d0872b68dd9e8744c6e7a4c66b86f10abaccc21e14f7f014f729b2bc salt.modules.dockerng.remove_volume(name) Remove a volume New in version 2015.8.4. name Name of volume CLI Example: salt myminion dockerng.remove_volume my_volume salt.modules.dockerng.restart(name, *args, **kwargs) Restarts a container name Container name or ID timeout 10 Timeout in seconds after which the container will be killed (if it has not yet gracefully shut down) RETURN DATA A dictionary will be returned, containing the following keys: • status - A dictionary showing the prior state of the container as well as the new state • result - A boolean noting whether or not the action was successful • restarted - If restart was successful, this key will be present and will be set to True. CLI Examples: salt myminion dockerng.restart mycontainer salt myminion dockerng.restart mycontainer timeout=20 salt.modules.dockerng.retcode(name, cmd, exec_driver=None, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, ignore_retcode=False, keep_env=None) Run cmd.retcode within a container name Container name or ID in which to run the command cmd Command to run exec_driver None If not passed, the execution driver will be detected as described above. stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion dockerng.retcode mycontainer 'ls -l /etc' salt.modules.dockerng.rm(*args, **kwargs) Removes a container name Container name or ID force False If True, the container will be killed first before removal, as the Docker API will not permit a running container to be removed. This option is set to False by default to prevent accidental removal of a running container. volumes False Also remove volumes associated with container RETURN DATA A list of the IDs of containers which were removed CLI Example: salt myminion dockerng.rm mycontainer salt myminion dockerng.rm mycontainer force=True salt.modules.dockerng.rmi(*names, **kwargs) Removes an image name Name (in repo:tag notation) or ID of image. force False If True, the image will be removed even if the Minion has containers created from that image prune True If True, untagged parent image layers will be removed as well, set this to False to keep them. RETURN DATA A dictionary will be returned, containing the following two keys: • Layers - A list of the IDs of image layers that were removed • Tags - A list of the tags that were removed • Errors - A list of any errors that were encountered CLI Examples: salt myminion dockerng.rmi busybox salt myminion dockerng.rmi busybox force=True salt myminion dockerng.rmi foo bar baz salt.modules.dockerng.run(name, cmd, exec_driver=None, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, ignore_retcode=False, keep_env=None) Run cmd.run within a container name Container name or ID in which to run the command cmd Command to run exec_driver None If not passed, the execution driver will be detected as described above. stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion dockerng.run mycontainer 'ls -l /etc' salt.modules.dockerng.run_all(name, cmd, exec_driver=None, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, ignore_retcode=False, keep_env=None) Run cmd.run_all within a container NOTE: While the command is run within the container, it is initiated from the host. Therefore, the PID in the return dict is from the host, not from the container. name Container name or ID in which to run the command cmd Command to run exec_driver None If not passed, the execution driver will be detected as described above. stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion dockerng.run_all mycontainer 'ls -l /etc' salt.modules.dockerng.run_stderr(name, cmd, exec_driver=None, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, ignore_retcode=False, keep_env=None) Run cmd.run_stderr within a container name Container name or ID in which to run the command cmd Command to run exec_driver None If not passed, the execution driver will be detected as described above. stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion dockerng.run_stderr mycontainer 'ls -l /etc' salt.modules.dockerng.run_stdout(name, cmd, exec_driver=None, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, ignore_retcode=False, keep_env=None) Run cmd.run_stdout within a container name Container name or ID in which to run the command cmd Command to run exec_driver None If not passed, the execution driver will be detected as described above. stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion dockerng.run_stdout mycontainer 'ls -l /etc' salt.modules.dockerng.save(name, path, overwrite=False, makedirs=False, compression=None, **kwargs) Saves an image and to a file on the minion. Equivalent to running the docker save Docker CLI command, but unlike docker save this will also work on named images instead of just images IDs. name Name or ID of image. Specify a specific tag by using the repo:tag notation. path Absolute path on the Minion where the image will be exported overwrite False Unless this option is set to True, then if the destination file exists an error will be raised. makedirs False If True, then if the parent directory of the file specified by the path argument does not exist, Salt will attempt to create it. compression None Can be set to any of the following: • gzip or gz for gzip compression • bzip2 or bz2 for bzip2 compression • xz or lzma for XZ compression (requires xz-utils, as well as the lzma module from Python 3.3, available in Python 2 and Python 3.0-3.2 as backports.lzma) This parameter can be omitted and Salt will attempt to determine the compression type by examining the filename passed in the path parameter. NOTE: Since the Docker API does not support docker save, compression will be a bit slower with this function than with docker.export since the image(s) will first be saved and then the compression done afterwards. push False If True, the container will be pushed to the master using cp.push. NOTE: This requires file_recv to be set to True on the Master. RETURN DATA A dictionary will be returned, containing the following keys: • Path - Path of the file that was saved • Push - Reports whether or not the file was successfully pushed to the Master (Only present if push=True) • Size - Size of the file, in bytes • Size_Human - Size of the file, in human-readable units • Time_Elapsed - Time in seconds taken to perform the save CLI Examples: salt myminion dockerng.save centos:7 /tmp/cent7.tar salt myminion dockerng.save 0123456789ab cdef01234567 /tmp/saved.tar salt.modules.dockerng.script(name, source, saltenv='base', args=None, template=None, exec_driver=None, stdin=None, python_shell=True, output_loglevel='debug', ignore_retcode=False, use_vt=False, keep_env=None) Run cmd.script within a container NOTE: While the command is run within the container, it is initiated from the host. Therefore, the PID in the return dict is from the host, not from the container. name Container name or ID source Path to the script. Can be a local path on the Minion or a remote file from the Salt fileserver. args A string containing additional command-line options to pass to the script. template None Templating engine to use on the script before running. exec_driver None If not passed, the execution driver will be detected as described above. stdin None Standard input to be used for the script output_loglevel debug Level at which to log the output from the script. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion dockerng.script mycontainer salt://docker_script.py salt myminion dockerng.script mycontainer salt://scripts/runme.sh 'arg1 arg2 "arg 3"' salt myminion dockerng.script mycontainer salt://scripts/runme.sh stdin='one\ntwo\nthree\nfour\nfive\n' output_loglevel=quiet salt.modules.dockerng.script_retcode(name, source, saltenv='base', args=None, template=None, exec_driver=None, stdin=None, python_shell=True, output_loglevel='debug', ignore_retcode=False, use_vt=False, keep_env=None) Run cmd.script_retcode within a container name Container name or ID source Path to the script. Can be a local path on the Minion or a remote file from the Salt fileserver. args A string containing additional command-line options to pass to the script. template None Templating engine to use on the script before running. exec_driver None If not passed, the execution driver will be detected as described above. stdin None Standard input to be used for the script output_loglevel debug Level at which to log the output from the script. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion dockerng.script_retcode mycontainer salt://docker_script.py salt myminion dockerng.script_retcode mycontainer salt://scripts/runme.sh 'arg1 arg2 "arg 3"' salt myminion dockerng.script_retcode mycontainer salt://scripts/runme.sh stdin='one\ntwo\nthree\nfour\nfive\n' output_loglevel=quiet salt.modules.dockerng.search(name, official=False, trusted=False) Searches the registry for an image name Search keyword official False Limit results to official builds trusted False Limit results to trusted builds RETURN DATA A dictionary with each key being the name of an image, and the following information for each image: • Description - Image description • Official - A boolean (True if an official build, False if not) • Stars - Number of stars the image has on the registry • Trusted - A boolean (True if a trusted build, False if not) CLI Example: salt myminion dockerng.search centos salt myminion dockerng.search centos official=True salt.modules.dockerng.signal(*args, **kwargs) Send a signal to a container. Signals can be either strings or numbers, and are defined in the Standard Signals section of the signal(7) manpage. Run man 7 signal on a Linux host to browse this manpage. name Container name or ID signal Signal to send to container RETURN DATA If the signal was successfully sent, True will be returned. Otherwise, an error will be raised. CLI Example: salt myminion dockerng.signal mycontainer SIGHUP salt.modules.dockerng.start(*args, **kwargs) Start a container name Container name or ID RETURN DATA A dictionary will be returned, containing the following keys: • status - A dictionary showing the prior state of the container as well as the new state • result - A boolean noting whether or not the action was successful • comment - Only present if the container cannot be started CLI Example: salt myminion dockerng.start mycontainer salt.modules.dockerng.state(name, *args, **kwargs) Returns the state of the container name Container name or ID RETURN DATA A string representing the current state of the container (either running, paused, or stopped) CLI Example: salt myminion dockerng.state mycontainer salt.modules.dockerng.stop(*args, **kwargs) Stops a running container name Container name or ID unpause False If True and the container is paused, it will be unpaused before attempting to stop the container. timeout 10 Timeout in seconds after which the container will be killed (if it has not yet gracefully shut down) RETURN DATA A dictionary will be returned, containing the following keys: • status - A dictionary showing the prior state of the container as well as the new state • result - A boolean noting whether or not the action was successful • comment - Only present if the container can not be stopped CLI Examples: salt myminion dockerng.stop mycontainer salt myminion dockerng.stop mycontainer unpause=True salt myminion dockerng.stop mycontainer timeout=20 salt.modules.dockerng.tag(name, image, force=False) Tag an image into a repository and return True. If the tag was unsuccessful, an error will be raised. name ID of image image Tag to apply to the image, in repo:tag notation. If just the repository name is passed, a tag name of latest will be assumed. force False Force apply tag CLI Example: salt myminion dockerng.tag 0123456789ab myrepo/mycontainer salt myminion dockerng.tag 0123456789ab myrepo/mycontainer:mytag salt.modules.dockerng.top(name, *args, **kwargs) Runs the docker top command on a specific container name Container name or ID CLI Example: RETURN DATA A list of dictionaries containing information about each process salt myminion dockerng.top mycontainer salt myminion dockerng.top 0123456789ab salt.modules.dockerng.unpause(*args, **kwargs) Unpauses a container name Container name or ID RETURN DATA A dictionary will be returned, containing the following keys: • status - A dictionary showing the prior state of the container as well as the new state • result - A boolean noting whether or not the action was successful • comment - Only present if the container can not be unpaused CLI Example: salt myminion dockerng.pause mycontainer salt.modules.dockerng.version() Returns a dictionary of Docker version information. Equivalent to running the docker version Docker CLI command. CLI Example: salt myminion dockerng.version salt.modules.dockerng.volumes(filters=None) List existing volumes New in version 2015.8.4. filters There is one available filter: dangling=true CLI Example: salt myminion dockerng.volumes filters="{'dangling': True}" salt.modules.dockerng.wait(name) Wait for the container to exit gracefully, and return its exit code NOTE: This function will block until the container is stopped. name Container name or ID RETURN DATA A dictionary will be returned, containing the following keys: • status - A dictionary showing the prior state of the container as well as the new state • result - A boolean noting whether or not the action was successful • exit_status - Exit status for the container • comment - Only present if the container is already stopped CLI Example: salt myminion dockerng.wait mycontainer salt.modules.dpkg Support for DEB packages salt.modules.dpkg.bin_pkg_info(path, saltenv='base') New in version 2015.8.0. Parses RPM metadata and returns a dictionary of information about the package (name, version, etc.). path Path to the file. Can either be an absolute path to a file on the minion, or a salt fileserver URL (e.g. salt://path/to/file.rpm). If a salt fileserver URL is passed, the file will be cached to the minion so that it can be examined. saltenv base Salt fileserver envrionment from which to retrieve the package. Ignored if path is a local file path on the minion. CLI Example: salt '*' lowpkg.bin_pkg_info /root/foo-1.2.3-1ubuntu1_all.deb salt '*' lowpkg.bin_pkg_info salt://foo-1.2.3-1ubuntu1_all.deb salt.modules.dpkg.file_dict(*packages) List the files that belong to a package, grouped by package. Not specifying any packages will return a list of _every_ file on the system's package database (not generally recommended). CLI Examples: salt '*' lowpkg.file_list httpd salt '*' lowpkg.file_list httpd postfix salt '*' lowpkg.file_list salt.modules.dpkg.file_list(*packages) List the files that belong to a package. Not specifying any packages will return a list of _every_ file on the system's package database (not generally recommended). CLI Examples: salt '*' lowpkg.file_list httpd salt '*' lowpkg.file_list httpd postfix salt '*' lowpkg.file_list salt.modules.dpkg.info(*packages) Returns a detailed summary of package information for provided package names. If no packages are specified, all packages will be returned. New in version 2015.8.1. packages The names of the packages for which to return information. CLI example: salt '*' lowpkg.info salt '*' lowpkg.info apache2 bash salt.modules.dpkg.list_pkgs(*packages) List the packages currently installed in a dict: {'<package_name>': '<version>'} External dependencies: Virtual package resolution requires aptitude. Because this function uses dpkg, virtual packages will be reported as not installed. CLI Example: salt '*' lowpkg.list_pkgs salt '*' lowpkg.list_pkgs httpd salt.modules.dpkg.unpurge(*packages) Change package selection for each package specified to 'install' CLI Example: salt '*' lowpkg.unpurge curl salt.modules.drac Manage Dell DRAC salt.modules.drac.change_password(username, password, uid=None) Change users password CLI Example: salt dell drac.change_password [USERNAME] [PASSWORD] [UID - optional] salt dell drac.change_password diana secret salt.modules.drac.create_user(username, password, permissions, users=None) Create user accounts CLI Example: salt dell drac.create_user [USERNAME] [PASSWORD] [PRIVELEGES] salt dell drac.create_user diana secret login,test_alerts,clear_logs DRAC Privileges • login : Login to iDRAC • drac : Configure iDRAC • user_management : Configure Users • clear_logs : Clear Logs • server_control_commands : Execute Server Control Commands • console_redirection : Access Console Redirection • virtual_media : Access Virtual Media • test_alerts : Test Alerts • debug_commands : Execute Debug Commands salt.modules.drac.delete_user(username, uid=None) Delete a user CLI Example: salt dell drac.delete_user [USERNAME] [UID - optional] salt dell drac.delete_user diana 4 salt.modules.drac.email_alerts(action) Enable/Disable email alerts CLI Example: salt dell drac.email_alerts True salt dell drac.email_alerts False salt.modules.drac.list_users() List all DRAC users CLI Example: salt dell drac.list_users salt.modules.drac.nameservers(*ns) Configure the nameservers on the DRAC CLI Example: salt dell drac.nameservers [NAMESERVERS] salt dell drac.nameservers ns1.example.com ns2.example.com salt.modules.drac.network_info() Return Network Configuration CLI Example: salt dell drac.network_info salt.modules.drac.server_hardreset() Performs a reset (reboot) operation on the managed server. CLI Example: salt dell drac.server_hardreset salt.modules.drac.server_poweroff() Powers down the managed server. CLI Example: salt dell drac.server_poweroff salt.modules.drac.server_poweron() Powers up the managed server. CLI Example: salt dell drac.server_poweron salt.modules.drac.server_pxe() Configure server to PXE perform a one off PXE boot CLI Example: salt dell drac.server_pxe salt.modules.drac.server_reboot() Issues a power-cycle operation on the managed server. This action is similar to pressing the power button on the system's front panel to power down and then power up the system. CLI Example: salt dell drac.server_reboot salt.modules.drac.set_network(ip, netmask, gateway) Configure Network CLI Example: salt dell drac.set_network [DRAC IP] [NETMASK] [GATEWAY] salt dell drac.set_network 192.168.0.2 255.255.255.0 192.168.0.1 salt.modules.drac.set_permissions(username, permissions, uid=None) Configure users permissions CLI Example: salt dell drac.set_permissions [USERNAME] [PRIVELEGES] [USER INDEX - optional] salt dell drac.set_permissions diana login,test_alerts,clear_logs 4 DRAC Privileges • login : Login to iDRAC • drac : Configure iDRAC • user_management : Configure Users • clear_logs : Clear Logs • server_control_commands : Execute Server Control Commands • console_redirection : Access Console Redirection • virtual_media : Access Virtual Media • test_alerts : Test Alerts • debug_commands : Execute Debug Commands salt.modules.drac.set_snmp(community) Configure SNMP community string CLI Example: salt dell drac.set_snmp [COMMUNITY] salt dell drac.set_snmp public salt.modules.drac.syslog(server, enable=True) Configure syslog remote logging, by default syslog will automatically be enabled if a server is specified. However, if you want to disable syslog you will need to specify a server followed by False CLI Example: salt dell drac.syslog [SYSLOG IP] [ENABLE/DISABLE] salt dell drac.syslog 0.0.0.0 False salt.modules.drac.system_info() Return System information CLI Example: salt dell drac.system_info salt.modules.dracr Manage Dell DRAC. New in version 2015.8.2. salt.modules.dracr.bare_rac_cmd(cmd, host=None, admin_username=None, admin_password=None) salt.modules.dracr.change_password(username, password, uid=None, host=None, admin_username=None, admin_password=None, module=None) Change user's password CLI Example: salt dell dracr.change_password [USERNAME] [PASSWORD] uid=[OPTIONAL] host=<remote DRAC> admin_username=<DRAC user> admin_password=<DRAC PW> salt dell dracr.change_password diana secret Note that if only a username is specified then this module will look up details for all 16 possible DRAC users. This is time consuming, but might be necessary if one is not sure which user slot contains the one you want. Many late-model Dell chassis have 'root' as UID 1, so if you can depend on that then setting the password is much quicker. Raises an error if the supplied password is greater than 20 chars. salt.modules.dracr.create_user(username, password, permissions, users=None, host=None, admin_username=None, admin_password=None) Create user accounts CLI Example: salt dell dracr.create_user [USERNAME] [PASSWORD] [PRIVELEGES] salt dell dracr.create_user diana secret login,test_alerts,clear_logs DRAC Privileges • login : Login to iDRAC • drac : Configure iDRAC • user_management : Configure Users • clear_logs : Clear Logs • server_control_commands : Execute Server Control Commands • console_redirection : Access Console Redirection • virtual_media : Access Virtual Media • test_alerts : Test Alerts • debug_commands : Execute Debug Commands salt.modules.dracr.delete_user(username, uid=None, host=None, admin_username=None, admin_password=None) Delete a user CLI Example: salt dell dracr.delete_user [USERNAME] [UID - optional] salt dell dracr.delete_user diana 4 salt.modules.dracr.deploy_password(username, password, host=None, admin_username=None, admin_password=None, module=None) Change the QuickDeploy password, used for switches as well CLI Example: salt dell dracr.deploy_password [USERNAME] [PASSWORD] host=<remote DRAC> admin_username=<DRAC user> admin_password=<DRAC PW> salt dell dracr.change_password diana secret Note that if only a username is specified then this module will look up details for all 16 possible DRAC users. This is time consuming, but might be necessary if one is not sure which user slot contains the one you want. Many late-model Dell chassis have 'root' as UID 1, so if you can depend on that then setting the password is much quicker. salt.modules.dracr.deploy_snmp(snmp, host=None, admin_username=None, admin_password=None, module=None) Change the QuickDeploy SNMP community string, used for switches as well CLI Example: salt dell dracr.deploy_snmp SNMP_STRING host=<remote DRAC or CMC> admin_username=<DRAC user> admin_password=<DRAC PW> salt dell dracr.deploy_password diana secret salt.modules.dracr.email_alerts(action, host=None, admin_username=None, admin_password=None) Enable/Disable email alerts CLI Example: salt dell dracr.email_alerts True salt dell dracr.email_alerts False salt.modules.dracr.get_chassis_datacenter(host=None, admin_username=None, admin_password=None) Get the datacenter of the chassis. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. CLI Example: salt '*' dracr.set_chassis_location host=111.222.333.444 admin_username=root admin_password=secret salt.modules.dracr.get_chassis_location(host=None, admin_username=None, admin_password=None) Get the location of the chassis. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. CLI Example: salt '*' dracr.set_chassis_location host=111.222.333.444 admin_username=root admin_password=secret salt.modules.dracr.get_chassis_name(host=None, admin_username=None, admin_password=None) Get the name of a chassis. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. CLI Example: salt '*' dracr.get_chassis_name host=111.222.333.444 admin_username=root admin_password=secret salt.modules.dracr.get_dns_dracname(host=None, admin_username=None, admin_password=None) salt.modules.dracr.get_general(cfg_sec, cfg_var, host=None, admin_username=None, admin_password=None) salt.modules.dracr.get_slotname(slot, host=None, admin_username=None, admin_password=None) Get the name of a slot number in the chassis. slot The number of the slot for which to obtain the name. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. CLI Example: salt-call --local dracr.get_slotname 0 host=111.222.333.444 admin_username=root admin_password=secret salt.modules.dracr.idrac_general(blade_name, command, idrac_password=None, host=None, admin_username=None, admin_password=None) Run a generic racadm command against a particular blade in a chassis. Blades are usually named things like 'server-1', 'server-2', etc. If the iDRAC has a different password than the CMC, then you can pass it with the idrac_password kwarg. Parameters • blade_name -- Name of the blade to run the command on • command -- Command like to pass to racadm • idrac_password -- Password for the iDRAC if different from the CMC • host -- Chassis hostname • admin_username -- CMC username • admin_password -- CMC password Returns stdout if the retcode is 0, otherwise a standard cmd.run_all dictionary CLI Example: salt fx2 chassis.cmd idrac_general server-1 'get BIOS.SysProfileSettings' salt.modules.dracr.inventory(host=None, admin_username=None, admin_password=None) salt.modules.dracr.list_slotnames(host=None, admin_username=None, admin_password=None) List the names of all slots in the chassis. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. CLI Example: salt-call --local dracr.list_slotnames host=111.222.333.444 admin_username=root admin_password=secret salt.modules.dracr.list_users(host=None, admin_username=None, admin_password=None, module=None) List all DRAC users CLI Example: salt dell dracr.list_users salt.modules.dracr.nameservers(ns, host=None, admin_username=None, admin_password=None, module=None) Configure the nameservers on the DRAC CLI Example: salt dell dracr.nameservers [NAMESERVERS] salt dell dracr.nameservers ns1.example.com ns2.example.com admin_username=root admin_password=calvin module=server-1 host=192.168.1.1 salt.modules.dracr.network_info(host=None, admin_username=None, admin_password=None, module=None) Return Network Configuration CLI Example: salt dell dracr.network_info salt.modules.dracr.server_hardreset(host=None, admin_username=None, admin_password=None, module=None) Performs a reset (reboot) operation on the managed server. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. module The element to hard reset on the chassis such as a blade. If not provided, the chassis will be reset. CLI Example: salt dell dracr.server_hardreset salt dell dracr.server_hardreset module=server-1 salt.modules.dracr.server_power(status, host=None, admin_username=None, admin_password=None, module=None) status One of 'powerup', 'powerdown', 'powercycle', 'hardreset', 'graceshutdown' host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. module The element to reboot on the chassis such as a blade. If not provided, the chassis will be rebooted. CLI Example: salt dell dracr.server_reboot salt dell dracr.server_reboot module=server-1 salt.modules.dracr.server_poweroff(host=None, admin_username=None, admin_password=None, module=None) Powers down the managed server. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. module The element to power off on the chassis such as a blade. If not provided, the chassis will be powered off. CLI Example: salt dell dracr.server_poweroff salt dell dracr.server_poweroff module=server-1 salt.modules.dracr.server_poweron(host=None, admin_username=None, admin_password=None, module=None) Powers up the managed server. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. module The element to power on located on the chassis such as a blade. If not provided, the chassis will be powered on. CLI Example: salt dell dracr.server_poweron salt dell dracr.server_poweron module=server-1 salt.modules.dracr.server_powerstatus(host=None, admin_username=None, admin_password=None, module=None) return the power status for the passed module CLI Example: salt dell drac.server_powerstatus salt.modules.dracr.server_pxe(host=None, admin_username=None, admin_password=None) Configure server to PXE perform a one off PXE boot CLI Example: salt dell dracr.server_pxe salt.modules.dracr.server_reboot(host=None, admin_username=None, admin_password=None, module=None) Issues a power-cycle operation on the managed server. This action is similar to pressing the power button on the system's front panel to power down and then power up the system. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. module The element to reboot on the chassis such as a blade. If not provided, the chassis will be rebooted. CLI Example: salt dell dracr.server_reboot salt dell dracr.server_reboot module=server-1 salt.modules.dracr.set_chassis_datacenter(location, host=None, admin_username=None, admin_password=None) Set the location of the chassis. location The name of the datacenter to be set on the chassis. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. CLI Example: salt '*' dracr.set_chassis_datacenter datacenter-name host=111.222.333.444 admin_username=root admin_password=secret salt.modules.dracr.set_chassis_location(location, host=None, admin_username=None, admin_password=None) Set the location of the chassis. location The name of the location to be set on the chassis. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. CLI Example: salt '*' dracr.set_chassis_location location-name host=111.222.333.444 admin_username=root admin_password=secret salt.modules.dracr.set_chassis_name(name, host=None, admin_username=None, admin_password=None) Set the name of the chassis. name The name to be set on the chassis. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. CLI Example: salt '*' dracr.set_chassis_name my-chassis host=111.222.333.444 admin_username=root admin_password=secret salt.modules.dracr.set_dns_dracname(name, host=None, admin_username=None, admin_password=None) salt.modules.dracr.set_general(cfg_sec, cfg_var, val, host=None, admin_username=None, admin_password=None) salt.modules.dracr.set_network(ip, netmask, gateway, host=None, admin_username=None, admin_password=None) Configure Network on the CMC or individual iDRAC. Use set_niccfg for blade and switch addresses. CLI Example: salt dell dracr.set_network [DRAC IP] [NETMASK] [GATEWAY] salt dell dracr.set_network 192.168.0.2 255.255.255.0 192.168.0.1 admin_username=root admin_password=calvin host=192.168.1.1 salt.modules.dracr.set_niccfg(ip=None, netmask=None, gateway=None, dhcp=False, host=None, admin_username=None, admin_password=None, module=None) salt.modules.dracr.set_nicvlan(vlan=None, host=None, admin_username=None, admin_password=None, module=None) salt.modules.dracr.set_permissions(username, permissions, uid=None, host=None, admin_username=None, admin_password=None) Configure users permissions CLI Example: salt dell dracr.set_permissions [USERNAME] [PRIVELEGES] [USER INDEX - optional] salt dell dracr.set_permissions diana login,test_alerts,clear_logs 4 DRAC Privileges • login : Login to iDRAC • drac : Configure iDRAC • user_management : Configure Users • clear_logs : Clear Logs • server_control_commands : Execute Server Control Commands • console_redirection : Access Console Redirection • virtual_media : Access Virtual Media • test_alerts : Test Alerts • debug_commands : Execute Debug Commands salt.modules.dracr.set_slotname(slot, name, host=None, admin_username=None, admin_password=None) Set the name of a slot in a chassis. slot The slot number to change. name The name to set. Can only be 15 characters long. host The chassis host. admin_username The username used to access the chassis. admin_password The password used to access the chassis. CLI Example: salt '*' dracr.set_slotname 2 my-slotname host=111.222.333.444 admin_username=root admin_password=secret salt.modules.dracr.set_snmp(community, host=None, admin_username=None, admin_password=None) Configure CMC or individual iDRAC SNMP community string. Use deploy_snmp for configuring chassis switch SNMP. CLI Example: salt dell dracr.set_snmp [COMMUNITY] salt dell dracr.set_snmp public salt.modules.dracr.syslog(server, enable=True, host=None, admin_username=None, admin_password=None, module=None) Configure syslog remote logging, by default syslog will automatically be enabled if a server is specified. However, if you want to disable syslog you will need to specify a server followed by False CLI Example: salt dell dracr.syslog [SYSLOG IP] [ENABLE/DISABLE] salt dell dracr.syslog 0.0.0.0 False salt.modules.dracr.system_info(host=None, admin_username=None, admin_password=None, module=None) Return System information CLI Example: salt dell dracr.system_info salt.modules.dracr.update_firmware(filename, host=None, admin_username=None, admin_password=None) Updates firmware using local firmware file salt dell dracr.update_firmware firmware.exe This executes the following command on your FX2 (using username and password stored in the pillar data) racadm update –f firmware.exe -u user –p pass salt.modules.dracr.update_firmware_nfs_or_cifs(filename, share, host=None, admin_username=None, admin_password=None) Executes the following for CIFS (using username and password stored in the pillar data) racadm update -f <updatefile> -u user –p pass -l //IP-Address/share Or for NFS (using username and password stored in the pillar data) racadm update -f <updatefile> -u user –p pass -l IP-address:/share Salt command for CIFS: salt dell dracr.update_firmware_nfs_or_cifs firmware.exe //IP-Address/share Salt command for NFS: salt dell dracr.update_firmware_nfs_or_cifs firmware.exe IP-address:/share salt.modules.drbd DRBD administration module salt.modules.drbd.overview() Show status of the DRBD devices CLI Example: salt '*' drbd.overview salt.modules.ebuild Support for Portage optdepends • portage Python adapter For now all package names MUST include the package category, i.e. 'vim' will not work, 'app-editors/vim' will. salt.modules.ebuild.check_db(*names, **kwargs) New in version 0.17.0. Returns a dict containing the following information for each specified package: 1. A key found, which will be a boolean value denoting if a match was found in the package database. 2. If found is False, then a second key called suggestions will be present, which will contain a list of possible matches. This list will be empty if the package name was specified in category/pkgname format, since the suggestions are only intended to disambiguate ambiguous package names (ones submitted without a category). CLI Examples: salt '*' pkg.check_db <package1> <package2> <package3> salt.modules.ebuild.check_extra_requirements(pkgname, pkgver) Check if the installed package already has the given requirements. CLI Example: salt '*' pkg.check_extra_requirements 'sys-devel/gcc' '~>4.1.2:4.1::gentoo[nls,fortran]' salt.modules.ebuild.depclean(name=None, slot=None, fromrepo=None, pkgs=None) Portage has a function to remove unused dependencies. If a package is provided, it will only removed the package if no other package depends on it. name The name of the package to be cleaned. slot Restrict the remove to a specific slot. Ignored if name is None. fromrepo Restrict the remove to a specific slot. Ignored if name is None. pkgs Clean multiple packages. slot and fromrepo arguments are ignored if this argument is present. Must be passed as a python list. Return a list containing the removed packages: CLI Example: salt '*' pkg.depclean <package name> salt.modules.ebuild.ex_mod_init(low) If the config option ebuild.enforce_nice_config is set to True, this module will enforce a nice tree structure for /etc/portage/package.* configuration files. New in version 0.17.0: Initial automatic enforcement added when pkg is used on a Gentoo system. Changed in version 2014.1.0-Hydrogen: Configure option added to make this behaviour optional, defaulting to off. SEE ALSO: ebuild.ex_mod_init is called automatically when a state invokes a pkg state on a Gentoo system. salt.states.pkg.mod_init() ebuild.ex_mod_init uses portage_config.enforce_nice_config to do the lifting. salt.modules.portage_config.enforce_nice_config() CLI Example: salt '*' pkg.ex_mod_init salt.modules.ebuild.install(name=None, refresh=False, pkgs=None, sources=None, slot=None, fromrepo=None, uses=None, binhost=None, **kwargs) Install the passed package(s), add refresh=True to sync the portage tree before package is installed. name The name of the package to be installed. Note that this parameter is ignored if either "pkgs" or "sources" is passed. Additionally, please note that this option can only be used to emerge a package from the portage tree. To install a tbz2 package manually, use the "sources" option described below. CLI Example: salt '*' pkg.install <package name> refresh Whether or not to sync the portage tree before installing. version Install a specific version of the package, e.g. 1.0.9-r1. Ignored if "pkgs" or "sources" is passed. slot Similar to version, but specifies a valid slot to be installed. It will install the latest available version in the specified slot. Ignored if "pkgs" or "sources" or "version" is passed. CLI Example: salt '*' pkg.install sys-devel/gcc slot='4.4' fromrepo Similar to slot, but specifies the repository from the package will be installed. It will install the latest available version in the specified repository. Ignored if "pkgs" or "sources" or "version" is passed. CLI Example: salt '*' pkg.install salt fromrepo='gentoo' uses Similar to slot, but specifies a list of use flag. Ignored if "pkgs" or "sources" or "version" is passed. CLI Example: salt '*' pkg.install sys-devel/gcc uses='["nptl","-nossp"]' Multiple Package Installation Options: pkgs A list of packages to install from the portage tree. Must be passed as a python list. CLI Example: salt '*' pkg.install pkgs='["foo","bar","~category/package:slot::repository[use]"]' sources A list of tbz2 packages to install. Must be passed as a list of dicts, with the keys being package names, and the values being the source URI or local path to the package. CLI Example: salt '*' pkg.install sources='[{"foo": "salt://foo.tbz2"},{"bar": "salt://bar.tbz2"}]' binhost has two options try and force. try - tells emerge to try and install the package from a configured binhost. force - forces emerge to install the package from a binhost otherwise it fails out. Returns a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} salt.modules.ebuild.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> <package3> ... salt.modules.ebuild.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed in a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt.modules.ebuild.list_upgrades(refresh=True, backtrack=3) List all available package upgrades. refresh Whether or not to sync the portage tree before checking for upgrades. backtrack Specifies an integer number of times to backtrack if dependency calculation fails due to a conflict or an unsatisfied dependency (default: ´3´). CLI Example: salt '*' pkg.list_upgrades salt.modules.ebuild.porttree_matches(name) Returns a list containing the matches for a given package name from the portage tree. Note that the specific version of the package will not be provided for packages that have several versions in the portage tree, but rather the name of the package (i.e. "dev-python/paramiko"). salt.modules.ebuild.purge(name=None, slot=None, fromrepo=None, pkgs=None, **kwargs) Portage does not have a purge, this function calls remove followed by depclean to emulate a purge process name The name of the package to be deleted. slot Restrict the remove to a specific slot. Ignored if name is None. fromrepo Restrict the remove to a specific slot. Ignored if name is None. Multiple Package Options: pkgs Uninstall multiple packages. slot and fromrepo arguments are ignored if this argument is present. Must be passed as a python list. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.purge <package name> salt '*' pkg.purge <package name> slot=4.4 salt '*' pkg.purge <package1>,<package2>,<package3> salt '*' pkg.purge pkgs='["foo", "bar"]' salt.modules.ebuild.refresh_db() Updates the portage tree (emerge --sync). Uses eix-sync if available. CLI Example: salt '*' pkg.refresh_db salt.modules.ebuild.remove(name=None, slot=None, fromrepo=None, pkgs=None, **kwargs) Remove packages via emerge --unmerge. name The name of the package to be deleted. slot Restrict the remove to a specific slot. Ignored if name is None. fromrepo Restrict the remove to a specific slot. Ignored if name is None. Multiple Package Options: pkgs Uninstall multiple packages. slot and fromrepo arguments are ignored if this argument is present. Must be passed as a python list. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package name> slot=4.4 fromrepo=gentoo salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.ebuild.update(pkg, slot=None, fromrepo=None, refresh=False, binhost=None) Updates the passed package (emerge --update package) slot Restrict the update to a particular slot. It will update to the latest version within the slot. fromrepo Restrict the update to a particular repository. It will update to the latest version within the repository. binhost has two options try and force. try - tells emerge to try and install the package from a configured binhost. force - forces emerge to install the package from a binhost otherwise it fails out. Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.update <package name> salt.modules.ebuild.upgrade(refresh=True, binhost=None, backtrack=3) Run a full system upgrade (emerge -uDN @world) binhost has two options try and force. try - tells emerge to try and install the package from a configured binhost. force - forces emerge to install the package from a binhost otherwise it fails out. backtrack Specifies an integer number of times to backtrack if dependency calculation fails due to a conflict or an unsatisfied dependency (default: ´3´). Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.upgrade salt.modules.ebuild.upgrade_available(name) Check whether or not an upgrade is available for a given package CLI Example: salt '*' pkg.upgrade_available <package name> salt.modules.ebuild.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.ebuild.version_clean(version) Clean the version string removing extra data. CLI Example: salt '*' pkg.version_clean <version_string> salt.modules.ebuild.version_cmp(pkg1, pkg2) Do a cmp-style comparison on two packages. Return -1 if pkg1 < pkg2, 0 if pkg1 == pkg2, and 1 if pkg1 > pkg2. Return None if there was a problem making the comparison. CLI Example: salt '*' pkg.version_cmp '0.2.4-0' '0.2.4.1-0' salt.modules.eix Support for Eix salt.modules.eix.sync() Sync portage/overlay trees and update the eix database CLI Example: salt '*' eix.sync salt.modules.eix.update() Update the eix database CLI Example: salt '*' eix.update salt.modules.elasticsearch Elasticsearch - A distributed RESTful search and analytics server Module to provide Elasticsearch compatibility to Salt (compatible with Elasticsearch version 1.5.2+) New in version 2015.8.0. depends elasticsearch-py configuration This module accepts connection configuration details either as parameters or as configuration settings in /etc/salt/minion on the relevant minions: elasticsearch: host: '10.10.10.100:9200' elasticsearch: hosts: - '10.10.10.100:9200' - '10.10.10.101:9200' - '10.10.10.102:9200' elasticsearch: hosts: - '10.10.10.100:9200' number_of_shards: 1 number_of_replicas: 0 functions_blacklist: - 'saltutil.find_job' - 'pillar.items' - 'grains.items' This data can also be passed into pillar. Options passed into opts will overwrite options passed into pillar. salt.modules.elasticsearch.alias_create(indices, alias, hosts=None, body=None, profile=None) Create an alias for a specific index/indices CLI example: salt myminion elasticsearch.alias_create testindex_v1 testindex salt.modules.elasticsearch.alias_delete(indices, aliases, hosts=None, body=None, profile=None) Delete an alias of an index CLI example: salt myminion elasticsearch.alias_delete testindex_v1 testindex salt.modules.elasticsearch.alias_exists(aliases, indices=None, hosts=None, profile=None) Return a boolean indicating whether given alias exists CLI example: salt myminion elasticsearch.alias_exists testindex salt.modules.elasticsearch.alias_get(indices=None, aliases=None, hosts=None, profile=None) Check for the existence of an alias and if it exists, return it CLI example: salt myminion elasticsearch.alias_get testindex salt.modules.elasticsearch.document_create(index, doc_type, body=None, id=None, hosts=None, profile=None) Create a document in a specified index CLI example: salt myminion elasticsearch.document_create testindex doctype1 '{}' salt.modules.elasticsearch.document_delete(index, doc_type, id, hosts=None, profile=None) Delete a document from an index CLI example: salt myminion elasticsearch.document_delete testindex doctype1 AUx-384m0Bug_8U80wQZ salt.modules.elasticsearch.document_exists(index, id, doc_type='_all', hosts=None, profile=None) Return a boolean indicating whether given document exists CLI example: salt myminion elasticsearch.document_exists testindex AUx-384m0Bug_8U80wQZ salt.modules.elasticsearch.document_get(index, id, doc_type='_all', hosts=None, profile=None) Check for the existence of a document and if it exists, return it CLI example: salt myminion elasticsearch.document_get testindex AUx-384m0Bug_8U80wQZ salt.modules.elasticsearch.index_create(index, body=None, hosts=None, profile=None) Create an index CLI example: salt myminion elasticsearch.index_create testindex salt.modules.elasticsearch.index_delete(index, hosts=None, profile=None) Delete an index CLI example: salt myminion elasticsearch.index_delete testindex salt.modules.elasticsearch.index_exists(index, hosts=None, profile=None) Return a boolean indicating whether given index exists CLI example: salt myminion elasticsearch.index_exists testindex salt.modules.elasticsearch.index_get(index, hosts=None, profile=None) Check for the existence of an index and if it exists, return it CLI example: salt myminion elasticsearch.index_get testindex salt.modules.elasticsearch.index_template_create(name, body, hosts=None, profile=None) Create an index template CLI example: salt myminion elasticsearch.index_template_create testindex_templ '{ "template": "logstash-*", "order": 1, "settings": { "number_of_shards": 1 } }' salt.modules.elasticsearch.index_template_delete(name, hosts=None, profile=None) Delete an index template (type) along with its data CLI example: salt myminion elasticsearch.index_template_delete testindex_templ user salt.modules.elasticsearch.index_template_exists(name, hosts=None, profile=None) Return a boolean indicating whether given index template exists CLI example: salt myminion elasticsearch.index_template_exists testindex_templ salt.modules.elasticsearch.index_template_get(name, hosts=None, profile=None) Retrieve template definition of index or index/type CLI example: salt myminion elasticsearch.index_template_get testindex_templ user salt.modules.elasticsearch.mapping_create(index, doc_type, body, hosts=None, profile=None) Create a mapping in a given index CLI example: salt myminion elasticsearch.mapping_create testindex user '{ "user" : { "properties" : { "message" : {"type" : "string", "store" : true } } } }' salt.modules.elasticsearch.mapping_delete(index, doc_type, hosts=None, profile=None) Delete a mapping (type) along with its data CLI example: salt myminion elasticsearch.mapping_delete testindex user salt.modules.elasticsearch.mapping_get(index, doc_type, hosts=None, profile=None) Retrieve mapping definition of index or index/type CLI example: salt myminion elasticsearch.mapping_get testindex user salt.modules.environ Support for getting and setting the environment variables of the current salt process. salt.modules.environ.get(key, default='') Get a single salt process environment variable. key String used as the key for environment lookup. default If the key is not found in the environment, return this value. Default: '' CLI Example: salt '*' environ.get foo salt '*' environ.get baz default=False salt.modules.environ.has_value(key, value=None) Determine whether the key exists in the current salt process environment dictionary. Optionally compare the current value of the environment against the supplied value string. key Must be a string. Used as key for environment lookup. value: Optional. If key exists in the environment, compare the current value with this value. Return True if they are equal. CLI Example: salt '*' environ.has_value foo salt.modules.environ.item(keys, default='') Get one or more salt process environment variables. Returns a dict. keys Either a string or a list of strings that will be used as the keys for environment lookup. default If the key is not found in the environment, return this value. Default: '' CLI Example: salt '*' environ.item foo salt '*' environ.item '[foo, baz]' default=None salt.modules.environ.items() Return a dict of the entire environment set for the salt process CLI Example: salt '*' environ.items salt.modules.environ.setenv(environ, false_unsets=False, clear_all=False, update_minion=False) Set multiple salt process environment variables from a dict. Returns a dict. environ Must be a dict. The top-level keys of the dict are the names of the environment variables to set. Each key's value must be a string or False. Refer to the 'false_unsets' parameter for behavior when a value set to False. false_unsets If a key's value is False and false_unsets is True, then the key will be removed from the salt processes environment dict entirely. If a key's value is False and false_unsets is not True, then the key's value will be set to an empty string. Default: False clear_all USE WITH CAUTION! This option can unset environment variables needed for salt to function properly. If clear_all is True, then any environment variables not defined in the environ dict will be deleted. Default: False update_minion If True, apply these environ changes to the main salt-minion process. If False, the environ changes will only affect the current salt subprocess. Default: False CLI Example: salt '*' environ.setenv '{"foo": "bar", "baz": "quux"}' salt '*' environ.setenv '{"a": "b", "c": False}' false_unsets=True salt.modules.environ.setval(key, val, false_unsets=False) Set a single salt process environment variable. Returns True on success. key The environment key to set. Must be a string. val The value to set. Must be a string or False. Refer to the 'false_unsets' parameter for behavior when set to False. false_unsets If val is False and false_unsets is True, then the key will be removed from the salt processes environment dict entirely. If val is False and false_unsets is not True, then the key's value will be set to an empty string. Default: False. CLI Example: salt '*' environ.setval foo bar salt '*' environ.setval baz val=False false_unsets=True salt.modules.eselect Support for eselect, Gentoo's configuration and management tool. salt.modules.eselect.exec_action(module, action, module_parameter=None, action_parameter=None, state_only=False) Execute an arbitrary action on a module. module name of the module to be executed action name of the module's action to be run module_parameter additional params passed to the defined module action_parameter additional params passed to the defined action state_only don't return any output but only the success/failure of the operation CLI Example (updating the php implementation used for apache2): salt '*' eselect.exec_action php update action_parameter='apache2' salt.modules.eselect.get_current_target(module, module_parameter=None, action_parameter=None) Get the currently selected target for the given module. module name of the module to be queried for its current target module_parameter additional params passed to the defined module action_parameter additional params passed to the 'show' action CLI Example (current target of system-wide java-vm): salt '*' eselect.get_current_target java-vm action_parameter='system' CLI Example (current target of kernel symlink): salt '*' eselect.get_current_target kernel salt.modules.eselect.get_modules() List available eselect modules. CLI Example: salt '*' eselect.get_modules salt.modules.eselect.get_target_list(module) List available targets for the given module. module name of the module to be queried for its targets CLI Example: salt '*' eselect.get_target_list kernel salt.modules.eselect.set_target(module, target, module_parameter=None, action_parameter=None) Set the target for the given module. Target can be specified by index or name. module name of the module for which a target should be set target name of the target to be set for this module module_parameter additional params passed to the defined module action_parameter additional params passed to the defined action CLI Example (setting target of system-wide java-vm): salt '*' eselect.set_target java-vm icedtea-bin-7 action_parameter='system' CLI Example (setting target of kernel symlink): salt '*' eselect.set_target kernel linux-3.17.5-gentoo salt.modules.esxi Glues the VMware vSphere Execution Module to the VMware ESXi Proxy Minions to the esxi proxymodule. New in version 2015.8.4. Depends: vSphere Remote Execution Module (salt.modules.vsphere) For documentation on commands that you can direct to an ESXi host via proxy, look in the documentation for salt.modules.vsphere. This execution module calls through to a function in the ESXi proxy module called ch_config, which looks up the function passed in the command parameter in salt.modules.vsphere and calls it. To execute commands with an ESXi Proxy Minion using the vSphere Execution Module, use the esxi.cmd <vsphere-function-name> syntax. Both args and kwargs needed for various vsphere execution module functions must be passed through in a kwarg- type manor. salt 'esxi-proxy' esxi.cmd system_info salt 'exsi-proxy' esxi.cmd get_service_policy service_name='ssh' salt.modules.esxi.cmd(command, *args, **kwargs) salt.modules.etcd_mod Execution module to work with etcd depends • python-etcd In order to use an etcd server, a profile should be created in the master configuration file: my_etd_config: etcd.host: 127.0.0.1 etcd.port: 4001 It is technically possible to configure etcd without using a profile, but this is not considered to be a best practice, especially when multiple etcd servers or clusters are available. etcd.host: 127.0.0.1 etcd.port: 4001 salt.modules.etcd_mod.get(key, recurse=False, profile=None) New in version 2014.7.0. Get a value from etcd, by direct path CLI Examples: salt myminion etcd.get /path/to/key salt myminion etcd.get /path/to/key profile=my_etcd_config salt myminion etcd.get /path/to/key recurse=True profile=my_etcd_config salt.modules.etcd_mod.ls(path='/', profile=None) New in version 2014.7.0. Return all keys and dirs inside a specific path CLI Example: salt myminion etcd.ls /path/to/dir/ salt myminion etcd.ls /path/to/dir/ profile=my_etcd_config salt.modules.etcd_mod.rm(key, recurse=False, profile=None) New in version 2014.7.0. Delete a key from etcd CLI Example: salt myminion etcd.rm /path/to/key salt myminion etcd.rm /path/to/key profile=my_etcd_config salt myminion etcd.rm /path/to/dir recurse=True profile=my_etcd_config salt.modules.etcd_mod.set(key, value, profile=None) New in version 2014.7.0. Set a value in etcd, by direct path CLI Example: salt myminion etcd.set /path/to/key value salt myminion etcd.set /path/to/key value profile=my_etcd_config salt.modules.etcd_mod.tree(path='/', profile=None) New in version 2014.7.0. Recurse through etcd and return all values CLI Example: salt myminion etcd.tree salt myminion etcd.tree profile=my_etcd_config salt myminion etcd.tree /path/to/keys profile=my_etcd_config salt.modules.event Use the Salt Event System to fire events from the master to the minion and vice-versa. salt.modules.event.fire(data, tag) Fire an event on the local minion event bus. Data must be formed as a dict. CLI Example: salt '*' event.fire '{"data":"my event data"}' 'tag' salt.modules.event.fire_master(data, tag, preload=None) Fire an event off up to the master server CLI Example: salt '*' event.fire_master '{"data":"my event data"}' 'tag' salt.modules.event.send(tag, data=None, preload=None, with_env=False, with_grains=False, with_pillar=False, **kwargs) Send an event to the Salt Master New in version 2014.7.0. Parameters • tag -- A tag to give the event. Use slashes to create a namespace for related events. E.g., myco/build/buildserver1/start, myco/build/buildserver1/success, myco/build/buildserver1/failure. • data -- A dictionary of data to send in the event. This is free-form. Send any data points that are needed for whoever is consuming the event. Arguments on the CLI are interpreted as YAML so complex data structures are possible. • with_env (Specify True to include all environment variables, or specify a list of strings of variable names to include.) -- Include environment variables from the current shell environment in the event data as environ.. This is a short-hand for working with systems that seed the environment with relevant data such as Jenkins. • with_grains (Specify True to include all grains, or specify a list of strings of grain names to include.) -- Include grains from the current minion in the event data as grains. • with_pillar (Specify True to include all Pillar values, or specify a list of strings of Pillar keys to include. It is a best-practice to only specify a relevant subset of Pillar data.) -- Include Pillar values from the current minion in the event data as pillar. Remember Pillar data is often sensitive data so be careful. This is useful for passing ephemeral Pillar values through an event. Such as passing the pillar={} kwarg in state.sls from the Master, through an event on the Minion, then back to the Master. • kwargs -- Any additional keyword arguments passed to this function will be interpreted as key-value pairs and included in the event data. This provides a convenient alternative to YAML for simple values. CLI Example: salt-call event.send myco/mytag foo=Foo bar=Bar salt-call event.send 'myco/mytag' '{foo: Foo, bar: Bar}' A convenient way to allow Jenkins to execute salt-call is via sudo. The following rule in sudoers will allow the jenkins user to run only the following command. /etc/sudoers (allow preserving the environment): jenkins ALL=(ALL) NOPASSWD:SETENV: /usr/bin/salt-call event.send* Call Jenkins via sudo (preserve the environment): sudo -E salt-call event.send myco/jenkins/build/success with_env=[BUILD_ID, BUILD_URL, GIT_BRANCH, GIT_COMMIT] salt.modules.extfs Module for managing ext2/3/4 file systems salt.modules.extfs.attributes(device, args=None) Return attributes from dumpe2fs for a specified device CLI Example: salt '*' extfs.attributes /dev/sda1 salt.modules.extfs.blocks(device, args=None) Return block and inode info from dumpe2fs for a specified device CLI Example: salt '*' extfs.blocks /dev/sda1 salt.modules.extfs.dump(device, args=None) Return all contents of dumpe2fs for a specified device CLI Example: salt '*' extfs.dump /dev/sda1 salt.modules.extfs.mkfs(device, fs_type, **kwargs) Create a file system on the specified device CLI Example: salt '*' extfs.mkfs /dev/sda1 fs_type=ext4 opts='acl,noexec' Valid options are: • block_size: 1024, 2048 or 4096 • check: check for bad blocks • direct: use direct IO • ext_opts: extended file system options (comma-separated) • fragment_size: size of fragments • force: setting force to True will cause mke2fs to specify the -F option twice (it is already set once); this is truly dangerous • blocks_per_group: number of blocks in a block group • number_of_groups: ext4 option for a virtual block group • bytes_per_inode: set the bytes/inode ratio • inode_size: size of the inode • journal: set to True to create a journal (default on ext3/4) • journal_opts: options for the fs journal (comma separated) • blocks_file: read bad blocks from file • label: label to apply to the file system • reserved: percentage of blocks reserved for super-user • last_dir: last mounted directory • test: set to True to not actually create the file system (mke2fs -n) • number_of_inodes: override default number of inodes • creator_os: override "creator operating system" field • opts: mount options (comma separated) • revision: set the filesystem revision (default 1) • super: write superblock and group descriptors only • fs_type: set the filesystem type (REQUIRED) • usage_type: how the filesystem is going to be used • uuid: set the UUID for the file system See the mke2fs(8) manpage for a more complete description of these options. salt.modules.extfs.tune(device, **kwargs) Set attributes for the specified device (using tune2fs) CLI Example: salt '*' extfs.tune /dev/sda1 force=True label=wildstallyns opts='acl,noexec' Valid options are: • max: max mount count • count: mount count • error: error behavior • extended_opts: extended options (comma separated) • force: force, even if there are errors (set to True) • group: group name or gid that can use the reserved blocks • interval: interval between checks • journal: set to True to create a journal (default on ext3/4) • journal_opts: options for the fs journal (comma separated) • label: label to apply to the file system • reserved: percentage of blocks reserved for super-user • last_dir: last mounted directory • opts: mount options (comma separated) • feature: set or clear a feature (comma separated) • mmp_check: mmp check interval • reserved: reserved blocks count • quota_opts: quota options (comma separated) • time: time last checked • user: user or uid who can use the reserved blocks • uuid: set the UUID for the file system See the mke2fs(8) manpage for a more complete description of these options. salt.modules.file Manage information about regular files, directories, and special files on the minion, set/read user, group, mode, and data salt.modules.file.access(path, mode) New in version 2014.1.0. Test whether the Salt process has the specified access to the file. One of the following modes must be specified: CLI Example: salt '*' file.access /path/to/file f salt '*' file.access /path/to/file x salt.modules.file.append(path, *args, **kwargs) New in version 0.9.5. Append text to the end of a file path path to file *args strings to append to file CLI Example: salt '*' file.append /etc/motd \ "With all thine offerings thou shalt offer salt." \ "Salt is what makes things taste bad when it isn't in them." Attention If you need to pass a string to append and that string contains an equal sign, you must include the argument name, args. For example: salt '*' file.append /etc/motd args='cheese=spam' salt '*' file.append /etc/motd args="['cheese=spam','spam=cheese']" salt.modules.file.apply_template_on_contents(contents, template, context, defaults, saltenv) Return the contents after applying the templating engine contents template string template template format context Overrides default context variables passed to the template. defaults Default context passed to the template. CLI Example: salt '*' file.apply_template_on_contents \ contents='This is a {{ template }} string.' \ template=jinja \ "context={}" "defaults={'template': 'cool'}" \ saltenv=base salt.modules.file.basename(path) Returns the final component of a pathname New in version 2015.5.0. This can be useful at the CLI but is frequently useful when scripting. {%- set filename = salt['file.basename'](source_file) %} CLI Example: salt '*' file.basename 'test/test.config' salt.modules.file.blockreplace(path, marker_start='#-- start managed zone --', marker_end='#-- end managed zone --', content='', append_if_not_found=False, prepend_if_not_found=False, backup='.bak', dry_run=False, show_changes=True) New in version 2014.1.0. Replace content of a text block in a file, delimited by line markers A block of content delimited by comments can help you manage several lines entries without worrying about old entries removal. NOTE: This function will store two copies of the file in-memory (the original version and the edited version) in order to detect changes and only edit the targeted file if necessary. path Filesystem path to the file to be edited marker_start The line content identifying a line as the start of the content block. Note that the whole line containing this marker will be considered, so whitespace or extra content before or after the marker is included in final output marker_end The line content identifying a line as the end of the content block. Note that the whole line containing this marker will be considered, so whitespace or extra content before or after the marker is included in final output content The content to be used between the two lines identified by marker_start and marker_stop. append_if_not_found False If markers are not found and set to True then, the markers and content will be appended to the file. prepend_if_not_found False If markers are not found and set to True then, the markers and content will be prepended to the file. backup The file extension to use for a backup of the file if any edit is made. Set to False to skip making a backup. dry_run Don't make any edits to the file. show_changes Output a unified diff of the old file and the new file. If False, return a boolean if any changes were made. CLI Example: salt '*' file.blockreplace /etc/hosts '#-- start managed zone foobar : DO NOT EDIT --' \ '#-- end managed zone foobar --' $'10.0.1.1 foo.foobar\n10.0.1.2 bar.foobar' True salt.modules.file.check_file_meta(name, sfn, source, source_sum, user, group, mode, saltenv, contents=None) Check for the changes in the file metadata. CLI Example: salt '*' file.check_file_meta /etc/httpd/conf.d/httpd.conf salt://http/httpd.conf '{hash_type: 'md5', 'hsum': <md5sum>}' root, root, '755' base NOTE: Supported hash types include sha512, sha384, sha256, sha224, sha1, and md5. name Path to file destination sfn Template-processed source file contents source URL to file source source_sum File checksum information as a dictionary {hash_type: md5, hsum: <md5sum>} user Destination file user owner group Destination file group owner mode Destination file permissions mode saltenv Salt environment used to resolve source files contents File contents salt.modules.file.check_hash(path, file_hash) Check if a file matches the given hash string Returns true if the hash matched, otherwise false. Raises ValueError if the hash was not formatted correctly. path A file path hash A string in the form <hash_type>:<hash_value>. For example: md5:e138491e9d5b97023cea823fe17bac22 CLI Example: salt '*' file.check_hash /etc/fstab md5:<md5sum> salt.modules.file.check_managed(name, source, source_hash, user, group, mode, template, context, defaults, saltenv, contents=None, **kwargs) Check to see what changes need to be made for a file CLI Example: salt '*' file.check_managed /etc/httpd/conf.d/httpd.conf salt://http/httpd.conf '{hash_type: 'md5', 'hsum': <md5sum>}' root, root, '755' jinja True None None base salt.modules.file.check_managed_changes(name, source, source_hash, user, group, mode, template, context, defaults, saltenv, contents=None, **kwargs) Return a dictionary of what changes need to be made for a file CLI Example: salt '*' file.check_managed_changes /etc/httpd/conf.d/httpd.conf salt://http/httpd.conf '{hash_type: 'md5', 'hsum': <md5sum>}' root, root, '755' jinja True None None base salt.modules.file.check_perms(name, ret, user, group, mode, follow_symlinks=False) Check the permissions on files and chown if needed CLI Example: salt '*' file.check_perms /etc/sudoers '{}' root root 400 Changed in version 2014.1.3: follow_symlinks option added salt.modules.file.chgrp(path, group) Change the group of a file path path to the file or directory group group owner CLI Example: salt '*' file.chgrp /etc/passwd root salt.modules.file.chown(path, user, group) Chown a file, pass the file the desired user and group path path to the file or directory user user owner group group owner CLI Example: salt '*' file.chown /etc/passwd root root salt.modules.file.comment(path, regex, char='#', backup='.bak') Deprecated since version 0.17.0: Use replace() instead. Comment out specified lines in a file path The full path to the file to be edited regex A regular expression used to find the lines that are to be commented; this pattern will be wrapped in parenthesis and will move any preceding/trailing ^ or $ characters outside the parenthesis (e.g., the pattern ^foo$ will be rewritten as ^(foo)$) char # The character to be inserted at the beginning of a line in order to comment it out backup .bak The file will be backed up before edit with this file extension WARNING: This backup will be overwritten each time sed / comment / uncomment is called. Meaning the backup will only be useful after the first invocation. CLI Example: salt '*' file.comment /etc/modules pcspkr salt.modules.file.comment_line(path, regex, char='#', cmnt=True, backup='.bak') Comment or Uncomment a line in a text file. Parameters • path -- string The full path to the text file. • regex -- string A regex expression that begins with ^ that will find the line you wish to comment. Can be as simple as ^color = • char -- string The character used to comment a line in the type of file you're referencing. Default is # • cmnt -- boolean True to comment the line. False to uncomment the line. Default is True. • backup -- string The file extension to give the backup file. Default is .bak Returns boolean Returns True if successful, False if not CLI Example: The following example will comment out the pcspkr line in the /etc/modules file using the default # character and create a backup file named modules.bak salt '*' file.comment_line '/etc/modules' '^pcspkr' CLI Example: The following example will uncomment the log_level setting in minion config file if it is set to either warning, info, or debug using the # character and create a backup file named minion.bk salt '*' file.comment_line 'C:\salt\conf\minion' '^log_level: (warning|info|debug)' '#' False '.bk' salt.modules.file.contains(path, text) Deprecated since version 0.17.0: Use search() instead. Return True if the file at path contains text CLI Example: salt '*' file.contains /etc/crontab 'mymaintenance.sh' salt.modules.file.contains_glob(path, glob_expr) Deprecated since version 0.17.0: Use search() instead. Return True if the given glob matches a string in the named file CLI Example: salt '*' file.contains_glob /etc/foobar '*cheese*' salt.modules.file.contains_regex(path, regex, lchar='') Deprecated since version 0.17.0: Use search() instead. Return True if the given regular expression matches on any line in the text of a given file. If the lchar argument (leading char) is specified, it will strip lchar from the left side of each line before trying to match CLI Example: salt '*' file.contains_regex /etc/crontab salt.modules.file.contains_regex_multiline(path, regex) Deprecated since version 0.17.0: Use search() instead. Return True if the given regular expression matches anything in the text of a given file Traverses multiple lines at a time, via the salt BufferedReader (reads in chunks) CLI Example: salt '*' file.contains_regex_multiline /etc/crontab '^maint' salt.modules.file.copy(src, dst, recurse=False, remove_existing=False) Copy a file or directory from source to dst In order to copy a directory, the recurse flag is required, and will by default overwrite files in the destination with the same path, and retain all other existing files. (similar to cp -r on unix) remove_existing will remove all files in the target directory, and then copy files from the source. CLI Example: salt '*' file.copy /path/to/src /path/to/dst salt '*' file.copy /path/to/src_dir /path/to/dst_dir recurse=True salt '*' file.copy /path/to/src_dir /path/to/dst_dir recurse=True remove_existing=True salt.modules.file.delete_backup(path, backup_id) New in version 0.17.0. Delete a previous version of a file that was backed up using Salt's file state backup system. path The path on the minion to check for backups backup_id The numeric id for the backup you wish to delete, as found using file.list_backups CLI Example: salt '*' file.restore_backup /foo/bar/baz.txt 0 salt.modules.file.directory_exists(path) Tests to see if path is a valid directory. Returns True/False. CLI Example: salt '*' file.directory_exists /etc salt.modules.file.dirname(path) Returns the directory component of a pathname New in version 2015.5.0. This can be useful at the CLI but is frequently useful when scripting. {%- from salt['file.dirname'](tpldir) + '/vars.jinja' import parent_vars %} CLI Example: salt '*' file.dirname 'test/path/filename.config' salt.modules.file.diskusage(path) Recursively calculate disk usage of path and return it in bytes CLI Example: salt '*' file.diskusage /path/to/check salt.modules.file.extract_hash(hash_fn, hash_type='sha256', file_name='') This routine is called from the file.managed state to pull a hash from a remote file. Regular expressions are used line by line on the source_hash file, to find a potential candidate of the indicated hash type. This avoids many problems of arbitrary file lay out rules. It specifically permits pulling hash codes from debian *.dsc files. For example: openerp_7.0-latest-1.tar.gz: file.managed: - name: /tmp/openerp_7.0-20121227-075624-1_all.deb - source: http://nightly.openerp.com/7.0/nightly/deb/openerp_7.0-20121227-075624-1.tar.gz - source_hash: http://nightly.openerp.com/7.0/nightly/deb/openerp_7.0-20121227-075624-1.dsc CLI Example: salt '*' file.extract_hash /etc/foo sha512 /path/to/hash/file salt.modules.file.file_exists(path) Tests to see if path is a valid file. Returns True/False. CLI Example: salt '*' file.file_exists /etc/passwd salt.modules.file.find(path, *args, **kwargs) Approximate the Unix find(1) command and return a list of paths that meet the specified criteria. The options include match criteria: name = path-glob # case sensitive iname = path-glob # case insensitive regex = path-regex # case sensitive iregex = path-regex # case insensitive type = file-types # match any listed type user = users # match any listed user group = groups # match any listed group size = [+-]number[size-unit] # default unit = byte mtime = interval # modified since date grep = regex # search file contents and/or actions: delete [= file-types] # default type = 'f' exec = command [arg ...] # where {} is replaced by pathname print [= print-opts] and/or depth criteria: maxdepth = maximum depth to transverse in path mindepth = minimum depth to transverse before checking files or directories The default action is print=path path-glob: * = match zero or more chars ? = match any char [abc] = match a, b, or c [!abc] or [^abc] = match anything except a, b, and c [x-y] = match chars x through y [!x-y] or [^x-y] = match anything except chars x through y {a,b,c} = match a or b or c path-regex: a Python Regex (regular expression) pattern to match pathnames file-types: a string of one or more of the following: a: all file types b: block device c: character device d: directory p: FIFO (named pipe) f: plain file l: symlink s: socket users: a space and/or comma separated list of user names and/or uids groups: a space and/or comma separated list of group names and/or gids size-unit: b: bytes k: kilobytes m: megabytes g: gigabytes t: terabytes interval: [<num>w] [<num>d] [<num>h] [<num>m] [<num>s] where: w: week d: day h: hour m: minute s: second print-opts: a comma and/or space separated list of one or more of the following: group: group name md5: MD5 digest of file contents mode: file permissions (as integer) mtime: last modification time (as time_t) name: file basename path: file absolute path size: file size in bytes type: file type user: user name CLI Examples: salt '*' file.find / type=f name=\*.bak size=+10m salt '*' file.find /var mtime=+30d size=+10m print=path,size,mtime salt '*' file.find /var/log name=\*.[0-9] mtime=+30d size=+10m delete salt.modules.file.get_devmm(name) Get major/minor info from a device CLI Example: salt '*' file.get_devmm /dev/chr salt.modules.file.get_diff(minionfile, masterfile, env=None, saltenv='base') Return unified diff of file compared to file on master CLI Example: salt '*' file.get_diff /home/fred/.vimrc salt://users/fred/.vimrc salt.modules.file.get_gid(path, follow_symlinks=True) Return the id of the group that owns a given file path file or directory of which to get the gid follow_symlinks indicated if symlinks should be followed CLI Example: salt '*' file.get_gid /etc/passwd Changed in version 0.16.4: follow_symlinks option added salt.modules.file.get_group(path, follow_symlinks=True) Return the group that owns a given file path file or directory of which to get the group follow_symlinks indicated if symlinks should be followed CLI Example: salt '*' file.get_group /etc/passwd Changed in version 0.16.4: follow_symlinks option added salt.modules.file.get_hash(path, form='sha256', chunk_size=65536) Get the hash sum of a file This is better than get_sum for the following reasons: • It does not read the entire file into memory. • It does not return a string on error. The returned value of get_sum cannot really be trusted since it is vulnerable to collisions: get_sum(..., 'xyz') == 'Hash xyz not supported' path path to the file or directory form desired sum format chunk_size amount to sum at once CLI Example: salt '*' file.get_hash /etc/shadow salt.modules.file.get_managed(name, template, source, source_hash, user, group, mode, saltenv, context, defaults, **kwargs) Return the managed file data for file.managed name location where the file lives on the server template template format source managed source file source_hash hash of the source file user user owner group group owner mode file mode context variables to add to the environment default default values of for context_dict CLI Example: salt '*' file.get_managed /etc/httpd/conf.d/httpd.conf jinja salt://http/httpd.conf '{hash_type: 'md5', 'hsum': <md5sum>}' root root '755' base None None salt.modules.file.get_mode(path, follow_symlinks=True) Return the mode of a file path file or directory of which to get the mode follow_symlinks indicated if symlinks should be followed CLI Example: salt '*' file.get_mode /etc/passwd Changed in version 2014.1.0: follow_symlinks option added salt.modules.file.get_selinux_context(path) Get an SELinux context from a given path CLI Example: salt '*' file.get_selinux_context /etc/hosts salt.modules.file.get_sum(path, form='sha256') Return the checksum for the given file. The following checksum algorithms are supported: • md5 • sha1 • sha224 • sha256 (default) • sha384 • sha512 path path to the file or directory form desired sum format CLI Example: salt '*' file.get_sum /etc/passwd sha512 salt.modules.file.get_uid(path, follow_symlinks=True) Return the id of the user that owns a given file path file or directory of which to get the uid follow_symlinks indicated if symlinks should be followed CLI Example: salt '*' file.get_uid /etc/passwd Changed in version 0.16.4: follow_symlinks option added salt.modules.file.get_user(path, follow_symlinks=True) Return the user that owns a given file path file or directory of which to get the user follow_symlinks indicated if symlinks should be followed CLI Example: salt '*' file.get_user /etc/passwd Changed in version 0.16.4: follow_symlinks option added salt.modules.file.gid_to_group(gid) Convert the group id to the group name on this system gid gid to convert to a group name CLI Example: salt '*' file.gid_to_group 0 salt.modules.file.grep(path, pattern, *args) Grep for a string in the specified file NOTE: This function's return value is slated for refinement in future versions of Salt path A file path pattern A string. For example: test a[0-5] args grep options. For example: " -v" " -i -B2" CLI Example: salt '*' file.grep /etc/passwd nobody salt '*' file.grep /etc/sysconfig/network-scripts/ifcfg-eth0 ipaddr " -i" salt '*' file.grep /etc/sysconfig/network-scripts/ifcfg-eth0 ipaddr " -i -B2" salt '*' file.grep "/etc/sysconfig/network-scripts/*" ipaddr " -i -l" salt.modules.file.group_to_gid(group) Convert the group to the gid on this system group group to convert to its gid CLI Example: salt '*' file.group_to_gid root salt.modules.file.is_blkdev(name) Check if a file exists and is a block device. CLI Example: salt '*' file.is_blkdev /dev/blk salt.modules.file.is_chrdev(name) Check if a file exists and is a character device. CLI Example: salt '*' file.is_chrdev /dev/chr salt.modules.file.is_fifo(name) Check if a file exists and is a FIFO. CLI Example: salt '*' file.is_fifo /dev/fifo salt.modules.file.is_link(path) Check if the path is a symbolic link CLI Example: salt '*' file.is_link /path/to/link salt.modules.file.join(*args) Return a normalized file system path for the underlying OS New in version 2014.7.0. This can be useful at the CLI but is frequently useful when scripting combining path variables: {% set www_root = '/var' %} {% set app_dir = 'myapp' %} myapp_config: file: - managed - name: {{ salt['file.join'](www_root, app_dir, 'config.yaml') }} CLI Example: salt '*' file.join '/' 'usr' 'local' 'bin' salt.modules.file.lchown(path, user, group) Chown a file, pass the file the desired user and group without following symlinks. path path to the file or directory user user owner group group owner CLI Example: salt '*' file.chown /etc/passwd root root salt.modules.file.line(path, content, match=None, mode=None, location=None, before=None, after=None, show_changes=True, backup=False, quiet=False, indent=True) New in version 2015.8.0. Edit a line in the configuration file. Parameters • path -- Filesystem path to the file to be edited. • content -- Content of the line. • match -- Match the target line for an action by a fragment of a string or regular expression. • mode -- .INDENT 2.0 Ensure If line does not exist, it will be added. Replace If line already exist, it will be replaced. Delete Delete the line, once found. Insert Insert a line. • location -- .INDENT 2.0 start Place the content at the beginning of the file. end Place the content at the end of the file. • before -- Regular expression or an exact case-sensitive fragment of the string. • after -- Regular expression or an exact case-sensitive fragment of the string. • show_changes -- Output a unified diff of the old file and the new file. If False return a boolean if any changes were made. Default is True NOTE: Using this option will store two copies of the file in-memory (the original version and the edited version) in order to generate the diff. • backup -- Create a backup of the original file with the extension: "Year-Month-Day-Hour-Minutes-Seconds". • quiet -- Do not raise any exceptions. E.g. ignore the fact that the file that is tried to be edited does not exist and nothing really happened. • indent -- Keep indentation with the previous line. If an equal sign (=) appears in an argument to a Salt command, it is interpreted as a keyword argument in the format of key=val. That processing can be bypassed in order to pass an equal sign salt '*' file.line /path/to/file content="CREATEMAIL_SPOOL=no" match="CREATE_MAIL_SPOOL=yes" mode="replace" CLI Examples: salt '*' file.line /etc/nsswitch.conf "networks: files dns", after="hosts:.*?", mode='ensure' salt.modules.file.link(src, path) New in version 2014.1.0. Create a hard link to a file CLI Example: salt '*' file.link /path/to/file /path/to/link salt.modules.file.list_backups(path, limit=None) New in version 0.17.0. Lists the previous versions of a file backed up using Salt's file state backup system. path The path on the minion to check for backups limit Limit the number of results to the most recent N backups CLI Example: salt '*' file.list_backups /foo/bar/baz.txt salt.modules.file.list_backups_dir(path, limit=None) Lists the previous versions of a directory backed up using Salt's file state backup system. path The directory on the minion to check for backups limit Limit the number of results to the most recent N backups CLI Example: salt '*' file.list_backups_dir /foo/bar/baz/ salt.modules.file.lstat(path) New in version 2014.1.0. Returns the lstat attributes for the given file or dir. Does not support symbolic links. CLI Example: salt '*' file.lstat /path/to/file salt.modules.file.makedirs(path, user=None, group=None, mode=None) Ensure that the directory containing this path is available. NOTE: The path must end with a trailing slash otherwise the directory/directories will be created up to the parent directory. For example if path is /opt/code, then it would be treated as /opt/ but if the path ends with a trailing slash like /opt/code/, then it would be treated as /opt/code/. CLI Example: salt '*' file.makedirs /opt/code/ salt.modules.file.makedirs_perms(name, user=None, group=None, mode='0755') Taken and modified from os.makedirs to set user, group and mode for each directory created. CLI Example: salt '*' file.makedirs_perms /opt/code salt.modules.file.manage_file(name, sfn, ret, source, source_sum, user, group, mode, saltenv, backup, makedirs=False, template=None, show_diff=True, contents=None, dir_mode=None, follow_symlinks=True) Checks the destination against what was retrieved with get_managed and makes the appropriate modifications (if necessary). name location to place the file sfn location of cached file on the minion This is the path to the file stored on the minion. This file is placed on the minion using cp.cache_file. If the hash sum of that file matches the source_sum, we do not transfer the file to the minion again. This file is then grabbed and if it has template set, it renders the file to be placed into the correct place on the system using salt.files.utils.copyfile() ret The initial state return data structure. Pass in None to use the default structure. source file reference on the master source_hash sum hash for source user user owner group group owner backup backup_mode makedirs make directories if they do not exist template format of templating show_diff Include diff in state return contents: contents to be placed in the file dir_mode mode for directories created with makedirs CLI Example: salt '*' file.manage_file /etc/httpd/conf.d/httpd.conf '' '{}' salt://http/httpd.conf '{hash_type: 'md5', 'hsum': <md5sum>}' root root '755' base '' Changed in version 2014.7.0: follow_symlinks option added salt.modules.file.mkdir(dir_path, user=None, group=None, mode=None) Ensure that a directory is available. CLI Example: salt '*' file.mkdir /opt/jetty/context salt.modules.file.mknod(name, ntype, major=0, minor=0, user=None, group=None, mode='0600') New in version 0.17.0. Create a block device, character device, or fifo pipe. Identical to the gnu mknod. CLI Examples: salt '*' file.mknod /dev/chr c 180 31 salt '*' file.mknod /dev/blk b 8 999 salt '*' file.nknod /dev/fifo p salt.modules.file.mknod_blkdev(name, major, minor, user=None, group=None, mode='0660') New in version 0.17.0. Create a block device. CLI Example: salt '*' file.mknod_blkdev /dev/blk 8 999 salt.modules.file.mknod_chrdev(name, major, minor, user=None, group=None, mode='0660') New in version 0.17.0. Create a character device. CLI Example: salt '*' file.mknod_chrdev /dev/chr 180 31 salt.modules.file.mknod_fifo(name, user=None, group=None, mode='0660') New in version 0.17.0. Create a FIFO pipe. CLI Example: salt '*' file.mknod_fifo /dev/fifo salt.modules.file.move(src, dst) Move a file or directory CLI Example: salt '*' file.move /path/to/src /path/to/dst salt.modules.file.normpath(path) Returns Normalize path, eliminating double slashes, etc. New in version 2015.5.0. This can be useful at the CLI but is frequently useful when scripting. {%- from salt['file.normpath'](tpldir + '/../vars.jinja') import parent_vars %} CLI Example: salt '*' file.normpath 'a/b/c/..' salt.modules.file.open_files(by_pid=False) Return a list of all physical open files on the system. CLI Examples: salt '*' file.open_files salt '*' file.open_files by_pid=True salt.modules.file.pardir() Return the relative parent directory path symbol for underlying OS New in version 2014.7.0. This can be useful when constructing Salt Formulas. {% set pardir = salt['file.pardir']() %} {% set final_path = salt['file.join']('subdir', pardir, 'confdir') %} CLI Example: salt '*' file.pardir salt.modules.file.patch(originalfile, patchfile, options='', dry_run=False) New in version 0.10.4. Apply a patch to a file Equivalent to: patch <options> <originalfile> <patchfile> originalfile The full path to the file or directory to be patched patchfile A patch file to apply to originalfile options Options to pass to patch. CLI Example: salt '*' file.patch /opt/file.txt /tmp/file.txt.patch salt.modules.file.path_exists_glob(path) Tests to see if path after expansion is a valid path (file or directory). Expansion allows usage of ? * and character ranges []. Tilde expansion is not supported. Returns True/False. New in version Hellium. CLI Example: salt '*' file.path_exists_glob /etc/pam*/pass* salt.modules.file.prepend(path, *args, **kwargs) New in version 2014.7.0. Prepend text to the beginning of a file path path to file *args strings to prepend to the file CLI Example: salt '*' file.prepend /etc/motd \ "With all thine offerings thou shalt offer salt." \ "Salt is what makes things taste bad when it isn't in them." Attention If you need to pass a string to append and that string contains an equal sign, you must include the argument name, args. For example: salt '*' file.prepend /etc/motd args='cheese=spam' salt '*' file.prepend /etc/motd args="['cheese=spam','spam=cheese']" salt.modules.file.psed(path, before, after, limit='', backup='.bak', flags='gMS', escape_all=False, multi=False) Deprecated since version 0.17.0: Use replace() instead. Make a simple edit to a file (pure Python version) Equivalent to: sed <backup> <options> "/<limit>/ s/<before>/<after>/<flags> <file>" path The full path to the file to be edited before A pattern to find in order to replace with after after Text that will replace before limit '' An initial pattern to search for before searching for before backup .bak The file will be backed up before edit with this file extension; WARNING: each time sed/comment/uncomment is called will overwrite this backup flags gMS.INDENT 7.0 Flags to modify the search. Valid values are: • g: Replace all occurrences of the pattern, not just the first. • I: Ignore case. • L: Make \w, \W, \b, \B, \s and \S dependent on the locale. • M: Treat multiple lines as a single line. • S: Make . match all characters, including newlines. • U: Make \w, \W, \b, \B, \d, \D, \s and \S dependent on Unicode. • X: Verbose (whitespace is ignored). multi: False If True, treat the entire file as a single line Forward slashes and single quotes will be escaped automatically in the before and after patterns. CLI Example: salt '*' file.sed /etc/httpd/httpd.conf 'LogLevel warn' 'LogLevel info' salt.modules.file.readdir(path) New in version 2014.1.0. Return a list containing the contents of a directory CLI Example: salt '*' file.readdir /path/to/dir/ salt.modules.file.readlink(path, canonicalize=False) New in version 2014.1.0. Return the path that a symlink points to If canonicalize is set to True, then it return the final target CLI Example: salt '*' file.readlink /path/to/link salt.modules.file.remove(path) Remove the named file. If a directory is supplied, it will be recursively deleted. CLI Example: salt '*' file.remove /tmp/foo salt.modules.file.rename(src, dst) Rename a file or directory CLI Example: salt '*' file.rename /path/to/src /path/to/dst salt.modules.file.replace(path, pattern, repl, count=0, flags=8, bufsize=1, append_if_not_found=False, prepend_if_not_found=False, not_found_content=None, backup='.bak', dry_run=False, search_only=False, show_changes=True, ignore_if_missing=False, preserve_inode=True) New in version 0.17.0. Replace occurrences of a pattern in a file. If show_changes is True, then a diff of what changed will be returned, otherwise a True will be returnd when changes are made, and False when no changes are made. This is a pure Python implementation that wraps Python's sub(). path Filesystem path to the file to be edited pattern A regular expression, to be matched using Python's search(). repl The replacement text count 0 Maximum number of pattern occurrences to be replaced. If count is a positive integer n, only n occurrences will be replaced, otherwise all occurrences will be replaced. flags (list or int) A list of flags defined in the re module documentation. Each list item should be a string that will correlate to the human-friendly flag name. E.g., ['IGNORECASE', 'MULTILINE']. Optionally, flags may be an int, with a value corresponding to the XOR (|) of all the desired flags. Defaults to 8 (which supports 'MULTILINE'). bufsize (int or str) How much of the file to buffer into memory at once. The default value 1 processes one line at a time. The special value file may be specified which will read the entire file into memory before processing. append_if_not_found False New in version 2014.7.0. If set to True, and pattern is not found, then the content will be appended to the file. prepend_if_not_found False New in version 2014.7.0. If set to True and pattern is not found, then the content will be prepended to the file. not_found_content New in version 2014.7.0. Content to use for append/prepend if not found. If None (default), uses repl. Useful when repl uses references to group in pattern. backup .bak The file extension to use for a backup of the file before editing. Set to False to skip making a backup. dry_run False If set to True, no changes will be made to the file, the function will just return the changes that would have been made (or a True/False value if show_changes is set to False). search_only False If set to true, this no changes will be perfomed on the file, and this function will simply return True if the pattern was matched, and False if not. show_changes True If True, return a diff of changes made. Otherwise, return True if changes were made, and False if not. NOTE: Using this option will store two copies of the file in memory (the original version and the edited version) in order to generate the diff. This may not normally be a concern, but could impact performance if used with large files. ignore_if_missing False New in version 2015.8.0. If set to True, this function will simply return False if the file doesn't exist. Otherwise, an error will be thrown. preserve_inode True New in version 2015.8.0. Preserve the inode of the file, so that any hard links continue to share the inode with the original filename. This works by copying the file, reading from the copy, and writing to the file at the original inode. If False, the file will be moved rather than copied, and a new file will be written to a new inode, but using the original filename. Hard links will then share an inode with the backup, instead (if using backup to create a backup copy). If an equal sign (=) appears in an argument to a Salt command it is interpreted as a keyword argument in the format key=val. That processing can be bypassed in order to pass an equal sign through to the remote shell command by manually specifying the kwarg: salt '*' file.replace /path/to/file pattern='=' repl=':' salt '*' file.replace /path/to/file pattern="bind-address\s*=" repl='bind-address:' CLI Examples: salt '*' file.replace /etc/httpd/httpd.conf pattern='LogLevel warn' repl='LogLevel info' salt '*' file.replace /some/file pattern='before' repl='after' flags='[MULTILINE, IGNORECASE]' salt.modules.file.restore_backup(path, backup_id) New in version 0.17.0. Restore a previous version of a file that was backed up using Salt's file state backup system. path The path on the minion to check for backups backup_id The numeric id for the backup you wish to restore, as found using file.list_backups CLI Example: salt '*' file.restore_backup /foo/bar/baz.txt 0 salt.modules.file.restorecon(path, recursive=False) Reset the SELinux context on a given path CLI Example: salt '*' file.restorecon /home/user/.ssh/authorized_keys salt.modules.file.rmdir(path) New in version 2014.1.0. Remove the specified directory. Fails if a directory is not empty. CLI Example: salt '*' file.rmdir /tmp/foo/ salt.modules.file.search(path, pattern, flags=8, bufsize=1, ignore_if_missing=False, multiline=False) New in version 0.17.0. Search for occurrences of a pattern in a file Except for multiline, params are identical to replace(). multiline If true, inserts 'MULTILINE' into flags and sets bufsize to 'file'. New in version 2015.8.0. CLI Example: salt '*' file.search /etc/crontab 'mymaintenance.sh' salt.modules.file.sed(path, before, after, limit='', backup='.bak', options='-r -e', flags='g', escape_all=False, negate_match=False) Deprecated since version 0.17.0: Use replace() instead. Make a simple edit to a file Equivalent to: sed <backup> <options> "/<limit>/ s/<before>/<after>/<flags> <file>" path The full path to the file to be edited before A pattern to find in order to replace with after after Text that will replace before limit '' An initial pattern to search for before searching for before backup .bak The file will be backed up before edit with this file extension; WARNING: each time sed/comment/uncomment is called will overwrite this backup options -r -e Options to pass to sed flags g Flags to modify the sed search; e.g., i for case-insensitive pattern matching negate_match False Negate the search command (!) New in version 0.17.0. Forward slashes and single quotes will be escaped automatically in the before and after patterns. CLI Example: salt '*' file.sed /etc/httpd/httpd.conf 'LogLevel warn' 'LogLevel info' salt.modules.file.sed_contains(path, text, limit='', flags='g') Deprecated since version 0.17.0: Use search() instead. Return True if the file at path contains text. Utilizes sed to perform the search (line-wise search). Note: the p flag will be added to any flags you pass in. CLI Example: salt '*' file.contains /etc/crontab 'mymaintenance.sh' salt.modules.file.seek_read(path, size, offset) New in version 2014.1.0. Seek to a position on a file and read it path path to file seek amount to read at once offset offset to start into the file CLI Example: salt '*' file.seek_read /path/to/file 4096 0 salt.modules.file.seek_write(path, data, offset) New in version 2014.1.0. Seek to a position on a file and write to it path path to file data data to write to file offset position in file to start writing CLI Example: salt '*' file.seek_write /path/to/file 'some data' 4096 salt.modules.file.set_mode(path, mode) Set the mode of a file path file or directory of which to set the mode mode mode to set the path to CLI Example: salt '*' file.set_mode /etc/passwd 0644 salt.modules.file.set_selinux_context(path, user=None, role=None, type=None, range=None) Set a specific SELinux label on a given path CLI Example: salt '*' file.set_selinux_context path <role> <type> <range> salt.modules.file.source_list(source, source_hash, saltenv) Check the source list and return the source to use CLI Example: salt '*' file.source_list salt://http/httpd.conf '{hash_type: 'md5', 'hsum': <md5sum>}' base salt.modules.file.stats(path, hash_type=None, follow_symlinks=True) Return a dict containing the stats for a given file CLI Example: salt '*' file.stats /etc/passwd salt.modules.file.statvfs(path) New in version 2014.1.0. Perform a statvfs call against the filesystem that the file resides on CLI Example: salt '*' file.statvfs /path/to/file salt.modules.file.symlink(src, path) Create a symbolic link (symlink, soft link) to a file CLI Example: salt '*' file.symlink /path/to/file /path/to/link salt.modules.file.touch(name, atime=None, mtime=None) New in version 0.9.5. Just like the touch command, create a file if it doesn't exist or simply update the atime and mtime if it already does. atime: Access time in Unix epoch time mtime: Last modification in Unix epoch time CLI Example: salt '*' file.touch /var/log/emptyfile salt.modules.file.truncate(path, length) New in version 2014.1.0. Seek to a position on a file and delete everything after that point path path to file length offset into file to truncate CLI Example: salt '*' file.truncate /path/to/file 512 salt.modules.file.uid_to_user(uid) Convert a uid to a user name uid uid to convert to a username CLI Example: salt '*' file.uid_to_user 0 salt.modules.file.uncomment(path, regex, char='#', backup='.bak') Deprecated since version 0.17.0: Use replace() instead. Uncomment specified commented lines in a file path The full path to the file to be edited regex A regular expression used to find the lines that are to be uncommented. This regex should not include the comment character. A leading ^ character will be stripped for convenience (for easily switching between comment() and uncomment()). char # The character to remove in order to uncomment a line backup .bak The file will be backed up before edit with this file extension; WARNING: each time sed/comment/uncomment is called will overwrite this backup CLI Example: salt '*' file.uncomment /etc/hosts.deny 'ALL: PARANOID' salt.modules.file.user_to_uid(user) Convert user name to a uid user user name to convert to its uid CLI Example: salt '*' file.user_to_uid root salt.modules.file.write(path, *args, **kwargs) New in version 2014.7.0. Write text to a file, overwriting any existing contents. path path to file *args strings to write to the file CLI Example: salt '*' file.write /etc/motd \ "With all thine offerings thou shalt offer salt." Attention If you need to pass a string to append and that string contains an equal sign, you must include the argument name, args. For example: salt '*' file.write /etc/motd args='cheese=spam' salt '*' file.write /etc/motd args="['cheese=spam','spam=cheese']" salt.modules.firewalld Support for firewalld. New in version 2015.2.0. salt.modules.firewalld.add_masquerade(zone) Enable masquerade on a zone. New in version 2015.8.0. CLI Example: salt '*' firewalld.add_masquerade salt.modules.firewalld.add_port(zone, port, permanent=True) Allow specific ports in a zone. New in version 2015.8.0. CLI Example: salt '*' firewalld.add_port internal 443/tcp salt.modules.firewalld.add_port_fwd(zone, src, dest, proto='tcp', dstaddr='') Add port forwarding. New in version 2015.8.0. CLI Example: salt '*' firewalld.add_port_fwd public 80 443 tcp salt.modules.firewalld.add_service(name, zone=None, permanent=True) Add a service for zone. If zone is omitted, default zone will be used. CLI Example: salt '*' firewalld.add_service ssh To assign a service to a specific zone: salt '*' firewalld.add_service ssh my_zone salt.modules.firewalld.allow_icmp(zone, icmp) Allow a specific ICMP type on a zone New in version 2015.8.0. CLI Example: salt '*' firewalld.allow_icmp zone echo-reply salt.modules.firewalld.block_icmp(zone, icmp) Block a specific ICMP type on a zone New in version 2015.8.0. CLI Example: salt '*' firewalld.block_icmp zone echo-reply salt.modules.firewalld.default_zone() Print default zone for connections and interfaces CLI Example: salt '*' firewalld.default_zone salt.modules.firewalld.delete_service(name, restart=True) Delete an existing service CLI Example: salt '*' firewalld.delete_service my_service By default firewalld will be reloaded. However, to avoid reloading you need to specify the restart as False salt '*' firewalld.delete_service my_service False salt.modules.firewalld.delete_zone(zone, restart=True) Delete an existing zone CLI Example: salt '*' firewalld.delete_zone my_zone By default firewalld will be reloaded. However, to avoid reloading you need to specify the restart as False salt '*' firewalld.delete_zone my_zone False salt.modules.firewalld.get_icmp_types() Print predefined icmptypes CLI Example: salt '*' firewalld.get_icmp_types salt.modules.firewalld.get_masquerade(zone) Show if masquerading is enabled on a zone CLI Example: salt '*' firewalld.get_masquerade zone salt.modules.firewalld.get_services() Print predefined services CLI Example: salt '*' firewalld.get_services salt.modules.firewalld.get_zones() Print predefined zones CLI Example: salt '*' firewalld.get_zones salt.modules.firewalld.list_all(zone=None) List everything added for or enabled in a zone CLI Example: salt '*' firewalld.list_all List a specific zone salt '*' firewalld.list_all my_zone salt.modules.firewalld.list_icmp_block(zone) List ICMP blocks on a zone New in version 2015.8.0. CLI Example: salt '*' firewlld.list_icmp_block zone salt.modules.firewalld.list_port_fwd(zone) List port forwarding New in version 2015.8.0. CLI Example: salt '*' firewalld.list_port_fwd public salt.modules.firewalld.list_ports(zone) List all ports in a zone. New in version 2015.8.0. CLI Example: salt '*' firewalld.list_ports salt.modules.firewalld.list_services(zone=None) List services added for zone as a space separated list. If zone is omitted, default zone will be used. CLI Example: salt '*' firewalld.list_services List a specific zone salt '*' firewalld.list_services my_zone salt.modules.firewalld.list_zones() List everything added for or enabled in all zones CLI Example: salt '*' firewalld.list_zones salt.modules.firewalld.new_service(name, restart=True) Add a new service CLI Example: salt '*' firewalld.new_service my_service By default firewalld will be reloaded. However, to avoid reloading you need to specify the restart as False salt '*' firewalld.new_service my_service False salt.modules.firewalld.new_zone(zone, restart=True) Add a new zone CLI Example: salt '*' firewalld.new_zone my_zone By default firewalld will be reloaded. However, to avoid reloading you need to specify the restart as False salt '*' firewalld.new_zone my_zone False salt.modules.firewalld.remove_masquerade(zone) Remove masquerade on a zone. New in version 2015.8.0. CLI Example: salt '*' firewalld.remove_masquerade salt.modules.firewalld.remove_port(zone, port, permanent=True) Remove a specific port from a zone. New in version 2015.8.0. CLI Example: salt '*' firewalld.remove_port internal 443/tcp salt.modules.firewalld.remove_port_fwd(zone, src, dest, proto='tcp') Remove Port Forwarding. New in version 2015.8.0. CLI Example: salt '*' firewalld.remove_port_fwd public 80 443 tcp salt.modules.firewalld.remove_service(name, zone=None, permanent=True) Remove a service from zone. This option can be specified multiple times. If zone is omitted, default zone will be used. CLI Example: salt '*' firewalld.remove_service ssh To remove a service from a specific zone salt '*' firewalld.remove_service ssh dmz salt.modules.firewalld.set_default_zone(zone) Set default zone CLI Example: salt '*' firewalld.set_default_zone damian salt.modules.firewalld.version() Return version from firewall-cmd CLI Example: salt '*' firewalld.version salt.modules.freebsd_sysctl Module for viewing and modifying sysctl parameters salt.modules.freebsd_sysctl.assign(name, value) Assign a single sysctl parameter for this minion CLI Example: salt '*' sysctl.assign net.inet.icmp.icmplim 50 salt.modules.freebsd_sysctl.get(name) Return a single sysctl parameter for this minion CLI Example: salt '*' sysctl.get hw.physmem salt.modules.freebsd_sysctl.persist(name, value, config='/etc/sysctl.conf') Assign and persist a simple sysctl parameter for this minion CLI Example: salt '*' sysctl.persist net.inet.icmp.icmplim 50 salt '*' sysctl.persist coretemp_load NO config=/boot/loader.conf salt.modules.freebsd_sysctl.show(config_file=False) Return a list of sysctl parameters for this minion CLI Example: salt '*' sysctl.show salt.modules.freebsdjail The jail module for FreeBSD salt.modules.freebsdjail.fstab(jail) Display contents of a fstab(5) file defined in specified jail's configuration. If no file is defined, return False. CLI Example: salt '*' jail.fstab <jail name> salt.modules.freebsdjail.get_enabled() Return which jails are set to be run CLI Example: salt '*' jail.get_enabled salt.modules.freebsdjail.is_enabled() See if jail service is actually enabled on boot CLI Example: salt '*' jail.is_enabled <jail name> salt.modules.freebsdjail.restart(jail='') Restart the specified jail or all, if none specified CLI Example: salt '*' jail.restart [<jail name>] salt.modules.freebsdjail.show_config(jail) Display specified jail's configuration CLI Example: salt '*' jail.show_config <jail name> salt.modules.freebsdjail.start(jail='') Start the specified jail or all, if none specified CLI Example: salt '*' jail.start [<jail name>] salt.modules.freebsdjail.status(jail) See if specified jail is currently running CLI Example: salt '*' jail.status <jail name> salt.modules.freebsdjail.stop(jail='') Stop the specified jail or all, if none specified CLI Example: salt '*' jail.stop [<jail name>] salt.modules.freebsdjail.sysctl() Dump all jail related kernel states (sysctl) CLI Example: salt '*' jail.sysctl salt.modules.freebsdkmod Module to manage FreeBSD kernel modules salt.modules.freebsdkmod.available() Return a list of all available kernel modules CLI Example: salt '*' kmod.available salt.modules.freebsdkmod.check_available(mod) Check to see if the specified kernel module is available CLI Example: salt '*' kmod.check_available vmm salt.modules.freebsdkmod.is_loaded(mod) Check to see if the specified kernel module is loaded CLI Example: salt '*' kmod.is_loaded vmm salt.modules.freebsdkmod.load(mod, persist=False) Load the specified kernel module mod Name of the module to add persist Write the module to sysrc kld_modules to make it load on system reboot CLI Example: salt '*' kmod.load bhyve salt.modules.freebsdkmod.lsmod() Return a dict containing information about currently loaded modules CLI Example: salt '*' kmod.lsmod salt.modules.freebsdkmod.mod_list(only_persist=False) Return a list of the loaded module names CLI Example: salt '*' kmod.mod_list salt.modules.freebsdkmod.remove(mod, persist=False) Remove the specified kernel module CLI Example: salt '*' kmod.remove vmm salt.modules.freebsdpkg Remote package support using pkg_add(1) WARNING: This module has been completely rewritten. Up to and including version 0.17.0, it supported pkg_add(1), but checked for the existence of a pkgng local database and, if found, would provide some of pkgng's functionality. The rewrite of this module has removed all pkgng support, and moved it to the pkgng execution module. For versions <= 0.17.0, the documentation here should not be considered accurate. If your Minion is running one of these versions, then the documentation for this module can be viewed using the sys.doc function: salt bsdminion sys.doc pkg This module acts as the default package provider for FreeBSD 9 and older. If you need to use pkgng on a FreeBSD 9 system, you will need to override the pkg provider by setting the providers parameter in your Minion config file, in order to use pkgng. providers: pkg: pkgng More information on pkgng support can be found in the documentation for the pkgng module. This module will respect the PACKAGEROOT and PACKAGESITE environment variables, if set, but these values can also be overridden in several ways: 1. Salt configuration parameters. The configuration parameters freebsdpkg.PACKAGEROOT and freebsdpkg.PACKAGESITE are recognized. These config parameters are looked up using config.get and can thus be specified in the Master config file, Grains, Pillar, or in the Minion config file. Example: freebsdpkg.PACKAGEROOT: ftp://ftp.freebsd.org/ freebsdpkg.PACKAGESITE: ftp://ftp.freebsd.org/pub/FreeBSD/ports/ia64/packages-9-stable/Latest/ 2. CLI arguments. Both the packageroot (used interchangeably with fromrepo for API compatibility) and packagesite CLI arguments are recognized, and override their config counterparts from section 1 above. salt -G 'os:FreeBSD' pkg.install zsh fromrepo=ftp://ftp2.freebsd.org/ salt -G 'os:FreeBSD' pkg.install zsh packageroot=ftp://ftp2.freebsd.org/ salt -G 'os:FreeBSD' pkg.install zsh packagesite=ftp://ftp2.freebsd.org/pub/FreeBSD/ports/ia64/packages-9-stable/Latest/ .. note:: These arguments can also be passed through in states: .. code-block:: yaml zsh: pkg.installed: - fromrepo: ftp://ftp2.freebsd.org/ salt.modules.freebsdpkg.file_dict(*packages) List the files that belong to a package, grouped by package. Not specifying any packages will return a list of _every_ file on the system's package database (not generally recommended). CLI Examples: salt '*' pkg.file_list httpd salt '*' pkg.file_list httpd postfix salt '*' pkg.file_list salt.modules.freebsdpkg.file_list(*packages) List the files that belong to a package. Not specifying any packages will return a list of _every_ file on the system's package database (not generally recommended). CLI Examples: salt '*' pkg.file_list httpd salt '*' pkg.file_list httpd postfix salt '*' pkg.file_list salt.modules.freebsdpkg.install(name=None, refresh=False, fromrepo=None, pkgs=None, sources=None, **kwargs) Install package(s) using pkg_add(1) name The name of the package to be installed. refresh Whether or not to refresh the package database before installing. fromrepo or packageroot Specify a package repository from which to install. Overrides the system default, as well as the PACKAGEROOT environment variable. packagesite Specify the exact directory from which to install the remote package. Overrides the PACKAGESITE environment variable, if present. Multiple Package Installation Options: pkgs A list of packages to install from a software repository. Must be passed as a python list. CLI Example: salt '*' pkg.install pkgs='["foo", "bar"]' sources A list of packages to install. Must be passed as a list of dicts, with the keys being package names, and the values being the source URI or local path to the package. CLI Example: salt '*' pkg.install sources='[{"foo": "salt://foo.deb"}, {"bar": "salt://bar.deb"}]' Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.install <package name> salt.modules.freebsdpkg.latest_version(*names, **kwargs) pkg_add(1) is not capable of querying for remote packages, so this function will always return results as if there is no package available for install or upgrade. CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> <package3> ... salt.modules.freebsdpkg.list_pkgs(versions_as_list=False, with_origin=False, **kwargs) List the packages currently installed as a dict: {'<package_name>': '<version>'} with_origin False Return a nested dictionary containing both the origin name and version for each installed package. New in version 2014.1.0. CLI Example: salt '*' pkg.list_pkgs salt.modules.freebsdpkg.refresh_db() pkg_add(1) does not use a local database of available packages, so this function simply returns True. it exists merely for API compatibility. CLI Example: salt '*' pkg.refresh_db salt.modules.freebsdpkg.remove(name=None, pkgs=None, **kwargs) Remove packages using pkg_delete(1) name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.freebsdpkg.upgrade() Upgrades are not supported with pkg_add(1). This function is included for API compatibility only and always returns an empty dict. CLI Example: salt '*' pkg.upgrade salt.modules.freebsdpkg.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. with_origin False Return a nested dictionary containing both the origin name and version for each specified package. New in version 2014.1.0. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.freebsdports Install software from the FreeBSD ports(7) system New in version 2014.1.0. This module allows you to install ports using BATCH=yes to bypass configuration prompts. It is recommended to use the ports state to install ports, but it it also possible to use this module exclusively from the command line. salt minion-id ports.config security/nmap IPV6=off salt minion-id ports.install security/nmap salt.modules.freebsdports.config(name, reset=False, **kwargs) Modify configuration options for a given port. Multiple options can be specified. To see the available options for a port, use ports.showconfig. name The port name, in category/name format reset False If True, runs a make rmconfig for the port, clearing its configuration before setting the desired options CLI Examples: salt '*' ports.config security/nmap IPV6=off salt.modules.freebsdports.deinstall(name) De-install a port. CLI Example: salt '*' ports.deinstall security/nmap salt.modules.freebsdports.install(name, clean=True) Install a port from the ports tree. Installs using BATCH=yes for non-interactive building. To set config options for a given port, use ports.config. clean True If True, cleans after installation. Equivalent to running make install clean BATCH=yes. NOTE: It may be helpful to run this function using the -t option to set a higher timeout, since compiling a port may cause the Salt command to exceed the default timeout. CLI Example: salt -t 1200 '*' ports.install security/nmap salt.modules.freebsdports.list_all() Lists all ports available. CLI Example: salt '*' ports.list_all WARNING: Takes a while to run, and returns a LOT of output salt.modules.freebsdports.rmconfig(name) Clear the cached options for the specified port; run a make rmconfig name The name of the port to clear CLI Example: salt '*' ports.rmconfig security/nmap salt.modules.freebsdports.search(name) Search for matches in the ports tree. Globs are supported, and the category is optional CLI Examples: salt '*' ports.search 'security/*' salt '*' ports.search 'security/n*' salt '*' ports.search nmap WARNING: Takes a while to run salt.modules.freebsdports.showconfig(name, default=False, dict_return=False) Show the configuration options for a given port. default False Show the default options for a port (not necessarily the same as the current configuration) dict_return False Instead of returning the output of make showconfig, return the data in an dictionary CLI Example: salt '*' ports.showconfig security/nmap salt '*' ports.showconfig security/nmap default=True salt.modules.freebsdports.update(extract=False) Update the ports tree extract False If True, runs a portsnap extract after fetching, should be used for first-time installation of the ports tree. CLI Example: salt '*' ports.update salt.modules.freebsdservice The service module for FreeBSD salt.modules.freebsdservice.available(name) Check that the given service is available. CLI Example: salt '*' service.available sshd salt.modules.freebsdservice.disable(name, **kwargs) Disable the named service to start at boot Arguments the same as for enable() CLI Example: salt '*' service.disable <service name> salt.modules.freebsdservice.disabled(name) Return True if the named service is enabled, false otherwise CLI Example: salt '*' service.disabled <service name> salt.modules.freebsdservice.enable(name, **kwargs) Enable the named service to start at boot name service name config /etc/rc.conf Config file for managing service. If config value is empty string, then /etc/rc.conf.d/<service> used. See man rc.conf(5) for details. Also service.config variable can be used to change default. CLI Example: salt '*' service.enable <service name> salt.modules.freebsdservice.enabled(name, **kwargs) Return True if the named service is enabled, false otherwise name Service name CLI Example: salt '*' service.enabled <service name> salt.modules.freebsdservice.get_all() Return a list of all available services CLI Example: salt '*' service.get_all salt.modules.freebsdservice.get_disabled() Return what services are available but not enabled to start at boot CLI Example: salt '*' service.get_disabled salt.modules.freebsdservice.get_enabled() Return what services are set to run on boot CLI Example: salt '*' service.get_enabled salt.modules.freebsdservice.missing(name) The inverse of service.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' service.missing sshd salt.modules.freebsdservice.reload(name) Restart the named service CLI Example: salt '*' service.reload <service name> salt.modules.freebsdservice.restart(name) Restart the named service CLI Example: salt '*' service.restart <service name> salt.modules.freebsdservice.start(name) Start the specified service CLI Example: salt '*' service.start <service name> salt.modules.freebsdservice.status(name, sig=None) Return the status for a service (True or False). name Name of service CLI Example: salt '*' service.status <service name> salt.modules.freebsdservice.stop(name) Stop the specified service CLI Example: salt '*' service.stop <service name> salt.modules.gem Manage ruby gems. salt.modules.gem.install(gems, ruby=None, gem_bin=None, runas=None, version=None, rdoc=False, ri=False, pre_releases=False, proxy=None) Installs one or several gems. Parameters • gems -- string The gems to install • gem_bin -- string : None Full path to gem binary to use. • ruby -- string : None If RVM or rbenv are installed, the ruby version and gemset to use. Ignored if gem_bin is specified. • runas -- string : None The user to run gem as. • version -- string : None Specify the version to install for the gem. Doesn't play nice with multiple gems at once • rdoc -- boolean : False Generate RDoc documentation for the gem(s). • ri -- boolean : False Generate RI documentation for the gem(s). • pre_releases -- boolean : False Include pre-releases in the available versions • proxy -- string : None Use the specified HTTP proxy server for all outgoing traffic. Format: http://hostname[:port] CLI Example: salt '*' gem.install vagrant salt '*' gem.install redphone gem_bin=/opt/sensu/embedded/bin/gem salt.modules.gem.list(prefix='', ruby=None, runas=None, gem_bin=None) List locally installed gems. Parameters • prefix -- string : Only list gems when the name matches this prefix. • gem_bin -- string : None Full path to gem binary to use. • ruby -- string : None If RVM or rbenv are installed, the ruby version and gemset to use. Ignored if gem_bin is specified. • runas -- string : None The user to run gem as. CLI Example: salt '*' gem.list salt.modules.gem.list_upgrades(ruby=None, runas=None, gem_bin=None) New in version 2015.8.0. Check if an upgrade is available for installed gems gem_bin None Full path to gem binary to use. ruby None If RVM or rbenv are installed, the ruby version and gemset to use. Ignored if gem_bin is specified. runas None The user to run gem as. CLI Example: salt '*' gem.list_upgrades salt.modules.gem.sources_add(source_uri, ruby=None, runas=None, gem_bin=None) Add a gem source. Parameters • source_uri -- string The source URI to add. • gem_bin -- string : None Full path to gem binary to use. • ruby -- string : None If RVM or rbenv are installed, the ruby version and gemset to use. Ignored if gem_bin is specified. • runas -- string : None The user to run gem as. CLI Example: salt '*' gem.sources_add http://rubygems.org/ salt.modules.gem.sources_list(ruby=None, runas=None, gem_bin=None) List the configured gem sources. Parameters • gem_bin -- string : None Full path to gem binary to use. • ruby -- string : None If RVM or rbenv are installed, the ruby version and gemset to use. Ignored if gem_bin is specified. • runas -- string : None The user to run gem as. CLI Example: salt '*' gem.sources_list salt.modules.gem.sources_remove(source_uri, ruby=None, runas=None, gem_bin=None) Remove a gem source. Parameters • source_uri -- string The source URI to remove. • gem_bin -- string : None Full path to gem binary to use. • ruby -- string : None If RVM or rbenv are installed, the ruby version and gemset to use. Ignored if gem_bin is specified. • runas -- string : None The user to run gem as. CLI Example: salt '*' gem.sources_remove http://rubygems.org/ salt.modules.gem.uninstall(gems, ruby=None, runas=None, gem_bin=None) Uninstall one or several gems. Parameters • gems -- string The gems to uninstall. • gem_bin -- string : None Full path to gem binary to use. • ruby -- string : None If RVM or rbenv are installed, the ruby version and gemset to use. Ignored if gem_bin is specified. • runas -- string : None The user to run gem as. CLI Example: salt '*' gem.uninstall vagrant salt.modules.gem.update(gems, ruby=None, runas=None, gem_bin=None) Update one or several gems. Parameters • gems -- string The gems to update. • gem_bin -- string : None Full path to gem binary to use. • ruby -- string : None If RVM or rbenv are installed, the ruby version and gemset to use. Ignored if gem_bin is specified. • runas -- string : None The user to run gem as. CLI Example: salt '*' gem.update vagrant salt.modules.gem.update_system(version='', ruby=None, runas=None, gem_bin=None) Update rubygems. Parameters • version -- string : (newest) The version of rubygems to install. • gem_bin -- string : None Full path to gem binary to use. • ruby -- string : None If RVM or rbenv are installed, the ruby version and gemset to use. Ignored if gem_bin is specified. • runas -- string : None The user to run gem as. CLI Example: salt '*' gem.update_system salt.modules.genesis Module for managing container and VM images New in version 2014.7.0. salt.modules.genesis.avail_platforms() Return which platforms are available CLI Example: salt myminion genesis.avail_platforms salt.modules.genesis.bootstrap(platform, root, img_format='dir', fs_format='ext2', arch=None, flavor=None, repo_url=None, static_qemu=None) Create an image for a specific platform. Please note that this function MUST be run as root, as images that are created make files belonging to root. platform Which platform to use to create the image. Currently supported platforms are rpm, deb and pacman. root Local path to create the root of the image filesystem. img_format Which format to create the image in. By default, just copies files into a directory on the local filesystem (dir). Future support will exist for sparse. fs_format When using a non-dir img_format, which filesystem to format the image to. By default, ext2. arch Architecture to install packages for, if supported by the underlying bootstrap tool. Currently only used for deb. flavor Which flavor of operating system to install. This correlates to a specific directory on the distribution repositories. For instance, wheezy on Debian. repo_url Mainly important for Debian-based repos. Base URL for the mirror to install from. (e.x.: http://ftp.debian.org/debian/) static_qemu Local path to the static qemu binary required for this arch. (e.x.: /usr/bin/qemu-amd64-static) pkg_confs The location of the conf files to copy into the image, to point the installer to the right repos and configuration. CLI Examples: salt myminion genesis.bootstrap pacman /root/arch salt myminion genesis.bootstrap rpm /root/redhat salt myminion genesis.bootstrap deb /root/wheezy arch=amd64 flavor=wheezy static_qemu=/usr/bin/qemu-x86_64-static salt.modules.genesis.pack(name, root, path=None, pack_format='tar', compress='bzip2') Pack up a directory structure, into a specific format CLI Examples: salt myminion genesis.pack centos /root/centos salt myminion genesis.pack centos /root/centos pack_format='tar' salt.modules.genesis.unpack(name, dest=None, path=None, pack_format='tar', compress='bz2') Unpack an image into a directory structure CLI Example: salt myminion genesis.unpack centos /root/centos salt.modules.gentoo_service Top level package command wrapper, used to translate the os detected by grains to the correct service manager salt.modules.gentoo_service.available(name) Returns True if the specified service is available, otherwise returns False. CLI Example: salt '*' service.available sshd salt.modules.gentoo_service.disable(name, **kwargs) Disable the named service to start at boot CLI Example: salt '*' service.disable <service name> salt.modules.gentoo_service.disabled(name) Return True if the named service is enabled, false otherwise CLI Example: salt '*' service.disabled <service name> salt.modules.gentoo_service.enable(name, **kwargs) Enable the named service to start at boot CLI Example: salt '*' service.enable <service name> salt.modules.gentoo_service.enabled(name, **kwargs) Return True if the named service is enabled, false otherwise CLI Example: salt '*' service.enabled <service name> salt.modules.gentoo_service.get_all() Return all available boot services CLI Example: salt '*' service.get_all salt.modules.gentoo_service.get_disabled() Return a set of services that are installed but disabled CLI Example: salt '*' service.get_disabled salt.modules.gentoo_service.get_enabled() Return a list of service that are enabled on boot CLI Example: salt '*' service.get_enabled salt.modules.gentoo_service.missing(name) The inverse of service.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' service.missing sshd salt.modules.gentoo_service.restart(name) Restart the named service CLI Example: salt '*' service.restart <service name> salt.modules.gentoo_service.start(name) Start the specified service CLI Example: salt '*' service.start <service name> salt.modules.gentoo_service.status(name, sig=None) Return the status for a service, returns the PID or an empty string if the service is running or not, pass a signature to use to find the service via ps CLI Example: salt '*' service.status <service name> [service signature] salt.modules.gentoo_service.stop(name) Stop the specified service CLI Example: salt '*' service.stop <service name> salt.modules.gentoolkitmod Support for Gentoolkit salt.modules.gentoolkitmod.eclean_dist(destructive=False, package_names=False, size_limit=0, time_limit=0, fetch_restricted=False, exclude_file='/etc/eclean/distfiles.exclude') Clean obsolete portage sources destructive Only keep minimum for reinstallation package_names Protect all versions of installed packages. Only meaningful if used with destructive=True size_limit <size> Don't delete distfiles bigger than <size>. <size> is a size specification: "10M" is "ten megabytes", "200K" is "two hundreds kilobytes", etc. Units are: G, M, K and B. time_limit <time> Don't delete distfiles files modified since <time> <time> is an amount of time: "1y" is "one year", "2w" is "two weeks", etc. Units are: y (years), m (months), w (weeks), d (days) and h (hours). fetch_restricted Protect fetch-restricted files. Only meaningful if used with destructive=True exclude_file Path to exclusion file. Default is /etc/eclean/distfiles.exclude This is the same default eclean-dist uses. Use None if this file exists and you want to ignore. Returns a dict containing the cleaned, saved, and deprecated dists: {'cleaned': {<dist file>: <size>}, 'deprecated': {<package>: <dist file>}, 'saved': {<package>: <dist file>}, 'total_cleaned': <size>} CLI Example: salt '*' gentoolkit.eclean_dist destructive=True salt.modules.gentoolkitmod.eclean_pkg(destructive=False, package_names=False, time_limit=0, exclude_file='/etc/eclean/packages.exclude') Clean obsolete binary packages destructive Only keep minimum for reinstallation package_names Protect all versions of installed packages. Only meaningful if used with destructive=True time_limit <time> Don't delete distfiles files modified since <time> <time> is an amount of time: "1y" is "one year", "2w" is "two weeks", etc. Units are: y (years), m (months), w (weeks), d (days) and h (hours). exclude_file Path to exclusion file. Default is /etc/eclean/packages.exclude This is the same default eclean-pkg uses. Use None if this file exists and you want to ignore. Returns a dict containing the cleaned binary packages: {'cleaned': {<dist file>: <size>}, 'total_cleaned': <size>} CLI Example: salt '*' gentoolkit.eclean_pkg destructive=True salt.modules.gentoolkitmod.glsa_check_list(glsa_list) List the status of Gentoo Linux Security Advisories glsa_list can contain an arbitrary number of GLSA ids, filenames containing GLSAs or the special identifiers 'all' and 'affected' Returns a dict containing glsa ids with a description, status, and CVEs: {<glsa_id>: {'description': <glsa_description>, 'status': <glsa status>, 'CVEs': [<list of CVEs>]}} CLI Example: salt '*' gentoolkit.glsa_check_list 'affected' salt.modules.gentoolkitmod.revdep_rebuild(lib=None) Fix up broken reverse dependencies lib Search for reverse dependencies for a particular library rather than every library on the system. It can be a full path to a library or basic regular expression. CLI Example: salt '*' gentoolkit.revdep_rebuild salt.modules.git Support for the Git SCM salt.modules.git.add(cwd, filename, opts='', user=None, ignore_retcode=False) Changed in version 2015.8.0: The --verbose command line argument is now implied Interface to git-add(1) cwd The path to the git checkout filename The location of the file/directory to add, relative to cwd opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.add /path/to/repo foo/bar.py salt myminion git.add /path/to/repo foo/bar.py opts='--dry-run' salt.modules.git.archive(cwd, output, rev='HEAD', fmt=None, prefix=None, user=None, ignore_retcode=False, **kwargs) Changed in version 2015.8.0: Returns True if successful, raises an error if not. Interface to git-archive(1), exports a tarball/zip file of the repository cwd The path to be archived NOTE: git archive permits a partial archive to be created. Thus, this path does not need to be the root of the git repository. Only the files within the directory specified by cwd (and its subdirectories) will be in the resulting archive. For example, if there is a git checkout at /tmp/foo, then passing /tmp/foo/bar as the cwd will result in just the files underneath /tmp/foo/bar to be exported as an archive. output The path of the archive to be created overwrite False Unless set to True, Salt will over overwrite an existing archive at the path specified by the output argument. New in version 2015.8.0. rev HEAD The revision from which to create the archive format Manually specify the file format of the resulting archive. This argument can be omitted, and git archive will attempt to guess the archive type (and compression) from the filename. zip, tar, tar.gz, and tgz are extensions that are recognized automatically, and git can be configured to support other archive types with the addition of git configuration keys. See the git-archive(1) manpage explanation of the --format argument (as well as the CONFIGURATION section of the manpage) for further information. New in version 2015.8.0. fmt Replaced by format in version 2015.8.0 Deprecated since version 2015.8.0. prefix Prepend <prefix> to every filename in the archive. If unspecified, the name of the directory at the top level of the repository will be used as the prefix (e.g. if cwd is set to /foo/bar/baz, the prefix will be baz, and the resulting archive will contain a top-level directory by that name). NOTE: The default behavior if the --prefix option for git archive is not specified is to not prepend a prefix, so Salt's behavior differs slightly from git archive in this respect. Use prefix='' to create an archive with no prefix. Changed in version 2015.8.0: The behavior of this argument has been changed slightly. As of this version, it is necessary to include the trailing slash when specifying a prefix, if the prefix is intended to create a top-level directory. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: salt myminion git.archive /path/to/repo /path/to/archive.tar salt.modules.git.branch(cwd, name=None, opts='', user=None, ignore_retcode=False) Interface to git-branch(1) cwd The path to the git checkout name Name of the branch on which to operate. If not specified, the current branch will be assumed. opts Any additional options to add to the command line, in a single string NOTE: To create a branch based on something other than HEAD, pass the name of the revision as opts. If the revision is in the format remotename/branch, then this will also set the remote tracking branch. Additionally, on the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: # Set remote tracking branch salt myminion git.branch /path/to/repo mybranch opts='--set-upstream-to origin/mybranch' # Create new branch salt myminion git.branch /path/to/repo mybranch upstream/somebranch # Delete branch salt myminion git.branch /path/to/repo mybranch opts='-d' # Rename branch (2015.8.0 and later) salt myminion git.branch /path/to/repo newbranch opts='-m oldbranch' salt.modules.git.checkout(cwd, rev=None, force=False, opts='', user=None, ignore_retcode=False) Interface to git-checkout(1) cwd The path to the git checkout opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. rev The remote branch or revision to checkout. Changed in version 2015.8.0: Optional when using -b or -B in opts. force False Force a checkout even if there might be overwritten changes user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: # Checking out local local revisions salt myminion git.checkout /path/to/repo somebranch user=jeff salt myminion git.checkout /path/to/repo opts='testbranch -- conf/file1 file2' salt myminion git.checkout /path/to/repo rev=origin/mybranch opts='--track' # Checking out remote revision into new branch salt myminion git.checkout /path/to/repo upstream/master opts='-b newbranch' # Checking out current revision into new branch (2015.8.0 and later) salt myminion git.checkout /path/to/repo opts='-b newbranch' salt.modules.git.clone(cwd, url=None, name=None, opts='', user=None, identity=None, https_user=None, https_pass=None, ignore_retcode=False, repository=None) Interface to git-clone(1) cwd Location of git clone Changed in version 2015.8.0: If name is passed, then the clone will be made within this directory. url The URL of the repository to be cloned Changed in version 2015.8.0: Argument renamed from repository to url name Optional alternate name for the top-level directory to be created by the clone New in version 2015.8.0. opts Any additional options to add to the command line, in a single string user User under which to run the git command. By default, the command is run by the user under which the minion is running. Run git as a user other than what the minion runs as identity Path to a private key to use for ssh URLs WARNING: Unless Salt is invoked from the minion using salt-call, the key(s) must be passphraseless. For greater security with passphraseless private keys, see the sshd(8) manpage for information on securing the keypair from the remote side in the authorized_keys file. Changed in version 2015.8.7: Salt will no longer attempt to use passphrase-protected keys unless invoked from the minion using salt-call, to prevent blocking waiting for user input. https_user Set HTTP Basic Auth username. Only accepted for HTTPS URLs. New in version 20515.5.0. https_pass Set HTTP Basic Auth password. Only accepted for HTTPS URLs. New in version 2015.5.0. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: salt myminion git.clone /path/to/repo_parent_dir git://github.com/saltstack/salt.git salt.modules.git.commit(cwd, message, opts='', user=None, filename=None, ignore_retcode=False) Interface to git-commit(1) cwd The path to the git checkout message Commit message opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. The -m option should not be passed here, as the commit message will be defined by the message argument. user User under which to run the git command. By default, the command is run by the user under which the minion is running. filename The location of the file/directory to commit, relative to cwd. This argument is optional, and can be used to commit a file without first staging it. NOTE: This argument only works on files which are already tracked by the git repository. New in version 2015.8.0. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.commit /path/to/repo 'The commit message' salt myminion git.commit /path/to/repo 'The commit message' filename=foo/bar.py salt.modules.git.config_get(key, cwd=None, user=None, ignore_retcode=False, **kwargs) Get the value of a key in the git configuration file key The name of the configuration key to get Changed in version 2015.8.0: Argument renamed from setting_name to key cwd The path to the git checkout Changed in version 2015.8.0: Now optional if global is set to True global False If True, query the global git configuraton. Otherwise, only the local git configuration will be queried. New in version 2015.8.0. all False If True, return a list of all values set for key. If the key does not exist, None will be returned. New in version 2015.8.0. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.config_get user.name cwd=/path/to/repo salt myminion git.config_get user.email global=True salt myminion git.config_get core.gitproxy cwd=/path/to/repo all=True salt.modules.git.config_get_regexp(key, value_regex=None, cwd=None, user=None, ignore_retcode=False, **kwargs) New in version 2015.8.0. Get the value of a key or keys in the git configuration file using regexes for more flexible matching. The return data is a dictionary mapping keys to lists of values matching the value_regex. If no values match, an empty dictionary will be returned. key Regex on which key names will be matched value_regex If specified, return all values matching this regex. The return data will be a dictionary mapping keys to lists of values matching the regex. IMPORTANT: Only values matching the value_regex will be part of the return data. So, if key matches a multivar, then it is possible that not all of the values will be returned. To get all values set for a multivar, simply omit the value_regex argument. cwd The path to the git checkout global False If True, query the global git configuraton. Otherwise, only the local git configuration will be queried. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. CLI Examples: # Matches any values for key 'foo.bar' salt myminion git.config_get_regexp /path/to/repo foo.bar # Matches any value starting with 'baz' set for key 'foo.bar' salt myminion git.config_get_regexp /path/to/repo foo.bar 'baz.*' # Matches any key starting with 'user.' salt myminion git.config_get_regexp '^user\.' global=True salt.modules.git.config_set(key, value=None, multivar=None, cwd=None, user=None, ignore_retcode=False, **kwargs) Changed in version 2015.8.0: Return the value(s) of the key being set Set a key in the git configuration file cwd The path to the git checkout. Must be an absolute path, or the word global to indicate that a global key should be set. Changed in version 2014.7.0: Made cwd argument optional if is_global=True key The name of the configuration key to set Changed in version 2015.8.0: Argument renamed from setting_name to key value The value to set for the specified key. Incompatible with the multivar argument. Changed in version 2015.8.0: Argument renamed from setting_value to value add False Add a value to a key, creating/updating a multivar New in version 2015.8.0. multivar Set a multivar all at once. Values can be comma-separated or passed as a Python list. Incompatible with the value argument. New in version 2015.8.0. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. global False If True, set a global variable is_global False If True, set a global variable Deprecated since version 2015.8.0: Use global instead CLI Example: salt myminion git.config_set user.email me@example.com cwd=/path/to/repo salt myminion git.config_set user.email foo@bar.com global=True salt.modules.git.config_unset(key, value_regex=None, cwd=None, user=None, ignore_retcode=False, **kwargs) New in version 2015.8.0. Unset a key in the git configuration file cwd The path to the git checkout. Must be an absolute path, or the word global to indicate that a global key should be unset. key The name of the configuration key to unset value_regex Regular expression that matches exactly one key, used to delete a single value from a multivar. Ignored if all is set to True. all False If True unset all values for a multivar. If False, and key is a multivar, an error will be raised. global False If True, unset set a global variable. Otherwise, a local variable will be unset. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. CLI Example: salt myminion git.config_unset /path/to/repo foo.bar salt myminion git.config_unset /path/to/repo foo.bar all=True salt.modules.git.current_branch(cwd, user=None, ignore_retcode=False) Returns the current branch name of a local checkout. If HEAD is detached, return the SHA1 of the revision which is currently checked out. cwd The path to the git checkout user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: salt myminion git.current_branch /path/to/repo salt.modules.git.describe(cwd, rev='HEAD', user=None, ignore_retcode=False) Returns the git-describe(1) string (or the SHA1 hash if there are no tags) for the given revision. cwd The path to the git checkout rev HEAD The revision to describe user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.describe /path/to/repo salt myminion git.describe /path/to/repo develop salt.modules.git.fetch(cwd, remote=None, force=False, refspecs=None, opts='', user=None, identity=None, ignore_retcode=False) Changed in version 2015.8.2: Return data is now a dictionary containing information on branches and tags that were added/updated Interface to git-fetch(1) cwd The path to the git checkout remote Optional remote name to fetch. If not passed, then git will use its default behavior (as detailed in git-fetch(1)). New in version 2015.8.0. force Force the fetch even when it is not a fast-forward. New in version 2015.8.0. refspecs Override the refspec(s) configured for the remote with this argument. Multiple refspecs can be passed, comma-separated. New in version 2015.8.0. opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. user User under which to run the git command. By default, the command is run by the user under which the minion is running. identity Path to a private key to use for ssh URLs WARNING: Unless Salt is invoked from the minion using salt-call, the key(s) must be passphraseless. For greater security with passphraseless private keys, see the sshd(8) manpage for information on securing the keypair from the remote side in the authorized_keys file. Changed in version 2015.8.7: Salt will no longer attempt to use passphrase-protected keys unless invoked from the minion using salt-call, to prevent blocking waiting for user input. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: salt myminion git.fetch /path/to/repo upstream salt myminion git.fetch /path/to/repo identity=/root/.ssh/id_rsa salt.modules.git.init(cwd, bare=False, template=None, separate_git_dir=None, shared=None, opts='', user=None, ignore_retcode=False) Interface to git-init(1) cwd The path to the directory to be initialized bare False If True, init a bare repository New in version 2015.8.0. template Set this argument to specify an alternate template directory New in version 2015.8.0. separate_git_dir Set this argument to specify an alternate $GIT_DIR New in version 2015.8.0. shared Set sharing permissions on git repo. See git-init(1) for more details. New in version 2015.8.0. opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.init /path/to/repo # Init a bare repo (before 2015.8.0) salt myminion git.init /path/to/bare/repo.git opts='--bare' # Init a bare repo (2015.8.0 and later) salt myminion git.init /path/to/bare/repo.git bare=True salt.modules.git.is_worktree(cwd, user=None) New in version 2015.8.0. This function will attempt to determine if cwd is part of a worktree by checking its .git to see if it is a file containing a reference to another gitdir. cwd path to the worktree to be removed user User under which to run the git command. By default, the command is run by the user under which the minion is running. CLI Example: salt myminion git.is_worktree /path/to/repo salt.modules.git.list_branches(cwd, remote=False, user=None, ignore_retcode=False) New in version 2015.8.0. Return a list of branches cwd The path to the git checkout remote False If True, list remote branches. Otherwise, local branches will be listed. WARNING: This option will only return remote branches of which the local checkout is aware, use git.fetch to update remotes. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.list_branches /path/to/repo salt myminion git.list_branches /path/to/repo remote=True salt.modules.git.list_tags(cwd, user=None, ignore_retcode=False) New in version 2015.8.0. Return a list of tags cwd The path to the git checkout user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.list_tags /path/to/repo salt.modules.git.list_worktrees(cwd, stale=False, user=None, **kwargs) New in version 2015.8.0. Returns information on worktrees Changed in version 2015.8.4: Version 2.7.0 added the list subcommand to git-worktree(1) which provides a lot of additional information. The return data has been changed to include this information, even for pre-2.7.0 versions of git. In addition, if a worktree has a detached head, then any tags which point to the worktree's HEAD will be included in the return data. NOTE: By default, only worktrees for which the worktree directory is still present are returned, but this can be changed using the all and stale arguments (described below). cwd The path to the git checkout user User under which to run the git command. By default, the command is run by the user under which the minion is running. all False If True, then return all worktrees tracked under $GIT_DIR/worktrees, including ones for which the gitdir is no longer present. stale False If True, return only worktrees whose gitdir is no longer present. NOTE: Only one of all and stale can be set to True. CLI Examples: salt myminion git.list_worktrees /path/to/repo salt myminion git.list_worktrees /path/to/repo all=True salt myminion git.list_worktrees /path/to/repo stale=True salt.modules.git.ls_remote(cwd=None, remote='origin', ref=None, opts='', user=None, identity=None, https_user=None, https_pass=None, ignore_retcode=False) Interface to git-ls-remote(1). Returns the upstream hash for a remote reference. cwd The path to the git checkout. Optional (and ignored if present) when remote is set to a URL instead of a remote name. remote origin The name of the remote to query. Can be the name of a git remote (which exists in the git checkout defined by the cwd parameter), or the URL of a remote repository. Changed in version 2015.8.0: Argument renamed from repository to remote ref The name of the ref to query. Optional, if not specified, all refs are returned. Can be a branch or tag name, or the full name of the reference (for example, to get the hash for a Github pull request number 1234, ref can be set to refs/pull/1234/head Changed in version 2015.8.0: Argument renamed from branch to ref Changed in version 2015.8.4: Defaults to returning all refs instead of master. opts Any additional options to add to the command line, in a single string New in version 2015.8.0. user User under which to run the git command. By default, the command is run by the user under which the minion is running. identity Path to a private key to use for ssh URLs WARNING: Unless Salt is invoked from the minion using salt-call, the key(s) must be passphraseless. For greater security with passphraseless private keys, see the sshd(8) manpage for information on securing the keypair from the remote side in the authorized_keys file. Changed in version 2015.8.7: Salt will no longer attempt to use passphrase-protected keys unless invoked from the minion using salt-call, to prevent blocking waiting for user input. https_user Set HTTP Basic Auth username. Only accepted for HTTPS URLs. New in version 2015.5.0. https_pass Set HTTP Basic Auth password. Only accepted for HTTPS URLs. New in version 2015.5.0. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: salt myminion git.ls_remote /path/to/repo origin master salt myminion git.ls_remote remote=https://mydomain.tld/repo.git ref=mytag opts='--tags' salt.modules.git.merge(cwd, rev=None, opts='', user=None, ignore_retcode=False, **kwargs) Interface to git-merge(1) cwd The path to the git checkout rev Revision to merge into the current branch. If not specified, the remote tracking branch will be merged. New in version 2015.8.0. branch The remote branch or revision to merge into the current branch Revision to merge into the current branch Deprecated since version 2015.8.0: Use rev instead. opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: # Fetch first... salt myminion git.fetch /path/to/repo # ... then merge the remote tracking branch salt myminion git.merge /path/to/repo # .. or merge another rev salt myminion git.merge /path/to/repo rev=upstream/foo salt.modules.git.merge_base(cwd, refs=None, octopus=False, is_ancestor=False, independent=False, fork_point=None, opts='', user=None, ignore_retcode=False, **kwargs) New in version 2015.8.0. Interface to git-merge-base(1). cwd The path to the git checkout refs Any refs/commits to check for a merge base. Can be passed as a comma-separated list or a Python list. all False Return a list of all matching merge bases. Not compatible with any of the below options except for octopus. octopus False If True, then this function will determine the best common ancestors of all specified commits, in preparation for an n-way merge. See here for a description of how these bases are determined. Set all to True with this option to return all computed merge bases, otherwise only the "best" will be returned. is_ancestor False If True, then instead of returning the merge base, return a boolean telling whether or not the first commit is an ancestor of the second commit. NOTE: This option requires two commits to be passed. Changed in version 2015.8.2: Works properly in git versions older than 1.8.0, where the --is-ancestor CLI option is not present. independent False If True, this function will return the IDs of the refs/commits passed which cannot be reached by another commit. fork_point If passed, then this function will return the commit where the commit diverged from the ref specified by fork_point. If no fork point is found, None is returned. NOTE: At most one commit is permitted to be passed if a fork_point is specified. If no commits are passed, then HEAD is assumed. opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. This option should not be necessary unless new CLI arguments are added to git-merge-base(1) and are not yet supported in Salt. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False if True, do not log an error to the minion log if the git command returns a nonzero exit status. CLI Examples: salt myminion git.merge_base /path/to/repo HEAD upstream/mybranch salt myminion git.merge_base /path/to/repo 8f2e542,4ad8cab,cdc9886 octopus=True salt myminion git.merge_base /path/to/repo refs=8f2e542,4ad8cab,cdc9886 independent=True salt myminion git.merge_base /path/to/repo refs=8f2e542,4ad8cab is_ancestor=True salt myminion git.merge_base /path/to/repo fork_point=upstream/master salt myminion git.merge_base /path/to/repo refs=mybranch fork_point=upstream/master salt.modules.git.merge_tree(cwd, ref1, ref2, base=None, user=None, ignore_retcode=False) New in version 2015.8.0. Interface to git-merge-tree(1), shows the merge results and conflicts from a 3-way merge without touching the index. cwd The path to the git checkout ref1 First ref/commit to compare ref2 Second ref/commit to compare base The base tree to use for the 3-way-merge. If not provided, then git.merge_base will be invoked on ref1 and ref2 to determine the merge base to use. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False if True, do not log an error to the minion log if the git command returns a nonzero exit status. CLI Examples: salt myminion git.merge_tree /path/to/repo HEAD upstream/dev salt myminion git.merge_tree /path/to/repo HEAD upstream/dev base=aaf3c3d salt.modules.git.pull(cwd, opts='', user=None, identity=None, ignore_retcode=False) Interface to git-pull(1) cwd The path to the git checkout opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. user User under which to run the git command. By default, the command is run by the user under which the minion is running. identity Path to a private key to use for ssh URLs WARNING: Unless Salt is invoked from the minion using salt-call, the key(s) must be passphraseless. For greater security with passphraseless private keys, see the sshd(8) manpage for information on securing the keypair from the remote side in the authorized_keys file. Changed in version 2015.8.7: Salt will no longer attempt to use passphrase-protected keys unless invoked from the minion using salt-call, to prevent blocking waiting for user input. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: salt myminion git.pull /path/to/repo opts='--rebase origin master' salt.modules.git.push(cwd, remote=None, ref=None, opts='', user=None, identity=None, ignore_retcode=False, **kwargs) Interface to git-push(1) cwd The path to the git checkout remote Name of the remote to which the ref should being pushed New in version 2015.8.0. ref master Name of the ref to push NOTE: Being a refspec, this argument can include a colon to define local and remote ref names. branch Name of the ref to push Deprecated since version 2015.8.0: Use ref instead opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. user User under which to run the git command. By default, the command is run by the user under which the minion is running. identity Path to a private key to use for ssh URLs WARNING: Unless Salt is invoked from the minion using salt-call, the key(s) must be passphraseless. For greater security with passphraseless private keys, see the sshd(8) manpage for information on securing the keypair from the remote side in the authorized_keys file. Changed in version 2015.8.7: Salt will no longer attempt to use passphrase-protected keys unless invoked from the minion using salt-call, to prevent blocking waiting for user input. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: # Push master as origin/master salt myminion git.push /path/to/repo origin master # Push issue21 as upstream/develop salt myminion git.push /path/to/repo upstream issue21:develop # Delete remote branch 'upstream/temp' salt myminion git.push /path/to/repo upstream :temp salt.modules.git.rebase(cwd, rev='master', opts='', user=None, ignore_retcode=False) Interface to git-rebase(1) cwd The path to the git checkout rev master The revision to rebase onto the current branch opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: salt myminion git.rebase /path/to/repo master salt myminion git.rebase /path/to/repo 'origin master' salt myminion git.rebase /path/to/repo origin/master opts='--onto newbranch' salt.modules.git.remote_get(cwd, remote='origin', user=None, redact_auth=True, ignore_retcode=False) Get the fetch and push URL for a specific remote cwd The path to the git checkout remote origin Name of the remote to query user User under which to run the git command. By default, the command is run by the user under which the minion is running. redact_auth True Set to False to include the username/password if the remote uses HTTPS Basic Auth. Otherwise, this information will be redacted. WARNING: Setting this to False will not only reveal any HTTPS Basic Auth that is configured, but the return data will also be written to the job cache. When possible, it is recommended to use SSH for authentication. New in version 2015.5.6. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.remote_get /path/to/repo salt myminion git.remote_get /path/to/repo upstream salt.modules.git.remote_refs(url, heads=False, tags=False, user=None, identity=None, https_user=None, https_pass=None, ignore_retcode=False) New in version 2015.8.0. Return the remote refs for the specified URL url URL of the remote repository heads False Restrict output to heads. Can be combined with tags. tags False Restrict output to tags. Can be combined with heads. user User under which to run the git command. By default, the command is run by the user under which the minion is running. identity Path to a private key to use for ssh URLs WARNING: Unless Salt is invoked from the minion using salt-call, the key(s) must be passphraseless. For greater security with passphraseless private keys, see the sshd(8) manpage for information on securing the keypair from the remote side in the authorized_keys file. Changed in version 2015.8.7: Salt will no longer attempt to use passphrase-protected keys unless invoked from the minion using salt-call, to prevent blocking waiting for user input. https_user Set HTTP Basic Auth username. Only accepted for HTTPS URLs. https_pass Set HTTP Basic Auth password. Only accepted for HTTPS URLs. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. CLI Example: salt myminion git.remote_refs https://github.com/saltstack/salt.git salt.modules.git.remote_set(cwd, url, remote='origin', user=None, https_user=None, https_pass=None, push_url=None, push_https_user=None, push_https_pass=None, ignore_retcode=False) cwd The path to the git checkout url Remote URL to set remote origin Name of the remote to set push_url If unset, the push URL will be identical to the fetch URL. New in version 2015.8.0. user User under which to run the git command. By default, the command is run by the user under which the minion is running. https_user Set HTTP Basic Auth username. Only accepted for HTTPS URLs. New in version 2015.5.0. https_pass Set HTTP Basic Auth password. Only accepted for HTTPS URLs. New in version 2015.5.0. push_https_user Set HTTP Basic Auth user for push_url. Ignored if push_url is unset. Only accepted for HTTPS URLs. New in version 2015.8.0. push_https_pass Set HTTP Basic Auth password for push_url. Ignored if push_url is unset. Only accepted for HTTPS URLs. New in version 2015.8.0. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.remote_set /path/to/repo git@github.com:user/repo.git salt myminion git.remote_set /path/to/repo git@github.com:user/repo.git remote=upstream salt myminion git.remote_set /path/to/repo https://github.com/user/repo.git remote=upstream push_url=git@github.com:user/repo.git salt.modules.git.remotes(cwd, user=None, redact_auth=True, ignore_retcode=False) Get fetch and push URLs for each remote in a git checkout cwd The path to the git checkout user User under which to run the git command. By default, the command is run by the user under which the minion is running. redact_auth True Set to False to include the username/password for authenticated remotes in the return data. Otherwise, this information will be redacted. WARNING: Setting this to False will not only reveal any HTTPS Basic Auth that is configured, but the return data will also be written to the job cache. When possible, it is recommended to use SSH for authentication. New in version 2015.5.6. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: salt myminion git.remotes /path/to/repo salt.modules.git.reset(cwd, opts='', user=None, ignore_retcode=False) Interface to git-reset(1), returns the stdout from the git command cwd The path to the git checkout opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: # Soft reset to a specific commit ID salt myminion git.reset /path/to/repo ac3ee5c # Hard reset salt myminion git.reset /path/to/repo opts='--hard origin/master' salt.modules.git.rev_parse(cwd, rev=None, opts='', user=None, ignore_retcode=False) New in version 2015.8.0. Interface to git-rev-parse(1) cwd The path to the git checkout rev Revision to parse. See the SPECIFYING REVISIONS section of the git-rev-parse(1) manpage for details on how to format this argument. This argument is optional when using the options in the Options for Files section of the git-rev-parse(1) manpage. opts Any additional options to add to the command line, in a single string user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. CLI Examples: # Get the full SHA1 for HEAD salt myminion git.rev_parse /path/to/repo HEAD # Get the short SHA1 for HEAD salt myminion git.rev_parse /path/to/repo HEAD opts='--short' # Get the develop branch's upstream tracking branch salt myminion git.rev_parse /path/to/repo 'develop@{upstream}' opts='--abbrev-ref' # Get the SHA1 for the commit corresponding to tag v1.2.3 salt myminion git.rev_parse /path/to/repo 'v1.2.3^{commit}' # Find out whether or not the repo at /path/to/repo is a bare repository salt myminion git.rev_parse /path/to/repo opts='--is-bare-repository' salt.modules.git.revision(cwd, rev='HEAD', short=False, user=None, ignore_retcode=False) Returns the SHA1 hash of a given identifier (hash, branch, tag, HEAD, etc.) cwd The path to the git checkout rev HEAD The revision short False If True, return an abbreviated SHA1 git hash user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: salt myminion git.revision /path/to/repo mybranch salt.modules.git.rm(cwd, filename, opts='', user=None, ignore_retcode=False) Interface to git-rm(1) cwd The path to the git checkout filename The location of the file/directory to remove, relative to cwd NOTE: To remove a directory, -r must be part of the opts parameter. opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.rm /path/to/repo foo/bar.py salt myminion git.rm /path/to/repo foo/bar.py opts='--dry-run' salt myminion git.rm /path/to/repo foo/baz opts='-r' salt.modules.git.stash(cwd, action='save', opts='', user=None, ignore_retcode=False) Interface to git-stash(1), returns the stdout from the git command cwd The path to the git checkout opts Any additional options to add to the command line, in a single string. Use this to complete the git stash command by adding the remaining arguments (i.e. 'save <stash comment>', 'apply stash@{2}', 'show', etc.). Omitting this argument will simply run git stash. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.stash /path/to/repo save opts='work in progress' salt myminion git.stash /path/to/repo apply opts='stash@{1}' salt myminion git.stash /path/to/repo drop opts='stash@{1}' salt myminion git.stash /path/to/repo list salt.modules.git.status(cwd, user=None, ignore_retcode=False) Changed in version 2015.8.0: Return data has changed from a list of lists to a dictionary Returns the changes to the repository cwd The path to the git checkout user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: salt myminion git.status /path/to/repo salt.modules.git.submodule(cwd, command, opts='', user=None, identity=None, ignore_retcode=False, **kwargs) Changed in version 2015.8.0: Added the command argument to allow for operations other than update to be run on submodules, and deprecated the init argument. To do a submodule update with init=True moving forward, use command=update opts='--init' Interface to git-submodule(1) cwd The path to the submodule command Submodule command to run, see git-submodule(1) <git submodule> for more information. Any additional arguments after the command (such as the URL when adding a submodule) must be passed in the opts parameter. New in version 2015.8.0. opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= (as in the CLI examples below) to avoid causing errors with Salt's own argument parsing. init False If True, ensures that new submodules are initialized Deprecated since version 2015.8.0: Pass init as the command parameter, or include --init in the opts param with command set to update. user User under which to run the git command. By default, the command is run by the user under which the minion is running. identity Path to a private key to use for ssh URLs WARNING: Unless Salt is invoked from the minion using salt-call, the key(s) must be passphraseless. For greater security with passphraseless private keys, see the sshd(8) manpage for information on securing the keypair from the remote side in the authorized_keys file. Changed in version 2015.8.7: Salt will no longer attempt to use passphrase-protected keys unless invoked from the minion using salt-call, to prevent blocking waiting for user input. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Example: # Update submodule and ensure it is initialized (before 2015.8.0) salt myminion git.submodule /path/to/repo/sub/repo init=True # Update submodule and ensure it is initialized (2015.8.0 and later) salt myminion git.submodule /path/to/repo/sub/repo update opts='--init' # Rebase submodule (2015.8.0 and later) salt myminion git.submodule /path/to/repo/sub/repo update opts='--rebase' # Add submodule (2015.8.0 and later) salt myminion git.submodule /path/to/repo/sub/repo add opts='https://mydomain.tld/repo.git' # Unregister submodule (2015.8.0 and later) salt myminion git.submodule /path/to/repo/sub/repo deinit salt.modules.git.symbolic_ref(cwd, ref, value=None, opts='', user=None, ignore_retcode=False) New in version 2015.8.0. Interface to git-symbolic-ref(1) cwd The path to the git checkout ref Symbolic ref to read/modify value If passed, then the symbolic ref will be set to this value and an empty string will be returned. If not passed, then the ref to which ref points will be returned, unless --delete is included in opts (in which case the symbolic ref will be deleted). opts Any additional options to add to the command line, in a single string user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: # Get ref to which HEAD is pointing salt myminion git.symbolic_ref /path/to/repo HEAD # Set/overwrite symbolic ref 'FOO' to local branch 'foo' salt myminion git.symbolic_ref /path/to/repo FOO refs/heads/foo # Delete symbolic ref 'FOO' salt myminion git.symbolic_ref /path/to/repo FOO opts='--delete' salt.modules.git.version(versioninfo=False) New in version 2015.8.0. Returns the version of Git installed on the minion versioninfo False If True, return the version in a versioninfo list (e.g. [2, 5, 0]) CLI Example: salt myminion git.version salt.modules.git.worktree_add(cwd, worktree_path, ref=None, reset_branch=None, force=None, detach=False, opts='', user=None, ignore_retcode=False, **kwargs) New in version 2015.8.0. Interface to git-worktree(1), adds a worktree cwd The path to the git checkout worktree_path Path to the new worktree. Can be either absolute, or relative to cwd. branch Name of new branch to create. If omitted, will be set to the basename of the worktree_path. For example, if the worktree_path is /foo/bar/baz, then branch will be baz. ref Name of the ref on which to base the new worktree. If omitted, then HEAD is use, and a new branch will be created, named for the basename of the worktree_path. For example, if the worktree_path is /foo/bar/baz then a new branch baz will be created, and pointed at HEAD. reset_branch False If False, then git-worktree(1) will fail to create the worktree if the targeted branch already exists. Set this argument to True to reset the targeted branch to point at ref, and checkout the newly-reset branch into the new worktree. force False By default, git-worktree(1) will not permit the same branch to be checked out in more than one worktree. Set this argument to True to override this. opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= to avoid causing errors with Salt's own argument parsing. All CLI options for adding worktrees as of Git 2.5.0 are already supported by this function as of Salt 2015.8.0, so using this argument is unnecessary unless new CLI arguments are added to git-worktree(1) and are not yet supported in Salt. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.worktree_add /path/to/repo/main ../hotfix ref=origin/master salt myminion git.worktree_add /path/to/repo/main ../hotfix branch=hotfix21 ref=v2.1.9.3 salt.modules.git.worktree_prune(cwd, dry_run=False, verbose=True, expire=None, opts='', user=None, ignore_retcode=False) New in version 2015.8.0. Interface to git-worktree(1), prunes stale worktree administrative data from the gitdir cwd The path to the main git checkout or a linked worktree dry_run False If True, then this function will report what would have been pruned, but no changes will be made. verbose True Report all changes made. Set to False to suppress this output. expire Only prune unused worktree data older than a specific period of time. The date format for this parameter is described in the documentation for the gc.pruneWorktreesExpire config param in the git-config(1) manpage. opts Any additional options to add to the command line, in a single string NOTE: On the Salt CLI, if the opts are preceded with a dash, it is necessary to precede them with opts= to avoid causing errors with Salt's own argument parsing. All CLI options for pruning worktrees as of Git 2.5.0 are already supported by this function as of Salt 2015.8.0, so using this argument is unnecessary unless new CLI arguments are added to git-worktree(1) and are not yet supported in Salt. user User under which to run the git command. By default, the command is run by the user under which the minion is running. ignore_retcode False If True, do not log an error to the minion log if the git command returns a nonzero exit status. New in version 2015.8.0. CLI Examples: salt myminion git.worktree_prune /path/to/repo salt myminion git.worktree_prune /path/to/repo dry_run=True salt myminion git.worktree_prune /path/to/repo expire=1.day.ago salt.modules.git.worktree_rm(cwd, user=None) New in version 2015.8.0. Recursively removes the worktree located at cwd, returning True if successful. This function will attempt to determine if cwd is actually a worktree by invoking git.is_worktree. If the path does not correspond to a worktree, then an error will be raised and no action will be taken. WARNING: There is no undoing this action. Be VERY careful before running this function. cwd Path to the worktree to be removed user User under which to run the git command. By default, the command is run by the user under which the minion is running. CLI Examples: salt myminion git.worktree_rm /path/to/worktree salt.modules.glance Module for handling openstack glance calls. optdepends • glanceclient Python adapter configuration This module is not usable until the following are specified either in a pillar or in the minion's config file: keystone.user: admin keystone.password: verybadpass keystone.tenant: admin keystone.insecure: False #(optional) keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' If configuration for multiple openstack accounts is required, they can be set up as different configuration profiles: For example: openstack1: keystone.user: admin keystone.password: verybadpass keystone.tenant: admin keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' openstack2: keystone.user: admin keystone.password: verybadpass keystone.tenant: admin keystone.auth_url: 'http://127.0.0.2:5000/v2.0/' With this configuration in place, any of the glance functions can make use of a configuration profile by declaring it explicitly. For example: salt '*' glance.image_list profile=openstack1 salt.modules.glance.image_create(name, location=None, profile=None, visibility=None, container_format='bare', disk_format='raw', protected=None, copy_from=None, is_public=None) Create an image (glance image-create) CLI Example, old format: salt '*' glance.image_create name=f16-jeos is_public=true \ disk_format=qcow2 container_format=ovf \ copy_from=http://berrange.fedorapeople.org/ images/2012-02-29/f16-x86_64-openstack-sda.qcow2 CLI Example, new format resembling Glance API v2: salt '*' glance.image_create name=f16-jeos visibility=public \ disk_format=qcow2 container_format=ovf \ copy_from=http://berrange.fedorapeople.org/ images/2012-02-29/f16-x86_64-openstack-sda.qcow2 The parameter 'visibility' defaults to 'public' if neither 'visibility' nor 'is_public' is specified. salt.modules.glance.image_delete(id=None, name=None, profile=None) Delete an image (glance image-delete) CLI Examples: salt '*' glance.image_delete c2eb2eb0-53e1-4a80-b990-8ec887eae7df salt '*' glance.image_delete id=c2eb2eb0-53e1-4a80-b990-8ec887eae7df salt '*' glance.image_delete name=f16-jeos salt.modules.glance.image_list(id=None, profile=None, name=None) Return a list of available images (glance image-list) CLI Example: salt '*' glance.image_list salt.modules.glance.image_schema(profile=None) Returns names and descriptions of the schema "image"'s properties for this profile's instance of glance salt.modules.glance.image_show(id=None, name=None, profile=None) Return details about a specific image (glance image-show) CLI Example: salt '*' glance.image_show salt.modules.glance.image_update(id=None, name=None, profile=None, **kwargs) Update properties of given image. Known to work for: - min_ram (in MB) - protected (bool) - visibility ('public' or 'private') salt.modules.glance.schema_get(name, profile=None) Known valid names of schemas are: • image • images • member • members salt.modules.glusterfs Manage a glusterfs pool salt.modules.glusterfs.add_volume_bricks(name, bricks) Add brick(s) to an existing volume name Volume name bricks List of bricks to add to the volume salt.modules.glusterfs.create(name, bricks, stripe=False, replica=False, device_vg=False, transport='tcp', start=False, force=False) Create a glusterfs volume. name Name of the gluster volume bricks Bricks to create volume from, in <peer>:<brick path> format. For multiple bricks use list format: '["<peer1>:<brick1>", "<peer2>:<brick2>"]' stripe Stripe count, the number of bricks should be a multiple of the stripe count for a distributed striped volume replica Replica count, the number of bricks should be a multiple of the replica count for a distributed replicated volume device_vg If true, specifies volume should use block backend instead of regular posix backend. Block device backend volume does not support multiple bricks transport Transport protocol to use, can be 'tcp', 'rdma' or 'tcp,rdma' start Start the volume after creation force Force volume creation, this works even if creating in root FS CLI Example: salt host1 glusterfs.create newvolume host1:/brick salt gluster1 glusterfs.create vol2 '["gluster1:/export/vol2/brick", "gluster2:/export/vol2/brick"]' replica=2 start=True salt.modules.glusterfs.delete(target, stop=True) Deletes a gluster volume target Volume to delete stop Stop volume before delete if it is started, True by default salt.modules.glusterfs.info(name) New in version 2015.8.4. Return the gluster volume info. name Volume name CLI Example: salt '*' glusterfs.info myvolume salt.modules.glusterfs.list_peers() Return a list of gluster peers CLI Example: salt '*' glusterfs.list_peers GLUSTER direct CLI example (to show what salt is sending to gluster): $ gluster peer status GLUSTER CLI 3.4.4 return example (so we know what we are parsing): Number of Peers: 2 Hostname: ftp2 Port: 24007 Uuid: cbcb256b-e66e-4ec7-a718-21082d396c24 State: Peer in Cluster (Connected) Hostname: ftp3 Uuid: 5ea10457-6cb2-427b-a770-7897509625e9 State: Peer in Cluster (Connected) salt.modules.glusterfs.list_volumes() List configured volumes CLI Example: salt '*' glusterfs.list_volumes salt.modules.glusterfs.peer(name) Add another node into the peer list. name The remote host to probe. CLI Example: salt 'one.gluster.*' glusterfs.peer two GLUSTER direct CLI example (to show what salt is sending to gluster): $ gluster peer probe ftp2 GLUSTER CLI 3.4.4 return example (so we know what we are parsing): #if the "peer" is the local host: peer probe: success: on localhost not needed #if the peer was just added: peer probe: success #if the peer was already part of the cluster: peer probe: success: host ftp2 port 24007 already in peer list salt.modules.glusterfs.start_volume(name, force=False) Start a gluster volume. name Volume name force Force the volume start even if the volume is started CLI Example: salt '*' glusterfs.start mycluster salt.modules.glusterfs.status(name) Check the status of a gluster volume. name Volume name CLI Example: salt '*' glusterfs.status myvolume salt.modules.glusterfs.stop_volume(name, force=False) Stop a gluster volume. name Volume name force Force stop the volume CLI Example: salt '*' glusterfs.stop_volume mycluster salt.modules.gnomedesktop GNOME implementations salt.modules.gnomedesktop.get(schema=None, key=None, user=None, **kwargs) Get key in a particular GNOME schema CLI Example: salt '*' gnome.get user=<username> schema=org.gnome.desktop.screensaver key=idle-activation-enabled salt.modules.gnomedesktop.getClockFormat(**kwargs) Return the current clock format, either 12h or 24h format. CLI Example: salt '*' gnome.getClockFormat user=<username> salt.modules.gnomedesktop.getClockShowDate(**kwargs) Return the current setting, if the date is shown in the clock CLI Example: salt '*' gnome.getClockShowDate user=<username> salt.modules.gnomedesktop.getIdleActivation(**kwargs) Get whether the idle activation is enabled CLI Example: salt '*' gnome.getIdleActivation user=<username> salt.modules.gnomedesktop.getIdleDelay(**kwargs) Return the current idle delay setting in seconds CLI Example: salt '*' gnome.getIdleDelay user=<username> salt.modules.gnomedesktop.ping(**kwargs) A test to ensure the GNOME module is loaded CLI Example: salt '*' gnome.ping user=<username> salt.modules.gnomedesktop.setClockFormat(clockFormat, **kwargs) Set the clock format, either 12h or 24h format. CLI Example: salt '*' gnome.setClockFormat <12h|24h> user=<username> salt.modules.gnomedesktop.setClockShowDate(kvalue, **kwargs) Set whether the date is visible in the clock CLI Example: salt '*' gnome.setClockShowDate <True|False> user=<username> salt.modules.gnomedesktop.setIdleActivation(kvalue, **kwargs) Set whether the idle activation is enabled CLI Example: salt '*' gnome.setIdleActivation <True|False> user=<username> salt.modules.gnomedesktop.setIdleDelay(delaySeconds, **kwargs) Set the current idle delay setting in seconds CLI Example: salt '*' gnome.setIdleDelay <seconds> user=<username> salt.modules.gnomedesktop.set(schema=None, key=None, user=None, value=None, **kwargs) Set key in a particular GNOME schema CLI Example: salt '*' gnome.set user=<username> schema=org.gnome.desktop.screensaver key=idle-activation-enabled value=False salt.modules.gpg Manage a GPG keychains, add keys, create keys, retrieve keys from keyservers. Sign, encrypt and sign & encrypt text and files. New in version 2015.5.0. NOTE: The python-gnupg library and gpg binary are required to be installed. salt.modules.gpg.create_key(key_type='RSA', key_length=1024, name_real='Autogenerated Key', name_comment='Generated by SaltStack', name_email=None, subkey_type=None, subkey_length=None, expire_date=None, use_passphrase=False, user=None, gnupghome=None) Create a key in the GPG keychain NOTE: GPG key generation requires a lot of entropy and randomness. Difficult to do over a remote connection, consider having another process available which is generating randomness for the machine. Also especially difficult on virtual machines, consider the rng-tools package. The create_key process takes awhile so increasing the timeout may be necessary, e.g. -t 15. key_type The type of the primary key to generate. It must be capable of signing. 'RSA' or 'DSA'. key_length The length of the primary key in bits. name_real The real name of the user identity which is represented by the key. name_comment A comment to attach to the user id. name_email An email address for the user. subkey_type The type of the secondary key to generate. subkey_length The length of the secondary key in bits. expire_date The expiration date for the primary and any secondary key. You can specify an ISO date, A number of days/weeks/months/years, an epoch value, or 0 for a non-expiring key. use_passphrase Whether to use a passphrase with the signing key. Passphrase is received from pillar. user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. gnupghome Specify the location where GPG related files are stored. CLI Example: salt -t 15 '*' gpg.create_key salt.modules.gpg.decrypt(user=None, text=None, filename=None, output=None, use_passphrase=False, gnupghome=None, bare=False) Decrypt a message or file user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. text The encrypted text to decrypt. filename The encrypted filename to decrypt. output The filename where the decrypted data will be written, default is standard out. use_passphrase Whether to use a passphrase with the signing key. Passphrase is received from pillar. gnupghome Specify the location where GPG related files are stored. bare If True, return the (armored) decrypted block as a string without the standard comment/res dict CLI Example: salt '*' gpg.decrypt filename='/path/to/important.file.gpg' salt '*' gpg.decrypt filename='/path/to/important.file.gpg' use_pasphrase=True salt.modules.gpg.delete_key(keyid=None, fingerprint=None, delete_secret=False, user=None, gnupghome=None) Get a key from the GPG keychain keyid The keyid of the key to be deleted. fingerprint The fingerprint of the key to be deleted. delete_secret Whether to delete a corresponding secret key prior to deleting the public key. Secret keys must be deleted before deleting any corresponding public keys. user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. gnupghome Specify the location where GPG related files are stored. CLI Example: salt '*' gpg.delete_key keyid=3FAD9F1E salt '*' gpg.delete_key fingerprint=53C96788253E58416D20BCD352952C84C3252192 salt '*' gpg.delete_key keyid=3FAD9F1E user=username salt '*' gpg.delete_key keyid=3FAD9F1E user=username delete_secret=True salt.modules.gpg.encrypt(user=None, recipients=None, text=None, filename=None, output=None, sign=None, use_passphrase=False, gnupghome=None, bare=False) Encrypt a message or file user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. recipients The fingerprints for those recipient whom the data is being encrypted for. text The text to encrypt. filename The filename to encrypt. output The filename where the signed file will be written, default is standard out. sign Whether to sign, in addition to encrypt, the data. True to use default key or fingerprint to specify a different key to sign with. use_passphrase Whether to use a passphrase with the signing key. Passphrase is received from pillar. gnupghome Specify the location where GPG related files are stored. bare If True, return the (armored) encrypted block as a string without the standard comment/res dict CLI Example: salt '*' gpg.encrypt text='Hello there. How are you?' salt '*' gpg.encrypt filename='/path/to/important.file' salt '*' gpg.encrypt filename='/path/to/important.file' use_pasphrase=True salt.modules.gpg.export_key(keyids=None, secret=False, user=None, gnupghome=None) Export a key from the GPG keychain keyids The keyid(s) of the key(s) to be exported. Can be specified as a comma separated string or a list. Anything which GnuPG itself accepts to identify a key - for example, the keyid or the fingerprint could be used. secret Export the secret key identified by the keyid information passed. user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. gnupghome Specify the location where GPG related files are stored. CLI Example: salt '*' gpg.export_key keyids=3FAD9F1E salt '*' gpg.export_key keyids=3FAD9F1E secret=True salt '*' gpg.export_key keyid="['3FAD9F1E','3FBD8F1E']" user=username salt.modules.gpg.get_key(keyid=None, fingerprint=None, user=None, gnupghome=None) Get a key from the GPG keychain keyid The keyid of the key to be retrieved. fingerprint The fingerprint of the key to be retrieved. user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. gnupghome Specify the location where GPG related files are stored. CLI Example: salt '*' gpg.get_key keyid=3FAD9F1E salt '*' gpg.get_key fingerprint=53C96788253E58416D20BCD352952C84C3252192 salt '*' gpg.get_key keyid=3FAD9F1E user=username salt.modules.gpg.get_secret_key(keyid=None, fingerprint=None, user=None, gnupghome=None) Get a key from the GPG keychain keyid The keyid of the key to be retrieved. fingerprint The fingerprint of the key to be retrieved. user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. gnupghome Specify the location where GPG related files are stored. CLI Example: salt '*' gpg.get_secret_key keyid=3FAD9F1E salt '*' gpg.get_secret_key fingerprint=53C96788253E58416D20BCD352952C84C3252192 salt '*' gpg.get_secret_key keyid=3FAD9F1E user=username salt.modules.gpg.import_key(user=None, text=None, filename=None, gnupghome=None) Import a key from text or file user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. text The text containing to import. filename The filename containing the key to import. gnupghome Specify the location where GPG related files are stored. CLI Example: salt '*' gpg.import_key text='-----BEGIN PGP PUBLIC KEY BLOCK-----\n ... -----END PGP PUBLIC KEY BLOCK-----' salt '*' gpg.import_key filename='/path/to/public-key-file' salt.modules.gpg.list_keys(user=None, gnupghome=None) List keys in GPG keychain user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. gnupghome Specify the location where GPG related files are stored. CLI Example: salt '*' gpg.list_keys salt.modules.gpg.list_secret_keys(user=None, gnupghome=None) List secret keys in GPG keychain user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. gnupghome Specify the location where GPG related files are stored. CLI Example: salt '*' gpg.list_secret_keys salt.modules.gpg.receive_keys(keyserver=None, keys=None, user=None, gnupghome=None) Receive key(s) from keyserver and add them to keychain keyserver Keyserver to use for searching for GPG keys, defaults to pgp.mit.edu keys The keyID(s) to retrieve from the keyserver. Can be specified as a comma separated string or a list. user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. CLI Example: salt '*' gpg.receive_key keys='3FAD9F1E' salt '*' gpg.receive_key keys="['3FAD9F1E','3FBD9F2E']" salt '*' gpg.receive_key keys=3FAD9F1E user=username salt.modules.gpg.search_keys(text, keyserver=None, user=None) Search keys from keyserver text Text to search the keyserver for, e.g. email address, keyID or fingerprint. keyserver Keyserver to use for searching for GPG keys, defaults to pgp.mit.edu user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. CLI Example: salt '*' gpg.search_keys user@example.com salt '*' gpg.search_keys user@example.com keyserver=keyserver.ubuntu.com salt '*' gpg.search_keys user@example.com keyserver=keyserver.ubuntu.com user=username salt.modules.gpg.sign(user=None, keyid=None, text=None, filename=None, output=None, use_passphrase=False, gnupghome=None) Sign message or file user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. keyid The keyid of the key to set the trust level for, defaults to first key in the secret keyring. text The text to sign. filename The filename to sign. output The filename where the signed file will be written, default is standard out. use_passphrase Whether to use a passphrase with the signing key. Passphrase is received from pillar. gnupghome Specify the location where GPG related files are stored. CLI Example: salt '*' gpg.sign text='Hello there. How are you?' salt '*' gpg.sign filename='/path/to/important.file' salt '*' gpg.sign filename='/path/to/important.file' use_pasphrase=True salt.modules.gpg.trust_key(keyid=None, fingerprint=None, trust_level=None, user=None) Set the trust level for a key in GPG keychain keyid The keyid of the key to set the trust level for. fingerprint The fingerprint of the key to set the trust level for. trust_level The trust level to set for the specified key, must be one of the following: expired, unknown, not_trusted, marginally, fully, ultimately user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. CLI Example: salt '*' gpg.trust_key keyid='3FAD9F1E' trust_level='marginally' salt '*' gpg.trust_key fingerprint='53C96788253E58416D20BCD352952C84C3252192' trust_level='not_trusted' salt '*' gpg.trust_key keys=3FAD9F1E trust_level='ultimately' user='username' salt.modules.gpg.verify(text=None, user=None, filename=None, gnupghome=None) Verify a message or file text The text to verify. filename The filename to verify. user Which user's keychain to access, defaults to user Salt is running as. Passing the user as 'salt' will set the GPG home directory to /etc/salt/gpgkeys. gnupghome Specify the location where GPG related files are stored. CLI Example: salt '*' gpg.verify text='Hello there. How are you?' salt '*' gpg.verify filename='/path/to/important.file' salt '*' gpg.verify filename='/path/to/important.file' use_pasphrase=True salt.modules.grains Return/control aspects of the grains data salt.modules.grains.append(key, val, convert=False, delimiter=':') New in version 0.17.0. Append a value to a list in the grains config file. If the grain doesn't exist, the grain key is added and the value is appended to the new grain as a list item. key The grain key to be appended to val The value to append to the grain key Parameters • convert -- If convert is True, convert non-list contents into a list. If convert is False and the grain contains non-list contents, an error is given. Defaults to False. • delimiter -- The key can be a nested dict key. Use this parameter to specify the delimiter you use, instead of the default :. You can now append values to a list in nested dictionary grains. If the list doesn't exist at this level, it will be created. New in version 2014.7.6. CLI Example: salt '*' grains.append key val salt.modules.grains.delval(key, destructive=False) New in version 0.17.0. Delete a grain from the grains config file Parameters destructive -- Delete the key, too. Defaults to False. CLI Example: salt '*' grains.delval key salt.modules.grains.filter_by(lookup_dict, grain='os_family', merge=None, default='default', base=None) New in version 0.17.0. Look up the given grain in a given dictionary for the current OS and return the result Although this may occasionally be useful at the CLI, the primary intent of this function is for use in Jinja to make short work of creating lookup tables for OS-specific data. For example: {% set apache = salt['grains.filter_by']({ 'Debian': {'pkg': 'apache2', 'srv': 'apache2'}, 'RedHat': {'pkg': 'httpd', 'srv': 'httpd'}, }, default='Debian') %} myapache: pkg.installed: - name: {{ apache.pkg }} service.running: - name: {{ apache.srv }} Values in the lookup table may be overridden by values in Pillar. An example Pillar to override values in the example above could be as follows: apache: lookup: pkg: apache_13 srv: apache The call to filter_by() would be modified as follows to reference those Pillar values: {% set apache = salt['grains.filter_by']({ ... }, merge=salt['pillar.get']('apache:lookup')) %} Parameters • lookup_dict -- A dictionary, keyed by a grain, containing a value or values relevant to systems matching that grain. For example, a key could be the grain for an OS and the value could the name of a package on that particular OS. • grain -- The name of a grain to match with the current system's grains. For example, the value of the "os_family" grain for the current system could be used to pull values from the lookup_dict dictionary. • merge -- A dictionary to merge with the results of the grain selection from lookup_dict. This allows Pillar to override the values in the lookup_dict. This could be useful, for example, to override the values for non-standard package names such as when using a different Python version from the default Python version provided by the OS (e.g., python26-mysql instead of python-mysql). • default -- default lookup_dict's key used if the grain does not exists or if the grain value has no match on lookup_dict. If unspecified the value is "default". New in version 2014.1.0. • base -- A lookup_dict key to use for a base dictionary. The grain-selected lookup_dict is merged over this and then finally the merge dictionary is merged. This allows common values for each case to be collected in the base and overridden by the grain selection dictionary and the merge dictionary. Default is unset. New in version 2015.5.0. CLI Example: salt '*' grains.filter_by '{Debian: Debheads rule, RedHat: I love my hat}' # this one will render {D: {E: I, G: H}, J: K} salt '*' grains.filter_by '{A: B, C: {D: {E: F,G: H}}}' 'xxx' '{D: {E: I},J: K}' 'C' # next one renders {A: {B: G}, D: J} salt '*' grains.filter_by '{default: {A: {B: C}, D: E}, F: {A: {B: G}}, H: {D: I}}' 'xxx' '{D: J}' 'F' 'default' # next same as above when default='H' instead of 'F' renders {A: {B: C}, D: J} salt.modules.grains.get(key, default='', delimiter=':') Attempt to retrieve the named value from grains, if the named value is not available return the passed default. The default return is an empty string. The value can also represent a value in a nested dict using a ":" delimiter for the dict. This means that if a dict in grains looks like this: {'pkg': {'apache': 'httpd'}} To retrieve the value associated with the apache key in the pkg dict this key can be passed: pkg:apache Parameters delimiter -- Specify an alternate delimiter to use when traversing a nested dict New in version 2014.7.0. CLI Example: salt '*' grains.get pkg:apache salt.modules.grains.get_or_set_hash(name, length=8, chars='abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)') Perform a one-time generation of a hash and write it to the local grains. If that grain has already been set return the value instead. This is useful for generating passwords or keys that are specific to a single minion that don't need to be stored somewhere centrally. State Example: some_mysql_user: mysql_user: - present - host: localhost - password: {{ salt['grains.get_or_set_hash']('mysql:some_mysql_user') }} CLI Example: salt '*' grains.get_or_set_hash 'django:SECRET_KEY' 50 WARNING: This function could return strings which may contain characters which are reserved as directives by the YAML parser, such as strings beginning with %. To avoid issues when using the output of this function in an SLS file containing YAML+Jinja, surround the call with single quotes. salt.modules.grains.has_value(key) Determine whether a named value exists in the grains dictionary. Given a grains dictionary that contains the following structure: {'pkg': {'apache': 'httpd'}} One would determine if the apache key in the pkg dict exists by: pkg:apache CLI Example: salt '*' grains.has_value pkg:apache salt.modules.grains.item(*args, **kwargs) Return one or more grains CLI Example: salt '*' grains.item os salt '*' grains.item os osrelease oscodename Sanitized CLI Example: salt '*' grains.item host sanitize=True salt.modules.grains.items(sanitize=False) Return all of the minion's grains CLI Example: salt '*' grains.items Sanitized CLI Example: salt '*' grains.items sanitize=True salt.modules.grains.ls() Return a list of all available grains CLI Example: salt '*' grains.ls salt.modules.grains.remove(key, val, delimiter=':') New in version 0.17.0. Remove a value from a list in the grains config file Parameters delimiter -- The key can be a nested dict key. Use this parameter to specify the delimiter you use, instead of the default :. You can now append values to a list in nested dictionary grains. If the list doesn't exist at this level, it will be created. New in version Boron. CLI Example: salt '*' grains.remove key val salt.modules.grains.set(key, val='', force=False, destructive=False, delimiter=':') Set a key to an arbitrary value. It is used like setval but works with nested keys. This function is conservative. It will only overwrite an entry if its value and the given one are not a list or a dict. The force parameter is used to allow overwriting in all cases. New in version 2015.8.0. Parameters • force -- Force writing over existing entry if given or existing values are list or dict. Defaults to False. • destructive -- If an operation results in a key being removed, delete the key, too. Defaults to False. • delimiter -- Specify an alternate delimiter to use when traversing a nested dict, the default being : CLI Example: salt '*' grains.set 'apps:myApp:port' 2209 salt '*' grains.set 'apps:myApp' '{port: 2209}' salt.modules.grains.setval(key, val, destructive=False) Set a grains value in the grains config file Parameters Destructive -- If an operation results in a key being removed, delete the key, too. Defaults to False. CLI Example: salt '*' grains.setval key val salt '*' grains.setval key "{'sub-key': 'val', 'sub-key2': 'val2'}" salt.modules.grains.setvals(grains, destructive=False) Set new grains values in the grains config file Parameters Destructive -- If an operation results in a key being removed, delete the key, too. Defaults to False. CLI Example: salt '*' grains.setvals "{'key1': 'val1', 'key2': 'val2'}" salt.modules.groupadd Manage groups on Linux, OpenBSD and NetBSD salt.modules.groupadd.add(name, gid=None, system=False) Add the specified group CLI Example: salt '*' group.add foo 3456 salt.modules.groupadd.adduser(name, username) Add a user in the group. CLI Example: salt '*' group.adduser foo bar Verifies if a valid username 'bar' as a member of an existing group 'foo', if not then adds it. salt.modules.groupadd.chgid(name, gid) Change the gid for a named group CLI Example: salt '*' group.chgid foo 4376 salt.modules.groupadd.delete(name) Remove the named group CLI Example: salt '*' group.delete foo salt.modules.groupadd.deluser(name, username) Remove a user from the group. CLI Example: salt '*' group.deluser foo bar Removes a member user 'bar' from a group 'foo'. If group is not present then returns True. salt.modules.groupadd.getent(refresh=False) Return info on all groups CLI Example: salt '*' group.getent salt.modules.groupadd.info(name) Return information about a group CLI Example: salt '*' group.info foo salt.modules.groupadd.members(name, members_list) Replaces members of the group with a provided list. CLI Example: salt '*' group.members foo 'user1,user2,user3,...' Replaces a membership list for a local group 'foo'. foo:x:1234:user1,user2,user3,... salt.modules.grub_legacy Support for GRUB Legacy salt.modules.grub_legacy.conf() Parse GRUB conf file CLI Example: salt '*' grub.conf salt.modules.grub_legacy.version() Return server version from grub --version CLI Example: salt '*' grub.version salt.modules.guestfs Interact with virtual machine images via libguestfs depends • libguestfs salt.modules.guestfs.mount(location, access='rw') Mount an image CLI Example: salt '*' guest.mount /srv/images/fedora.qcow salt.modules.hadoop Support for hadoop maintainer Yann Jouanin <yann.jouanin@intelunix.fr> maturity new depends platform linux salt.modules.hadoop.dfs(command=None, *args) Execute a command on DFS CLI Example: salt '*' hadoop.dfs ls / salt.modules.hadoop.dfs_absent(path) Check if a file or directory is absent on the distributed FS. CLI Example: salt '*' hadoop.dfs_absent /some_random_file Returns True if the file is absent salt.modules.hadoop.dfs_present(path) Check if a file or directory is present on the distributed FS. CLI Example: salt '*' hadoop.dfs_present /some_random_file Returns True if the file is present salt.modules.hadoop.namenode_format(force=None) Format a name node salt '*' hadoop.namenode_format force=True salt.modules.hadoop.version() Return version from hadoop version CLI Example: salt '*' hadoop.version salt.modules.haproxyconn Support for haproxy New in version 2014.7.0. salt.modules.haproxyconn.disable_server(name, backend, socket='/var/run/haproxy.sock') Disable server in haproxy. name Server to disable backend haproxy backend socket haproxy stats socket CLI Example: salt '*' haproxy.disable_server db1.example.com mysql salt.modules.haproxyconn.enable_server(name, backend, socket='/var/run/haproxy.sock') Enable Server in haproxy name Server to enable backend haproxy backend socket haproxy stats socket CLI Example: salt '*' haproxy.enable_server web1.example.com www salt.modules.haproxyconn.get_weight(name, backend, socket='/var/run/haproxy.sock') Get server weight name Server name backend haproxy backend socket haproxy stats socket CLI Example: salt '*' haproxy.get_weight web1.example.com www salt.modules.haproxyconn.list_servers(backend, socket='/var/run/haproxy.sock', objectify=False) List servers in haproxy backend. backend haproxy backend socket haproxy stats socket CLI Example: salt '*' haproxy.list_servers mysql salt.modules.haproxyconn.set_weight(name, backend, weight=0, socket='/var/run/haproxy.sock') Set server weight name Server name backend haproxy backend weight Server Weight socket haproxy stats socket CLI Example: salt '*' haproxy.set_weight web1.example.com www 13 salt.modules.haproxyconn.show_backends(socket='/var/run/haproxy.sock') Show HaProxy Backends socket haproxy stats socket CLI Example: salt '*' haproxy.show_backends salt.modules.haproxyconn.show_frontends(socket='/var/run/haproxy.sock') Show HaProxy frontends socket haproxy stats socket CLI Example: salt '*' haproxy.show_frontends salt.modules.hashutil A collection of hashing and encoding functions salt.modules.hashutil.base64_decodestring(instr) Decode a base64-encoded string New in version 2014.7.0. CLI Example: salt '*' hashutil.base64_decodestring 'Z2V0IHNhbHRlZA==\n' salt.modules.hashutil.base64_encodestring(instr) Encode a string as base64 New in version 2014.7.0. CLI Example: salt '*' hashutil.base64_encodestring 'get salted' salt.modules.hashutil.hmac_signature(string, shared_secret, challenge_hmac) Verify a challenging hmac signature against a string / shared-secret New in version 2014.7.0. Returns a boolean if the verification succeeded or failed. CLI Example: salt '*' hashutil.hmac_signature 'get salted' 'shared secret' 'eBWf9bstXg+NiP5AOwppB5HMvZiYMPzEM9W5YMm/AmQ=' salt.modules.hashutil.md5_digest(instr) Generate an md5 hash of a given string New in version 2014.7.0. CLI Example: salt '*' hashutil.md5_digest 'get salted' salt.modules.hashutil.sha256_digest(instr) Generate an sha256 hash of a given string New in version 2014.7.0. CLI Example: salt '*' hashutil.sha256_digest 'get salted' salt.modules.hashutil.sha512_digest(instr) Generate an sha512 hash of a given string New in version 2014.7.0. CLI Example: salt '*' hashutil.sha512_digest 'get salted' salt.modules.hg Support for the Mercurial SCM salt.modules.hg.archive(cwd, output, rev='tip', fmt=None, prefix=None, user=None) Export a tarball from the repository cwd The path to the Mercurial repository output The path to the archive tarball rev: tip The revision to create an archive from fmt: None Format of the resulting archive. Mercurial supports: tar, tbz2, tgz, zip, uzip, and files formats. prefix None Prepend <prefix>/ to every filename in the archive user None Run hg as a user other than what the minion runs as If prefix is not specified it defaults to the basename of the repo directory. CLI Example: salt '*' hg.archive /path/to/repo output=/tmp/archive.tgz fmt=tgz salt.modules.hg.clone(cwd, repository, opts=None, user=None, identity=None) Clone a new repository cwd The path to the Mercurial repository repository The hg URI of the repository opts None Any additional options to add to the command line user None Run hg as a user other than what the minion runs as identity None Private SSH key on the minion server for authentication (ssh://) New in version 2015.5.0. CLI Example: salt '*' hg.clone /path/to/repo https://bitbucket.org/birkenfeld/sphinx salt.modules.hg.describe(cwd, rev='tip', user=None) Mimic git describe and return an identifier for the given revision cwd The path to the Mercurial repository rev: tip The path to the archive tarball user None Run hg as a user other than what the minion runs as CLI Example: salt '*' hg.describe /path/to/repo salt.modules.hg.pull(cwd, opts=None, user=None, identity=None, repository=None) Perform a pull on the given repository cwd The path to the Mercurial repository repository None Perform pull from the repository different from .hg/hgrc:[paths]:default opts None Any additional options to add to the command line user None Run hg as a user other than what the minion runs as identity None Private SSH key on the minion server for authentication (ssh://) New in version 2015.5.0. CLI Example: salt '*' hg.pull /path/to/repo opts=-u salt.modules.hg.revision(cwd, rev='tip', short=False, user=None) Returns the long hash of a given identifier (hash, branch, tag, HEAD, etc) cwd The path to the Mercurial repository rev: tip The revision short: False Return an abbreviated commit hash user None Run hg as a user other than what the minion runs as CLI Example: salt '*' hg.revision /path/to/repo mybranch salt.modules.hg.update(cwd, rev, force=False, user=None) Update to a given revision cwd The path to the Mercurial repository rev The revision to update to force False Force an update user None Run hg as a user other than what the minion runs as CLI Example: salt devserver1 hg.update /path/to/repo somebranch salt.modules.hipchat Module for sending messages to hipchat. New in version 2015.5.0. configuration This module can be used by either passing an api key and version directly or by specifying both in a configuration profile in the salt master/minion config. For example: hipchat: api_key: peWcBiMOS9HrZG15peWcBiMOS9HrZG15 api_version: v1 salt.modules.hipchat.find_room(name, api_key=None, api_version=None) Find a room by name and return it. :param name: The room name. :param api_key: The HipChat admin api key. :param api_version: The HipChat api version, if not specified in the configuration. :return: The room object. CLI Example: salt '*' hipchat.find_room name="Development Room" salt '*' hipchat.find_room name="Development Room" api_key=peWcBiMOS9HrZG15peWcBiMOS9HrZG15 api_version=v1 salt.modules.hipchat.find_user(name, api_key=None, api_version=None) Find a user by name and return it. :param name: The user name. :param api_key: The HipChat admin api key. :param api_version: The HipChat api version, if not specified in the configuration. :return: The user object. CLI Example: salt '*' hipchat.find_user name="Thomas Hatch" salt '*' hipchat.find_user name="Thomas Hatch" api_key=peWcBiMOS9HrZG15peWcBiMOS9HrZG15 api_version=v1 salt.modules.hipchat.list_rooms(api_key=None, api_version=None) List all HipChat rooms. Parameters • api_key -- The HipChat admin api key. • api_version -- The HipChat api version, if not specified in the configuration. Returns The room list. CLI Example: salt '*' hipchat.list_rooms salt '*' hipchat.list_rooms api_key=peWcBiMOS9HrZG15peWcBiMOS9HrZG15 api_version=v1 salt.modules.hipchat.list_users(api_key=None, api_version=None) List all HipChat users. :param api_key: The HipChat admin api key. :param api_version: The HipChat api version, if not specified in the configuration. :return: The user list. CLI Example: salt '*' hipchat.list_users salt '*' hipchat.list_users api_key=peWcBiMOS9HrZG15peWcBiMOS9HrZG15 api_version=v1 salt.modules.hipchat.send_message(room_id, message, from_name, api_key=None, api_version=None, color='yellow', notify=False) Send a message to a HipChat room. :param room_id: The room id or room name, either will work. :param message: The message to send to the HipChat room. :param from_name: Specify who the message is from. :param api_key: The HipChat api key, if not specified in the configuration. :param api_version: The HipChat api version, if not specified in the configuration. :param color: The color for the message, default: yellow. :param notify: Whether to notify the room, default: False. :return: Boolean if message was sent successfully. CLI Example: salt '*' hipchat.send_message room_id="Development Room" message="Build is done" from_name="Build Server" salt '*' hipchat.send_message room_id="Development Room" message="Build failed" from_name="Build Server" color="red" notify=True salt.modules.hosts Manage the information in the hosts file salt.modules.hosts.add_host(ip, alias) Add a host to an existing entry, if the entry is not in place then create it with the given host CLI Example: salt '*' hosts.add_host <ip> <alias> salt.modules.hosts.get_alias(ip) Return the list of aliases associated with an ip CLI Example: salt '*' hosts.get_alias <ip addr> salt.modules.hosts.get_ip(host) Return the ip associated with the named host CLI Example: salt '*' hosts.get_ip <hostname> salt.modules.hosts.has_pair(ip, alias) Return true if the alias is set CLI Example: salt '*' hosts.has_pair <ip> <alias> salt.modules.hosts.list_hosts() Return the hosts found in the hosts file in this format: {'<ip addr>': ['alias1', 'alias2', ...]} CLI Example: salt '*' hosts.list_hosts salt.modules.hosts.rm_host(ip, alias) Remove a host entry from the hosts file CLI Example: salt '*' hosts.rm_host <ip> <alias> salt.modules.hosts.set_host(ip, alias) Set the host entry in the hosts file for the given ip, this will overwrite any previous entry for the given ip CLI Example: salt '*' hosts.set_host <ip> <alias> salt.modules.htpasswd Support for htpasswd command. Requires the apache2-utils package for Debian-based distros. New in version 2014.1.0. The functions here will load inside the webutil module. This allows other functions that don't use htpasswd to use the webutil module name. salt.modules.htpasswd.useradd(pwfile, user, password, opts='', runas=None) Add a user to htpasswd file using the htpasswd command. If the htpasswd file does not exist, it will be created. pwfile Path to htpasswd file user User name password User password opts Valid options that can be passed are: • n Don't update file; display results on stdout. • m Force MD5 encryption of the password (default). • d Force CRYPT encryption of the password. • p Do not encrypt the password (plaintext). • s Force SHA encryption of the password. runas The system user to run htpasswd command with CLI Examples: salt '*' webutil.useradd /etc/httpd/htpasswd larry badpassword salt '*' webutil.useradd /etc/httpd/htpasswd larry badpass opts=ns salt.modules.htpasswd.useradd_all(pwfile, user, password, opts='', runas=None) Add a user to htpasswd file using the htpasswd command. If the htpasswd file does not exist, it will be created. pwfile Path to htpasswd file user User name password User password opts Valid options that can be passed are: • n Don't update file; display results on stdout. • m Force MD5 encryption of the password (default). • d Force CRYPT encryption of the password. • p Do not encrypt the password (plaintext). • s Force SHA encryption of the password. runas The system user to run htpasswd command with CLI Examples: salt '*' webutil.useradd /etc/httpd/htpasswd larry badpassword salt '*' webutil.useradd /etc/httpd/htpasswd larry badpass opts=ns salt.modules.htpasswd.userdel(pwfile, user, runas=None) Delete a user from the specified htpasswd file. pwfile Path to htpasswd file user User name runas The system user to run htpasswd command with CLI Examples: salt '*' webutil.userdel /etc/httpd/htpasswd larry salt.modules.http Module for making various web calls. Primarily designed for webhooks and the like, but also useful for basic http testing. New in version 2015.5.0. salt.modules.http.query(url, **kwargs) Query a resource, and decode the return data New in version 2015.5.0. CLI Example: salt '*' http.query http://somelink.com/ salt '*' http.query http://somelink.com/ method=POST params='key1=val1&key2=val2' salt '*' http.query http://somelink.com/ method=POST data='<xml>somecontent</xml>' salt.modules.http.update_ca_bundle(target=None, source=None, merge_files=None) Update the local CA bundle file from a URL New in version 2015.5.0. CLI Example: salt '*' http.update_ca_bundle salt '*' http.update_ca_bundle target=/path/to/cacerts.pem salt '*' http.update_ca_bundle source=https://example.com/cacerts.pem If the target is not specified, it will be pulled from the ca_cert configuration variable available to the minion. If it cannot be found there, it will be placed at <<FILE_ROOTS>>/cacerts.pem. If the source is not specified, it will be pulled from the ca_cert_url configuration variable available to the minion. If it cannot be found, it will be downloaded from the cURL website, using an http (not https) URL. USING THE DEFAULT URL SHOULD BE AVOIDED! merge_files may also be specified, which includes a string or list of strings representing a file or files to be appended to the end of the CA bundle, once it is downloaded. CLI Example: salt '*' http.update_ca_bundle merge_files=/path/to/mycert.pem salt.modules.ifttt Support for IFTTT New in version 2015.8.0. Requires an api_key in /etc/salt/minion: salt.modules.ifttt.trigger_event(event=None, **kwargs) Trigger a configured event in IFTTT. Parameters event -- The name of the event to trigger. Returns A dictionary with status, text, and error if result was failure. salt.modules.ilo Manage HP ILO depends hponcfg (SmartStart Scripting Toolkit Linux Edition) salt.modules.ilo.change_password(username, password) Reset a users password CLI Example: salt '*' ilo.change_password damianMyerscough salt.modules.ilo.change_username(old_username, new_username) Change a username CLI Example: salt '*' ilo.change_username damian diana salt.modules.ilo.configure_network(ip, netmask, gateway) Configure Network Interface CLI Example: salt '*' ilo.configure_network [IP ADDRESS] [NETMASK] [GATEWAY] salt.modules.ilo.configure_snmp(community, snmp_port=161, snmp_trapport=161) Configure SNMP CLI Example: salt '*' ilo.configure_snmp [COMMUNITY STRING] [SNMP PORT] [SNMP TRAP PORT] salt.modules.ilo.create_user(name, password, *privileges) Create user CLI Example: salt '*' ilo.create_user damian secretagent VIRTUAL_MEDIA_PRIV If no permissions are specify the user will only have a read-only account. Supported privelges: • ADMIN_PRIV Enables the user to administer user accounts. • REMOTE_CONS_PRIV Enables the user to access the Remote Console functionality. • RESET_SERVER_PRIV Enables the user to remotely manipulate the server power setting. • VIRTUAL_MEDIA_PRIV Enables the user permission to access the virtual media functionality. • CONFIG_ILO_PRIV Enables the user to configure iLO settings. salt.modules.ilo.delete_ssh_key(username) Delete a users SSH key from the ILO CLI Example: salt '*' ilo.delete_user_sshkey damian salt.modules.ilo.delete_user(username) Delete a user CLI Example: salt '*' ilo.delete_user damian salt.modules.ilo.disable_dhcp() Disable DHCP CLI Example: salt '*' ilo.disable_dhcp salt.modules.ilo.disable_ssh() Disable the SSH daemon CLI Example: salt '*' ilo.disable_ssh salt.modules.ilo.enable_dhcp() Enable DHCP CLI Example: salt '*' ilo.enable_dhcp salt.modules.ilo.enable_ssh() Enable the SSH daemon CLI Example: salt '*' ilo.enable_ssh salt.modules.ilo.get_user(username) Returns local user information, excluding the password CLI Example: salt '*' ilo.get_user damian salt.modules.ilo.global_settings() Show global settings CLI Example: salt '*' ilo.global_settings salt.modules.ilo.list_users() List all users CLI Example: salt '*' ilo.list_users salt.modules.ilo.list_users_info() List all users in detail CLI Example: salt '*' ilo.list_users_info salt.modules.ilo.network() Grab the current network settings CLI Example: salt '*' ilo.network salt.modules.ilo.set_http_port(port=80) Configure the port HTTP should listen on CLI Example: salt '*' ilo.set_http_port 8080 salt.modules.ilo.set_https_port(port=443) Configure the port HTTPS should listen on CLI Example: salt '*' ilo.set_https_port 4334 salt.modules.ilo.set_ssh_key(public_key) Configure SSH public keys for specific users CLI Example: salt '*' ilo.set_ssh_key "ssh-dss AAAAB3NzaC1kc3MAAACBA... damian" The SSH public key needs to be DSA and the last argument in the key needs to be the username (case-senstive) of the ILO username. salt.modules.ilo.set_ssh_port(port=22) Enable SSH on a user defined port CLI Example: salt '*' ilo.set_ssh_port 2222 salt.modules.img Virtual machine image management tools salt.modules.img.bootstrap(location, size, fmt) HIGHLY EXPERIMENTAL Bootstrap a virtual machine image location: The location to create the image size: The size of the image to create in megabytes fmt: The image format, raw or qcow2 CLI Example: salt '*' img.bootstrap /srv/salt-images/host.qcow 4096 qcow2 salt.modules.img.mount_image(location) Mount the named image and return the mount point CLI Example: salt '*' img.mount_image /tmp/foo salt.modules.img.umount_image(mnt) Unmount an image mountpoint CLI Example: salt '*' img.umount_image /mnt/foo salt.modules.incron Work with incron salt.modules.incron.list_tab(user) Return the contents of the specified user's incrontab CLI Example: salt '*' incron.list_tab root salt.modules.incron.ls(user) This function is an alias of list_tab. Return the contents of the specified user's incrontab CLI Example: salt '*' incron.list_tab root salt.modules.incron.raw_incron(user) Return the contents of the user's incrontab CLI Example: salt '*' incron.raw_incron root salt.modules.incron.raw_system_incron() Return the contents of the system wide incrontab CLI Example: salt '*' incron.raw_system_incron salt.modules.incron.rm(user, path, mask, cmd) This function is an alias of rm_job. Remove a incron job for a specified user. If any of the day/time params are specified, the job will only be removed if the specified params match. CLI Example: salt '*' incron.rm_job root /path salt.modules.incron.rm_job(user, path, mask, cmd) Remove a incron job for a specified user. If any of the day/time params are specified, the job will only be removed if the specified params match. CLI Example: salt '*' incron.rm_job root /path salt.modules.incron.set_job(user, path, mask, cmd) Sets an incron job up for a specified user. CLI Example: salt '*' incron.set_job root '/root' 'IN_MODIFY' 'echo "$$ $@ $# $% $&"' salt.modules.incron.write_incron_file(user, path) Writes the contents of a file to a user's incrontab CLI Example: salt '*' incron.write_incron_file root /tmp/new_incron salt.modules.incron.write_incron_file_verbose(user, path) Writes the contents of a file to a user's incrontab and return error message on error CLI Example: salt '*' incron.write_incron_file_verbose root /tmp/new_incron salt.modules.influx InfluxDB - A distributed time series database Module to provide InfluxDB compatibility to Salt (compatible with InfluxDB version 0.5+) New in version 2014.7.0. depends • influxdb Python module configuration This module accepts connection configuration details either as parameters or as configuration settings in /etc/salt/minion on the relevant minions: influxdb.host: 'localhost' influxdb.port: 8086 influxdb.user: 'root' influxdb.password: 'root' This data can also be passed into pillar. Options passed into opts will overwrite options passed into pillar. salt.modules.influx.db_create(name, user=None, password=None, host=None, port=None) Create a database name Database name to create user The user to connect as password The password of the user host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.db_create <name> salt '*' influxdb.db_create <name> <user> <password> <host> <port> salt.modules.influx.db_exists(name, user=None, password=None, host=None, port=None) Checks if a database exists in InfluxDB name Database name to create user The user to connect as password The password of the user host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.db_exists <name> salt '*' influxdb.db_exists <name> <user> <password> <host> <port> salt.modules.influx.db_list(user=None, password=None, host=None, port=None) List all InfluxDB databases user The user to connect as password The password of the user host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.db_list salt '*' influxdb.db_list <user> <password> <host> <port> salt.modules.influx.db_remove(name, user=None, password=None, host=None, port=None) Remove a database name Database name to remove user The user to connect as password The password of the user host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.db_remove <name> salt '*' influxdb.db_remove <name> <user> <password> <host> <port> salt.modules.influx.login_test(name, password, database=None, host=None, port=None) Checks if a credential pair can log in at all. If a database is specified: it will check for database user existence. If a database is not specified: it will check for cluster admin existence. name The user to connect as password The password of the user database The database to try to log in to host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.login_test <name> salt '*' influxdb.login_test <name> <database> salt '*' influxdb.login_test <name> <database> <user> <password> <host> <port> salt.modules.influx.query(database, query, time_precision='s', chunked=False, user=None, password=None, host=None, port=None) Querying data database The database to query query Query to be executed time_precision Time precision to use ('s', 'm', or 'u') chunked Whether is chunked or not user The user to connect as password The password of the user host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.query <database> <query> salt '*' influxdb.query <database> <query> <time_precision> <chunked> <user> <password> <host> <port> salt.modules.influx.retention_policy_add(database, name, duration, replication, default=False, user=None, password=None, host=None, port=None) Add a retention policy. database The database to operate on. name Name of the policy to modify. duration How long InfluxDB keeps the data. replication How many copies of the data are stored in the cluster. default Whether this policy should be the default or not. Default is False. CLI Example: salt '*' influxdb.retention_policy_add metrics default 1d 1 salt.modules.influx.retention_policy_alter(database, name, duration, replication, default=False, user=None, password=None, host=None, port=None) Modify an existing retention policy. database The database to operate on. name Name of the policy to modify. duration How long InfluxDB keeps the data. replication How many copies of the data are stored in the cluster. default Whether this policy should be the default or not. Default is False. CLI Example: salt '*' influxdb.retention_policy_modify metrics default 1d 1 salt.modules.influx.retention_policy_exists(database, name, user=None, password=None, host=None, port=None) Check if a retention policy exists. database The database to operate on. name Name of the policy to modify. CLI Example: salt '*' influxdb.retention_policy_exists metrics default salt.modules.influx.retention_policy_get(database, name, user=None, password=None, host=None, port=None) Get an existing retention policy. database The database to operate on. name Name of the policy to modify. CLI Example: salt '*' influxdb.retention_policy_get metrics default salt.modules.influx.user_chpass(name, passwd, database=None, user=None, password=None, host=None, port=None) Change password for a cluster admin or a database user. If a database is specified: it will update database user password. If a database is not specified: it will update cluster admin password. name User name for whom to change the password passwd New password database The database on which to operate user The user to connect as password The password of the user host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.user_chpass <name> <passwd> salt '*' influxdb.user_chpass <name> <passwd> <database> salt '*' influxdb.user_chpass <name> <passwd> <database> <user> <password> <host> <port> salt.modules.influx.user_create(name, passwd, database=None, user=None, password=None, host=None, port=None) Create a cluster admin or a database user. If a database is specified: it will create database user. If a database is not specified: it will create a cluster admin. name User name for the new user to create passwd Password for the new user to create database The database to create the user in user The user to connect as password The password of the user host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.user_create <name> <passwd> salt '*' influxdb.user_create <name> <passwd> <database> salt '*' influxdb.user_create <name> <passwd> <database> <user> <password> <host> <port> salt.modules.influx.user_exists(name, database=None, user=None, password=None, host=None, port=None) Checks if a cluster admin or database user exists. If a database is specified: it will check for database user existence. If a database is not specified: it will check for cluster admin existence. name User name database The database to check for the user to exist user The user to connect as password The password of the user host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.user_exists <name> salt '*' influxdb.user_exists <name> <database> salt '*' influxdb.user_exists <name> <database> <user> <password> <host> <port> salt.modules.influx.user_list(database=None, user=None, password=None, host=None, port=None) List cluster admins or database users. If a database is specified: it will return database users list. If a database is not specified: it will return cluster admins list. database The database to list the users from user The user to connect as password The password of the user host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.user_list salt '*' influxdb.user_list <database> salt '*' influxdb.user_list <database> <user> <password> <host> <port> salt.modules.influx.user_remove(name, database=None, user=None, password=None, host=None, port=None) Remove a cluster admin or a database user. If a database is specified: it will remove the database user. If a database is not specified: it will remove the cluster admin. name User name to remove database The database to remove the user from user User name for the new user to delete user The user to connect as password The password of the user host The host to connect to port The port to connect to CLI Example: salt '*' influxdb.user_remove <name> salt '*' influxdb.user_remove <name> <database> salt '*' influxdb.user_remove <name> <database> <user> <password> <host> <port> salt.modules.ini_manage Edit ini files maintainer <akilesh1597@gmail.com> maturity new depends re platform all Use section as DEFAULT_IMPLICIT if your ini file does not have any section (for example /etc/sysctl.conf) salt.modules.ini_manage.get_option(file_name, section, option) Get value of a key from a section in an ini file. Returns None if no matching key was found. API Example: import salt sc = salt.client.get_local_client() sc.cmd('target', 'ini.get_option', [path_to_ini_file, section_name, option]) CLI Example: salt '*' ini.get_option /path/to/ini section_name option_name salt.modules.ini_manage.get_section(file_name, section) Retrieve a section from an ini file. Returns the section as dictionary. If the section is not found, an empty dictionary is returned. API Example: import salt sc = salt.client.get_local_client() sc.cmd('target', 'ini.get_section', [path_to_ini_file, section_name]) CLI Example: salt '*' ini.get_section /path/to/ini section_name salt.modules.ini_manage.remove_option(file_name, section, option) Remove a key/value pair from a section in an ini file. Returns the value of the removed key, or None if nothing was removed. API Example: import salt sc = salt.client.get_local_client() sc.cmd('target', 'ini.remove_option', [path_to_ini_file, section_name, option]) CLI Example: salt '*' ini.remove_option /path/to/ini section_name option_name salt.modules.ini_manage.remove_section(file_name, section) Remove a section in an ini file. Returns the removed section as dictionary, or None if nothing was removed. API Example: import salt sc = salt.client.get_local_client() sc.cmd('target', 'ini.remove_section', [path_to_ini_file, section_name]) CLI Example: salt '*' ini.remove_section /path/to/ini section_name salt.modules.ini_manage.set_option(file_name, sections=None, summary=True) Edit an ini file, replacing one or more sections. Returns a dictionary containing the changes made. file_name path of ini_file sections None A dictionary representing the sections to be edited ini file Set summary=False if return data need not have previous option value API Example: import salt sc = salt.client.get_local_client() sc.cmd('target', 'ini.set_option', ['path_to_ini_file', '{"section_to_change": {"key": "value"}}']) CLI Example: salt '*' ini.set_option /path/to/ini '{section_foo: {key: value}}' salt.modules.inspectlib package Submodules salt.modules.inspectlib.collector module class salt.modules.inspectlib.collector.Inspector(db_path=None, pid_file=None) IGNORE_FS_TYPES = ['autofs', 'cifs', 'nfs', 'nfs4'] IGNORE_MOUNTS = ['proc', 'sysfs', 'devtmpfs', 'tmpfs', 'fuse.gvfs-fuse-daemon'] IGNORE_PATHS = ['/tmp', '/var/tmp', '/lost+found', '/var/run', '/var/lib/rpm', '/.snapshots', '/.zfs', '/etc/ssh', '/root', '/home'] MODE = ['configuration', 'payload', 'all'] request_snapshot(mode, priority=19, **kwargs) Take a snapshot of the system. snapshot(mode) Take a snapshot of the system. salt.modules.inspectlib.collector.is_alive(pidfile) Check if PID is still alive. salt.modules.inspectlib.collector.main(dbfile, pidfile, mode) Main analyzer routine. salt.modules.inspectlib.dbhandle module class salt.modules.inspectlib.dbhandle.DBHandle(path) class salt.modules.inspectlib.dbhandle.DBHandleBase(path) Handle for the volatile database, which serves the purpose of caching the inspected data. This database can be destroyed or corrupted, so it should be simply re-created from scratch. close() Close the database connection. flush(table) Flush the table. open(new=False) Init the database, if required. purge() Purge whole database. salt.modules.inspectlib.exceptions module exception salt.modules.inspectlib.exceptions.InspectorQueryException Exception that is only for the inspector query. exception salt.modules.inspectlib.exceptions.InspectorSnapshotException Snapshot exception. exception salt.modules.inspectlib.exceptions.SIException System information exception. salt.modules.inspectlib.query module class salt.modules.inspectlib.query.Query(scope) Query the system. This class is actually puts all Salt features together, so there would be no need to pick it from various places. SCOPES = ['changes', 'configuration', 'identity', 'system', 'software', 'services', 'payload', 'all'] class salt.modules.inspectlib.query.SysInfo(systype) System information. Module contents salt.modules.introspect Functions to perform introspection on a minion, and return data in a format usable by Salt States salt.modules.introspect.enabled_service_owners() Return which packages own each of the services that are currently enabled. CLI Example: salt myminion introspect.enabled_service_owners salt.modules.introspect.running_service_owners(exclude=('/dev', '/home', '/media', '/proc', '/run', '/sys/', '/tmp', '/var')) Determine which packages own the currently running services. By default, excludes files whose full path starts with /dev, /home, /media, /proc, /run, /sys, /tmp and /var. This can be overridden by passing in a new list to exclude. CLI Example: salt myminion introspect.running_service_owners salt.modules.introspect.service_highstate(requires=True) Return running and enabled services in a highstate structure. By default also returns package dependencies for those services, which means that package definitions must be created outside this function. To drop the package dependencies, set requires to False. CLI Example: salt myminion introspect.service_highstate salt myminion introspect.service_highstate requires=False salt.modules.ipmi Support IPMI commands over LAN. This module does not talk to the local systems hardware through IPMI drivers. It uses a python module pyghmi. depends Python module pyghmi. You can install pyghmi using pip: pip install pyghmi configuration The following configuration defaults can be define (pillar or config files): ipmi.config: api_host: 127.0.0.1 api_user: admin api_pass: apassword api_port: 623 api_kg: None Usage can override the config defaults: salt-call ipmi.get_user api_host=myipmienabled.system api_user=admin api_pass=pass uid=1 salt.modules.ipmi.create_user(uid, name, password, channel=14, callback=False, link_auth=True, ipmi_msg=True, privilege_level='administrator', **kwargs) create/ensure a user is created with provided settings. Parameters • privilege_level -- User Privilege Limit. (Determines the maximum privilege level that the user is allowed to switch to on the specified channel.) * callback * user * operator * administrator * proprietary * no_access • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None CLI Examples: salt-call ipmi.create_user uid=2 name=steverweber api_host=172.168.0.7 api_pass=nevertell salt.modules.ipmi.fast_connect_test(**kwargs) Returns True if connection success. This uses an aggressive timeout value! Parameters kwargs -- .INDENT 7.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None CLI Examples: salt-call ipmi.fast_connect_test api_host=172.168.0.9 salt.modules.ipmi.get_bootdev(**kwargs) Get current boot device override information. Provides the current requested boot device. Be aware that not all IPMI devices support this. Even in BMCs that claim to, occasionally the BIOS or UEFI fail to honor it. This is usually only applicable to the next reboot. Parameters kwargs -- .INDENT 7.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None CLI Example: salt-call ipmi.get_bootdev api_host=127.0.0.1 api_user=admin api_pass=pass salt.modules.ipmi.get_channel_access(channel=14, read_mode='non_volatile', **kwargs) :param kwargs:api_host='127.0.0.1' api_user='admin' api_pass='example' api_port=623 Parameters • channel -- number [1:7] • read_mode -- .INDENT 2.0 • non_volatile = get non-volatile Channel Access • volatile = get present volatile (active) setting of Channel Access • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None return A Python dict with the following keys/values: { alerting: per_msg_auth: user_level_auth: access_mode:{ (ONE OF) 0: 'disabled', 1: 'pre_boot', 2: 'always', 3: 'shared' } privilege_level: { (ONE OF) 1: 'callback', 2: 'user', 3: 'operator', 4: 'administrator', 5: 'proprietary', } } CLI Examples: salt-call ipmi.get_channel_access channel=1 salt.modules.ipmi.get_channel_info(channel=14, **kwargs) Get channel info Parameters • channel -- number [1:7] • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None return channel session supports: - no_session: channel is session-less - single: channel is single-session - multi: channel is multi-session - auto: channel is session-based (channel could alternate between single- and multi-session operation, as can occur with a serial/modem channel that supports connection mode auto-detect) CLI Examples: salt-call ipmi.get_channel_info salt.modules.ipmi.get_channel_max_user_count(channel=14, **kwargs) Get max users in channel Parameters • channel -- number [1:7] • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None Returns int -- often 16 CLI Examples: salt-call ipmi.get_channel_max_user_count salt.modules.ipmi.get_health(**kwargs) Get Summarize health This provides a summary of the health of the managed system. It additionally provides an iterable list of reasons for warning, critical, or failed assessments. good health: {'badreadings': [], 'health': 0} Parameters kwargs -- .INDENT 7.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None CLI Example: salt-call ipmi.get_health api_host=127.0.0.1 api_user=admin api_pass=pass salt.modules.ipmi.get_power(**kwargs) Get current power state The response, if successful, should contain 'powerstate' key and either 'on' or 'off' to indicate current state. Parameters kwargs -- .INDENT 7.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None CLI Example: salt-call ipmi.get_power api_host=127.0.0.1 api_user=admin api_pass=pass salt.modules.ipmi.get_sensor_data(**kwargs) Get sensor readings Iterates sensor reading objects Parameters kwargs -- .INDENT 7.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None CLI Example: salt-call ipmi.get_sensor_data api_host=127.0.0.1 api_user=admin api_pass=pass salt.modules.ipmi.get_user(uid, channel=14, **kwargs) Get user from uid and access on channel Parameters • uid -- user number [1:16] • channel -- number [1:7] • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None return name: (str) uid: (int) channel: (int) access: - callback (bool) - link_auth (bool) - ipmi_msg (bool) - privilege_level: (str)[callback, user, operatorm administrator, proprietary, no_access] CLI Examples: salt-call ipmi.get_user uid=2 salt.modules.ipmi.get_user_access(uid, channel=14, **kwargs) Get user access Parameters • uid -- user number [1:16] • channel -- number [1:7] • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None return channel_info: - max_user_count = maximum number of user IDs on this channel - enabled_users = count of User ID slots presently in use - users_with_fixed_names = count of user IDs with fixed names access: - callback - link_auth - ipmi_msg - privilege_level: [reserved, callback, user, operator administrator, proprietary, no_access] CLI Examples: salt-call ipmi.get_user_access uid=2 salt.modules.ipmi.get_user_name(uid, return_none_on_error=True, **kwargs) Get user name Parameters • uid -- user number [1:16] • return_none_on_error -- return None on error • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None CLI Examples: salt-call ipmi.get_user_name uid=2 salt.modules.ipmi.get_users(channel=14, **kwargs) get list of users and access information Parameters • channel -- number [1:7] • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None Returns • name: (str) • uid: (int) • channel: (int) • access: • callback (bool) • link_auth (bool) • ipmi_msg (bool) • privilege_level: (str)[callback, user, operatorm administrator, proprietary, no_access] CLI Examples: salt-call ipmi.get_users api_host=172.168.0.7 salt.modules.ipmi.raw_command(netfn, command, bridge_request=None, data=(), retry=True, delay_xmit=None, **kwargs) Send raw ipmi command This allows arbitrary IPMI bytes to be issued. This is commonly used for certain vendor specific commands. Parameters • netfn -- Net function number • command -- Command value • bridge_request -- The target slave address and channel number for the bridge request. • data -- Command data as a tuple or list • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None Returns dict -- The response from IPMI device CLI Examples: salt-call ipmi.raw_command netfn=0x06 command=0x46 data=[0x02] # this will return the name of the user with id 2 in bytes salt.modules.ipmi.set_bootdev(bootdev='default', persist=False, uefiboot=False, **kwargs) Set boot device to use on next reboot Parameters • bootdev -- .INDENT 2.0 • network: Request network boot • hd: Boot from hard drive • safe: Boot from hard drive, requesting 'safe mode' • optical: boot from CD/DVD/BD drive • setup: Boot into setup utility • default: remove any IPMI directed boot device request • persist -- If true, ask that system firmware use this device beyond next boot. Be aware many systems do not honor this • uefiboot -- If true, request UEFI boot explicitly. Strictly speaking, the spec sugests that if not set, the system should BIOS boot and offers no "don't care" option. In practice, this flag not being set does not preclude UEFI boot on any system I've encountered. • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None Returns dict or True -- If callback is not provided, the response salt-call ipmi.set_bootdev bootdev=network persist=True salt.modules.ipmi.set_channel_access(channel=14, access_update_mode='non_volatile', alerting=False, per_msg_auth=False, user_level_auth=False, access_mode='always', privilege_update_mode='non_volatile', privilege_level='administrator', **kwargs) Set channel access Parameters • channel -- number [1:7] • access_update_mode -- .INDENT 2.0 • 'dont_change' = don't set or change Channel Access • 'non_volatile' = set non-volatile Channel Access • 'volatile' = set volatile (active) setting of Channel Access • alerting -- PEF Alerting Enable/Disable • True = enable PEF Alerting • False = disable PEF Alerting on this channel (Alert Immediate command can still be used to generate alerts) • per_msg_auth -- Per-message Authentication • True = enable • False = disable Per-message Authentication. [Authentication required to activate any session on this channel, but authentication not used on subsequent packets for the session.] • user_level_auth -- User Level Authentication Enable/Disable. • True = enable User Level Authentication. All User Level commands are to be authenticated per the Authentication Type that was negotiated when the session was activated. • False = disable User Level Authentication. Allow User Level commands to be executed without being authenticated. If the option to disable User Level Command authentication is accepted, the BMC will accept packets with Authentication Type set to None if they contain user level commands. For outgoing packets, the BMC returns responses with the same Authentication Type that was used for the request. • access_mode -- Access Mode for IPMI messaging (PEF Alerting is enabled/disabled separately from IPMI messaging) • disabled = disabled for IPMI messaging • pre_boot = pre-boot only channel only available when system is in a powered down state or in BIOS prior to start of boot. • always = channel always available regardless of system mode. BIOS typically dedicates the serial connection to the BMC. • shared = same as always available, but BIOS typically leaves the serial port available for software use. • privilege_update_mode -- Channel Privilege Level Limit. This value sets the maximum privilege level that can be accepted on the specified channel. • dont_change = don't set or change channel Privilege Level Limit • non_volatile = non-volatile Privilege Level Limit according • volatile = volatile setting of Privilege Level Limit • privilege_level -- Channel Privilege Level Limit • reserved = unused • callback • user • operator • administrator • proprietary = used by OEM • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None salt-call ipmi.set_channel_access privilege_level='administrator' salt.modules.ipmi.set_identify(on=True, duration=600, **kwargs) Request identify light Request the identify light to turn off, on for a duration, or on indefinitely. Other than error exceptions, Parameters • on -- Set to True to force on or False to force off • duration -- Set if wanting to request turn on for a duration in seconds, None = indefinitely. • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None CLI Examples: salt-call ipmi.set_identify salt.modules.ipmi.set_power(state='power_on', wait=True, **kwargs) Request power state change Parameters • name -- .INDENT 2.0 • power_on -- system turn on • power_off -- system turn off (without waiting for OS) • shutdown -- request OS proper shutdown • reset -- reset (without waiting for OS) • boot -- If system is off, then 'on', else 'reset' • ensure -- If (bool True), do not return until system actually completes requested state change for 300 seconds. If a non-zero (int), adjust the wait time to the requested number of seconds • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None Returns dict -- A dict describing the response retrieved salt-call ipmi.set_power state=shutdown wait=True salt.modules.ipmi.set_user_access(uid, channel=14, callback=True, link_auth=True, ipmi_msg=True, privilege_level='administrator', **kwargs) Set user access Parameters • uid -- user number [1:16] • channel -- number [1:7] • link_auth -- User Link authentication enable/disable (used to enable whether this user's name and password information will be used for link authentication, e.g. PPP CHAP) for the given channel. Link authentication itself is a global setting for the channel and is enabled/disabled via the serial/modem configuration parameters. • ipmi_msg -- User IPMI Messaging: (used to enable/disable whether this user's name and password information will be used for IPMI Messaging. In this case, 'IPMI Messaging' refers to the ability to execute generic IPMI commands that are not associated with a particular payload type. For example, if IPMI Messaging is disabled for a user, but that user is enabled for activating the SOL payload type, then IPMI commands associated with SOL and session management, such as Get SOL Configuration Parameters and Close Session are available, but generic IPMI commands such as Get SEL Time are unavailable.) • privilege_level -- User Privilege Limit. (Determines the maximum privilege level that the user is allowed to switch to on the specified channel.) • callback • user • operator • administrator • proprietary • no_access • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None Parm callback User Restricted to Callback • False = User Privilege Limit is determined by the User Privilege Limit parameter, below, for both callback and non-callback connections. • True = User Privilege Limit is determined by the User Privilege Limit parameter for callback connections, but is restricted to Callback level for non-callback connections. Thus, a user can only initiate a Callback when they 'call in' to the BMC, but once the callback connection has been made, the user could potentially establish a session as an Operator. CLI Examples: salt-call ipmi.set_user_access uid=2 privilege_level='operator' salt.modules.ipmi.set_user_name(uid, name, **kwargs) Set user name Parameters • uid -- user number [1:16] • name -- username (limit of 16bytes) • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None CLI Examples: salt-call ipmi.set_user_name uid=2 name='steverweber' salt.modules.ipmi.set_user_password(uid, mode='set_password', password=None, **kwargs) Set user password and (modes) Parameters • uid -- id number of user. see: get_names_uid()['name'] • mode -- .INDENT 2.0 • disable = disable user connections • enable = enable user connections • set_password = set or ensure password • test_password = test password is correct • password -- max 16 char string (optional when mode is [disable or enable]) • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None Returns True on success when mode = test_password, return False on bad password salt-call ipmi.set_user_password api_host=127.0.0.1 api_user=admin api_pass=pass uid=1 password=newPass salt-call ipmi.set_user_password uid=1 mode=enable salt.modules.ipmi.user_delete(uid, channel=14, **kwargs) Delete user (helper) Parameters • uid -- user number [1:16] • channel -- number [1:7] • kwargs -- .INDENT 2.0 • api_host=127.0.0.1 • api_user=admin • api_pass=example • api_port=623 • api_kg=None CLI Examples: salt-call ipmi.user_delete uid=2 salt.modules.ipset Support for ipset salt.modules.ipset.add(set=None, entry=None, family='ipv4', **kwargs) Append an entry to the specified set. CLI Example: salt '*' ipset.add setname 192.168.1.26 salt '*' ipset.add setname 192.168.0.3,AA:BB:CC:DD:EE:FF salt.modules.ipset.check(set=None, entry=None, family='ipv4') Check that an entry exists in the specified set. set The ipset name entry An entry in the ipset. This parameter can be a single IP address, a range of IP addresses, or a subnet block. Example: 192.168.0.1 192.168.0.2-192.168.0.19 192.168.0.0/25 family IP protocol version: ipv4 or ipv6 CLI Example: salt '*' ipset.check setname '192.168.0.1 comment "Hello"' salt.modules.ipset.check_set(set=None, family='ipv4') Check that given ipset set exists. New in version 2014.7.0. CLI Example: salt '*' ipset.check_set setname salt.modules.ipset.delete(set=None, entry=None, family='ipv4', **kwargs) Delete an entry from the specified set. CLI Example: salt '*' ipset.delete setname 192.168.0.3,AA:BB:CC:DD:EE:FF salt.modules.ipset.delete_set(set=None, family='ipv4') New in version 2014.7.0. Delete ipset set. CLI Example: salt '*' ipset.delete_set custom_set IPv6: salt '*' ipset.delete_set custom_set family=ipv6 salt.modules.ipset.flush(set=None, family='ipv4') Flush entries in the specified set, Flush all sets if set is not specified. CLI Example: salt '*' ipset.flush salt '*' ipset.flush set IPv6: salt '*' ipset.flush salt '*' ipset.flush set salt.modules.ipset.list_sets(family='ipv4') New in version 2014.7.0. List all ipset sets. CLI Example: salt '*' ipset.list_sets salt.modules.ipset.new_set(set=None, set_type=None, family='ipv4', comment=False, **kwargs) New in version 2014.7.0. Create new custom set CLI Example: salt '*' ipset.new_set custom_set list:set salt '*' ipset.new_set custom_set list:set comment=True IPv6: salt '*' ipset.new_set custom_set list:set family=ipv6 salt.modules.ipset.rename_set(set=None, new_set=None, family='ipv4') New in version 2014.7.0. Delete ipset set. CLI Example: salt '*' ipset.rename_set custom_set new_set=new_set_name IPv6: salt '*' ipset.rename_set custom_set new_set=new_set_name family=ipv6 salt.modules.ipset.test(set=None, entry=None, family='ipv4', **kwargs) Test if an entry is in the specified set. CLI Example: salt '*' ipset.test setname 192.168.0.2 IPv6: salt '*' ipset.test setname fd81:fc56:9ac7::/48 salt.modules.ipset.version() Return version from ipset --version CLI Example: salt '*' ipset.version salt.modules.iptables Support for iptables salt.modules.iptables.append(table='filter', chain=None, rule=None, family='ipv4') Append a rule to the specified table/chain. This function accepts a rule in a standard iptables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it. CLI Example: salt '*' iptables.append filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' IPv6: salt '*' iptables.append filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \ family=ipv6 salt.modules.iptables.build_rule(table='filter', chain=None, command=None, position='', full=None, family='ipv4', **kwargs) Build a well-formatted iptables rule based on kwargs. A table and chain are not required, unless full is True. If full is True, then table, chain and command are required. command may be specified as either a short option ('I') or a long option (--insert). This will return the iptables command, exactly as it would be used from the command line. If a position is required (as with -I or -D), it may be specified as position. This will only be useful if full is True. If connstate is passed in, it will automatically be changed to state. To pass in jump options that doesn't take arguments, pass in an empty string. CLI Examples: salt '*' iptables.build_rule match=state \ connstate=RELATED,ESTABLISHED jump=ACCEPT salt '*' iptables.build_rule filter INPUT command=I position=3 \ full=True match=state state=RELATED,ESTABLISHED jump=ACCEPT salt '*' iptables.build_rule filter INPUT command=A \ full=True match=state state=RELATED,ESTABLISHED \ source='127.0.0.1' jump=ACCEPT .. Invert Rules salt '*' iptables.build_rule filter INPUT command=A \ full=True match=state state=RELATED,ESTABLISHED \ source='! 127.0.0.1' jump=ACCEPT salt '*' iptables.build_rule filter INPUT command=A \ full=True match=state state=RELATED,ESTABLISHED \ destination='not 127.0.0.1' jump=ACCEPT IPv6: salt '*' iptables.build_rule match=state \ connstate=RELATED,ESTABLISHED jump=ACCEPT \ family=ipv6 salt '*' iptables.build_rule filter INPUT command=I position=3 \ full=True match=state state=RELATED,ESTABLISHED jump=ACCEPT \ family=ipv6 salt.modules.iptables.check(table='filter', chain=None, rule=None, family='ipv4') Check for the existence of a rule in the table and chain This function accepts a rule in a standard iptables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it. CLI Example: salt '*' iptables.check filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' IPv6: salt '*' iptables.check filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \ family=ipv6 salt.modules.iptables.check_chain(table='filter', chain=None, family='ipv4') New in version 2014.1.0. Check for the existence of a chain in the table CLI Example: salt '*' iptables.check_chain filter INPUT IPv6: salt '*' iptables.check_chain filter INPUT family=ipv6 salt.modules.iptables.delete(table, chain=None, position=None, rule=None, family='ipv4') Delete a rule from the specified table/chain, specifying either the rule in its entirety, or the rule's position in the chain. This function accepts a rule in a standard iptables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it. CLI Examples: salt '*' iptables.delete filter INPUT position=3 salt '*' iptables.delete filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' IPv6: salt '*' iptables.delete filter INPUT position=3 family=ipv6 salt '*' iptables.delete filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \ family=ipv6 salt.modules.iptables.delete_chain(table='filter', chain=None, family='ipv4') New in version 2014.1.0. Delete custom chain to the specified table. CLI Example: salt '*' iptables.delete_chain filter CUSTOM_CHAIN IPv6: salt '*' iptables.delete_chain filter CUSTOM_CHAIN family=ipv6 salt.modules.iptables.flush(table='filter', chain='', family='ipv4') Flush the chain in the specified table, flush all chains in the specified table if not specified chain. CLI Example: salt '*' iptables.flush filter INPUT IPv6: salt '*' iptables.flush filter INPUT family=ipv6 salt.modules.iptables.get_policy(table='filter', chain=None, family='ipv4') Return the current policy for the specified table/chain CLI Example: salt '*' iptables.get_policy filter INPUT IPv6: salt '*' iptables.get_policy filter INPUT family=ipv6 salt.modules.iptables.get_rules(family='ipv4') Return a data structure of the current, in-memory rules CLI Example: salt '*' iptables.get_rules IPv6: salt '*' iptables.get_rules family=ipv6 salt.modules.iptables.get_saved_policy(table='filter', chain=None, conf_file=None, family='ipv4') Return the current policy for the specified table/chain CLI Examples: salt '*' iptables.get_saved_policy filter INPUT salt '*' iptables.get_saved_policy filter INPUT \ conf_file=/etc/iptables.saved IPv6: salt '*' iptables.get_saved_policy filter INPUT family=ipv6 salt '*' iptables.get_saved_policy filter INPUT \ conf_file=/etc/iptables.saved family=ipv6 salt.modules.iptables.get_saved_rules(conf_file=None, family='ipv4') Return a data structure of the rules in the conf file CLI Example: salt '*' iptables.get_saved_rules IPv6: salt '*' iptables.get_saved_rules family=ipv6 salt.modules.iptables.insert(table='filter', chain=None, position=None, rule=None, family='ipv4') Insert a rule into the specified table/chain, at the specified position. This function accepts a rule in a standard iptables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it. If the position specified is a negative number, then the insert will be performed counting from the end of the list. For instance, a position of -1 will insert the rule as the second to last rule. To insert a rule in the last position, use the append function instead. CLI Examples: salt '*' iptables.insert filter INPUT position=3 \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' IPv6: salt '*' iptables.insert filter INPUT position=3 \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \ family=ipv6 salt.modules.iptables.new_chain(table='filter', chain=None, family='ipv4') New in version 2014.1.0. Create new custom chain to the specified table. CLI Example: salt '*' iptables.new_chain filter CUSTOM_CHAIN IPv6: salt '*' iptables.new_chain filter CUSTOM_CHAIN family=ipv6 salt.modules.iptables.save(filename=None, family='ipv4') Save the current in-memory rules to disk CLI Example: salt '*' iptables.save /etc/sysconfig/iptables IPv6: salt '*' iptables.save /etc/sysconfig/iptables family=ipv6 salt.modules.iptables.set_policy(table='filter', chain=None, policy=None, family='ipv4') Set the current policy for the specified table/chain CLI Example: salt '*' iptables.set_policy filter INPUT ACCEPT IPv6: salt '*' iptables.set_policy filter INPUT ACCEPT family=ipv6 salt.modules.iptables.version(family='ipv4') Return version from iptables --version CLI Example: salt '*' iptables.version IPv6: salt '*' iptables.version family=ipv6 salt.modules.jboss7 Module for managing JBoss AS 7 through the CLI interface. New in version 2015.5.0. In order to run each function, jboss_config dictionary with the following properties must be passed: • cli_path: the path to jboss-cli script, for example: '/opt/jboss/jboss-7.0/bin/jboss-cli.sh' • controller: the IP address and port of controller, for example: 10.11.12.13:9999 • cli_user: username to connect to jboss administration console if necessary • cli_password: password to connect to jboss administration console if necessary Example: jboss_config: cli_path: '/opt/jboss/jboss-7.0/bin/jboss-cli.sh' controller: 10.11.12.13:9999 cli_user: 'jbossadm' cli_password: 'jbossadm' salt.modules.jboss7.create_datasource(jboss_config, name, datasource_properties) Create datasource in running jboss instance jboss_config Configuration dictionary with properties specified above. name Datasource name datasource_properties A dictionary of datasource properties to be created: • driver-name: mysql • connection-url: 'jdbc:mysql://localhost:3306/sampleDatabase' • jndi-name: 'java:jboss/datasources/sampleDS' • user-name: sampleuser • password: secret • min-pool-size: 3 • use-java-context: True CLI Example: salt '*' jboss7.create_datasource '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' 'my_datasource' '{"driver-name": "mysql", "connection-url": "jdbc:mysql://localhost:3306/sampleDatabase", "jndi-name": "java:jboss/datasources/sampleDS", "user-name": "sampleuser", "password": "secret", "min-pool-size": 3, "use-java-context": True}' salt.modules.jboss7.create_simple_binding(jboss_config, binding_name, value) Create a simple jndi binding in the running jboss instance jboss_config Configuration dictionary with properties specified above. binding_name Binding name to be created value Binding value CLI Example: salt '*' jboss7.create_simple_binding \ '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", \ "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' \ my_binding_name my_binding_value salt.modules.jboss7.deploy(jboss_config, source_file) Deploy the application on the jboss instance from the local file system where minion is running. jboss_config Configuration dictionary with properties specified above. source_file Source file to deploy from CLI Example: salt '*' jboss7.deploy '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' /opt/deploy_files/my_deploy salt.modules.jboss7.list_deployments(jboss_config) List all deployments on the jboss instance jboss_config Configuration dictionary with properties specified above. CLI Example: salt '*' jboss7.list_deployments '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' salt.modules.jboss7.read_datasource(jboss_config, name) Read datasource properties in the running jboss instance. jboss_config Configuration dictionary with properties specified above. name Datasource name CLI Example: salt '*' jboss7.read_datasource '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' salt.modules.jboss7.read_simple_binding(jboss_config, binding_name) Read jndi binding in the running jboss instance jboss_config Configuration dictionary with properties specified above. binding_name Binding name to be created CLI Example: salt '*' jboss7.read_simple_binding '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' my_binding_name salt.modules.jboss7.reload(jboss_config) Reload running jboss instance jboss_config Configuration dictionary with properties specified above. CLI Example: salt '*' jboss7.reload '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' salt.modules.jboss7.remove_datasource(jboss_config, name) Remove an existing datasource from the running jboss instance. jboss_config Configuration dictionary with properties specified above. name Datasource name CLI Example: salt '*' jboss7.remove_datasource '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' my_datasource_name salt.modules.jboss7.status(jboss_config) Get status of running jboss instance. jboss_config Configuration dictionary with properties specified above. CLI Example: salt '*' jboss7.status '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' salt.modules.jboss7.stop_server(jboss_config) Stop running jboss instance jboss_config Configuration dictionary with properties specified above. CLI Example: salt '*' jboss7.stop_server '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' salt.modules.jboss7.undeploy(jboss_config, deployment) Undeploy the application from jboss instance jboss_config Configuration dictionary with properties specified above. deployment Deployment name to undeploy CLI Example: salt '*' jboss7.undeploy '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' my_deployment salt.modules.jboss7.update_datasource(jboss_config, name, new_properties) Update an existing datasource in running jboss instance. If the property doesn't exist if will be created, if it does, it will be updated with the new value jboss_config Configuration dictionary with properties specified above. name Datasource name new_properties A dictionary of datasource properties to be updated. For example: • driver-name: mysql • connection-url: 'jdbc:mysql://localhost:3306/sampleDatabase' • jndi-name: 'java:jboss/datasources/sampleDS' • user-name: sampleuser • password: secret • min-pool-size: 3 • use-java-context: True CLI Example: salt '*' jboss7.update_datasource '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' 'my_datasource' '{"driver-name": "mysql", "connection-url": "jdbc:mysql://localhost:3306/sampleDatabase", "jndi-name": "java:jboss/datasources/sampleDS", "user-name": "sampleuser", "password": "secret", "min-pool-size": 3, "use-java-context": True}' salt.modules.jboss7.update_simple_binding(jboss_config, binding_name, value) Update the simple jndi binding in the running jboss instance jboss_config Configuration dictionary with properties specified above. binding_name Binding name to be updated value New binding value CLI Example: salt '*' jboss7.update_simple_binding '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' my_binding_name my_binding_value salt.modules.jboss7_cli Module for low-level interaction with JbossAS7 through CLI. This module exposes two ways of interaction with the CLI, either through commands or operations. NOTE: Following JBoss documentation (https://developer.jboss.org/wiki/CommandLineInterface): "Operations are considered a low level but comprehensive way to manage the AS controller, i.e. if it can't be done with operations it can't be done in any other way. Commands, on the other hand, are more user-friendly in syntax, although most of them still translate into operation requests and some of them even into a few composite operation requests, i.e. commands also simplify some management operations from the user's point of view." The difference between calling a command or operation is in handling the result. Commands return a zero return code if operation is successful or return non-zero return code and print an error to standard output in plain text, in case of an error. Operations return a json-like structure, that contain more information about the result. In case of a failure, they also return a specific return code. This module parses the output from the operations and returns it as a dictionary so that an execution of an operation can then be verified against specific errors. In order to run each function, jboss_config dictionary with the following properties must be passed: • cli_path: the path to jboss-cli script, for example: '/opt/jboss/jboss-7.0/bin/jboss-cli.sh' • controller: the IP address and port of controller, for example: 10.11.12.13:9999 • cli_user: username to connect to jboss administration console if necessary • cli_password: password to connect to jboss administration console if necessary Example: jboss_config: cli_path: '/opt/jboss/jboss-7.0/bin/jboss-cli.sh' controller: 10.11.12.13:9999 cli_user: 'jbossadm' cli_password: 'jbossadm' salt.modules.jboss7_cli.run_command(jboss_config, command, fail_on_error=True) Execute a command against jboss instance through the CLI interface. jboss_config Configuration dictionary with properties specified above. command Command to execute against jboss instance fail_on_error (default=True) Is true, raise CommandExecutionException exception if execution fails. If false, 'success' property of the returned dictionary is set to False CLI Example: salt '*' jboss7_cli.run_command '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' my_command salt.modules.jboss7_cli.run_operation(jboss_config, operation, fail_on_error=True, retries=1) Execute an operation against jboss instance through the CLI interface. jboss_config Configuration dictionary with properties specified above. operation An operation to execute against jboss instance fail_on_error (default=True) Is true, raise CommandExecutionException exception if execution fails. If false, 'success' property of the returned dictionary is set to False retries: Number of retries in case of "JBAS012144: Could not connect to remote" error. CLI Example: salt '*' jboss7_cli.run_operation '{"cli_path": "integration.modules.sysmod.SysModuleTest.test_valid_docs", "controller": "10.11.12.13:9999", "cli_user": "jbossadm", "cli_password": "jbossadm"}' my_operation salt.modules.junos Module for interfacing to Junos devices ALPHA QUALITY code. salt.modules.junos.call_rpc() salt.modules.junos.cli(command) salt.modules.junos.commit() salt.modules.junos.diff() salt.modules.junos.facts_refresh() Reload the facts dictionary from the device. Usually only needed if the device configuration is changed by some other actor. salt.modules.junos.ping() salt.modules.junos.rollback() salt.modules.junos.set_hostname(hostname=None, commit_change=True) salt.modules.kerberos Manage Kerberos KDC configuration In order to manage your KDC you will need to generate a keytab that can authenticate without requiring a password. # ktadd -k /root/secure.keytab kadmin/admin kadmin/changepw On the KDC minion you will need to add the following to the minion configuration file so Salt knows what keytab to use and what principal to authenticate as. auth_keytab: /root/auth.keytab auth_principal: kadmin/admin salt.modules.kerberos.create_keytab(name, keytab, enctypes=None) Create keytab CLI Example: salt 'kdc.example.com' host/host1.example.com host1.example.com.keytab salt.modules.kerberos.create_principal(name, enctypes=None) Create Principal CLI Example: salt 'kdc.example.com' kerberos.create_principal host/example.com salt.modules.kerberos.delete_principal(name) Delete Principal CLI Example: salt 'kdc.example.com' kerberos.delete_principal host/example.com@EXAMPLE.COM salt.modules.kerberos.get_policy(name) Get policy details CLI Example: salt 'kdc.example.com' kerberos.get_policy my_policy salt.modules.kerberos.get_principal(name) Get princial details CLI Example: salt 'kdc.example.com' kerberos.get_principal root/admin salt.modules.kerberos.get_privs() Current privileges CLI Example: salt 'kdc.example.com' kerberos.get_privs salt.modules.kerberos.list_policies() List policies CLI Example: salt 'kdc.example.com' kerberos.list_policies salt.modules.kerberos.list_principals() Get all principals CLI Example: salt 'kde.example.com' kerberos.list_principals salt.modules.key Functions to view the minion's public key information salt.modules.key.finger() Return the minion's public key fingerprint CLI Example: salt '*' key.finger salt.modules.key.finger_master() Return the fingerprint of the master's public key on the minion. CLI Example: salt '*' key.finger_master salt.modules.keyboard Module for managing keyboards on supported POSIX-like systems using systemd, or such as Redhat, Debian and Gentoo. salt.modules.keyboard.get_sys() Get current system keyboard setting CLI Example: salt '*' keyboard.get_sys salt.modules.keyboard.get_x() Get current X keyboard setting CLI Example: salt '*' keyboard.get_x salt.modules.keyboard.set_sys(layout) Set current system keyboard setting CLI Example: salt '*' keyboard.set_sys dvorak salt.modules.keyboard.set_x(layout) Set current X keyboard setting CLI Example: salt '*' keyboard.set_x dvorak salt.modules.keystone Module for handling openstack keystone calls. optdepends • keystoneclient Python adapter configuration This module is not usable until the following are specified either in a pillar or in the minion's config file: keystone.user: admin keystone.password: verybadpass keystone.tenant: admin keystone.tenant_id: f80919baedab48ec8931f200c65a50df keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' OR (for token based authentication) keystone.token: 'ADMIN' keystone.endpoint: 'http://127.0.0.1:35357/v2.0' If configuration for multiple openstack accounts is required, they can be set up as different configuration profiles. For example: openstack1: keystone.user: admin keystone.password: verybadpass keystone.tenant: admin keystone.tenant_id: f80919baedab48ec8931f200c65a50df keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' openstack2: keystone.user: admin keystone.password: verybadpass keystone.tenant: admin keystone.tenant_id: f80919baedab48ec8931f200c65a50df keystone.auth_url: 'http://127.0.0.2:5000/v2.0/' With this configuration in place, any of the keystone functions can make use of a configuration profile by declaring it explicitly. For example: salt '*' keystone.tenant_list profile=openstack1 salt.modules.keystone.auth(profile=None, **connection_args) Set up keystone credentials. Only intended to be used within Keystone-enabled modules. CLI Example: salt '*' keystone.auth salt.modules.keystone.ec2_credentials_create(user_id=None, name=None, tenant_id=None, tenant=None, profile=None, **connection_args) Create EC2-compatible credentials for user per tenant CLI Examples: salt '*' keystone.ec2_credentials_create name=admin tenant=admin salt '*' keystone.ec2_credentials_create user_id=c965f79c4f864eaaa9c3b41904e67082 tenant_id=722787eb540849158668370dc627ec5f salt.modules.keystone.ec2_credentials_delete(user_id=None, name=None, access_key=None, profile=None, **connection_args) Delete EC2-compatible credentials CLI Examples: salt '*' keystone.ec2_credentials_delete 860f8c2c38ca4fab989f9bc56a061a64 access_key=5f66d2f24f604b8bb9cd28886106f442 salt '*' keystone.ec2_credentials_delete name=admin access_key=5f66d2f24f604b8bb9cd28886106f442 salt.modules.keystone.ec2_credentials_get(user_id=None, name=None, access=None, profile=None, **connection_args) Return ec2_credentials for a user (keystone ec2-credentials-get) CLI Examples: salt '*' keystone.ec2_credentials_get c965f79c4f864eaaa9c3b41904e67082 access=722787eb540849158668370dc627ec5f salt '*' keystone.ec2_credentials_get user_id=c965f79c4f864eaaa9c3b41904e67082 access=722787eb540849158668370dc627ec5f salt '*' keystone.ec2_credentials_get name=nova access=722787eb540849158668370dc627ec5f salt.modules.keystone.ec2_credentials_list(user_id=None, name=None, profile=None, **connection_args) Return a list of ec2_credentials for a specific user (keystone ec2-credentials-list) CLI Examples: salt '*' keystone.ec2_credentials_list 298ce377245c4ec9b70e1c639c89e654 salt '*' keystone.ec2_credentials_list user_id=298ce377245c4ec9b70e1c639c89e654 salt '*' keystone.ec2_credentials_list name=jack salt.modules.keystone.endpoint_create(service, publicurl=None, internalurl=None, adminurl=None, region=None, profile=None, **connection_args) Create an endpoint for an Openstack service CLI Examples: salt '*' keystone.endpoint_create nova 'http://public/url' 'http://internal/url' 'http://adminurl/url' region salt.modules.keystone.endpoint_delete(service, profile=None, **connection_args) Delete endpoints of an Openstack service CLI Examples: salt '*' keystone.endpoint_delete nova salt.modules.keystone.endpoint_get(service, profile=None, **connection_args) Return a specific endpoint (keystone endpoint-get) CLI Example: salt '*' keystone.endpoint_get nova salt.modules.keystone.endpoint_list(profile=None, **connection_args) Return a list of available endpoints (keystone endpoints-list) CLI Example: salt '*' keystone.endpoint_list salt.modules.keystone.role_create(name, profile=None, **connection_args) Create a named role. CLI Example: salt '*' keystone.role_create admin salt.modules.keystone.role_delete(role_id=None, name=None, profile=None, **connection_args) Delete a role (keystone role-delete) CLI Examples: salt '*' keystone.role_delete c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.role_delete role_id=c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.role_delete name=admin salt.modules.keystone.role_get(role_id=None, name=None, profile=None, **connection_args) Return a specific roles (keystone role-get) CLI Examples: salt '*' keystone.role_get c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.role_get role_id=c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.role_get name=nova salt.modules.keystone.role_list(profile=None, **connection_args) Return a list of available roles (keystone role-list) CLI Example: salt '*' keystone.role_list salt.modules.keystone.service_create(name, service_type, description=None, profile=None, **connection_args) Add service to Keystone service catalog CLI Examples: salt '*' keystone.service_create nova compute 'OpenStack Compute Service' salt.modules.keystone.service_delete(service_id=None, name=None, profile=None, **connection_args) Delete a service from Keystone service catalog CLI Examples: salt '*' keystone.service_delete c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.service_delete name=nova salt.modules.keystone.service_get(service_id=None, name=None, profile=None, **connection_args) Return a specific services (keystone service-get) CLI Examples: salt '*' keystone.service_get c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.service_get service_id=c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.service_get name=nova salt.modules.keystone.service_list(profile=None, **connection_args) Return a list of available services (keystone services-list) CLI Example: salt '*' keystone.service_list salt.modules.keystone.tenant_create(name, description=None, enabled=True, profile=None, **connection_args) Create a keystone tenant CLI Examples: salt '*' keystone.tenant_create nova description='nova tenant' salt '*' keystone.tenant_create test enabled=False salt.modules.keystone.tenant_delete(tenant_id=None, name=None, profile=None, **connection_args) Delete a tenant (keystone tenant-delete) CLI Examples: salt '*' keystone.tenant_delete c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.tenant_delete tenant_id=c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.tenant_delete name=demo salt.modules.keystone.tenant_get(tenant_id=None, name=None, profile=None, **connection_args) Return a specific tenants (keystone tenant-get) CLI Examples: salt '*' keystone.tenant_get c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.tenant_get tenant_id=c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.tenant_get name=nova salt.modules.keystone.tenant_list(profile=None, **connection_args) Return a list of available tenants (keystone tenants-list) CLI Example: salt '*' keystone.tenant_list salt.modules.keystone.tenant_update(tenant_id=None, name=None, description=None, enabled=None, profile=None, **connection_args) Update a tenant's information (keystone tenant-update) The following fields may be updated: name, email, enabled. Can only update name if targeting by ID CLI Examples: salt '*' keystone.tenant_update name=admin enabled=True salt '*' keystone.tenant_update c965f79c4f864eaaa9c3b41904e67082 name=admin email=admin@domain.com salt.modules.keystone.token_get(profile=None, **connection_args) Return the configured tokens (keystone token-get) CLI Example: salt '*' keystone.token_get c965f79c4f864eaaa9c3b41904e67082 salt.modules.keystone.user_create(name, password, email, tenant_id=None, enabled=True, profile=None, **connection_args) Create a user (keystone user-create) CLI Examples: salt '*' keystone.user_create name=jack password=zero email=jack@halloweentown.org tenant_id=a28a7b5a999a455f84b1f5210264375e enabled=True salt.modules.keystone.user_delete(user_id=None, name=None, profile=None, **connection_args) Delete a user (keystone user-delete) CLI Examples: salt '*' keystone.user_delete c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.user_delete user_id=c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.user_delete name=nova salt.modules.keystone.user_get(user_id=None, name=None, profile=None, **connection_args) Return a specific users (keystone user-get) CLI Examples: salt '*' keystone.user_get c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.user_get user_id=c965f79c4f864eaaa9c3b41904e67082 salt '*' keystone.user_get name=nova salt.modules.keystone.user_list(profile=None, **connection_args) Return a list of available users (keystone user-list) CLI Example: salt '*' keystone.user_list salt.modules.keystone.user_password_update(user_id=None, name=None, password=None, profile=None, **connection_args) Update a user's password (keystone user-password-update) CLI Examples: salt '*' keystone.user_password_update c965f79c4f864eaaa9c3b41904e67082 password=12345 salt '*' keystone.user_password_update user_id=c965f79c4f864eaaa9c3b41904e67082 password=12345 salt '*' keystone.user_password_update name=nova password=12345 salt.modules.keystone.user_role_add(user_id=None, user=None, tenant_id=None, tenant=None, role_id=None, role=None, profile=None, **connection_args) Add role for user in tenant (keystone user-role-add) CLI Examples: salt '*' keystone.user_role_add user_id=298ce377245c4ec9b70e1c639c89e654 tenant_id=7167a092ece84bae8cead4bf9d15bb3b role_id=ce377245c4ec9b70e1c639c89e8cead4 salt '*' keystone.user_role_add user=admin tenant=admin role=admin salt.modules.keystone.user_role_list(user_id=None, tenant_id=None, user_name=None, tenant_name=None, profile=None, **connection_args) Return a list of available user_roles (keystone user-roles-list) CLI Examples: salt '*' keystone.user_role_list user_id=298ce377245c4ec9b70e1c639c89e654 tenant_id=7167a092ece84bae8cead4bf9d15bb3b salt '*' keystone.user_role_list user_name=admin tenant_name=admin salt.modules.keystone.user_role_remove(user_id=None, user=None, tenant_id=None, tenant=None, role_id=None, role=None, profile=None, **connection_args) Remove role for user in tenant (keystone user-role-remove) CLI Examples: salt '*' keystone.user_role_remove user_id=298ce377245c4ec9b70e1c639c89e654 tenant_id=7167a092ece84bae8cead4bf9d15bb3b role_id=ce377245c4ec9b70e1c639c89e8cead4 salt '*' keystone.user_role_remove user=admin tenant=admin role=admin salt.modules.keystone.user_update(user_id=None, name=None, email=None, enabled=None, tenant=None, profile=None, **connection_args) Update a user's information (keystone user-update) The following fields may be updated: name, email, enabled, tenant. Because the name is one of the fields, a valid user id is required. CLI Examples: salt '*' keystone.user_update user_id=c965f79c4f864eaaa9c3b41904e67082 name=newname salt '*' keystone.user_update c965f79c4f864eaaa9c3b41904e67082 name=newname email=newemail@domain.com salt.modules.keystone.user_verify_password(user_id=None, name=None, password=None, profile=None, **connection_args) Verify a user's password CLI Examples: salt '*' keystone.user_verify_password name=test password=foobar salt '*' keystone.user_verify_password user_id=c965f79c4f864eaaa9c3b41904e67082 password=foobar salt.modules.kmod Module to manage Linux kernel modules salt.modules.kmod.available() Return a list of all available kernel modules CLI Example: salt '*' kmod.available salt.modules.kmod.check_available(mod) Check to see if the specified kernel module is available CLI Example: salt '*' kmod.check_available kvm salt.modules.kmod.is_loaded(mod) Check to see if the specified kernel module is loaded CLI Example: salt '*' kmod.is_loaded kvm salt.modules.kmod.load(mod, persist=False) Load the specified kernel module mod Name of module to add persist Write module to /etc/modules to make it load on system reboot CLI Example: salt '*' kmod.load kvm salt.modules.kmod.lsmod() Return a dict containing information about currently loaded modules CLI Example: salt '*' kmod.lsmod salt.modules.kmod.mod_list(only_persist=False) Return a list of the loaded module names CLI Example: salt '*' kmod.mod_list salt.modules.kmod.remove(mod, persist=False, comment=True) Remove the specified kernel module mod Name of module to remove persist Also remove module from /etc/modules comment If persist is set don't remove line from /etc/modules but only comment it CLI Example: salt '*' kmod.remove kvm salt.modules.launchctl Module for the management of MacOS systems that use launchd/launchctl depends • plistlib Python module salt.modules.launchctl.available(job_label) Check that the given service is available. CLI Example: salt '*' service.available com.openssh.sshd salt.modules.launchctl.get_all() Return all installed services CLI Example: salt '*' service.get_all salt.modules.launchctl.missing(job_label) The inverse of service.available Check that the given service is not available. CLI Example: salt '*' service.missing com.openssh.sshd salt.modules.launchctl.restart(job_label, runas=None) Restart the named service CLI Example: salt '*' service.restart <service label> salt.modules.launchctl.start(job_label, runas=None) Start the specified service CLI Example: salt '*' service.start <service label> salt '*' service.start org.ntp.ntpd salt '*' service.start /System/Library/LaunchDaemons/org.ntp.ntpd.plist salt.modules.launchctl.status(job_label, runas=None) Return the status for a service, returns a bool whether the service is running. CLI Example: salt '*' service.status <service label> salt.modules.launchctl.stop(job_label, runas=None) Stop the specified service CLI Example: salt '*' service.stop <service label> salt '*' service.stop org.ntp.ntpd salt '*' service.stop /System/Library/LaunchDaemons/org.ntp.ntpd.plist salt.modules.layman Support for Layman salt.modules.layman.add(overlay) Add the given overlay from the cached remote list to your locally installed overlays. Specify 'ALL' to add all overlays from the remote list. Return a list of the new overlay(s) added: CLI Example: salt '*' layman.add <overlay name> salt.modules.layman.delete(overlay) Remove the given overlay from the your locally installed overlays. Specify 'ALL' to remove all overlays. Return a list of the overlays(s) that were removed: CLI Example: salt '*' layman.delete <overlay name> salt.modules.layman.list_all() List all overlays, including remote ones. Return a list of available overlays: CLI Example: salt '*' layman.list_all salt.modules.layman.list_local() List the locally installed overlays. Return a list of installed overlays: CLI Example: salt '*' layman.list_local salt.modules.layman.sync(overlay='ALL') Update the specified overlay. Use 'ALL' to synchronize all overlays. This is the default if no overlay is specified. overlay Name of the overlay to sync. (Defaults to 'ALL') CLI Example: salt '*' layman.sync salt.modules.ldapmod Salt interface to LDAP commands depends • ldap Python module configuration In order to connect to LDAP, certain configuration is required in the minion config on the LDAP server. The minimum configuration items that must be set are: ldap.basedn: dc=acme,dc=com (example values, adjust to suit) If your LDAP server requires authentication then you must also set: ldap.anonymous: False ldap.binddn: admin ldap.bindpw: password In addition, the following optional values may be set: ldap.server: localhost (default=localhost, see warning below) ldap.port: 389 (default=389, standard port) ldap.tls: False (default=False, no TLS) ldap.no_verify: False (default=False, verify TLS) ldap.anonymous: True (default=True, bind anonymous) ldap.scope: 2 (default=2, ldap.SCOPE_SUBTREE) ldap.attrs: [saltAttr] (default=None, return all attributes) WARNING: At the moment this module only recommends connection to LDAP services listening on localhost. This is deliberate to avoid the potentially dangerous situation of multiple minions sending identical update commands to the same LDAP server. It's easy enough to override this behavior, but badness may ensue - you have been warned. salt.modules.ldapmod.search(filter, dn=None, scope=None, attrs=None, **kwargs) Run an arbitrary LDAP query and return the results. CLI Example: salt 'ldaphost' ldap.search "filter=cn=myhost" Return data: {'myhost': {'count': 1, 'results': [['cn=myhost,ou=hosts,o=acme,c=gb', {'saltKeyValue': ['ntpserver=ntp.acme.local', 'foo=myfoo'], 'saltState': ['foo', 'bar']}]], 'time': {'human': '1.2ms', 'raw': '0.00123'}}} Search and connection options can be overridden by specifying the relevant option as key=value pairs, for example: salt 'ldaphost' ldap.search filter=cn=myhost dn=ou=hosts,o=acme,c=gb scope=1 attrs='' server='localhost' port='7393' tls=True bindpw='ssh' salt.modules.linux_acl Support for Linux File Access Control Lists salt.modules.linux_acl.delfacl(acl_type, acl_name='', *args, **kwargs) Remove specific FACL from the specified file(s) CLI Examples: salt '*' acl.delfacl user myuser /tmp/house/kitchen salt '*' acl.delfacl default:group mygroup /tmp/house/kitchen salt '*' acl.delfacl d:u myuser /tmp/house/kitchen salt '*' acl.delfacl g myuser /tmp/house/kitchen /tmp/house/livingroom salt '*' acl.delfacl user myuser /tmp/house/kitchen recursive=True salt.modules.linux_acl.getfacl(*args, **kwargs) Return (extremely verbose) map of FACLs on specified file(s) CLI Examples: salt '*' acl.getfacl /tmp/house/kitchen salt '*' acl.getfacl /tmp/house/kitchen /tmp/house/livingroom salt '*' acl.getfacl /tmp/house/kitchen /tmp/house/livingroom recursive=True salt.modules.linux_acl.modfacl(acl_type, acl_name='', perms='', *args, **kwargs) Add or modify a FACL for the specified file(s) CLI Examples: salt '*' acl.modfacl user myuser rwx /tmp/house/kitchen salt '*' acl.modfacl default:group mygroup rx /tmp/house/kitchen salt '*' acl.modfacl d:u myuser 7 /tmp/house/kitchen salt '*' acl.modfacl g mygroup 0 /tmp/house/kitchen /tmp/house/livingroom salt '*' acl.modfacl user myuser rwx /tmp/house/kitchen recursive=True salt.modules.linux_acl.version() Return facl version from getfacl --version CLI Example: salt '*' acl.version salt.modules.linux_acl.wipefacls(*args, **kwargs) Remove all FACLs from the specified file(s) CLI Examples: salt '*' acl.wipefacls /tmp/house/kitchen salt '*' acl.wipefacls /tmp/house/kitchen /tmp/house/livingroom salt '*' acl.wipefacls /tmp/house/kitchen /tmp/house/livingroom recursive=True salt.modules.linux_lvm Support for Linux LVM2 salt.modules.linux_lvm.fullversion() Return all version info from lvm version CLI Example: salt '*' lvm.fullversion salt.modules.linux_lvm.lvcreate(lvname, vgname, size=None, extents=None, snapshot=None, pv=None, **kwargs) Create a new logical volume, with option for which physical volume to be used CLI Examples: salt '*' lvm.lvcreate new_volume_name vg_name size=10G salt '*' lvm.lvcreate new_volume_name vg_name extents=100 pv=/dev/sdb salt '*' lvm.lvcreate new_snapshot vg_name snapshot=volume_name size=3G salt.modules.linux_lvm.lvdisplay(lvname='') Return information about the logical volume(s) CLI Examples: salt '*' lvm.lvdisplay salt '*' lvm.lvdisplay /dev/vg_myserver/root salt.modules.linux_lvm.lvremove(lvname, vgname) Remove a given existing logical volume from a named existing volume group CLI Example: salt '*' lvm.lvremove lvname vgname force=True salt.modules.linux_lvm.lvresize(size, lvpath) Return information about the logical volume(s) CLI Examples: salt '*' lvm.lvresize +12M /dev/mapper/vg1-test salt.modules.linux_lvm.pvcreate(devices, override=True, **kwargs) Set a physical device to be used as an LVM physical volume override Skip devices, if they are already an LVM physical volumes CLI Examples: salt mymachine lvm.pvcreate /dev/sdb1,/dev/sdb2 salt mymachine lvm.pvcreate /dev/sdb1 dataalignmentoffset=7s salt.modules.linux_lvm.pvdisplay(pvname='', real=False) Return information about the physical volume(s) pvname physical device name real dereference any symlinks and report the real device New in version 2015.8.7. CLI Examples: salt '*' lvm.pvdisplay salt '*' lvm.pvdisplay /dev/md0 salt.modules.linux_lvm.pvremove(devices, override=True) Remove a physical device being used as an LVM physical volume override Skip devices, if they are already not used as an LVM physical volumes CLI Examples: salt mymachine lvm.pvremove /dev/sdb1,/dev/sdb2 salt.modules.linux_lvm.version() Return LVM version from lvm version CLI Example: salt '*' lvm.version salt.modules.linux_lvm.vgcreate(vgname, devices, **kwargs) Create an LVM volume group CLI Examples: salt mymachine lvm.vgcreate my_vg /dev/sdb1,/dev/sdb2 salt mymachine lvm.vgcreate my_vg /dev/sdb1 clustered=y salt.modules.linux_lvm.vgdisplay(vgname='') Return information about the volume group(s) CLI Examples: salt '*' lvm.vgdisplay salt '*' lvm.vgdisplay nova-volumes salt.modules.linux_lvm.vgextend(vgname, devices) Add physical volumes to an LVM volume group CLI Examples: salt mymachine lvm.vgextend my_vg /dev/sdb1,/dev/sdb2 salt mymachine lvm.vgextend my_vg /dev/sdb1 salt.modules.linux_lvm.vgremove(vgname) Remove an LVM volume group CLI Examples: salt mymachine lvm.vgremove vgname salt mymachine lvm.vgremove vgname force=True salt.modules.linux_sysctl Module for viewing and modifying sysctl parameters salt.modules.linux_sysctl.assign(name, value) Assign a single sysctl parameter for this minion CLI Example: salt '*' sysctl.assign net.ipv4.ip_forward 1 salt.modules.linux_sysctl.default_config() Linux hosts using systemd 207 or later ignore /etc/sysctl.conf and only load from /etc/sysctl.d/*.conf. This function will do the proper checks and return a default config file which will be valid for the Minion. Hosts running systemd >= 207 will use /etc/sysctl.d/99-salt.conf. CLI Example: salt -G 'kernel:Linux' sysctl.default_config salt.modules.linux_sysctl.get(name) Return a single sysctl parameter for this minion CLI Example: salt '*' sysctl.get net.ipv4.ip_forward salt.modules.linux_sysctl.persist(name, value, config=None) Assign and persist a simple sysctl parameter for this minion. If config is not specified, a sensible default will be chosen using sysctl.default_config. CLI Example: salt '*' sysctl.persist net.ipv4.ip_forward 1 salt.modules.linux_sysctl.show(config_file=False) Return a list of sysctl parameters for this minion config: Pull the data from the system configuration file instead of the live data. CLI Example: salt '*' sysctl.show salt.modules.localemod Module for managing locales on POSIX-like systems. salt.modules.localemod.avail(locale) Check if a locale is available. New in version 2014.7.0. CLI Example: salt '*' locale.avail 'en_US.UTF-8' salt.modules.localemod.gen_locale(locale, **kwargs) Generate a locale. Options: New in version 2014.7.0. Parameters locale -- Any locale listed in /usr/share/i18n/locales or /usr/share/i18n/SUPPORTED for Debian and Gentoo based distributions, which require the charmap to be specified as part of the locale when generating it. verbose Show extra warnings about errors that are normally ignored. CLI Example: salt '*' locale.gen_locale en_US.UTF-8 salt '*' locale.gen_locale 'en_IE.UTF-8 UTF-8' # Debian/Gentoo only salt.modules.localemod.get_locale() Get the current system locale CLI Example: salt '*' locale.get_locale salt.modules.localemod.list_avail() Lists available (compiled) locales CLI Example: salt '*' locale.list_avail salt.modules.localemod.set_locale(locale) Sets the current system locale CLI Example: salt '*' locale.set_locale 'en_US.UTF-8' salt.modules.locate Module for using the locate utilities salt.modules.locate.locate(pattern, database='', limit=0, **kwargs) Performs a file lookup. Valid options (and their defaults) are: basename=False count=False existing=False follow=True ignore=False nofollow=False wholename=True regex=False database=<locate's default database> limit=<integer, not set by default> See the manpage for locate(1) for further explanation of these options. CLI Example: salt '*' locate.locate salt.modules.locate.stats() Returns statistics about the locate database CLI Example: salt '*' locate.stats salt.modules.locate.updatedb() Updates the locate database CLI Example: salt '*' locate.updatedb salt.modules.locate.version() Returns the version of locate CLI Example: salt '*' locate.version salt.modules.logadm Module for managing Solaris logadm based log rotations. salt.modules.logadm.remove(name, conf_file='/etc/logadm.conf') Remove log pattern from logadm CLI Example: salt '*' logadm.remove myapplog salt.modules.logadm.rotate(name, pattern=False, count=False, age=False, size=False, copy=True, conf_file='/etc/logadm.conf') Set up pattern for logging. CLI Example: salt '*' logadm.rotate myapplog pattern='/var/log/myapp/*.log' count=7 salt.modules.logadm.show_conf(conf_file='/etc/logadm.conf') Show parsed configuration CLI Example: salt '*' logadm.show_conf salt.modules.logrotate Module for managing logrotate. salt.modules.logrotate.set(key, value, setting=None, conf_file='/etc/logrotate.conf') Set a new value for a specific configuration line CLI Example: salt '*' logrotate.set rotate 2 Can also be used to set a single value inside a multiline configuration block. For instance, to change rotate in the following block: /var/log/wtmp { monthly create 0664 root root rotate 1 } Use the following command: salt '*' logrotate.set /var/log/wtmp rotate 2 This module also has the ability to scan files inside an include directory, and make changes in the appropriate file. salt.modules.logrotate.show_conf(conf_file='/etc/logrotate.conf') Show parsed configuration CLI Example: salt '*' logrotate.show_conf salt.modules.lvs Support for LVS (Linux Virtual Server) salt.modules.lvs.add_server(protocol=None, service_address=None, server_address=None, packet_forward_method='dr', weight=1, **kwargs) Add a real server to a virtual service. protocol The service protocol(only support tcp, udp and fwmark service). service_address The LVS service address. server_address The real server address. packet_forward_method The LVS packet forwarding method(dr for direct routing, tunnel for tunneling, nat for network access translation). weight The capacity of a server relative to the others in the pool. CLI Example: salt '*' lvs.add_server tcp 1.1.1.1:80 192.168.0.11:8080 nat 1 salt.modules.lvs.add_service(protocol=None, service_address=None, scheduler='wlc') Add a virtual service. protocol The service protocol(only support tcp, udp and fwmark service). service_address The LVS service address. scheduler Algorithm for allocating TCP connections and UDP datagrams to real servers. CLI Example: salt '*' lvs.add_service tcp 1.1.1.1:80 rr salt.modules.lvs.check_server(protocol=None, service_address=None, server_address=None, **kwargs) Check the real server exists in the specified service. CLI Example: salt '*' lvs.check_server tcp 1.1.1.1:80 192.168.0.11:8080 salt.modules.lvs.check_service(protocol=None, service_address=None, **kwargs) Check the virtual service exists. CLI Example: salt '*' lvs.check_service tcp 1.1.1.1:80 salt.modules.lvs.clear() Clear the virtual server table CLI Example: salt '*' lvs.clear salt.modules.lvs.delete_server(protocol=None, service_address=None, server_address=None) Delete the realserver from the virtual service. protocol The service protocol(only support tcp, udp and fwmark service). service_address The LVS service address. server_address The real server address. CLI Example: salt '*' lvs.delete_server tcp 1.1.1.1:80 192.168.0.11:8080 salt.modules.lvs.delete_service(protocol=None, service_address=None) Delete the virtual service. protocol The service protocol(only support tcp, udp and fwmark service). service_address The LVS service address. CLI Example: salt '*' lvs.delete_service tcp 1.1.1.1:80 salt.modules.lvs.edit_server(protocol=None, service_address=None, server_address=None, packet_forward_method=None, weight=None, **kwargs) Edit a real server to a virtual service. protocol The service protocol(only support tcp, udp and fwmark service). service_address The LVS service address. server_address The real server address. packet_forward_method The LVS packet forwarding method(dr for direct routing, tunnel for tunneling, nat for network access translation). weight The capacity of a server relative to the others in the pool. CLI Example: salt '*' lvs.edit_server tcp 1.1.1.1:80 192.168.0.11:8080 nat 1 salt.modules.lvs.edit_service(protocol=None, service_address=None, scheduler=None) Edit the virtual service. protocol The service protocol(only support tcp, udp and fwmark service). service_address The LVS service address. scheduler Algorithm for allocating TCP connections and UDP datagrams to real servers. CLI Example: salt '*' lvs.edit_service tcp 1.1.1.1:80 rr salt.modules.lvs.get_rules() Get the virtual server rules CLI Example: salt '*' lvs.get_rules salt.modules.lvs.list(protocol=None, service_address=None) List the virtual server table if service_address is not specified. If a service_address is selected, list this service only. CLI Example: salt '*' lvs.list salt.modules.lvs.zero(protocol=None, service_address=None) Zero the packet, byte and rate counters in a service or all services. CLI Example: salt '*' lvs.zero salt.modules.lxc Control Linux Containers via Salt depends lxc package for distribution lxc >= 1.0 (even beta alpha) is required salt.modules.lxc.apply_network_profile(name, network_profile, nic_opts=None, path=None) New in version 2015.5.0. Apply a network profile to a container network_profile profile name or default values (dict) nic_opts values to override in defaults (dict) indexed by nic card names path path to the container parent New in version 2015.8.0. CLI Examples: salt 'minion' lxc.apply_network_profile web1 centos salt 'minion' lxc.apply_network_profile web1 centos \ nic_opts="{'eth0': {'mac': 'xx:xx:xx:xx:xx:xx'}}" salt 'minion' lxc.apply_network_profile web1 \ "{'eth0': {'mac': 'xx:xx:xx:xx:xx:yy'}}" nic_opts="{'eth0': {'mac': 'xx:xx:xx:xx:xx:xx'}}" The special case to disable use of ethernet nics: salt 'minion' lxc.apply_network_profile web1 centos \ "{eth0: {disable: true}}" salt.modules.lxc.attachable(name, path=None) Return True if the named container can be attached to via the lxc-attach command path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. CLI Example: salt 'minion' lxc.attachable ubuntu salt.modules.lxc.bootstrap(name, config=None, approve_key=True, install=True, pub_key=None, priv_key=None, bootstrap_url=None, force_install=False, unconditional_install=False, path=None, bootstrap_delay=None, bootstrap_args=None, bootstrap_shell=None) Install and configure salt in a container. config Minion configuration options. By default, the master option is set to the target host's master. approve_key Request a pre-approval of the generated minion key. Requires that the salt-master be configured to either auto-accept all keys or expect a signing request from the target host. Default: True path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. pub_key Explicit public key to pressed the minion with (optional). This can be either a filepath or a string representing the key priv_key Explicit private key to pressed the minion with (optional). This can be either a filepath or a string representing the key bootstrap_delay Delay in seconds between end of container creation and bootstrapping. Useful when waiting for container to obtain a DHCP lease. New in version 2015.5.0. bootstrap_url url, content or filepath to the salt bootstrap script bootstrap_args salt bootstrap script arguments bootstrap_shell shell to execute the script into install Whether to attempt a full installation of salt-minion if needed. force_install Force installation even if salt-minion is detected, this is the way to run vendor bootstrap scripts even if a salt minion is already present in the container unconditional_install Run the script even if the container seems seeded CLI Examples: salt 'minion' lxc.bootstrap container_name [config=config_data] \ [approve_key=(True|False)] [install=(True|False)] salt.modules.lxc.clone(name, orig, profile=None, network_profile=None, nic_opts=None, **kwargs) Create a new container as a clone of another container name Name of the container orig Name of the original container to be cloned profile Profile to use in container cloning (see lxc.get_container_profile). Values in a profile will be overridden by the Container Cloning Arguments listed below. path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. Container Cloning Arguments snapshot Use Copy On Write snapshots (LVM) size 1G Size of the volume to create. Only applicable if backing=lvm. backing The type of storage to use. Set to lvm to use an LVM group. Defaults to filesystem within /var/lib/lxc. network_profile Network profile to use for container New in version 2015.8.0. nic_opts give extra opts overriding network profile values New in version 2015.8.0. CLI Examples: salt '*' lxc.clone myclone orig=orig_container salt '*' lxc.clone myclone orig=orig_container snapshot=True salt.modules.lxc.cloud_init(name, vm_=None, **kwargs) Thin wrapper to lxc.init to be used from the saltcloud lxc driver name Name of the container may be None and then guessed from saltcloud mapping vm_ saltcloud mapping defaults for the vm CLI Example: salt '*' lxc.cloud_init foo salt.modules.lxc.cloud_init_interface(name, vm_=None, **kwargs) Interface between salt.cloud.lxc driver and lxc.init vm_ is a mapping of vm opts in the salt.cloud format as documented for the lxc driver. This can be used either: • from the salt cloud driver • because you find the argument to give easier here than using directly lxc.init WARNING: BE REALLY CAREFUL CHANGING DEFAULTS !!! IT'S A RETRO COMPATIBLE INTERFACE WITH THE SALT CLOUD DRIVER (ask kiorky). name name of the lxc container to create pub_key public key to preseed the minion with. Can be the keycontent or a filepath priv_key private key to preseed the minion with. Can be the keycontent or a filepath path path to the container parent directory (default: /var/lib/lxc) New in version 2015.8.0. profile profile selection network_profile network profile selection nic_opts per interface settings compatibles with network profile (ipv4/ipv6/link/gateway/mac/netmask) eg: - {'eth0': {'mac': '00:16:3e:01:29:40', 'gateway': None, (default) 'link': 'br0', (default) 'gateway': None, (default) 'netmask': '', (default) 'ip': '22.1.4.25'}} unconditional_install given to lxc.bootstrap (see relative doc) force_install given to lxc.bootstrap (see relative doc) config any extra argument for the salt minion config dnsservers dns servers to set inside the container autostart autostart the container at boot time password administrative password for the container bootstrap_delay delay before launching bootstrap script at Container init WARNING: Legacy but still supported options: from_container which container we use as a template when running lxc.clone image which template do we use when we are using lxc.create. This is the default mode unless you specify something in from_container backing which backing store to use. Values can be: overlayfs, dir(default), lvm, zfs, brtfs fstype When using a blockdevice level backing store, which filesystem to use on size When using a blockdevice level backing store, which size for the filesystem to use on snapshot Use snapshot when cloning the container source vgname if using LVM: vgname lvname if using LVM: lvname ip ip for the primary nic mac mac address for the primary nic netmask netmask for the primary nic (24) = vm_.get('netmask', '24') bridge bridge for the primary nic (lxcbr0) gateway network gateway for the container additional_ips additional ips which will be wired on the main bridge (br0) which is connected to internet. Be aware that you may use manual virtual mac addresses providen by you provider (online, ovh, etc). This is a list of mappings {ip: '', mac: '', netmask:''} Set gateway to None and an interface with a gateway to escape from another interface that eth0. eg: - {'mac': '00:16:3e:01:29:40', 'gateway': None, (default) 'link': 'br0', (default) 'netmask': '', (default) 'ip': '22.1.4.25'} users administrative users for the container default: [root] and [root, ubuntu] on ubuntu default_nic name of the first interface, you should really not override this CLI Example: salt '*' lxc.cloud_init_interface foo salt.modules.lxc.copy_to(name, source, dest, overwrite=False, makedirs=False, path=None) Changed in version 2015.8.0: Function renamed from lxc.cp to lxc.copy_to for consistency with other container types. lxc.cp will continue to work, however. For versions 2015.2.x and earlier, use lxc.cp. Copy a file or directory from the host into a container name Container name source File to be copied to the container path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. dest Destination on the container. Must be an absolute path. Changed in version 2015.5.0: If the destination is a directory, the file will be copied into that directory. overwrite False Unless this option is set to True, then if a file exists at the location specified by the dest argument, an error will be raised. New in version 2015.8.0. makedirs : False Create the parent directory on the container if it does not already exist. New in version 2015.5.0. CLI Example: salt 'minion' lxc.copy_to /tmp/foo /root/foo salt 'minion' lxc.cp /tmp/foo /root/foo salt.modules.lxc.create(name, config=None, profile=None, network_profile=None, nic_opts=None, **kwargs) Create a new container. name Name of the container config The config file to use for the container. Defaults to system-wide config (usually in /etc/lxc/lxc.conf). profile Profile to use in container creation (see lxc.get_container_profile). Values in a profile will be overridden by the Container Creation Arguments listed below. network_profile Network profile to use for container New in version 2015.5.0. Container Creation Arguments template The template to use. For example, ubuntu or fedora. Conflicts with the image argument. NOTE: The download template requires the following three parameters to be defined in options: • dist - The name of the distribution • release - Release name/version • arch - Architecture of the container The available images can be listed using the lxc.images function. options Template-specific options to pass to the lxc-create command. These correspond to the long options (ones beginning with two dashes) that the template script accepts. For example: options='{"dist": "centos", "release": "6", "arch": "amd64"}' image A tar archive to use as the rootfs for the container. Conflicts with the template argument. backing The type of storage to use. Set to lvm to use an LVM group. Defaults to filesystem within /var/lib/lxc. fstype Filesystem type to use on LVM logical volume size 1G Size of the volume to create. Only applicable if backing=lvm. vgname lxc Name of the LVM volume group in which to create the volume for this container. Only applicable if backing=lvm. lvname Name of the LVM logical volume in which to create the volume for this container. Only applicable if backing=lvm. nic_opts give extra opts overriding network profile values path parent path for the container creation (default: /var/lib/lxc) New in version 2015.8.0. salt.modules.lxc.destroy(name, stop=False, path=None) Destroy the named container. WARNING: Destroys all data associated with the container. path path to the container parent directory (default: /var/lib/lxc) New in version 2015.8.0. stop False If True, the container will be destroyed even if it is running/frozen. Changed in version 2015.5.0: Default value changed to False. This more closely matches the behavior of lxc-destroy(1), and also makes it less likely that an accidental command will destroy a running container that was being used for important things. CLI Examples: salt '*' lxc.destroy foo salt '*' lxc.destroy foo stop=True salt.modules.lxc.edit_conf(conf_file, out_format='simple', read_only=False, lxc_config=None, **kwargs) Edit an LXC configuration file. If a setting is already present inside the file, its value will be replaced. If it does not exist, it will be appended to the end of the file. Comments and blank lines will be kept in-tact if they already exist in the file. out_format: Set to simple if you need backward compatibility (multiple items for a simple key is not supported) read_only: return only the edited configuration without applying it to the underlying lxc configuration file lxc_config: List of dict containning lxc configuration items For network configuration, you also need to add the device it belongs to, otherwise it will default to eth0. Also, any change to a network parameter will result in the whole network reconfiguration to avoid mismatchs, be aware of that ! After the file is edited, its contents will be returned. By default, it will be returned in simple format, meaning an unordered dict (which may not represent the actual file order). Passing in an out_format of commented will return a data structure which accurately represents the order and content of the file. CLI Example: salt 'minion' lxc.edit_conf /etc/lxc/mycontainer.conf \ out_format=commented lxc.network.type=veth salt 'minion' lxc.edit_conf /etc/lxc/mycontainer.conf \ out_format=commented \ lxc_config="[{'lxc.network.name': 'eth0', \ 'lxc.network.ipv4': '1.2.3.4'}, {'lxc.network.name': 'eth2', \ 'lxc.network.ipv4': '1.2.3.5',\ 'lxc.network.gateway': '1.2.3.1'}]" salt.modules.lxc.exists(name, path=None) Returns whether the named container exists. path path to the container parent directory (default: /var/lib/lxc) New in version 2015.8.0. CLI Example: salt '*' lxc.exists name salt.modules.lxc.freeze(name, **kwargs) Freeze the named container path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. start False If True and the container is stopped, the container will be started before attempting to freeze. New in version 2015.5.0. use_vt run the command through VT New in version 2015.8.0. CLI Example: salt '*' lxc.freeze name salt.modules.lxc.get_container_profile(name=None, **kwargs) New in version 2015.5.0. Gather a pre-configured set of container configuration parameters. If no arguments are passed, an empty profile is returned. Profiles can be defined in the minion or master config files, or in pillar or grains, and are loaded using config.get. The key under which LXC profiles must be configured is lxc.container_profile.profile_name. An example container profile would be as follows: lxc.container_profile: ubuntu: template: ubuntu backing: lvm vgname: lxc size: 1G Parameters set in a profile can be overridden by passing additional container creation arguments (such as the ones passed to lxc.create) to this function. A profile can be defined either as the name of the profile, or a dictionary of variable names and values. See the LXC Tutorial for more information on how to use LXC profiles. CLI Example: salt-call lxc.get_container_profile centos salt-call lxc.get_container_profile ubuntu template=ubuntu backing=overlayfs salt.modules.lxc.get_network_profile(name=None, **kwargs) New in version 2015.5.0. Gather a pre-configured set of network configuration parameters. If no arguments are passed, the following default profile is returned: {'eth0': {'link': 'br0', 'type': 'veth', 'flags': 'up'}} Profiles can be defined in the minion or master config files, or in pillar or grains, and are loaded using config.get. The key under which LXC profiles must be configured is lxc.network_profile. An example network profile would be as follows: lxc.network_profile.centos: eth0: link: br0 type: veth flags: up To disable networking entirely: lxc.network_profile.centos: eth0: disable: true Parameters set in a profile can be overridden by passing additional arguments to this function. A profile can be passed either as the name of the profile, or a dictionary of variable names and values. See the LXC Tutorial for more information on how to use network profiles. WARNING: The ipv4, ipv6, gateway, and link (bridge) settings in network profiles will only work if the container doesn't redefine the network configuration (for example in /etc/sysconfig/network-scripts/ifcfg-<interface_name> on RHEL/CentOS, or /etc/network/interfaces on Debian/Ubuntu/etc.) CLI Example: salt-call lxc.get_network_profile default salt.modules.lxc.get_parameter(name, parameter, path=None) Returns the value of a cgroup parameter for a container path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. CLI Example: salt '*' lxc.get_parameter container_name memory.limit_in_bytes salt.modules.lxc.get_root_path(path) Get the configured lxc root for containers New in version 2015.8.0. CLI Example: salt '*' lxc.get_root_path salt.modules.lxc.images(dist=None) New in version 2015.5.0. List the available images for LXC's download template. dist None Filter results to a single Linux distribution CLI Examples: salt myminion lxc.images salt myminion lxc.images dist=centos salt.modules.lxc.info(name, path=None) Returns information about a container path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. CLI Example: salt '*' lxc.info name salt.modules.lxc.init(name, config=None, cpuset=None, cpushare=None, memory=None, profile=None, network_profile=None, nic=<object object>, nic_opts=None, cpu=None, autostart=True, password=None, password_encrypted=None, users=None, dnsservers=None, searchdomains=None, bridge=None, gateway=None, pub_key=None, priv_key=None, force_install=False, unconditional_install=False, bootstrap_delay=None, bootstrap_args=None, bootstrap_shell=None, bootstrap_url=None, **kwargs) Initialize a new container. This is a partial idempotent function as if it is already provisioned, we will reset a bit the lxc configuration file but much of the hard work will be escaped as markers will prevent re-execution of harmful tasks. name Name of the container image A tar archive to use as the rootfs for the container. Conflicts with the template argument. cpus Select a random number of cpu cores and assign it to the cpuset, if the cpuset option is set then this option will be ignored cpuset Explicitly define the cpus this container will be bound to cpushare cgroups cpu shares autostart autostart container on reboot memory cgroups memory limit, in MB Changed in version 2015.5.0: If no value is passed, no limit is set. In earlier Salt versions, not passing this value causes a 1024MB memory limit to be set, and it was necessary to pass memory=0 to set no limit. gateway the ipv4 gateway to use the default does nothing more than lxcutils does bridge the bridge to use the default does nothing more than lxcutils does network_profile Network profile to use for the container New in version 2015.5.0. nic Deprecated since version 2015.5.0: Use network_profile instead nic_opts Extra options for network interfaces, will override {"eth0": {"hwaddr": "aa:bb:cc:dd:ee:ff", "ipv4": "10.1.1.1", "ipv6": "2001:db8::ff00:42:8329"}} or {"eth0": {"hwaddr": "aa:bb:cc:dd:ee:ff", "ipv4": "10.1.1.1/24", "ipv6": "2001:db8::ff00:42:8329"}} users Users for which the password defined in the password param should be set. Can be passed as a comma separated list or a python list. Defaults to just the root user. password Set the initial password for the users defined in the users parameter password_encrypted False Set to True to denote a password hash instead of a plaintext password New in version 2015.5.0. profile A LXC profile (defined in config or pillar). This can be either a real profile mapping or a string to retrieve it in configuration start Start the newly-created container dnsservers list of dns servers to set in the container, default [] (no setting) seed Seed the container with the minion config. Default: True install If salt-minion is not already installed, install it. Default: True config Optional config parameters. By default, the id is set to the name of the container. master salt master (default to minion's master) master_port salt master port (default to minion's master port) pub_key Explicit public key to preseed the minion with (optional). This can be either a filepath or a string representing the key priv_key Explicit private key to preseed the minion with (optional). This can be either a filepath or a string representing the key approve_key If explicit preseeding is not used; Attempt to request key approval from the master. Default: True path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. clone Deprecated since version 2015.5.0: Use clone_from instead clone_from Original from which to use a clone operation to create the container. Default: None bootstrap_delay Delay in seconds between end of container creation and bootstrapping. Useful when waiting for container to obtain a DHCP lease. New in version 2015.5.0. bootstrap_url See lxc.bootstrap bootstrap_shell See lxc.bootstrap bootstrap_args See lxc.bootstrap force_install Force installation even if salt-minion is detected, this is the way to run vendor bootstrap scripts even if a salt minion is already present in the container unconditional_install Run the script even if the container seems seeded CLI Example: salt 'minion' lxc.init name [cpuset=cgroups_cpuset] \ [cpushare=cgroups_cpushare] [memory=cgroups_memory] \ [nic=nic_profile] [profile=lxc_profile] \ [nic_opts=nic_opts] [start=(True|False)] \ [seed=(True|False)] [install=(True|False)] \ [config=minion_config] [approve_key=(True|False) \ [clone_from=original] [autostart=True] \ [priv_key=/path_or_content] [pub_key=/path_or_content] \ [bridge=lxcbr0] [gateway=10.0.3.1] \ [dnsservers[dns1,dns2]] \ [users=[foo]] [password='secret'] \ [password_encrypted=(True|False)] salt.modules.lxc.list(extra=False, limit=None, path=None) List containers classified by state extra Also get per-container specific info. This will change the return data. Instead of returning a list of containers, a dictionary of containers and each container's output from lxc.info. path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. limit Return output matching a specific state (frozen, running, or stopped). New in version 2015.5.0. CLI Examples: salt '*' lxc.list salt '*' lxc.list extra=True salt '*' lxc.list limit=running salt.modules.lxc.ls(active=None, cache=True, path=None) Return a list of the containers available on the minion path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. active If True, return only active (i.e. running) containers New in version 2015.5.0. CLI Example: salt '*' lxc.ls salt '*' lxc.ls active=True salt.modules.lxc.read_conf(conf_file, out_format='simple') Read in an LXC configuration file. By default returns a simple, unsorted dict, but can also return a more detailed structure including blank lines and comments. out_format: set to 'simple' if you need the old and unsupported behavior. This won't support the multiple lxc values (eg: multiple network nics) CLI Examples: salt 'minion' lxc.read_conf /etc/lxc/mycontainer.conf salt 'minion' lxc.read_conf /etc/lxc/mycontainer.conf out_format=commented salt.modules.lxc.reboot(name, path=None) Reboot a container. path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. CLI Examples: salt 'minion' lxc.reboot myvm salt.modules.lxc.reconfigure(name, cpu=None, cpuset=None, cpushare=None, memory=None, profile=None, network_profile=None, nic_opts=None, bridge=None, gateway=None, autostart=None, path=None, **kwargs) Reconfigure a container. This only applies to a few property name Name of the container. cpu Select a random number of cpu cores and assign it to the cpuset, if the cpuset option is set then this option will be ignored cpuset Explicitly define the cpus this container will be bound to cpushare cgroups cpu shares. autostart autostart container on reboot memory cgroups memory limit, in MB. (0 for nolimit, None for old default 1024MB) gateway the ipv4 gateway to use the default does nothing more than lxcutils does bridge the bridge to use the default does nothing more than lxcutils does nic Network interfaces profile (defined in config or pillar). nic_opts Extra options for network interfaces, will override {"eth0": {"mac": "aa:bb:cc:dd:ee:ff", "ipv4": "10.1.1.1", "ipv6": "2001:db8::ff00:42:8329"}} or {"eth0": {"mac": "aa:bb:cc:dd:ee:ff", "ipv4": "10.1.1.1/24", "ipv6": "2001:db8::ff00:42:8329"}} path path to the container parent New in version 2015.8.0. CLI Example: salt-call -lall mc_lxc_fork.reconfigure foobar nic_opts="{'eth1': {'mac': '00:16:3e:dd:ee:44'}}" memory=4 salt.modules.lxc.restart(name, path=None, lxc_config=None, force=False) New in version 2015.5.0. Restart the named container. If the container was not running, the container will merely be started. name The name of the container path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. lxc_config path to a lxc config file config file will be guessed from container name otherwise New in version 2015.8.0. force False If True, the container will be force-stopped instead of gracefully shut down CLI Example: salt myminion lxc.restart name salt.modules.lxc.retcode(name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, path=None, ignore_retcode=False, chroot_fallback=False, keep_env='http_proxy, https_proxy, no_proxy') New in version 2015.5.0. Run cmd.retcode within a container WARNING: Many shell builtins do not work, failing with stderr similar to the following: lxc_container: No such file or directory - failed to exec 'command' The same error will be displayed in stderr if the command being run does not exist. If the retcode is nonzero and not what was expected, try using lxc.run_stderr or lxc.run_all. name Name of the container in which to run the command cmd Command to run no_start False If the container is not running, don't start it preserve_state True After running the command, return the container to its previous state path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console output=all. keep_env http_proxy,https_proxy,no_proxy A list of env vars to preserve. May be passed as commma-delimited list. chroot_fallback if the container is not running, try to run the command using chroot default: false CLI Example: salt myminion lxc.retcode mycontainer 'ip addr show' salt.modules.lxc.run(name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, path=None, ignore_retcode=False, chroot_fallback=False, keep_env='http_proxy, https_proxy, no_proxy') New in version 2015.8.0. Run cmd.run within a container WARNING: Many shell builtins do not work, failing with stderr similar to the following: lxc_container: No such file or directory - failed to exec 'command' The same error will be displayed in stderr if the command being run does not exist. If no output is returned using this function, try using lxc.run_stderr or lxc.run_all. name Name of the container in which to run the command cmd Command to run path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. no_start False If the container is not running, don't start it preserve_state True After running the command, return the container to its previous state stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. Assumes output=all. chroot_fallback if the container is not running, try to run the command using chroot default: false keep_env http_proxy,https_proxy,no_proxy A list of env vars to preserve. May be passed as commma-delimited list. CLI Example: salt myminion lxc.run mycontainer 'ifconfig -a' salt.modules.lxc.run_all(name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, path=None, ignore_retcode=False, chroot_fallback=False, keep_env='http_proxy, https_proxy, no_proxy') New in version 2015.5.0. Run cmd.run_all within a container NOTE: While the command is run within the container, it is initiated from the host. Therefore, the PID in the return dict is from the host, not from the container. WARNING: Many shell builtins do not work, failing with stderr similar to the following: lxc_container: No such file or directory - failed to exec 'command' The same error will be displayed in stderr if the command being run does not exist. name Name of the container in which to run the command path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. cmd Command to run no_start False If the container is not running, don't start it preserve_state True After running the command, return the container to its previous state stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console output=all. keep_env http_proxy,https_proxy,no_proxy A list of env vars to preserve. May be passed as commma-delimited list. chroot_fallback if the container is not running, try to run the command using chroot default: false CLI Example: salt myminion lxc.run_all mycontainer 'ip addr show' salt.modules.lxc.run_cmd(name, cmd, no_start=False, preserve_state=True, stdin=None, stdout=True, stderr=False, python_shell=True, path=None, output_loglevel='debug', use_vt=False, ignore_retcode=False, chroot_fallback=False, keep_env='http_proxy, https_proxy, no_proxy') path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. Deprecated since version 2015.5.0: Use lxc.run instead salt.modules.lxc.run_stderr(name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, path=None, ignore_retcode=False, chroot_fallback=False, keep_env='http_proxy, https_proxy, no_proxy') New in version 2015.5.0. Run cmd.run_stderr within a container WARNING: Many shell builtins do not work, failing with stderr similar to the following: lxc_container: No such file or directory - failed to exec 'command' The same error will be displayed if the command being run does not exist. name Name of the container in which to run the command cmd Command to run path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. no_start False If the container is not running, don't start it preserve_state True After running the command, return the container to its previous state stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console output=all. keep_env http_proxy,https_proxy,no_proxy A list of env vars to preserve. May be passed as commma-delimited list. chroot_fallback if the container is not running, try to run the command using chroot default: false CLI Example: salt myminion lxc.run_stderr mycontainer 'ip addr show' salt.modules.lxc.run_stdout(name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, path=None, ignore_retcode=False, chroot_fallback=False, keep_env='http_proxy, https_proxy, no_proxy') New in version 2015.5.0. Run cmd.run_stdout within a container WARNING: Many shell builtins do not work, failing with stderr similar to the following: lxc_container: No such file or directory - failed to exec 'command' The same error will be displayed in stderr if the command being run does not exist. If no output is returned using this function, try using lxc.run_stderr or lxc.run_all. name Name of the container in which to run the command cmd Command to run path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. no_start False If the container is not running, don't start it preserve_state True After running the command, return the container to its previous state stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console output=all. keep_env http_proxy,https_proxy,no_proxy A list of env vars to preserve. May be passed as commma-delimited list. chroot_fallback if the container is not running, try to run the command using chroot default: false CLI Example: salt myminion lxc.run_stdout mycontainer 'ifconfig -a' salt.modules.lxc.running_systemd(name, cache=True, path=None) Determine if systemD is running path path to the container parent New in version 2015.8.0. CLI Example: salt '*' lxc.running_systemd ubuntu salt.modules.lxc.search_lxc_bridge() Search the first bridge which is potentially available as LXC bridge CLI Example: salt '*' lxc.search_lxc_bridge salt.modules.lxc.search_lxc_bridges() Search which bridges are potentially available as LXC bridges CLI Example: salt '*' lxc.search_lxc_bridges salt.modules.lxc.set_dns(name, dnsservers=None, searchdomains=None, path=None) Changed in version 2015.5.0: The dnsservers and searchdomains parameters can now be passed as a comma-separated list. Update /etc/resolv.confo path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. CLI Example: salt myminion lxc.set_dns ubuntu "['8.8.8.8', '4.4.4.4']" salt.modules.lxc.set_parameter(name, parameter, value, path=None) Set the value of a cgroup parameter for a container. path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. CLI Example: salt '*' lxc.set_parameter name parameter value salt.modules.lxc.set_password(name, users, password, encrypted=True, path=None) Changed in version 2015.5.0: Function renamed from set_pass to set_password. Additionally, this function now supports (and defaults to using) a password hash instead of a plaintext password. Set the password of one or more system users inside containers users Comma-separated list (or python list) of users to change password password Password to set for the specified user(s) encrypted True If true, password must be a password hash. Set to False to set a plaintext password (not recommended). New in version 2015.5.0. path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. CLI Example: salt '*' lxc.set_pass container-name root '$6$uJ2uAyLU$KoI67t8As/0fXtJOPcHKGXmUpcoYUcVR2K6x93walnShTCQvjRwq25yIkiCBOqgbfdKQSFnAo28/ek6716vEV1' salt '*' lxc.set_pass container-name root foo encrypted=False salt.modules.lxc.start(name, **kwargs) Start the named container restart False Deprecated since version 2015.5.0: Use lxc.restart Restart the container if it is already running path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. lxc_config path to a lxc config file config file will be guessed from container name otherwise New in version 2015.8.0. use_vt run the command through VT New in version 2015.8.0. CLI Example: salt myminion lxc.start name salt.modules.lxc.state(name, path=None) Returns the state of a container. path path to the container parent directory (default: /var/lib/lxc) New in version 2015.8.0. CLI Example: salt '*' lxc.state name salt.modules.lxc.stop(name, kill=False, path=None, use_vt=None) Stop the named container path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. kill: False Do not wait for the container to stop, kill all tasks in the container. Older LXC versions will stop containers like this irrespective of this argument. Changed in version 2015.5.0: Default value changed to False use_vt run the command through VT New in version 2015.8.0. CLI Example: salt myminion lxc.stop name salt.modules.lxc.systemd_running_state(name, path=None) Get the operational state of a systemd based container path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. CLI Example: salt myminion lxc.systemd_running_state ubuntu salt.modules.lxc.templates() New in version 2015.5.0. List the available LXC template scripts installed on the minion CLI Examples: salt myminion lxc.templates salt.modules.lxc.test_bare_started_state(name, path=None) Test if a non systemd container is fully started For now, it consists only to test if the container is attachable path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. CLI Example: salt myminion lxc.test_bare_started_state ubuntu salt.modules.lxc.test_sd_started_state(name, path=None) Test if a systemd container is fully started path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. CLI Example: salt myminion lxc.test_sd_started_state ubuntu salt.modules.lxc.unfreeze(name, path=None, use_vt=None) Unfreeze the named container. path path to the container parent directory default: /var/lib/lxc (system) New in version 2015.8.0. use_vt run the command through VT New in version 2015.8.0. CLI Example: salt '*' lxc.unfreeze name salt.modules.lxc.update_lxc_conf(name, lxc_conf, lxc_conf_unset, path=None) Edit LXC configuration options path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. CLI Example: salt myminion lxc.update_lxc_conf ubuntu \ lxc_conf="[{'network.ipv4.ip':'10.0.3.5'}]" \ lxc_conf_unset="['lxc.utsname']" salt.modules.lxc.version() Return the actual lxc client version New in version 2015.8.0. CLI Example: salt '*' lxc.version salt.modules.lxc.wait_started(name, path=None, timeout=300) Check that the system has fully inited This is actually very important for systemD based containers see https://github.com/saltstack/salt/issues/23847 path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. CLI Example: salt myminion lxc.wait_started ubuntu salt.modules.lxc.write_conf(conf_file, conf) Write out an LXC configuration file This is normally only used internally. The format of the data structure must match that which is returned from lxc.read_conf(), with out_format set to commented. An example might look like: [ {'lxc.utsname': '$CONTAINER_NAME'}, '# This is a commented line\n', '\n', {'lxc.mount': '$CONTAINER_FSTAB'}, {'lxc.rootfs': {'comment': 'This is another test', 'value': 'This is another test'}}, '\n', {'lxc.network.type': 'veth'}, {'lxc.network.flags': 'up'}, {'lxc.network.link': 'br0'}, {'lxc.network.mac': '$CONTAINER_MACADDR'}, {'lxc.network.ipv4': '$CONTAINER_IPADDR'}, {'lxc.network.name': '$CONTAINER_DEVICENAME'}, ] CLI Example: salt 'minion' lxc.write_conf /etc/lxc/mycontainer.conf \ out_format=commented salt.modules.mac_group Manage groups on Mac OS 10.7+ salt.modules.mac_group.add(name, gid=None, **kwargs) Add the specified group CLI Example: salt '*' group.add foo 3456 salt.modules.mac_group.chgid(name, gid) Change the gid for a named group CLI Example: salt '*' group.chgid foo 4376 salt.modules.mac_group.delete(name) Remove the named group CLI Example: salt '*' group.delete foo salt.modules.mac_group.getent(refresh=False) Return info on all groups CLI Example: salt '*' group.getent salt.modules.mac_group.info(name) Return information about a group CLI Example: salt '*' group.info foo salt.modules.mac_user Manage users on Mac OS 10.7+ salt.modules.mac_user.add(name, uid=None, gid=None, groups=None, home=None, shell=None, fullname=None, createhome=True, **kwargs) Add a user to the minion CLI Example: salt '*' user.add name <uid> <gid> <groups> <home> <shell> salt.modules.mac_user.chfullname(name, fullname) Change the user's Full Name CLI Example: salt '*' user.chfullname foo 'Foo Bar' salt.modules.mac_user.chgid(name, gid) Change the default group of the user CLI Example: salt '*' user.chgid foo 4376 salt.modules.mac_user.chgroups(name, groups, append=False) Change the groups to which the user belongs. Note that the user's primary group does not have to be one of the groups passed, membership in the user's primary group is automatically assumed. groups Groups to which the user should belong, can be passed either as a python list or a comma-separated string append Instead of removing user from groups not included in the groups parameter, just add user to any groups for which they are not members CLI Example: salt '*' user.chgroups foo wheel,root salt.modules.mac_user.chhome(name, home) Change the home directory of the user CLI Example: salt '*' user.chhome foo /Users/foo salt.modules.mac_user.chshell(name, shell) Change the default shell of the user CLI Example: salt '*' user.chshell foo /bin/zsh salt.modules.mac_user.chuid(name, uid) Change the uid for a named user CLI Example: salt '*' user.chuid foo 4376 salt.modules.mac_user.delete(name, *args) Remove a user from the minion CLI Example: salt '*' user.delete foo salt.modules.mac_user.getent(refresh=False) Return the list of all info for all users CLI Example: salt '*' user.getent salt.modules.mac_user.info(name) Return user information CLI Example: salt '*' user.info root salt.modules.mac_user.list_groups(name) Return a list of groups the named user belongs to CLI Example: salt '*' user.list_groups foo salt.modules.mac_user.list_users() Return a list of all users CLI Example: salt '*' user.list_users salt.modules.mac_user.rename(name, new_name) Change the username for a named user CLI Example: salt '*' user.rename name new_name salt.modules.macports Support for MacPorts under Mac OSX. This module has some caveats. 1. Updating the database of available ports is quite resource-intensive. However, refresh=True is the default for all operations that need an up-to-date copy of available ports. Consider refresh=False when you are sure no db update is needed. 2. In some cases MacPorts doesn't always realize when another copy of itself is running and will gleefully tromp all over the available ports database. This makes MacPorts behave in undefined ways until a fresh complete copy is retrieved. Because of 1 and 2 it is possible to get the salt-minion into a state where salt mac-machine pkg./something/ won't want to return. Use salt-run jobs.active on the master to check for potentially long-running calls to port. Finally, ports database updates are always handled with port selfupdate as opposed to port sync. This makes sense in the MacPorts user commmunity but may confuse experienced Linux admins as Linux package managers don't upgrade the packaging software when doing a package database update. In other words salt mac-machine pkg.refresh_db is more like apt-get update; apt-get upgrade dpkg apt-get than simply apt-get update. salt.modules.macports.available_version(*names, **kwargs) This function is an alias of latest_version. Return the latest version of the named package available for upgrade or installation Options: refresh Update ports with port selfupdate CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> <package3> salt.modules.macports.install(name=None, refresh=False, pkgs=None, **kwargs) Install the passed package(s) with port install name The name of the formula to be installed. Note that this parameter is ignored if "pkgs" is passed. CLI Example: salt '*' pkg.install <package name> version Specify a version to pkg to install. Ignored if pkgs is specified. CLI Example: salt '*' pkg.install <package name> salt '*' pkg.install git-core version='1.8.5.5' variant Specify a variant to pkg to install. Ignored if pkgs is specified. CLI Example: salt '*' pkg.install <package name> salt '*' pkg.install git-core version='1.8.5.5' variant='+credential_osxkeychain+doc+pcre' Multiple Package Installation Options: pkgs A list of formulas to install. Must be passed as a python list. CLI Example: salt '*' pkg.install pkgs='["foo","bar"]' salt '*' pkg.install pkgs='["foo@1.2","bar"]' salt '*' pkg.install pkgs='["foo@1.2+ssl","bar@2.3"]' Returns a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.install 'package package package' salt.modules.macports.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation Options: refresh Update ports with port selfupdate CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> <package3> salt.modules.macports.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed in a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt.modules.macports.list_upgrades(refresh=True) Check whether or not an upgrade is available for all packages Options: refresh Update ports with port selfupdate CLI Example: salt '*' pkg.list_upgrades salt.modules.macports.refresh_db() Update ports with port selfupdate salt.modules.macports.remove(name=None, pkgs=None, **kwargs) Removes packages with port uninstall. name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.macports.upgrade(refresh=True) Run a full upgrade using MacPorts 'port upgrade outdated' Options: refresh Update ports with port selfupdate Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.upgrade salt.modules.macports.upgrade_available(pkg, refresh=True) Check whether or not an upgrade is available for a given package CLI Example: salt '*' pkg.upgrade_available <package name> salt.modules.macports.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> salt.modules.makeconf Support for modifying make.conf under Gentoo salt.modules.makeconf.append_cflags(value) Add to or create a new CFLAGS in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.append_cflags '-pipe' salt.modules.makeconf.append_cxxflags(value) Add to or create a new CXXFLAGS in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.append_cxxflags '-pipe' salt.modules.makeconf.append_emerge_default_opts(value) Add to or create a new EMERGE_DEFAULT_OPTS in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.append_emerge_default_opts '--jobs' salt.modules.makeconf.append_features(value) Add to or create a new FEATURES in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.append_features 'webrsync-gpg' salt.modules.makeconf.append_gentoo_mirrors(value) Add to or create a new GENTOO_MIRRORS in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.append_gentoo_mirrors 'http://distfiles.gentoo.org' salt.modules.makeconf.append_makeopts(value) Add to or create a new MAKEOPTS in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.append_makeopts '-j3' salt.modules.makeconf.append_var(var, value) Add to or create a new variable in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.append_var 'LINGUAS' 'en' salt.modules.makeconf.cflags_contains(value) Verify if CFLAGS variable contains a value in make.conf Return True if value is set for var CLI Example: salt '*' makeconf.cflags_contains '-pipe' salt.modules.makeconf.chost_contains(value) Verify if CHOST variable contains a value in make.conf Return True if value is set for var CLI Example: salt '*' makeconf.chost_contains 'x86_64-pc-linux-gnu' salt.modules.makeconf.cxxflags_contains(value) Verify if CXXFLAGS variable contains a value in make.conf Return True if value is set for var CLI Example: salt '*' makeconf.cxxflags_contains '-pipe' salt.modules.makeconf.emerge_default_opts_contains(value) Verify if EMERGE_DEFAULT_OPTS variable contains a value in make.conf Return True if value is set for var CLI Example: salt '*' makeconf.emerge_default_opts_contains '--jobs' salt.modules.makeconf.features_contains(value) Verify if FEATURES variable contains a value in make.conf Return True if value is set for var CLI Example: salt '*' makeconf.features_contains 'webrsync-gpg' salt.modules.makeconf.gentoo_mirrors_contains(value) Verify if GENTOO_MIRRORS variable contains a value in make.conf Return True if value is set for var CLI Example: salt '*' makeconf.gentoo_mirrors_contains 'http://distfiles.gentoo.org' salt.modules.makeconf.get_cflags() Get the value of CFLAGS variable in the make.conf Return the value of the variable or None if the variable is not in the make.conf CLI Example: salt '*' makeconf.get_cflags salt.modules.makeconf.get_chost() Get the value of CHOST variable in the make.conf Return the value of the variable or None if the variable is not in the make.conf CLI Example: salt '*' makeconf.get_chost salt.modules.makeconf.get_cxxflags() Get the value of CXXFLAGS variable in the make.conf Return the value of the variable or None if the variable is not in the make.conf CLI Example: salt '*' makeconf.get_cxxflags salt.modules.makeconf.get_emerge_default_opts() Get the value of EMERGE_DEFAULT_OPTS variable in the make.conf Return the value of the variable or None if the variable is not in the make.conf CLI Example: salt '*' makeconf.get_emerge_default_opts salt.modules.makeconf.get_features() Get the value of FEATURES variable in the make.conf Return the value of the variable or None if the variable is not in the make.conf CLI Example: salt '*' makeconf.get_features salt.modules.makeconf.get_gentoo_mirrors() Get the value of GENTOO_MIRRORS variable in the make.conf Return the value of the variable or None if the variable is not in the make.conf CLI Example: salt '*' makeconf.get_gentoo_mirrors salt.modules.makeconf.get_makeopts() Get the value of MAKEOPTS variable in the make.conf Return the value of the variable or None if the variable is not in the make.conf CLI Example: salt '*' makeconf.get_makeopts salt.modules.makeconf.get_sync() Get the value of SYNC variable in the make.conf Return the value of the variable or None if the variable is not in the make.conf CLI Example: salt '*' makeconf.get_sync salt.modules.makeconf.get_var(var) Get the value of a variable in make.conf Return the value of the variable or None if the variable is not in make.conf CLI Example: salt '*' makeconf.get_var 'LINGUAS' salt.modules.makeconf.makeopts_contains(value) Verify if MAKEOPTS variable contains a value in make.conf Return True if value is set for var CLI Example: salt '*' makeconf.makeopts_contains '-j3' salt.modules.makeconf.remove_var(var) Remove a variable from the make.conf Return a dict containing the new value for the variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.remove_var 'LINGUAS' salt.modules.makeconf.set_cflags(value) Set the CFLAGS variable Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.set_cflags '-march=native -O2 -pipe' salt.modules.makeconf.set_chost(value) Set the CHOST variable Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.set_chost 'x86_64-pc-linux-gnu' salt.modules.makeconf.set_cxxflags(value) Set the CXXFLAGS variable Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.set_cxxflags '-march=native -O2 -pipe' salt.modules.makeconf.set_emerge_default_opts(value) Set the EMERGE_DEFAULT_OPTS variable Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.set_emerge_default_opts '--jobs' salt.modules.makeconf.set_gentoo_mirrors(value) Set the GENTOO_MIRRORS variable Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.set_gentoo_mirrors 'http://distfiles.gentoo.org' salt.modules.makeconf.set_makeopts(value) Set the MAKEOPTS variable Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.set_makeopts '-j3' salt.modules.makeconf.set_sync(value) Set the SYNC variable Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.set_sync 'rsync://rsync.namerica.gentoo.org/gentoo-portage' salt.modules.makeconf.set_var(var, value) Set a variable in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.set_var 'LINGUAS' 'en' salt.modules.makeconf.sync_contains(value) Verify if SYNC variable contains a value in make.conf Return True if value is set for var CLI Example: salt '*' makeconf.sync_contains 'rsync://rsync.namerica.gentoo.org/gentoo-portage' salt.modules.makeconf.trim_cflags(value) Remove a value from CFLAGS variable in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.trim_cflags '-pipe' salt.modules.makeconf.trim_cxxflags(value) Remove a value from CXXFLAGS variable in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.trim_cxxflags '-pipe' salt.modules.makeconf.trim_emerge_default_opts(value) Remove a value from EMERGE_DEFAULT_OPTS variable in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.trim_emerge_default_opts '--jobs' salt.modules.makeconf.trim_features(value) Remove a value from FEATURES variable in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.trim_features 'webrsync-gpg' salt.modules.makeconf.trim_gentoo_mirrors(value) Remove a value from GENTOO_MIRRORS variable in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.trim_gentoo_mirrors 'http://distfiles.gentoo.org' salt.modules.makeconf.trim_makeopts(value) Remove a value from MAKEOPTS variable in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.trim_makeopts '-j3' salt.modules.makeconf.trim_var(var, value) Remove a value from a variable in the make.conf Return a dict containing the new value for variable: {'<variable>': {'old': '<old-value>', 'new': '<new-value>'}} CLI Example: salt '*' makeconf.trim_var 'LINGUAS' 'en' salt.modules.makeconf.var_contains(var, value) Verify if variable contains a value in make.conf Return True if value is set for var CLI Example: salt '*' makeconf.var_contains 'LINGUAS' 'en' salt.modules.match The match module allows for match routines to be run and determine target specs salt.modules.match.compound(tgt, minion_id=None) Return True if the minion ID matches the given compound target minion_id Specify the minion ID to match against the target expression New in version 2014.7.0. CLI Example: salt '*' match.compound 'L@cheese,foo and *' salt.modules.match.data(tgt) Return True if the minion matches the given data target CLI Example: salt '*' match.data 'spam:eggs' salt.modules.match.filter_by(lookup, expr_form='compound', minion_id=None) Return the first match in a dictionary of target patterns New in version 2014.7.0. CLI Example: salt '*' match.filter_by '{foo*: Foo!, bar*: Bar!}' minion_id=bar03 Pillar Example: {% set roles = salt['match.filter_by']({ 'web*': ['app', 'caching'], 'db*': ['db'], }) %} salt.modules.match.glob(tgt, minion_id=None) Return True if the minion ID matches the given glob target minion_id Specify the minion ID to match against the target expression New in version 2014.7.0. CLI Example: salt '*' match.glob '*' salt.modules.match.grain(tgt, delimiter=':') Return True if the minion matches the given grain target. The delimiter argument can be used to specify a different delimiter. CLI Example: salt '*' match.grain 'os:Ubuntu' salt '*' match.grain 'ipv6|2001:db8::ff00:42:8329' delimiter='|' delimiter Specify an alternate delimiter to use when traversing a nested dict New in version 2014.7.0. delim Specify an alternate delimiter to use when traversing a nested dict New in version 0.16.4. Deprecated since version 2015.8.0. salt.modules.match.grain_pcre(tgt, delimiter=':') Return True if the minion matches the given grain_pcre target. The delimiter argument can be used to specify a different delimiter. CLI Example: salt '*' match.grain_pcre 'os:Fedo.*' salt '*' match.grain_pcre 'ipv6|2001:.*' delimiter='|' delimiter Specify an alternate delimiter to use when traversing a nested dict New in version 2014.7.0. delim Specify an alternate delimiter to use when traversing a nested dict New in version 0.16.4. Deprecated since version 2015.8.0. salt.modules.match.ipcidr(tgt) Return True if the minion matches the given ipcidr target CLI Example: salt '*' match.ipcidr '192.168.44.0/24' delimiter Pillar Example: '172.16.0.0/12': - match: ipcidr - nodeclass: internal salt.modules.match.list(tgt, minion_id=None) Return True if the minion ID matches the given list target minion_id Specify the minion ID to match against the target expression New in version 2014.7.0. CLI Example: salt '*' match.list 'server1,server2' salt.modules.match.pcre(tgt, minion_id=None) Return True if the minion ID matches the given pcre target minion_id Specify the minion ID to match against the target expression New in version 2014.7.0. CLI Example: salt '*' match.pcre '.*' salt.modules.match.pillar(tgt, delimiter=':') Return True if the minion matches the given pillar target. The delimiter argument can be used to specify a different delimiter. CLI Example: salt '*' match.pillar 'cheese:foo' salt '*' match.pillar 'clone_url|https://github.com/saltstack/salt.git' delimiter='|' delimiter Specify an alternate delimiter to use when traversing a nested dict New in version 2014.7.0. delim Specify an alternate delimiter to use when traversing a nested dict New in version 0.16.4. Deprecated since version 2015.8.0. salt.modules.match.pillar_pcre(tgt, delimiter=':') Return True if the minion matches the given pillar_pcre target. The delimiter argument can be used to specify a different delimiter. CLI Example: salt '*' match.pillar_pcre 'cheese:(swiss|american)' salt '*' match.pillar_pcre 'clone_url|https://github\.com/.*\.git' delimiter='|' delimiter Specify an alternate delimiter to use when traversing a nested dict New in version 2014.7.0. delim Specify an alternate delimiter to use when traversing a nested dict New in version 0.16.4. Deprecated since version 2015.8.0. salt.modules.mdadm Salt module to manage RAID arrays with mdadm salt.modules.mdadm.assemble(name, devices, test_mode=False, **kwargs) Assemble a RAID device. CLI Examples: salt '*' raid.assemble /dev/md0 ['/dev/xvdd', '/dev/xvde'] NOTE: Adding test_mode=True as an argument will print out the mdadm command that would have been run. name The name of the array to assemble. devices The list of devices comprising the array to assemble. kwargs Optional arguments to be passed to mdadm. returns test_mode=True: Prints out the full command. test_mode=False (Default): Executes command on the host(s) and prints out the mdadm output. For more info, read the mdadm manpage. salt.modules.mdadm.create(name, level, devices, metadata='default', test_mode=False, **kwargs) Create a RAID device. Changed in version 2014.7.0. WARNING: Use with CAUTION, as this function can be very destructive if not used properly! CLI Examples: salt '*' raid.create /dev/md0 level=1 chunk=256 devices="['/dev/xvdd', '/dev/xvde']" test_mode=True NOTE: Adding test_mode=True as an argument will print out the mdadm command that would have been run. name The name of the array to create. level The RAID level to use when creating the raid. devices A list of devices used to build the array. metadata Version of metadata to use when creating the array. kwargs Optional arguments to be passed to mdadm. returns test_mode=True: Prints out the full command. test_mode=False (Default): Executes command on remote the host(s) and Prints out the mdadm output. NOTE: It takes time to create a RAID array. You can check the progress in "resync_status:" field of the results from the following command: salt '*' raid.detail /dev/md0 For more info, read the mdadm(8) manpage salt.modules.mdadm.destroy(device) Destroy a RAID device. WARNING This will zero the superblock of all members of the RAID array.. CLI Example: salt '*' raid.destroy /dev/md0 salt.modules.mdadm.detail(device='/dev/md0') Show detail for a specified RAID device CLI Example: salt '*' raid.detail '/dev/md0' salt.modules.mdadm.list() List the RAID devices. CLI Example: salt '*' raid.list salt.modules.mdadm.save_config() Save RAID configuration to config file. Same as: mdadm --detail --scan >> /etc/mdadm/mdadm.conf Fixes this issue with Ubuntu REF: http://askubuntu.com/questions/209702/why-is-my-raid-dev-md1-showing-up-as-dev-md126-is-mdadm-conf-being-ignored CLI Example: salt '*' raid.save_config salt.modules.mdadm.stop() Shut down all arrays that can be shut down (i.e. are not currently in use). CLI Example: salt '*' raid.stop salt.modules.memcached Module for Management of Memcached Keys New in version 2014.1.0. salt.modules.memcached.add(key, value, host='127.0.0.1', port=11211, time=0, min_compress_len=0) Add a key to the memcached server, but only if it does not exist. Returns False if the key already exists. CLI Example: salt '*' memcached.add <key> <value> salt.modules.memcached.decrement(key, delta=1, host='127.0.0.1', port=11211) Decrement the value of a key CLI Example: salt '*' memcached.decrement <key> salt '*' memcached.decrement <key> 2 salt.modules.memcached.delete(key, host='127.0.0.1', port=11211, time=0) Delete a key from memcache server CLI Example: salt '*' memcached.delete <key> salt.modules.memcached.get(key, host='127.0.0.1', port=11211) Retrieve value for a key CLI Example: salt '*' memcached.get <key> salt.modules.memcached.increment(key, delta=1, host='127.0.0.1', port=11211) Increment the value of a key CLI Example: salt '*' memcached.increment <key> salt '*' memcached.increment <key> 2 salt.modules.memcached.replace(key, value, host='127.0.0.1', port=11211, time=0, min_compress_len=0) Replace a key on the memcached server. This only succeeds if the key already exists. This is the opposite of memcached.add CLI Example: salt '*' memcached.replace <key> <value> salt.modules.memcached.set(key, value, host='127.0.0.1', port=11211, time=0, min_compress_len=0) Set a key on the memcached server, overwriting the value if it exists. CLI Example: salt '*' memcached.set <key> <value> salt.modules.memcached.status(host='127.0.0.1', port=11211) Get memcached status CLI Example: salt '*' memcached.status salt.modules.mine The function cache system allows for data to be stored on the master so it can be easily read by other minions salt.modules.mine.delete(fun) Remove specific function contents of minion. Returns True on success. CLI Example: salt '*' mine.delete 'network.interfaces' salt.modules.mine.flush() Remove all mine contents of minion. Returns True on success. CLI Example: salt '*' mine.flush salt.modules.mine.get(tgt, fun, expr_form='glob') Get data from the mine based on the target, function and expr_form Targets can be matched based on any standard matching system that can be matched on the master via these keywords: glob pcre grain grain_pcre compound pillar pillar_pcre Note that all pillar matches, whether using the compound matching system or the pillar matching system, will be exact matches, with globbing disabled. CLI Example: salt '*' mine.get '*' network.interfaces salt '*' mine.get 'os:Fedora' network.interfaces grain salt '*' mine.get 'os:Fedora and S@192.168.5.0/24' network.ipaddrs compound salt.modules.mine.get_docker(interfaces=None, cidrs=None, with_container_id=False) Get all mine data for 'docker.get_containers' and run an aggregation routine. The "interfaces" parameter allows for specifying which network interfaces to select ip addresses from. The "cidrs" parameter allows for specifying a list of cidrs which the ip address must match. with_container_id Boolean, to expose container_id in the list of results New in version 2015.8.2. CLI Example: salt '*' mine.get_docker salt '*' mine.get_docker interfaces='eth0' salt '*' mine.get_docker interfaces='["eth0", "eth1"]' salt '*' mine.get_docker cidrs='107.170.147.0/24' salt '*' mine.get_docker cidrs='["107.170.147.0/24", "172.17.42.0/24"]' salt '*' mine.get_docker interfaces='["eth0", "eth1"]' cidrs='["107.170.147.0/24", "172.17.42.0/24"]' salt.modules.mine.send(func, *args, **kwargs) Send a specific function to the mine. CLI Example: salt '*' mine.send network.ip_addrs eth0 salt '*' mine.send eth0_ip_addrs mine_function=network.ip_addrs eth0 salt.modules.mine.update(clear=False) Execute the configured functions and send the data back up to the master The functions to be executed are merged from the master config, pillar and minion config under the option "function_cache": mine_functions: network.ip_addrs: - eth0 disk.usage: [] The function cache will be populated with information from executing these functions CLI Example: salt '*' mine.update salt.modules.mod_random Provides access to randomness generators. New in version 2014.7.0. salt.modules.mod_random.get_str(length=20) New in version 2014.7.0. Returns a random string of the specified length. length 20 Any valid number of bytes. CLI Example: salt '*' random.get_str 128 salt.modules.mod_random.hash(value, algorithm='sha512') New in version 2014.7.0. Encodes a value with the specified encoder. value The value to be hashed. algorithm sha512 The algorithm to use. May be any valid algorithm supported by hashlib. CLI Example: salt '*' random.hash 'I am a string' md5 salt.modules.mod_random.rand_int(start=1, end=10) Returns a random integer number between the start and end number. start 1 Any valid integer number end 10 Any valid integer number CLI Example: salt '*' random.rand_int 1 10 salt.modules.mod_random.seed(range=10, hash=None) Returns a random number within a range. Optional hash argument can be any hashable object. If hash is omitted or None, the id of the minion is used. hash: None Any hashable object. range: 10 Any valid integer number CLI Example: salt '*' random.seed 10 hash=None salt.modules.mod_random.shadow_hash(crypt_salt=None, password=None, algorithm='sha512') Generates a salted hash suitable for /etc/shadow. crypt_salt None Salt to be used in the generation of the hash. If one is not provided, a random salt will be generated. password None Value to be salted and hashed. If one is not provided, a random password will be generated. algorithm sha512 Hash algorithm to use. CLI Example: salt '*' random.shadow_hash 'My5alT' 'MyP@asswd' md5 salt.modules.mod_random.str_encode(value, encoder='base64') New in version 2014.7.0. value The value to be encoded. encoder base64 The encoder to use on the subsequent string. CLI Example: salt '*' random.str_encode 'I am a new string' base64 salt.modules.modjk Control Modjk via the Apache Tomcat "Status" worker (‐ http://tomcat.apache.org/connectors-doc/reference/status.html) Below is an example of the configuration needed for this module. This configuration data can be placed either in grains or pillar. If using grains, this can be accomplished statically or via a grain module. If using pillar, the yaml configuration can be placed directly into a pillar SLS file, making this both the easier and more dynamic method of configuring this module. modjk: default: url: http://localhost/jkstatus user: modjk pass: secret realm: authentication realm for digest passwords timeout: 5 otherVhost: url: http://otherVhost/jkstatus user: modjk pass: secret2 realm: authentication realm2 for digest passwords timeout: 600 salt.modules.modjk.bulk_activate(workers, lbn, profile='default') Activate all the given workers in the specific load balancer CLI Examples: salt '*' modjk.bulk_activate node1,node2,node3 loadbalancer1 salt '*' modjk.bulk_activate node1,node2,node3 loadbalancer1 other-profile salt '*' modjk.bulk_activate ["node1","node2","node3"] loadbalancer1 salt '*' modjk.bulk_activate ["node1","node2","node3"] loadbalancer1 other-profile salt.modules.modjk.bulk_disable(workers, lbn, profile='default') Disable all the given workers in the specific load balancer CLI Examples: salt '*' modjk.bulk_disable node1,node2,node3 loadbalancer1 salt '*' modjk.bulk_disable node1,node2,node3 loadbalancer1 other-profile salt '*' modjk.bulk_disable ["node1","node2","node3"] loadbalancer1 salt '*' modjk.bulk_disable ["node1","node2","node3"] loadbalancer1 other-profile salt.modules.modjk.bulk_recover(workers, lbn, profile='default') Recover all the given workers in the specific load balancer CLI Examples: salt '*' modjk.bulk_recover node1,node2,node3 loadbalancer1 salt '*' modjk.bulk_recover node1,node2,node3 loadbalancer1 other-profile salt '*' modjk.bulk_recover ["node1","node2","node3"] loadbalancer1 salt '*' modjk.bulk_recover ["node1","node2","node3"] loadbalancer1 other-profile salt.modules.modjk.bulk_stop(workers, lbn, profile='default') Stop all the given workers in the specific load balancer CLI Examples: salt '*' modjk.bulk_stop node1,node2,node3 loadbalancer1 salt '*' modjk.bulk_stop node1,node2,node3 loadbalancer1 other-profile salt '*' modjk.bulk_stop ["node1","node2","node3"] loadbalancer1 salt '*' modjk.bulk_stop ["node1","node2","node3"] loadbalancer1 other-profile salt.modules.modjk.dump_config(profile='default') Dump the original configuration that was loaded from disk CLI Examples: salt '*' modjk.dump_config salt '*' modjk.dump_config other-profile salt.modules.modjk.get_running(profile='default') Get the current running config (not from disk) CLI Examples: salt '*' modjk.get_running salt '*' modjk.get_running other-profile salt.modules.modjk.lb_edit(lbn, settings, profile='default') Edit the loadbalancer settings Note: http://tomcat.apache.org/connectors-doc/reference/status.html Data Parameters for the standard Update Action CLI Examples: salt '*' modjk.lb_edit loadbalancer1 "{'vlr': 1, 'vlt': 60}" salt '*' modjk.lb_edit loadbalancer1 "{'vlr': 1, 'vlt': 60}" other-profile salt.modules.modjk.list_configured_members(lbn, profile='default') Return a list of member workers from the configuration files CLI Examples: salt '*' modjk.list_configured_members loadbalancer1 salt '*' modjk.list_configured_members loadbalancer1 other-profile salt.modules.modjk.recover_all(lbn, profile='default') Set the all the workers in lbn to recover and activate them if they are not CLI Examples: salt '*' modjk.recover_all loadbalancer1 salt '*' modjk.recover_all loadbalancer1 other-profile salt.modules.modjk.reset_stats(lbn, profile='default') Reset all runtime statistics for the load balancer CLI Examples: salt '*' modjk.reset_stats loadbalancer1 salt '*' modjk.reset_stats loadbalancer1 other-profile salt.modules.modjk.version(profile='default') Return the modjk version CLI Examples: salt '*' modjk.version salt '*' modjk.version other-profile salt.modules.modjk.worker_activate(worker, lbn, profile='default') Set the worker to activate state in the lbn load balancer CLI Examples: salt '*' modjk.worker_activate node1 loadbalancer1 salt '*' modjk.worker_activate node1 loadbalancer1 other-profile salt.modules.modjk.worker_disable(worker, lbn, profile='default') Set the worker to disable state in the lbn load balancer CLI Examples: salt '*' modjk.worker_disable node1 loadbalancer1 salt '*' modjk.worker_disable node1 loadbalancer1 other-profile salt.modules.modjk.worker_edit(worker, lbn, settings, profile='default') Edit the worker settings Note: http://tomcat.apache.org/connectors-doc/reference/status.html Data Parameters for the standard Update Action CLI Examples: salt '*' modjk.worker_edit node1 loadbalancer1 "{'vwf': 500, 'vwd': 60}" salt '*' modjk.worker_edit node1 loadbalancer1 "{'vwf': 500, 'vwd': 60}" other-profile salt.modules.modjk.worker_recover(worker, lbn, profile='default') Set the worker to recover this module will fail if it is in OK state CLI Examples: salt '*' modjk.worker_recover node1 loadbalancer1 salt '*' modjk.worker_recover node1 loadbalancer1 other-profile salt.modules.modjk.worker_status(worker, profile='default') Return the state of the worker CLI Examples: salt '*' modjk.worker_status node1 salt '*' modjk.worker_status node1 other-profile salt.modules.modjk.worker_stop(worker, lbn, profile='default') Set the worker to stopped state in the lbn load balancer CLI Examples: salt '*' modjk.worker_activate node1 loadbalancer1 salt '*' modjk.worker_activate node1 loadbalancer1 other-profile salt.modules.modjk.workers(profile='default') Return a list of member workers and their status CLI Examples: salt '*' modjk.workers salt '*' modjk.workers other-profile salt.modules.mongodb Module to provide MongoDB functionality to Salt configuration This module uses PyMongo, and accepts configuration details as parameters as well as configuration settings: mongodb.host: 'localhost' mongodb.port: 27017 mongodb.user: '' mongodb.password: '' This data can also be passed into pillar. Options passed into opts will overwrite options passed into pillar. salt.modules.mongodb.db_exists(name, user=None, password=None, host=None, port=None) Checks if a database exists in Mongodb CLI Example: salt '*' mongodb.db_exists <name> <user> <password> <host> <port> salt.modules.mongodb.db_list(user=None, password=None, host=None, port=None) List all Mongodb databases CLI Example: salt '*' mongodb.db_list <user> <password> <host> <port> salt.modules.mongodb.db_remove(name, user=None, password=None, host=None, port=None) Remove a Mongodb database CLI Example: salt '*' mongodb.db_remove <name> <user> <password> <host> <port> salt.modules.mongodb.find(collection, query=None, user=None, password=None, host=None, port=None, database='admin') salt.modules.mongodb.insert(objects, collection, user=None, password=None, host=None, port=None, database='admin') Insert an object or list of objects into a collection CLI Example: salt '*' mongodb.insert '[{"foo": "FOO", "bar": "BAR"}, {"foo": "BAZ", "bar": "BAM"}]' mycollection <user> <password> <host> <port> <database> salt.modules.mongodb.remove(collection, query=None, user=None, password=None, host=None, port=None, database='admin', w=1) Remove an object or list of objects into a collection CLI Example: salt '*' mongodb.remove mycollection '[{"foo": "FOO", "bar": "BAR"}, {"foo": "BAZ", "bar": "BAM"}]' <user> <password> <host> <port> <database> salt.modules.mongodb.user_create(name, passwd, user=None, password=None, host=None, port=None, database='admin') Create a Mongodb user CLI Example: salt '*' mongodb.user_create <name> <user> <password> <host> <port> <database> salt.modules.mongodb.user_exists(name, user=None, password=None, host=None, port=None, database='admin') Checks if a user exists in Mongodb CLI Example: salt '*' mongodb.user_exists <name> <user> <password> <host> <port> <database> salt.modules.mongodb.user_grant_roles(name, roles, database, user=None, password=None, host=None, port=None) Grant one or many roles to a Mongodb user CLI Examples: salt '*' mongodb.user_grant_roles johndoe '["readWrite"]' dbname admin adminpwd localhost 27017 salt '*' mongodb.user_grant_roles janedoe '[{"role": "readWrite", "db": "dbname" }, {"role": "read", "db": "otherdb"}]' dbname admin adminpwd localhost 27017 salt.modules.mongodb.user_list(user=None, password=None, host=None, port=None, database='admin') List users of a Mongodb database CLI Example: salt '*' mongodb.user_list <user> <password> <host> <port> <database> salt.modules.mongodb.user_remove(name, user=None, password=None, host=None, port=None, database='admin') Remove a Mongodb user CLI Example: salt '*' mongodb.user_remove <name> <user> <password> <host> <port> <database> salt.modules.mongodb.user_revoke_roles(name, roles, database, user=None, password=None, host=None, port=None) Revoke one or many roles to a Mongodb user CLI Examples: salt '*' mongodb.user_revoke_roles johndoe '["readWrite"]' dbname admin adminpwd localhost 27017 salt '*' mongodb.user_revoke_roles janedoe '[{"role": "readWrite", "db": "dbname" }, {"role": "read", "db": "otherdb"}]' dbname admin adminpwd localhost 27017 salt.modules.mongodb.user_roles_exists(name, roles, database, user=None, password=None, host=None, port=None) Checks if a user of a Mongodb database has specified roles CLI Examples: salt '*' mongodb.user_roles_exists johndoe '["readWrite"]' dbname admin adminpwd localhost 27017 salt '*' mongodb.user_roles_exists johndoe '[{"role": "readWrite", "db": "dbname" }, {"role": "read", "db": "otherdb"}]' dbname admin adminpwd localhost 27017 salt.modules.monit Monit service module. This module will create a monit type service watcher. salt.modules.monit.monitor(name) monitor service via monit CLI Example: salt '*' monit.monitor <service name> salt.modules.monit.restart(name) Restart service via monit CLI Example: salt '*' monit.restart <service name> salt.modules.monit.start(name) CLI Example: salt '*' monit.start <service name> salt.modules.monit.status(svc_name='') Display a process status from monit CLI Example: salt '*' monit.status salt '*' monit.status <service name> salt.modules.monit.stop(name) Stops service via monit CLI Example: salt '*' monit.stop <service name> salt.modules.monit.summary(svc_name='') Display a summary from monit CLI Example: salt '*' monit.summary salt '*' monit.summary <service name> salt.modules.monit.unmonitor(name) Unmonitor service via monit CLI Example: salt '*' monit.unmonitor <service name> salt.modules.moosefs Module for gathering and managing information about MooseFS salt.modules.moosefs.dirinfo(path, opts=None) Return information on a directory located on the Moose CLI Example: salt '*' moosefs.dirinfo /path/to/dir/ [-[n][h|H]] salt.modules.moosefs.fileinfo(path) Return information on a file located on the Moose CLI Example: salt '*' moosefs.fileinfo /path/to/dir/ salt.modules.moosefs.getgoal(path, opts=None) Return goal(s) for a file or directory CLI Example: salt '*' moosefs.getgoal /path/to/file [-[n][h|H]] salt '*' moosefs.getgoal /path/to/dir/ [-[n][h|H][r]] salt.modules.moosefs.mounts() Return a list of current MooseFS mounts CLI Example: salt '*' moosefs.mounts salt.modules.mount Salt module to manage Unix mounts and the fstab file salt.modules.mount.active(extended=False) List the active mounts. CLI Example: salt '*' mount.active salt.modules.mount.automaster(config='/etc/auto_salt') List the contents of the auto master CLI Example: salt '*' mount.automaster salt.modules.mount.fstab(config='/etc/fstab') List the contents of the fstab CLI Example: salt '*' mount.fstab salt.modules.mount.is_fuse_exec(cmd) Returns true if the command passed is a fuse mountable application. CLI Example: salt '*' mount.is_fuse_exec sshfs salt.modules.mount.is_mounted(name) New in version 2014.7.0. Provide information if the path is mounted CLI Example: salt '*' mount.is_mounted /mnt/share salt.modules.mount.mount(name, device, mkmnt=False, fstype='', opts='defaults', user=None) Mount a device CLI Example: salt '*' mount.mount /mnt/foo /dev/sdz1 True salt.modules.mount.remount(name, device, mkmnt=False, fstype='', opts='defaults', user=None) Attempt to remount a device, if the device is not already mounted, mount is called CLI Example: salt '*' mount.remount /mnt/foo /dev/sdz1 True salt.modules.mount.rm_automaster(name, device, config='/etc/auto_salt') Remove the mount point from the auto_master CLI Example: salt '*' mount.rm_automaster /mnt/foo /dev/sdg salt.modules.mount.rm_fstab(name, device, config='/etc/fstab') Remove the mount point from the fstab CLI Example: salt '*' mount.rm_fstab /mnt/foo /dev/sdg salt.modules.mount.set_automaster(name, device, fstype, opts='', config='/etc/auto_salt', test=False, **kwargs) Verify that this mount is represented in the auto_salt, change the mount to match the data passed, or add the mount if it is not present. CLI Example: salt '*' mount.set_automaster /mnt/foo /dev/sdz1 ext4 salt.modules.mount.set_fstab(name, device, fstype, opts='defaults', dump=0, pass_num=0, config='/etc/fstab', test=False, match_on='auto', **kwargs) Verify that this mount is represented in the fstab, change the mount to match the data passed, or add the mount if it is not present. CLI Example: salt '*' mount.set_fstab /mnt/foo /dev/sdz1 ext4 salt.modules.mount.swapoff(name) Deactivate a named swap mount CLI Example: salt '*' mount.swapoff /root/swapfile salt.modules.mount.swapon(name, priority=None) Activate a swap disk CLI Example: salt '*' mount.swapon /root/swapfile salt.modules.mount.swaps() Return a dict containing information on active swap CLI Example: salt '*' mount.swaps salt.modules.mount.umount(name, device=None, user=None) Attempt to unmount a device by specifying the directory it is mounted on CLI Example: salt '*' mount.umount /mnt/foo New in version 2015.5.0. salt '*' mount.umount /mnt/foo /dev/xvdc1 salt.modules.mssql Module to provide MS SQL Server compatibility to salt. depends • FreeTDS • pymssql Python module configuration In order to connect to MS SQL Server, certain configuration is required in minion configs/pillars on the relevant minions. Some sample pillars might look like: mssql.server: 'localhost' mssql.port: 1433 mssql.user: 'sysdba' mssql.password: 'Some preferable complex password' mssql.database: '' The default for the port is '1433' and for the database is '' (empty string); in most cases they can be left at the default setting. Options that are directly passed into functions will overwrite options from configs or pillars. salt.modules.mssql.db_exists(database_name, **kwargs) Find if a specific database exists on the MS SQL server. CLI Example: salt minion mssql.db_exists database_name='DBNAME' salt.modules.mssql.db_list(**kwargs) Return the databse list created on a MS SQL server. CLI Example: salt minion mssql.db_list salt.modules.mssql.db_remove(database_name, **kwargs) Drops a specific database from the MS SQL server. It will not drop any of 'master', 'model', 'msdb' or 'tempdb'. CLI Example: salt minion mssql.db_remove database_name='DBNAME' salt.modules.mssql.login_exists(login, **kwargs) Find if a login exists in the MS SQL server. CLI Example: salt minion mssql.login_exists 'LOGIN' salt.modules.mssql.role_create(role, owner=None, **kwargs) Creates a new database role. If no owner is specified, the role will be owned by the user that executes CREATE ROLE, which is the user argument or mssql.user option. CLI Example: salt minion mssql.role_create role=product01 owner=sysdba salt.modules.mssql.role_exists(role, **kwargs) Checks if a role exists. CLI Example: salt minion mssql.role_exists db_owner salt.modules.mssql.role_list(**kwargs) Lists database roles. CLI Example: salt minion mssql.role_list salt.modules.mssql.role_remove(role, **kwargs) Remove a database role. CLI Example: salt minion mssql.role_create role=test_role01 salt.modules.mssql.tsql_query(query, **kwargs) Run a SQL query and return query result as list of tuples, or a list of dictionaries if as_dict was passed, or an empty list if no data is available. CLI Example: salt minion mssql.tsql_query 'SELECT @@version as version' as_dict=True salt.modules.mssql.user_create(username, new_login_password=None, **kwargs) Creates a new user. If new_login_password is not specified, the user will be created without a login. CLI Example: salt minion mssql.user_create USERNAME database=DBNAME [new_login_password=PASSWORD] salt.modules.mssql.user_exists(username, **kwargs) Find if an user exists in a specific database on the MS SQL server. Note: database argument is mandatory CLI Example: salt minion mssql.user_exists 'USERNAME' [database='DBNAME'] salt.modules.mssql.user_list(**kwargs) Get the user list for a specific database on the MS SQL server. CLI Example: salt minion mssql.user_list [database='DBNAME'] salt.modules.mssql.user_remove(username, **kwargs) Removes an user. CLI Example: salt minion mssql.user_remove USERNAME database=DBNAME salt.modules.mssql.version(**kwargs) Return the version of a MS SQL server. CLI Example: salt minion mssql.version salt.modules.munin Run munin plugins/checks from salt and format the output as data. salt.modules.munin.list_plugins() List all the munin plugins CLI Example: salt '*' munin.list_plugins salt.modules.munin.run(plugins) Run one or more named munin plugins CLI Example: salt '*' munin.run uptime salt '*' munin.run uptime,cpu,load,memory salt.modules.munin.run_all() Run all the munin plugins CLI Example: salt '*' munin.run_all salt.modules.mysql Module to provide MySQL compatibility to salt. depends • MySQLdb Python module NOTE: On CentOS 5 (and possibly RHEL 5) both MySQL-python and python26-mysqldb need to be installed. configuration In order to connect to MySQL, certain configuration is required in /etc/salt/minion on the relevant minions. Some sample configs might look like: mysql.host: 'localhost' mysql.port: 3306 mysql.user: 'root' mysql.pass: '' mysql.db: 'mysql' mysql.unix_socket: '/tmp/mysql.sock' mysql.charset: 'utf8' You can also use a defaults file: mysql.default_file: '/etc/mysql/debian.cnf' Changed in version 2014.1.0: charset connection argument added. This is a MySQL charset, not a python one Changed in version 0.16.2: Connection arguments from the minion config file can be overridden on the CLI by using the arguments defined here. Additionally, it is now possible to setup a user with no password. salt.modules.mysql.db_check(name, table=None, **connection_args) Repairs the full database or just a given table CLI Example: salt '*' mysql.db_check dbname salt '*' mysql.db_check dbname dbtable salt.modules.mysql.db_create(name, character_set=None, collate=None, **connection_args) Adds a databases to the MySQL server. name The name of the database to manage character_set The character set, if left empty the MySQL default will be used collate The collation, if left empty the MySQL default will be used CLI Example: salt '*' mysql.db_create 'dbname' salt '*' mysql.db_create 'dbname' 'utf8' 'utf8_general_ci' salt.modules.mysql.db_exists(name, **connection_args) Checks if a database exists on the MySQL server. CLI Example: salt '*' mysql.db_exists 'dbname' salt.modules.mysql.db_list(**connection_args) Return a list of databases of a MySQL server using the output from the SHOW DATABASES query. CLI Example: salt '*' mysql.db_list salt.modules.mysql.db_optimize(name, table=None, **connection_args) Optimizes the full database or just a given table CLI Example: salt '*' mysql.db_optimize dbname salt.modules.mysql.db_remove(name, **connection_args) Removes a databases from the MySQL server. CLI Example: salt '*' mysql.db_remove 'dbname' salt.modules.mysql.db_repair(name, table=None, **connection_args) Repairs the full database or just a given table CLI Example: salt '*' mysql.db_repair dbname salt.modules.mysql.db_tables(name, **connection_args) Shows the tables in the given MySQL database (if exists) CLI Example: salt '*' mysql.db_tables 'database' salt.modules.mysql.free_slave(**connection_args) Frees a slave from its master. This is a WIP, do not use. CLI Example: salt '*' mysql.free_slave salt.modules.mysql.get_master_status(**connection_args) Retrieves the master status from the minion. Returns: {'host.domain.com': {'Binlog_Do_DB': '', 'Binlog_Ignore_DB': '', 'File': 'mysql-bin.000021', 'Position': 107}} CLI Example: salt '*' mysql.get_master_status salt.modules.mysql.get_slave_status(**connection_args) Retrieves the slave status from the minion. Returns: {'host.domain.com': {'Connect_Retry': 60, 'Exec_Master_Log_Pos': 107, 'Last_Errno': 0, 'Last_Error': '', 'Last_IO_Errno': 0, 'Last_IO_Error': '', 'Last_SQL_Errno': 0, 'Last_SQL_Error': '', 'Master_Host': 'comet.scion-eng.com', 'Master_Log_File': 'mysql-bin.000021', 'Master_Port': 3306, 'Master_SSL_Allowed': 'No', 'Master_SSL_CA_File': '', 'Master_SSL_CA_Path': '', 'Master_SSL_Cert': '', 'Master_SSL_Cipher': '', 'Master_SSL_Key': '', 'Master_SSL_Verify_Server_Cert': 'No', 'Master_Server_Id': 1, 'Master_User': 'replu', 'Read_Master_Log_Pos': 107, 'Relay_Log_File': 'klo-relay-bin.000071', 'Relay_Log_Pos': 253, 'Relay_Log_Space': 553, 'Relay_Master_Log_File': 'mysql-bin.000021', 'Replicate_Do_DB': '', 'Replicate_Do_Table': '', 'Replicate_Ignore_DB': '', 'Replicate_Ignore_Server_Ids': '', 'Replicate_Ignore_Table': '', 'Replicate_Wild_Do_Table': '', 'Replicate_Wild_Ignore_Table': '', 'Seconds_Behind_Master': 0, 'Skip_Counter': 0, 'Slave_IO_Running': 'Yes', 'Slave_IO_State': 'Waiting for master to send event', 'Slave_SQL_Running': 'Yes', 'Until_Condition': 'None', 'Until_Log_File': '', 'Until_Log_Pos': 0}} CLI Example: salt '*' mysql.get_slave_status salt.modules.mysql.grant_add(grant, database, user, host='localhost', grant_option=False, escape=True, ssl_option=False, **connection_args) Adds a grant to the MySQL server. For database, make sure you specify database.table or database.* CLI Example: salt '*' mysql.grant_add 'SELECT,INSERT,UPDATE,...' 'database.*' 'frank' 'localhost' salt.modules.mysql.grant_exists(grant, database, user, host='localhost', grant_option=False, escape=True, **connection_args) Checks to see if a grant exists in the database CLI Example: salt '*' mysql.grant_exists 'SELECT,INSERT,UPDATE,...' 'database.*' 'frank' 'localhost' salt.modules.mysql.grant_revoke(grant, database, user, host='localhost', grant_option=False, escape=True, **connection_args) Removes a grant from the MySQL server. CLI Example: salt '*' mysql.grant_revoke 'SELECT,INSERT,UPDATE' 'database.*' 'frank' 'localhost' salt.modules.mysql.processlist(**connection_args) Retrieves the processlist from the MySQL server via "SHOW FULL PROCESSLIST". Returns: a list of dicts, with each dict representing a process: {'Command': 'Query', 'Host': 'localhost', 'Id': 39, 'Info': 'SHOW FULL PROCESSLIST', 'Rows_examined': 0, 'Rows_read': 1, 'Rows_sent': 0, 'State': None, 'Time': 0, 'User': 'root', 'db': 'mysql'} CLI Example: salt '*' mysql.processlist salt.modules.mysql.query(database, query, **connection_args) Run an arbitrary SQL query and return the results or the number of affected rows. CLI Example: salt '*' mysql.query mydb "UPDATE mytable set myfield=1 limit 1" Return data: {'query time': {'human': '39.0ms', 'raw': '0.03899'}, 'rows affected': 1L} CLI Example: salt '*' mysql.query mydb "SELECT id,name,cash from users limit 3" Return data: {'columns': ('id', 'name', 'cash'), 'query time': {'human': '1.0ms', 'raw': '0.001'}, 'results': ((1L, 'User 1', Decimal('110.000000')), (2L, 'User 2', Decimal('215.636756')), (3L, 'User 3', Decimal('0.040000'))), 'rows returned': 3L} CLI Example: salt '*' mysql.query mydb 'INSERT into users values (null,"user 4", 5)' Return data: {'query time': {'human': '25.6ms', 'raw': '0.02563'}, 'rows affected': 1L} CLI Example: salt '*' mysql.query mydb 'DELETE from users where id = 4 limit 1' Return data: {'query time': {'human': '39.0ms', 'raw': '0.03899'}, 'rows affected': 1L} Jinja Example: Run a query on mydb and use row 0, column 0's data. {{ salt['mysql.query']('mydb', 'SELECT info from mytable limit 1')['results'][0][0] }} salt.modules.mysql.quote_identifier(identifier, for_grants=False) Return an identifier name (column, table, database, etc) escaped for MySQL This means surrounded by "`" character and escaping this character inside. It also means doubling the '%' character for MySQLdb internal usage. Parameters • identifier -- the table, column or database identifier • for_grants -- is False by default, when using database names on grant queries you should set it to True to also escape "_" and "%" characters as requested by MySQL. Note that theses characters should only be escaped when requesting grants on the database level (my_%db.*) but not for table level grants (my_%db.`foo`) CLI Example: salt '*' mysql.quote_identifier 'foo`bar' salt.modules.mysql.showglobal(**connection_args) Retrieves the show global variables from the minion. Returns:: show global variables full dict CLI Example: salt '*' mysql.showglobal salt.modules.mysql.showvariables(**connection_args) Retrieves the show variables from the minion. Returns:: show variables full dict CLI Example: salt '*' mysql.showvariables salt.modules.mysql.slave_lag(**connection_args) Return the number of seconds that a slave SQL server is lagging behind the master, if the host is not a slave it will return -1. If the server is configured to be a slave for replication but slave IO is not running then -2 will be returned. If there was an error connecting to the database or checking the slave status, -3 will be returned. CLI Example: salt '*' mysql.slave_lag salt.modules.mysql.status(**connection_args) Return the status of a MySQL server using the output from the SHOW STATUS query. CLI Example: salt '*' mysql.status salt.modules.mysql.tokenize_grant(grant) External wrapper function :param grant: :return: dict CLI Example: salt '*' mysql.tokenize_grant "GRANT SELECT, INSERT ON testdb.* TO 'testuser'@'localhost'" salt.modules.mysql.user_chpass(user, host='localhost', password=None, password_hash=None, allow_passwordless=False, unix_socket=None, **connection_args) Change password for a MySQL user host Host for which this user/password combo applies password The password to set for the new user. Will take precedence over the password_hash option if both are specified. password_hash The password in hashed form. Be sure to quote the password because YAML doesn't like the *. A password hash can be obtained from the mysql command-line client like so: mysql> SELECT PASSWORD('mypass'); +-------------------------------------------+ | PASSWORD('mypass') | +-------------------------------------------+ | *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 | +-------------------------------------------+ 1 row in set (0.00 sec) allow_passwordless If True, then password and password_hash can be omitted (or set to None) to permit a passwordless login. New in version 0.16.2: The allow_passwordless option was added. CLI Examples: salt '*' mysql.user_chpass frank localhost newpassword salt '*' mysql.user_chpass frank localhost password_hash='hash' salt '*' mysql.user_chpass frank localhost allow_passwordless=True salt.modules.mysql.user_create(user, host='localhost', password=None, password_hash=None, allow_passwordless=False, unix_socket=False, **connection_args) Creates a MySQL user host Host for which this user/password combo applies password The password to use for the new user. Will take precedence over the password_hash option if both are specified. password_hash The password in hashed form. Be sure to quote the password because YAML doesn't like the *. A password hash can be obtained from the mysql command-line client like so: mysql> SELECT PASSWORD('mypass'); +-------------------------------------------+ | PASSWORD('mypass') | +-------------------------------------------+ | *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 | +-------------------------------------------+ 1 row in set (0.00 sec) allow_passwordless If True, then password and password_hash can be omitted (or set to None) to permit a passwordless login. unix_socket If True and allow_passwordless is True then will be used unix_socket auth plugin. New in version 0.16.2: The allow_passwordless option was added. CLI Examples: salt '*' mysql.user_create 'username' 'hostname' 'password' salt '*' mysql.user_create 'username' 'hostname' password_hash='hash' salt '*' mysql.user_create 'username' 'hostname' allow_passwordless=True salt.modules.mysql.user_exists(user, host='localhost', password=None, password_hash=None, passwordless=False, unix_socket=False, **connection_args) Checks if a user exists on the MySQL server. A login can be checked to see if passwordless login is permitted by omitting password and password_hash, and using passwordless=True. New in version 0.16.2: The passwordless option was added. CLI Example: salt '*' mysql.user_exists 'username' 'hostname' 'password' salt '*' mysql.user_exists 'username' 'hostname' password_hash='hash' salt '*' mysql.user_exists 'username' passwordless=True salt.modules.mysql.user_grants(user, host='localhost', **connection_args) Shows the grants for the given MySQL user (if it exists) CLI Example: salt '*' mysql.user_grants 'frank' 'localhost' salt.modules.mysql.user_info(user, host='localhost', **connection_args) Get full info on a MySQL user CLI Example: salt '*' mysql.user_info root localhost salt.modules.mysql.user_list(**connection_args) Return a list of users on a MySQL server CLI Example: salt '*' mysql.user_list salt.modules.mysql.user_remove(user, host='localhost', **connection_args) Delete MySQL user CLI Example: salt '*' mysql.user_remove frank localhost salt.modules.mysql.version(**connection_args) Return the version of a MySQL server using the output from the SELECT VERSION() query. CLI Example: salt '*' mysql.version salt.modules.nacl This module helps include encrypted passwords in pillars, grains and salt state files. depends libnacl, https://github.com/saltstack/libnacl This is often useful if you wish to store your pillars in source control or share your pillar data with others that you trust. I don't advise making your pillars public regardless if they are encrypted or not. When generating keys and encrypting passwords use --local when using salt-call for extra security. Also consider using just the salt runner nacl when encrypting pillar passwords. The nacl lib uses 32byte keys, these keys are base64 encoded to make your life more simple. To generate your key or keyfile you can use: salt-call --local nacl.keygen keyfile=/root/.nacl Now with your key, you can encrypt some data: salt-call --local nacl.enc mypass keyfile=/root/.nacl DRB7Q6/X5gGSRCTpZyxS6hXO5LnlJIIJ4ivbmUlbWj0llUA+uaVyvou3vJ4= To decrypt the data: salt-call --local nacl.dec data='DRB7Q6/X5gGSRCTpZyxS6hXO5LnlJIIJ4ivbmUlbWj0llUA+uaVyvou3vJ4=' keyfile=/root/.nacl mypass The following optional configurations can be defined in the minion or master config. Avoid storing the config in pillars! cat /etc/salt/master.d/nacl.conf nacl.config: key: None keyfile: /root/.nacl When the key is defined in the master config you can use it from the nacl runner: salt-run nacl.enc 'myotherpass' Now you can create a pillar with protected data like: pillarexample: user: root password: {{ salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hXO5LnlJIIJ4ivbmUlbWj0llUA+uaVyvou3vJ4=') }} Or do something interesting with grains like: salt-call nacl.enc minionname:dbrole AL24Z2C5OlkReer3DuQTFdrNLchLuz3NGIhGjZkLtKRYry/b/CksWM8O9yskLwH2AGVLoEXI5jAa salt minionname grains.setval role 'AL24Z2C5OlkReer3DuQTFdrNLchLuz3NGIhGjZkLtKRYry/b/CksWM8O9yskLwH2AGVLoEXI5jAa' {%- set r = grains.get('role') %} {%- set role = None %} {%- if r and 'nacl.dec' in salt %} {%- set r = salt['nacl.dec'](r,keyfile='/root/.nacl').split(':') %} {%- if opts['id'] == r[0] %} {%- set role = r[1] %} {%- endif %} {%- endif %} base: {%- if role %} '{{ opts['id'] }}': - {{ role }} {%- endif %} salt.modules.nacl.dec(data, **kwargs) Takes a key generated from nacl.keygen and decrypt some data. CLI Examples: salt-call --local nacl.dec pEXHQM6cuaF7A= salt-call --local nacl.dec data='pEXHQM6cuaF7A=' keyfile=/root/.nacl salt-call --local nacl.dec data='pEXHQM6cuaF7A=' key='cKEzd4kXsbeCE7/nLTIqXwnUiD1ulg4NoeeYcCFpd9k=' salt.modules.nacl.enc(data, **kwargs) Takes a key generated from nacl.keygen and encrypt some data. CLI Examples: salt-call --local nacl.enc datatoenc salt-call --local nacl.enc datatoenc keyfile=/root/.nacl salt-call --local nacl.enc datatoenc key='cKEzd4kXsbeCE7/nLTIqXwnUiD1ulg4NoeeYcCFpd9k=' salt.modules.nacl.keygen(keyfile=None) Use libnacl to generate a private key CLI Examples: salt-call --local nacl.keygen salt-call --local nacl.keygen keyfile=/root/.nacl salt-call --local --out=newline_values_only nacl.keygen > /root/.nacl salt.modules.nagios Run nagios plugins/checks from salt and get the return as data. salt.modules.nagios.list_plugins() List all the nagios plugins CLI Example: salt '*' nagios.list_plugins salt.modules.nagios.retcode(plugin, args='', key_name=None) Run one nagios plugin and return retcode of the execution CLI Example: salt '*' nagios.run check_apt salt '*' nagios.run check_icmp '8.8.8.8' salt.modules.nagios.retcode_pillar(pillar_name) Run one or more nagios plugins from pillar data and get the result of cmd.retcode The pillar have to be in this format: ------ webserver: Ping_google: - check_icmp: 8.8.8.8 - check_icmp: google.com Load: - check_load: -w 0.8 -c 1 APT: - check_apt ------- webserver is the role to check, the next keys are the group and the items the check with the arguments if needed You must to group different checks(one o more) and always it will return the highest value of all the checks CLI Example: salt '*' nagios.retcode webserver salt.modules.nagios.run(plugin, args='') Run nagios plugin and return all the data execution with cmd.run salt.modules.nagios.run_all(plugin, args='') Run nagios plugin and return all the data execution with cmd.run_all salt.modules.nagios.run_all_pillar(pillar_name) Run one or more nagios plugins from pillar data and get the result of cmd.run_all The pillar have to be in this format: ------ webserver: Ping_google: - check_icmp: 8.8.8.8 - check_icmp: google.com Load: - check_load: -w 0.8 -c 1 APT: - check_apt ------- webserver is the role to check, the next keys are the group and the items the check with the arguments if needed You have to group different checks in a group CLI Example: salt '*' nagios.run webserver salt.modules.nagios.run_pillar(pillar_name) Run one or more nagios plugins from pillar data and get the result of cmd.run The pillar have to be in this format: ------ webserver: Ping_google: - check_icmp: 8.8.8.8 - check_icmp: google.com Load: - check_load: -w 0.8 -c 1 APT: - check_apt ------- webserver is the role to check, the next keys are the group and the items the check with the arguments if needed You have to group different checks in a group CLI Example: salt '*' nagios.run webserver salt.modules.nagios_rpc Check Host & Service status from Nagios via JSON RPC. New in version 2015.8.0. salt.modules.nagios_rpc.host_status(hostname=None, **kwargs) Check status of a particular host By default statuses are returned in a numeric format. Parameters: hostname The hostname to check the status of the service in Nagios. numeric Turn to false in order to return status in text format ('OK' instead of 0, 'Warning' instead of 1 etc) Returns status: 'OK', 'Warning', 'Critical' or 'Unknown' CLI Example: salt '*' nagios_rpc.host_status hostname=webserver.domain.com salt '*' nagios_rpc.host_status hostname=webserver.domain.com numeric=False salt.modules.nagios_rpc.service_status(hostname=None, service=None, **kwargs) Check status of a particular service on a host on it in Nagios. By default statuses are returned in a numeric format. Parameters: hostname The hostname to check the status of the service in Nagios. service The service to check the status of in Nagios. numeric Turn to false in order to return status in text format ('OK' instead of 0, 'Warning' instead of 1 etc) Returns status: 'OK', 'Warning', 'Critical' or 'Unknown' CLI Example: salt '*' nagios_rpc.service_status hostname=webserver.domain.com service='HTTP' salt '*' nagios_rpc.service_status hostname=webserver.domain.com service='HTTP' numeric=False salt.modules.netbsd_sysctl Module for viewing and modifying sysctl parameters salt.modules.netbsd_sysctl.assign(name, value) Assign a single sysctl parameter for this minion CLI Example: salt '*' sysctl.assign net.inet.icmp.icmplim 50 salt.modules.netbsd_sysctl.get(name) Return a single sysctl parameter for this minion CLI Example: salt '*' sysctl.get hw.physmem salt.modules.netbsd_sysctl.persist(name, value, config='/etc/sysctl.conf') Assign and persist a simple sysctl parameter for this minion CLI Example: salt '*' sysctl.persist net.inet.icmp.icmplim 50 salt.modules.netbsd_sysctl.show(config_file=False) Return a list of sysctl parameters for this minion CLI Example: salt '*' sysctl.show salt.modules.netbsdservice The service module for NetBSD salt.modules.netbsdservice.available(name) Returns True if the specified service is available, otherwise returns False. CLI Example: salt '*' service.available sshd salt.modules.netbsdservice.disable(name, **kwargs) Disable the named service to start at boot CLI Example: salt '*' service.disable <service name> salt.modules.netbsdservice.disabled(name) Return True if the named service is enabled, false otherwise CLI Example: salt '*' service.disabled <service name> salt.modules.netbsdservice.enable(name, **kwargs) Enable the named service to start at boot CLI Example: salt '*' service.enable <service name> salt.modules.netbsdservice.enabled(name, **kwargs) Return True if the named service is enabled, false otherwise CLI Example: salt '*' service.enabled <service name> salt.modules.netbsdservice.force_reload(name) Force-reload the named service CLI Example: salt '*' service.force_reload <service name> salt.modules.netbsdservice.get_all() Return all available boot services CLI Example: salt '*' service.get_all salt.modules.netbsdservice.get_disabled() Return a set of services that are installed but disabled CLI Example: salt '*' service.get_disabled salt.modules.netbsdservice.get_enabled() Return a list of service that are enabled on boot CLI Example: salt '*' service.get_enabled salt.modules.netbsdservice.missing(name) The inverse of service.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' service.missing sshd salt.modules.netbsdservice.reload(name) Reload the named service CLI Example: salt '*' service.reload <service name> salt.modules.netbsdservice.restart(name) Restart the named service CLI Example: salt '*' service.restart <service name> salt.modules.netbsdservice.start(name) Start the specified service CLI Example: salt '*' service.start <service name> salt.modules.netbsdservice.status(name, sig=None) Return the status for a service, returns a bool whether the service is running. CLI Example: salt '*' service.status <service name> salt.modules.netbsdservice.stop(name) Stop the specified service CLI Example: salt '*' service.stop <service name> salt.modules.netscaler Module to provide Citrix Netscaler compatibility to Salt (compatible with netscaler 9.2+) New in version 2015.2.0. depends • nsnitro Python module NOTE: You can install nsnitro using: pip install nsnitro configuration This module accepts connection configuration details either as parameters, or as configuration settings in /etc/salt/minion on the relevant minions netscaler.host: 1.2.3.4 netscaler.user: user netscaler.pass: password This data can also be passed into pillar. Options passed into opts will overwrite options passed into pillar. CLI Examples Calls relying on configuration passed using /etc/salt/minion, grains, or pillars: salt-call netscaler.server_exists server_name Calls passing configuration as opts salt-call netscaler.server_exists server_name netscaler_host=1.2.3.4 netscaler_user=username netscaler_pass=password salt-call netscaler.server_exists server_name netscaler_host=1.2.3.5 netscaler_user=username2 netscaler_pass=password2 salt-call netscaler.server_enable server_name2 netscaler_host=1.2.3.5 salt.modules.netscaler.server_add(s_name, s_ip, s_state=None, **connection_args) Add a server Note: The default server state is ENABLED CLI Example: salt '*' netscaler.server_add 'serverName' 'serverIpAddress' salt '*' netscaler.server_add 'serverName' 'serverIpAddress' 'serverState' salt.modules.netscaler.server_delete(s_name, **connection_args) Delete a server CLI Example: salt '*' netscaler.server_delete 'serverName' salt.modules.netscaler.server_disable(s_name, **connection_args) Disable a server globally CLI Example: salt '*' netscaler.server_disable 'serverName' salt.modules.netscaler.server_enable(s_name, **connection_args) Enables a server globally CLI Example: salt '*' netscaler.server_enable 'serverName' salt.modules.netscaler.server_enabled(s_name, **connection_args) Check if a server is enabled globally CLI Example: salt '*' netscaler.server_enabled 'serverName' salt.modules.netscaler.server_exists(s_name, ip=None, s_state=None, **connection_args) Checks if a server exists CLI Example: salt '*' netscaler.server_exists 'serverName' salt.modules.netscaler.server_update(s_name, s_ip, **connection_args) Update a server's attributes CLI Example: salt '*' netscaler.server_update 'serverName' 'serverIP' salt.modules.netscaler.service_disable(s_name, s_delay=None, **connection_args) Disable a service CLI Example: salt '*' netscaler.service_disable 'serviceName' salt '*' netscaler.service_disable 'serviceName' 'delayInSeconds' salt.modules.netscaler.service_enable(s_name, **connection_args) Enable a service CLI Example: salt '*' netscaler.service_enable 'serviceName' salt.modules.netscaler.service_exists(s_name, **connection_args) Checks if a service exists CLI Example: salt '*' netscaler.service_exists 'serviceName' salt.modules.netscaler.service_up(s_name, **connection_args) Checks if a service is UP CLI Example: salt '*' netscaler.service_up 'serviceName' salt.modules.netscaler.servicegroup_add(sg_name, sg_type='HTTP', **connection_args) Add a new service group If no service type is specified, HTTP will be used. Most common service types: HTTP, SSL, and SSL_BRIDGE CLI Example: salt '*' netscaler.servicegroup_add 'serviceGroupName' salt '*' netscaler.servicegroup_add 'serviceGroupName' 'serviceGroupType' salt.modules.netscaler.servicegroup_delete(sg_name, **connection_args) Delete a new service group CLI Example: salt '*' netscaler.servicegroup_delete 'serviceGroupName' salt.modules.netscaler.servicegroup_exists(sg_name, sg_type=None, **connection_args) Checks if a service group exists CLI Example: salt '*' netscaler.servicegroup_exists 'serviceGroupName' salt.modules.netscaler.servicegroup_server_add(sg_name, s_name, s_port, **connection_args) Add a server:port member to a servicegroup CLI Example: salt '*' netscaler.servicegroup_server_add 'serviceGroupName' 'serverName' 'serverPort' salt.modules.netscaler.servicegroup_server_delete(sg_name, s_name, s_port, **connection_args) Remove a server:port member from a servicegroup CLI Example: salt '*' netscaler.servicegroup_server_delete 'serviceGroupName' 'serverName' 'serverPort' salt.modules.netscaler.servicegroup_server_disable(sg_name, s_name, s_port, **connection_args) Disable a server:port member of a servicegroup CLI Example: salt '*' netscaler.servicegroup_server_disable 'serviceGroupName' 'serverName' 'serverPort' salt.modules.netscaler.servicegroup_server_enable(sg_name, s_name, s_port, **connection_args) Enable a server:port member of a servicegroup CLI Example: salt '*' netscaler.servicegroup_server_enable 'serviceGroupName' 'serverName' 'serverPort' salt.modules.netscaler.servicegroup_server_exists(sg_name, s_name, s_port=None, **connection_args) Check if a server:port combination is a member of a servicegroup CLI Example: salt '*' netscaler.servicegroup_server_exists 'serviceGroupName' 'serverName' 'serverPort' salt.modules.netscaler.servicegroup_server_up(sg_name, s_name, s_port, **connection_args) Check if a server:port combination is in state UP in a servicegroup CLI Example: salt '*' netscaler.servicegroup_server_up 'serviceGroupName' 'serverName' 'serverPort' salt.modules.netscaler.vserver_add(v_name, v_ip, v_port, v_type, **connection_args) Add a new lb vserver CLI Example: salt '*' netscaler.vserver_add 'vserverName' 'vserverIP' 'vserverPort' 'vserverType' salt '*' netscaler.vserver_add 'alex.patate.chaude.443' '1.2.3.4' '443' 'SSL' salt.modules.netscaler.vserver_delete(v_name, **connection_args) Delete a lb vserver CLI Example: salt '*' netscaler.vserver_delete 'vserverName' salt.modules.netscaler.vserver_exists(v_name, v_ip=None, v_port=None, v_type=None, **connection_args) Checks if a vserver exists CLI Example: salt '*' netscaler.vserver_exists 'vserverName' salt.modules.netscaler.vserver_servicegroup_add(v_name, sg_name, **connection_args) Bind a servicegroup to a vserver CLI Example: salt '*' netscaler.vserver_servicegroup_add 'vserverName' 'serviceGroupName' salt.modules.netscaler.vserver_servicegroup_delete(v_name, sg_name, **connection_args) Unbind a servicegroup from a vserver CLI Example: salt '*' netscaler.vserver_servicegroup_delete 'vserverName' 'serviceGroupName' salt.modules.netscaler.vserver_servicegroup_exists(v_name, sg_name, **connection_args) Checks if a servicegroup is tied to a vserver CLI Example: salt '*' netscaler.vserver_servicegroup_exists 'vserverName' 'serviceGroupName' salt.modules.netscaler.vserver_sslcert_add(v_name, sc_name, **connection_args) Binds a SSL certificate to a vserver CLI Example: salt '*' netscaler.vserver_sslcert_add 'vserverName' 'sslCertificateName' salt.modules.netscaler.vserver_sslcert_delete(v_name, sc_name, **connection_args) Unbinds a SSL certificate from a vserver CLI Example: salt '*' netscaler.vserver_sslcert_delete 'vserverName' 'sslCertificateName' salt.modules.netscaler.vserver_sslcert_exists(v_name, sc_name, **connection_args) Checks if a SSL certificate is tied to a vserver CLI Example: salt '*' netscaler.vserver_sslcert_exists 'vserverName' 'sslCertificateName' salt.modules.network Module for gathering and managing network information salt.modules.network.active_tcp() Return a dict containing information on all of the running TCP connections (currently linux and solaris only) Changed in version 2015.8.4: Added support for SunOS CLI Example: salt '*' network.active_tcp salt.modules.network.arp() Return the arp table from the minion Changed in version 2015.8.0: Added support for SunOS CLI Example: salt '*' network.arp salt.modules.network.calc_net(ip_addr, netmask=None) Returns the CIDR of a subnet based on an IP address (CIDR notation supported) and optional netmask. CLI Example: salt '*' network.calc_net 172.17.0.5 255.255.255.240 salt '*' network.calc_net 2a02:f6e:a000:80:84d8:8332:7866:4e07/64 New in version 2015.8.0. salt.modules.network.connect(host, port=None, **kwargs) Test connectivity to a host using a particular port from the minion. New in version 2014.7.0. CLI Example: salt '*' network.connect archlinux.org 80 salt '*' network.connect archlinux.org 80 timeout=3 salt '*' network.connect archlinux.org 80 timeout=3 family=ipv4 salt '*' network.connect google-public-dns-a.google.com port=53 proto=udp timeout=3 salt.modules.network.default_route(family=None) Return default route(s) from routing table Changed in version 2015.8.0: Added support for SunOS (Solaris 10, Illumos, SmartOS) CLI Example: salt '*' network.default_route salt.modules.network.dig(host) Performs a DNS lookup with dig CLI Example: salt '*' network.dig archlinux.org salt.modules.network.get_bufsize(iface) Return network buffer sizes as a dict (currently linux only) CLI Example: salt '*' network.get_bufsize salt.modules.network.get_hostname() Get hostname CLI Example: salt '*' network.get_hostname salt.modules.network.get_route(ip) Return routing information for given destination ip New in version 2015.5.3. Changed in version 2015.8.0: Added support for SunOS (Solaris 10, Illumos, SmartOS) Added support for OpenBSD CLI Example: salt '*' network.get_route 10.10.10.10 salt.modules.network.hw_addr(iface) Return the hardware address (a.k.a. MAC address) for a given interface CLI Example: salt '*' network.hw_addr eth0 salt.modules.network.hwaddr(iface) This function is an alias of hw_addr. Return the hardware address (a.k.a. MAC address) for a given interface CLI Example: salt '*' network.hw_addr eth0 salt.modules.network.in_subnet(cidr) Returns True if host is within specified subnet, otherwise False. CLI Example: salt '*' network.in_subnet 10.0.0.0/16 salt.modules.network.interface(iface) Return the inet address for a given interface New in version 2014.7.0. CLI Example: salt '*' network.interface eth0 salt.modules.network.interface_ip(iface) Return the inet address for a given interface New in version 2014.7.0. CLI Example: salt '*' network.interface_ip eth0 salt.modules.network.interfaces() Return a dictionary of information about all the interfaces on the minion CLI Example: salt '*' network.interfaces salt.modules.network.ip_addrs(interface=None, include_loopback=False, cidr=None) Returns a list of IPv4 addresses assigned to the host. 127.0.0.1 is ignored, unless 'include_loopback=True' is indicated. If 'interface' is provided, then only IP addresses from that interface will be returned. Providing a CIDR via 'cidr="10.0.0.0/8"' will return only the addresses which are within that subnet. CLI Example: salt '*' network.ip_addrs salt.modules.network.ip_addrs6(interface=None, include_loopback=False, cidr=None) Returns a list of IPv6 addresses assigned to the host. ::1 is ignored, unless 'include_loopback=True' is indicated. If 'interface' is provided, then only IP addresses from that interface will be returned. Providing a CIDR via 'cidr="2000::/3"' will return only the addresses which are within that subnet. CLI Example: salt '*' network.ip_addrs6 salt.modules.network.ip_in_subnet(ip_addr, cidr) Returns True if given IP is within specified subnet, otherwise False. CLI Example: salt '*' network.ip_in_subnet 172.17.0.4 172.16.0.0/12 salt.modules.network.ipaddrs(interface=None, include_loopback=False, cidr=None) This function is an alias of ip_addrs. Returns a list of IPv4 addresses assigned to the host. 127.0.0.1 is ignored, unless 'include_loopback=True' is indicated. If 'interface' is provided, then only IP addresses from that interface will be returned. Providing a CIDR via 'cidr="10.0.0.0/8"' will return only the addresses which are within that subnet. CLI Example: salt '*' network.ip_addrs salt.modules.network.ipaddrs6(interface=None, include_loopback=False, cidr=None) This function is an alias of ip_addrs6. Returns a list of IPv6 addresses assigned to the host. ::1 is ignored, unless 'include_loopback=True' is indicated. If 'interface' is provided, then only IP addresses from that interface will be returned. Providing a CIDR via 'cidr="2000::/3"' will return only the addresses which are within that subnet. CLI Example: salt '*' network.ip_addrs6 salt.modules.network.is_loopback(ip_addr) Check if the given IP address is a loopback address New in version 2014.7.0. Changed in version 2015.8.0: IPv6 support CLI Example: salt '*' network.is_loopback 127.0.0.1 salt.modules.network.is_private(ip_addr) Check if the given IP address is a private address New in version 2014.7.0. Changed in version 2015.8.0: IPv6 support CLI Example: salt '*' network.is_private 10.0.0.3 salt.modules.network.mod_bufsize(iface, *args, **kwargs) Modify network interface buffers (currently linux only) CLI Example: salt '*' network.mod_bufsize tx=<val> rx=<val> rx-mini=<val> rx-jumbo=<val> salt.modules.network.mod_hostname(hostname) Modify hostname Changed in version 2015.8.0: Added support for SunOS (Solaris 10, Illumos, SmartOS) CLI Example: salt '*' network.mod_hostname master.saltstack.com salt.modules.network.netstat() Return information on open ports and states NOTE: On BSD minions, the output contains PID info (where available) for each netstat entry, fetched from sockstat/fstat output. Changed in version 2014.1.4: Added support for OpenBSD, FreeBSD, and NetBSD Changed in version 2015.8.0: Added support for SunOS CLI Example: salt '*' network.netstat salt.modules.network.ping(host, timeout=False, return_boolean=False) Performs an ICMP ping to a host Changed in version 2015.8.0: Added support for SunOS CLI Example: salt '*' network.ping archlinux.org New in version 2015.5.0. Return a True or False instead of ping output. salt '*' network.ping archlinux.org return_boolean=True Set the time to wait for a response in seconds. salt '*' network.ping archlinux.org timeout=3 salt.modules.network.reverse_ip(ip_addr) Returns the reversed IP address Changed in version 2015.8.0: IPv6 support CLI Example: salt '*' network.reverse_ip 172.17.0.4 salt.modules.network.routes(family=None) Return currently configured routes from routing table Changed in version 2015.8.0: Added support for SunOS (Solaris 10, Illumos, SmartOS) CLI Example: salt '*' network.routes salt.modules.network.subnets(interfaces=None) Returns a list of IPv4 subnets to which the host belongs CLI Example: salt '*' network.subnets salt '*' network.subnets interfaces=eth1 salt.modules.network.subnets6() Returns a list of IPv6 subnets to which the host belongs CLI Example: salt '*' network.subnets salt.modules.network.traceroute(host) Performs a traceroute to a 3rd party host Changed in version 2015.8.0: Added support for SunOS CLI Example: salt '*' network.traceroute archlinux.org salt.modules.network.wol(mac, bcast='255.255.255.255', destport=9) Send Wake On Lan packet to a host CLI Example: salt '*' network.wol 08-00-27-13-69-77 salt '*' network.wol 080027136977 255.255.255.255 7 salt '*' network.wol 08:00:27:13:69:77 255.255.255.255 7 salt.modules.neutron Module for handling OpenStack Neutron calls depends • neutronclient Python module configuration This module is not usable until the user, password, tenant, and auth URL are specified either in a pillar or in the minion's config file. For example: keystone.user: 'admin' keystone.password: 'password' keystone.tenant: 'admin' keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' keystone.region_name: 'RegionOne' keystone.service_type: 'network' If configuration for multiple OpenStack accounts is required, they can be set up as different configuration profiles: For example: openstack1: keystone.user: 'admin' keystone.password: 'password' keystone.tenant: 'admin' keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' keystone.region_name: 'RegionOne' keystone.service_type: 'network' openstack2: keystone.user: 'admin' keystone.password: 'password' keystone.tenant: 'admin' keystone.auth_url: 'http://127.0.0.2:5000/v2.0/' keystone.region_name: 'RegionOne' keystone.service_type: 'network' With this configuration in place, any of the neutron functions can make use of a configuration profile by declaring it explicitly. For example: salt '*' neutron.network_list profile=openstack1 salt.modules.neutron.add_gateway_router(router, ext_network, profile=None) Adds an external network gateway to the specified router CLI Example: salt '*' neutron.add_gateway_router router-name ext-network-name Parameters • router -- ID or name of the router • ext_network -- ID or name of the external network the gateway • profile -- Profile to build on (Optional) Returns Added Gateway router information salt.modules.neutron.add_interface_router(router, subnet, profile=None) Adds an internal network interface to the specified router CLI Example: salt '*' neutron.add_interface_router router-name subnet-name Parameters • router -- ID or name of the router • subnet -- ID or name of the subnet • profile -- Profile to build on (Optional) Returns Added interface information salt.modules.neutron.create_floatingip(floating_network, port=None, profile=None) Creates a new floatingIP CLI Example: salt '*' neutron.create_floatingip network-name port-name Parameters • floating_network -- Network name or ID to allocate floatingIP from • port -- Of the port to be associated with the floatingIP (Optional) • profile -- Profile to build on (Optional) Returns Created floatingIP information salt.modules.neutron.create_ikepolicy(name, profile=None, **kwargs) Creates a new IKEPolicy CLI Example: salt '*' neutron.create_ikepolicy ikepolicy-name phase1_negotiation_mode=main auth_algorithm=sha1 encryption_algorithm=aes-128 pfs=group5 Parameters • name -- Name of the IKE policy • phase1_negotiation_mode -- IKE Phase1 negotiation mode in lowercase, default: main (Optional) • auth_algorithm -- Authentication algorithm in lowercase, default: sha1 (Optional) • encryption_algorithm -- Encryption algorithm in lowercase. default:aes-128 (Optional) • pfs -- Prefect Forward Security in lowercase, default: group5 (Optional) • units -- IKE lifetime attribute. default: seconds (Optional) • value -- IKE lifetime attribute. default: 3600 (Optional) • ike_version -- IKE version in lowercase, default: v1 (Optional) • profile -- Profile to build on (Optional) • kwargs -- Returns Created IKE policy information salt.modules.neutron.create_ipsec_site_connection(name, ipsecpolicy, ikepolicy, vpnservice, peer_cidrs, peer_address, peer_id, psk, admin_state_up=True, profile=None, **kwargs) Creates a new IPsecSiteConnection CLI Example: salt '*' neutron.show_ipsec_site_connection connection-name ipsec-policy-name ikepolicy-name vpnservice-name 192.168.XXX.XXX/24 192.168.XXX.XXX 192.168.XXX.XXX secret Parameters • name -- Set friendly name for the connection • ipsecpolicy -- IPSec policy ID or name associated with this connection • ikepolicy -- IKE policy ID or name associated with this connection • vpnservice -- VPN service instance ID or name associated with this connection • peer_cidrs -- Remote subnet(s) in CIDR format • peer_address -- Peer gateway public IPv4/IPv6 address or FQDN • peer_id -- Peer router identity for authentication Can be IPv4/IPv6 address, e-mail address, key id, or FQDN • psk -- Pre-shared key string • initiator -- Initiator state in lowercase, default:bi-directional • admin_state_up -- Set admin state up to true or false, default: True (Optional) • mtu -- size for the connection, default:1500 (Optional) • dpd_action -- Dead Peer Detection attribute: hold/clear/disabled/ restart/restart-by-peer (Optional) • dpd_interval -- Dead Peer Detection attribute (Optional) • dpd_timeout -- Dead Peer Detection attribute (Optional) • profile -- Profile to build on (Optional) Returns Created IPSec site connection information salt.modules.neutron.create_ipsecpolicy(name, profile=None, **kwargs) Creates a new IPsecPolicy CLI Example: salt '*' neutron.create_ipsecpolicy ipsecpolicy-name transform_protocol=esp auth_algorithm=sha1 encapsulation_mode=tunnel encryption_algorithm=aes-128 Parameters • name -- Name of the IPSec policy • transform_protocol -- Transform protocol in lowercase, default: esp (Optional) • auth_algorithm -- Authentication algorithm in lowercase, default: sha1 (Optional) • encapsulation_mode -- Encapsulation mode in lowercase, default: tunnel (Optional) • encryption_algorithm -- Encryption algorithm in lowercase, default:aes-128 (Optional) • pfs -- Prefect Forward Security in lowercase, default: group5 (Optional) • units -- IPSec lifetime attribute. default: seconds (Optional) • value -- IPSec lifetime attribute. default: 3600 (Optional) • profile -- Profile to build on (Optional) Returns Created IPSec policy information salt.modules.neutron.create_network(name, router_ext=None, admin_state_up=True, network_type=None, physical_network=None, segmentation_id=None, shared=None, profile=None) Creates a new network CLI Example: salt '*' neutron.create_network network-name salt '*' neutron.create_network network-name profile=openstack1 Parameters • name -- Name of network to create • admin_state_up -- should the state of the network be up? default: True (Optional) • router_ext -- True then if create the external network (Optional) • network_type -- the Type of network that the provider is such as GRE, VXLAN, VLAN, FLAT, or LOCAL (Optional) • physical_network -- the name of the physical network as neutron knows it (Optional) • segmentation_id -- the vlan id or GRE id (Optional) • shared -- is the network shared or not (Optional) • profile -- Profile to build on (Optional) Returns Created network information salt.modules.neutron.create_port(name, network, device_id=None, admin_state_up=True, profile=None) Creates a new port CLI Example: salt '*' neutron.create_port network-name port-name Parameters • name -- Name of port to create • network -- Network name or ID • device_id -- ID of device (Optional) • admin_state_up -- Set admin state up to true or false, default: true (Optional) • profile -- Profile to build on (Optional) Returns Created port information salt.modules.neutron.create_router(name, ext_network=None, admin_state_up=True, profile=None) Creates a new router CLI Example: salt '*' neutron.create_router new-router-name Parameters • name -- Name of router to create (must be first) • ext_network -- ID or name of the external for the gateway (Optional) • admin_state_up -- Set admin state up to true or false, default:true (Optional) • profile -- Profile to build on (Optional) Returns Created router information salt.modules.neutron.create_security_group(name=None, description=None, profile=None) Creates a new security group CLI Example: salt '*' neutron.create_security_group security-group-name description='Security group for servers' Parameters • name -- Name of security group (Optional) • description -- Description of security group (Optional) • profile -- Profile to build on (Optional) Returns Created security group information salt.modules.neutron.create_security_group_rule(security_group, remote_group_id=None, direction='ingress', protocol=None, port_range_min=None, port_range_max=None, ethertype='IPv4', profile=None) Creates a new security group rule CLI Example: salt '*' neutron.show_security_group_rule security-group-rule-id Parameters • security_group -- Security group name or ID to add rule • remote_group_id -- Remote security group name or ID to apply rule (Optional) • direction -- Direction of traffic: ingress/egress, default: ingress (Optional) • protocol -- Protocol of packet: null/icmp/tcp/udp, default: null (Optional) • port_range_min -- Starting port range (Optional) • port_range_max -- Ending port range (Optional) • ethertype -- IPv4/IPv6, default: IPv4 (Optional) • profile -- Profile to build on (Optional) Returns Created security group rule information salt.modules.neutron.create_subnet(network, cidr, name=None, ip_version=4, profile=None) Creates a new subnet CLI Example: salt '*' neutron.create_subnet network-name 192.168.1.0/24 Parameters • network -- Network ID or name this subnet belongs to • cidr -- CIDR of subnet to create (Ex. '192.168.1.0/24') • name -- Name of the subnet to create (Optional) • ip_version -- Version to use, default is 4(IPv4) (Optional) • profile -- Profile to build on (Optional) Returns Created subnet information salt.modules.neutron.create_vpnservice(subnet, router, name, admin_state_up=True, profile=None) Creates a new VPN service CLI Example: salt '*' neutron.create_vpnservice router-name name Parameters • subnet -- Subnet unique identifier for the VPN service deployment • router -- Router unique identifier for the VPN service • name -- Set a name for the VPN service • admin_state_up -- Set admin state up to true or false, default:True (Optional) • profile -- Profile to build on (Optional) Returns Created VPN service information salt.modules.neutron.delete_floatingip(floatingip_id, profile=None) Deletes the specified floating IP CLI Example: salt '*' neutron.delete_floatingip floatingip-id Parameters • floatingip_id -- ID of floatingIP to delete • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.delete_ikepolicy(ikepolicy, profile=None) Deletes the specified IKEPolicy CLI Example: salt '*' neutron.delete_ikepolicy ikepolicy-name Parameters • ikepolicy -- ID or name of IKE policy to delete • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.delete_ipsec_site_connection(ipsec_site_connection, profile=None) Deletes the specified IPsecSiteConnection CLI Example: salt '*' neutron.delete_ipsec_site_connection connection-name Parameters • ipsec_site_connection -- ID or name of ipsec site connection to delete • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.delete_ipsecpolicy(ipsecpolicy, profile=None) Deletes the specified IPsecPolicy CLI Example: salt '*' neutron.delete_ipsecpolicy ipsecpolicy-name Parameters • ipsecpolicy -- ID or name of IPSec policy to delete • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.delete_network(network, profile=None) Deletes the specified network CLI Example: salt '*' neutron.delete_network network-name salt '*' neutron.delete_network network-name profile=openstack1 Parameters • network -- ID or name of network to delete • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.delete_port(port, profile=None) Deletes the specified port CLI Example: salt '*' neutron.delete_network port-name salt '*' neutron.delete_network port-name profile=openstack1 Parameters • port -- port name or ID • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.delete_quota(tenant_id, profile=None) Delete the specified tenant's quota value CLI Example: salt '*' neutron.update_quota tenant-id salt '*' neutron.update_quota tenant-id profile=openstack1 Parameters • tenant_id -- ID of tenant to quota delete • profile -- Profile to build on (Optional) Returns True(Delete succeed) or False(Delete failed) salt.modules.neutron.delete_router(router, profile=None) Delete the specified router CLI Example: salt '*' neutron.delete_router router-name Parameters • router -- ID or name of router to delete • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.delete_security_group(security_group, profile=None) Deletes the specified security group CLI Example: salt '*' neutron.delete_security_group security-group-name Parameters • security_group -- ID or name of security group to delete • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.delete_security_group_rule(security_group_rule_id, profile=None) Deletes the specified security group rule CLI Example: salt '*' neutron.delete_security_group_rule security-group-rule-id Parameters • security_group_rule_id -- ID of security group rule to delete • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.delete_subnet(subnet, profile=None) Deletes the specified subnet CLI Example: salt '*' neutron.delete_subnet subnet-name salt '*' neutron.delete_subnet subnet-name profile=openstack1 Parameters • subnet -- ID or name of subnet to delete • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.delete_vpnservice(vpnservice, profile=None) Deletes the specified VPN service CLI Example: salt '*' neutron.delete_vpnservice vpnservice-name Parameters • vpnservice -- ID or name of vpn service to delete • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.get_quotas_tenant(profile=None) Fetches tenant info in server's context for following quota operation CLI Example: salt '*' neutron.get_quotas_tenant salt '*' neutron.get_quotas_tenant profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns Quotas information salt.modules.neutron.list_extensions(profile=None) Fetches a list of all extensions on server side CLI Example: salt '*' neutron.list_extensions salt '*' neutron.list_extensions profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of extensions salt.modules.neutron.list_floatingips(profile=None) Fetch a list of all floatingIPs for a tenant CLI Example: salt '*' neutron.list_floatingips salt '*' neutron.list_floatingips profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of floatingIP salt.modules.neutron.list_ikepolicies(profile=None) Fetches a list of all configured IKEPolicies for a tenant CLI Example: salt '*' neutron.list_ikepolicies salt '*' neutron.list_ikepolicies profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of IKE policy salt.modules.neutron.list_ipsec_site_connections(profile=None) Fetches all configured IPsec Site Connections for a tenant CLI Example: salt '*' neutron.list_ipsec_site_connections salt '*' neutron.list_ipsec_site_connections profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of IPSec site connection salt.modules.neutron.list_ipsecpolicies(profile=None) Fetches a list of all configured IPsecPolicies for a tenant CLI Example: salt '*' neutron.list_ipsecpolicies ipsecpolicy-name salt '*' neutron.list_ipsecpolicies ipsecpolicy-name profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of IPSec policy salt.modules.neutron.list_networks(profile=None) Fetches a list of all networks for a tenant CLI Example: salt '*' neutron.list_networks salt '*' neutron.list_networks profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of network salt.modules.neutron.list_ports(profile=None) Fetches a list of all networks for a tenant CLI Example: salt '*' neutron.list_ports salt '*' neutron.list_ports profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of port salt.modules.neutron.list_quotas(profile=None) Fetches all tenants quotas CLI Example: salt '*' neutron.list_quotas salt '*' neutron.list_quotas profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of quotas salt.modules.neutron.list_routers(profile=None) Fetches a list of all routers for a tenant CLI Example: salt '*' neutron.list_routers salt '*' neutron.list_routers profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of router salt.modules.neutron.list_security_group_rules(profile=None) Fetches a list of all security group rules for a tenant CLI Example: salt '*' neutron.list_security_group_rules salt '*' neutron.list_security_group_rules profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of security group rule salt.modules.neutron.list_security_groups(profile=None) Fetches a list of all security groups for a tenant CLI Example: salt '*' neutron.list_security_groups salt '*' neutron.list_security_groups profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of security group salt.modules.neutron.list_subnets(profile=None) Fetches a list of all networks for a tenant CLI Example: salt '*' neutron.list_subnets salt '*' neutron.list_subnets profile=openstack1 Parameters profile -- Profile to build on (Optional) Returns List of subnet salt.modules.neutron.list_vpnservices(retrive_all=True, profile=None, **kwargs) Fetches a list of all configured VPN services for a tenant CLI Example: salt '*' neutron.list_vpnservices Parameters • retrive_all -- True or False, default: True (Optional) • profile -- Profile to build on (Optional) Returns List of VPN service salt.modules.neutron.remove_gateway_router(router, profile=None) Removes an external network gateway from the specified router CLI Example: salt '*' neutron.remove_gateway_router router-name Parameters • router -- ID or name of router • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.remove_interface_router(router, subnet, profile=None) Removes an internal network interface from the specified router CLI Example: salt '*' neutron.remove_interface_router router-name subnet-name Parameters • router -- ID or name of the router • subnet -- ID or name of the subnet • profile -- Profile to build on (Optional) Returns True(Succeed) or False salt.modules.neutron.show_floatingip(floatingip_id, profile=None) Fetches information of a certain floatingIP CLI Example: salt '*' neutron.show_floatingip floatingip-id Parameters • floatingip_id -- ID of floatingIP to look up • profile -- Profile to build on (Optional) Returns Floating IP information salt.modules.neutron.show_ikepolicy(ikepolicy, profile=None) Fetches information of a specific IKEPolicy CLI Example: salt '*' neutron.show_ikepolicy ikepolicy-name Parameters • ikepolicy -- ID or name of ikepolicy to look up • profile -- Profile to build on (Optional) Returns IKE policy information salt.modules.neutron.show_ipsec_site_connection(ipsec_site_connection, profile=None) Fetches information of a specific IPsecSiteConnection CLI Example: salt '*' neutron.show_ipsec_site_connection connection-name Parameters • ipsec_site_connection -- ID or name of ipsec site connection to look up • profile -- Profile to build on (Optional) Returns IPSec site connection information salt.modules.neutron.show_ipsecpolicy(ipsecpolicy, profile=None) Fetches information of a specific IPsecPolicy CLI Example: salt '*' neutron.show_ipsecpolicy ipsecpolicy-name Parameters • ipsecpolicy -- ID or name of IPSec policy to look up • profile -- Profile to build on (Optional) Returns IPSec policy information salt.modules.neutron.show_network(network, profile=None) Fetches information of a certain network CLI Example: salt '*' neutron.show_network network-name salt '*' neutron.show_network network-name profile=openstack1 Parameters • network -- ID or name of network to look up • profile -- Profile to build on (Optional) Returns Network information salt.modules.neutron.show_port(port, profile=None) Fetches information of a certain port CLI Example: salt '*' neutron.show_port port-id salt '*' neutron.show_port port-id profile=openstack1 Parameters • port -- ID or name of port to look up • profile -- Profile to build on (Optional) Returns Port information salt.modules.neutron.show_quota(tenant_id, profile=None) Fetches information of a certain tenant's quotas CLI Example: salt '*' neutron.show_quota tenant-id salt '*' neutron.show_quota tenant-id profile=openstack1 Parameters • tenant_id -- ID of tenant • profile -- Profile to build on (Optional) Returns Quota information salt.modules.neutron.show_router(router, profile=None) Fetches information of a certain router CLI Example: salt '*' neutron.show_router router-name Parameters • router -- ID or name of router to look up • profile -- Profile to build on (Optional) Returns Router information salt.modules.neutron.show_security_group(security_group, profile=None) Fetches information of a certain security group CLI Example: salt '*' neutron.show_security_group security-group-name Parameters • security_group -- ID or name of security group to look up • profile -- Profile to build on (Optional) Returns Security group information salt.modules.neutron.show_security_group_rule(security_group_rule_id, profile=None) Fetches information of a certain security group rule CLI Example: salt '*' neutron.show_security_group_rule security-group-rule-id Parameters • security_group_rule_id -- ID of security group rule to look up • profile -- Profile to build on (Optional) Returns Security group rule information salt.modules.neutron.show_subnet(subnet, profile=None) Fetches information of a certain subnet CLI Example: salt '*' neutron.show_subnet subnet-name Parameters • subnet -- ID or name of subnet to look up • profile -- Profile to build on (Optional) Returns Subnet information salt.modules.neutron.show_vpnservice(vpnservice, profile=None, **kwargs) Fetches information of a specific VPN service CLI Example: salt '*' neutron.show_vpnservice vpnservice-name Parameters • vpnservice -- ID or name of vpn service to look up • profile -- Profile to build on (Optional) Returns VPN service information salt.modules.neutron.update_floatingip(floatingip_id, port, profile=None) Updates a floatingIP CLI Example: salt '*' neutron.update_floatingip network-name port-name Parameters • floatingip_id -- ID of floatingIP • port -- ID or name of port • profile -- Profile to build on (Optional) Returns Value of updated floating IP information salt.modules.neutron.update_network(network, name, profile=None) Updates a network CLI Example: salt '*' neutron.update_network network-name new-network-name Parameters • network -- ID or name of network to update • name -- Name of this network • profile -- Profile to build on (Optional) Returns Value of updated network information salt.modules.neutron.update_port(port, name, admin_state_up=True, profile=None) Updates a port CLI Example: salt '*' neutron.update_port port-name network-name new-port-name Parameters • port -- Port name or ID • name -- Name of this port • admin_state_up -- Set admin state up to true or false, default: true (Optional) • profile -- Profile to build on (Optional) Returns Value of updated port information salt.modules.neutron.update_quota(tenant_id, subnet=None, router=None, network=None, floatingip=None, port=None, security_group=None, security_group_rule=None, profile=None) Update a tenant's quota CLI Example: salt '*' neutron.update_quota tenant-id subnet=40 router=50 network=10 floatingip=30 port=30 Parameters • tenant_id -- ID of tenant • subnet -- Value of subnet quota (Optional) • router -- Value of router quota (Optional) • network -- Value of network quota (Optional) • floatingip -- Value of floatingip quota (Optional) • port -- Value of port quota (Optional) • security_group -- Value of security group (Optional) • security_group_rule -- Value of security group rule (Optional) • profile -- Profile to build on (Optional) Returns Value of updated quota salt.modules.neutron.update_router(router, name=None, admin_state_up=None, profile=None, **kwargs) Updates a router CLI Example: salt '*' neutron.update_router router_id name=new-router-name admin_state_up=True Parameters • router -- ID or name of router to update • name -- Name of this router • ext_network -- ID or name of the external for the gateway (Optional) • admin_state_up -- Set admin state up to true or false, default: true (Optional) • profile -- Profile to build on (Optional) • kwargs -- Returns Value of updated router information salt.modules.neutron.update_security_group(security_group, name=None, description=None, profile=None) Updates a security group CLI Example: salt '*' neutron.update_security_group security-group-name new-security-group-name Parameters • security_group -- ID or name of security group to update • name -- Name of this security group (Optional) • description -- Description of security group (Optional) • profile -- Profile to build on (Optional) Returns Value of updated security group information salt.modules.neutron.update_subnet(subnet, name, profile=None) Updates a subnet CLI Example: salt '*' neutron.update_subnet subnet-name new-subnet-name Parameters • subnet -- ID or name of subnet to update • name -- Name of this subnet • profile -- Profile to build on (Optional) Returns Value of updated subnet information salt.modules.neutron.update_vpnservice(vpnservice, desc, profile=None) Updates a VPN service CLI Example: salt '*' neutron.update_vpnservice vpnservice-name desc='VPN Service1' Parameters • vpnservice -- ID or name of vpn service to update • desc -- Set a description for the VPN service • profile -- Profile to build on (Optional) Returns Value of updated VPN service information salt.modules.nfs3 Module for managing NFS version 3. salt.modules.nfs3.del_export(exports='/etc/exports', path=None) Remove an export CLI Example: salt '*' nfs.del_export /media/storage salt.modules.nfs3.list_exports(exports='/etc/exports') List configured exports CLI Example: salt '*' nfs.list_exports salt.modules.nftables Support for nftables salt.modules.nftables.append(table='filter', chain=None, rule=None, family='ipv4') Append a rule to the specified table & chain. This function accepts a rule in a standard nftables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it. CLI Example: salt '*' nftables.append filter input \ rule='input tcp dport 22 log accept' IPv6: salt '*' nftables.append filter input \ rule='input tcp dport 22 log accept' \ family=ipv6 salt.modules.nftables.build_rule(table=None, chain=None, command=None, position='', full=None, family='ipv4', **kwargs) Build a well-formatted nftables rule based on kwargs. A table and chain are not required, unless full is True. If full is True, then table, chain and command are required. command may be specified as either insert, append, or delete. This will return the nftables command, exactly as it would be used from the command line. If a position is required (as with insert or delete), it may be specified as position. This will only be useful if full is True. If connstate is passed in, it will automatically be changed to state. CLI Examples: salt '*' nftables.build_rule match=state \ connstate=RELATED,ESTABLISHED jump=ACCEPT salt '*' nftables.build_rule filter input command=insert position=3 \ full=True match=state state=related,established jump=accept IPv6: salt '*' nftables.build_rule match=state \ connstate=related,established jump=accept \ family=ipv6 salt '*' nftables.build_rule filter input command=insert position=3 \ full=True match=state state=related,established jump=accept \ family=ipv6 salt.modules.nftables.check(table='filter', chain=None, rule=None, family='ipv4') Check for the existence of a rule in the table and chain This function accepts a rule in a standard nftables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it. CLI Example: salt '*' nftables.check filter input \ rule='input tcp dport 22 log accept' IPv6: salt '*' nftables.check filter input \ rule='input tcp dport 22 log accept' \ family=ipv6 salt.modules.nftables.check_chain(table='filter', chain=None, family='ipv4') New in version 2014.7.0. Check for the existence of a chain in the table CLI Example: salt '*' nftables.check_chain filter input IPv6: salt '*' nftables.check_chain filter input family=ipv6 salt.modules.nftables.check_table(table=None, family='ipv4') Check for the existence of a table CLI Example: salt '*' nftables.check_table nat salt.modules.nftables.delete(table, chain=None, position=None, rule=None, family='ipv4') Delete a rule from the specified table & chain, specifying either the rule in its entirety, or the rule's position in the chain. This function accepts a rule in a standard nftables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it. CLI Examples: salt '*' nftables.delete filter input position=3 salt '*' nftables.delete filter input \ rule='input tcp dport 22 log accept' IPv6: salt '*' nftables.delete filter input position=3 family=ipv6 salt '*' nftables.delete filter input \ rule='input tcp dport 22 log accept' \ family=ipv6 salt.modules.nftables.delete_chain(table='filter', chain=None, family='ipv4') New in version 2014.7.0. Delete the chain from the specified table. CLI Example: salt '*' nftables.delete_chain filter input salt '*' nftables.delete_chain filter foo IPv6: salt '*' nftables.delete_chain filter input family=ipv6 salt '*' nftables.delete_chain filter foo family=ipv6 salt.modules.nftables.delete_table(table, family='ipv4') New in version 2014.7.0. Create new custom table. CLI Example: salt '*' nftables.delete_table filter IPv6: salt '*' nftables.delete_table filter family=ipv6 salt.modules.nftables.flush(table='filter', chain='', family='ipv4') Flush the chain in the specified table, flush all chains in the specified table if chain is not specified. CLI Example: salt '*' nftables.flush filter salt '*' nftables.flush filter input IPv6: salt '*' nftables.flush filter input family=ipv6 salt.modules.nftables.get_rule_handle(table='filter', chain=None, rule=None, family='ipv4') Get the handle for a particular rule This function accepts a rule in a standard nftables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it. CLI Example: salt '*' nftables.get_rule_handle filter input \ rule='input tcp dport 22 log accept' IPv6: salt '*' nftables.get_rule_handle filter input \ rule='input tcp dport 22 log accept' \ family=ipv6 salt.modules.nftables.get_rules(family='ipv4') Return a data structure of the current, in-memory rules CLI Example: salt '*' nftables.get_rules salt '*' nftables.get_rules family=ipv6 salt.modules.nftables.get_saved_rules(conf_file=None, family='ipv4') Return a data structure of the rules in the conf file CLI Example: salt '*' nftables.get_saved_rules salt.modules.nftables.insert(table='filter', chain=None, position=None, rule=None, family='ipv4') Insert a rule into the specified table & chain, at the specified position. If position is not specified, rule will be inserted in first position. This function accepts a rule in a standard nftables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it. CLI Examples: salt '*' nftables.insert filter input \ rule='input tcp dport 22 log accept' salt '*' nftables.insert filter input position=3 \ rule='input tcp dport 22 log accept' IPv6: salt '*' nftables.insert filter input \ rule='input tcp dport 22 log accept' \ family=ipv6 salt '*' nftables.insert filter input position=3 \ rule='input tcp dport 22 log accept' \ family=ipv6 salt.modules.nftables.new_chain(table='filter', chain=None, table_type=None, hook=None, priority=None, family='ipv4') New in version 2014.7.0. Create new chain to the specified table. CLI Example: salt '*' nftables.new_chain filter input salt '*' nftables.new_chain filter input \ table_type=filter hook=input priority=0 salt '*' nftables.new_chain filter foo IPv6: salt '*' nftables.new_chain filter input family=ipv6 salt '*' nftables.new_chain filter input \ table_type=filter hook=input priority=0 family=ipv6 salt '*' nftables.new_chain filter foo family=ipv6 salt.modules.nftables.new_table(table, family='ipv4') New in version 2014.7.0. Create new custom table. CLI Example: salt '*' nftables.new_table filter IPv6: salt '*' nftables.new_table filter family=ipv6 salt.modules.nftables.save(filename=None, family='ipv4') Save the current in-memory rules to disk CLI Example: salt '*' nftables.save /etc/nftables salt.modules.nftables.version() Return version from nftables --version CLI Example: salt '*' nftables.version salt.modules.nginx Support for nginx salt.modules.nginx.build_info() Return server and build arguments CLI Example: salt '*' nginx.build_info salt.modules.nginx.configtest() test configuration and exit CLI Example: salt '*' nginx.configtest salt.modules.nginx.signal(signal=None) Signals nginx to start, reload, reopen or stop. CLI Example: salt '*' nginx.signal reload salt.modules.nginx.status(url='http://127.0.0.1/status') Return the data from an Nginx status page as a dictionary. http://wiki.nginx.org/HttpStubStatusModule url The URL of the status page. Defaults to 'http://127.0.0.1/status' CLI Example: salt '*' nginx.status salt.modules.nginx.version() Return server version from nginx -v CLI Example: salt '*' nginx.version salt.modules.node Module for full system inspection. salt.modules.node.inspect(mode='all', priority=19, **kwargs) Start node inspection and save the data to the database for further query. Parameters: • mode: Clarify inspection mode: configuration, payload, all (default) payload • filter: Comma-separated directories to track payload. • priority: (advanced) Set priority of the inspection. Default is low priority. CLI Example: salt '*' node.inspect salt '*' node.inspect configuration salt '*' node.inspect payload filter=/opt,/ext/oracle salt.modules.node.query(scope, **kwargs) Query the node for specific information. Parameters: • scope: Specify scope of the query. • System: Return system data. • Software: Return software information. • Services: Return known services. • Identity: Return user accounts information for this system. accounts Can be either 'local', 'remote' or 'all' (equal to "local,remote"). Remote accounts cannot be resolved on all systems, but only those, which supports 'passwd -S -a'. disabled True (or False, default) to return only disabled accounts. • payload: Payload scope parameters: filter Include only results which path starts from the filter string. time Display time in Unix ticks or format according to the configured TZ (default) Values: ticks, tz (default) size Format size. Values: B, KB, MB, GB type Include payload type. Values (comma-separated): directory (or dir), link, file (default) Example (returns everything): type=directory,link,file owners Resolve UID/GID to an actual names or leave them numeric (default). Values: name (default), id brief Return just a list of payload elements, if True. Default: False. • all: Return all information (default). CLI Example: salt '*' node.query scope=os salt '*' node.query payload type=file,link filter=/etc size=Kb brief=False salt.modules.nova Module for handling OpenStack Nova calls depends • novaclient Python module configuration This module is not usable until the user, password, tenant, and auth URL are specified either in a pillar or in the minion's config file. For example: keystone.user: admin keystone.password: verybadpass keystone.tenant: admin keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' # Optional keystone.region_name: 'regionOne' If configuration for multiple OpenStack accounts is required, they can be set up as different configuration profiles: For example: openstack1: keystone.user: admin keystone.password: verybadpass keystone.tenant: admin keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' openstack2: keystone.user: admin keystone.password: verybadpass keystone.tenant: admin keystone.auth_url: 'http://127.0.0.2:5000/v2.0/' With this configuration in place, any of the nova functions can make use of a configuration profile by declaring it explicitly. For example: salt '*' nova.flavor_list profile=openstack1 salt.modules.nova.boot(name, flavor_id=0, image_id=0, profile=None, timeout=300) Boot (create) a new instance name Name of the new instance (must be first) flavor_id Unique integer ID for the flavor image_id Unique integer ID for the image timeout How long to wait, after creating the instance, for the provider to return information about it (default 300 seconds). New in version 2014.1.0. CLI Example: salt '*' nova.boot myinstance flavor_id=4596 image_id=2 The flavor_id and image_id are obtained from nova.flavor_list and nova.image_list salt '*' nova.flavor_list salt '*' nova.image_list salt.modules.nova.delete(instance_id, profile=None) Delete an instance instance_id ID of the instance to be deleted CLI Example: salt '*' nova.delete 1138 salt.modules.nova.flavor_create(name, flavor_id=0, ram=0, disk=0, vcpus=1, profile=None) Add a flavor to nova (nova flavor-create). The following parameters are required: name Name of the new flavor (must be first) flavor_id Unique integer ID for the new flavor ram Memory size in MB disk Disk size in GB vcpus Number of vcpus CLI Example: salt '*' nova.flavor_create myflavor flavor_id=6 ram=4096 disk=10 vcpus=1 salt.modules.nova.flavor_delete(flavor_id, profile=None) Delete a flavor from nova by id (nova flavor-delete) CLI Example: salt '*' nova.flavor_delete 7 salt.modules.nova.flavor_list(profile=None) Return a list of available flavors (nova flavor-list) CLI Example: salt '*' nova.flavor_list salt.modules.nova.image_list(name=None, profile=None) Return a list of available images (nova images-list + nova image-show) If a name is provided, only that image will be displayed. CLI Examples: salt '*' nova.image_list salt '*' nova.image_list myimage salt.modules.nova.image_meta_delete(image_id=None, name=None, keys=None, profile=None) Delete a key=value pair from the metadata for an image (nova image-meta set) CLI Examples: salt '*' nova.image_meta_delete 6f52b2ff-0b31-4d84-8fd1-af45b84824f6 keys=cheese salt '*' nova.image_meta_delete name=myimage keys=salad,beans salt.modules.nova.image_meta_set(image_id=None, name=None, profile=None, **kwargs) Sets a key=value pair in the metadata for an image (nova image-meta set) CLI Examples: salt '*' nova.image_meta_set 6f52b2ff-0b31-4d84-8fd1-af45b84824f6 cheese=gruyere salt '*' nova.image_meta_set name=myimage salad=pasta beans=baked salt.modules.nova.keypair_add(name, pubfile=None, pubkey=None, profile=None) Add a keypair to nova (nova keypair-add) CLI Examples: salt '*' nova.keypair_add mykey pubfile='/home/myuser/.ssh/id_rsa.pub' salt '*' nova.keypair_add mykey pubkey='ssh-rsa <key> myuser@mybox' salt.modules.nova.keypair_delete(name, profile=None) Add a keypair to nova (nova keypair-delete) CLI Example: salt '*' nova.keypair_delete mykey' salt.modules.nova.keypair_list(profile=None) Return a list of available keypairs (nova keypair-list) CLI Example: salt '*' nova.keypair_list salt.modules.nova.list(profile=None) To maintain the feel of the nova command line, this function simply calls the server_list function. salt.modules.nova.lock(instance_id, profile=None) Lock an instance instance_id ID of the instance to be locked CLI Example: salt '*' nova.lock 1138 salt.modules.nova.resume(instance_id, profile=None) Resume an instance instance_id ID of the instance to be resumed CLI Example: salt '*' nova.resume 1138 salt.modules.nova.secgroup_create(name, description, profile=None) Add a secgroup to nova (nova secgroup-create) CLI Example: salt '*' nova.secgroup_create mygroup 'This is my security group' salt.modules.nova.secgroup_delete(name, profile=None) Delete a secgroup to nova (nova secgroup-delete) CLI Example: salt '*' nova.secgroup_delete mygroup salt.modules.nova.secgroup_list(profile=None) Return a list of available security groups (nova items-list) CLI Example: salt '*' nova.secgroup_list salt.modules.nova.server_by_name(name, profile=None) Return information about a server name Server Name CLI Example: salt '*' nova.server_by_name myserver profile=openstack salt.modules.nova.server_list(profile=None) Return list of active servers CLI Example: salt '*' nova.show salt.modules.nova.server_list_detailed(profile=None) Return detailed list of active servers CLI Example: salt '*' nova.server_list_detailed salt.modules.nova.server_show(server_id, profile=None) Return detailed information for an active server CLI Example: salt '*' nova.server_show <server_id> salt.modules.nova.show(server_id, profile=None) To maintain the feel of the nova command line, this function simply calls the server_show function. CLI Example: salt '*' nova.show salt.modules.nova.suspend(instance_id, profile=None) Suspend an instance instance_id ID of the instance to be suspended CLI Example: salt '*' nova.suspend 1138 salt.modules.nova.volume_attach(name, server_name, device='/dev/xvdb', profile=None, timeout=300) Attach a block storage volume name Name of the new volume to attach server_name Name of the server to attach to device Name of the device on the server profile Profile to build on CLI Example: salt '*' nova.volume_attach myblock slice.example.com profile=openstack salt '*' nova.volume_attach myblock server.example.com device='/dev/xvdb' profile=openstack salt.modules.nova.volume_create(name, size=100, snapshot=None, voltype=None, profile=None) Create a block storage volume name Name of the new volume (must be first) size Volume size snapshot Block storage snapshot id voltype Type of storage profile Profile to build on CLI Example: salt '*' nova.volume_create myblock size=300 profile=openstack salt.modules.nova.volume_delete(name, profile=None) Destroy the volume name Name of the volume profile Profile to build on CLI Example: salt '*' nova.volume_delete myblock profile=openstack salt.modules.nova.volume_detach(name, profile=None, timeout=300) Attach a block storage volume name Name of the new volume to attach server_name Name of the server to detach from profile Profile to build on CLI Example: salt '*' nova.volume_detach myblock profile=openstack salt.modules.nova.volume_list(search_opts=None, profile=None) List storage volumes search_opts Dictionary of search options profile Profile to use CLI Example: salt '*' nova.volume_list search_opts='{"display_name": "myblock"}' profile=openstack salt.modules.nova.volume_show(name, profile=None) Create a block storage volume name Name of the volume profile Profile to use CLI Example: salt '*' nova.volume_show myblock profile=openstack salt.modules.npm Manage and query NPM packages. salt.modules.npm.install(pkg=None, pkgs=None, dir=None, runas=None, registry=None, env=None, dry_run=False, silent=True) Install an NPM package. If no directory is specified, the package will be installed globally. If no package is specified, the dependencies (from package.json) of the package in the given directory will be installed. pkg A package name in any format accepted by NPM, including a version identifier pkgs A list of package names in the same format as the name parameter New in version 2014.7.0. dir The target directory in which to install the package, or None for global installation runas The user to run NPM with registry The NPM registry to install the package from. New in version 2014.7.0. env Environment variables to set when invoking npm. Uses the same env format as the cmd.run execution function. New in version 2014.7.0. dry_run Whether or not to run NPM install with --dry-run flag. New in version 2015.8.4. silent Wether or not to run NPM install with --silent flag. New in version 2015.8.5. CLI Example: salt '*' npm.install coffee-script salt '*' npm.install coffee-script@1.0.1 salt.modules.npm.list(pkg=None, dir=None, runas=None, env=None) List installed NPM packages. If no directory is specified, this will return the list of globally- installed packages. pkg Limit package listing by name dir The directory whose packages will be listed, or None for global installation runas The user to run NPM with New in version 2014.7.0. env Environment variables to set when invoking npm. Uses the same env format as the cmd.run execution function. New in version 2014.7.0. CLI Example: salt '*' npm.list salt.modules.npm.uninstall(pkg, dir=None, runas=None, env=None) Uninstall an NPM package. If no directory is specified, the package will be uninstalled globally. pkg A package name in any format accepted by NPM dir The target directory from which to uninstall the package, or None for global installation runas The user to run NPM with env Environment variables to set when invoking npm. Uses the same env format as the cmd.run execution function. New in version 2015.5.3. CLI Example: salt '*' npm.uninstall coffee-script salt.modules.nspawn Manage nspawn containers New in version 2015.8.0. systemd-nspawn(1) is a tool used to manage lightweight namespace containers. This execution module provides several functions to help manage these containers. Minions running systemd >= 219 will place new containers in /var/lib/machines, while those running systemd < 219 will place them in /var/lib/container. salt.modules.nspawn.bootstrap_container(name, dist=None, version=None) Bootstrap a container from package servers, if dist is None the os the minion is running as will be created, otherwise the needed bootstrapping tools will need to be available on the host. CLI Example: salt myminion nspawn.bootstrap_container <name> salt.modules.nspawn.bootstrap_salt(name, config=None, approve_key=True, install=True, pub_key=None, priv_key=None, bootstrap_url=None, force_install=False, unconditional_install=False, bootstrap_delay=None, bootstrap_args=None, bootstrap_shell=None) Bootstrap a container from package servers, if dist is None the os the minion is running as will be created, otherwise the needed bootstrapping tools will need to be available on the host. CLI Example: salt '*' nspawn.bootstrap_salt arch1 salt.modules.nspawn.copy_to(name, *args, **kwargs) Copy a file from the host into a container name Container name source File to be copied to the container dest Destination on the container. Must be an absolute path. overwrite False Unless this option is set to True, then if a file exists at the location specified by the dest argument, an error will be raised. makedirs : False Create the parent directory on the container if it does not already exist. CLI Example: salt 'minion' nspawn.copy_to /tmp/foo /root/foo salt.modules.nspawn.disable(name, *args, **kwargs) Set the named container to not be launched at boot CLI Example: salt myminion nspawn.enable <name> salt.modules.nspawn.enable(name, *args, **kwargs) Set the named container to be launched at boot CLI Example: salt myminion nspawn.enable <name> salt.modules.nspawn.exists(name) Returns true if the named container exists CLI Example: salt myminion nspawn.exists <name> salt.modules.nspawn.info(name, **kwargs) Return info about a container NOTE: The container must be running for machinectl to gather information about it. If the container is stopped, then this function will start it. start False If True, then the container will be started to retrieve the info. A Started key will be in the return data if the container was started. CLI Example: salt myminion nspawn.info arch1 salt myminion nspawn.info arch1 force_start=False salt.modules.nspawn.list_all() Lists all nspawn containers CLI Example: salt myminion nspawn.list_all salt.modules.nspawn.list_running() Lists running nspawn containers NOTE: nspawn.list also works to list running containers CLI Example: salt myminion nspawn.list_running salt myminion nspawn.list salt.modules.nspawn.list_stopped() Lists stopped nspawn containers CLI Example: salt myminion nspawn.list_stopped salt.modules.nspawn.pid(name, *args, **kwargs) Returns the PID of a container name Container name CLI Example: salt myminion nspawn.pid arch1 salt.modules.nspawn.poweroff(name) Issue a clean shutdown to the container. Equivalent to running machinectl poweroff on the named container. For convenience, running nspawn.stop``(as shown in the CLI examples below) is equivalent to running ``nspawn.poweroff. NOTE: machinectl poweroff is only supported in systemd >= 219. On earlier systemd versions, running this function will simply issue a clean shutdown via systemctl. CLI Examples: salt myminion nspawn.poweroff arch1 salt myminion nspawn.stop arch1 salt.modules.nspawn.pull_dkr(url, name, index) Execute a machinectl pull-dkr to download a docker image and add it to /var/lib/machines as a new container. NOTE: Requires systemd >= 219 url URL from which to download the container name Name for the new container index URL of the Docker index server from which to pull (must be an http:// or https:// URL). CLI Examples: salt myminion nspawn.pull_dkr centos/centos6 cent6 index=https://get.docker.com salt myminion nspawn.pull_docker centos/centos6 cent6 index=https://get.docker.com salt.modules.nspawn.pull_raw(url, name, verify=False) Execute a machinectl pull-raw to download a .qcow2 or raw disk image, and add it to /var/lib/machines as a new container. NOTE: Requires systemd >= 219 url URL from which to download the container name Name for the new container verify False Perform signature or checksum verification on the container. See the machinectl(1) man page (section titled "Image Transfer Commands") for more information on requirements for image verification. To perform signature verification, use verify=signature. For checksum verification, use verify=checksum. By default, no verification will be performed. CLI Examples: salt myminion nspawn.pull_raw http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz fedora21 salt.modules.nspawn.pull_tar(url, name, verify=False) Execute a machinectl pull-raw to download a .tar container image, and add it to /var/lib/machines as a new container. NOTE: Requires systemd >= 219 url URL from which to download the container name Name for the new container verify False Perform signature or checksum verification on the container. See the machinectl(1) man page (section titled "Image Transfer Commands") for more information on requirements for image verification. To perform signature verification, use verify=signature. For checksum verification, use verify=checksum. By default, no verification will be performed. CLI Examples: salt myminion nspawn.pull_tar http://foo.domain.tld/containers/archlinux-2015.02.01.tar.gz arch2 salt.modules.nspawn.reboot(name, *args, **kwargs) Reboot the container by sending a SIGINT to its init process. Equivalent to running machinectl reboot on the named container. For convenience, running nspawn.restart (as shown in the CLI examples below) is equivalent to running nspawn.reboot. NOTE: machinectl reboot is only supported in systemd >= 219. On earlier systemd versions, running this function will instead restart the container via systemctl. CLI Examples: salt myminion nspawn.reboot arch1 salt myminion nspawn.restart arch1 salt.modules.nspawn.remove(name, *args, **kwargs) Remove the named container WARNING: This function will remove all data associated with the container. It will not, however, remove the btrfs subvolumes created by pulling container images (‐ nspawn.pull_raw, nspawn.pull_tar, nspawn.pull_dkr). stop False If True, the container will be destroyed even if it is running/frozen. CLI Examples: salt '*' nspawn.remove foo salt '*' nspawn.remove foo stop=True salt.modules.nspawn.retcode(name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, ignore_retcode=False, keep_env=None) Run cmd.retcode within a container name Name of the container in which to run the command cmd Command to run no_start False If the container is not running, don't start it preserve_state True After running the command, return the container to its previous state stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. Assumes output=all. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion nspawn.retcode mycontainer 'ip addr show' salt.modules.nspawn.run(name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, ignore_retcode=False, keep_env=None) Run cmd.run within a container name Name of the container in which to run the command cmd Command to run no_start False If the container is not running, don't start it preserve_state True After running the command, return the container to its previous state stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion nspawn.run mycontainer 'ifconfig -a' salt.modules.nspawn.run_all(name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, ignore_retcode=False, keep_env=None) Run cmd.run_all within a container NOTE: While the command is run within the container, it is initiated from the host. Therefore, the PID in the return dict is from the host, not from the container. name Name of the container in which to run the command cmd Command to run no_start False If the container is not running, don't start it preserve_state True After running the command, return the container to its previous state stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. Assumes output=all. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion nspawn.run_all mycontainer 'ip addr show' salt.modules.nspawn.run_stderr(name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, ignore_retcode=False, keep_env=None) Run cmd.run_stderr within a container name Name of the container in which to run the command cmd Command to run no_start False If the container is not running, don't start it preserve_state True After running the command, return the container to its previous state stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. Assumes output=all. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion nspawn.run_stderr mycontainer 'ip addr show' salt.modules.nspawn.run_stdout(name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel='debug', use_vt=False, ignore_retcode=False, keep_env=None) Run cmd.run_stdout within a container name Name of the container in which to run the command cmd Command to run no_start False If the container is not running, don't start it preserve_state True After running the command, return the container to its previous state stdin None Standard input to be used for the command output_loglevel debug Level at which to log the output from the command. Set to quiet to suppress logging. use_vt False Use SaltStack's utils.vt to stream output to console. Assumes output=all. keep_env None If not passed, only a sane default PATH environment variable will be set. If True, all environment variables from the container's host will be kept. Otherwise, a comma-separated list (or Python list) of environment variable names can be passed, and those environment variables will be kept. CLI Example: salt myminion nspawn.run_stdout mycontainer 'ifconfig -a' salt.modules.nspawn.start(name, *args, **kwargs) Start the named container CLI Example: salt myminion nspawn.start <name> salt.modules.nspawn.state(name, *args, **kwargs) Return state of container (running or stopped) CLI Example: salt myminion nspawn.state <name> salt.modules.nspawn.terminate(name) Kill all processes in the container without issuing a clean shutdown. Equivalent to running machinectl terminate on the named container. For convenience, running nspawn.stop and passing kill=True (as shown in the CLI examples below) is equivalent to running nspawn.terminate. NOTE: machinectl terminate is only supported in systemd >= 219. On earlier systemd versions, running this function will simply issue a clean shutdown via systemctl. CLI Examples: salt myminion nspawn.terminate arch1 salt myminion nspawn.stop arch1 kill=True salt.modules.omapi This module interacts with an ISC DHCP Server via OMAPI. server_ip and server_port params may be set in the minion config or pillar: omapi.server_ip: 127.0.0.1 omapi.server_port: 7991 depends pypureomapi Python module salt.modules.omapi.add_host(mac, name=None, ip=None, ddns=False, group=None, supersede_host=False) Add a host object for the given mac. CLI Example: salt dhcp-server omapi.add_host ab:ab:ab:ab:ab:ab name=host1 Add ddns-hostname and a fixed-ip statements: salt dhcp-server omapi.add_host ab:ab:ab:ab:ab:ab name=host1 ip=10.1.1.1 ddns=true salt.modules.omapi.delete_host(mac=None, name=None) Delete the host with the given mac or name. CLI Examples: salt dhcp-server omapi.delete_host name=host1 salt dhcp-server omapi.delete_host mac=ab:ab:ab:ab:ab:ab salt.modules.openbsd_sysctl Module for viewing and modifying OpenBSD sysctl parameters salt.modules.openbsd_sysctl.assign(name, value) Assign a single sysctl parameter for this minion CLI Example: salt '*' sysctl.assign net.inet.ip.forwarding 1 salt.modules.openbsd_sysctl.get(name) Return a single sysctl parameter for this minion CLI Example: salt '*' sysctl.get hw.physmem salt.modules.openbsd_sysctl.persist(name, value, config='/etc/sysctl.conf') Assign and persist a simple sysctl parameter for this minion CLI Example: salt '*' sysctl.persist net.inet.ip.forwarding 1 salt.modules.openbsd_sysctl.show(config_file=False) Return a list of sysctl parameters for this minion CLI Example: salt '*' sysctl.show salt.modules.openbsdpkg Package support for OpenBSD salt.modules.openbsdpkg.install(name=None, pkgs=None, sources=None, **kwargs) Install the passed package Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example, Install one package: salt '*' pkg.install <package name> CLI Example, Install more than one package: salt '*' pkg.install pkgs='["<package name>", "<package name>"]' CLI Example, Install more than one package from a alternate source (e.g. salt file-server, HTTP, FTP, local filesystem): salt '*' pkg.install sources='[{"<pkg name>": "salt://pkgs/<pkg filename>"}]' salt.modules.openbsdpkg.latest_version(*names, **kwargs) The available version of the package in the repository CLI Example: salt '*' pkg.latest_version <package name> salt.modules.openbsdpkg.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed as a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt.modules.openbsdpkg.purge(name=None, pkgs=None, **kwargs) Package purges are not supported, this function is identical to remove(). name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.purge <package name> salt '*' pkg.purge <package1>,<package2>,<package3> salt '*' pkg.purge pkgs='["foo", "bar"]' salt.modules.openbsdpkg.remove(name=None, pkgs=None, **kwargs) Remove a single package with pkg_delete Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.openbsdpkg.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.openbsdrcctl The rcctl service module for OpenBSD salt.modules.openbsdrcctl.available(name) Return True if the named service is available. CLI Example: salt '*' service.available sshd salt.modules.openbsdrcctl.disable(name, **kwargs) Disable the named service to not start at boot. CLI Example: salt '*' service.disable <service name> salt.modules.openbsdrcctl.disabled(name) Return True if the named service is disabled at boot, False otherwise. CLI Example: salt '*' service.disabled <service name> salt.modules.openbsdrcctl.enable(name, **kwargs) Enable the named service to start at boot. flags None Set optional flags to run the service with. service.flags can be used to change the default flags. CLI Example: salt '*' service.enable <service name> salt '*' service.enable <service name> flags=<flags> salt.modules.openbsdrcctl.enabled(name, **kwargs) Return True if the named service is enabled at boot and the provided flags match the configured ones (if any). Return False otherwise. name Service name CLI Example: salt '*' service.enabled <service name> salt '*' service.enabled <service name> flags=<flags> salt.modules.openbsdrcctl.get_all() Return all installed services. CLI Example: salt '*' service.get_all salt.modules.openbsdrcctl.get_disabled() Return what services are available but not enabled to start at boot. CLI Example: salt '*' service.get_disabled salt.modules.openbsdrcctl.get_enabled() Return what services are set to run on boot. CLI Example: salt '*' service.get_enabled salt.modules.openbsdrcctl.missing(name) The inverse of service.available. Return True if the named service is not available. CLI Example: salt '*' service.missing sshd salt.modules.openbsdrcctl.reload(name) Reload the named service. CLI Example: salt '*' service.reload <service name> salt.modules.openbsdrcctl.restart(name) Restart the named service. CLI Example: salt '*' service.restart <service name> salt.modules.openbsdrcctl.start(name) Start the named service. CLI Example: salt '*' service.start <service name> salt.modules.openbsdrcctl.status(name, sig=None) Return the status for a service, returns a bool whether the service is running. CLI Example: salt '*' service.status <service name> salt.modules.openbsdrcctl.stop(name) Stop the named service. CLI Example: salt '*' service.stop <service name> salt.modules.openbsdservice The service module for OpenBSD salt.modules.openbsdservice.available(name) New in version 2014.7.0. Returns True if the specified service is available, otherwise returns False. CLI Example: salt '*' service.available sshd salt.modules.openbsdservice.disabled(name) New in version 2014.7.0. Return True if the named service is disabled, false otherwise CLI Example: salt '*' service.disabled <service name> salt.modules.openbsdservice.enabled(name, **kwargs) New in version 2014.7.0. Return True if the named service is enabled, false otherwise CLI Example: salt '*' service.enabled <service name> salt.modules.openbsdservice.get_all() New in version 2014.7.0. Return all available boot services CLI Example: salt '*' service.get_all salt.modules.openbsdservice.get_disabled() New in version 2014.7.0. Return a set of services that are installed but disabled CLI Example: salt '*' service.get_disabled salt.modules.openbsdservice.get_enabled() New in version 2014.7.0. Return a list of service that are enabled on boot CLI Example: salt '*' service.get_enabled salt.modules.openbsdservice.missing(name) New in version 2014.7.0. The inverse of service.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' service.missing sshd salt.modules.openbsdservice.reload(name) New in version 2014.7.0. Reload the named service CLI Example: salt '*' service.reload <service name> salt.modules.openbsdservice.restart(name) Restart the named service CLI Example: salt '*' service.restart <service name> salt.modules.openbsdservice.start(name) Start the specified service CLI Example: salt '*' service.start <service name> salt.modules.openbsdservice.status(name, sig=None) Return the status for a service, returns a bool whether the service is running. CLI Example: salt '*' service.status <service name> salt.modules.openbsdservice.stop(name) Stop the specified service CLI Example: salt '*' service.stop <service name> salt.modules.openstack_config Modify, retrieve, or delete values from OpenStack configuration files. maintainer Jeffrey C. Ollie <jeff@ocjtech.us> maturity new depends platform linux salt.modules.openstack_config.delete(filename, section, parameter) Delete a value from an OpenStack configuration file. filename The full path to the configuration file section The section from which to delete the parameter parameter The parameter to delete CLI Example: salt-call openstack_config.delete /etc/keystone/keystone.conf sql connection salt.modules.openstack_config.get(filename, section, parameter) Get a value from an OpenStack configuration file. filename The full path to the configuration file section The section from which to search for the parameter parameter The parameter to return CLI Example: salt-call openstack_config.get /etc/keystone/keystone.conf sql connection salt.modules.openstack_config.set(filename, section, parameter, value) Set a value in an OpenStack configuration file. filename The full path to the configuration file section The section in which the parameter will be set parameter The parameter to change value The value to set CLI Example: salt-call openstack_config.set /etc/keystone/keystone.conf sql connection foo salt.modules.oracle Oracle DataBase connection module maintainer Vladimir Bormotov <bormotov@gmail.com> maturity new depends cx_Oracle platform all configuration module provide connections for multiple Oracle DB instances. OS Environment ORACLE_HOME: path to oracle product PATH: path to Oracle Client libs need to be in PATH pillar oracle.dbs: list of known based oracle.dbs.<db>.uri: connection credentials in format: user/password@host[:port]/sid[ as {sysdba|sysoper}] salt.modules.oracle.client_version() Oracle Client Version CLI Example: salt '*' oracle.client_version salt.modules.oracle.run_query(db, query) Run SQL query and return result CLI Example: salt '*' oracle.run_query my_db "select * from my_table" salt.modules.oracle.show_dbs(*dbs) Show databases configuration from pillar. Filter by *args CLI Example: salt '*' oracle.show_dbs salt '*' oracle.show_dbs my_db salt.modules.oracle.show_env() Show Environment used by Oracle Client CLI Example: salt '*' oracle.show_env NOTE: at first _connect() NLS_LANG will forced to '.AL32UTF8' salt.modules.oracle.show_pillar(item=None) Show Pillar segment oracle.* and subitem with notation "item:subitem" CLI Example: salt '*' oracle.show_pillar salt '*' oracle.show_pillar dbs:my_db salt.modules.oracle.version(*dbs) Server Version (select banner from v$version) CLI Example: salt '*' oracle.version salt '*' oracle.version my_db salt.modules.osquery Support for OSQuery - https://osquery.io. New in version 2015.8.0. salt.modules.osquery.acpi_tables(attrs=None, where=None) Return acpi_tables information from osquery CLI Example: salt '*' osquery.acpi_tables salt.modules.osquery.alf(attrs=None, where=None) Return alf information from osquery CLI Example: salt '*' osquery.alf salt.modules.osquery.alf_exceptions(attrs=None, where=None) Return alf_exceptions information from osquery CLI Example: salt '*' osquery.alf_exceptions salt.modules.osquery.alf_explicit_auths(attrs=None, where=None) Return alf_explicit_auths information from osquery CLI Example: salt '*' osquery.alf_explicit_auths salt.modules.osquery.alf_services(attrs=None, where=None) Return alf_services information from osquery CLI Example: salt '*' osquery.alf_services salt.modules.osquery.apps(attrs=None, where=None) Return apps information from osquery CLI Example: salt '*' osquery.apps salt.modules.osquery.apt_sources(attrs=None, where=None) Return apt_sources information from osquery CLI Example: salt '*' osquery.apt_sources salt.modules.osquery.arp_cache(attrs=None, where=None) Return arp_cache information from osquery CLI Example: salt '*' osquery.arp_cache salt.modules.osquery.block_devices(attrs=None, where=None) Return block_devices information from osquery CLI Example: salt '*' osquery.block_devices salt.modules.osquery.certificates(attrs=None, where=None) Return certificates information from osquery CLI Example: salt '*' osquery.certificates salt.modules.osquery.chrome_extensions(attrs=None, where=None) Return chrome_extensions information from osquery CLI Example: salt '*' osquery.chrome_extensions salt.modules.osquery.cpuid(attrs=None, where=None) Return cpuid information from osquery CLI Example: salt '*' osquery.cpuid salt.modules.osquery.crontab(attrs=None, where=None) Return crontab information from osquery CLI Example: salt '*' osquery.crontab salt.modules.osquery.deb_packages(attrs=None, where=None) Return deb_packages information from osquery CLI Example: salt '*' osquery.deb_packages salt.modules.osquery.etc_hosts(attrs=None, where=None) Return etc_hosts information from osquery CLI Example: salt '*' osquery.etc_hosts salt.modules.osquery.etc_services(attrs=None, where=None) Return etc_services information from osquery CLI Example: salt '*' osquery.etc_services salt.modules.osquery.file(attrs=None, where=None) Return file information from osquery CLI Example: salt '*' osquery.file salt.modules.osquery.file_changes(attrs=None, where=None) Return file_changes information from osquery CLI Example: salt '*' osquery.file_changes salt.modules.osquery.firefox_addons(attrs=None, where=None) Return firefox_addons information from osquery CLI Example: salt '*' osquery.firefox_addons salt.modules.osquery.groups(attrs=None, where=None) Return groups information from osquery CLI Example: salt '*' osquery.groups salt.modules.osquery.hardware_events(attrs=None, where=None) Return hardware_events information from osquery CLI Example: salt '*' osquery.hardware_events salt.modules.osquery.hash(attrs=None, where=None) Return hash information from osquery CLI Example: salt '*' osquery.hash salt.modules.osquery.homebrew_packages(attrs=None, where=None) Return homebrew_packages information from osquery CLI Example: salt '*' osquery.homebrew_packages salt.modules.osquery.interface_addresses(attrs=None, where=None) Return interface_addresses information from osquery CLI Example: salt '*' osquery.interface_addresses salt.modules.osquery.interface_details(attrs=None, where=None) Return interface_details information from osquery CLI Example: salt '*' osquery.interface_details salt.modules.osquery.iokit_devicetree(attrs=None, where=None) Return iokit_devicetree information from osquery CLI Example: salt '*' osquery.iokit_devicetree salt.modules.osquery.iokit_registry(attrs=None, where=None) Return iokit_registry information from osquery CLI Example: salt '*' osquery.iokit_registry salt.modules.osquery.kernel_extensions(attrs=None, where=None) Return kernel_extensions information from osquery CLI Example: salt '*' osquery.kernel_extensions salt.modules.osquery.kernel_info(attrs=None, where=None) Return kernel_info information from osquery CLI Example: salt '*' osquery.kernel_info salt.modules.osquery.kernel_integrity(attrs=None, where=None) Return kernel_integrity information from osquery CLI Example: salt '*' osquery.kernel_integrity salt.modules.osquery.kernel_modules(attrs=None, where=None) Return kernel_modules information from osquery CLI Example: salt '*' osquery.kernel_modules salt.modules.osquery.keychain_items(attrs=None, where=None) Return keychain_items information from osquery CLI Example: salt '*' osquery.keychain_items salt.modules.osquery.last(attrs=None, where=None) Return last information from osquery CLI Example: salt '*' osquery.last salt.modules.osquery.launchd(attrs=None, where=None) Return launchd information from osquery CLI Example: salt '*' osquery.launchd salt.modules.osquery.listening_ports(attrs=None, where=None) Return listening_ports information from osquery CLI Example: salt '*' osquery.listening_ports salt.modules.osquery.logged_in_users(attrs=None, where=None) Return logged_in_users information from osquery CLI Example: salt '*' osquery.logged_in_users salt.modules.osquery.memory_map(attrs=None, where=None) Return memory_map information from osquery CLI Example: salt '*' osquery.memory_map salt.modules.osquery.mounts(attrs=None, where=None) Return mounts information from osquery CLI Example: salt '*' osquery.mounts salt.modules.osquery.nfs_shares(attrs=None, where=None) Return nfs_shares information from osquery CLI Example: salt '*' osquery.nfs_shares salt.modules.osquery.nvram(attrs=None, where=None) Return nvram information from osquery CLI Example: salt '*' osquery.nvram salt.modules.osquery.os_version(attrs=None, where=None) Return os_version information from osquery CLI Example: salt '*' osquery.os_version salt.modules.osquery.osquery_extensions(attrs=None, where=None) Return osquery_extensions information from osquery CLI Example: salt '*' osquery.osquery_extensions salt.modules.osquery.osquery_flags(attrs=None, where=None) Return osquery_flags information from osquery CLI Example: salt '*' osquery.osquery_flags salt.modules.osquery.osquery_info(attrs=None, where=None) Return osquery_info information from osquery CLI Example: salt '*' osquery.osquery_info salt.modules.osquery.osquery_registry(attrs=None, where=None) Return osquery_registry information from osquery CLI Example: salt '*' osquery.osquery_registry salt.modules.osquery.passwd_changes(attrs=None, where=None) Return passwd_changes information from osquery CLI Example: salt '*' osquery.passwd_changes salt.modules.osquery.pci_devices(attrs=None, where=None) Return pci_devices information from osquery CLI Example: salt '*' osquery.pci_devices salt.modules.osquery.preferences(attrs=None, where=None) Return preferences information from osquery CLI Example: salt '*' osquery.preferences salt.modules.osquery.process_envs(attrs=None, where=None) Return process_envs information from osquery CLI Example: salt '*' osquery.process_envs salt.modules.osquery.process_memory_map(attrs=None, where=None) Return process_memory_map information from osquery CLI Example: salt '*' osquery.process_memory_map salt.modules.osquery.process_open_files(attrs=None, where=None) Return process_open_files information from osquery CLI Example: salt '*' osquery.process_open_files salt.modules.osquery.process_open_sockets(attrs=None, where=None) Return process_open_sockets information from osquery CLI Example: salt '*' osquery.process_open_sockets salt.modules.osquery.processes(attrs=None, where=None) Return processes information from osquery CLI Example: salt '*' osquery.processes salt.modules.osquery.quarantine(attrs=None, where=None) Return quarantine information from osquery CLI Example: salt '*' osquery.quarantine salt.modules.osquery.query(sql=None) Return time information from osquery CLI Example: salt '*' osquery.query "select * from users;" salt.modules.osquery.routes(attrs=None, where=None) Return routes information from osquery CLI Example: salt '*' osquery.routes salt.modules.osquery.rpm_packages(attrs=None, where=None) Return cpuid information from osquery CLI Example: salt '*' osquery.rpm_packages salt.modules.osquery.safari_extensions(attrs=None, where=None) Return safari_extensions information from osquery CLI Example: salt '*' osquery.safari_extensions salt.modules.osquery.shared_memory(attrs=None, where=None) Return shared_memory information from osquery CLI Example: salt '*' osquery.shared_memory salt.modules.osquery.shell_history(attrs=None, where=None) Return shell_history information from osquery CLI Example: salt '*' osquery.shell_history salt.modules.osquery.smbios_tables(attrs=None, where=None) Return smbios_tables information from osquery CLI Example: salt '*' osquery.smbios_tables salt.modules.osquery.startup_items(attrs=None, where=None) Return startup_items information from osquery CLI Example: salt '*' osquery.startup_items salt.modules.osquery.suid_bin(attrs=None, where=None) Return suid_bin information from osquery CLI Example: salt '*' osquery.suid_bin salt.modules.osquery.system_controls(attrs=None, where=None) Return system_controls information from osquery CLI Example: salt '*' osquery.system_controls salt.modules.osquery.time(attrs=None) Return time information from osquery CLI Example: salt '*' osquery.time salt.modules.osquery.usb_devices(attrs=None, where=None) Return usb_devices information from osquery CLI Example: salt '*' osquery.usb_devices salt.modules.osquery.users(attrs=None, where=None) Return users information from osquery CLI Example: salt '*' osquery.users salt.modules.osquery.version() Return version of osquery CLI Example: salt '*' osquery.version salt.modules.osquery.xattr_where_from(attrs=None, where=None) Return xattr_where_from information from osquery CLI Example: salt '*' osquery.xattr_where_from salt.modules.osquery.xprotect_entries(attrs=None, where=None) Return xprotect_entries information from osquery CLI Example: salt '*' osquery.xprotect_entries salt.modules.osquery.xprotect_reports(attrs=None, where=None) Return xprotect_reports information from osquery CLI Example: salt '*' osquery.xprotect_reports salt.modules.osxdesktop Mac OS X implementations of various commands in the "desktop" interface salt.modules.osxdesktop.get_output_volume() Get the output volume (range 0 to 100) CLI Example: salt '*' desktop.get_output_volume salt.modules.osxdesktop.lock() Lock the desktop session CLI Example: salt '*' desktop.lock salt.modules.osxdesktop.say(*words) Say some words. CLI Example: salt '*' desktop.say <word0> <word1> ... <wordN> salt.modules.osxdesktop.screensaver() Launch the screensaver CLI Example: salt '*' desktop.screensaver salt.modules.osxdesktop.set_output_volume(volume) Set the volume of sound (range 0 to 100) CLI Example: salt '*' desktop.set_output_volume <volume> salt.modules.pacman A module to wrap pacman calls, since Arch is the best (‐ https://wiki.archlinux.org/index.php/Arch_is_the_best) salt.modules.pacman.file_dict(*packages) List the files that belong to a package, grouped by package. Not specifying any packages will return a list of _every_ file on the system's package database (not generally recommended). CLI Examples: salt '*' pkg.file_list httpd salt '*' pkg.file_list httpd postfix salt '*' pkg.file_list salt.modules.pacman.file_list(*packages) List the files that belong to a package. Not specifying any packages will return a list of _every_ file on the system's package database (not generally recommended). CLI Examples: salt '*' pkg.file_list httpd salt '*' pkg.file_list httpd postfix salt '*' pkg.file_list salt.modules.pacman.install(name=None, refresh=False, sysupgrade=False, pkgs=None, sources=None, **kwargs) Install (pacman -S) the passed package, add refresh=True to install with -y, add sysupgrade=True to install with -u. name The name of the package to be installed. Note that this parameter is ignored if either "pkgs" or "sources" is passed. Additionally, please note that this option can only be used to install packages from a software repository. To install a package file manually, use the "sources" option. CLI Example: salt '*' pkg.install <package name> refresh Whether or not to refresh the package database before installing. sysupgrade Whether or not to upgrade the system packages before installing. Multiple Package Installation Options: pkgs A list of packages to install from a software repository. Must be passed as a python list. A specific version number can be specified by using a single-element dict representing the package and its version. As with the version parameter above, comparison operators can be used to target a specific version of a package. CLI Examples: salt '*' pkg.install pkgs='["foo", "bar"]' salt '*' pkg.install pkgs='["foo", {"bar": "1.2.3-4"}]' salt '*' pkg.install pkgs='["foo", {"bar": "<1.2.3-4"}]' sources A list of packages to install. Must be passed as a list of dicts, with the keys being package names, and the values being the source URI or local path to the package. CLI Example: salt '*' pkg.install sources='[{"foo": "salt://foo.pkg.tar.xz"}, {"bar": "salt://bar.pkg.tar.xz"}]' Returns a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} salt.modules.pacman.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation. If more than one package name is specified, a dict of name/version pairs is returned. If the latest version of a given package is already installed, an empty string will be returned for that package. CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> <package3> ... salt.modules.pacman.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed as a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt.modules.pacman.list_upgrades(refresh=False) List all available package upgrades on this system CLI Example: salt '*' pkg.list_upgrades salt.modules.pacman.owner(*paths) New in version 2014.7.0. Return the name of the package that owns the file. Multiple file paths can be passed. Like pkg.version <salt.modules.yumpkg.version, if a single path is passed, a string will be returned, and if multiple paths are passed, a dictionary of file/package name pairs will be returned. If the file is not owned by a package, or is not present on the minion, then an empty string will be returned for that path. CLI Example: salt '*' pkg.owner /usr/bin/apachectl salt '*' pkg.owner /usr/bin/apachectl /usr/bin/zsh salt.modules.pacman.purge(name=None, pkgs=None, **kwargs) Recursively remove a package and all dependencies which were installed with it, this will call a pacman -Rsc name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.purge <package name> salt '*' pkg.purge <package1>,<package2>,<package3> salt '*' pkg.purge pkgs='["foo", "bar"]' salt.modules.pacman.refresh_db() Just run a pacman -Sy, return a dict: {'<database name>': Bool} CLI Example: salt '*' pkg.refresh_db salt.modules.pacman.remove(name=None, pkgs=None, **kwargs) Remove packages with pacman -R. name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.pacman.upgrade(refresh=False, **kwargs) Run a full system upgrade, a pacman -Syu refresh Whether or not to refresh the package database before installing. Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.upgrade salt.modules.pacman.upgrade_available(name) Check whether or not an upgrade is available for a given package CLI Example: salt '*' pkg.upgrade_available <package name> salt.modules.pacman.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.pagerduty Module for Firing Events via PagerDuty New in version 2014.1.0. configuration This module can be used by specifying the name of a configuration profile in the minion config, minion pillar, or master config. For example: my-pagerduty-account: pagerduty.api_key: F3Rbyjbve43rfFWf2214 pagerduty.subdomain: mysubdomain salt.modules.pagerduty.create_event(service_key=None, description=None, details=None, incident_key=None, profile=None) Create an event in PagerDuty. Designed for use in states. CLI Example: salt myminion pagerduty.create_event <service_key> <description> <details> profile=my-pagerduty-account The following parameters are required: service_key This key can be found by using pagerduty.list_services. description This is a short description of the event. details This can be a more detailed description of the event. profile This refers to the configuration profile to use to connect to the PagerDuty service. salt.modules.pagerduty.list_escalation_policies(profile=None, api_key=None) This function is an alias of list_policies. List escalation policies belonging to this account CLI Example: salt myminion pagerduty.list_policies my-pagerduty-account salt myminion pagerduty.list_escalation_policies my-pagerduty-account salt.modules.pagerduty.list_incidents(profile=None, api_key=None) List incidents belonging to this account CLI Example: salt myminion pagerduty.list_incidents my-pagerduty-account salt.modules.pagerduty.list_maintenance_windows(profile=None, api_key=None) This function is an alias of list_windows. List maintenance windows belonging to this account CLI Example: salt myminion pagerduty.list_windows my-pagerduty-account salt myminion pagerduty.list_maintenance_windows my-pagerduty-account salt.modules.pagerduty.list_policies(profile=None, api_key=None) List escalation policies belonging to this account CLI Example: salt myminion pagerduty.list_policies my-pagerduty-account salt myminion pagerduty.list_escalation_policies my-pagerduty-account salt.modules.pagerduty.list_schedules(profile=None, api_key=None) List schedules belonging to this account CLI Example: salt myminion pagerduty.list_schedules my-pagerduty-account salt.modules.pagerduty.list_services(profile=None, api_key=None) List services belonging to this account CLI Example: salt myminion pagerduty.list_services my-pagerduty-account salt.modules.pagerduty.list_users(profile=None, api_key=None) List users belonging to this account CLI Example: salt myminion pagerduty.list_users my-pagerduty-account salt.modules.pagerduty.list_windows(profile=None, api_key=None) List maintenance windows belonging to this account CLI Example: salt myminion pagerduty.list_windows my-pagerduty-account salt myminion pagerduty.list_maintenance_windows my-pagerduty-account salt.modules.pagerduty_util Module for manageing PagerDuty resource configuration This module can be used by specifying the name of a configuration profile in the minion config, minion pillar, or master config. The default configuration profile name is 'pagerduty.' For example: pagerduty: pagerduty.api_key: F3Rbyjbve43rfFWf2214 pagerduty.subdomain: mysubdomain For PagerDuty API details, see https://developer.pagerduty.com/documentation/rest salt.modules.pagerduty_util.create_or_update_resource(resource_name, identifier_fields, data, diff=None, profile='pagerduty', subdomain=None, api_key=None) create or update any pagerduty resource Helper method for present(). Determining if two resources are the same is different for different PD resource, so this method accepts a diff function. The diff function will be invoked as diff(state_information, object_returned_from_pagerduty), and should return a dict of data to pass to the PagerDuty update API method, or None if no update is to be performed. If no diff method is provided, the default behavor is to scan the keys in the state_information, comparing the matching values in the object_returned_from_pagerduty, and update any values that differ. examples: create_or_update_resource("user", ["id","name","email"]) create_or_update_resource("escalation_policies", ["id","name"], diff=my_diff_function) salt.modules.pagerduty_util.delete_resource(resource_name, key, identifier_fields, profile='pagerduty', subdomain=None, api_key=None) delete any pagerduty resource Helper method for absent() example: delete_resource("users", key, ["id","name","email"]) # delete by id or name or email salt.modules.pagerduty_util.get_escalation_policies(profile='pagerduty', subdomain=None, api_key=None) List escalation_policies belonging to this account CLI Example: salt myminion pagerduty.get_escalation_policies salt.modules.pagerduty_util.get_resource(resource_name, key, identifier_fields, profile='pagerduty', subdomain=None, api_key=None) Get any single pagerduty resource by key. We allow flexible lookup by any of a list of identifier_fields. So, for example, you can look up users by email address or name by calling: get_resource('users', key, ['name', 'email'], ...) This method is mainly used to translate state sls into pagerduty id's for dependent objects. For example, a pagerduty escalation policy contains one or more schedules, which must be passed by their pagerduty id. We look up the schedules by name (using this method), and then translate the names into id's. This method is implemented by getting all objects of the resource type (cached into __context__), then brute force searching through the list and trying to match any of the identifier_fields. The __context__ cache is purged after any create, update or delete to the resource. salt.modules.pagerduty_util.get_schedules(profile='pagerduty', subdomain=None, api_key=None) List schedules belonging to this account CLI Example: salt myminion pagerduty.get_schedules salt.modules.pagerduty_util.get_services(profile='pagerduty', subdomain=None, api_key=None) List services belonging to this account CLI Example: salt myminion pagerduty.get_services salt.modules.pagerduty_util.get_users(profile='pagerduty', subdomain=None, api_key=None) List users belonging to this account CLI Example: salt myminion pagerduty.get_users salt.modules.pagerduty_util.resource_absent(resource, identifier_fields, profile='pagerduty', subdomain=None, api_key=None, **kwargs) Generic resource.absent state method. Pagerduty state modules should be a thin wrapper over this method, with a custom diff function. This method calls delete_resource() and formats the result as a salt state return value. example: resource_absent("users", ["id","name","email"]) salt.modules.pagerduty_util.resource_present(resource, identifier_fields, diff=None, profile='pagerduty', subdomain=None, api_key=None, **kwargs) Generic resource.present state method. Pagerduty state modules should be a thin wrapper over this method, with a custom diff function. This method calls create_or_update_resource() and formats the result as a salt state return value. example: resource_present("users", ["id","name","email"]) salt.modules.pam Support for pam salt.modules.pam.read_file(file_name) This is just a test function, to make sure parsing works CLI Example: salt '*' pam.read_file /etc/pam.d/login salt.modules.parted Module for managing partitions on POSIX-like systems. depends • parted, partprobe, lsblk (usually parted and util-linux packages) Some functions may not be available, depending on your version of parted. Check the manpage for parted(8) for more information, or the online docs at: http://www.gnu.org/software/parted/manual/html_chapter/parted_2.html In light of parted not directly supporting partition IDs, some of this module has been written to utilize sfdisk instead. For further information, please reference the man page for sfdisk(8). salt.modules.parted.align_check(device, part_type, partition) Check if partition satisfies the alignment constraint of part_type. Type must be "minimal" or "optimal". CLI Example: salt '*' partition.align_check /dev/sda minimal 1 salt.modules.parted.check(device, minor) Checks if the file system on partition <minor> has any errors. CLI Example: salt '*' partition.check 1 salt.modules.parted.cp(device, from_minor, to_minor) Copies the file system on the partition <from-minor> to partition <to-minor>, deleting the original contents of the destination partition. CLI Example: salt '*' partition.cp /dev/sda 2 3 salt.modules.parted.exists(device='') Check to see if the partition exists CLI Example: salt '*' partition.exists /dev/sdb1 salt.modules.parted.get_block_device() Retrieve a list of disk devices New in version 2014.7.0. CLI Example: salt '*' partition.get_block_device salt.modules.parted.get_id(device, minor) Prints the system ID for the partition. Some typical values are: b: FAT32 (vfat) 7: HPFS/NTFS 82: Linux Swap 83: Linux 8e: Linux LVM fd: Linux RAID Auto CLI Example: salt '*' partition.get_id /dev/sda 1 salt.modules.parted.list(device, unit=None) Prints partition information of given <device> CLI Examples: salt '*' partition.list /dev/sda salt '*' partition.list /dev/sda unit=s salt '*' partition.list /dev/sda unit=kB salt.modules.parted.mkfs(device, fs_type) Makes a file system <fs_type> on partition <device>, destroying all data that resides on that partition. <fs_type> must be one of "ext2", "fat32", "fat16", "linux-swap" or "reiserfs" (if libreiserfs is installed) CLI Example: salt '*' partition.mkfs /dev/sda2 fat32 salt.modules.parted.mklabel(device, label_type) Create a new disklabel (partition table) of label_type. Type should be one of "aix", "amiga", "bsd", "dvh", "gpt", "loop", "mac", "msdos", "pc98", or "sun". CLI Example: salt '*' partition.mklabel /dev/sda msdos salt.modules.parted.mkpart(device, part_type, fs_type=None, start=None, end=None) Make a part_type partition for filesystem fs_type, beginning at start and ending at end (by default in megabytes). part_type should be one of "primary", "logical", or "extended". CLI Examples: salt '*' partition.mkpart /dev/sda primary fs_type=fat32 start=0 end=639 salt '*' partition.mkpart /dev/sda primary start=0 end=639 salt.modules.parted.mkpartfs(device, part_type, fs_type, start, end) Make a <part_type> partition with a new filesystem of <fs_type>, beginning at <start> and ending at <end> (by default in megabytes). <part_type> should be one of "primary", "logical", or "extended". <fs_type> must be one of "ext2", "fat32", "fat16", "linux-swap" or "reiserfs" (if libreiserfs is installed) CLI Example: salt '*' partition.mkpartfs /dev/sda logical ext2 440 670 salt.modules.parted.name(device, partition, name) Set the name of partition to name. This option works only on Mac, PC98, and GPT disklabels. The name can be placed in quotes, if necessary. CLI Example: salt '*' partition.name /dev/sda 1 'My Documents' salt.modules.parted.probe(*devices) Ask the kernel to update its local partition data. When no args are specified all block devices are tried. Caution: Generally only works on devices with no mounted partitions and may take a long time to return if specified devices are in use. CLI Examples: salt '*' partition.probe salt '*' partition.probe /dev/sda salt '*' partition.probe /dev/sda /dev/sdb salt.modules.parted.rescue(device, start, end) Rescue a lost partition that was located somewhere between start and end. If a partition is found, parted will ask if you want to create an entry for it in the partition table. CLI Example: salt '*' partition.rescue /dev/sda 0 8056 salt.modules.parted.resize(device, minor, start, end) Resizes the partition with number <minor>. The partition will start <start> from the beginning of the disk, and end <end> from the beginning of the disk. resize never changes the minor number. Extended partitions can be resized, so long as the new extended partition completely contains all logical partitions. CLI Example: salt '*' partition.resize /dev/sda 3 200 850 salt.modules.parted.rm(device, minor) Removes the partition with number <minor>. CLI Example: salt '*' partition.rm /dev/sda 5 salt.modules.parted.set(device, minor, flag, state) Changes a flag on the partition with number <minor>. A flag can be either "on" or "off". Some or all of these flags will be available, depending on what disk label you are using. CLI Example: salt '*' partition.set /dev/sda 1 boot on salt.modules.parted.set_id(device, minor, system_id) Sets the system ID for the partition. Some typical values are: b: FAT32 (vfat) 7: HPFS/NTFS 82: Linux Swap 83: Linux 8e: Linux LVM fd: Linux RAID Auto CLI Example: salt '*' partition.set_id /dev/sda 1 83 salt.modules.parted.system_types() List the system types that are supported by the installed version of sfdisk CLI Example: salt '*' partition.system_types salt.modules.parted.toggle(device, partition, flag) Toggle the state of <flag> on <partition> CLI Example: salt '*' partition.name /dev/sda 1 boot salt.modules.pecl Manage PHP pecl extensions. salt.modules.pecl.install(pecls, defaults=False, force=False, preferred_state='stable') New in version 0.17.0. Installs one or several pecl extensions. pecls The pecl extensions to install. defaults Use default answers for extensions such as pecl_http which ask questions before installation. Without this option, the pecl.installed state will hang indefinitely when trying to install these extensions. force Whether to force the installed version or not CLI Example: salt '*' pecl.install fuse salt.modules.pecl.list(channel=None) List installed pecl extensions. CLI Example: salt '*' pecl.list salt.modules.pecl.uninstall(pecls) Uninstall one or several pecl extensions. pecls The pecl extensions to uninstall. CLI Example: salt '*' pecl.uninstall fuse salt.modules.pecl.update(pecls) Update one or several pecl extensions. pecls The pecl extensions to update. CLI Example: salt '*' pecl.update fuse salt.modules.pillar Extract the pillar data for this minion salt.modules.pillar.ext(external, pillar=None) Generate the pillar and apply an explicit external pillar CLI Example: pillar None If specified, allows for a dictionary of pillar data to be made available to pillar and ext_pillar rendering. These pillar variables will also override any variables of the same name in pillar or ext_pillar. New in version 2015.5.0. salt '*' pillar.ext '{libvirt: _}' salt.modules.pillar.get(key, default=<type 'exceptions.KeyError'>, merge=False, delimiter=':') New in version 0.14. Attempt to retrieve the named value from pillar, if the named value is not available return the passed default. The default return is an empty string except __opts__['pillar_raise_on_missing'] is set to True, in which case a KeyError will be raised. If the merge parameter is set to True, the default will be recursively merged into the returned pillar data. The value can also represent a value in a nested dict using a ":" delimiter for the dict. This means that if a dict in pillar looks like this: {'pkg': {'apache': 'httpd'}} To retrieve the value associated with the apache key in the pkg dict this key can be passed: pkg:apache merge Specify whether or not the retrieved values should be recursively merged into the passed default. New in version 2014.7.0. delimiter Specify an alternate delimiter to use when traversing a nested dict New in version 2014.7.0. CLI Example: salt '*' pillar.get pkg:apache salt.modules.pillar.item(*args, **kwargs) New in version 0.16.2. Return one or more pillar entries pillar none if specified, allows for a dictionary of pillar data to be made available to pillar and ext_pillar rendering. these pillar variables will also override any variables of the same name in pillar or ext_pillar. New in version 2015.5.0. CLI Examples: salt '*' pillar.item foo salt '*' pillar.item foo bar baz salt.modules.pillar.items(*args, **kwargs) Calls the master for a fresh pillar and generates the pillar data on the fly Contrast with raw() which returns the pillar data that is currently loaded into the minion. pillar none if specified, allows for a dictionary of pillar data to be made available to pillar and ext_pillar rendering. these pillar variables will also override any variables of the same name in pillar or ext_pillar. New in version 2015.5.0. CLI Example: salt '*' pillar.items salt.modules.pillar.keys(key, delimiter=':') New in version 2015.8.0. Attempt to retrieve a list of keys from the named value from the pillar. The value can also represent a value in a nested dict using a ":" delimiter for the dict, similar to how pillar.get works. delimiter Specify an alternate delimiter to use when traversing a nested dict CLI Example: salt '*' pillar.keys web:sites salt.modules.pillar.ls(*args) New in version 2015.8.0. Calls the master for a fresh pillar, generates the pillar data on the fly (same as items()), but only shows the available main keys. CLI Examples: salt '*' pillar.ls salt.modules.pillar.obfuscate(*args) New in version 2015.8.0. Same as items(), but replace pillar values with a simple type indication. This is useful to avoid displaying sensitive information on console or flooding the console with long output, such as certificates. For many debug or control purposes, the stakes lie more in dispatching than in actual values. In case the value is itself a collection type, obfuscation occurs within the value. For mapping types, keys are not obfuscated. Here are some examples: • 'secret password' becomes '<str>' • ['secret', 1] becomes ['<str>', '<int>'] • {'login': 'somelogin', 'pwd': 'secret'} becomes {'login': '<str>', 'pwd': '<str>'} CLI Examples: salt '*' pillar.obfuscate salt.modules.pillar.raw(key=None) Return the raw pillar data that is currently loaded into the minion. Contrast with items() which calls the master to fetch the most up-to-date Pillar. CLI Example: salt '*' pillar.raw With the optional key argument, you can select a subtree of the pillar raw data.: salt '*' pillar.raw key='roles' salt.modules.pip Install Python packages with pip to either the system or a virtualenv Windows Support New in version 2014.7.4. Salt now uses a portable python. As a result the entire pip module is now functional on the salt installation itself. You can pip install dependencies for your custom modules. You can even upgrade salt itself using pip. For this to work properly, you must specify the Current Working Directory (cwd) and the Pip Binary (bin_env) salt should use. The variable pip_bin can be either a virtualenv path or the path to the pip binary itself. For example, the following command will list all software installed using pip to your current salt environment: salt <minion> pip.list cwd='C:\salt\bin\Scripts' bin_env='C:\salt\bin\Scripts\pip.exe' Specifying the cwd and bin_env options ensures you're modifying the salt environment. If these are omitted, it will default to the local installation of python. If python is not installed locally it will fail saying it couldn't find pip. State File Support This functionality works in states as well. If you need to pip install colorama with a state, for example, the following will work: install_colorama: pip.installed: - name: colorama - cwd: 'C:\salt\bin\scripts' - bin_env: 'C:\salt\bin\scripts\pip.exe' - upgrade: True Upgrading Salt using Pip You can now update salt using pip to any version from the 2014.7 branch forward. Previous version require recompiling some of the dependencies which is painful in windows. To do this you just use pip with git to update to the version you want and then restart the service. Here is a sample state file that upgrades salt to the head of the 2015.5 branch: install_salt: pip.installed: - cwd: 'C:\salt\bin\scripts' - bin_env: 'C:\salt\bin\scripts\pip.exe' - editable: git+https://github.com/saltstack/salt@2015.5#egg=salt - upgrade: True restart_service: service.running: - name: salt-minion - enable: True - watch: - pip: install_salt NOTE: If you're having problems, you might try doubling the back slashes. For example, cwd: 'C:\salt\bin\scripts'. Sometimes python thinks the single back slash is an escape character. salt.modules.pip.freeze(bin_env=None, user=None, cwd=None, use_vt=False) Return a list of installed packages either globally or in the specified virtualenv bin_env path to pip bin or path to virtualenv. If doing an uninstall from the system python and want to use a specific pip bin (pip-2.7, pip-2.6, etc..) just specify the pip bin you want. If uninstalling from a virtualenv, just use the path to the virtualenv (/home/code/path/to/virtualenv/) user The user under which to run pip cwd Current working directory to run pip from CLI Example: salt '*' pip.freeze /home/code/path/to/virtualenv/ salt.modules.pip.install(pkgs=None, requirements=None, env=None, bin_env=None, use_wheel=False, no_use_wheel=False, log=None, proxy=None, timeout=None, editable=None, find_links=None, index_url=None, extra_index_url=None, no_index=False, mirrors=None, build=None, target=None, download=None, download_cache=None, source=None, upgrade=False, force_reinstall=False, ignore_installed=False, exists_action=None, no_deps=False, no_install=False, no_download=False, global_options=None, install_options=None, user=None, no_chown=False, cwd=None, activate=False, pre_releases=False, cert=None, allow_all_external=False, allow_external=None, allow_unverified=None, process_dependency_links=False, __env__=None, saltenv='base', env_vars=None, use_vt=False, trusted_host=None) Install packages with pip Install packages individually or from a pip requirements file. Install packages globally or to a virtualenv. pkgs Comma separated list of packages to install requirements Path to requirements bin_env Path to pip bin or path to virtualenv. If doing a system install, and want to use a specific pip bin (pip-2.7, pip-2.6, etc..) just specify the pip bin you want. NOTE: If installing into a virtualenv, just use the path to the virtualenv (e.g. /home/code/path/to/virtualenv/) env Deprecated, use bin_env now use_wheel Prefer wheel archives (requires pip>=1.4) no_use_wheel Force to not use wheel archives (requires pip>=1.4) log Log file where a complete (maximum verbosity) record will be kept proxy Specify a proxy in the form user:passwd@proxy.server:port. Note that the user:password@ is optional and required only if you are behind an authenticated proxy. If you provide user@proxy.server:port then you will be prompted for a password. timeout Set the socket timeout (default 15 seconds) editable install something editable (e.g. git+https://github.com/worldcompany/djangoembed.git#egg=djangoembed) find_links URL to search for packages index_url Base URL of Python Package Index extra_index_url Extra URLs of package indexes to use in addition to index_url no_index Ignore package index mirrors Specific mirror URL(s) to query (automatically adds --use-mirrors) build Unpack packages into build dir target Install packages into target dir download Download packages into download instead of installing them download_cache Cache downloaded packages in download_cache dir source Check out editable packages into source dir upgrade Upgrade all packages to the newest available version force_reinstall When upgrading, reinstall all packages even if they are already up-to-date. ignore_installed Ignore the installed packages (reinstalling instead) exists_action Default action when a path already exists: (s)witch, (i)gnore, (w)ipe, (b)ackup no_deps Ignore package dependencies no_install Download and unpack all packages, but don't actually install them no_download Don't download any packages, just install the ones already downloaded (completes an install run with --no-install) install_options Extra arguments to be supplied to the setup.py install command (e.g. like --install-option='--install-scripts=/usr/local/bin'). Use multiple --install-option options to pass multiple options to setup.py install. If you are using an option with a directory path, be sure to use absolute path. global_options Extra global options to be supplied to the setup.py call before the install command. user The user under which to run pip no_chown When user is given, do not attempt to copy and chown a requirements file cwd Current working directory to run pip from activate Activates the virtual environment, if given via bin_env, before running install. Deprecated since version 2014.7.2: If bin_env is given, pip will already be sourced from that virualenv, making activate effectively a noop. pre_releases Include pre-releases in the available versions cert Provide a path to an alternate CA bundle allow_all_external Allow the installation of all externally hosted files allow_external Allow the installation of externally hosted files (comma separated list) allow_unverified Allow the installation of insecure and unverifiable files (comma separated list) process_dependency_links Enable the processing of dependency links env_vars Set environment variables that some builds will depend on. For example, a Python C-module may have a Makefile that needs INCLUDE_PATH set to pick up a header file while compiling. This must be in the form of a dictionary or a mapping. Example: salt '*' pip.install django_app env_vars="{'CUSTOM_PATH': '/opt/django_app'}" trusted_host Mark this host as trusted, even though it does not have valid or any HTTPS. use_vt Use VT terminal emulation (see ouptut while installing) CLI Example: salt '*' pip.install <package name>,<package2 name> salt '*' pip.install requirements=/path/to/requirements.txt salt '*' pip.install <package name> bin_env=/path/to/virtualenv salt '*' pip.install <package name> bin_env=/path/to/pip_bin Complicated CLI example: salt '*' pip.install markdown,django editable=git+https://github.com/worldcompany/djangoembed.git#egg=djangoembed upgrade=True no_deps=True salt.modules.pip.list(prefix=None, bin_env=None, user=None, cwd=None) Filter list of installed apps from freeze and check to see if prefix exists in the list of packages installed. CLI Example: salt '*' pip.list salt salt.modules.pip.list_upgrades(bin_env=None, user=None, cwd=None) Check whether or not an upgrade is available for all packages CLI Example: salt '*' pip.list_upgrades salt.modules.pip.uninstall(pkgs=None, requirements=None, bin_env=None, log=None, proxy=None, timeout=None, user=None, no_chown=False, cwd=None, __env__=None, saltenv='base', use_vt=False) Uninstall packages with pip Uninstall packages individually or from a pip requirements file. Uninstall packages globally or from a virtualenv. pkgs comma separated list of packages to install requirements path to requirements. bin_env path to pip bin or path to virtualenv. If doing an uninstall from the system python and want to use a specific pip bin (pip-2.7, pip-2.6, etc..) just specify the pip bin you want. If uninstalling from a virtualenv, just use the path to the virtualenv (/home/code/path/to/virtualenv/) log Log file where a complete (maximum verbosity) record will be kept proxy Specify a proxy in the form user:passwd@proxy.server:port. Note that the user:password@ is optional and required only if you are behind an authenticated proxy. If you provide user@proxy.server:port then you will be prompted for a password. timeout Set the socket timeout (default 15 seconds) user The user under which to run pip no_chown When user is given, do not attempt to copy and chown a requirements file (needed if the requirements file refers to other files via relative paths, as the copy-and-chown procedure does not account for such files) cwd Current working directory to run pip from use_vt Use VT terminal emulation (see ouptut while installing) CLI Example: salt '*' pip.uninstall <package name>,<package2 name> salt '*' pip.uninstall requirements=/path/to/requirements.txt salt '*' pip.uninstall <package name> bin_env=/path/to/virtualenv salt '*' pip.uninstall <package name> bin_env=/path/to/pip_bin salt.modules.pip.upgrade(bin_env=None, user=None, cwd=None, use_vt=False) New in version 2015.5.0. Upgrades outdated pip packages Returns a dict containing the changes. {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pip.upgrade salt.modules.pip.upgrade_available(pkg, bin_env=None, user=None, cwd=None) New in version 2015.5.0. Check whether or not an upgrade is available for a given package CLI Example: salt '*' pip.upgrade_available <package name> salt.modules.pip.version(bin_env=None) New in version 0.17.0. Returns the version of pip. Use bin_env to specify the path to a virtualenv and get the version of pip in that virtualenv. If unable to detect the pip version, returns None. CLI Example: salt '*' pip.version salt.modules.pkg_resource Resources needed by pkg providers salt.modules.pkg_resource.add_pkg(pkgs, name, pkgver) Add a package to a dict of installed packages. CLI Example: salt '*' pkg_resource.add_pkg '{}' bind 9 salt.modules.pkg_resource.check_extra_requirements(pkgname, pkgver) Check if the installed package already has the given requirements. This function will return the result of pkg.check_extra_requirements if this function exists for the minion, otherwise it will return True. CLI Example: salt '*' pkg_resource.check_extra_requirements <pkgname> <extra_requirements> salt.modules.pkg_resource.pack_sources(sources, normalize=True) Accepts list of dicts (or a string representing a list of dicts) and packs the key/value pairs into a single dict. '[{"foo": "salt://foo.rpm"}, {"bar": "salt://bar.rpm"}]' would become {"foo": "salt://foo.rpm", "bar": "salt://bar.rpm"} normalize True Normalize the package name by removing the architecture, if the architecture of the package is different from the architecture of the operating system. The ability to disable this behavior is useful for poorly-created packages which include the architecture as an actual part of the name, such as kernel modules which match a specific kernel version. New in version 2015.8.0. CLI Example: salt '*' pkg_resource.pack_sources '[{"foo": "salt://foo.rpm"}, {"bar": "salt://bar.rpm"}]' salt.modules.pkg_resource.parse_targets(name=None, pkgs=None, sources=None, saltenv='base', normalize=True, **kwargs) Parses the input to pkg.install and returns back the package(s) to be installed. Returns a list of packages, as well as a string noting whether the packages are to come from a repository or a binary package. CLI Example: salt '*' pkg_resource.parse_targets salt.modules.pkg_resource.sort_pkglist(pkgs) Accepts a dict obtained from pkg.list_pkgs() and sorts in place the list of versions for any packages that have multiple versions installed, so that two package lists can be compared to one another. CLI Example: salt '*' pkg_resource.sort_pkglist '["3.45", "2.13"]' salt.modules.pkg_resource.stringify(pkgs) Takes a dict of package name/version information and joins each list of installed versions into a string. CLI Example: salt '*' pkg_resource.stringify 'vim: 7.127' salt.modules.pkg_resource.version(*names, **kwargs) Common interface for obtaining the version of installed packages. CLI Example: salt '*' pkg_resource.version vim salt '*' pkg_resource.version foo bar baz salt '*' pkg_resource.version 'python*' salt.modules.pkg_resource.version_clean(verstr) Clean the version string removing extra data. This function will simply try to call pkg.version_clean. CLI Example: salt '*' pkg_resource.version_clean <version_string> salt.modules.pkgin Package support for pkgin based systems, inspired from freebsdpkg module salt.modules.pkgin.available_version(*names, **kwargs) This function is an alias of latest_version. Return the latest version of the named package available for upgrade or installation. If the latest version of a given package is already installed, an empty string will be returned for that package. CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> ... salt.modules.pkgin.file_dict(package) List the files that belong to a package. CLI Examples: salt '*' pkg.file_list nginx salt.modules.pkgin.file_list(package) List the files that belong to a package. CLI Examples: salt '*' pkg.file_list nginx salt.modules.pkgin.install(name=None, refresh=False, fromrepo=None, pkgs=None, sources=None, **kwargs) Install the passed package name The name of the package to be installed. refresh Whether or not to refresh the package database before installing. fromrepo Specify a package repository to install from. Multiple Package Installation Options: pkgs A list of packages to install from a software repository. Must be passed as a python list. CLI Example: salt '*' pkg.install pkgs='["foo","bar"]' sources A list of packages to install. Must be passed as a list of dicts, with the keys being package names, and the values being the source URI or local path to the package. CLI Example: salt '*' pkg.install sources='[{"foo": "salt://foo.deb"},{"bar": "salt://bar.deb"}]' Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.install <package name> salt.modules.pkgin.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation. If the latest version of a given package is already installed, an empty string will be returned for that package. CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> ... salt.modules.pkgin.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed as a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt.modules.pkgin.purge(name=None, pkgs=None, **kwargs) Package purges are not supported, this function is identical to remove(). name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.purge <package name> salt '*' pkg.purge <package1>,<package2>,<package3> salt '*' pkg.purge pkgs='["foo", "bar"]' salt.modules.pkgin.refresh_db() Use pkg update to get latest pkg_summary CLI Example: salt '*' pkg.refresh_db salt.modules.pkgin.remove(name=None, pkgs=None, **kwargs) name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a list containing the removed packages. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.pkgin.search(pkg_name) Searches for an exact match using pkgin ^package$ CLI Example: salt '*' pkg.search 'mysql-server' salt.modules.pkgin.upgrade() Run pkg upgrade, if pkgin used. Otherwise do nothing Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.upgrade salt.modules.pkgin.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.pkgng Support for pkgng, the new package manager for FreeBSD WARNING: This module has been completely rewritten. Up to and including version 0.17.x, it was available as the pkgng module, (pkgng.install, pkgng.delete, etc.), but moving forward this module will no longer be available as pkgng, as it will behave like a normal Salt pkg provider. The documentation below should not be considered to apply to this module in versions <= 0.17.x. If your minion is running a 0.17.x release or older, then the documentation for this module can be viewed using the sys.doc function: salt bsdminion sys.doc pkgng This module provides an interface to pkg(8). It acts as the default package provider for FreeBSD 10 and newer. For FreeBSD hosts which have been upgraded to use pkgng, you will need to override the pkg provider by setting the providers parameter in your Minion config file, in order to use this module to manage packages, like so: providers: pkg: pkgng salt.modules.pkgng.audit(jail=None, chroot=None) Audits installed packages against known vulnerabilities CLI Example: salt '*' pkg.audit jail Audit packages within the specified jail CLI Example: salt '*' pkg.audit jail=<jail name or id> chroot Audit packages within the specified chroot (ignored if jail is specified) CLI Example: salt '*' pkg.audit chroot=/path/to/chroot salt.modules.pkgng.autoremove(jail=None, chroot=None, dryrun=False) Delete packages which were automatically installed as dependencies and are not required anymore. dryrun Dry-run mode. The list of changes to packages is always printed, but no changes are actually made. CLI Example: salt '*' pkg.autoremove salt '*' pkg.autoremove jail=<jail name or id> salt '*' pkg.autoremove dryrun=True salt '*' pkg.autoremove jail=<jail name or id> dryrun=True salt.modules.pkgng.backup(file_name, jail=None, chroot=None) Export installed packages into yaml+mtree file CLI Example: salt '*' pkg.backup /tmp/pkg jail Backup packages from the specified jail. Note that this will run the command within the jail, and so the path to the backup file will be relative to the root of the jail CLI Example: salt '*' pkg.backup /tmp/pkg jail=<jail name or id> chroot Backup packages from the specified chroot (ignored if jail is specified). Note that this will run the command within the chroot, and so the path to the backup file will be relative to the root of the chroot. CLI Example: salt '*' pkg.backup /tmp/pkg chroot=/path/to/chroot salt.modules.pkgng.check(jail=None, chroot=None, depends=False, recompute=False, checksum=False) Sanity checks installed packages jail Perform the sanity check in the specified jail CLI Example: salt '*' pkg.check jail=<jail name or id> chroot Perform the sanity check in the specified chroot (ignored if jail is specified) CLI Example: salt '*' pkg.check chroot=/path/to/chroot Of the below, at least one must be set to True. depends Check for and install missing dependencies. CLI Example: salt '*' pkg.check recompute=True recompute Recompute sizes and checksums of installed packages. CLI Example: salt '*' pkg.check depends=True checksum Find invalid checksums for installed packages. CLI Example: salt '*' pkg.check checksum=True salt.modules.pkgng.clean(jail=None, chroot=None) Cleans the local cache of fetched remote packages CLI Example: salt '*' pkg.clean salt '*' pkg.clean jail=<jail name or id> salt '*' pkg.clean chroot=/path/to/chroot salt.modules.pkgng.fetch(name, jail=None, chroot=None, fetch_all=False, quiet=False, fromrepo=None, glob=True, regex=False, pcre=False, local=False, depends=False) Fetches remote packages CLI Example: salt '*' pkg.fetch <package name> jail Fetch package in the specified jail CLI Example: salt '*' pkg.fetch <package name> jail=<jail name or id> chroot Fetch package in the specified chroot (ignored if jail is specified) CLI Example: salt '*' pkg.fetch <package name> chroot=/path/to/chroot fetch_all Fetch all packages. CLI Example: salt '*' pkg.fetch <package name> fetch_all=True quiet Quiet mode. Show less output. CLI Example: salt '*' pkg.fetch <package name> quiet=True fromrepo Fetches packages from the given repo if multiple repo support is enabled. See pkg.conf(5). CLI Example: salt '*' pkg.fetch <package name> fromrepo=repo glob Treat pkg_name as a shell glob pattern. CLI Example: salt '*' pkg.fetch <package name> glob=True regex Treat pkg_name as a regular expression. CLI Example: salt '*' pkg.fetch <regular expression> regex=True pcre Treat pkg_name is an extended regular expression. CLI Example: salt '*' pkg.fetch <extended regular expression> pcre=True local Skip updating the repository catalogs with pkg-update(8). Use the local cache only. CLI Example: salt '*' pkg.fetch <package name> local=True depends Fetch the package and its dependencies as well. CLI Example: salt '*' pkg.fetch <package name> depends=True salt.modules.pkgng.install(name=None, fromrepo=None, pkgs=None, sources=None, jail=None, chroot=None, orphan=False, force=False, glob=False, local=False, dryrun=False, quiet=False, reinstall_requires=False, regex=False, pcre=False, **kwargs) Install package(s) from a repository name The name of the package to install CLI Example: salt '*' pkg.install <package name> jail Install the package into the specified jail chroot Install the package into the specified chroot (ignored if jail is specified) orphan Mark the installed package as orphan. Will be automatically removed if no other packages depend on them. For more information please refer to pkg-autoremove(8). CLI Example: salt '*' pkg.install <package name> orphan=True force Force the reinstallation of the package if already installed. CLI Example: salt '*' pkg.install <package name> force=True glob Treat the package names as shell glob patterns. CLI Example: salt '*' pkg.install <package name> glob=True local Do not update the repository catalogs with pkg-update(8). A value of True here is equivalent to using the -U flag with pkg install. CLI Example: salt '*' pkg.install <package name> local=True dryrun Dru-run mode. The list of changes to packages is always printed, but no changes are actually made. CLI Example: salt '*' pkg.install <package name> dryrun=True quiet Force quiet output, except when dryrun is used, where pkg install will always show packages to be installed, upgraded or deleted. CLI Example: salt '*' pkg.install <package name> quiet=True reinstall_requires When used with force, reinstalls any packages that require the given package. CLI Example: salt '*' pkg.install <package name> reinstall_requires=True force=True Changed in version 2014.7.0: require kwarg renamed to reinstall_requires fromrepo In multi-repo mode, override the pkg.conf ordering and only attempt to download packages from the named repository. CLI Example: salt '*' pkg.install <package name> fromrepo=repo regex Treat the package names as a regular expression CLI Example: salt '*' pkg.install <regular expression> regex=True pcre Treat the package names as extended regular expressions. CLI Example: salt '*' pkg.install <extended regular expression> pcre=True salt.modules.pkgng.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation. If more than one package name is specified, a dict of name/version pairs is returned. If the latest version of a given package is already installed, an empty string will be returned for that package. CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package name> jail=<jail name or id> salt '*' pkg.latest_version <package name> chroot=/path/to/chroot salt.modules.pkgng.list_pkgs(versions_as_list=False, jail=None, chroot=None, with_origin=False, **kwargs) List the packages currently installed as a dict: {'<package_name>': '<version>'} jail List the packages in the specified jail chroot List the packages in the specified chroot (ignored if jail is specified) with_origin False Return a nested dictionary containing both the origin name and version for each installed package. New in version 2014.1.0. CLI Example: salt '*' pkg.list_pkgs salt '*' pkg.list_pkgs jail=<jail name or id> salt '*' pkg.list_pkgs chroot=/path/to/chroot salt.modules.pkgng.parse_config(file_name='/usr/local/etc/pkg.conf') Return dict of uncommented global variables. CLI Example: salt '*' pkg.parse_config NOTE: not working properly right now salt.modules.pkgng.refresh_db(jail=None, chroot=None, force=False) Refresh PACKAGESITE contents NOTE: This function can accessed using pkg.update in addition to pkg.refresh_db, to more closely match the CLI usage of pkg(8). CLI Example: salt '*' pkg.refresh_db jail Refresh the pkg database within the specified jail chroot Refresh the pkg database within the specified chroot (ignored if jail is specified) force Force a full download of the repository catalog without regard to the respective ages of the local and remote copies of the catalog. CLI Example: salt '*' pkg.refresh_db force=True salt.modules.pkgng.remove(name=None, pkgs=None, jail=None, chroot=None, all_installed=False, force=False, glob=False, dryrun=False, recurse=False, regex=False, pcre=False, **kwargs) Remove a package from the database and system NOTE: This function can accessed using pkg.delete in addition to pkg.remove, to more closely match the CLI usage of pkg(8). name The package to remove CLI Example: salt '*' pkg.remove <package name> jail Delete the package from the specified jail chroot Delete the package from the specified chroot (ignored if jail is specified) all_installed Deletes all installed packages from the system and empties the database. USE WITH CAUTION! CLI Example: salt '*' pkg.remove all all_installed=True force=True force Forces packages to be removed despite leaving unresolved dependencies. CLI Example: salt '*' pkg.remove <package name> force=True glob Treat the package names as shell glob patterns. CLI Example: salt '*' pkg.remove <package name> glob=True dryrun Dry run mode. The list of packages to delete is always printed, but no packages are actually deleted. CLI Example: salt '*' pkg.remove <package name> dryrun=True recurse Delete all packages that require the listed package as well. CLI Example: salt '*' pkg.remove <package name> recurse=True regex Treat the package names as regular expressions. CLI Example: salt '*' pkg.remove <regular expression> regex=True pcre Treat the package names as extended regular expressions. CLI Example: salt '*' pkg.remove <extended regular expression> pcre=True salt.modules.pkgng.restore(file_name, jail=None, chroot=None) Reads archive created by pkg backup -d and recreates the database. CLI Example: salt '*' pkg.restore /tmp/pkg jail Restore database to the specified jail. Note that this will run the command within the jail, and so the path to the file from which the pkg database will be restored is relative to the root of the jail. CLI Example: salt '*' pkg.restore /tmp/pkg jail=<jail name or id> chroot Restore database to the specified chroot (ignored if jail is specified). Note that this will run the command within the chroot, and so the path to the file from which the pkg database will be restored is relative to the root of the chroot. CLI Example: salt '*' pkg.restore /tmp/pkg chroot=/path/to/chroot salt.modules.pkgng.search(name, jail=None, chroot=None, exact=False, glob=False, regex=False, pcre=False, comment=False, desc=False, full=False, depends=False, size=False, quiet=False, origin=False, prefix=False) Searches in remote package repositories CLI Example: salt '*' pkg.search pattern jail Perform the search using the pkg.conf(5) from the specified jail CLI Example: salt '*' pkg.search pattern jail=<jail name or id> chroot Perform the search using the pkg.conf(5) from the specified chroot (ignored if jail is specified) CLI Example: salt '*' pkg.search pattern chroot=/path/to/chroot exact Treat pattern as exact pattern. CLI Example: salt '*' pkg.search pattern exact=True glob Treat pattern as a shell glob pattern. CLI Example: salt '*' pkg.search pattern glob=True regex Treat pattern as a regular expression. CLI Example: salt '*' pkg.search pattern regex=True pcre Treat pattern as an extended regular expression. CLI Example: salt '*' pkg.search pattern pcre=True comment Search for pattern in the package comment one-line description. CLI Example: salt '*' pkg.search pattern comment=True desc Search for pattern in the package description. CLI Example: salt '*' pkg.search pattern desc=True full Displays full information about the matching packages. CLI Example: salt '*' pkg.search pattern full=True depends Displays the dependencies of pattern. CLI Example: salt '*' pkg.search pattern depends=True size Displays the size of the package CLI Example: salt '*' pkg.search pattern size=True quiet Be quiet. Prints only the requested information without displaying many hints. CLI Example: salt '*' pkg.search pattern quiet=True origin Displays pattern origin. CLI Example: salt '*' pkg.search pattern origin=True prefix Displays the installation prefix for each package matching pattern. CLI Example: salt '*' pkg.search pattern prefix=True salt.modules.pkgng.stats(local=False, remote=False, jail=None, chroot=None) Return pkgng stats. CLI Example: salt '*' pkg.stats local Display stats only for the local package database. CLI Example: salt '*' pkg.stats local=True remote Display stats only for the remote package database(s). CLI Example: salt '*' pkg.stats remote=True jail Retrieve stats from the specified jail. CLI Example: salt '*' pkg.stats jail=<jail name or id> salt '*' pkg.stats jail=<jail name or id> local=True salt '*' pkg.stats jail=<jail name or id> remote=True chroot Retrieve stats from the specified chroot (ignored if jail is specified). CLI Example: salt '*' pkg.stats chroot=/path/to/chroot salt '*' pkg.stats chroot=/path/to/chroot local=True salt '*' pkg.stats chroot=/path/to/chroot remote=True salt.modules.pkgng.update_package_site(new_url) Updates remote package repo URL, PACKAGESITE var to be exact. Must use http://, ftp://, or https:// protocol CLI Example: salt '*' pkg.update_package_site http://127.0.0.1/ salt.modules.pkgng.updating(name, jail=None, chroot=None, filedate=None, filename=None) ' Displays UPDATING entries of software packages CLI Example: salt '*' pkg.updating foo jail Perform the action in the specified jail CLI Example: salt '*' pkg.updating foo jail=<jail name or id> chroot Perform the action in the specified chroot (ignored if jail is specified) CLI Example: salt '*' pkg.updating foo chroot=/path/to/chroot filedate Only entries newer than date are shown. Use a YYYYMMDD date format. CLI Example: salt '*' pkg.updating foo filedate=20130101 filename Defines an alternative location of the UPDATING file. CLI Example: salt '*' pkg.updating foo filename=/tmp/UPDATING salt.modules.pkgng.upgrade(*names, **kwargs) Upgrade named or all packages (run a pkg upgrade). If <package name> is omitted, the operation is executed on all packages. CLI Example: salt '*' pkg.upgrade <package name> jail Audit packages within the specified jail CLI Example: salt '*' pkg.upgrade <package name> jail=<jail name or id> chroot Audit packages within the specified chroot (ignored if jail is specified) CLI Example: salt '*' pkg.upgrade <package name> chroot=/path/to/chroot Any of the below options can also be used with jail or chroot. force Force reinstalling/upgrading the whole set of packages. CLI Example: salt '*' pkg.upgrade <package name> force=True local Do not update the repository catalogs with pkg-update(8). A value of True here is equivalent to using the -U flag with pkg upgrade. CLI Example: salt '*' pkg.upgrade <package name> local=True dryrun Dry-run mode: show what packages have updates available, but do not perform any upgrades. Repository catalogs will be updated as usual unless the local option is also given. CLI Example: salt '*' pkg.upgrade <package name> dryrun=True salt.modules.pkgng.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. NOTE: This function can accessed using pkg.info in addition to pkg.version, to more closely match the CLI usage of pkg(8). jail Get package version information for the specified jail chroot Get package version information for the specified chroot (ignored if jail is specified) with_origin False Return a nested dictionary containing both the origin name and version for each specified package. New in version 2014.1.0. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package name> jail=<jail name or id> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.pkgng.which(path, jail=None, chroot=None, origin=False, quiet=False) Displays which package installed a specific file CLI Example: salt '*' pkg.which <file name> jail Perform the check in the specified jail CLI Example: salt '*' pkg.which <file name> jail=<jail name or id> chroot Perform the check in the specified chroot (ignored if jail is specified) CLI Example: salt '*' pkg.which <file name> chroot=/path/to/chroot origin Shows the origin of the package instead of name-version. CLI Example: salt '*' pkg.which <file name> origin=True quiet Quiet output. CLI Example: salt '*' pkg.which <file name> quiet=True salt.modules.pkgutil Pkgutil support for Solaris salt.modules.pkgutil.install(name=None, refresh=False, version=None, pkgs=None, **kwargs) Install packages using the pkgutil tool. CLI Example: salt '*' pkg.install <package_name> salt '*' pkg.install SMClgcc346 Multiple Package Installation Options: pkgs A list of packages to install from OpenCSW. Must be passed as a python list. CLI Example: salt '*' pkg.install pkgs='["foo", "bar"]' salt '*' pkg.install pkgs='["foo", {"bar": "1.2.3"}]' Returns a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} salt.modules.pkgutil.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation. If more than one package name is specified, a dict of name/version pairs is returned. If the latest version of a given package is already installed, an empty string will be returned for that package. CLI Example: salt '*' pkgutil.latest_version CSWpython salt '*' pkgutil.latest_version <package1> <package2> <package3> ... salt.modules.pkgutil.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed as a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt '*' pkg.list_pkgs versions_as_list=True salt.modules.pkgutil.list_upgrades(refresh=True) List all available package upgrades on this system CLI Example: salt '*' pkgutil.list_upgrades salt.modules.pkgutil.purge(name=None, pkgs=None, **kwargs) Package purges are not supported, this function is identical to remove(). name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.purge <package name> salt '*' pkg.purge <package1>,<package2>,<package3> salt '*' pkg.purge pkgs='["foo", "bar"]' salt.modules.pkgutil.refresh_db() Updates the pkgutil repo database (pkgutil -U) CLI Example: salt '*' pkgutil.refresh_db salt.modules.pkgutil.remove(name=None, pkgs=None, **kwargs) Remove a package and all its dependencies which are not in use by other packages. name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.pkgutil.upgrade(refresh=True) Upgrade all of the packages to the latest available version. Returns a dict containing the changes: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkgutil.upgrade salt.modules.pkgutil.upgrade_available(name) Check if there is an upgrade available for a certain package CLI Example: salt '*' pkgutil.upgrade_available CSWpython salt.modules.pkgutil.version(*names, **kwargs) Returns a version if the package is installed, else returns an empty string CLI Example: salt '*' pkgutil.version CSWpython salt.modules.portage_config Configure portage(5) salt.modules.portage_config.append_to_package_conf(conf, atom='', flags=None, string='', overwrite=False) Append a string or a list of flags for a given package or DEPEND atom to a given configuration file. CLI Example: salt '*' portage_config.append_to_package_conf use string="app-admin/salt ldap -libvirt" salt '*' portage_config.append_to_package_conf use atom="> = app-admin/salt-0.14.1" flags="['ldap', '-libvirt']" salt.modules.portage_config.append_use_flags(atom, uses=None, overwrite=False) Append a list of use flags for a given package or DEPEND atom CLI Example: salt '*' portage_config.append_use_flags "app-admin/salt[ldap, -libvirt]" salt '*' portage_config.append_use_flags ">=app-admin/salt-0.14.1" "['ldap', '-libvirt']" salt.modules.portage_config.enforce_nice_config() Enforce a nice tree structure for /etc/portage/package.* configuration files. SEE ALSO: salt.modules.ebuild.ex_mod_init() for information on automatically running this when pkg is used. CLI Example: salt '*' portage_config.enforce_nice_config salt.modules.portage_config.filter_flags(use, use_expand_hidden, usemasked, useforced) New in version 2015.8.0. Filter function to remove hidden or otherwise not normally visible USE flags from a list. @type use: list @param use: the USE flag list to be filtered. @type use_expand_hidden: list @param use_expand_hidden: list of flags hidden. @type usemasked: list @param usemasked: list of masked USE flags. @type useforced: list @param useforced: the forced USE flags. @rtype: list @return the filtered USE flags. salt.modules.portage_config.get_all_cpv_use(cp) New in version 2015.8.0. Uses portage to determine final USE flags and settings for an emerge. @type cp: string @param cp: eg cat/pkg @rtype: lists @return use, use_expand_hidden, usemask, useforce salt.modules.portage_config.get_cleared_flags(cp) New in version 2015.8.0. Uses portage for compare use flags which is used for installing package and use flags which now exist int /etc/portage/package.use/ @type cp: string @param cp: eg cat/pkg @rtype: tuple @rparam: tuple with two lists - list of used flags and list of flags which will be used salt.modules.portage_config.get_flags_from_package_conf(conf, atom) Get flags for a given package or DEPEND atom. Warning: This only works if the configuration files tree is in the correct format (the one enforced by enforce_nice_config) CLI Example: salt '*' portage_config.get_flags_from_package_conf license salt salt.modules.portage_config.get_installed_use(cp, use='USE') New in version 2015.8.0. Gets the installed USE flags from the VARDB. @type: cp: string @param cp: cat/pkg @type use: string @param use: 1 of ["USE", "PKGUSE"] @rtype list @returns [] or the list of IUSE flags salt.modules.portage_config.get_iuse(cp) New in version 2015.8.0. Gets the current IUSE flags from the tree. @type: cpv: string @param cpv: cat/pkg @rtype list @returns [] or the list of IUSE flags salt.modules.portage_config.get_missing_flags(conf, atom, flags) Find out which of the given flags are currently not set. CLI Example: salt '*' portage_config.get_missing_flags use salt "['ldap', '-libvirt', 'openssl']" salt.modules.portage_config.has_flag(conf, atom, flag) Verify if the given package or DEPEND atom has the given flag. Warning: This only works if the configuration files tree is in the correct format (the one enforced by enforce_nice_config) CLI Example: salt '*' portage_config.has_flag license salt Apache-2.0 salt.modules.portage_config.has_use(atom, use) Verify if the given package or DEPEND atom has the given use flag. Warning: This only works if the configuration files tree is in the correct format (the one enforced by enforce_nice_config) CLI Example: salt '*' portage_config.has_use salt libvirt salt.modules.portage_config.is_changed_uses(cp) New in version 2015.8.0. Uses portage for determine if the use flags of installed package is compatible with use flags in portage configs. @type cp: string @param cp: eg cat/pkg salt.modules.portage_config.is_present(conf, atom) Tell if a given package or DEPEND atom is present in the configuration files tree. Warning: This only works if the configuration files tree is in the correct format (the one enforced by enforce_nice_config) CLI Example: salt '*' portage_config.is_present unmask salt salt.modules.postfix Support for Postfix This module is currently little more than a config file viewer and editor. It is able to read the master.cf file (which is one style) and files in the style of main.cf (which is a different style, that is used in multiple postfix configuration files). The design of this module is such that when files are edited, a minimum of changes are made to them. Each file should look as if it has been edited by hand; order, comments and whitespace are all preserved. salt.modules.postfix.delete(queue_id) Delete message(s) from the mail queue CLI Example: salt '*' postfix.delete 5C33CA0DEA salt '*' postfix.delete ALL salt.modules.postfix.hold(queue_id) Put message(s) on hold from the mail queue CLI Example: salt '*' postfix.hold 5C33CA0DEA salt '*' postfix.hold ALL salt.modules.postfix.requeue(queue_id) Requeue message(s) in the mail queue CLI Example: salt '*' postfix.requeue 5C33CA0DEA salt '*' postfix.requeue ALL salt.modules.postfix.set_main(key, value, path='/etc/postfix/main.cf') Set a single config value in the main.cf file. If the value does not already exist, it will be appended to the end. CLI Example: salt <minion> postfix.set_main mailq_path /usr/bin/mailq salt.modules.postfix.set_master(service, conn_type, private='y', unpriv='y', chroot='y', wakeup='n', maxproc='100', command='', write_conf=True, path='/etc/postfix/master.cf') Set a single config value in the master.cf file. If the value does not already exist, it will be appended to the end. Because of shell parsing issues, '-' cannot be set as a value, as is normal in the master.cf file; either 'y', 'n' or a number should be used when calling this function from the command line. If the value used matches the default, it will internally be converted to a '-'. Calling this function from the Python API is not affected by this limitation The settings and their default values, in order, are: service (required), conn_type (required), private (y), unpriv (y), chroot (y), wakeup (n), maxproc (100), command (required). By default, this function will write out the changes to the master.cf file, and then returns the full contents of the file. By setting the write_conf option to False, it will skip writing the file. CLI Example: salt <minion> postfix.set_master smtp inet n y n n 100 smtpd salt.modules.postfix.show_main(path='/etc/postfix/main.cf') Return a dict of active config values. This does not include comments, spacing or order. Bear in mind that order is functionally important in the main.cf file, since keys can be referred to as variables. This means that the data returned from this function should not be used for direct modification of the main.cf file; other functions are available for that. CLI Examples: salt <minion> postfix.show_main salt <minion> postfix.show_main path=/path/to/main.cf salt.modules.postfix.show_master(path='/etc/postfix/master.cf') Return a dict of active config values. This does not include comments, spacing or order. The data returned from this function should not be used for direct modification of the main.cf file; other functions are available for that. CLI Examples: salt <minion> postfix.show_master salt <minion> postfix.show_master path=/path/to/master.cf salt.modules.postfix.show_queue() Show contents of the mail queue CLI Example: salt '*' postfix.show_queue salt.modules.postfix.unhold(queue_id) Set held message(s) in the mail queue to unheld CLI Example: salt '*' postfix.unhold 5C33CA0DEA salt '*' postfix.unhold ALL salt.modules.postgres Module to provide Postgres compatibility to salt. configuration In order to connect to Postgres, certain configuration is required in /etc/salt/minion on the relevant minions. Some sample configs might look like: postgres.host: 'localhost' postgres.port: '5432' postgres.user: 'postgres' -> db user postgres.pass: '' postgres.maintenance_db: 'postgres' The default for the maintenance_db is 'postgres' and in most cases it can be left at the default setting. This data can also be passed into pillar. Options passed into opts will overwrite options passed into pillar note This module uses MD5 hashing which may not be compliant with certain security audits. salt.modules.postgres.available_extensions(user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) List available postgresql extensions CLI Example: salt '*' postgres.available_extensions salt.modules.postgres.create_extension(name, if_not_exists=None, schema=None, ext_version=None, from_version=None, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Install a postgresql extension CLI Example: salt '*' postgres.create_extension 'adminpack' salt.modules.postgres.create_metadata(name, ext_version=None, schema=None, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Get lifecycle information about an extension CLI Example: salt '*' postgres.create_metadata adminpack salt.modules.postgres.db_alter(name, user=None, host=None, port=None, maintenance_db=None, password=None, tablespace=None, owner=None, owner_recurse=False, runas=None) Change tablespace or/and owner of database. CLI Example: salt '*' postgres.db_alter dbname owner=otheruser salt.modules.postgres.db_create(name, user=None, host=None, port=None, maintenance_db=None, password=None, tablespace=None, encoding=None, lc_collate=None, lc_ctype=None, owner=None, template=None, runas=None) Adds a databases to the Postgres server. CLI Example: salt '*' postgres.db_create 'dbname' salt '*' postgres.db_create 'dbname' template=template_postgis salt.modules.postgres.db_exists(name, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Checks if a database exists on the Postgres server. CLI Example: salt '*' postgres.db_exists 'dbname' salt.modules.postgres.db_list(user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Return dictionary with information about databases of a Postgres server. CLI Example: salt '*' postgres.db_list salt.modules.postgres.db_remove(name, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Removes a databases from the Postgres server. CLI Example: salt '*' postgres.db_remove 'dbname' salt.modules.postgres.drop_extension(name, if_exists=None, restrict=None, cascade=None, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Drop an installed postgresql extension CLI Example: salt '*' postgres.drop_extension 'adminpack' salt.modules.postgres.get_available_extension(name, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Get info about an available postgresql extension CLI Example: salt '*' postgres.get_available_extension plpgsql salt.modules.postgres.get_installed_extension(name, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Get info about an installed postgresql extension CLI Example: salt '*' postgres.get_installed_extension plpgsql salt.modules.postgres.group_create(groupname, user=None, host=None, port=None, maintenance_db=None, password=None, createdb=None, createuser=None, createroles=None, encrypted=None, login=None, inherit=None, superuser=None, replication=None, rolepassword=None, groups=None, runas=None) Creates a Postgres group. A group is postgres is similar to a user, but cannot login. CLI Example: salt '*' postgres.group_create 'groupname' user='user' \ host='hostname' port='port' password='password' \ rolepassword='rolepassword' salt.modules.postgres.group_remove(groupname, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Removes a group from the Postgres server. CLI Example: salt '*' postgres.group_remove 'groupname' salt.modules.postgres.group_update(groupname, user=None, host=None, port=None, maintenance_db=None, password=None, createdb=None, createroles=None, createuser=None, encrypted=None, inherit=None, login=None, superuser=None, replication=None, rolepassword=None, groups=None, runas=None) Updates a postgres group CLI Examples: salt '*' postgres.group_update 'username' user='user' \ host='hostname' port='port' password='password' \ rolepassword='rolepassword' salt.modules.postgres.installed_extensions(user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) List installed postgresql extensions CLI Example: salt '*' postgres.installed_extensions salt.modules.postgres.is_available_extension(name, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Test if a specific extension is available CLI Example: salt '*' postgres.is_available_extension salt.modules.postgres.is_installed_extension(name, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Test if a specific extension is installed CLI Example: salt '*' postgres.is_installed_extension salt.modules.postgres.owner_to(dbname, ownername, user=None, host=None, port=None, password=None, runas=None) Set the owner of all schemas, functions, tables, views and sequences to the given username. CLI Example: salt '*' postgres.owner_to 'dbname' 'username' salt.modules.postgres.psql_query(query, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Run an SQL-Query and return the results as a list. This command only supports SELECT statements. This limitation can be worked around with a query like this: WITH updated AS (UPDATE pg_authid SET rolconnlimit = 2000 WHERE rolname = 'rolename' RETURNING rolconnlimit) SELECT * FROM updated; CLI Example: salt '*' postgres.psql_query 'select * from pg_stat_activity' salt.modules.postgres.role_get(name, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None, return_password=False) Return a dict with information about users of a Postgres server. Set return_password to True to get password hash in the result. CLI Example: salt '*' postgres.role_get postgres salt.modules.postgres.schema_create(dbname, name, owner=None, user=None, db_user=None, db_password=None, db_host=None, db_port=None) Creates a Postgres schema. CLI Example: salt '*' postgres.schema_create dbname name owner='owner' \ user='user' \ db_user='user' db_password='password' db_host='hostname' db_port='port' salt.modules.postgres.schema_exists(dbname, name, db_user=None, db_password=None, db_host=None, db_port=None) Checks if a schema exists on the Postgres server. CLI Example: salt '*' postgres.schema_exists dbname schemaname dbname Database name we query on name Schema name we look for db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.modules.postgres.schema_get(dbname, name, db_user=None, db_password=None, db_host=None, db_port=None) Return a dict with information about schemas in a database. CLI Example: salt '*' postgres.schema_get dbname name dbname Database name we query on name Schema name we look for db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.modules.postgres.schema_list(dbname, db_user=None, db_password=None, db_host=None, db_port=None) Return a dict with information about schemas in a Postgres database. CLI Example: salt '*' postgres.schema_list dbname dbname Database name we query on db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.modules.postgres.schema_remove(dbname, name, user=None, db_user=None, db_password=None, db_host=None, db_port=None) Removes a schema from the Postgres server. CLI Example: salt '*' postgres.schema_remove dbname schemaname dbname Database name we work on schemaname The schema's name we'll remove user System user all operations should be performed on behalf of db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.modules.postgres.tablespace_alter(name, user=None, host=None, port=None, maintenance_db=None, password=None, new_name=None, new_owner=None, set_option=None, reset_option=None, runas=None) Change tablespace name, owner, or options. CLI Example: salt '*' postgres.tablespace_alter tsname new_owner=otheruser salt '*' postgres.tablespace_alter index_space new_name=fast_raid salt '*' postgres.tablespace_alter test set_option="{'seq_page_cost': '1.1'}" salt '*' postgres.tablespace_alter tsname reset_option=seq_page_cost New in version 2015.8.0. salt.modules.postgres.tablespace_create(name, location, options=None, owner=None, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Adds a tablespace to the Postgres server. CLI Example: salt '*' postgres.tablespace_create tablespacename '/path/datadir' New in version 2015.8.0. salt.modules.postgres.tablespace_exists(name, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Checks if a tablespace exists on the Postgres server. CLI Example: salt '*' postgres.tablespace_exists 'dbname' New in version 2015.8.0. salt.modules.postgres.tablespace_list(user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Return dictionary with information about tablespaces of a Postgres server. CLI Example: salt '*' postgres.tablespace_list New in version 2015.8.0. salt.modules.postgres.tablespace_remove(name, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Removes a tablespace from the Postgres server. CLI Example: salt '*' postgres.tablespace_remove tsname New in version 2015.8.0. salt.modules.postgres.user_create(username, user=None, host=None, port=None, maintenance_db=None, password=None, createdb=None, createuser=None, createroles=None, inherit=None, login=None, connlimit=None, encrypted=None, superuser=None, replication=None, rolepassword=None, groups=None, runas=None) Creates a Postgres user. CLI Examples: salt '*' postgres.user_create 'username' user='user' \ host='hostname' port='port' password='password' \ rolepassword='rolepassword' salt.modules.postgres.user_exists(name, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Checks if a user exists on the Postgres server. CLI Example: salt '*' postgres.user_exists 'username' salt.modules.postgres.user_list(user=None, host=None, port=None, maintenance_db=None, password=None, runas=None, return_password=False) Return a dict with information about users of a Postgres server. Set return_password to True to get password hash in the result. CLI Example: salt '*' postgres.user_list salt.modules.postgres.user_remove(username, user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Removes a user from the Postgres server. CLI Example: salt '*' postgres.user_remove 'username' salt.modules.postgres.user_update(username, user=None, host=None, port=None, maintenance_db=None, password=None, createdb=None, createuser=None, createroles=None, encrypted=None, superuser=None, inherit=None, login=None, connlimit=None, replication=None, rolepassword=None, groups=None, runas=None) Updates a Postgres user. CLI Examples: salt '*' postgres.user_update 'username' user='user' \ host='hostname' port='port' password='password' \ rolepassword='rolepassword' salt.modules.postgres.version(user=None, host=None, port=None, maintenance_db=None, password=None, runas=None) Return the version of a Postgres server. CLI Example: salt '*' postgres.version salt.modules.poudriere Support for poudriere salt.modules.poudriere.bulk_build(jail, pkg_file, keep=False) Run bulk build on poudriere server. Return number of pkg builds, failures, and errors, on error dump to CLI CLI Example: salt -N buildbox_group poudriere.bulk_build 90amd64 /root/pkg_list salt.modules.poudriere.create_jail(name, arch, version='9.0-RELEASE') Creates a new poudriere jail if one does not exist NOTE creating a new jail will take some time the master is not hanging CLI Example: salt '*' poudriere.create_jail 90amd64 amd64 salt.modules.poudriere.create_ports_tree() Not working need to run portfetch non interactive salt.modules.poudriere.delete_jail(name) Deletes poudriere jail with name CLI Example: salt '*' poudriere.delete_jail 90amd64 salt.modules.poudriere.is_jail(name) Return True if jail exists False if not CLI Example: salt '*' poudriere.is_jail <jail name> salt.modules.poudriere.list_jails() Return a list of current jails managed by poudriere CLI Example: salt '*' poudriere.list_jails salt.modules.poudriere.list_ports() Return a list of current port trees managed by poudriere CLI Example: salt '*' poudriere.list_ports salt.modules.poudriere.make_pkgng_aware(jname) Make jail jname pkgng aware CLI Example: salt '*' poudriere.make_pkgng_aware <jail name> salt.modules.poudriere.parse_config(config_file=None) Returns a dict of poudriere main configuration definitions CLI Example: salt '*' poudriere.parse_config salt.modules.poudriere.update_jail(name) Run freebsd-update on name poudriere jail CLI Example: salt '*' poudriere.update_jail freebsd:10:x86:64 salt.modules.poudriere.update_ports_tree(ports_tree) Updates the ports tree, either the default or the ports_tree specified CLI Example: salt '*' poudriere.update_ports_tree staging salt.modules.poudriere.version() Return poudriere version CLI Example: salt '*' poudriere.version salt.modules.powerpath powerpath support. Assumes RedHat salt.modules.powerpath.add_license(key) Add a license salt.modules.powerpath.has_powerpath() salt.modules.powerpath.list_licenses() returns a list of applied powerpath license keys salt.modules.powerpath.remove_license(key) Remove a license salt.modules.ps A salt interface to psutil, a system and process library. See http://code.google.com/p/psutil. depends • psutil Python module, version 0.3.0 or later • python-utmp package (optional) salt.modules.ps.boot_time(time_format=None) Return the boot time in number of seconds since the epoch began. CLI Example: time_format Optionally specify a strftime format string. Use time_format='%c' to get a nicely-formatted locale specific date and time (i.e. Fri May 2 19:08:32 2014). New in version 2014.1.4. salt '*' ps.boot_time salt.modules.ps.cpu_percent(interval=0.1, per_cpu=False) Return the percent of time the CPU is busy. interval the number of seconds to sample CPU usage over per_cpu if True return an array of CPU percent busy for each CPU, otherwise aggregate all percents into one number CLI Example: salt '*' ps.cpu_percent salt.modules.ps.cpu_times(per_cpu=False) Return the percent of time the CPU spends in each state, e.g. user, system, idle, nice, iowait, irq, softirq. per_cpu if True return an array of percents for each CPU, otherwise aggregate all percents into one number CLI Example: salt '*' ps.cpu_times salt.modules.ps.disk_io_counters(device=None) Return disk I/O statistics. CLI Example: salt '*' ps.disk_io_counters salt '*' ps.disk_io_counters device=sda1 salt.modules.ps.disk_partition_usage(all=False) Return a list of disk partitions plus the mount point, filesystem and usage statistics. CLI Example: salt '*' ps.disk_partition_usage salt.modules.ps.disk_partitions(all=False) Return a list of disk partitions and their device, mount point, and filesystem type. all if set to False, only return local, physical partitions (hard disk, USB, CD/DVD partitions). If True, return all filesystems. CLI Example: salt '*' ps.disk_partitions salt.modules.ps.disk_usage(path) Given a path, return a dict listing the total available space as well as the free space, and used space. CLI Example: salt '*' ps.disk_usage /home salt.modules.ps.get_pid_list() Return a list of process ids (PIDs) for all running processes. CLI Example: salt '*' ps.get_pid_list salt.modules.ps.get_users() Return logged-in users. CLI Example: salt '*' ps.get_users salt.modules.ps.kill_pid(pid, signal=15) Kill a process by PID. salt 'minion' ps.kill_pid pid [signal=signal_number] pid PID of process to kill. signal Signal to send to the process. See manpage entry for kill for possible values. Default: 15 (SIGTERM). Example: Send SIGKILL to process with PID 2000: salt 'minion' ps.kill_pid 2000 signal=9 salt.modules.ps.network_io_counters(interface=None) Return network I/O statistics. CLI Example: salt '*' ps.network_io_counters salt '*' ps.network_io_counters interface=eth0 salt.modules.ps.num_cpus() Return the number of CPUs. CLI Example: salt '*' ps.num_cpus salt.modules.ps.pgrep(pattern, user=None, full=False) Return the pids for processes matching a pattern. If full is true, the full command line is searched for a match, otherwise only the name of the command is searched. salt '*' ps.pgrep pattern [user=username] [full=(true|false)] pattern Pattern to search for in the process list. user Limit matches to the given username. Default: All users. full A boolean value indicating whether only the name of the command or the full command line should be matched against the pattern. Examples: Find all httpd processes on all 'www' minions: salt 'www.*' ps.pgrep httpd Find all bash processes owned by user 'tom': salt '*' ps.pgrep bash user=tom salt.modules.ps.pkill(pattern, user=None, signal=15, full=False) Kill processes matching a pattern. salt '*' ps.pkill pattern [user=username] [signal=signal_number] \ [full=(true|false)] pattern Pattern to search for in the process list. user Limit matches to the given username. Default: All users. signal Signal to send to the process(es). See manpage entry for kill for possible values. Default: 15 (SIGTERM). full A boolean value indicating whether only the name of the command or the full command line should be matched against the pattern. Examples: Send SIGHUP to all httpd processes on all 'www' minions: salt 'www.*' ps.pkill httpd signal=1 Send SIGKILL to all bash processes owned by user 'tom': salt '*' ps.pkill bash signal=9 user=tom salt.modules.ps.proc_info(pid, attrs=None) Return a dictionary of information for a process id (PID). CLI Example: salt '*' ps.proc_info 2322 salt '*' ps.proc_info 2322 attrs='["pid", "name"]' pid PID of process to query. attrs Optional list of desired process attributes. The list of possible attributes can be found here: http://pythonhosted.org/psutil/#psutil.Process salt.modules.ps.swap_memory() New in version 2014.7.0. Return a dict that describes swap memory statistics. NOTE: This function is only available in psutil version 0.6.0 and above. CLI Example: salt '*' ps.swap_memory salt.modules.ps.top(num_processes=5, interval=3) Return a list of top CPU consuming processes during the interval. num_processes = return the top N CPU consuming processes interval = the number of seconds to sample CPU usage over CLI Examples: salt '*' ps.top salt '*' ps.top 5 10 salt.modules.ps.total_physical_memory() Return the total number of bytes of physical memory. CLI Example: salt '*' ps.total_physical_memory salt.modules.ps.virtual_memory() New in version 2014.7.0. Return a dict that describes statistics about system memory usage. NOTE: This function is only available in psutil version 0.6.0 and above. CLI Example: salt '*' ps.virtual_memory salt.modules.publish Publish a command from a minion to a target salt.modules.publish.full_data(tgt, fun, arg=None, expr_form='glob', returner='', timeout=5) Return the full data about the publication, this is invoked in the same way as the publish function CLI Example: salt system.example.com publish.full_data '*' cmd.run 'ls -la /tmp' Attention If you need to pass a value to a function argument and that value contains an equal sign, you must include the argument name. For example: salt '*' publish.full_data test.kwarg arg='cheese=spam' salt.modules.publish.publish(tgt, fun, arg=None, expr_form='glob', returner='', timeout=5) Publish a command from the minion out to other minions. Publications need to be enabled on the Salt master and the minion needs to have permission to publish the command. The Salt master will also prevent a recursive publication loop, this means that a minion cannot command another minion to command another minion as that would create an infinite command loop. The expr_form argument is used to pass a target other than a glob into the execution, the available options are: • glob • pcre • grain • grain_pcre • pillar • pillar_pcre • ipcidr • range • compound Note that for pillar matches must be exact, both in the pillar matcher and the compound matcher. No globbing is supported. The arguments sent to the minion publish function are separated with commas. This means that for a minion executing a command with multiple args it will look like this: salt system.example.com publish.publish '*' user.add 'foo,1020,1020' salt system.example.com publish.publish 'os:Fedora' network.interfaces '' grain CLI Example: salt system.example.com publish.publish '*' cmd.run 'ls -la /tmp' Attention If you need to pass a value to a function argument and that value contains an equal sign, you must include the argument name. For example: salt '*' publish.publish test.kwarg arg='cheese=spam' Multiple keyword arguments should be passed as a list. salt '*' publish.publish test.kwarg arg="['cheese=spam','spam=cheese']" salt.modules.publish.runner(fun, arg=None, timeout=5) Execute a runner on the master and return the data from the runner function CLI Example: salt publish.runner manage.down salt.modules.puppet Execute puppet routines salt.modules.puppet.disable(message=None) New in version 2014.7.0. Disable the puppet agent message New in version 2015.5.2. Disable message to send to puppet CLI Example: salt '*' puppet.disable salt '*' puppet.disable 'Disabled, contact XYZ before enabling' salt.modules.puppet.enable() New in version 2014.7.0. Enable the puppet agent CLI Example: salt '*' puppet.enable salt.modules.puppet.fact(name, puppet=False) Run facter for a specific fact CLI Example: salt '*' puppet.fact kernel salt.modules.puppet.facts(puppet=False) Run facter and return the results CLI Example: salt '*' puppet.facts salt.modules.puppet.noop(*args, **kwargs) Execute a puppet noop run and return a dict with the stderr, stdout, return code, etc. Usage is the same as for puppet.run. CLI Example: salt '*' puppet.noop salt '*' puppet.noop tags=basefiles::edit,apache::server salt '*' puppet.noop debug salt '*' puppet.noop apply /a/b/manifest.pp modulepath=/a/b/modules tags=basefiles::edit,apache::server salt.modules.puppet.plugin_sync() Runs a plugin synch between the puppet master and agent CLI Example: salt '*' puppet.plugin_sync salt.modules.puppet.run(*args, **kwargs) Execute a puppet run and return a dict with the stderr, stdout, return code, etc. The first positional argument given is checked as a subcommand. Following positional arguments should be ordered with arguments required by the subcommand first, followed by non-keyword arguments. Tags are specified by a tag keyword and comma separated list of values. -- http://docs.puppetlabs.com/puppet/latest/reference/lang_tags.html CLI Examples: salt '*' puppet.run salt '*' puppet.run tags=basefiles::edit,apache::server salt '*' puppet.run agent onetime no-daemonize no-usecacheonfailure no-splay ignorecache salt '*' puppet.run debug salt '*' puppet.run apply /a/b/manifest.pp modulepath=/a/b/modules tags=basefiles::edit,apache::server salt.modules.puppet.status() New in version 2014.7.0. Display puppet agent status CLI Example: salt '*' puppet.status salt.modules.puppet.summary() New in version 2014.7.0. Show a summary of the last puppet agent run CLI Example: salt '*' puppet.summary salt.modules.pushover_notify Module for sending messages to Pushover (https://www.pushover.net) New in version Boron. configuration This module can be used by either passing an api key and version directly or by specifying both in a configuration profile in the salt master/minion config. For example: pushover: token: abAHuZyCLtdH8P4zhmFZmgUHUsv1ei8 salt.modules.pushover_notify.post_message(user=None, device=None, message=None, title=None, priority=None, expire=None, retry=None, sound=None, api_version=1, token=None) Send a message to a Pushover user or group. Parameters • user -- The user or group to send to, must be key of user or group not email address. • message -- The message to send to the PushOver user or group. • title -- Specify who the message is from. • priority -- The priority of the message, defaults to 0. • expire -- The message should expire after N number of seconds. • retry -- The number of times the message should be retried. • sound -- The sound to associate with the message. • api_version -- The PushOver API version, if not specified in the configuration. • token -- The PushOver token, if not specified in the configuration. Returns Boolean if message was sent successfully. CLI Example: salt '*' pushover.post_message user='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' title='Message from Salt' message='Build is done' salt '*' pushover.post_message user='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' title='Message from Salt' message='Build is done' priority='2' expire='720' retry='5' salt.modules.pw_group Manage groups on FreeBSD salt.modules.pw_group.add(name, gid=None, **kwargs) Add the specified group CLI Example: salt '*' group.add foo 3456 salt.modules.pw_group.chgid(name, gid) Change the gid for a named group CLI Example: salt '*' group.chgid foo 4376 salt.modules.pw_group.delete(name) Remove the named group CLI Example: salt '*' group.delete foo salt.modules.pw_group.getent(refresh=False) Return info on all groups CLI Example: salt '*' group.getent salt.modules.pw_group.info(name) Return information about a group CLI Example: salt '*' group.info foo salt.modules.pw_group.members(name, members_list) Replaces members of the group with a provided list. New in version 2015.5.4. CLI Example: salt '*' group.members foo 'user1,user2,user3,...' Replaces a membership list for a local group 'foo'. foo:x:1234:user1,user2,user3,... salt.modules.pw_user Manage users with the useradd command salt.modules.pw_user.add(name, uid=None, gid=None, groups=None, home=None, shell=None, unique=True, fullname='', roomnumber='', workphone='', homephone='', createhome=True, **kwargs) Add a user to the minion CLI Example: salt '*' user.add name <uid> <gid> <groups> <home> <shell> salt.modules.pw_user.chfullname(name, fullname) Change the user's Full Name CLI Example: salt '*' user.chfullname foo "Foo Bar" salt.modules.pw_user.chgid(name, gid) Change the default group of the user CLI Example: salt '*' user.chgid foo 4376 salt.modules.pw_user.chgroups(name, groups, append=False) Change the groups this user belongs to, add append to append the specified groups CLI Example: salt '*' user.chgroups foo wheel,root True salt.modules.pw_user.chhome(name, home, persist=False) Change the home directory of the user, pass true for persist to copy files to the new home dir CLI Example: salt '*' user.chhome foo /home/users/foo True salt.modules.pw_user.chhomephone(name, homephone) Change the user's Home Phone CLI Example: salt '*' user.chhomephone foo "7735551234" salt.modules.pw_user.chroomnumber(name, roomnumber) Change the user's Room Number CLI Example: salt '*' user.chroomnumber foo 123 salt.modules.pw_user.chshell(name, shell) Change the default shell of the user CLI Example: salt '*' user.chshell foo /bin/zsh salt.modules.pw_user.chuid(name, uid) Change the uid for a named user CLI Example: salt '*' user.chuid foo 4376 salt.modules.pw_user.chworkphone(name, workphone) Change the user's Work Phone CLI Example: salt '*' user.chworkphone foo "7735550123" salt.modules.pw_user.delete(name, remove=False, force=False) Remove a user from the minion CLI Example: salt '*' user.delete name remove=True force=True salt.modules.pw_user.getent(refresh=False) Return the list of all info for all users CLI Example: salt '*' user.getent salt.modules.pw_user.info(name) Return user information CLI Example: salt '*' user.info root salt.modules.pw_user.list_groups(name) Return a list of groups the named user belongs to CLI Example: salt '*' user.list_groups foo salt.modules.pw_user.list_users() Return a list of all users CLI Example: salt '*' user.list_users salt.modules.pw_user.rename(name, new_name) Change the username for a named user CLI Example: salt '*' user.rename name new_name salt.modules.pyenv Manage python installations with pyenv. New in version v2014.04. salt.modules.pyenv.default(python=None, runas=None) Returns or sets the currently defined default python. python=None The version to set as the default. Should match one of the versions listed by pyenv.versions. Leave blank to return the current default. CLI Example: salt '*' pyenv.default salt '*' pyenv.default 2.0.0-p0 salt.modules.pyenv.do(cmdline=None, runas=None) Execute a python command with pyenv's shims from the user or the system. CLI Example: salt '*' pyenv.do 'gem list bundler' salt '*' pyenv.do 'gem list bundler' deploy salt.modules.pyenv.do_with_python(python, cmdline, runas=None) Execute a python command with pyenv's shims using a specific python version. CLI Example: salt '*' pyenv.do_with_python 2.0.0-p0 'gem list bundler' salt '*' pyenv.do_with_python 2.0.0-p0 'gem list bundler' deploy salt.modules.pyenv.install(runas=None, path=None) Install pyenv systemwide CLI Example: salt '*' pyenv.install salt.modules.pyenv.install_python(python, runas=None) Install a python implementation. python The version of python to install, should match one of the versions listed by pyenv.list CLI Example: salt '*' pyenv.install_python 2.0.0-p0 salt.modules.pyenv.is_installed(runas=None) Check if pyenv is installed. CLI Example: salt '*' pyenv.is_installed salt.modules.pyenv.list(runas=None) List the installable versions of python. CLI Example: salt '*' pyenv.list salt.modules.pyenv.rehash(runas=None) Run pyenv rehash to update the installed shims. CLI Example: salt '*' pyenv.rehash salt.modules.pyenv.uninstall_python(python, runas=None) Uninstall a python implementation. python The version of python to uninstall. Should match one of the versions listed by pyenv.versions CLI Example: salt '*' pyenv.uninstall_python 2.0.0-p0 salt.modules.pyenv.update(runas=None, path=None) Updates the current versions of pyenv and python-Build CLI Example: salt '*' pyenv.update salt.modules.pyenv.versions(runas=None) List the installed versions of python. CLI Example: salt '*' pyenv.versions salt.modules.qemu_img Qemu-img Command Wrapper The qemu img command is wrapped for specific functions depends qemu-img salt.modules.qemu_img.make_image(location, size, fmt) Create a blank virtual machine image file of the specified size in megabytes. The image can be created in any format supported by qemu CLI Example: salt '*' qemu_img.make_image /tmp/image.qcow 2048 qcow2 salt '*' qemu_img.make_image /tmp/image.raw 10240 raw salt.modules.qemu_nbd Qemu Command Wrapper The qemu system comes with powerful tools, such as qemu-img and qemu-nbd which are used here to build up kvm images. salt.modules.qemu_nbd.clear(mnt) Pass in the mnt dict returned from nbd_mount to unmount and disconnect the image from nbd. If all of the partitions are unmounted return an empty dict, otherwise return a dict containing the still mounted partitions CLI Example: salt '*' qemu_nbd.clear '{"/mnt/foo": "/dev/nbd0p1"}' salt.modules.qemu_nbd.connect(image) Activate nbd for an image file. CLI Example: salt '*' qemu_nbd.connect /tmp/image.raw salt.modules.qemu_nbd.init(image) Mount the named image via qemu-nbd and return the mounted roots CLI Example: salt '*' qemu_nbd.init /srv/image.qcow2 salt.modules.qemu_nbd.mount(nbd) Pass in the nbd connection device location, mount all partitions and return a dict of mount points CLI Example: salt '*' qemu_nbd.mount /dev/nbd0 salt.modules.quota Module for managing quotas on POSIX-like systems. salt.modules.quota.get_mode(device) Report whether the quota system for this device is on or off CLI Example: salt '*' quota.get_mode salt.modules.quota.off(device) Turns off the quota system CLI Example: salt '*' quota.off salt.modules.quota.on(device) Turns on the quota system CLI Example: salt '*' quota.on salt.modules.quota.report(mount) Report on quotas for a specific volume CLI Example: salt '*' quota.report /media/data salt.modules.quota.set(device, **kwargs) Calls out to setquota, for a specific user or group CLI Example: salt '*' quota.set /media/data user=larry block-soft-limit=1048576 salt '*' quota.set /media/data group=painters file-hard-limit=1000 salt.modules.quota.stats() Runs the quotastats command, and returns the parsed output CLI Example: salt '*' quota.stats salt.modules.quota.warn() Runs the warnquota command, to send warning emails to users who are over their quota limit. CLI Example: salt '*' quota.warn salt.modules.rabbitmq Module to provide RabbitMQ compatibility to Salt. Todo: A lot, need to add cluster support, logging, and minion configuration data. salt.modules.rabbitmq.add_user(name, password=None, runas=None) Add a rabbitMQ user via rabbitmqctl user_add <user> <password> CLI Example: salt '*' rabbitmq.add_user rabbit_user password salt.modules.rabbitmq.add_vhost(vhost, runas=None) Adds a vhost via rabbitmqctl add_vhost. CLI Example: salt '*' rabbitmq add_vhost '<vhost_name>' salt.modules.rabbitmq.change_password(name, password, runas=None) Changes a user's password. CLI Example: salt '*' rabbitmq.change_password rabbit_user password salt.modules.rabbitmq.clear_password(name, runas=None) Removes a user's password. CLI Example: salt '*' rabbitmq.clear_password rabbit_user salt.modules.rabbitmq.cluster_status(runas=None) return rabbitmq cluster_status CLI Example: salt '*' rabbitmq.cluster_status salt.modules.rabbitmq.delete_policy(vhost, name, runas=None) Delete a policy based on rabbitmqctl clear_policy. Reference: http://www.rabbitmq.com/ha.html CLI Example: salt '*' rabbitmq.delete_policy / HA' salt.modules.rabbitmq.delete_user(name, runas=None) Deletes a user via rabbitmqctl delete_user. CLI Example: salt '*' rabbitmq.delete_user rabbit_user salt.modules.rabbitmq.delete_vhost(vhost, runas=None) Deletes a vhost rabbitmqctl delete_vhost. CLI Example: salt '*' rabbitmq.delete_vhost '<vhost_name>' salt.modules.rabbitmq.disable_plugin(name, runas=None) Disable a RabbitMQ plugin via the rabbitmq-plugins command. CLI Example: salt '*' rabbitmq.disable_plugin foo salt.modules.rabbitmq.enable_plugin(name, runas=None) Enable a RabbitMQ plugin via the rabbitmq-plugins command. CLI Example: salt '*' rabbitmq.enable_plugin foo salt.modules.rabbitmq.force_reset(runas=None) Forcefully Return a RabbitMQ node to its virgin state CLI Example: salt '*' rabbitmq.force_reset salt.modules.rabbitmq.join_cluster(host, user='rabbit', ram_node=None, runas=None) Join a rabbit cluster CLI Example: salt '*' rabbitmq.join_cluster 'rabbit.example.com' 'rabbit' salt.modules.rabbitmq.list_permissions(vhost, runas=None) Lists permissions for vhost via rabbitmqctl list_permissions CLI Example: salt '*' rabbitmq.list_permissions '/myvhost' salt.modules.rabbitmq.list_policies(vhost='/', runas=None) Return a dictionary of policies nested by vhost and name based on the data returned from rabbitmqctl list_policies. Reference: http://www.rabbitmq.com/ha.html CLI Example: salt '*' rabbitmq.list_policies' salt.modules.rabbitmq.list_queues(runas=None, *kwargs) Returns queue details of the / virtual host CLI Example: salt '*' rabbitmq.list_queues messages consumers salt.modules.rabbitmq.list_queues_vhost(vhost, runas=None, *kwargs) Returns queue details of specified virtual host. This command will consider first parameter as the vhost name and rest will be treated as queueinfoitem. For getting details on vhost /, use list_queues instead). CLI Example: salt '*' rabbitmq.list_queues messages consumers salt.modules.rabbitmq.list_user_permissions(name, runas=None) List permissions for a user via rabbitmqctl list_user_permissions CLI Example: salt '*' rabbitmq.list_user_permissions 'user'. salt.modules.rabbitmq.list_users(runas=None) Return a list of users based off of rabbitmqctl user_list. CLI Example: salt '*' rabbitmq.list_users salt.modules.rabbitmq.list_vhosts(runas=None) Return a list of vhost based on rabbitmqctl list_vhosts. CLI Example: salt '*' rabbitmq.list_vhosts salt.modules.rabbitmq.plugin_is_enabled(name, runas=None) Return whether the plugin is enabled. CLI Example: salt '*' rabbitmq.plugin_is_enabled foo salt.modules.rabbitmq.policy_exists(vhost, name, runas=None) Return whether the policy exists based on rabbitmqctl list_policies. Reference: http://www.rabbitmq.com/ha.html CLI Example: salt '*' rabbitmq.policy_exists / HA salt.modules.rabbitmq.reset(runas=None) Return a RabbitMQ node to its virgin state CLI Example: salt '*' rabbitmq.reset salt.modules.rabbitmq.set_permissions(vhost, user, conf='.*', write='.*', read='.*', runas=None) Sets permissions for vhost via rabbitmqctl set_permissions CLI Example: salt '*' rabbitmq.set_permissions 'myvhost' 'myuser' salt.modules.rabbitmq.set_policy(vhost, name, pattern, definition, priority=None, runas=None) Set a policy based on rabbitmqctl set_policy. Reference: http://www.rabbitmq.com/ha.html CLI Example: salt '*' rabbitmq.set_policy / HA '.*' '{"ha-mode":"all"}' salt.modules.rabbitmq.set_user_tags(name, tags, runas=None) Add user tags via rabbitmqctl set_user_tags CLI Example: salt '*' rabbitmq.set_user_tags 'myadmin' 'administrator' salt.modules.rabbitmq.start_app(runas=None) Start the RabbitMQ application. CLI Example: salt '*' rabbitmq.start_app salt.modules.rabbitmq.status(runas=None) return rabbitmq status CLI Example: salt '*' rabbitmq.status salt.modules.rabbitmq.stop_app(runas=None) Stops the RabbitMQ application, leaving the Erlang node running. CLI Example: salt '*' rabbitmq.stop_app salt.modules.rabbitmq.user_exists(name, runas=None) Return whether the user exists based on rabbitmqctl list_users. CLI Example: salt '*' rabbitmq.user_exists rabbit_user salt.modules.rabbitmq.vhost_exists(name, runas=None) Return whether the vhost exists based on rabbitmqctl list_vhosts. CLI Example: salt '*' rabbitmq.vhost_exists rabbit_host salt.modules.raet_publish Publish a command from a minion to a target salt.modules.raet_publish.full_data(tgt, fun, arg=None, expr_form='glob', returner='', timeout=5) Return the full data about the publication, this is invoked in the same way as the publish function CLI Example: salt system.example.com publish.full_data '*' cmd.run 'ls -la /tmp' Attention If you need to pass a value to a function argument and that value contains an equal sign, you must include the argument name. For example: salt '*' publish.full_data test.kwarg arg='cheese=spam' salt.modules.raet_publish.publish(tgt, fun, arg=None, expr_form='glob', returner='', timeout=5) Publish a command from the minion out to other minions. Publications need to be enabled on the Salt master and the minion needs to have permission to publish the command. The Salt master will also prevent a recursive publication loop, this means that a minion cannot command another minion to command another minion as that would create an infinite command loop. The expr_form argument is used to pass a target other than a glob into the execution, the available options are: • glob • pcre • grain • grain_pcre • pillar • pillar_pcre • ipcidr • range • compound The arguments sent to the minion publish function are separated with commas. This means that for a minion executing a command with multiple args it will look like this: salt system.example.com publish.publish '*' user.add 'foo,1020,1020' salt system.example.com publish.publish 'os:Fedora' network.interfaces '' grain CLI Example: salt system.example.com publish.publish '*' cmd.run 'ls -la /tmp' Attention If you need to pass a value to a function argument and that value contains an equal sign, you must include the argument name. For example: salt '*' publish.publish test.kwarg arg='cheese=spam' salt.modules.raet_publish.runner(fun, arg=None, timeout=5) Execute a runner on the master and return the data from the runner function CLI Example: salt publish.runner manage.down salt.modules.rallydev Support for RallyDev New in version 2015.8.0. Requires a username and a password in /etc/salt/minion: salt.modules.rallydev.list_items(name) List items of a particular type CLI Examples: salt myminion rallydev.list_<item name>s salt myminion rallydev.list_users salt myminion rallydev.list_artifacts salt.modules.rallydev.list_users() List the users CLI Example: salt myminion rallydev.list_users salt.modules.rallydev.query_item(name, query_string, order='Rank') Query a type of record for one or more items. Requires a valid query string. See https://rally1.rallydev.com/slm/doc/webservice/introduction.jsp for information on query syntax. CLI Example: salt myminion rallydev.query_<item name> <query string> [<order>] salt myminion rallydev.query_task '(Name contains github)' salt myminion rallydev.query_task '(Name contains reactor)' Rank salt.modules.rallydev.query_user(query_string, order='UserName') Update a user CLI Example: salt myminion rallydev.query_user '(Name contains Jo)' salt.modules.rallydev.show_artifact(id_) Show an artifact CLI Example: salt myminion rallydev.show_artifact <artifact id> salt.modules.rallydev.show_item(name, id_) Show an item CLI Example: salt myminion rallydev.show_<item name> <item id> salt.modules.rallydev.show_user(id_) Show a user CLI Example: salt myminion rallydev.show_user <user id> salt.modules.rallydev.update_item(name, id_, field=None, value=None, postdata=None) Update an item. Either a field and a value, or a chunk of POST data, may be used, but not both. CLI Example: salt myminion rallydev.update_<item name> <item id> field=<field> value=<value> salt myminion rallydev.update_<item name> <item id> postdata=<post data> salt.modules.rallydev.update_user(id_, field, value) Update a user CLI Example: salt myminion rallydev.update_user <user id> <field> <new value> salt.modules.random_org Module for retrieving random information from Random.org New in version 2015.5.0. configuration This module can be used by either passing an api key and version directly or by specifying both in a configuration profile in the salt master/minion config. For example: random_org: api_key: 7be1402d-5719-5bd3-a306-3def9f135da5 api_version: 1 salt.modules.random_org.generateBlobs(api_key=None, api_version=None, **kwargs) List all Slack users. Parameters • api_key -- The Random.org api key. • api_version -- The Random.org api version. • format -- Specifies the format in which the blobs will be returned. Values allowed are base64 and hex. Returns The user list. CLI Example: salt '*' get_integers number=5 min=1 max=6 salt '*' get_integers number=5 min=1 max=6 salt.modules.random_org.generateDecimalFractions(api_key=None, api_version=None, **kwargs) Generates true random decimal fractions Parameters • api_key -- The Random.org api key. • api_version -- The Random.org api version. • number -- How many random decimal fractions you need. Must be within the [1,1e4] range. • decimalPlaces -- The number of decimal places to use. Must be within the [1,20] range. • replacement -- Specifies whether the random numbers should be picked with replacement. The default (true) will cause the numbers to be picked with replacement, i.e., the resulting numbers may contain duplicate values (like a series of dice rolls). If you want the numbers picked to be unique (like raffle tickets drawn from a container), set this value to false. Returns A list of decimal fraction CLI Example: salt '*' random_org.generateDecimalFractions number=10 decimalPlaces=4 salt '*' random_org.generateDecimalFractions number=10 decimalPlaces=4 replacement=True salt.modules.random_org.generateGaussians(api_key=None, api_version=None, **kwargs) This method generates true random numbers from a Gaussian distribution (also known as a normal distribution). Parameters • api_key -- The Random.org api key. • api_version -- The Random.org api version. • number -- How many random numbers you need. Must be within the [1,1e4] range. • mean -- The distribution's mean. Must be within the [-1e6,1e6] range. • standardDeviation -- The distribution's standard deviation. Must be within the [-1e6,1e6] range. • significantDigits -- The number of significant digits to use. Must be within the [2,20] range. Returns The user list. CLI Example: salt '*' random_org.generateGaussians number=10 mean=0.0 standardDeviation=1.0 significantDigits=8 salt.modules.random_org.generateIntegers(api_key=None, api_version=None, **kwargs) Generate random integers Parameters • api_key -- The Random.org api key. • api_version -- The Random.org api version. • number -- The number of integers to generate • minimum -- The lower boundary for the range from which the random numbers will be picked. Must be within the [-1e9,1e9] range. • maximum -- The upper boundary for the range from which the random numbers will be picked. Must be within the [-1e9,1e9] range. • replacement -- Specifies whether the random numbers should be picked with replacement. The default (true) will cause the numbers to be picked with replacement, i.e., the resulting numbers may contain duplicate values (like a series of dice rolls). If you want the numbers picked to be unique (like raffle tickets drawn from a container), set this value to false. • base -- Specifies the base that will be used to display the numbers. Values allowed are 2, 8, 10 and 16. This affects the JSON types and formatting of the resulting data as discussed below. Returns A list of integers. CLI Example: salt '*' random_org.generateIntegers number=5 minimum=1 maximum=6 salt '*' random_org.generateIntegers number=5 minimum=2 maximum=255 base=2 salt.modules.random_org.generateStrings(api_key=None, api_version=None, **kwargs) Generate random strings. Parameters • api_key -- The Random.org api key. • api_version -- The Random.org api version. • number -- The number of strings to generate. • length -- The length of each string. Must be within the [1,20] range. All strings will be of the same length • characters -- A string that contains the set of characters that are allowed to occur in the random strings. The maximum number of characters is 80. • replacement -- Specifies whether the random strings should be picked with replacement. The default (true) will cause the strings to be picked with replacement, i.e., the resulting list of strings may contain duplicates (like a series of dice rolls). If you want the strings to be unique (like raffle tickets drawn from a container), set this value to false. Returns A list of strings. CLI Example: salt '*' random_org.generateStrings number=5 length=8 characters='abcdefghijklmnopqrstuvwxyz' salt '*' random_org.generateStrings number=10 length=16 characters'abcdefghijklmnopqrstuvwxyz' salt.modules.random_org.generateUUIDs(api_key=None, api_version=None, **kwargs) Generate a list of random UUIDs Parameters • api_key -- The Random.org api key. • api_version -- The Random.org api version. • number -- How many random UUIDs you need. Must be within the [1,1e3] range. Returns A list of UUIDs CLI Example: salt '*' random_org.generateUUIDs number=5 salt.modules.random_org.getUsage(api_key=None, api_version=None) Show current usages statistics Parameters • api_key -- The Random.org api key. • api_version -- The Random.org api version. Returns The current usage statistics. CLI Example: salt '*' random_org.getUsage salt '*' random_org.getUsage api_key=peWcBiMOS9HrZG15peWcBiMOS9HrZG15 api_version=1 salt.modules.rbenv Manage ruby installations with rbenv. Rbenv is supported on Linux and Mac OS X. Rbenv doesn't work on Windows (and isn't really necessary on Windows as there is no system Ruby on Windows). On Windows, the RubyInstaller and/or Pik are both good alternatives to work with multiple versions of Ruby on the same box. http://misheska.com/blog/2013/06/15/using-rbenv-to-manage-multiple-versions-of-ruby/ New in version 0.16.0. salt.modules.rbenv.default(ruby=None, runas=None) Returns or sets the currently defined default ruby. ruby=None The version to set as the default. Should match one of the versions listed by rbenv.versions. Leave blank to return the current default. CLI Example: salt '*' rbenv.default salt '*' rbenv.default 2.0.0-p0 salt.modules.rbenv.do(cmdline=None, runas=None, env=None) Execute a ruby command with rbenv's shims from the user or the system. CLI Example: salt '*' rbenv.do 'gem list bundler' salt '*' rbenv.do 'gem list bundler' deploy salt.modules.rbenv.do_with_ruby(ruby, cmdline, runas=None) Execute a ruby command with rbenv's shims using a specific ruby version. CLI Example: salt '*' rbenv.do_with_ruby 2.0.0-p0 'gem list bundler' salt '*' rbenv.do_with_ruby 2.0.0-p0 'gem list bundler' deploy salt.modules.rbenv.install(runas=None, path=None) Install Rbenv systemwide CLI Example: salt '*' rbenv.install salt.modules.rbenv.install_ruby(ruby, runas=None) Install a ruby implementation. ruby The version of Ruby to install, should match one of the versions listed by rbenv.list Additional environment variables can be configured in pillar / grains / master: rbenv: build_env: 'CONFIGURE_OPTS="--no-tcmalloc" CFLAGS="-fno-tree-dce"' CLI Example: salt '*' rbenv.install_ruby 2.0.0-p0 salt.modules.rbenv.is_installed(runas=None) Check if Rbenv is installed. CLI Example: salt '*' rbenv.is_installed salt.modules.rbenv.list(runas=None) List the installable versions of ruby. CLI Example: salt '*' rbenv.list salt.modules.rbenv.rehash(runas=None) Run rbenv rehash to update the installed shims. CLI Example: salt '*' rbenv.rehash salt.modules.rbenv.uninstall_ruby(ruby, runas=None) Uninstall a ruby implementation. ruby The version of ruby to uninstall. Should match one of the versions listed by rbenv.versions CLI Example: salt '*' rbenv.uninstall_ruby 2.0.0-p0 salt.modules.rbenv.update(runas=None, path=None) Updates the current versions of Rbenv and Ruby-Build CLI Example: salt '*' rbenv.update salt.modules.rbenv.versions(runas=None) List the installed versions of ruby. CLI Example: salt '*' rbenv.versions salt.modules.rdp Manage RDP Service on Windows servers salt.modules.rdp.disable() Disable RDP the service on the server CLI Example: salt '*' rdp.disable salt.modules.rdp.enable() Enable RDP the service on the server CLI Example: salt '*' rdp.enable salt.modules.rdp.status() Show if rdp is enabled on the server CLI Example: salt '*' rdp.status salt.modules.redis Module to provide redis functionality to Salt New in version 2014.7.0. configuration This module requires the redis python module and uses the following defaults which may be overridden in the minion configuration: redis.host: 'localhost' redis.port: 6379 redis.db: 0 redis.password: None salt.modules.redismod.bgrewriteaof(host=None, port=None, db=None, password=None) Asynchronously rewrite the append-only file CLI Example: salt '*' redis.bgrewriteaof salt.modules.redismod.bgsave(host=None, port=None, db=None, password=None) Asynchronously save the dataset to disk CLI Example: salt '*' redis.bgsave salt.modules.redismod.config_get(pattern='*', host=None, port=None, db=None, password=None) Get redis server configuration values CLI Example: salt '*' redis.config_get salt '*' redis.config_get port salt.modules.redismod.config_set(name, value, host=None, port=None, db=None, password=None) Set redis server configuration values CLI Example: salt '*' redis.config_set masterauth luv_kittens salt.modules.redismod.dbsize(host=None, port=None, db=None, password=None) Return the number of keys in the selected database CLI Example: salt '*' redis.dbsize salt.modules.redismod.delete(*keys, **connection_args) Deletes the keys from redis, returns number of keys deleted CLI Example: salt '*' redis.delete foo salt.modules.redismod.exists(key, host=None, port=None, db=None, password=None) Return true if the key exists in redis CLI Example: salt '*' redis.exists foo salt.modules.redismod.expire(key, seconds, host=None, port=None, db=None, password=None) Set a keys time to live in seconds CLI Example: salt '*' redis.expire foo 300 salt.modules.redismod.expireat(key, timestamp, host=None, port=None, db=None, password=None) Set a keys expire at given UNIX time CLI Example: salt '*' redis.expireat foo 1400000000 salt.modules.redismod.flushall(host=None, port=None, db=None, password=None) Remove all keys from all databases CLI Example: salt '*' redis.flushall salt.modules.redismod.flushdb(host=None, port=None, db=None, password=None) Remove all keys from the selected database CLI Example: salt '*' redis.flushdb salt.modules.redismod.get_key(key, host=None, port=None, db=None, password=None) Get redis key value CLI Example: salt '*' redis.get_key foo salt.modules.redismod.hget(key, field, host=None, port=None, db=None, password=None) Get specific field value from a redis hash, returns dict CLI Example: salt '*' redis.hget foo_hash bar_field salt.modules.redismod.hgetall(key, host=None, port=None, db=None, password=None) Get all fields and values from a redis hash, returns dict CLI Example: salt '*' redis.hgetall foo_hash salt.modules.redismod.info(host=None, port=None, db=None, password=None) Get information and statistics about the server CLI Example: salt '*' redis.info salt.modules.redismod.key_type(key, host=None, port=None, db=None, password=None) Get redis key type CLI Example: salt '*' redis.type foo salt.modules.redismod.keys(pattern='*', host=None, port=None, db=None, password=None) Get redis keys, supports glob style patterns CLI Example: salt '*' redis.keys salt '*' redis.keys test* salt.modules.redismod.lastsave(host=None, port=None, db=None, password=None) Get the UNIX time in seconds of the last successful save to disk CLI Example: salt '*' redis.lastsave salt.modules.redismod.llen(key, host=None, port=None, db=None, password=None) Get the length of a list in Redis CLI Example: salt '*' redis.llen foo_list salt.modules.redismod.lrange(key, start, stop, host=None, port=None, db=None, password=None) Get a range of values from a list in Redis CLI Example: salt '*' redis.lrange foo_list 0 10 salt.modules.redismod.ping(host=None, port=None, db=None, password=None) Ping the server, returns False on connection errors CLI Example: salt '*' redis.ping salt.modules.redismod.save(host=None, port=None, db=None, password=None) Synchronously save the dataset to disk CLI Example: salt '*' redis.save salt.modules.redismod.set_key(key, value, host=None, port=None, db=None, password=None) Set redis key value CLI Example: salt '*' redis.set_key foo bar salt.modules.redismod.shutdown(host=None, port=None, db=None, password=None) Synchronously save the dataset to disk and then shut down the server CLI Example: salt '*' redis.shutdown salt.modules.redismod.slaveof(master_host=None, master_port=None, host=None, port=None, db=None, password=None) Make the server a slave of another instance, or promote it as master CLI Example: # Become slave of redis-n01.example.com:6379 salt '*' redis.slaveof redis-n01.example.com 6379 salt '*' redis.slaveof redis-n01.example.com # Become master salt '*' redis.slaveof salt.modules.redismod.smembers(key, host=None, port=None, db=None, password=None) Get members in a Redis set CLI Example: salt '*' redis.smembers foo_set salt.modules.redismod.time(host=None, port=None, db=None, password=None) Return the current server UNIX time in seconds CLI Example: salt '*' redis.time salt.modules.redismod.zcard(key, host=None, port=None, db=None, password=None) Get the length of a sorted set in Redis CLI Example: salt '*' redis.zcard foo_sorted salt.modules.redismod.zrange(key, start, stop, host=None, port=None, db=None, password=None) Get a range of values from a sorted set in Redis by index CLI Example: salt '*' redis.zrange foo_sorted 0 10 salt.modules.reg Manage the Windows registry The read_key and set_key functions will be updated in Boron to reflect proper registry usage. The registry has three main components. Hives, Keys, and Values. Hives Hives are the main sections of the registry and all begin with the word HKEY. - HKEY_LOCAL_MACHINE - HKEY_CURRENT_USER - HKEY_USER Keys Keys are the folders in the registry. Keys can have many nested subkeys. Keys can have a value assigned to them under the (Default) Values or Entries Values/Entries are name/data pairs. There can be many values in a key. The (Default) value corresponds to the Key, the rest are their own value pairs. depends • winreg Python module class salt.modules.reg.Registry Delay '_winreg' usage until this module is used salt.modules.reg.broadcast_change() Refresh the windows environment. :return: salt.modules.reg.create_key(hkey, path, key=None, value=None, reflection=True, use_32bit_registry=False) IMPORTANT: The name of this function is misleading and will be changed to reflect proper usage in the Boron release of Salt. The path option will be removed and the key will be the actual key. See the following issue: https://github.com/saltstack/salt/issues/25618 In order to not break existing state files this function will call the set_value function if key is passed. Key will be passed as the value name. If key is not passed, this function will return the default value for the key. In the Boron release path will be removed and key will be the path. You will not pass value. Create a registry key CLI Example: salt '*' reg.create_key HKEY_CURRENT_USER 'SOFTWARE\Salt' 'version' '0.97' salt.modules.reg.delete_key(hkey, path, key=None, reflection=True, force=False, use_32bit_registry=False) IMPORTANT: The name of this function is misleading and will be changed to reflect proper usage in the Boron release of Salt. The path option will be removed and the key will be the actual key. See the following issue: https://github.com/saltstack/salt/issues/25618 In order to not break existing state files this function will call the delete_value function if a key is passed. Key will be passed as the value name. If key is not passed, this function will return the default value for the key. In the Boron release path will be removed and key will be the path. reflection will also be removed. Delete a registry key CLI Example: salt '*' reg.delete_key HKEY_CURRENT_USER 'SOFTWARE\Salt' Parameters hkey (str) -- (will be changed to hive) The name of the hive. Can be one of the following • HKEY_LOCAL_MACHINE or HKLM • HKEY_CURRENT_USER or HKCU • HKEY_USER or HKU Parameters path (str) -- (will be changed to key) The key (looks like a path) to remove. Parameters • key (str) -- (used incorrectly) Will be removed in Boron • reflection (bool) -- A boolean value indicating that the value should also be removed from the Wow6432Node portion of the registry. Only applies to 64 bit Windows. This setting is ignored for 32 bit Windows. Only applies to delete value. If the key parameter is passed, this function calls delete_value instead. Will be changed in Boron. Parameters force (bool) -- A boolean value indicating that all subkeys should be removed as well. If this is set to False (default) and there are subkeys, the delete_key function will fail. Returns Returns True if successful, False if not. If force=True, the results of delete_key_recursive are returned. :rtype: bool salt.modules.reg.delete_key_recursive(hive, key, use_32bit_registry=False) New in version 2015.5.4. Delete a registry key to include all subkeys. Parameters hive -- The name of the hive. Can be one of the following • HKEY_LOCAL_MACHINE or HKLM • HKEY_CURRENT_USER or HKCU • HKEY_USER or HKU Parameters key -- The key to remove (looks like a path) Returns A dictionary listing the keys that deleted successfully as well as those that failed to delete. :rtype: dict The following example will remove salt and all its subkeys from the SOFTWARE key in HKEY_LOCAL_MACHINE: CLI Example: salt '*' reg.delete_key_recursive HKLM SOFTWARE\salt salt.modules.reg.delete_value(hive, key, vname=None, reflection=True, use_32bit_registry=False) Delete a registry value entry or the default value for a key. Parameters hive (str) -- The name of the hive. Can be one of the following • HKEY_LOCAL_MACHINE or HKLM • HKEY_CURRENT_USER or HKCU • HKEY_USER or HKU Parameters • key (str) -- The key (looks like a path) to the value name. • vname (str) -- The value name. These are the individual name/data pairs under the key. If not passed, the key (Default) value will be deleted. Parameters reflection (bool) -- A boolean value indicating that the value should also be set in the Wow6432Node portion of the registry. Only applies to 64 bit Windows. This setting is ignored for 32 bit Windows. Deprecated since version 2015.8.2: Use use_32bit_registry instead. The parameter seems to have no effect since Windows 7 / Windows 2008R2 removed support for reflection. The parameter will be removed in Boron. Returns Returns True if successful, False if not Return type bool CLI Example: salt '*' reg.delete_value HKEY_CURRENT_USER 'SOFTWARE\Salt' 'version' salt.modules.reg.read_key(hkey, path, key=None, use_32bit_registry=False) IMPORTANT: The name of this function is misleading and will be changed to reflect proper usage in the Boron release of Salt. The path option will be removed and the key will be the actual key. See the following issue: https://github.com/saltstack/salt/issues/25618 In order to not break existing state files this function will call the read_value function if a key is passed. Key will be passed as the value name. If key is not passed, this function will return the default value for the key. In the Boron release this function will be removed in favor of read_value. Read registry key value Returns the first unnamed value (Default) as a string. Returns none if first unnamed value is empty. Returns False if key not found. CLI Example: salt '*' reg.read_key HKEY_LOCAL_MACHINE 'SOFTWARE\Salt' 'version' salt.modules.reg.read_value(hive, key, vname=None, use_32bit_registry=False) Reads a registry value entry or the default value for a key. Parameters hive (str) -- The name of the hive. Can be one of the following • HKEY_LOCAL_MACHINE or HKLM • HKEY_CURRENT_USER or HKCU • HKEY_USER or HKU Parameters • key (str) -- The key (looks like a path) to the value name. • vname (str) -- The value name. These are the individual name/data pairs under the key. If not passed, the key (Default) value will be returned Parameters use_32bit_registry (bool) -- Accesses the 32bit portion of the registry on 64 bit installations. On 32bit machines this is ignored. Returns A dictionary containing the passed settings as well as the value_data if successful. If unsuccessful, sets success to False If vname is not passed: • Returns the first unnamed value (Default) as a string. • Returns none if first unnamed value is empty. • Returns False if key not found. Return type dict CLI Example: salt '*' reg.read_value HKEY_LOCAL_MACHINE 'SOFTWARE\Salt' 'version' salt.modules.reg.set_key(hkey, path, value, key=None, vtype='REG_DWORD', reflection=True, use_32bit_registry=False) IMPORTANT: The name of this function is misleading and will be changed to reflect proper usage in the Boron release of Salt. The path option will be removed and the key will be the actual key. See the following issue: https://github.com/saltstack/salt/issues/25618 In order to not break existing state files this function will call the set_value function if a key is passed. Key will be passed as the value name. If key is not passed, this function will return the default value for the key. In the Boron release this function will be removed in favor of set_value. Set a registry key vtype: http://docs.python.org/2/library/_winreg.html#value-types CLI Example: salt '*' reg.set_key HKEY_CURRENT_USER 'SOFTWARE\Salt' 'version' '0.97' REG_DWORD salt.modules.reg.set_value(hive, key, vname=None, vdata=None, vtype='REG_SZ', reflection=True, use_32bit_registry=False) Sets a registry value entry or the default value for a key. Parameters hive (str) -- The name of the hive. Can be one of the following • HKEY_LOCAL_MACHINE or HKLM • HKEY_CURRENT_USER or HKCU • HKEY_USER or HKU Parameters • key (str) -- The key (looks like a path) to the value name. • vname (str) -- The value name. These are the individual name/data pairs under the key. If not passed, the key (Default) value will be set. Parameters • vdata (str) -- The value data to be set. • vtype (str) -- The value type. Can be one of the following: • REG_BINARY • REG_DWORD • REG_EXPAND_SZ • REG_MULTI_SZ • REG_SZ Parameters reflection (bool) -- A boolean value indicating that the value should also be set in the Wow6432Node portion of the registry. Only applies to 64 bit Windows. This setting is ignored for 32 bit Windows. Deprecated since version 2015.8.2: Use use_32bit_registry instead. The parameter seems to have no effect since Windows 7 / Windows 2008R2 removed support for reflection. The parameter will be removed in Boron. Returns Returns True if successful, False if not Return type bool CLI Example: salt '*' reg.set_value HKEY_LOCAL_MACHINE 'SOFTWARE\Salt' 'version' '2015.5.2' salt.modules.rest_package Package support for the REST example salt.modules.rest_package.install(name=None, refresh=False, fromrepo=None, pkgs=None, sources=None, **kwargs) salt.modules.rest_package.installed(name, version=None, refresh=False, fromrepo=None, skip_verify=False, pkgs=None, sources=None, **kwargs) salt.modules.rest_package.list_pkgs(versions_as_list=False, **kwargs) salt.modules.rest_package.remove(name=None, pkgs=None, **kwargs) salt.modules.rest_package.upgrade(refresh=True, skip_verify=True, **kwargs) salt.modules.rest_package.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.rest_service Provide the service module for the proxy-minion REST sample salt.modules.rest_service.enabled(name, sig=None) Only the 'redbull' service is 'enabled' in the test New in version 2015.8.1. salt.modules.rest_service.get_all() Return a list of all available services New in version 2015.8.0. CLI Example: salt '*' service.get_all salt.modules.rest_service.list() Return a list of all available services. CLI Example: salt '*' service.list salt.modules.rest_service.restart(name, sig=None) Restart the specified service with rest_sample New in version 2015.8.0. CLI Example: salt '*' service.restart <service name> salt.modules.rest_service.running(name, sig=None) Return whether this service is running. New in version 2015.8.0. salt.modules.rest_service.start(name, sig=None) Start the specified service on the rest_sample New in version 2015.8.0. CLI Example: salt '*' service.start <service name> salt.modules.rest_service.status(name, sig=None) Return the status for a service via rest_sample, returns a bool whether the service is running. New in version 2015.8.0. CLI Example: salt '*' service.status <service name> salt.modules.rest_service.stop(name, sig=None) Stop the specified service on the rest_sample New in version 2015.8.0. CLI Example: salt '*' service.stop <service name> salt.modules.ret Module to integrate with the returner system and retrieve data sent to a salt returner salt.modules.ret.get_fun(returner, fun) Return info about last time fun was called on each minion CLI Example: salt '*' ret.get_fun mysql network.interfaces salt.modules.ret.get_jid(returner, jid) Return the information for a specified job id CLI Example: salt '*' ret.get_jid redis 20421104181954700505 salt.modules.ret.get_jids(returner) Return a list of all job ids CLI Example: salt '*' ret.get_jids mysql salt.modules.ret.get_minions(returner) Return a list of all minions CLI Example: salt '*' ret.get_minions mysql salt.modules.rh_ip The networking module for RHEL/Fedora based distros salt.modules.rh_ip.apply_network_settings(**settings) Apply global network configuration. CLI Example: salt '*' ip.apply_network_settings salt.modules.rh_ip.build_bond(iface, **settings) Create a bond script in /etc/modprobe.d with the passed settings and load the bonding kernel module. CLI Example: salt '*' ip.build_bond bond0 mode=balance-alb salt.modules.rh_ip.build_interface(iface, iface_type, enabled, **settings) Build an interface script for a network interface. CLI Example: salt '*' ip.build_interface eth0 eth <settings> salt.modules.rh_ip.build_network_settings(**settings) Build the global network script. CLI Example: salt '*' ip.build_network_settings <settings> salt.modules.rh_ip.build_routes(iface, **settings) Build a route script for a network interface. CLI Example: salt '*' ip.build_routes eth0 <settings> salt.modules.rh_ip.down(iface, iface_type) Shutdown a network interface CLI Example: salt '*' ip.down eth0 salt.modules.rh_ip.get_bond(iface) Return the content of a bond script CLI Example: salt '*' ip.get_bond bond0 salt.modules.rh_ip.get_interface(iface) Return the contents of an interface script CLI Example: salt '*' ip.get_interface eth0 salt.modules.rh_ip.get_network_settings() Return the contents of the global network script. CLI Example: salt '*' ip.get_network_settings salt.modules.rh_ip.get_routes(iface) Return the contents of the interface routes script. CLI Example: salt '*' ip.get_routes eth0 salt.modules.rh_ip.up(iface, iface_type) Start up a network interface CLI Example: salt '*' ip.up eth0 salt.modules.rh_service Service support for RHEL-based systems, including support for both upstart and sysvinit salt.modules.rh_service.available(name, limit='') Return True if the named service is available. Use the limit param to restrict results to services of that type. CLI Examples: salt '*' service.available sshd salt '*' service.available sshd limit=upstart salt '*' service.available sshd limit=sysvinit salt.modules.rh_service.disable(name, **kwargs) Disable the named service to start at boot CLI Example: salt '*' service.disable <service name> salt.modules.rh_service.disabled(name) Check to see if the named service is disabled to start on boot CLI Example: salt '*' service.disabled <service name> salt.modules.rh_service.enable(name, **kwargs) Enable the named service to start at boot CLI Example: salt '*' service.enable <service name> salt.modules.rh_service.enabled(name, **kwargs) Check to see if the named service is enabled to start on boot CLI Example: salt '*' service.enabled <service name> salt.modules.rh_service.get_all(limit='') Return all installed services. Use the limit param to restrict results to services of that type. CLI Example: salt '*' service.get_all salt '*' service.get_all limit=upstart salt '*' service.get_all limit=sysvinit salt.modules.rh_service.get_disabled(limit='') Return the disabled services. Use the limit param to restrict results to services of that type. CLI Example: salt '*' service.get_disabled salt '*' service.get_disabled limit=upstart salt '*' service.get_disabled limit=sysvinit salt.modules.rh_service.get_enabled(limit='') Return the enabled services. Use the limit param to restrict results to services of that type. CLI Examples: salt '*' service.get_enabled salt '*' service.get_enabled limit=upstart salt '*' service.get_enabled limit=sysvinit salt.modules.rh_service.missing(name, limit='') The inverse of service.available. Return True if the named service is not available. Use the limit param to restrict results to services of that type. CLI Examples: salt '*' service.missing sshd salt '*' service.missing sshd limit=upstart salt '*' service.missing sshd limit=sysvinit salt.modules.rh_service.reload(name) Reload the named service CLI Example: salt '*' service.reload <service name> salt.modules.rh_service.restart(name) Restart the named service CLI Example: salt '*' service.restart <service name> salt.modules.rh_service.start(name) Start the specified service CLI Example: salt '*' service.start <service name> salt.modules.rh_service.status(name, sig=None) Return the status for a service, returns a bool whether the service is running. CLI Example: salt '*' service.status <service name> salt.modules.rh_service.stop(name) Stop the specified service CLI Example: salt '*' service.stop <service name> salt.modules.riak Riak Salt Module salt.modules.riak.cluster_commit() Commit Cluster Changes Changed in version 2015.8.0. CLI Example: salt '*' riak.cluster_commit salt.modules.riak.cluster_join(username, hostname) Join a Riak cluster Changed in version 2015.8.0. CLI Example: salt '*' riak.cluster_join <user> <host> username - The riak username to join the cluster hostname - The riak hostname you are connecting to salt.modules.riak.cluster_leave(username, hostname) Leave a Riak cluster New in version 2015.8.0. CLI Example: salt '*' riak.cluster_leave <username> <host> username - The riak username to join the cluster hostname - The riak hostname you are connecting to salt.modules.riak.cluster_plan() Review Cluster Plan Changed in version 2015.8.0. CLI Example: salt '*' riak.cluster_plan salt.modules.riak.member_status() Get cluster member status Changed in version 2015.8.0. CLI Example: salt '*' riak.member_status salt.modules.riak.services() List available services on a node New in version 2015.8.0. CLI Example: salt '*' riak.services salt.modules.riak.start() Start Riak CLI Example: salt '*' riak.start salt.modules.riak.status() Current node status New in version 2015.8.0. CLI Example: salt '*' riak.status salt.modules.riak.stop() Stop Riak Changed in version 2015.8.0. CLI Example: salt '*' riak.stop salt.modules.riak.test() Runs a test of a few standard Riak operations New in version 2015.8.0. CLI Example: salt '*' riak.test salt.modules.rpm Support for rpm salt.modules.rpm.bin_pkg_info(path, saltenv='base') New in version 2015.8.0. Parses RPM metadata and returns a dictionary of information about the package (name, version, etc.). path Path to the file. Can either be an absolute path to a file on the minion, or a salt fileserver URL (e.g. salt://path/to/file.rpm). If a salt fileserver URL is passed, the file will be cached to the minion so that it can be examined. saltenv base Salt fileserver envrionment from which to retrieve the package. Ignored if path is a local file path on the minion. CLI Example: salt '*' lowpkg.bin_pkg_info /root/salt-2015.5.1-2.el7.noarch.rpm salt '*' lowpkg.bin_pkg_info salt://salt-2015.5.1-2.el7.noarch.rpm salt.modules.rpm.diff(package, path) Return a formatted diff between current file and original in a package. NOTE: this function includes all files (configuration and not), but does not work on binary content. Parameters • package -- The name of the package • path -- Full path to the installed file Returns Difference or empty string. For binary files only a notification. CLI example: salt '*' lowpkg.diff apache2 /etc/apache2/httpd.conf salt.modules.rpm.file_dict(*packages) List the files that belong to a package, sorted by group. Not specifying any packages will return a list of _every_ file on the system's rpm database (not generally recommended). CLI Examples: salt '*' lowpkg.file_dict httpd salt '*' lowpkg.file_dict httpd postfix salt '*' lowpkg.file_dict salt.modules.rpm.file_list(*packages) List the files that belong to a package. Not specifying any packages will return a list of _every_ file on the system's rpm database (not generally recommended). CLI Examples: salt '*' lowpkg.file_list httpd salt '*' lowpkg.file_list httpd postfix salt '*' lowpkg.file_list salt.modules.rpm.info(*packages, **attr) Return a detailed package(s) summary information. If no packages specified, all packages will be returned. Parameters • packages -- • attr -- Comma-separated package attributes. If no 'attr' is specified, all available attributes returned. Valid attributes are: version, vendor, release, build_date, build_date_time_t, install_date, install_date_time_t, build_host, group, source_rpm, arch, epoch, size, license, signature, packager, url, summary, description. Returns CLI example: salt '*' lowpkg.info apache2 bash salt '*' lowpkg.info apache2 bash attr=version salt '*' lowpkg.info apache2 bash attr=version,build_date_iso,size salt.modules.rpm.list_pkgs(*packages) List the packages currently installed in a dict: {'<package_name>': '<version>'} CLI Example: salt '*' lowpkg.list_pkgs salt.modules.rpm.modified(*packages, **flags) List the modified files that belong to a package. Not specifying any packages will return a list of _all_ modified files on the system's RPM database. New in version 2015.5.0. CLI examples: salt '*' lowpkg.modified httpd salt '*' lowpkg.modified httpd postfix salt '*' lowpkg.modified salt.modules.rpm.owner(*paths) Return the name of the package that owns the file. Multiple file paths can be passed. If a single path is passed, a string will be returned, and if multiple paths are passed, a dictionary of file/package name pairs will be returned. If the file is not owned by a package, or is not present on the minion, then an empty string will be returned for that path. CLI Examples: salt '*' lowpkg.owner /usr/bin/apachectl salt '*' lowpkg.owner /usr/bin/apachectl /etc/httpd/conf/httpd.conf salt.modules.rpm.verify(*package, **kwargs) Runs an rpm -Va on a system, and returns the results in a dict Files with an attribute of config, doc, ghost, license or readme in the package header can be ignored using the ignore_types keyword argument CLI Example: salt '*' lowpkg.verify salt '*' lowpkg.verify httpd salt '*' lowpkg.verify 'httpd postfix' salt '*' lowpkg.verify 'httpd postfix' ignore_types=['config','doc'] salt.modules.rpmbuild RPM Package builder system New in version 2015.8.0. This system allows for all of the components to build rpms safely in chrooted environments. This also provides a function to generate yum repositories This module impliments the pkgbuild interface salt.modules.rpmbuild.build(runas, tgt, dest_dir, spec, sources, deps, env, template, saltenv='base', log_dir='/var/log/salt/pkgbuild') Given the package destination directory, the spec file source and package sources, use mock to safely build the rpm defined in the spec file CLI Example: salt '*' pkgbuild.build mock epel-7-x86_64 /var/www/html https://raw.githubusercontent.com/saltstack/libnacl/master/pkg/rpm/python-libnacl.spec https://pypi.python.org/packages/source/l/libnacl/libnacl-1.3.5.tar.gz This example command should build the libnacl package for rhel 7 using user mock and place it in /var/www/html/ on the minion salt.modules.rpmbuild.make_repo(repodir, keyid=None, env=None) Given the repodir, create a yum repository out of the rpms therein CLI Example: salt '*' pkgbuild.make_repo /var/www/html/ salt.modules.rpmbuild.make_src_pkg(dest_dir, spec, sources, env=None, template=None, saltenv='base') Create a source rpm from the given spec file and sources CLI Example: salt '*' pkgbuild.make_src_pkg /var/www/html/ https://raw.githubusercontent.com/saltstack/libnacl/master/pkg/rpm/python-libnacl.spec https://pypi.python.org/packages/source/l/libnacl/libnacl-1.3.5.tar.gz This example command should build the libnacl SOURCE package and place it in /var/www/html/ on the minion salt.modules.rsync Wrapper for rsync New in version 2014.1.0. This data can also be passed into pillar. Options passed into opts will overwrite options passed into pillar. salt.modules.rsync.config(confile='/etc/rsyncd.conf') Return rsync config CLI Example: salt '*' rsync.config salt.modules.rsync.rsync(src, dst, delete=False, force=False, update=False, passwordfile=None, exclude=None, excludefrom=None) Rsync files from src to dst CLI Example: salt '*' rsync.rsync {src} {dst} {delete=True} {update=True} {passwordfile=/etc/pass.crt} {exclude=xx} salt '*' rsync.rsync {src} {dst} {delete=True} {excludefrom=/xx.ini} salt.modules.rsync.version() Return rsync version CLI Example: salt '*' rsync.version salt.modules.runit runit service module This module is compatible with the service states, so it can be used to maintain services using the provider argument: myservice: service: - running - provider: runit Note that the enabled argument is not available with this provider. salt.modules.runit.available(name) Returns True if the specified service is available, otherwise returns False. CLI Example: salt '*' runit.available foo salt.modules.runit.full_restart(name) Calls runit.restart() function CLI Example: salt '*' runit.full_restart <service name> salt.modules.runit.get_all() Return a list of all available services CLI Example: salt '*' runit.get_all salt.modules.runit.missing(name) The inverse of runit.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' runit.missing foo salt.modules.runit.reload(name) Send a HUP to service via runit CLI Example: salt '*' runit.reload <service name> salt.modules.runit.restart(name) Restart service via runit. This will stop/start service CLI Example: salt '*' runit.restart <service name> salt.modules.runit.start(name) Starts service via runit CLI Example: salt '*' runit.start <service name> salt.modules.runit.status(name, sig=None) Return the status for a service via runit, return pid if running CLI Example: salt '*' runit.status <service name> salt.modules.runit.stop(name) Stops service via runit CLI Example: salt '*' runit.stop <service name> salt.modules.runit.term(name) Send a TERM to service via runit CLI Example: salt '*' runit.term <service name> salt.modules.rvm Manage ruby installations and gemsets with RVM, the Ruby Version Manager. salt.modules.rvm.do(ruby, command, runas=None, cwd=None) Execute a command in an RVM controlled environment. ruby: The ruby to use. command: The command to execute. runas None The user to run rvm as. cwd None The current working directory. CLI Example: salt '*' rvm.do 2.0.0 <command> salt.modules.rvm.gemset_copy(source, destination, runas=None) Copy all gems from one gemset to another. source The name of the gemset to copy, complete with ruby version. destination The destination gemset. runas None The user to run rvm as. CLI Example: salt '*' rvm.gemset_copy foobar bazquo salt.modules.rvm.gemset_create(ruby, gemset, runas=None) Creates a gemset. ruby The ruby version to create the gemset for. gemset The name of the gemset to create. runas None The user to run rvm as. CLI Example: salt '*' rvm.gemset_create 2.0.0 foobar salt.modules.rvm.gemset_delete(ruby, gemset, runas=None) Deletes a gemset. ruby The ruby version the gemset belongs to. gemset The gemset to delete. runas None The user to run rvm as. CLI Example: salt '*' rvm.gemset_delete 2.0.0 foobar salt.modules.rvm.gemset_empty(ruby, gemset, runas=None) Remove all gems from a gemset. ruby The ruby version the gemset belongs to. gemset The gemset to empty. runas None The user to run rvm as. CLI Example: salt '*' rvm.gemset_empty 2.0.0 foobar salt.modules.rvm.gemset_list(ruby='default', runas=None) List all gemsets for the given ruby. ruby default The ruby version to list the gemsets for runas None The user to run rvm as. CLI Example: salt '*' rvm.gemset_list salt.modules.rvm.gemset_list_all(runas=None) List all gemsets for all installed rubies. Note that you must have set a default ruby before this can work. runas None The user to run rvm as. CLI Example: salt '*' rvm.gemset_list_all salt.modules.rvm.get(version='stable', runas=None) Update RVM. version stable Which version of RVM to install, e.g. stable or head. ruby The version of ruby to reinstall. CLI Example: salt '*' rvm.get salt.modules.rvm.install(runas=None) Install RVM system wide. CLI Example: salt '*' rvm.install salt.modules.rvm.install_ruby(ruby, runas=None) Install a ruby implementation. ruby The version of ruby to install. runas None The user to run rvm as. CLI Example: salt '*' rvm.install_ruby 1.9.3-p385 salt.modules.rvm.is_installed(runas=None) Check if RVM is installed. CLI Example: salt '*' rvm.is_installed salt.modules.rvm.list(runas=None) List all rvm installed rubies. runas None The user to run rvm as. CLI Example: salt '*' rvm.list salt.modules.rvm.reinstall_ruby(ruby, runas=None) Reinstall a ruby implementation. ruby The version of ruby to reinstall. runas None The user to run rvm as. CLI Example: salt '*' rvm.reinstall_ruby 1.9.3-p385 salt.modules.rvm.rubygems(ruby, version, runas=None) Installs a specific rubygems version in the given ruby. ruby The ruby to install rubygems for. version The version of rubygems to install or 'remove' to use the version that ships with 1.9 runas None The user to run rvm as. CLI Example: salt '*' rvm.rubygems 2.0.0 1.8.24 salt.modules.rvm.set_default(ruby, runas=None) Set the default ruby. ruby The version of ruby to make the default. runas None The user to run rvm as. CLI Example: salt '*' rvm.set_default 2.0.0 salt.modules.rvm.wrapper(ruby_string, wrapper_prefix, runas=None, *binaries) Install RVM wrapper scripts. ruby_string Ruby/gemset to install wrappers for. wrapper_prefix What to prepend to the name of the generated wrapper binaries. runas None The user to run rvm as. binaries None The names of the binaries to create wrappers for. When nothing is given, wrappers for ruby, gem, rake, irb, rdoc, ri and testrb are generated. CLI Example: salt '*' rvm.wrapper <ruby_string> <wrapper_prefix> salt.modules.s3 Connection module for Amazon S3 configuration This module accepts explicit s3 credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: s3.keyid: GKTADJGHEIQSXMKKRBJ08H s3.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A service_url may also be specified in the configuration: s3.service_url: s3.amazonaws.com A role_arn may also be specified in the configuration: s3.role_arn: arn:aws:iam::111111111111:role/my-role-to-assume If a service_url is not specified, the default is s3.amazonaws.com. This may appear in various documentation as an "endpoint". A comprehensive list for Amazon S3 may be found at: http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region The service_url will form the basis for the final endpoint that is used to query the service. SSL verification may also be turned off in the configuration: s3.verify_ssl: False This is required if using S3 bucket names that contain a period, as these will not match Amazon's S3 wildcard certificates. Certificate verification is enabled by default. AWS region may be specified in the configuration: s3.location: eu-central-1 Default is us-east-1. This module should be usable to query other S3-like services, such as Eucalyptus. depends requests salt.modules.s3.delete(bucket, path=None, action=None, key=None, keyid=None, service_url=None, verify_ssl=None, location=None, role_arn=None) Delete a bucket, or delete an object from a bucket. CLI Example to delete a bucket: salt myminion s3.delete mybucket CLI Example to delete an object from a bucket: salt myminion s3.delete mybucket remoteobject salt.modules.s3.get(bucket=None, path=None, return_bin=False, action=None, local_file=None, key=None, keyid=None, service_url=None, verify_ssl=None, location=None, role_arn=None) List the contents of a bucket, or return an object from a bucket. Set return_bin to True in order to retrieve an object wholesale. Otherwise, Salt will attempt to parse an XML response. CLI Example to list buckets: salt myminion s3.get CLI Example to list the contents of a bucket: salt myminion s3.get mybucket CLI Example to return the binary contents of an object: salt myminion s3.get mybucket myfile.png return_bin=True CLI Example to save the binary contents of an object to a local file: salt myminion s3.get mybucket myfile.png local_file=/tmp/myfile.png It is also possible to perform an action on a bucket. Currently, S3 supports the following actions: acl cors lifecycle policy location logging notification tagging versions requestPayment versioning website To perform an action on a bucket: salt myminion s3.get mybucket myfile.png action=acl salt.modules.s3.head(bucket, path=None, key=None, keyid=None, service_url=None, verify_ssl=None, location=None, role_arn=None) Return the metadata for a bucket, or an object in a bucket. CLI Examples: salt myminion s3.head mybucket salt myminion s3.head mybucket myfile.png salt.modules.s3.put(bucket, path=None, return_bin=False, action=None, local_file=None, key=None, keyid=None, service_url=None, verify_ssl=None, location=None, role_arn=None) Create a new bucket, or upload an object to a bucket. CLI Example to create a bucket: salt myminion s3.put mybucket CLI Example to upload an object to a bucket: salt myminion s3.put mybucket remotepath local_file=/path/to/file salt.modules.saltcloudmod Control a salt cloud system salt.modules.saltcloudmod.create(name, profile) Create the named vm CLI Example: salt <minion-id> saltcloud.create webserver rackspace_centos_512 salt.modules.saltutil The Saltutil module is used to manage the state of the salt minion itself. It is used to manage minion modules as well as automate updates to the salt minion. depends • esky Python module for update functionality salt.modules.saltutil.clear_cache() Forcibly removes all caches on a minion. New in version 2014.7.0. WARNING: The safest way to clear a minion cache is by first stopping the minion and then deleting the cache files before restarting it. CLI Example: salt '*' saltutil.clear_cache salt.modules.saltutil.cmd(tgt, fun, arg=(), timeout=None, expr_form='glob', ret='', kwarg=None, ssh=False, **kwargs) Assuming this minion is a master, execute a salt command CLI Example: salt '*' saltutil.cmd salt.modules.saltutil.cmd_iter(tgt, fun, arg=(), timeout=None, expr_form='glob', ret='', kwarg=None, ssh=False, **kwargs) Assuming this minion is a master, execute a salt command CLI Example: salt '*' saltutil.cmd_iter salt.modules.saltutil.find_cached_job(jid) Return the data for a specific cached job id CLI Example: salt '*' saltutil.find_cached_job <job id> salt.modules.saltutil.find_job(jid) Return the data for a specific job id CLI Example: salt '*' saltutil.find_job <job id> salt.modules.saltutil.is_running(fun) If the named function is running return the data associated with it/them. The argument can be a glob CLI Example: salt '*' saltutil.is_running state.highstate salt.modules.saltutil.kill_job(jid) Sends a kill signal (SIGKILL 9) to the named salt job's process CLI Example: salt '*' saltutil.kill_job <job id> salt.modules.saltutil.mmodule(saltenv, fun, *args, **kwargs) Loads minion modules from an environment so that they can be used in pillars for that environment CLI Example: salt '*' saltutil.mmodule base test.ping salt.modules.saltutil.refresh_beacons() Signal the minion to refresh the beacons. CLI Example: salt '*' saltutil.refresh_beacons salt.modules.saltutil.refresh_modules(async=True) Signal the minion to refresh the module and grain data The default is to refresh module asynchronously. To block until the module refresh is complete, set the 'async' flag to False. CLI Example: salt '*' saltutil.refresh_modules salt.modules.saltutil.refresh_pillar() Signal the minion to refresh the pillar data. CLI Example: salt '*' saltutil.refresh_pillar salt.modules.saltutil.regen_keys() Used to regenerate the minion keys. CLI Example: salt '*' saltutil.regen_keys salt.modules.saltutil.revoke_auth(preserve_minion_cache=False) The minion sends a request to the master to revoke its own key. Note that the minion session will be revoked and the minion may not be able to return the result of this command back to the master. If the 'preserve_minion_cache' flag is set to True, the master cache for this minion will not be removed. CLI Example: salt '*' saltutil.revoke_auth salt.modules.saltutil.runner(_fun, **kwargs) Execute a runner module (this function must be run on the master) New in version 2014.7.0. name The name of the function to run kwargs Any keyword arguments to pass to the runner function CLI Example: salt '*' saltutil.runner jobs.list_jobs salt.modules.saltutil.running() Return the data on all running salt processes on the minion CLI Example: salt '*' saltutil.running salt.modules.saltutil.signal_job(jid, sig) Sends a signal to the named salt job's process CLI Example: salt '*' saltutil.signal_job <job id> 15 salt.modules.saltutil.sync_all(saltenv=None, refresh=True) Sync down all of the dynamic modules from the file server for a specific environment. This function synchronizes custom modules, states, beacons, grains, returners, output modules, renderers, and utils. refresh True Also refresh the execution modules available to the minion. IMPORTANT: If this function is executed using a module.run state, the SLS file will not have access to newly synced execution modules unless a refresh argument is added to the state, like so: load_my_custom_module: module.run: - name: saltutil.sync_all - refresh: True See here for a more detailed explanation of why this is necessary. CLI Example: salt '*' saltutil.sync_all salt.modules.saltutil.sync_beacons(saltenv=None, refresh=True) Sync the beacons from the _beacons directory on the salt master file server. This function is environment aware, pass the desired environment to grab the contents of the _beacons directory, base is the default environment. New in version 2015.5.1. CLI Example: salt '*' saltutil.sync_beacons salt.modules.saltutil.sync_grains(saltenv=None, refresh=True) Sync the grains from the _grains directory on the salt master file server. This function is environment aware, pass the desired environment to grab the contents of the _grains directory, base is the default environment. CLI Example: salt '*' saltutil.sync_grains salt.modules.saltutil.sync_log_handlers(saltenv=None, refresh=True) New in version 2015.8.0. Sync utility source files from the _log_handlers directory on the salt master file server. This function is environment aware, pass the desired environment to grab the contents of the _log_handlers directory, base is the default environment. CLI Example: salt '*' saltutil.sync_log_handlers salt.modules.saltutil.sync_modules(saltenv=None, refresh=True) Sync the modules from the _modules directory on the salt master file server. This function is environment aware, pass the desired environment to grab the contents of the _modules directory, base is the default environment. IMPORTANT: If this function is executed using a module.run state, the SLS file will not have access to newly synced execution modules unless a refresh argument is added to the state, like so: load_my_custom_module: module.run: - name: saltutil.sync_modules - refresh: True See here for a more detailed explanation of why this is necessary. New in version 2015.5.1. CLI Example: salt '*' saltutil.sync_modules salt.modules.saltutil.sync_output(saltenv=None, refresh=True) Sync the output modules from the _output directory on the salt master file server. This function is environment aware. Pass the desired environment to grab the contents of the _output directory. Base is the default environment. CLI Example: salt '*' saltutil.sync_output salt.modules.saltutil.sync_outputters(saltenv=None, refresh=True) This function is an alias of sync_output. Sync the output modules from the _output directory on the salt master file server. This function is environment aware. Pass the desired environment to grab the contents of the _output directory. Base is the default environment. CLI Example: salt '*' saltutil.sync_output salt.modules.saltutil.sync_proxymodules(saltenv=None, refresh=False) Sync the proxy modules from the _proxy directory on the salt master file server. This function is environment aware, pass the desired environment to grab the contents of the _returners directory, base is the default environment. CLI Example: salt '*' saltutil.sync_proxymodules salt.modules.saltutil.sync_renderers(saltenv=None, refresh=True) Sync the renderers from the _renderers directory on the salt master file server. This function is environment aware, pass the desired environment to grab the contents of the _renderers directory, base is the default environment. CLI Example: salt '*' saltutil.sync_renderers salt.modules.saltutil.sync_returners(saltenv=None, refresh=True) Sync the returners from the _returners directory on the salt master file server. This function is environment aware, pass the desired environment to grab the contents of the _returners directory, base is the default environment. CLI Example: salt '*' saltutil.sync_returners salt.modules.saltutil.sync_sdb(saltenv=None, refresh=False) Sync sdb modules from the _sdb directory on the salt master file server. This function is environment aware, pass the desired environment to grab the contents of the _sdb directory, base is the default environment. New in version 2015.5.7. CLI Example: salt '*' saltutil.sync_sdb salt.modules.saltutil.sync_states(saltenv=None, refresh=True) Sync the states from the _states directory on the salt master file server. This function is environment aware, pass the desired environment to grab the contents of the _states directory, base is the default environment. CLI Example: salt '*' saltutil.sync_states salt.modules.saltutil.sync_utils(saltenv=None, refresh=True) Sync utility source files from the _utils directory on the salt master file server. This function is environment aware, pass the desired environment to grab the contents of the _utils directory, base is the default environment. CLI Example: salt '*' saltutil.sync_utils salt.modules.saltutil.term_job(jid) Sends a termination signal (SIGTERM 15) to the named salt job's process CLI Example: salt '*' saltutil.term_job <job id> salt.modules.saltutil.update(version=None) Update the salt minion from the URL defined in opts['update_url'] SaltStack, Inc provides the latest builds here: update_url: https://repo.saltstack.com/windows/ Be aware that as of 2014-8-11 there's a bug in esky such that only the latest version available in the update_url can be downloaded and installed. This feature requires the minion to be running a bdist_esky build. The version number is optional and will default to the most recent version available at opts['update_url']. Returns details about the transaction upon completion. CLI Example: salt '*' saltutil.update salt '*' saltutil.update 0.10.3 salt.modules.saltutil.wheel(_fun, **kwargs) Execute a wheel module (this function must be run on the master) New in version 2014.7.0. name The name of the function to run kwargs Any keyword arguments to pass to the wheel function CLI Example: salt '*' saltutil.wheel key.accept match=jerry salt.modules.schedule Module for managing the Salt schedule on a minion New in version 2014.7.0. salt.modules.schedule.add(name, **kwargs) Add a job to the schedule CLI Example: salt '*' schedule.add job1 function='test.ping' seconds=3600 # If function have some arguments, use job_args salt '*' schedule.add job2 function='cmd.run' job_args="['date >> /tmp/date.log']" seconds=60 salt.modules.schedule.build_schedule_item(name, **kwargs) Build a schedule job CLI Example: salt '*' schedule.build_schedule_item job1 function='test.ping' seconds=3600 salt.modules.schedule.copy(name, target, **kwargs) Copy scheduled job to another minion or minions. CLI Example: salt '*' schedule.copy jobname target salt.modules.schedule.delete(name, **kwargs) Delete a job from the minion's schedule CLI Example: salt '*' schedule.delete job1 salt.modules.schedule.disable(**kwargs) Disable all scheduled jobs on the minion CLI Example: salt '*' schedule.disable salt.modules.schedule.disable_job(name, **kwargs) Disable a job in the minion's schedule CLI Example: salt '*' schedule.disable_job job1 salt.modules.schedule.enable(**kwargs) Enable all scheduled jobs on the minion CLI Example: salt '*' schedule.enable salt.modules.schedule.enable_job(name, **kwargs) Enable a job in the minion's schedule CLI Example: salt '*' schedule.enable_job job1 salt.modules.schedule.is_enabled(name) List a Job only if its enabled New in version 2015.5.3. CLI Example: salt '*' schedule.is_enabled name=job_name salt.modules.schedule.list(show_all=False, where=None, return_yaml=True) List the jobs currently scheduled on the minion CLI Example: salt '*' schedule.list salt '*' schedule.list show_all=True salt.modules.schedule.modify(name, **kwargs) Modify an existing job in the schedule CLI Example: salt '*' schedule.modify job1 function='test.ping' seconds=3600 salt.modules.schedule.move(name, target, **kwargs) Move scheduled job to another minion or minions. CLI Example: salt '*' schedule.move jobname target salt.modules.schedule.purge(**kwargs) Purge all the jobs currently scheduled on the minion CLI Example: salt '*' schedule.purge salt.modules.schedule.reload() Reload saved scheduled jobs on the minion CLI Example: salt '*' schedule.reload salt.modules.schedule.run_job(name, force=False) Run a scheduled job on the minion immediately CLI Example: salt '*' schedule.run_job job1 salt '*' schedule.run_job job1 force=True Force the job to run even if it is disabled. salt.modules.schedule.save(**kwargs) Save all scheduled jobs on the minion CLI Example: salt '*' schedule.save salt.modules.scsi SCSI administration module salt.modules.scsi.ls(get_size=True) List SCSI devices, with details CLI Examples: salt '*' scsi.ls salt '*' scsi.ls get_size=False get_size True Get the size information for scsi devices. This option should be set to False for older OS distributions (RHEL6 and older) due to lack of support for the '-s' option in lsscsi. New in version 2015.5.10. salt.modules.scsi.rescan_all(host) List scsi devices CLI Example: salt '*' scsi.rescan_all(0) salt.modules.sdb Module for Manipulating Data via the Salt DB API salt.modules.sdb.get(uri) Get a value from a db, using a uri in the form of sdb://<profile>/<key>. If the uri provided does not start with sdb://, then it will be returned as-is. CLI Example: salt '*' sdb.get sdb://mymemcached/foo salt.modules.sdb.set(uri, value) Set a value in a db, using a uri in the form of sdb://<profile>/<key>. If the uri provided does not start with sdb:// or the value is not successfully set, return False. CLI Example: salt '*' sdb.set sdb://mymemcached/foo bar salt.modules.seed Virtual machine image management tools salt.modules.seed.apply(path, id_=None, config=None, approve_key=True, install=True, prep_install=False, pub_key=None, priv_key=None) Seed a location (disk image, directory, or block device) with the minion config, approve the minion's key, and/or install salt-minion. CLI Example: salt 'minion' seed.apply path id [config=config_data] \ [gen_key=(true|false)] [approve_key=(true|false)] \ [install=(true|false)] path Full path to the directory, device, or disk image on the target minion's file system. id Minion id with which to seed the path. config Minion configuration options. By default, the 'master' option is set to the target host's 'master'. approve_key Request a pre-approval of the generated minion key. Requires that the salt-master be configured to either auto-accept all keys or expect a signing request from the target host. Default: true. install Install salt-minion, if absent. Default: true. prep_install Prepare the bootstrap script, but don't run it. Default: false salt.modules.seed.mkconfig(config=None, tmp=None, id_=None, approve_key=True, pub_key=None, priv_key=None) Generate keys and config and put them in a tmp directory. pub_key absolute path or file content of an optional preseeded salt key priv_key absolute path or file content of an optional preseeded salt key CLI Example: salt 'minion' seed.mkconfig [config=config_data] [tmp=tmp_dir] \ [id_=minion_id] [approve_key=(true|false)] salt.modules.seed.prep_bootstrap(mpt) Update and get the random script to a random place CLI Example: salt '*' seed.prep_bootstrap /tmp salt.modules.selinux Execute calls on selinux NOTE: This module requires the semanage and setsebool commands to be available on the minion. On RHEL-based distributions, ensure that the policycoreutils-python package is installed. On Fedora 23 and up, ensure that the policycoreutils-python-utils package is installed. If not on a Fedora or RHEL-based distribution, consult the selinux documentation for your distro to ensure that the proper packages are installed. salt.modules.selinux.getenforce() Return the mode selinux is running in CLI Example: salt '*' selinux.getenforce salt.modules.selinux.getsebool(boolean) Return the information on a specific selinux boolean CLI Example: salt '*' selinux.getsebool virt_use_usb salt.modules.selinux.list_sebool() Return a structure listing all of the selinux booleans on the system and what state they are in CLI Example: salt '*' selinux.list_sebool salt.modules.selinux.selinux_fs_path(*args) Return the location of the SELinux VFS directory CLI Example: salt '*' selinux.selinux_fs_path salt.modules.selinux.setenforce(mode) Set the SELinux enforcing mode CLI Example: salt '*' selinux.setenforce enforcing salt.modules.selinux.setsebool(boolean, value, persist=False) Set the value for a boolean CLI Example: salt '*' selinux.setsebool virt_use_usb off salt.modules.selinux.setsebools(pairs, persist=False) Set the value of multiple booleans CLI Example: salt '*' selinux.setsebools '{virt_use_usb: on, squid_use_tproxy: off}' salt.modules.sensors Read lm-sensors New in version 2014.1.3. salt.modules.sensors.sense(chip, fahrenheit=False) Gather lm-sensors data from a given chip To determine the chip to query, use the 'sensors' command and see the leading line in the block. Example: /usr/bin/sensors coretemp-isa-0000 Adapter: ISA adapter Physical id 0: +56.0°C (high = +87.0°C, crit = +105.0°C) Core 0: +52.0°C (high = +87.0°C, crit = +105.0°C) Core 1: +50.0°C (high = +87.0°C, crit = +105.0°C) Core 2: +56.0°C (high = +87.0°C, crit = +105.0°C) Core 3: +53.0°C (high = +87.0°C, crit = +105.0°C) Given the above, the chip is 'coretemp-isa-0000'. salt.modules.serverdensity_device Wrapper around Server Density API New in version 2014.7.0. salt.modules.serverdensity_device.create(name, **params) Function to create device in Server Density. For more info, see the API docs. CLI Example: salt '*' serverdensity_device.create lama salt '*' serverdensity_device.create rich_lama group=lama_band installedRAM=32768 salt.modules.serverdensity_device.delete(device_id) Delete a device from Server Density. For more information, see the API docs. CLI Example: salt '*' serverdensity_device.delete 51f7eafcdba4bb235e000ae4 salt.modules.serverdensity_device.get_sd_auth(val, sd_auth_pillar_name='serverdensity') Returns requested Server Density authentication value from pillar. CLI Example: salt '*' serverdensity_device.get_sd_auth <val> salt.modules.serverdensity_device.install_agent(agent_key) Function downloads Server Density installation agent, and installs sd-agent with agent_key. CLI Example: salt '*' serverdensity_device.install_agent c2bbdd6689ff46282bdaa07555641498 salt.modules.serverdensity_device.ls(**params) List devices in Server Density Results will be filtered by any params passed to this function. For more information, see the API docs on listing and searching. CLI Example: salt '*' serverdensity_device.ls salt '*' serverdensity_device.ls name=lama salt '*' serverdensity_device.ls name=lama group=lama_band installedRAM=32768 salt.modules.serverdensity_device.update(device_id, **params) Updates device information in Server Density. For more information see the API docs. CLI Example: salt '*' serverdensity_device.update 51f7eafcdba4bb235e000ae4 name=lama group=lama_band salt '*' serverdensity_device.update 51f7eafcdba4bb235e000ae4 name=better_lama group=rock_lamas swapSpace=512 salt.modules.service The default service module, if not otherwise specified salt will fall back to this basic module salt.modules.service.available(name) Returns True if the specified service is available, otherwise returns False. CLI Example: salt '*' service.available sshd salt.modules.service.get_all() Return a list of all available services CLI Example: salt '*' service.get_all salt.modules.service.missing(name) The inverse of service.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' service.missing sshd salt.modules.service.reload(name) Refreshes config files by calling service reload. Does not perform a full restart. CLI Example: salt '*' service.reload <service name> salt.modules.service.restart(name) Restart the specified service CLI Example: salt '*' service.restart <service name> salt.modules.service.start(name) Start the specified service CLI Example: salt '*' service.start <service name> salt.modules.service.status(name, sig=None) Return the status for a service, returns the PID or an empty string if the service is running or not, pass a signature to use to find the service via ps CLI Example: salt '*' service.status <service name> [service signature] salt.modules.service.stop(name) Stop the specified service CLI Example: salt '*' service.stop <service name> salt.modules.shadow Manage the shadow file salt.modules.shadow.default_hash() Returns the default hash used for unset passwords CLI Example: salt '*' shadow.default_hash salt.modules.shadow.del_password(name) New in version 2014.7.0. Delete the password from name user CLI Example: salt '*' shadow.del_password username salt.modules.shadow.gen_password(password, crypt_salt=None, algorithm='sha512') New in version 2014.7.0. Generate hashed password NOTE: When called this function is called directly via remote-execution, the password argument may be displayed in the system's process list. This may be a security risk on certain systems. password Plaintext password to be hashed. crypt_salt Crpytographic salt. If not given, a random 8-character salt will be generated. algorithm The following hash algorithms are supported: • md5 • blowfish (not in mainline glibc, only available in distros that add it) • sha256 • sha512 (default) CLI Example: salt '*' shadow.gen_password 'I_am_password' salt '*' shadow.gen_password 'I_am_password' crypt_salt='I_am_salt' algorithm=sha256 salt.modules.shadow.info(name) Return information for the specified user CLI Example: salt '*' shadow.info root salt.modules.shadow.set_date(name, date) Sets the value for the date the password was last changed to days since the epoch (January 1, 1970). See man chage. CLI Example: salt '*' shadow.set_date username 0 salt.modules.shadow.set_expire(name, expire) Changed in version 2014.7.0. Sets the value for the date the account expires as days since the epoch (January 1, 1970). Using a value of -1 will clear expiration. See man chage. CLI Example: salt '*' shadow.set_expire username -1 salt.modules.shadow.set_inactdays(name, inactdays) Set the number of days of inactivity after a password has expired before the account is locked. See man chage. CLI Example: salt '*' shadow.set_inactdays username 7 salt.modules.shadow.set_maxdays(name, maxdays) Set the maximum number of days during which a password is valid. See man chage. CLI Example: salt '*' shadow.set_maxdays username 90 salt.modules.shadow.set_mindays(name, mindays) Set the minimum number of days between password changes. See man chage. CLI Example: salt '*' shadow.set_mindays username 7 salt.modules.shadow.set_password(name, password, use_usermod=False) Set the password for a named user. The password must be a properly defined hash. The password hash can be generated with this command: python -c "import crypt; print crypt.crypt('password', '\$6\$SALTsalt')" SALTsalt is the 8-character crpytographic salt. Valid characters in the salt are ., /, and any alphanumeric character. Keep in mind that the $6 represents a sha512 hash, if your OS is using a different hashing algorithm this needs to be changed accordingly CLI Example: salt '*' shadow.set_password root '$1$UYCIxa628.9qXjpQCjM4a..' salt.modules.shadow.set_warndays(name, warndays) Set the number of days of warning before a password change is required. See man chage. CLI Example: salt '*' shadow.set_warndays username 7 salt.modules.slack_notify Module for sending messages to Slack New in version 2015.5.0. configuration This module can be used by either passing an api key and version directly or by specifying both in a configuration profile in the salt master/minion config. For example: slack: api_key: peWcBiMOS9HrZG15peWcBiMOS9HrZG15 salt.modules.slack_notify.find_room(name, api_key=None) Find a room by name and return it. Parameters • name -- The room name. • api_key -- The Slack admin api key. Returns The room object. CLI Example: salt '*' slack.find_room name="random" salt '*' slack.find_room name="random" api_key=peWcBiMOS9HrZG15peWcBiMOS9HrZG15 salt.modules.slack_notify.find_user(name, api_key=None) Find a user by name and return it. Parameters • name -- The user name. • api_key -- The Slack admin api key. Returns The user object. CLI Example: salt '*' slack.find_user name="ThomasHatch" salt '*' slack.find_user name="ThomasHatch" api_key=peWcBiMOS9HrZG15peWcBiMOS9HrZG15 salt.modules.slack_notify.list_rooms(api_key=None) List all Slack rooms. Parameters api_key -- The Slack admin api key. Returns The room list. CLI Example: salt '*' slack.list_rooms salt '*' slack.list_rooms api_key=peWcBiMOS9HrZG15peWcBiMOS9HrZG15 salt.modules.slack_notify.list_users(api_key=None) List all Slack users. Parameters api_key -- The Slack admin api key. Returns The user list. CLI Example: salt '*' slack.list_users salt '*' slack.list_users api_key=peWcBiMOS9HrZG15peWcBiMOS9HrZG15 salt.modules.slack_notify.post_message(channel, message, from_name, api_key=None) Send a message to a Slack channel. Parameters • channel -- The channel name, either will work. • message -- The message to send to the Slack channel. • from_name -- Specify who the message is from. • api_key -- The Slack api key, if not specified in the configuration. Returns Boolean if message was sent successfully. CLI Example: salt '*' slack.post_message channel="Development Room" message="Build is done" from_name="Build Server" salt.modules.slsutil Utility functions for use with or in SLS files salt.modules.smartos_imgadm Module for running imgadm command on SmartOS salt.modules.smartos_imgadm.avail(search=None, verbose=False) Return a list of available images search string Specifies search keyword verbose boolean (False) Specifies verbose output CLI Example: salt '*' imgadm.avail [percona] salt '*' imgadm.avail verbose=True salt.modules.smartos_imgadm.delete(uuid=None) Remove an installed image uuid string Specifies uuid to import CLI Example: salt '*' imgadm.delete e42f8c84-bbea-11e2-b920-078fab2aab1f salt.modules.smartos_imgadm.get(uuid=None) Return info on an installed image CLI Example: salt '*' imgadm.get e42f8c84-bbea-11e2-b920-078fab2aab1f salt.modules.smartos_imgadm.import(uuid=None, verbose=False) Import an image from the repository uuid string Specifies uuid to import verbose boolean (False) Specifies verbose output CLI Example: salt '*' imgadm.import e42f8c84-bbea-11e2-b920-078fab2aab1f [verbose=True] salt.modules.smartos_imgadm.list(verbose=False) Return a list of installed images verbose boolean (False) Specifies verbose output CLI Example: salt '*' imgadm.list [verbose=True] salt.modules.smartos_imgadm.show(uuid=None) Show manifest of a given image CLI Example: salt '*' imgadm.show e42f8c84-bbea-11e2-b920-078fab2aab1f salt.modules.smartos_imgadm.update(uuid='') Gather info on unknown image(s) (locally installed) uuid string Specifies uuid of image CLI Example: salt '*' imgadm.update [uuid] salt.modules.smartos_imgadm.vacuum(verbose=False) Remove unused images verbose boolean (False) Specifies verbose output CLI Example: salt '*' imgadm.vacuum [verbose=True] salt.modules.smartos_imgadm.version() Return imgadm version CLI Example: salt '*' imgadm.version salt.modules.smartos_virt Module for managing VMs on SmartOS salt.modules.smartos_virt.create(domain) Deprecated since version Boron: Use start() instead. Start a defined domain CLI Example: salt '*' virt.create <domain> salt.modules.smartos_virt.destroy(domain) Deprecated since version Boron: Use stop() instead. Power off a defined domain CLI Example: salt '*' virt.destroy <domain> salt.modules.smartos_virt.get_macs(uuid) Return a list off MAC addresses from the named VM CLI Example: salt '*' virt.get_macs <uuid> salt.modules.smartos_virt.init(**kwargs) Initialize a new VM CLI Example: salt '*' virt.init image_uuid='...' alias='...' [...] salt.modules.smartos_virt.list_active_vms() Return a list of uuids for active virtual machine on the minion CLI Example: salt '*' virt.list_active_vms salt.modules.smartos_virt.list_domains() Return a list of virtual machine names on the minion CLI Example: salt '*' virt.list_domains salt.modules.smartos_virt.list_inactive_vms() Return a list of uuids for inactive virtual machine on the minion CLI Example: salt '*' virt.list_inactive_vms salt.modules.smartos_virt.list_vms() Deprecated since version Boron: Use list_domains() instead. List all virtual machines. CLI Example: salt '*' virt.list_vms <domain> salt.modules.smartos_virt.reboot(uuid) Reboot a domain via ACPI request CLI Example: salt '*' virt.reboot <uuid> salt.modules.smartos_virt.setmem(uuid, memory) Change the amount of memory allocated to VM. <memory> is to be specified in MB. Note for KVM : this would require a restart of the VM. CLI Example: salt '*' virt.setmem <uuid> 512 salt.modules.smartos_virt.shutdown(uuid) Send a soft shutdown signal to the named vm CLI Example: salt '*' virt.shutdown <uuid> salt.modules.smartos_virt.start(uuid) Start a defined domain CLI Example: salt '*' virt.start <uuid> salt.modules.smartos_virt.stop(uuid) Hard power down the virtual machine, this is equivalent to powering off the hardware. CLI Example: salt '*' virt.destroy <uuid> salt.modules.smartos_virt.vm_info(uuid) Return a dict with information about the specified VM on this CN CLI Example: salt '*' virt.vm_info <uuid> salt.modules.smartos_virt.vm_virt_type(uuid) Return VM virtualization type : OS or KVM CLI Example: salt '*' virt.vm_virt_type <uuid> salt.modules.smartos_vmadm Module for running vmadm command on SmartOS salt.modules.smartos_vmadm.create(**kwargs) Create a new vm from_file string Specifies the json file to create the vm from. Note: when this is present all other options will be ignored. • : string|int|... Specifies options to set for the vm. Example: image_uuid=UUID, will specify the image_uuid for the vm to be created. nics='[{"nic_tag": "admin", "ip": "198.51.100.123", "netmask": "255.255.255.0"}]', adds 1 nic over the admin tag CLI Example: salt '*' vmadm.create from_file=/tmp/new_vm.json salt '*' vmadm.create image_uuid='...' alias='...' nics='[{ "nic_tag": "admin", "ip": "198.51.100.123", ...}, {...}]' [...] salt.modules.smartos_vmadm.create_snapshot(vm=None, name=None, key='uuid') Create snapshot of a vm vm string Specifies the vm name string Name of snapshot. The snapname must be 64 characters or less and must only contain alphanumeric characters and characters in the set [-_.:%] to comply with ZFS restrictions. key string Specifies what 'vm' is. Value = uuid|alias|hostname CLI Example: salt '*' vmadm.create_snapshot 186da9ab-7392-4f55-91a5-b8f1fe770543 baseline salt '*' vmadm.create_snapshot nacl baseline key=alias salt.modules.smartos_vmadm.delete(vm=None, key='uuid') Delete a vm vm string Specifies the vm key string Specifies what 'vm' is. Value = uuid|alias|hostname CLI Example: salt '*' vmadm.delete 186da9ab-7392-4f55-91a5-b8f1fe770543 salt '*' vmadm.delete nacl key=alias salt.modules.smartos_vmadm.delete_snapshot(vm=None, name=None, key='uuid') Delete snapshot of a vm vm string Specifies the vm name string Name of snapshot. The snapname must be 64 characters or less and must only contain alphanumeric characters and characters in the set [-_.:%] to comply with ZFS restrictions. key string Specifies what 'vm' is. Value = uuid|alias|hostname CLI Example: salt '*' vmadm.delete_snapshot 186da9ab-7392-4f55-91a5-b8f1fe770543 baseline salt '*' vmadm.delete_snapshot nacl baseline key=alias salt.modules.smartos_vmadm.get(vm=None, key='uuid') Output the JSON object describing a VM vm string Specifies the vm key string Specifies what 'vm' is. Value = uuid|alias|hostname CLI Example: salt '*' vmadm.get 186da9ab-7392-4f55-91a5-b8f1fe770543 salt '*' vmadm.get nacl key=alias salt.modules.smartos_vmadm.info(vm=None, info_type='all', key='uuid') Lookup info on running kvm vm string Specifies the vm info_type string Specifies what info to return. Value = all|block|blockstats|chardev|cpus|kvm|pci|spice|version|vnc key string Specifies what 'vm' is. Value = uuid|alias|hostname CLI Example: salt '*' vmadm.info 186da9ab-7392-4f55-91a5-b8f1fe770543 salt '*' vmadm.info 186da9ab-7392-4f55-91a5-b8f1fe770543 vnc salt '*' vmadm.info nacl key=alias salt '*' vmadm.info nacl vnc key=alias salt.modules.smartos_vmadm.list(search=None, sort=None, order='uuid, type, ram, state, alias', keyed=False) Return a list of VMs search string Specifies the vmadm filter property sort string Specifies the vmadm sort (-s) property order string Specifies the vmadm order (-o) property Default: uuid,type,ram,state,alias keyed boolean.INDENT 7.0 Specified if the output should be an array (False) or dict (True) Dict key is first field from order parameter Note: if key is not unique last vm wins. CLI Example: salt '*' vmadm.list salt '*' vmadm.list order=alias,ram,cpu_cap sort=-ram,-cpu_cap salt '*' vmadm.list search='type=KVM' salt.modules.smartos_vmadm.lookup(search=None, order=None, one=False) Return a list of VMs using lookup search string Specifies the vmadm filter property order string Specifies the vmadm order (-o) property Default: uuid,type,ram,state,alias one boolean Specifies if you to one result only (-1) CLI Example: salt '*' vmadm.lookup search='state=running' salt '*' vmadm.lookup search='state=running' order=uuid,alias,hostname salt '*' vmadm.lookup search='alias=nacl' one=True salt.modules.smartos_vmadm.reboot(vm=None, force=False, key='uuid') Reboot a vm vm string Specifies the vm to be rebooted force boolean Specifies if the vm should be force rebooted key string Specifies if 'vm' is a uuid, alias or hostname. CLI Example: salt '*' vmadm.reboot 186da9ab-7392-4f55-91a5-b8f1fe770543 salt '*' vmadm.reboot 186da9ab-7392-4f55-91a5-b8f1fe770543 True salt '*' vmadm.reboot vm=nacl key=alias salt '*' vmadm.reboot vm=nina.example.org key=hostname salt.modules.smartos_vmadm.receive(uuid=None, source=None) Receive a vm from a directory uuid string Specifies uuid of vm to receive source string Specifies the target. Can be a directory path. CLI Example: salt '*' vmadm.receive 186da9ab-7392-4f55-91a5-b8f1fe770543 /opt/backups salt.modules.smartos_vmadm.reprovision(vm=None, image=None, key='uuid') Reprovision a vm vm string Specifies the vm image string uuid of new image key string Specifies what 'vm' is. Value = uuid|alias|hostname CLI Example: salt '*' vmadm.reprovision 186da9ab-7392-4f55-91a5-b8f1fe770543 c02a2044-c1bd-11e4-bd8c-dfc1db8b0182 salt '*' vmadm.reprovision nacl c02a2044-c1bd-11e4-bd8c-dfc1db8b0182 key=alias salt.modules.smartos_vmadm.rollback_snapshot(vm=None, name=None, key='uuid') Rollback snapshot of a vm vm string Specifies the vm name string Name of snapshot. The snapname must be 64 characters or less and must only contain alphanumeric characters and characters in the set [-_.:%] to comply with ZFS restrictions. key string Specifies what 'vm' is. Value = uuid|alias|hostname CLI Example: salt '*' vmadm.rollback_snapshot 186da9ab-7392-4f55-91a5-b8f1fe770543 baseline salt '*' vmadm.rollback_snapshot nacl baseline key=alias salt.modules.smartos_vmadm.send(vm=None, target=None, key='uuid') Send a vm to a directory vm string Specifies the vm to be started target string Specifies the target. Can be a directory path. key string Specifies if 'vm' is a uuid, alias or hostname. CLI Example: salt '*' vmadm.send 186da9ab-7392-4f55-91a5-b8f1fe770543 /opt/backups salt '*' vmadm.send vm=nacl target=/opt/backups key=alias salt.modules.smartos_vmadm.start(vm=None, options=None, key='uuid') Start a vm vm string Specifies the vm to be started options string Specifies additional options key string Specifies if 'vm' is a uuid, alias or hostname. CLI Example: salt '*' vmadm.start 186da9ab-7392-4f55-91a5-b8f1fe770543 salt '*' vmadm.start 186da9ab-7392-4f55-91a5-b8f1fe770543 'order=c,once=d cdrom=/path/to/image.iso,ide' salt '*' vmadm.start vm=nacl key=alias salt '*' vmadm.start vm=nina.example.org key=hostname salt.modules.smartos_vmadm.stop(vm=None, force=False, key='uuid') Stop a vm vm string Specifies the vm to be stopped force boolean Specifies if the vm should be force stopped key string Specifies if 'vm' is a uuid, alias or hostname. CLI Example: salt '*' vmadm.stop 186da9ab-7392-4f55-91a5-b8f1fe770543 salt '*' vmadm.stop 186da9ab-7392-4f55-91a5-b8f1fe770543 True salt '*' vmadm.stop vm=nacl key=alias salt '*' vmadm.stop vm=nina.example.org key=hostname salt.modules.smartos_vmadm.sysrq(vm=None, action='nmi', key='uuid') Send non-maskable interupt to vm or capture a screenshot vm string Specifies the vm action string Specifies the action nmi or screenshot key string Specifies what 'vm' is. Value = uuid|alias|hostname CLI Example: salt '*' vmadm.sysrq 186da9ab-7392-4f55-91a5-b8f1fe770543 nmi salt '*' vmadm.sysrq 186da9ab-7392-4f55-91a5-b8f1fe770543 screenshot salt '*' vmadm.sysrq nacl nmi key=alias salt.modules.smartos_vmadm.update(**kwargs) Update a new vm vm string Specifies the vm to be updated key string Specifies if 'vm' is a uuid, alias or hostname. from_file string Specifies the json file to update the vm with. Note: when this is present all other options except 'vm' and 'key' will be ignored. • : string|int|... Specifies options to updte for the vm. Example: image_uuid=UUID, will specify the image_uuid for the vm to be created. add_nics='[{"nic_tag": "admin", "ip": "198.51.100.123", "netmask": "255.255.255.0"}]', adds 1 nic over the admin tag remove_nics='[ "12:ae:d3:28:98:b8" ], remove nics with mac 12:ae:d3:28:98:b8 CLI Example: salt '*' vmadm.update vm=186da9ab-7392-4f55-91a5-b8f1fe770543 from_file=/tmp/new_vm.json salt '*' vmadm.update vm=nacl key=alias from_file=/tmp/new_vm.json salt '*' vmadm.update vm=186da9ab-7392-4f55-91a5-b8f1fe770543 max_physical_memory=1024 salt.modules.smbios Interface to SMBIOS/DMI (Parsing through dmidecode) External References Desktop Management Interface (DMI) System Management BIOS DMIdecode salt.modules.smbios.get(string, clean=True) Get an individual DMI string from SMBIOS info string The string to fetch. DMIdecode supports: • bios-vendor • bios-version • bios-release-date • system-manufacturer • system-product-name • system-version • system-serial-number • system-uuid • baseboard-manufacturer • baseboard-product-name • baseboard-version • baseboard-serial-number • baseboard-asset-tag • chassis-manufacturer • chassis-type • chassis-version • chassis-serial-number • chassis-asset-tag • processor-family • processor-manufacturer • processor-version • processor-frequency clean Don't return well-known false information (invalid UUID's, serial 000000000's, etcetera) Defaults to True CLI Example: salt '*' smbios.get system-uuid clean=False salt.modules.smbios.records(rec_type=None, fields=None, clean=True) Return DMI records from SMBIOS type Return only records of type(s) The SMBIOS specification defines the following DMI types: ┌─────┬──────────────────────────────────┐ │Type │ Information │ ├─────┼──────────────────────────────────┤ │0 │ BIOS │ ├─────┼──────────────────────────────────┤ │1 │ System │ ├─────┼──────────────────────────────────┤ │2 │ Baseboard │ ├─────┼──────────────────────────────────┤ │3 │ Chassis │ ├─────┼──────────────────────────────────┤ │4 │ Processor │ ├─────┼──────────────────────────────────┤ │5 │ Memory Controller │ ├─────┼──────────────────────────────────┤ │6 │ Memory Module │ ├─────┼──────────────────────────────────┤ │7 │ Cache │ ├─────┼──────────────────────────────────┤ │8 │ Port Connector │ ├─────┼──────────────────────────────────┤ │9 │ System Slots │ ├─────┼──────────────────────────────────┤ │10 │ On Board Devices │ ├─────┼──────────────────────────────────┤ │11 │ OEM Strings │ ├─────┼──────────────────────────────────┤ │12 │ System Configuration Options │ ├─────┼──────────────────────────────────┤ │13 │ BIOS Language │ ├─────┼──────────────────────────────────┤ │14 │ Group Associations │ ├─────┼──────────────────────────────────┤ │15 │ System Event Log │ ├─────┼──────────────────────────────────┤ │16 │ Physical Memory Array │ ├─────┼──────────────────────────────────┤ │17 │ Memory Device │ ├─────┼──────────────────────────────────┤ │18 │ 32-bit Memory Error │ ├─────┼──────────────────────────────────┤ │19 │ Memory Array Mapped Address │ ├─────┼──────────────────────────────────┤ │20 │ Memory Device Mapped Address │ ├─────┼──────────────────────────────────┤ │21 │ Built-in Pointing Device │ ├─────┼──────────────────────────────────┤ │22 │ Portable Battery │ ├─────┼──────────────────────────────────┤ │23 │ System Reset │ ├─────┼──────────────────────────────────┤ │24 │ Hardware Security │ ├─────┼──────────────────────────────────┤ │25 │ System Power Controls │ ├─────┼──────────────────────────────────┤ │26 │ Voltage Probe │ ├─────┼──────────────────────────────────┤ │27 │ Cooling Device │ ├─────┼──────────────────────────────────┤ │28 │ Temperature Probe │ ├─────┼──────────────────────────────────┤ │29 │ Electrical Current Probe │ ├─────┼──────────────────────────────────┤ │30 │ Out-of-band Remote Access │ ├─────┼──────────────────────────────────┤ │31 │ Boot Integrity Services │ ├─────┼──────────────────────────────────┤ │32 │ System Boot │ ├─────┼──────────────────────────────────┤ │33 │ 64-bit Memory Error │ ├─────┼──────────────────────────────────┤ │34 │ Management Device │ ├─────┼──────────────────────────────────┤ │35 │ Management Device Component │ ├─────┼──────────────────────────────────┤ │36 │ Management Device Threshold Data │ ├─────┼──────────────────────────────────┤ │37 │ Memory Channel │ ├─────┼──────────────────────────────────┤ │38 │ IPMI Device │ ├─────┼──────────────────────────────────┤ │39 │ Power Supply │ ├─────┼──────────────────────────────────┤ │40 │ Additional Information │ ├─────┼──────────────────────────────────┤ │41 │ Onboard Devices Extended │ │ │ Information │ ├─────┼──────────────────────────────────┤ │42 │ Management Controller Host │ │ │ Interface │ └─────┴──────────────────────────────────┘ clean Don't return well-known false information (invalid UUID's, serial 000000000's, etcetera) Defaults to True CLI Example: salt '*' smbios.records clean=False salt '*' smbios.records 14 salt '*' smbios.records 4 core_count,thread_count,current_speed salt.modules.smf Service support for Solaris 10 and 11, should work with other systems that use SMF also. (e.g. SmartOS) salt.modules.smf.available(name) Returns True if the specified service is available, otherwise returns False. We look up the name with the svcs command to get back the FMRI This allows users to use simpler service names CLI Example: salt '*' service.available net-snmp salt.modules.smf.disable(name, **kwargs) Disable the named service to start at boot CLI Example: salt '*' service.disable <service name> salt.modules.smf.disabled(name) Check to see if the named service is disabled to start on boot CLI Example: salt '*' service.disabled <service name> salt.modules.smf.enable(name, **kwargs) Enable the named service to start at boot CLI Example: salt '*' service.enable <service name> salt.modules.smf.enabled(name, **kwargs) Check to see if the named service is enabled to start on boot CLI Example: salt '*' service.enabled <service name> salt.modules.smf.get_all() Return all installed services CLI Example: salt '*' service.get_all salt.modules.smf.get_disabled() Return the disabled services CLI Example: salt '*' service.get_disabled salt.modules.smf.get_enabled() Return the enabled services CLI Example: salt '*' service.get_enabled salt.modules.smf.get_running() Return the running services CLI Example: salt '*' service.get_running salt.modules.smf.get_stopped() Return the stopped services CLI Example: salt '*' service.get_stopped salt.modules.smf.missing(name) The inverse of service.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' service.missing net-snmp salt.modules.smf.reload(name) Reload the named service CLI Example: salt '*' service.reload <service name> salt.modules.smf.restart(name) Restart the named service CLI Example: salt '*' service.restart <service name> salt.modules.smf.start(name) Start the specified service CLI Example: salt '*' service.start <service name> salt.modules.smf.status(name, sig=None) Return the status for a service, returns a bool whether the service is running. CLI Example: salt '*' service.status <service name> salt.modules.smf.stop(name) Stop the specified service CLI Example: salt '*' service.stop <service name> salt.modules.smtp Module for Sending Messages via SMTP New in version 2014.7.0. depends • smtplib python module configuration This module can be used by either passing a jid and password directly to send_message, or by specifying the name of a configuration profile in the minion config, minion pillar, or master config. For example: my-smtp-login: smtp.server: smtp.domain.com smtp.tls: True smtp.sender: admin@domain.com smtp.username: myuser smtp.password: verybadpass The resourcename refers to the resource that is using this account. It is user-definable, and optional. The following configurations are both valid: my-smtp-login: smtp.server: smtp.domain.com smtp.tls: True smtp.sender: admin@domain.com smtp.username: myuser smtp.password: verybadpass another-smtp-login: smtp.server: smtp.domain.com smtp.tls: True smtp.sender: admin@domain.com smtp.username: myuser smtp.password: verybadpass salt.modules.smtp.send_msg(recipient, message, subject='Message from Salt', sender=None, server=None, use_ssl='True', username=None, password=None, profile=None) Send a message to an SMTP recipient. Designed for use in states. CLI Examples: smtp.send_msg 'admin@example.com' 'This is a salt module test' profile='my-smtp-account' smtp.send_msg 'admin@example.com' 'This is a salt module test' username='myuser' password='verybadpass' sender="admin@example.com' server='smtp.domain.com' salt.modules.softwareupdate Support for the softwareupdate command on MacOS. salt.modules.softwareupdate.download(*updates) Download a named update so that it can be installed later with the install or upgrade function. It returns a list of all updates that are now downloaded. CLI Example: salt '*' softwareupdate.download <update name> salt '*' softwareupdate.download "<update with whitespace>" salt '*' softwareupdate.download <update1> <update2> <update3> salt.modules.softwareupdate.download_all(rec=False, restart=True) Download all available updates so that they can be installed later with the install or upgrade function. It returns a list of updates that are now downloaded. CLI Example: salt '*' softwareupdate.download_all salt.modules.softwareupdate.ignore(*updates) Ignore a specific program update. When an update is ignored the '-' and version number at the end will be omitted, so "SecUpd2014-001-1.0" becomes "SecUpd2014-001". It will be removed automatically if present. An update is successfully ignored when it no longer shows up after list_upgrades. CLI Example: salt '*' softwareupdate.ignore <update-name> salt '*' softwareupdate.ignore "<update with whitespace>" salt '*' softwareupdate.ignore <update1> <update2> <update3> salt.modules.softwareupdate.install(*updates) Install a named upgrade. Returns a dictionary containing the name of the update and the status of its installation. Return values: - True: The update was installed. - False: The update was not installed. - None: There is no update available with that name. CLI Example: salt '*' softwareupdate.install <update-name> salt '*' softwareupdate.install "<update with whitespace>" salt '*' softwareupdate.install <update1> <update2> <update3> salt.modules.softwareupdate.list_downloads() Return a list of all updates that have been downloaded locally. CLI Example: salt '*' softwareupdate.list_downloads salt.modules.softwareupdate.list_ignored() List all upgrades that has been ignored. Ignored updates are shown without the '-' and version number at the end, this is how the softwareupdate command works. CLI Example: salt '*' softwareupdate.list_ignored salt.modules.softwareupdate.list_upgrades(rec=False, restart=False) List all available updates. rec Return only the recommended updates. restart Return only the updates that require a restart. CLI Example: salt '*' softwareupdate.list_upgrades salt.modules.softwareupdate.reset_ignored() Make sure the ignored updates are not ignored anymore, returns a list of the updates that are no longer ignored. CLI Example: salt '*' softwareupdate.reset_ignored salt.modules.softwareupdate.schedule(*status) Decide if automatic checking for upgrades should be on or off. If no arguments are given it will return the current status. Append on or off to change the status. Return values: - True: Automatic checking is now on, - False: Automatic checking is now off, - None: Invalid argument. CLI Example: salt '*' softwareupdate.schedule salt '*' softwareupdate.schedule on|off salt.modules.softwareupdate.upgrade(rec=False, restart=True) Install all available upgrades. Returns a dictionary containing the name of the update and the status of its installation. Return values: - True: The update was installed. - False: The update was not installed. rec If set to True, only install all the recommended updates. restart Set this to False if you do not want to install updates that require a restart. CLI Example: salt '*' softwareupdate.upgrade salt.modules.softwareupdate.upgrade_available(update) Check whether or not an upgrade is available with a given name. CLI Example: salt '*' softwareupdate.upgrade_available <update-name> salt '*' softwareupdate.upgrade_available "<update with whitespace>" salt.modules.solaris_group Manage groups on Solaris salt.modules.solaris_group.add(name, gid=None, **kwargs) Add the specified group CLI Example: salt '*' group.add foo 3456 salt.modules.solaris_group.chgid(name, gid) Change the gid for a named group CLI Example: salt '*' group.chgid foo 4376 salt.modules.solaris_group.delete(name) Remove the named group CLI Example: salt '*' group.delete foo salt.modules.solaris_group.getent(refresh=False) Return info on all groups CLI Example: salt '*' group.getent salt.modules.solaris_group.info(name) Return information about a group CLI Example: salt '*' group.info foo salt.modules.solaris_shadow Manage the password database on Solaris systems salt.modules.solaris_shadow.default_hash() Returns the default hash used for unset passwords CLI Example: salt '*' shadow.default_hash salt.modules.solaris_shadow.del_password(name) New in version 2015.8.8. Delete the password from name user CLI Example: salt '*' shadow.del_password username salt.modules.solaris_shadow.gen_password(password, crypt_salt=None, algorithm='sha512') New in version 2015.8.8. Generate hashed password NOTE: When called this function is called directly via remote-execution, the password argument may be displayed in the system's process list. This may be a security risk on certain systems. password Plaintext password to be hashed. crypt_salt Crpytographic salt. If not given, a random 8-character salt will be generated. algorithm The following hash algorithms are supported: • md5 • blowfish (not in mainline glibc, only available in distros that add it) • sha256 • sha512 (default) CLI Example: salt '*' shadow.gen_password 'I_am_password' salt '*' shadow.gen_password 'I_am_password' crypt_salt='I_am_salt' algorithm=sha256 salt.modules.solaris_shadow.info(name) Return information for the specified user CLI Example: salt '*' shadow.info root salt.modules.solaris_shadow.set_maxdays(name, maxdays) Set the maximum number of days during which a password is valid. See man passwd. CLI Example: salt '*' shadow.set_maxdays username 90 salt.modules.solaris_shadow.set_mindays(name, mindays) Set the minimum number of days between password changes. See man passwd. CLI Example: salt '*' shadow.set_mindays username 7 salt.modules.solaris_shadow.set_password(name, password) Set the password for a named user. The password must be a properly defined hash, the password hash can be generated with this command: openssl passwd -1 <plaintext password> CLI Example: salt '*' shadow.set_password root $1$UYCIxa628.9qXjpQCjM4a.. salt.modules.solaris_shadow.set_warndays(name, warndays) Set the number of days of warning before a password change is required. See man passwd. CLI Example: salt '*' shadow.set_warndays username 7 salt.modules.solaris_user Manage users with the useradd command salt.modules.solaris_user.add(name, uid=None, gid=None, groups=None, home=None, shell=None, unique=True, fullname='', roomnumber='', workphone='', homephone='', createhome=True, **kwargs) Add a user to the minion CLI Example: salt '*' user.add name <uid> <gid> <groups> <home> <shell> salt.modules.solaris_user.chfullname(name, fullname) Change the user's Full Name CLI Example: salt '*' user.chfullname foo "Foo Bar" salt.modules.solaris_user.chgid(name, gid) Change the default group of the user CLI Example: salt '*' user.chgid foo 4376 salt.modules.solaris_user.chgroups(name, groups, append=False) Change the groups this user belongs to, add append to append the specified groups CLI Example: salt '*' user.chgroups foo wheel,root True salt.modules.solaris_user.chhome(name, home, persist=False) Change the home directory of the user, pass true for persist to copy files to the new home dir CLI Example: salt '*' user.chhome foo /home/users/foo True salt.modules.solaris_user.chhomephone(name, homephone) Change the user's Home Phone CLI Example: salt '*' user.chhomephone foo "7735551234" salt.modules.solaris_user.chroomnumber(name, roomnumber) Change the user's Room Number CLI Example: salt '*' user.chroomnumber foo 123 salt.modules.solaris_user.chshell(name, shell) Change the default shell of the user CLI Example: salt '*' user.chshell foo /bin/zsh salt.modules.solaris_user.chuid(name, uid) Change the uid for a named user CLI Example: salt '*' user.chuid foo 4376 salt.modules.solaris_user.chworkphone(name, workphone) Change the user's Work Phone CLI Example: salt '*' user.chworkphone foo "7735550123" salt.modules.solaris_user.delete(name, remove=False, force=False) Remove a user from the minion CLI Example: salt '*' user.delete name remove=True force=True salt.modules.solaris_user.getent(refresh=False) Return the list of all info for all users CLI Example: salt '*' user.getent salt.modules.solaris_user.info(name) Return user information CLI Example: salt '*' user.info root salt.modules.solaris_user.list_groups(name) Return a list of groups the named user belongs to CLI Example: salt '*' user.list_groups foo salt.modules.solaris_user.rename(name, new_name) Change the username for a named user CLI Example: salt '*' user.rename name new_name salt.modules.solarisips IPS pkg support for Solaris This module provides support for Solaris 11 new package management - IPS (Image Packaging System). This is the default pkg module for Solaris 11 (and later). If you want to use also other packaging module (e.g. pkgutil) together with IPS, you need to override the pkg provider in sls for each package: mypackage: pkg.installed: - provider: pkgutil Or you can override it globally by setting the providers parameter in your Minion config file like this: providers: pkg: pkgutil Or you can override it globally by setting the providers parameter in your Minion config file like this: providers: pkg: pkgutil salt.modules.solarisips.available_version(name, **kwargs) This function is an alias of latest_version. The available version of the package in the repository. In case of multiple match, it returns list of all matched packages. Accepts full or partial FMRI. Please use pkg.latest_version as pkg.available_version is being deprecated. CLI Example: salt '*' pkg.latest_version pkg://solaris/entire salt.modules.solarisips.get_fmri(name, **kwargs) Returns FMRI from partial name. Returns empty string ('') if not found. In case of multiple match, the function returns list of all matched packages. CLI Example: salt '*' pkg.get_fmri bash salt.modules.solarisips.install(name=None, refresh=False, pkgs=None, version=None, test=False, **kwargs) Install the named package using the IPS pkg command. Accepts full or partial FMRI. Returns a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} Multiple Package Installation Options: pkgs A list of packages to install. Must be passed as a python list. CLI Example: salt '*' pkg.install vim salt '*' pkg.install pkg://solaris/editor/vim salt '*' pkg.install pkg://solaris/editor/vim refresh=True salt '*' pkg.install pkgs='["foo", "bar"]' salt.modules.solarisips.is_installed(name, **kwargs) Returns True if the package is installed. Otherwise returns False. Name can be full or partial FMRI. In case of multiple match from partial FMRI name, it returns True. CLI Example: salt '*' pkg.is_installed bash salt.modules.solarisips.latest_version(name, **kwargs) The available version of the package in the repository. In case of multiple match, it returns list of all matched packages. Accepts full or partial FMRI. Please use pkg.latest_version as pkg.available_version is being deprecated. CLI Example: salt '*' pkg.latest_version pkg://solaris/entire salt.modules.solarisips.list_pkgs(versions_as_list=False, **kwargs) List the currently installed packages as a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt.modules.solarisips.list_upgrades(refresh=False) Lists all packages available for update. When run in global zone, it reports only upgradable packages for the global zone. When run in non-global zone, it can report more upgradable packages than "pkg update -vn" because "pkg update" hides packages that require newer version of pkg://solaris/entire (which means that they can be upgraded only from global zone). Simply said: if you see pkg://solaris/entire in the list of upgrades, you should upgrade the global zone to get all possible updates. You can force full pkg DB refresh before listing. CLI Example: salt '*' pkg.list_upgrades salt '*' pkg.list_upgrades refresh=True salt.modules.solarisips.normalize_name(name, **kwargs) Internal function. Normalizes pkg name to full FMRI before running pkg.install. In case of multiple match or no match, it returns the name without modifications and lets the "pkg install" to decide what to do. CLI Example: salt '*' pkg.normalize_name vim salt.modules.solarisips.purge(name, **kwargs) Remove specified package. Accepts full or partial FMRI. Returns a list containing the removed packages. CLI Example: salt '*' pkg.purge <package name> salt.modules.solarisips.refresh_db(full=False) Updates the remote repos database. You can force the full pkg DB refresh from all publishers regardless the last refresh time. CLI Example: salt '*' pkg.refresh_db salt '*' pkg.refresh_db full=True salt.modules.solarisips.remove(name=None, pkgs=None, **kwargs) Remove specified package. Accepts full or partial FMRI. In case of multiple match, the command fails and won't modify the OS. name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. Returns a list containing the removed packages. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove tcsh salt '*' pkg.remove pkg://solaris/shell/tcsh salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.solarisips.search(name, versions_as_list=False, **kwargs) Searches the repository for given pkg name. The name can be full or partial FMRI. All matches are printed. Globs are also supported. CLI Example: salt '*' pkg.search bash salt.modules.solarisips.upgrade(refresh=False, **kwargs) Upgrade all packages to the latest possible version. When run in global zone, it updates also all non-global zones. In non-global zones upgrade is limited by dependency constrains linked to the version of pkg://solaris/entire. Returns also a raw output of "pkg update" command (because if update creates a new boot environment, no immediate changes are visible in "pkg list"). CLI Example: salt '*' pkg.upgrade salt.modules.solarisips.upgrade_available(name) Check if there is an upgrade available for a certain package Accepts full or partial FMRI. Returns all matches found. CLI Example: salt '*' pkg.upgrade_available apache-22 salt.modules.solarisips.version(*names, **kwargs) Common interface for obtaining the version of installed packages. Accepts full or partial FMRI. If called using pkg_resource, full FMRI is required. CLI Example: salt '*' pkg.version vim salt '*' pkg.version foo bar baz salt '*' pkg_resource.version pkg://solaris/entire salt.modules.solarispkg Package support for Solaris salt.modules.solarispkg.install(name=None, sources=None, saltenv='base', **kwargs) Install the passed package. Can install packages from the following sources: * Locally (package already exists on the minion * HTTP/HTTPS server * FTP server * Salt master Returns a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example, installing a data stream pkg that already exists on the minion: salt '*' pkg.install sources='[{"<pkg name>": "/dir/on/minion/<pkg filename>"}]' salt '*' pkg.install sources='[{"SMClgcc346": "/var/spool/pkg/gcc-3.4.6-sol10-sparc-local.pkg"}]' CLI Example, installing a data stream pkg that exists on the salt master: salt '*' pkg.install sources='[{"<pkg name>": "salt://pkgs/<pkg filename>"}]' salt '*' pkg.install sources='[{"SMClgcc346": "salt://pkgs/gcc-3.4.6-sol10-sparc-local.pkg"}]' CLI Example, installing a data stream pkg that exists on a HTTP server: salt '*' pkg.install sources='[{"<pkg name>": "http://packages.server.com/<pkg filename>"}]' salt '*' pkg.install sources='[{"SMClgcc346": "http://packages.server.com/gcc-3.4.6-sol10-sparc-local.pkg"}]' If working with solaris zones and you want to install a package only in the global zone you can pass 'current_zone_only=True' to salt to have the package only installed in the global zone. (Behind the scenes this is passing '-G' to the pkgadd command.) Solaris default when installing a package in the global zone is to install it in all zones. This overrides that and installs the package only in the global. CLI Example, installing a data stream package only in the global zone: salt 'global_zone' pkg.install sources='[{"SMClgcc346": "/var/spool/pkg/gcc-3.4.6-sol10-sparc-local.pkg"}]' current_zone_only=True By default salt automatically provides an adminfile, to automate package installation, with these options set: email= instance=quit partial=nocheck runlevel=nocheck idepend=nocheck rdepend=nocheck space=nocheck setuid=nocheck conflict=nocheck action=nocheck basedir=default You can override any of these options in two ways. First you can optionally pass any of the options as a kwarg to the module/state to override the default value or you can optionally pass the 'admin_source' option providing your own adminfile to the minions. Note: You can find all of the possible options to provide to the adminfile by reading the admin man page: man -s 4 admin CLI Example - Overriding the 'instance' adminfile option when calling the module directly: salt '*' pkg.install sources='[{"<pkg name>": "salt://pkgs/<pkg filename>"}]' instance="overwrite" CLI Example - Overriding the 'instance' adminfile option when used in a state: SMClgcc346: pkg.installed: - sources: - SMClgcc346: salt://srv/salt/pkgs/gcc-3.4.6-sol10-sparc-local.pkg - instance: overwrite Note: the ID declaration is ignored, as the package name is read from the "sources" parameter. CLI Example - Providing your own adminfile when calling the module directly: salt '*' pkg.install sources='[{"<pkg name>": "salt://pkgs/<pkg filename>"}]' admin_source='salt://pkgs/<adminfile filename>' CLI Example - Providing your own adminfile when using states: <pkg name>: pkg.installed: - sources: - <pkg name>: salt://pkgs/<pkg filename> - admin_source: salt://pkgs/<adminfile filename> Note: the ID declaration is ignored, as the package name is read from the "sources" parameter. salt.modules.solarispkg.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation. If more than one package name is specified, a dict of name/version pairs is returned. If the latest version of a given package is already installed, an empty string will be returned for that package. CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> <package3> ... NOTE: As package repositories are not presently supported for Solaris pkgadd, this function will always return an empty string for a given package. salt.modules.solarispkg.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed as a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt.modules.solarispkg.purge(name=None, pkgs=None, **kwargs) Package purges are not supported, this function is identical to remove(). name The name of the package to be deleted Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.purge <package name> salt '*' pkg.purge <package1>,<package2>,<package3> salt '*' pkg.purge pkgs='["foo", "bar"]' salt.modules.solarispkg.remove(name=None, pkgs=None, saltenv='base', **kwargs) Remove packages with pkgrm name The name of the package to be deleted By default salt automatically provides an adminfile, to automate package removal, with these options set: email= instance=quit partial=nocheck runlevel=nocheck idepend=nocheck rdepend=nocheck space=nocheck setuid=nocheck conflict=nocheck action=nocheck basedir=default You can override any of these options in two ways. First you can optionally pass any of the options as a kwarg to the module/state to override the default value or you can optionally pass the 'admin_source' option providing your own adminfile to the minions. Note: You can find all of the possible options to provide to the adminfile by reading the admin man page: man -s 4 admin Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove SUNWgit salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.solarispkg.upgrade_available(name) Check whether or not an upgrade is available for a given package CLI Example: salt '*' pkg.upgrade_available <package name> salt.modules.solarispkg.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.solr Apache Solr Salt Module Author: Jed Glazner Version: 0.2.1 Modified: 12/09/2011 This module uses HTTP requests to talk to the apache solr request handlers to gather information and report errors. Because of this the minion doesn't necessarily need to reside on the actual slave. However if you want to use the signal function the minion must reside on the physical solr host. This module supports multi-core and standard setups. Certain methods are master/slave specific. Make sure you set the solr.type. If you have questions or want a feature request please ask. Coming Features in 0.3 1. Add command for checking for replication failures on slaves 2. Improve match_index_versions since it's pointless on busy solr masters 3. Add additional local fs checks for backups to make sure they succeeded Override these in the minion config solr.cores A list of core names e.g. ['core1','core2']. An empty list indicates non-multicore setup. solr.baseurl The root level URL to access solr via HTTP solr.request_timeout The number of seconds before timing out an HTTP/HTTPS/FTP request. If nothing is specified then the python global timeout setting is used. solr.type Possible values are 'master' or 'slave' solr.backup_path The path to store your backups. If you are using cores and you can specify to append the core name to the path in the backup method. solr.num_backups For versions of solr >= 3.5. Indicates the number of backups to keep. This option is ignored if your version is less. solr.init_script The full path to your init script with start/stop options solr.dih.options A list of options to pass to the DIH. Required Options for DIH clean False Clear the index before importing commit True Commit the documents to the index upon completion optimize True Optimize the index after commit is complete verbose True Get verbose output salt.modules.solr.abort_import(handler, host=None, core_name=None, verbose=False) MASTER ONLY Aborts an existing import command to the specified handler. This command can only be run if the minion is configured with solr.type=master handler str The name of the data import handler. host str (None) The solr host to query. __opts__['host'] is default. core str (None) The core the handler belongs to. verbose boolean (False) Run the command with verbose output. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.abort_import dataimport None music {'clean':True} salt.modules.solr.backup(host=None, core_name=None, append_core_to_path=False) Tell solr make a backup. This method can be mis-leading since it uses the backup API. If an error happens during the backup you are not notified. The status: 'OK' in the response simply means that solr received the request successfully. host str (None) The solr host to query. __opts__['host'] is default. core_name str (None) The name of the solr core if using cores. Leave this blank if you are not using cores or if you want to check all cores. append_core_to_path boolean (False) If True add the name of the core to the backup path. Assumes that minion backup path is not None. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.backup music salt.modules.solr.core_status(host=None, core_name=None) MULTI-CORE HOSTS ONLY Get the status for a given core or all cores if no core is specified host str (None) The solr host to query. __opts__['host'] is default. core_name str The name of the core to reload Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.core_status None music salt.modules.solr.delta_import(handler, host=None, core_name=None, options=None, extra=None) Submits an import command to the specified handler using specified options. This command can only be run if the minion is configured with solr.type=master handler str The name of the data import handler. host str (None) The solr host to query. __opts__['host'] is default. core str (None) The core the handler belongs to. options dict (__opts__) A list of options such as clean, optimize commit, verbose, and pause_replication. leave blank to use __opts__ defaults. options will be merged with __opts__ extra dict ([]) Extra name value pairs to pass to the handler. e.g. ["name=value"] Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.delta_import dataimport None music {'clean':True} salt.modules.solr.full_import(handler, host=None, core_name=None, options=None, extra=None) MASTER ONLY Submits an import command to the specified handler using specified options. This command can only be run if the minion is configured with solr.type=master handler str The name of the data import handler. host str (None) The solr host to query. __opts__['host'] is default. core str (None) The core the handler belongs to. options dict (__opts__) A list of options such as clean, optimize commit, verbose, and pause_replication. leave blank to use __opts__ defaults. options will be merged with __opts__ extra dict ([]) Extra name value pairs to pass to the handler. e.g. ["name=value"] Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.full_import dataimport None music {'clean':True} salt.modules.solr.import_status(handler, host=None, core_name=None, verbose=False) Submits an import command to the specified handler using specified options. This command can only be run if the minion is configured with solr.type: 'master' handler str The name of the data import handler. host str (None) The solr host to query. __opts__['host'] is default. core str (None) The core the handler belongs to. verbose boolean (False) Specifies verbose output Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.import_status dataimport None music False salt.modules.solr.is_replication_enabled(host=None, core_name=None) SLAVE CALL Check for errors, and determine if a slave is replicating or not. host str (None) The solr host to query. __opts__['host'] is default. core_name str (None) The name of the solr core if using cores. Leave this blank if you are not using cores or if you want to check all cores. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.is_replication_enabled music salt.modules.solr.lucene_version(core_name=None) Gets the lucene version that solr is using. If you are running a multi-core setup you should specify a core name since all the cores run under the same servlet container, they will all have the same version. core_name str (None) The name of the solr core if using cores. Leave this blank if you are not using cores or if you want to check all cores. Return: dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.lucene_version salt.modules.solr.match_index_versions(host=None, core_name=None) SLAVE CALL Verifies that the master and the slave versions are in sync by comparing the index version. If you are constantly pushing updates the index the master and slave versions will seldom match. A solution to this is pause indexing every so often to allow the slave to replicate and then call this method before allowing indexing to resume. host str (None) The solr host to query. __opts__['host'] is default. core_name str (None) The name of the solr core if using cores. Leave this blank if you are not using cores or if you want to check all cores. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.match_index_versions music salt.modules.solr.optimize(host=None, core_name=None) Search queries fast, but it is a very expensive operation. The ideal process is to run this with a master/slave configuration. Then you can optimize the master, and push the optimized index to the slaves. If you are running a single solr instance, or if you are going to run this on a slave be aware than search performance will be horrible while this command is being run. Additionally it can take a LONG time to run and your HTTP request may timeout. If that happens adjust your timeout settings. host str (None) The solr host to query. __opts__['host'] is default. core_name str (None) The name of the solr core if using cores. Leave this blank if you are not using cores or if you want to check all cores. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.optimize music salt.modules.solr.ping(host=None, core_name=None) Does a health check on solr, makes sure solr can talk to the indexes. host str (None) The solr host to query. __opts__['host'] is default. core_name str (None) The name of the solr core if using cores. Leave this blank if you are not using cores or if you want to check all cores. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.ping music salt.modules.solr.reload_core(host=None, core_name=None) MULTI-CORE HOSTS ONLY Load a new core from the same configuration as an existing registered core. While the "new" core is initializing, the "old" one will continue to accept requests. Once it has finished, all new request will go to the "new" core, and the "old" core will be unloaded. host str (None) The solr host to query. __opts__['host'] is default. core_name str The name of the core to reload Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.reload_core None music Return data is in the following format: {'success':bool, 'data':dict, 'errors':list, 'warnings':list} salt.modules.solr.reload_import_config(handler, host=None, core_name=None, verbose=False) MASTER ONLY re-loads the handler config XML file. This command can only be run if the minion is a 'master' type handler str The name of the data import handler. host str (None) The solr host to query. __opts__['host'] is default. core str (None) The core the handler belongs to. verbose boolean (False) Run the command with verbose output. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.reload_import_config dataimport None music {'clean':True} salt.modules.solr.replication_details(host=None, core_name=None) Get the full replication details. host str (None) The solr host to query. __opts__['host'] is default. core_name str (None) The name of the solr core if using cores. Leave this blank if you are not using cores or if you want to check all cores. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.replication_details music salt.modules.solr.set_is_polling(polling, host=None, core_name=None) SLAVE CALL Prevent the slaves from polling the master for updates. polling boolean True will enable polling. False will disable it. host str (None) The solr host to query. __opts__['host'] is default. core_name str (None) The name of the solr core if using cores. Leave this blank if you are not using cores or if you want to check all cores. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.set_is_polling False salt.modules.solr.set_replication_enabled(status, host=None, core_name=None) MASTER ONLY Sets the master to ignore poll requests from the slaves. Useful when you don't want the slaves replicating during indexing or when clearing the index. status boolean Sets the replication status to the specified state. host str (None) The solr host to query. __opts__['host'] is default. core_name str (None) The name of the solr core if using cores. Leave this blank if you are not using cores or if you want to set the status on all cores. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.set_replication_enabled false, None, music salt.modules.solr.signal(signal=None) Signals Apache Solr to start, stop, or restart. Obviously this is only going to work if the minion resides on the solr host. Additionally Solr doesn't ship with an init script so one must be created. signal str (None) The command to pass to the apache solr init valid values are 'start', 'stop', and 'restart' CLI Example: salt '*' solr.signal restart salt.modules.solr.version(core_name=None) Gets the solr version for the core specified. You should specify a core here as all the cores will run under the same servlet container and so will all have the same version. core_name str (None) The name of the solr core if using cores. Leave this blank if you are not using cores or if you want to check all cores. Return : dict<str,obj>: {'success':boolean, 'data':dict, 'errors':list, 'warnings':list} CLI Example: salt '*' solr.version salt.modules.splay Splay function calls across targeted minions salt.modules.splay.show(splaytime=600) Show calculated splaytime for this minion Will use default value of 600 (seconds) if splaytime value not provided CLI Example: salt example-host splay.show salt example-host splay.show 60 salt.modules.splay.splay(*args, **kwargs) Splay a salt function call execution time across minions over a number of seconds (default: 600) NOTE: You probably want to use --async here and look up the job results later. If you're dead set on getting the output from the CLI command, then make sure to set the timeout (with the -t flag) to something greater than the splaytime (max splaytime + time to execute job). Otherwise, it's very likely that the cli will time out before the job returns. CLI Examples: salt --async '*' splay.splay pkg.install cowsay version=3.03-8.el6 # With specified splaytime (5 minutes) and timeout with 10 second buffer salt -t 310 '*' splay.splay 300 pkg.version cowsay salt.modules.splunk_search Module for interop with the Splunk API New in version 2015.5.0. depends • splunk-sdk python module configuration Configure this module by specifying the name of a configuration profile in the minion config, minion pillar, or master config. The module will use the 'splunk' key by default, if defined. For example: splunk: username: alice password: abc123 host: example.splunkcloud.com port: 8080 salt.modules.splunk_search.create(name, profile='splunk', **kwargs) Create a splunk search CLI Example: splunk_search.create 'my search name' search='error msg' salt.modules.splunk_search.delete(name, profile='splunk') Delete a splunk search CLI Example: splunk_search.delete 'my search name' salt.modules.splunk_search.get(name, profile='splunk') Get a splunk search CLI Example: splunk_search.get 'my search name' salt.modules.splunk_search.list(profile='splunk') List splunk searches (names only) CLI Example: splunk_search.list salt.modules.splunk_search.list_all(prefix=None, app=None, owner=None, description_contains=None, name_not_contains=None, profile='splunk') Get all splunk search details. Produces results that can be used to create an sls file. if app or owner are specified, results will be limited to matching saved searches. if description_contains is specified, results will be limited to those where "description_contains in description" is true if name_not_contains is specified, results will be limited to those where "name_not_contains not in name" is true. If prefix parameter is given, alarm names in the output will be prepended with the prefix; alarms that have the prefix will be skipped. This can be used to convert existing alarms to be managed by salt, as follows: CLI example: 1. Make a backup of all existing searches $ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > legacy_searches.sls 2. Get all searches with new prefixed names $ salt-call splunk_search.list_all "prefix=**MANAGED BY SALT** " --out=txt | sed "s/local: //" > managed_searches.sls 3. Insert the managed searches into splunk $ salt-call state.sls managed_searches.sls 4. Manually verify that the new searches look right 5. Delete the original searches $ sed s/present/absent/ legacy_searches.sls > remove_legacy_searches.sls $ salt-call state.sls remove_legacy_searches.sls 6. Get all searches again, verify no changes $ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > final_searches.sls $ diff final_searches.sls managed_searches.sls salt.modules.splunk_search.update(name, profile='splunk', **kwargs) Update a splunk search CLI Example: splunk_search.update 'my search name' sharing=app salt.modules.sqlite3 Support for SQLite3 salt.modules.sqlite3.fetch(db=None, sql=None) Retrieve data from an sqlite3 db (returns all rows, be careful!) CLI Example: salt '*' sqlite3.fetch /root/test.db 'SELECT * FROM test;' salt.modules.sqlite3.indexes(db=None) Show all indices in the database, for people with poor spelling skills CLI Example: salt '*' sqlite3.indexes /root/test.db salt.modules.sqlite3.indices(db=None) Show all indices in the database CLI Example: salt '*' sqlite3.indices /root/test.db salt.modules.sqlite3.modify(db=None, sql=None) Issue an SQL query to sqlite3 (with no return data), usually used to modify the database in some way (insert, delete, create, etc) CLI Example: salt '*' sqlite3.modify /root/test.db 'CREATE TABLE test(id INT, testdata TEXT);' salt.modules.sqlite3.sqlite_version() Return version of sqlite CLI Example: salt '*' sqlite3.sqlite_version salt.modules.sqlite3.tables(db=None) Show all tables in the database CLI Example: salt '*' sqlite3.tables /root/test.db salt.modules.sqlite3.version() Return version of pysqlite CLI Example: salt '*' sqlite3.version salt.modules.ssh Manage client ssh components NOTE: This module requires the use of MD5 hashing. Certain security audits may not permit the use of MD5. For those cases, this module should be disabled or removed. salt.modules.ssh.auth_keys(user=None, config='.ssh/authorized_keys') Return the authorized keys for users CLI Example: salt '*' ssh.auth_keys salt '*' ssh.auth_keys root salt '*' ssh.auth_keys user=root salt '*' ssh.auth_keys user="[user1, user2]" salt.modules.ssh.check_key(user, key, enc, comment, options, config='.ssh/authorized_keys', cache_keys=None) Check to see if a key needs updating, returns "update", "add" or "exists" CLI Example: salt '*' ssh.check_key <user> <key> <enc> <comment> <options> salt.modules.ssh.check_key_file(user, source, config='.ssh/authorized_keys', saltenv='base', env=None) Check a keyfile from a source destination against the local keys and return the keys to change CLI Example: salt '*' ssh.check_key_file root salt://ssh/keyfile salt.modules.ssh.check_known_host(user=None, hostname=None, key=None, fingerprint=None, config=None, port=None) Check the record in known_hosts file, either by its value or by fingerprint (it's enough to set up either key or fingerprint, you don't need to set up both). If provided key or fingerprint doesn't match with stored value, return "update", if no value is found for a given host, return "add", otherwise return "exists". If neither key, nor fingerprint is defined, then additional validation is not performed. CLI Example: salt '*' ssh.check_known_host <user> <hostname> key='AAAA...FAaQ==' salt.modules.ssh.get_known_host(user, hostname, config=None, port=None) Return information about known host from the configfile, if any. If there is no such key, return None. CLI Example: salt '*' ssh.get_known_host <user> <hostname> salt.modules.ssh.hash_known_hosts(user=None, config=None) Hash all the hostnames in the known hosts file. New in version 2014.7.0. user hash known hosts of this user config path to known hosts file: can be absolute or relative to user's home directory CLI Example: salt '*' ssh.hash_known_hosts salt.modules.ssh.host_keys(keydir=None, private=True) Return the minion's host keys CLI Example: salt '*' ssh.host_keys salt '*' ssh.host_keys keydir=/etc/ssh salt '*' ssh.host_keys keydir=/etc/ssh private=False salt.modules.ssh.key_is_encrypted(key) New in version 2015.8.7. Function to determine whether or not a private key is encrypted with a passphrase. Checks key for a Proc-Type header with ENCRYPTED in the value. If found, returns True, otherwise returns False. CLI Example: salt '*' ssh.key_is_encrypted /root/id_rsa salt.modules.ssh.recv_known_host(hostname, enc=None, port=None, hash_hostname=True, hash_known_hosts=True) Retrieve information about host public key from remote server hostname The name of the remote host (e.g. "github.com") enc Defines what type of key is being used, can be ed25519, ecdsa ssh-rsa or ssh-dss port optional parameter, denoting the port of the remote host, which will be used in case, if the public key will be requested from it. By default the port 22 is used. hash_hostname True Hash all hostnames and addresses in the known hosts file. Deprecated since version Carbon: Please use hash_known_hosts instead. hash_known_hosts True Hash all hostnames and addresses in the known hosts file. CLI Example: salt '*' ssh.recv_known_host <hostname> enc=<enc> port=<port> salt.modules.ssh.rm_auth_key(user, key, config='.ssh/authorized_keys') Remove an authorized key from the specified user's authorized key file CLI Example: salt '*' ssh.rm_auth_key <user> <key> salt.modules.ssh.rm_auth_key_from_file(user, source, config='.ssh/authorized_keys', saltenv='base', env=None) Remove an authorized key from the specified user's authorized key file, using a file as source CLI Example: salt '*' ssh.rm_auth_key_from_file <user> salt://ssh_keys/<user>.id_rsa.pub salt.modules.ssh.rm_known_host(user=None, hostname=None, config=None, port=None) Remove all keys belonging to hostname from a known_hosts file. CLI Example: salt '*' ssh.rm_known_host <user> <hostname> salt.modules.ssh.set_auth_key(user, key, enc='ssh-rsa', comment='', options=None, config='.ssh/authorized_keys', cache_keys=None) Add a key to the authorized_keys file. The "key" parameter must only be the string of text that is the encoded key. If the key begins with "ssh-rsa" or ends with user@host, remove those from the key before passing it to this function. CLI Example: salt '*' ssh.set_auth_key <user> '<key>' enc='dsa' salt.modules.ssh.set_auth_key_from_file(user, source, config='.ssh/authorized_keys', saltenv='base', env=None) Add a key to the authorized_keys file, using a file as the source. CLI Example: salt '*' ssh.set_auth_key_from_file <user> salt://ssh_keys/<user>.id_rsa.pub salt.modules.ssh.set_known_host(user=None, hostname=None, fingerprint=None, key=None, port=None, enc=None, hash_hostname=True, config=None, hash_known_hosts=True) Download SSH public key from remote host "hostname", optionally validate its fingerprint against "fingerprint" variable and save the record in the known_hosts file. If such a record does already exists in there, do nothing. user The user who owns the ssh authorized keys file to modify hostname The name of the remote host (e.g. "github.com") fingerprint The fingerprint of the key which must be presented in the known_hosts file (optional if key specified) key The public key which must be presented in the known_hosts file (optional if fingerprint specified) port optional parameter, denoting the port of the remote host, which will be used in case, if the public key will be requested from it. By default the port 22 is used. enc Defines what type of key is being used, can be ed25519, ecdsa ssh-rsa or ssh-dss hash_hostname True Hash all hostnames and addresses in the known hosts file. Deprecated since version Carbon: Please use hash_known_hosts instead. config The location of the authorized keys file relative to the user's home directory, defaults to ".ssh/known_hosts". If no user is specified, defaults to "/etc/ssh/ssh_known_hosts". If present, must be an absolute path when a user is not specified. hash_known_hosts True Hash all hostnames and addresses in the known hosts file. CLI Example: salt '*' ssh.set_known_host <user> fingerprint='xx:xx:..:xx' enc='ssh-rsa' config='.ssh/known_hosts' salt.modules.ssh.user_keys(user=None, pubfile=None, prvfile=None) Return the user's ssh keys on the minion New in version 2014.7.0. CLI Example: salt '*' ssh.user_keys salt '*' ssh.user_keys user=user1 salt '*' ssh.user_keys user=user1 pubfile=/home/user1/.ssh/id_rsa.pub prvfile=/home/user1/.ssh/id_rsa salt '*' ssh.user_keys user=user1 prvfile=False salt '*' ssh.user_keys user="['user1','user2'] pubfile=id_rsa.pub prvfile=id_rsa As you can see you can tell Salt not to read from the user's private (or public) key file by setting the file path to False. This can be useful to prevent Salt from publishing private data via Salt Mine or others. salt.modules.state Control the state system on the minion. State Caching When a highstate is called, the minion automatically caches a copy of the last high data. If you then run a highstate with cache=True it will use that cached highdata and won't hit the fileserver except for salt:// links in the states themselves. salt.modules.state.apply(mods=None, **kwargs) New in version 2015.5.0. Apply states! This function will call highstate or state.sls based on the arguments passed in, state.apply is intended to be the main gateway for all state executions. CLI Example: salt '*' state.apply salt '*' state.apply test salt '*' state.apply test,pkgs salt.modules.state.check_request(name=None) New in version 2015.5.0. Return the state request information, if any CLI Example: salt '*' state.check_request salt.modules.state.clear_cache() Clear out cached state files, forcing even cache runs to refresh the cache on the next state execution. Remember that the state cache is completely disabled by default, this execution only applies if cache=True is used in states CLI Example: salt '*' state.clear_cache salt.modules.state.clear_request(name=None) New in version 2015.5.0. Clear out the state execution request without executing it CLI Example: salt '*' state.clear_request salt.modules.state.disable(states) Disable state runs. CLI Example: salt '*' state.disable highstate salt '*' state.disable highstate,test.succeed_without_changes NOTE: To disable a state file from running provide the same name that would be passed in a state.sls call. salt '*' state.disable bind.config salt.modules.state.enable(states) Enable state function or sls run CLI Example: salt '*' state.enable highstate salt '*' state.enable test.succeed_without_changes NOTE: To enable a state file from running provide the same name that would be passed in a state.sls call. salt '*' state.disable bind.config salt.modules.state.high(data, test=False, queue=False, **kwargs) Execute the compound calls stored in a single set of high data This function is mostly intended for testing the state system CLI Example: salt '*' state.high '{"vim": {"pkg": ["installed"]}}' salt.modules.state.highstate(test=None, queue=False, **kwargs) Retrieve the state data from the salt master for this minion and execute it test Notify states to execute in test-only (dry-run) mode. Sets the test variable in the minion opts for the duration of the state run. pillar Custom Pillar data can be passed with the pillar kwarg. Values passed here will override hard-coded Pillar values. queue False Instead of failing immediately when another state run is in progress, queue the new state run to begin running once the other has finished. This option starts a new thread for each queued state run so use this option sparingly. localconfig: Instead of using running minion opts, load localconfig and merge that with the running minion opts. This functionality is intended for using "roots" of salt directories (with their own minion config, pillars, file_roots) to run highstate out of. mock: The mock option allows for the state run to execute without actually calling any states. This then returns a mocked return which will show the requisite ordering as well as fully validate the state run. New in version 2015.8.4. CLI Example: salt '*' state.highstate salt '*' state.highstate whitelist=sls1_to_run,sls2_to_run salt '*' state.highstate exclude=sls_to_exclude salt '*' state.highstate exclude="[{'id': 'id_to_exclude'}, {'sls': 'sls_to_exclude'}]" salt '*' state.highstate pillar="{foo: 'Foo!', bar: 'Bar!'}" salt.modules.state.list_disabled() List the states which are currently disabled CLI Example: salt '*' state.list_disabled salt.modules.state.low(data, queue=False, **kwargs) Execute a single low data call This function is mostly intended for testing the state system CLI Example: salt '*' state.low '{"state": "pkg", "fun": "installed", "name": "vi"}' salt.modules.state.pkg(pkg_path, pkg_sum, hash_type, test=False, **kwargs) Execute a packaged state run, the packaged state run will exist in a tarball available locally. This packaged state can be generated using salt-ssh. CLI Example: salt '*' state.pkg /tmp/state_pkg.tgz salt.modules.state.request(mods=None, **kwargs) New in version 2015.5.0. Request that the local admin execute a state run via salt-call state.run_request All arguments match state.apply CLI Example: salt '*' state.request salt '*' state.request test salt '*' state.request test,pkgs salt.modules.state.run_request(name='default', **kwargs) New in version 2015.5.0. Execute the pending state request CLI Example: salt '*' state.run_request salt.modules.state.running(concurrent=False) Return a list of strings that contain state return data if a state function is already running. This function is used to prevent multiple state calls from being run at the same time. CLI Example: salt '*' state.running salt.modules.state.show_highstate(queue=False, **kwargs) Retrieve the highstate data from the salt master and display it Custom Pillar data can be passed with the pillar kwarg. CLI Example: salt '*' state.show_highstate salt.modules.state.show_low_sls(mods, saltenv='base', test=None, queue=False, env=None, **kwargs) Display the low data from a specific sls. The default environment is base, use saltenv (env in Salt 0.17.x and older) to specify a different environment. CLI Example: salt '*' state.show_low_sls foo salt.modules.state.show_lowstate(queue=False, **kwargs) List out the low data that will be applied to this minion CLI Example: salt '*' state.show_lowstate salt.modules.state.show_sls(mods, saltenv='base', test=None, queue=False, env=None, **kwargs) Display the state data from a specific sls or list of sls files on the master. The default environment is base, use saltenv (env in Salt 0.17.x and older) to specify a different environment. This function does not support topfiles. For top.sls please use show_top instead. Custom Pillar data can be passed with the pillar kwarg. CLI Example: salt '*' state.show_sls core,edit.vim dev salt.modules.state.show_top(queue=False, **kwargs) Return the top data that the minion will use for a highstate CLI Example: salt '*' state.show_top salt.modules.state.single(fun, name, test=None, queue=False, **kwargs) Execute a single state function with the named kwargs, returns False if insufficient data is sent to the command By default, the values of the kwargs will be parsed as YAML. So, you can specify lists values, or lists of single entry key-value maps, as you would in a YAML salt file. Alternatively, JSON format of keyword values is also supported. CLI Example: salt '*' state.single pkg.installed name=vim salt.modules.state.sls(mods, saltenv=None, test=None, exclude=None, queue=False, env=None, pillarenv=None, **kwargs) Execute a set list of state files from an environment. test Notify states to execute in test-only (dry-run) mode. Sets the test variable in the minion opts for the duration of the state run. pillar Custom Pillar data can be passed with the pillar kwarg. Values passed here will override hard-coded Pillar values. queue False Instead of failing immediately when another state run is in progress, queue the new state run to begin running once the other has finished. This option starts a new thread for each queued state run so use this option sparingly. saltenv None Specify a file_roots environment. Changed in version 0.17.0: Argument name changed from env to saltenv. Changed in version 2014.7: Defaults to None. If no saltenv is specified, the minion config will be checked for a saltenv and if found, it will be used. If none is found, base will be used. pillarenv None Specify a pillar_roots environment. By default all pillar environments merged together will be used. concurrent: WARNING: This flag is potentially dangerous. It is designed for use when multiple state runs can safely be run at the same Do not use this flag for performance optimization. localconfig: Instead of using running minion opts, load localconfig and merge that with the running minion opts. This functionality is intended for using "roots" of salt directories (with their own minion config, pillars, file_roots) to run highstate out of. mock: The mock option allows for the state run to execute without actually calling any states. This then returns a mocked return which will show the requisite ordering as well as fully validate the state run. New in version 2015.8.4. CLI Example: salt '*' state.sls core,edit.vim dev salt '*' state.sls core exclude="[{'id': 'id_to_exclude'}, {'sls': 'sls_to_exclude'}]" salt '*' state.sls myslsfile pillar="{foo: 'Foo!', bar: 'Bar!'}" salt.modules.state.sls_id(id_, mods, saltenv='base', test=None, queue=False, **kwargs) Call a single ID from the named module(s) and handle all requisites New in version 2014.7.0. CLI Example: salt '*' state.sls_id apache http salt.modules.state.template(tem, queue=False, **kwargs) Execute the information stored in a template file on the minion. This function does not ask a master for a SLS file to render but instead directly processes the file at the provided path on the minion. CLI Example: salt '*' state.template '<Path to template on the minion>' salt.modules.state.template_str(tem, queue=False, **kwargs) Execute the information stored in a string from an sls template CLI Example: salt '*' state.template_str '<Template String>' salt.modules.state.top(topfn, test=None, queue=False, saltenv=None, **kwargs) Execute a specific top file instead of the default. This is useful to apply configurations from a different environment (for example, dev or prod), without modifying the default top file. CLI Example: salt '*' state.top reverse_top.sls salt '*' state.top prod_top.sls exclude=sls_to_exclude salt '*' state.top dev_top.sls exclude="[{'id': 'id_to_exclude'}, {'sls': 'sls_to_exclude'}]" salt.modules.status Module for returning various status data about a minion. These data can be useful for compiling into stats later. salt.modules.status.all_status() Return a composite of all status data and info for this minion. Warning: There is a LOT here! CLI Example: salt '*' status.all_status salt.modules.status.cpuinfo() Return the CPU info for this minion CLI Example: salt '*' status.cpuinfo salt.modules.status.cpustats() Return the CPU stats for this minion CLI Example: salt '*' status.cpustats salt.modules.status.custom() Return a custom composite of status data and info for this minion, based on the minion config file. An example config like might be: status.cpustats.custom: [ 'cpu', 'ctxt', 'btime', 'processes' ] Where status refers to status.py, cpustats is the function where we get our data, and custom is this function It is followed by a list of keys that we want returned. This function is meant to replace all_status(), which returns anything and everything, which we probably don't want. By default, nothing is returned. Warning: Depending on what you include, there can be a LOT here! CLI Example: salt '*' status.custom salt.modules.status.diskstats() Return the disk stats for this minion CLI Example: salt '*' status.diskstats salt.modules.status.diskusage(*args) Return the disk usage for this minion Usage: salt '*' status.diskusage [paths and/or filesystem types] CLI Example: salt '*' status.diskusage # usage for all filesystems salt '*' status.diskusage / /tmp # usage for / and /tmp salt '*' status.diskusage ext? # usage for ext[234] filesystems salt '*' status.diskusage / ext? # usage for / and all ext filesystems salt.modules.status.loadavg() Return the load averages for this minion CLI Example: salt '*' status.loadavg salt.modules.status.master(master=None, connected=True) New in version 2014.7.0. Fire an event if the minion gets disconnected from its master. This function is meant to be run via a scheduled job from the minion. If master_ip is an FQDN/Hostname, is must be resolvable to a valid IPv4 address. CLI Example: salt '*' status.master salt.modules.status.meminfo() Return the memory info for this minion CLI Example: salt '*' status.meminfo salt.modules.status.netdev() Return the network device stats for this minion CLI Example: salt '*' status.netdev salt.modules.status.netstats() Return the network stats for this minion CLI Example: salt '*' status.netstats salt.modules.status.nproc() Return the number of processing units available on this system CLI Example: salt '*' status.nproc salt.modules.status.pid(sig) Return the PID or an empty string if the process is running or not. Pass a signature to use to find the process via ps. Note you can pass a Python-compatible regular expression to return all pids of processes matching the regexp. CLI Example: salt '*' status.pid <sig> salt.modules.status.procs() Return the process data CLI Example: salt '*' status.procs salt.modules.status.uptime(human_readable=True) Return the uptime for this minion human_readable: True If True return the output provided by the system. If False return the output in seconds. New in version 2015.8.4. CLI Example: salt '*' status.uptime salt.modules.status.version() Return the system version for this minion CLI Example: salt '*' status.version salt.modules.status.vmstats() Return the virtual memory stats for this minion CLI Example: salt '*' status.vmstats salt.modules.status.w() Return a list of logged in users for this minion, using the w command CLI Example: salt '*' status.w salt.modules.stormpath Support for Stormpath New in version 2015.8.0. salt.modules.stormpath.create_account(directory_id, email, password, givenName, surname, **kwargs) Create an account CLI Examples: salt myminion stormpath.create_account <directory_id> shemp@example.com letmein Shemp Howard salt.modules.stormpath.delete_account(account_id) Delete an account. CLI Examples: salt myminion stormpath.delete_account <account_id> salt.modules.stormpath.list_accounts() Show all accounts. CLI Example: salt myminion stormpath.list_accounts salt.modules.stormpath.list_directories() Show all directories. CLI Example: salt myminion stormpath.list_directories salt.modules.stormpath.show_account(account_id=None, email=None, directory_id=None, application_id=None, group_id=None, **kwargs) Show a specific account. CLI Example: salt myminion stormpath.show_account <account_id> salt.modules.stormpath.show_tenant() Get the tenant for the login being used. salt.modules.stormpath.update_account(account_id, key=None, value=None, items=None) Update one or more items for this account. Specifying an empty value will clear it for that account. CLI Examples: salt myminion stormpath.update_account <account_id> givenName shemp salt myminion stormpath.update_account <account_id> middleName '' salt myminion stormpath.update_account <account_id> items='{"givenName": "Shemp"} salt myminion stormpath.update_account <account_id> items='{"middlename": ""} salt.modules.sudo Allow for the calling of execution modules via sudo. This module is invoked by the minion if the sudo_user minion config is present. Example minion config: sudo_user: saltdev Once this setting is made, any execution module call done by the minion will be run under sudo -u <sudo_user> salt-call. For example, with the above minion config, salt sudo_minion cmd.run 'cat /etc/sudoers' is equivalent to sudo -u saltdev salt-call cmd.run 'cat /etc/sudoers' being run on sudo_minion. salt.modules.sudo.salt_call(runas, fun, *args, **kwargs) Wrap a shell execution out to salt call with sudo Example: /etc/salt/minion sudo_user: saltdev salt '*' test.ping # is run as saltdev user salt.modules.supervisord Provide the service module for system supervisord or supervisord in a virtualenv salt.modules.supervisord.add(name, user=None, conf_file=None, bin_env=None) Activates any updates in config for process/group. user user to run supervisorctl as conf_file path to supervisord config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed CLI Example: salt '*' supervisord.add <name> salt.modules.supervisord.custom(command, user=None, conf_file=None, bin_env=None) Run any custom supervisord command user user to run supervisorctl as conf_file path to supervisord config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed CLI Example: salt '*' supervisord.custom "mstop '*gunicorn*'" salt.modules.supervisord.options(name, conf_file=None) New in version 2014.1.0. Read the config file and return the config options for a given process name Name of the configured process conf_file path to supervisord config file CLI Example: salt '*' supervisord.options foo salt.modules.supervisord.remove(name, user=None, conf_file=None, bin_env=None) Removes process/group from active config user user to run supervisorctl as conf_file path to supervisord config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed CLI Example: salt '*' supervisord.remove <name> salt.modules.supervisord.reread(user=None, conf_file=None, bin_env=None) Reload the daemon's configuration files user user to run supervisorctl as conf_file path to supervisord config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed CLI Example: salt '*' supervisord.reread salt.modules.supervisord.restart(name='all', user=None, conf_file=None, bin_env=None) Restart the named service. Process group names should not include a trailing asterisk. user user to run supervisorctl as conf_file path to supervisord config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed CLI Example: salt '*' supervisord.restart <service> salt '*' supervisord.restart <group>: salt.modules.supervisord.start(name='all', user=None, conf_file=None, bin_env=None) Start the named service. Process group names should not include a trailing asterisk. user user to run supervisorctl as conf_file path to supervisord config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed CLI Example: salt '*' supervisord.start <service> salt '*' supervisord.start <group>: salt.modules.supervisord.status(name=None, user=None, conf_file=None, bin_env=None) List programs and its state user user to run supervisorctl as conf_file path to supervisord config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed CLI Example: salt '*' supervisord.status salt.modules.supervisord.status_raw(name=None, user=None, conf_file=None, bin_env=None) Display the raw output of status user user to run supervisorctl as conf_file path to supervisord config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed CLI Example: salt '*' supervisord.status_raw salt.modules.supervisord.stop(name='all', user=None, conf_file=None, bin_env=None) Stop the named service. Process group names should not include a trailing asterisk. user user to run supervisorctl as conf_file path to supervisord config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed CLI Example: salt '*' supervisord.stop <service> salt '*' supervisord.stop <group>: salt.modules.supervisord.update(user=None, conf_file=None, bin_env=None) Reload config and add/remove as necessary user user to run supervisorctl as conf_file path to supervisord config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed CLI Example: salt '*' supervisord.update salt.modules.svn Subversion SCM salt.modules.svn.add(cwd, targets, user=None, username=None, password=None, *opts) Add files to be tracked by the Subversion working-copy checkout cwd The path to the Subversion repository targets None files and directories to pass to the command as arguments user None Run svn as a user other than what the minion runs as username None Connect to the Subversion server as another user password None Connect to the Subversion server with this password New in version 0.17.0. CLI Example: salt '*' svn.add /path/to/repo /path/to/new/file salt.modules.svn.checkout(cwd, remote, target=None, user=None, username=None, password=None, *opts) Download a working copy of the remote Subversion repository directory or file cwd The path to the Subversion repository remote None URL to checkout target None The name to give the file or directory working copy Default: svn uses the remote basename user None Run svn as a user other than what the minion runs as username None Connect to the Subversion server as another user password None Connect to the Subversion server with this password New in version 0.17.0. CLI Example: salt '*' svn.checkout /path/to/repo svn://remote/repo salt.modules.svn.commit(cwd, targets=None, msg=None, user=None, username=None, password=None, *opts) Commit the current directory, files, or directories to the remote Subversion repository cwd The path to the Subversion repository targets None files and directories to pass to the command as arguments Default: svn uses '.' msg None Message to attach to the commit log user None Run svn as a user other than what the minion runs as username None Connect to the Subversion server as another user password None Connect to the Subversion server with this password New in version 0.17.0. CLI Example: salt '*' svn.commit /path/to/repo salt.modules.svn.diff(cwd, targets=None, user=None, username=None, password=None, *opts) Return the diff of the current directory, files, or directories from the remote Subversion repository cwd The path to the Subversion repository targets None files and directories to pass to the command as arguments Default: svn uses '.' user None Run svn as a user other than what the minion runs as username None Connect to the Subversion server as another user password None Connect to the Subversion server with this password New in version 0.17.0. CLI Example: salt '*' svn.diff /path/to/repo salt.modules.svn.export(cwd, remote, target=None, user=None, username=None, password=None, revision='HEAD', *opts) Create an unversioned copy of a tree. cwd The path to the Subversion repository remote None URL and path to file or directory checkout target None The name to give the file or directory working copy Default: svn uses the remote basename user None Run svn as a user other than what the minion runs as username None Connect to the Subversion server as another user password None Connect to the Subversion server with this password New in version 0.17.0. CLI Example: salt '*' svn.export /path/to/repo svn://remote/repo salt.modules.svn.info(cwd, targets=None, user=None, username=None, password=None, fmt='str') Display the Subversion information from the checkout. cwd The path to the Subversion repository targets None files, directories, and URLs to pass to the command as arguments svn uses '.' by default user None Run svn as a user other than what the minion runs as username None Connect to the Subversion server as another user password None Connect to the Subversion server with this password New in version 0.17.0. fmt str How to fmt the output from info. (str, xml, list, dict) CLI Example: salt '*' svn.info /path/to/svn/repo salt.modules.svn.remove(cwd, targets, msg=None, user=None, username=None, password=None, *opts) Remove files and directories from the Subversion repository cwd The path to the Subversion repository targets None files, directories, and URLs to pass to the command as arguments msg None Message to attach to the commit log user None Run svn as a user other than what the minion runs as username None Connect to the Subversion server as another user password None Connect to the Subversion server with this password New in version 0.17.0. CLI Example: salt '*' svn.remove /path/to/repo /path/to/repo/remove salt.modules.svn.status(cwd, targets=None, user=None, username=None, password=None, *opts) Display the status of the current directory, files, or directories in the Subversion repository cwd The path to the Subversion repository targets None files, directories, and URLs to pass to the command as arguments Default: svn uses '.' user None Run svn as a user other than what the minion runs as username None Connect to the Subversion server as another user password None Connect to the Subversion server with this password New in version 0.17.0. CLI Example: salt '*' svn.status /path/to/repo salt.modules.svn.switch(cwd, remote, target=None, user=None, username=None, password=None, *opts) New in version 2014.1.0. Switch a working copy of a remote Subversion repository directory cwd The path to the Subversion repository remote None URL to switch target None The name to give the file or directory working copy Default: svn uses the remote basename user None Run svn as a user other than what the minion runs as username None Connect to the Subversion server as another user password None Connect to the Subversion server with this password CLI Example: salt '*' svn.switch /path/to/repo svn://remote/repo salt.modules.svn.update(cwd, targets=None, user=None, username=None, password=None, *opts) Update the current directory, files, or directories from the remote Subversion repository cwd The path to the Subversion repository targets None files and directories to pass to the command as arguments Default: svn uses '.' user None Run svn as a user other than what the minion runs as password None Connect to the Subversion server with this password New in version 0.17.0. username None Connect to the Subversion server as another user CLI Example: salt '*' svn.update /path/to/repo salt.modules.swift Module for handling OpenStack Swift calls Author: Anthony Stanton <‐ anthony.stanton@gmail.com> Inspired by the S3 and Nova modules depends • swiftclient Python module configuration This module is not usable until the user, tenant, auth URL, and password or auth_key are specified either in a pillar or in the minion's config file. For example: keystone.user: admin keystone.tenant: admin keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' keystone.password: verybadpass # or keystone.auth_key: 203802934809284k2j34lkj2l3kj43k If configuration for multiple OpenStack accounts is required, they can be set up as different configuration profiles: For example: openstack1: keystone.user: admin keystone.tenant: admin keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' keystone.password: verybadpass # or keystone.auth_key: 203802934809284k2j34lkj2l3kj43k openstack2: keystone.user: admin keystone.tenant: admin keystone.auth_url: 'http://127.0.0.2:5000/v2.0/' keystone.password: verybadpass # or keystone.auth_key: 303802934809284k2j34lkj2l3kj43k With this configuration in place, any of the swift functions can make use of a configuration profile by declaring it explicitly. For example: salt '*' swift.get mycontainer myfile /tmp/file profile=openstack1 NOTE: For Rackspace cloud files setting keystone.auth_version = 1 is recommended. salt.modules.swift.delete(cont, path=None, profile=None) Delete a container, or delete an object from a container. CLI Example to delete a container: salt myminion swift.delete mycontainer CLI Example to delete an object from a container: salt myminion swift.delete mycontainer remoteobject salt.modules.swift.get(cont=None, path=None, local_file=None, return_bin=False, profile=None) List the contents of a container, or return an object from a container. Set return_bin to True in order to retrieve an object wholesale. Otherwise, Salt will attempt to parse an XML response. CLI Example to list containers: salt myminion swift.get CLI Example to list the contents of a container: salt myminion swift.get mycontainer CLI Example to return the binary contents of an object: salt myminion swift.get mycontainer myfile.png return_bin=True CLI Example to save the binary contents of an object to a local file: salt myminion swift.get mycontainer myfile.png local_file=/tmp/myfile.png salt.modules.swift.head() salt.modules.swift.put(cont, path=None, local_file=None, profile=None) Create a new container, or upload an object to a container. CLI Example to create a container: salt myminion swift.put mycontainer CLI Example to upload an object to a container: salt myminion swift.put mycontainer remotepath local_file=/path/to/file salt.modules.sysbench The 'sysbench' module is used to analyze the performance of the minions, right from the master! It measures various system parameters such as CPU, Memory, File I/O, Threads and Mutex. salt.modules.sysbench.cpu() Tests for the CPU performance of minions. CLI Examples: salt '*' sysbench.cpu salt.modules.sysbench.fileio() This tests for the file read and write operations Various modes of operations are • sequential write • sequential rewrite • sequential read • random read • random write • random read and write The test works with 32 files with each file being 1Gb in size The test consumes a lot of time. Be patient! CLI Examples: salt '*' sysbench.fileio salt.modules.sysbench.memory() This tests the memory for read and write operations. CLI Examples: salt '*' sysbench.memory salt.modules.sysbench.mutex() Tests the implementation of mutex CLI Examples: salt '*' sysbench.mutex salt.modules.sysbench.ping() salt.modules.sysbench.threads() This tests the performance of the processor's scheduler CLI Example: salt '*' sysbench.threads salt.modules.syslog_ng Module for getting information about syslog-ng maintainer Tibor Benke <btibi@sch.bme.hu> maturity new depends cmd platform all This module is capable of managing syslog-ng instances which were installed via a package manager or from source. Users can use a directory as a parameter in the case of most functions, which contains the syslog-ng and syslog-ng-ctl binaries. Syslog-ng can be installed via a package manager or from source. In the latter case, the syslog-ng and syslog-ng-ctl binaries are not available from the PATH, so users should set location of the sbin directory with syslog_ng.set_binary_path. Similarly, users can specify the location of the configuration file with syslog_ng.set_config_file, then the module will use it. If it is not set, syslog-ng uses the default configuration file. class salt.modules.syslog_ng.Argument(value='') A TypedParameterValue has one or more Arguments. For example this can be the value of key_file. Does not need examples. build() class salt.modules.syslog_ng.Buildable(iterable, join_body_on='', append_extra_newline=True) Base class of most classes, which have a build method. It contains a common build function. Does not need examples. build() Builds the textual representation of the whole configuration object with it's children. build_body() Builds the body of a syslog-ng configuration object. build_header() Builds the header of a syslog-ng configuration object. build_tail() Builds the tail of a syslog-ng configuration object. class salt.modules.syslog_ng.GivenStatement(value, add_newline=True) This statement returns a string without modification. It can be used to use existing configuration snippets. Does not need examples. build() class salt.modules.syslog_ng.NamedStatement(type, id='', options=None) It represents a configuration statement, which has a name, e.g. a source. Does not need examples. class salt.modules.syslog_ng.Option(type='', params=None) A Statement class contains Option instances. An instance of Option can represent a file(), tcp(), udp(), etc. option. Does not need examples. add_parameter(param) build() class salt.modules.syslog_ng.Parameter(iterable=None, join_body_on='') An Option has one or more Parameter instances. Does not need examples. class salt.modules.syslog_ng.ParameterValue(iterable=None, join_body_on='') A TypedParameter can have one or more values. Does not need examples. class salt.modules.syslog_ng.SimpleParameter(value='') A Parameter is a SimpleParameter, if it's just a simple type, like a string. For example: destination d_file { file( "/var/log/messages" ); }; /var/log/messages is a SimpleParameter. Does not need examples. build() class salt.modules.syslog_ng.SimpleParameterValue(value='') A ParameterValuem which holds a simple type, like a string or a number. For example in ip(127.0.0.1) 127.0.0.1 is a SimpleParameterValue. Does not need examples. build() class salt.modules.syslog_ng.Statement(type, id='', options=None, has_name=True) It represents a syslog-ng configuration statement, e.g. source, destination, filter. Does not need examples. add_child(option) build_header() build_tail() exception salt.modules.syslog_ng.SyslogNgError class salt.modules.syslog_ng.TypedParameter(type='', values=None) A Parameter, which has a type: destination d_tcp { tcp( ip(127.0.0.1) ); }; ip(127.0.0.1) is a TypedParameter. Does not need examples. add_value(value) build() class salt.modules.syslog_ng.TypedParameterValue(type='', arguments=None) We have to go deeper... A TypedParameter can have a 'parameter', which also have a type. For example key_file and cert_file: source demo_tls_source { tcp( ip(0.0.0.0) port(1999) tls( key_file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key") cert_file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert") ) ); }; Does not need examples. add_argument(arg) build() class salt.modules.syslog_ng.UnnamedStatement(type, options=None) It represents a configuration statement, which doesn't have a name, e.g. a log path. Does not need examples. salt.modules.syslog_ng.config(name, config, write=True) Builds syslog-ng configuration. This function is intended to be used from the state module, users should not use it directly! name : the id of the Salt document or it is the format of <statement name>.id config : the parsed YAML code write : if True, it writes the config into the configuration file, otherwise just returns it CLI Example: salt '*' syslog_ng.config name="s_local" config="[{'tcp':[{'ip':'127.0.0.1'},{'port':1233}]}]" salt.modules.syslog_ng.config_test(syslog_ng_sbin_dir=None, cfgfile=None) Runs syntax check against cfgfile. If syslog_ng_sbin_dir is specified, it is added to the PATH during the test. CLI Example: salt '*' syslog_ng.config_test salt '*' syslog_ng.config_test /home/user/install/syslog-ng/sbin salt '*' syslog_ng.config_test /home/user/install/syslog-ng/sbin /etc/syslog-ng/syslog-ng.conf salt.modules.syslog_ng.get_config_file() Returns the configuration directory, which contains syslog-ng.conf. CLI Example: salt '*' syslog_ng.get_config_file salt.modules.syslog_ng.modules(syslog_ng_sbin_dir=None) Returns the available modules. If syslog_ng_sbin_dir is specified, it is added to the PATH during the execution of the command syslog-ng. CLI Example: salt '*' syslog_ng.modules salt '*' syslog_ng.modules /home/user/install/syslog-ng/sbin salt.modules.syslog_ng.reload(name) Reloads syslog-ng. This function is intended to be used from states. If syslog_ng.set_config_file, is called before, this function will use the set binary path. CLI Example: salt '*' syslog_ng.reload salt.modules.syslog_ng.set_binary_path(name) Sets the path, where the syslog-ng binary can be found. This function is intended to be used from states. If syslog-ng is installed via a package manager, users don't need to use this function. CLI Example: salt '*' syslog_ng.set_binary_path name="/usr/sbin" salt.modules.syslog_ng.set_config_file(name) Sets the configuration's name. This function is intended to be used from states. CLI Example: salt '*' syslog_ng.set_config_file name="/etc/syslog-ng" salt.modules.syslog_ng.set_parameters(version=None, binary_path=None, config_file=None, *args, **kwargs) Sets variables. CLI Example: salt '*' syslog_ng.set_parameters version="3.6" salt '*' syslog_ng.set_parameters binary_path="/home/user/install/syslog-ng/sbin" config_file="/home/user/install/syslog-ng/etc/syslog-ng.conf" salt.modules.syslog_ng.start(name=None, user=None, group=None, chroot=None, caps=None, no_caps=False, pidfile=None, enable_core=False, fd_limit=None, verbose=False, debug=False, trace=False, yydebug=False, persist_file=None, control=None, worker_threads=None) Ensures, that syslog-ng is started via the given parameters. This function is intended to be used from the state module. Users shouldn't use this function, if the service module is available on their system. If syslog_ng.set_config_file, is called before, this function will use the set binary path. CLI Example: salt '*' syslog_ng.start salt.modules.syslog_ng.stats(syslog_ng_sbin_dir=None) Returns statistics from the running syslog-ng instance. If syslog_ng_sbin_dir is specified, it is added to the PATH during the execution of the command syslog-ng-ctl. CLI Example: salt '*' syslog_ng.stats salt '*' syslog_ng.stats /home/user/install/syslog-ng/sbin salt.modules.syslog_ng.stop(name=None) Kills syslog-ng. This function is intended to be used from the state module. Users shouldn't use this function, if the service module is available on their system. If syslog_ng.set_config_file is called before, this function will use the set binary path. CLI Example: salt '*' syslog_ng.stop salt.modules.syslog_ng.version(syslog_ng_sbin_dir=None) Returns the version of the installed syslog-ng. If syslog_ng_sbin_dir is specified, it is added to the PATH during the execution of the command syslog-ng. CLI Example: salt '*' syslog_ng.version salt '*' syslog_ng.version /home/user/install/syslog-ng/sbin salt.modules.syslog_ng.write_config(config, newlines=2) Writes the given parameter config into the config file. This function is intended to be used from states. If syslog_ng.set_config_file, is called before, this function will use the set config file. CLI Example: salt '*' syslog_ng.write_config config="# comment" salt.modules.syslog_ng.write_version(name) Removes the previous configuration file, then creates a new one and writes the name line. This function is intended to be used from states. If syslog_ng.set_config_file, is called before, this function will use the set config file. CLI Example: salt '*' syslog_ng.write_version name="3.6" salt.modules.sysmod The sys module provides information about the available functions on the minion salt.modules.sysmod.argspec(module='') Return the argument specification of functions in Salt execution modules. CLI Example: salt '*' sys.argspec pkg.install salt '*' sys.argspec sys salt '*' sys.argspec Module names can be specified as globs. New in version 2015.5.0. salt '*' sys.argspec 'pkg.*' salt.modules.sysmod.doc(*args) Return the docstrings for all modules. Optionally, specify a module or a function to narrow the selection. The strings are aggregated into a single document on the master for easy reading. Multiple modules/functions can be specified. CLI Example: salt '*' sys.doc salt '*' sys.doc sys salt '*' sys.doc sys.doc salt '*' sys.doc network.traceroute user.info Modules can be specified as globs. New in version 2015.5.0. salt '*' sys.doc 'sys.*' salt '*' sys.doc 'sys.list_*' salt.modules.sysmod.list_functions(*args, **kwargs) List the functions for all modules. Optionally, specify a module or modules from which to list. CLI Example: salt '*' sys.list_functions salt '*' sys.list_functions sys salt '*' sys.list_functions sys user Function names can be specified as globs. New in version 2015.5.0. salt '*' sys.list_functions 'sys.list_*' salt.modules.sysmod.list_modules(*args) List the modules loaded on the minion New in version 2015.5.0. CLI Example: salt '*' sys.list_modules Module names can be specified as globs. salt '*' sys.list_modules 's*' salt.modules.sysmod.list_renderers(*args) List the renderers loaded on the minion New in version 2015.5.0. CLI Example: salt '*' sys.list_renderers Render names can be specified as globs. salt '*' sys.list_renderers 'yaml*' salt.modules.sysmod.list_returner_functions(*args, **kwargs) List the functions for all returner modules. Optionally, specify a returner module or modules from which to list. New in version 2014.7.0. CLI Example: salt '*' sys.list_returner_functions salt '*' sys.list_returner_functions mysql salt '*' sys.list_returner_functions mysql etcd Returner names can be specified as globs. New in version 2015.5.0. salt '*' sys.list_returner_functions 'sqlite3.get_*' salt.modules.sysmod.list_returners(*args) List the returners loaded on the minion New in version 2014.7.0. CLI Example: salt '*' sys.list_returners Returner names can be specified as globs. New in version 2015.5.0. salt '*' sys.list_returners 's*' salt.modules.sysmod.list_runner_functions(*args, **kwargs) List the functions for all runner modules. Optionally, specify a runner module or modules from which to list. New in version 2014.7.0. CLI Example: salt '*' sys.list_runner_functions salt '*' sys.list_runner_functions state salt '*' sys.list_runner_functions state virt Runner function names can be specified as globs. New in version 2015.5.0. salt '*' sys.list_runner_functions 'state.*' 'virt.*' salt.modules.sysmod.list_runners(*args) List the runners loaded on the minion New in version 2014.7.0. CLI Example: salt '*' sys.list_runners Runner names can be specified as globs. New in version 2015.5.0. salt '*' sys.list_runners 'm*' salt.modules.sysmod.list_state_functions(*args, **kwargs) List the functions for all state modules. Optionally, specify a state module or modules from which to list. New in version 2014.7.0. CLI Example: salt '*' sys.list_state_functions salt '*' sys.list_state_functions file salt '*' sys.list_state_functions pkg user State function names can be specified as globs. New in version 2015.5.0. salt '*' sys.list_state_functions 'file.*' salt '*' sys.list_state_functions 'file.s*' salt.modules.sysmod.list_state_modules(*args) List the modules loaded on the minion New in version 2014.7.0. CLI Example: salt '*' sys.list_state_modules State module names can be specified as globs. New in version 2015.5.0. salt '*' sys.list_state_modules 'mysql_*' salt.modules.sysmod.reload_modules() Tell the minion to reload the execution modules CLI Example: salt '*' sys.reload_modules salt.modules.sysmod.renderer_doc(*args) Return the docstrings for all renderers. Optionally, specify a renderer or a function to narrow the selection. The strings are aggregated into a single document on the master for easy reading. Multiple renderers can be specified. New in version 2015.5.0. CLI Example: salt '*' sys.renderer_doc salt '*' sys.renderer_doc cheetah salt '*' sys.renderer_doc jinja json Renderer names can be specified as globs. salt '*' sys.renderer_doc 'c*' 'j*' salt.modules.sysmod.returner_argspec(module='') Return the argument specification of functions in Salt returner modules. New in version 2015.5.0. CLI Example: salt '*' sys.returner_argspec xmpp salt '*' sys.returner_argspec xmpp smtp salt '*' sys.returner_argspec Returner names can be specified as globs. salt '*' sys.returner_argspec 'sqlite3.*' salt.modules.sysmod.returner_doc(*args) Return the docstrings for all returners. Optionally, specify a returner or a function to narrow the selection. The strings are aggregated into a single document on the master for easy reading. Multiple returners/functions can be specified. New in version 2014.7.0. CLI Example: salt '*' sys.returner_doc salt '*' sys.returner_doc sqlite3 salt '*' sys.returner_doc sqlite3.get_fun salt '*' sys.returner_doc sqlite3.get_fun etcd.get_fun Returner names can be specified as globs. New in version 2015.5.0. salt '*' sys.returner_doc 'sqlite3.get_*' salt.modules.sysmod.runner_argspec(module='') Return the argument specification of functions in Salt runner modules. New in version 2015.5.0. CLI Example: salt '*' sys.runner_argspec state salt '*' sys.runner_argspec http salt '*' sys.runner_argspec Runner names can be specified as globs. salt '*' sys.runner_argspec 'winrepo.*' salt.modules.sysmod.runner_doc(*args) Return the docstrings for all runners. Optionally, specify a runner or a function to narrow the selection. The strings are aggregated into a single document on the master for easy reading. Multiple runners/functions can be specified. New in version 2014.7.0. CLI Example: salt '*' sys.runner_doc salt '*' sys.runner_doc cache salt '*' sys.runner_doc cache.grains salt '*' sys.runner_doc cache.grains mine.get Runner names can be specified as globs. New in version 2015.5.0. salt '*' sys.runner_doc 'cache.clear_*' salt.modules.sysmod.state_argspec(module='') Return the argument specification of functions in Salt state modules. New in version 2015.5.0. CLI Example: salt '*' sys.state_argspec pkg.installed salt '*' sys.state_argspec file salt '*' sys.state_argspec State names can be specified as globs. salt '*' sys.state_argspec 'pkg.*' salt.modules.sysmod.state_doc(*args) Return the docstrings for all states. Optionally, specify a state or a function to narrow the selection. The strings are aggregated into a single document on the master for easy reading. Multiple states/functions can be specified. New in version 2014.7.0. CLI Example: salt '*' sys.state_doc salt '*' sys.state_doc service salt '*' sys.state_doc service.running salt '*' sys.state_doc service.running ipables.append State names can be specified as globs. New in version 2015.5.0. salt '*' sys.state_doc 'service.*' 'iptables.*' salt.modules.sysrc sysrc module for FreeBSD salt.modules.sysrc.get(**kwargs) Return system rc configuration variables CLI Example: salt '*' sysrc.get includeDefaults=True salt.modules.sysrc.remove(name, **kwargs) Remove system rc configuration variables CLI Example: salt '*' sysrc.remove name=sshd_enable salt.modules.sysrc.set(name, value, **kwargs) Set system rc configuration variables CLI Example: salt '*' sysrc.set name=sshd_flags value="-p 2222" salt.modules.system Support for reboot, shutdown, etc salt.modules.system.halt() Halt a running system CLI Example: salt '*' system.halt salt.modules.system.init(runlevel) Change the system runlevel on sysV compatible systems CLI Example: salt '*' system.init 3 salt.modules.system.poweroff() Poweroff a running system CLI Example: salt '*' system.poweroff salt.modules.system.reboot(at_time=None) Reboot the system at_time The wait time in minutes before the system will be shutdown. CLI Example: salt '*' system.reboot salt.modules.system.shutdown(at_time=None) Shutdown a running system at_time The wait time in minutes before the system will be shutdown. CLI Example: salt '*' system.shutdown 5 salt.modules.system_profiler System Profiler Module Interface with Mac OSX's command-line System Profiler utility to get information about package receipts and installed applications. New in version 2015.5.0. salt.modules.system_profiler.applications() Return the results of a call to system_profiler -xml -detail full SPApplicationsDataType as a dictionary. Top-level keys of the dictionary are the names of each set of install receipts, since there can be multiple receipts with the same name. Contents of each key are a list of dictionaries. Note that this can take a long time depending on how many applications are installed on the target Mac. CLI Example: salt '*' systemprofiler.applications salt.modules.system_profiler.receipts() Return the results of a call to system_profiler -xml -detail full SPInstallHistoryDataType as a dictionary. Top-level keys of the dictionary are the names of each set of install receipts, since there can be multiple receipts with the same name. Contents of each key are a list of dictionaries. CLI Example: salt '*' systemprofiler.receipts salt.modules.systemd Provide the service module for systemd New in version 0.10.0. salt.modules.systemd.available(name) New in version 0.10.4. Check that the given service is available taking into account template units. CLI Example: salt '*' service.available sshd salt.modules.systemd.disable(name, **kwargs) Disable the named service to not start when the system boots CLI Example: salt '*' service.disable <service name> salt.modules.systemd.disabled(name) Return if the named service is disabled to start on boot CLI Example: salt '*' service.disabled <service name> salt.modules.systemd.enable(name, **kwargs) Enable the named service to start when the system boots CLI Example: salt '*' service.enable <service name> salt.modules.systemd.enabled(name, **kwargs) Return if the named service is enabled to start on boot CLI Example: salt '*' service.enabled <service name> salt.modules.systemd.execs() New in version 2014.7.0. Return a list of all files specified as ExecStart for all services. CLI Example: salt '*' service.execs salt.modules.systemd.force_reload(name) New in version 0.12.0. Force-reload the specified service with systemd CLI Example: salt '*' service.force_reload <service name> salt.modules.systemd.get_all() Return a list of all available services CLI Example: salt '*' service.get_all salt.modules.systemd.get_disabled() Return a list of all disabled services CLI Example: salt '*' service.get_disabled salt.modules.systemd.get_enabled() Return a list of all enabled services CLI Example: salt '*' service.get_enabled salt.modules.systemd.get_static() New in version 2015.8.5. Return a list of all static services CLI Example: salt '*' service.get_static salt.modules.systemd.mask(name, runtime=False) New in version 2015.5.0. Mask the specified service with systemd runtime False Set to True to mask this service only until the next reboot New in version 2015.8.5. CLI Example: salt '*' service.mask <service name> salt.modules.systemd.masked(name) New in version 2015.8.0. Changed in version 2015.8.5: The return data for this function has changed. If the service is masked, the return value will now be the output of the systemctl is-enabled command (so that a persistent mask can be distinguished from a runtime mask). If the service is not masked, then False will be returned. Check whether or not a service is masked CLI Example: salt '*' service.masked <service name> salt.modules.systemd.missing(name) New in version 2014.1.0. The inverse of service.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' service.missing sshd salt.modules.systemd.reload(name) Reload the specified service with systemd CLI Example: salt '*' service.reload <service name> salt.modules.systemd.restart(name) Restart the specified service with systemd CLI Example: salt '*' service.restart <service name> salt.modules.systemd.show(name) New in version 2014.7.0. Show properties of one or more units/jobs or the manager CLI Example: salt '*' service.show <service name> salt.modules.systemd.start(name) Start the specified service with systemd CLI Example: salt '*' service.start <service name> salt.modules.systemd.status(name, sig=None) Return the status for a service via systemd, returns a bool whether the service is running. CLI Example: salt '*' service.status <service name> salt.modules.systemd.stop(name) Stop the specified service with systemd CLI Example: salt '*' service.stop <service name> salt.modules.systemd.systemctl_reload() New in version 0.15.0. Reloads systemctl, an action needed whenever unit files are updated. CLI Example: salt '*' service.systemctl_reload salt.modules.systemd.unmask(name) New in version 2015.5.0. Unmask the specified service with systemd CLI Example: salt '*' service.unmask <service name> salt.modules.temp Simple module for creating temporary directories and files This is a thin wrapper around Pythons tempfile module New in version 2015.8.0. salt.modules.temp.dir(suffix='', prefix='tmp', parent=None) Create a temporary directory CLI Example: salt '*' temp.dir salt '*' temp.dir prefix='mytemp-' parent='/var/run/' salt.modules.temp.file(suffix='', prefix='tmp', parent=None) Create a temporary file CLI Example: salt '*' temp.file salt '*' temp.file prefix='mytemp-' parent='/var/run/' salt.modules.test Module for running arbitrary tests salt.modules.test.arg(*args, **kwargs) Print out the data passed into the function *args and `kwargs, this is used to both test the publication data and cli argument passing, but also to display the information available within the publication data. Returns {"args": args, "kwargs": kwargs}. CLI Example: salt '*' test.arg 1 "two" 3.1 txt="hello" wow='{a: 1, b: "hello"}' salt.modules.test.arg_repr(*args, **kwargs) Print out the data passed into the function *args and `kwargs, this is used to both test the publication data and cli argument passing, but also to display the information available within the publication data. Returns {"args": repr(args), "kwargs": repr(kwargs)}. CLI Example: salt '*' test.arg_repr 1 "two" 3.1 txt="hello" wow='{a: 1, b: "hello"}' salt.modules.test.arg_type(*args, **kwargs) Print out the types of the args and kwargs. This is used to test the types of the args and kwargs passed down to the minion CLI Example: salt '*' test.arg_type 1 'int' salt.modules.test.assertion(assertion) Assert the given argument CLI Example: salt '*' test.assert False salt.modules.test.attr_call() Call grains.items via the attribute CLI Example: .. code-block:: bash salt '*' test.attr_call salt.modules.test.collatz(start) Execute the collatz conjecture from the passed starting number, returns the sequence and the time it took to compute. Used for performance tests. CLI Example: salt '*' test.collatz 3 salt.modules.test.conf_test() Return the value for test.foo in the minion configuration file, or return the default value CLI Example: salt '*' test.conf_test salt.modules.test.cross_test(func, args=None) Execute a minion function via the __salt__ object in the test module, used to verify that the minion functions can be called via the __salt__ module. CLI Example: salt '*' test.cross_test file.gid_to_group 0 salt.modules.test.echo(text) Return a string - used for testing the connection CLI Example: salt '*' test.echo 'foo bar baz quo qux' salt.modules.test.exception(message='Test Exception') Raise an exception Optionally provide an error message or output the full stack. CLI Example: salt '*' test.exception 'Oh noes!' salt.modules.test.false() Always return False CLI Example: salt '*' test.false salt.modules.test.fib(num) Return the num-th Fibonacci number, and the time it took to compute in seconds. Used for performance tests. This function is designed to have terrible performance. CLI Example: salt '*' test.fib 3 salt.modules.test.get_opts() Return the configuration options passed to this minion CLI Example: salt '*' test.get_opts salt.modules.test.kwarg(**kwargs) Print out the data passed into the function **kwargs, this is used to both test the publication data and cli kwarg passing, but also to display the information available within the publication data. CLI Example: salt '*' test.kwarg num=1 txt="two" env='{a: 1, b: "hello"}' salt.modules.test.missing_func() salt.modules.test.module_report() Return a dict containing all of the exeution modules with a report on the overall availability via different references CLI Example: .. code-block:: bash salt '*' test.module_report salt.modules.test.not_loaded() List the modules that were not loaded by the salt loader system CLI Example: salt '*' test.not_loaded salt.modules.test.opts_pkg() Return an opts package with the grains and opts for this minion. This is primarily used to create the options used for master side state compiling routines CLI Example: salt '*' test.opts_pkg salt.modules.test.outputter(data) Test the outputter, pass in data to return CLI Example: salt '*' test.outputter foobar salt.modules.test.ping() Used to make sure the minion is up and responding. Not an ICMP ping. Returns True. CLI Example: salt '*' test.ping salt.modules.test.provider(module) Pass in a function name to discover what provider is being used CLI Example: salt '*' test.provider service salt.modules.test.providers() Return a dict of the provider names and the files that provided them CLI Example: salt '*' test.providers salt.modules.test.rand_sleep(max=60) Sleep for a random number of seconds, used to test long-running commands and minions returning at differing intervals CLI Example: salt '*' test.rand_sleep 60 salt.modules.test.rand_str(size=9999999999, hash_type=None) Return a random string size size of the string to generate hash_type hash type to use New in version 2015.5.2. CLI Example: salt '*' test.rand_str salt.modules.test.retcode(code=42) Test that the returncode system is functioning correctly CLI Example: salt '*' test.retcode 42 salt.modules.test.sleep(length) Instruct the minion to initiate a process that will sleep for a given period of time. CLI Example: salt '*' test.sleep 20 salt.modules.test.stack() Return the current stack trace CLI Example: salt '*' test.stack salt.modules.test.true() Always return True CLI Example: salt '*' test.true salt.modules.test.try_(module, return_try_exception=False, **kwargs) Try to run a module command. On an exception return None. If return_try_exception is set True return the exception. This can be helpful in templates where running a module might fail as expected. CLI Example: <pre> {% for i in range(0,230) %} {{ salt['test.try'](module='ipmi.get_users', bmc_host='172.2.2.'+i)|yaml(False) }} {% endfor %} </pre> salt.modules.test.tty(*args, **kwargs) Deprecated! Moved to cmdmod. CLI Example: salt '*' test.tty tty0 'This is a test' salt '*' test.tty pts3 'This is a test' salt.modules.test.version() Return the version of salt on the minion CLI Example: salt '*' test.version salt.modules.test.versions() This function is an alias of versions_report. Returns versions of components used by salt CLI Example: salt '*' test.versions_report salt.modules.test.versions_information() Report the versions of dependent and system software CLI Example: salt '*' test.versions_information salt.modules.test.versions_report() Returns versions of components used by salt CLI Example: salt '*' test.versions_report salt.modules.test_virtual Module for running arbitrary tests with a __virtual__ function salt.modules.test_virtual.ping() salt.modules.timezone Module for managing timezone on POSIX-like systems. salt.modules.timezone.get_hwclock() Get current hardware clock setting (UTC or localtime) CLI Example: salt '*' timezone.get_hwclock salt.modules.timezone.get_offset() Get current numeric timezone offset from UCT (i.e. -0700) CLI Example: salt '*' timezone.get_offset salt.modules.timezone.get_zone() Get current timezone (i.e. America/Denver) CLI Example: salt '*' timezone.get_zone salt.modules.timezone.get_zonecode() Get current timezone (i.e. PST, MDT, etc) CLI Example: salt '*' timezone.get_zonecode salt.modules.timezone.set_hwclock(clock) Sets the hardware clock to be either UTC or localtime CLI Example: salt '*' timezone.set_hwclock UTC salt.modules.timezone.set_zone(timezone) Unlinks, then symlinks /etc/localtime to the set timezone. The timezone is crucial to several system processes, each of which SHOULD be restarted (for instance, whatever you system uses as its cron and syslog daemons). This will not be automagically done and must be done manually! CLI Example: salt '*' timezone.set_zone 'America/Denver' salt.modules.timezone.zone_compare(timezone) Checks the hash sum between the given timezone, and the one set in /etc/localtime. Returns True if they match, and False if not. Mostly useful for running state checks. CLI Example: salt '*' timezone.zone_compare 'America/Denver' salt.modules.tls A salt module for SSL/TLS. Can create a Certificate Authority (CA) or use Self-Signed certificates. depends • PyOpenSSL Python module (0.10 or later, 0.14 or later for X509 extension support) configuration Add the following values in /etc/salt/minion for the CA module to function properly: ca.cert_base_path: '/etc/pki' CLI Example #1 Creating a CA, a server request and its signed certificate: # salt-call tls.create_ca my_little \ days=5 \ CN='My Little CA' \ C=US \ ST=Utah \ L=Salt Lake City \ O=Saltstack \ emailAddress=pleasedontemail@thisisnot.coms Created Private Key: "/etc/pki/my_little/my_little_ca_cert.key" Created CA "my_little_ca": "/etc/pki/my_little_ca/my_little_ca_cert.crt" # salt-call tls.create_csr my_little CN=www.thisisnot.coms Created Private Key: "/etc/pki/my_little/certs/www.thisisnot.coms.key Created CSR for "www.thisisnot.coms": "/etc/pki/my_little/certs/www.thisisnot.coms.csr" # salt-call tls.create_ca_signed_cert my_little CN=www.thisisnot.coms Created Certificate for "www.thisisnot.coms": /etc/pki/my_little/certs/www.thisisnot.coms.crt" CLI Example #2: Creating a client request and its signed certificate # salt-call tls.create_csr my_little CN=DBReplica_No.1 cert_type=client Created Private Key: "/etc/pki/my_little/certs//DBReplica_No.1.key." Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1.csr." # salt-call tls.create_ca_signed_cert my_little CN=DBReplica_No.1 Created Certificate for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1.crt" CLI Example #3: Creating both a server and client req + cert for the same CN # salt-call tls.create_csr my_little CN=MasterDBReplica_No.2 \ cert_type=client Created Private Key: "/etc/pki/my_little/certs/MasterDBReplica_No.2.key." Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/MasterDBReplica_No.2.csr." # salt-call tls.create_ca_signed_cert my_little CN=MasterDBReplica_No.2 Created Certificate for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1.crt" # salt-call tls.create_csr my_little CN=MasterDBReplica_No.2 \ cert_type=server Certificate "MasterDBReplica_No.2" already exists (doh!) # salt-call tls.create_csr my_little CN=MasterDBReplica_No.2 \ cert_type=server type_ext=True Created Private Key: "/etc/pki/my_little/certs/DBReplica_No.1_client.key." Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1_client.csr." # salt-call tls.create_ca_signed_cert my_little CN=MasterDBReplica_No.2 Certificate "MasterDBReplica_No.2" already exists (DOH!) # salt-call tls.create_ca_signed_cert my_little CN=MasterDBReplica_No.2 \ cert_type=server type_ext=True Created Certificate for "MasterDBReplica_No.2": "/etc/pki/my_little/certs/MasterDBReplica_No.2_server.crt" CLI Example #4: Create a server req + cert with non-CN filename for the cert # salt-call tls.create_csr my_little CN=www.anothersometh.ing \ cert_type=server type_ext=True Created Private Key: "/etc/pki/my_little/certs/www.anothersometh.ing_server.key." Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/www.anothersometh.ing_server.csr." # salt-call tls_create_ca_signed_cert my_little CN=www.anothersometh.ing \ cert_type=server cert_filename="something_completely_different" Created Certificate for "www.anothersometh.ing": /etc/pki/my_little/certs/something_completely_different.crt salt.modules.tls.ca_exists(ca_name, cacert_path=None, ca_filename=None) Verify whether a Certificate Authority (CA) already exists ca_name name of the CA cacert_path absolute path to ca certificates root directory ca_filename alternative filename for the CA New in version 2015.5.3. CLI Example: salt '*' tls.ca_exists test_ca /etc/certs salt.modules.tls.cert_base_path(cacert_path=None) Return the base path for certs from CLI or from options cacert_path absolute path to ca certificates root directory CLI Example: salt '*' tls.cert_base_path salt.modules.tls.cert_info(cert_path, digest='sha256') Return information for a particular certificate cert_path path to the cert file digest what digest to use for fingerprinting CLI Example: salt '*' tls.cert_info /dir/for/certs/cert.pem salt.modules.tls.create_ca(ca_name, bits=2048, days=365, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='SaltStack', OU=None, emailAddress='xyz@pdq.net', fixmode=False, cacert_path=None, ca_filename=None, digest='sha256', onlyif=None, unless=None, replace=False) Create a Certificate Authority (CA) ca_name name of the CA bits number of RSA key bits, default is 2048 days number of days the CA will be valid, default is 365 CN common name in the request, default is "localhost" C country, default is "US" ST state, default is "Utah" L locality, default is "Centerville", the city where SaltStack originated O organization, default is "SaltStack" OU organizational unit, default is None emailAddress email address for the CA owner, default is 'xyz@pdq.net' cacert_path absolute path to ca certificates root directory ca_filename alternative filename for the CA New in version 2015.5.3. digest The message digest algorithm. Must be a string describing a digest algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically). For example, "md5" or "sha1". Default: 'sha256' replace Replace this certificate even if it exists New in version 2015.5.1. Writes out a CA certificate based upon defined config values. If the file already exists, the function just returns assuming the CA certificate already exists. If the following values were set: ca.cert_base_path='/etc/pki' ca_name='koji' the resulting CA, and corresponding key, would be written in the following location: /etc/pki/koji/koji_ca_cert.crt /etc/pki/koji/koji_ca_cert.key CLI Example: salt '*' tls.create_ca test_ca salt.modules.tls.create_ca_signed_cert(ca_name, CN, days=365, cacert_path=None, ca_filename=None, cert_path=None, cert_filename=None, digest='sha256', cert_type=None, type_ext=False, replace=False) Create a Certificate (CERT) signed by a named Certificate Authority (CA) If the certificate file already exists, the function just returns assuming the CERT already exists. The CN must match an existing CSR generated by create_csr. If it does not, this method does nothing. ca_name name of the CA CN common name matching the certificate signing request days number of days certificate is valid, default is 365 (1 year) cacert_path absolute path to ca certificates root directory ca_filename alternative filename for the CA New in version 2015.5.3. cert_path full path to the certificates directory cert_filename alternative filename for the certificate, useful when using special characters in the CN. If this option is set it will override the certificate filename output effects of cert_type. type_ext will be completely overridden. New in version 2015.5.3. digest The message digest algorithm. Must be a string describing a digest algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically). For example, "md5" or "sha1". Default: 'sha256' replace Replace this certificate even if it exists New in version 2015.5.1. cert_type string. Either 'server' or 'client' (see create_csr() for details). If create_csr(type_ext=True) this function must be called with the same cert_type so it can find the CSR file. NOTE: create_csr() defaults to cert_type='server'; therefore, if it was also called with type_ext, cert_type becomes a required argument for create_ca_signed_cert() type_ext bool. If set True, use cert_type as an extension to the CN when formatting the filename. e.g.: some_subject_CN_server.crt or some_subject_CN_client.crt This facilitates the context where both types are required for the same subject If cert_filename is not None, setting type_ext has no effect If the following values were set: ca.cert_base_path='/etc/pki' ca_name='koji' CN='test.egavas.org' the resulting signed certificate would be written in the following location: /etc/pki/koji/certs/test.egavas.org.crt CLI Example: salt '*' tls.create_ca_signed_cert test localhost salt.modules.tls.create_csr(ca_name, bits=2048, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='SaltStack', OU=None, emailAddress='xyz@pdq.net', subjectAltName=None, cacert_path=None, ca_filename=None, csr_path=None, csr_filename=None, digest='sha256', type_ext=False, cert_type='server', replace=False) Create a Certificate Signing Request (CSR) for a particular Certificate Authority (CA) ca_name name of the CA bits number of RSA key bits, default is 2048 CN common name in the request, default is "localhost" C country, default is "US" ST state, default is "Utah" L locality, default is "Centerville", the city where SaltStack originated O organization, default is "SaltStack" NOTE: Must the same as CA certificate or an error will be raised OU organizational unit, default is None emailAddress email address for the request, default is 'xyz@pdq.net' subjectAltName valid subjectAltNames in full form, e.g. to add DNS entry you would call this function with this value: examples: ['DNS:somednsname.com', 'DNS:1.2.3.4', 'IP:1.2.3.4', 'IP:2001:4801:7821:77:be76:4eff:fe11:e51', 'email:me@i.like.pie.com'] NOTE: some libraries do not properly query IP: prefixes, instead looking for the given req. source with a DNS: prefix. To be thorough, you may want to include both DNS: and IP: entries if you are using subjectAltNames for destinations for your TLS connections. e.g.: requests to https://1.2.3.4 will fail from python's requests library w/out the second entry in the above list New in version 2015.8.0. cert_type Specify the general certificate type. Can be either server or client. Indicates the set of common extensions added to the CSR. server: { 'basicConstraints': 'CA:FALSE', 'extendedKeyUsage': 'serverAuth', 'keyUsage': 'digitalSignature, keyEncipherment' } client: { 'basicConstraints': 'CA:FALSE', 'extendedKeyUsage': 'clientAuth', 'keyUsage': 'nonRepudiation, digitalSignature, keyEncipherment' } type_ext boolean. Whether or not to extend the filename with CN_[cert_type] This can be useful if a server and client certificate are needed for the same CN. Defaults to False to avoid introducing an unexpected file naming pattern The files normally named some_subject_CN.csr and some_subject_CN.key will then be saved replace Replace this signing request even if it exists New in version 2015.5.1. Writes out a Certificate Signing Request (CSR) If the file already exists, the function just returns assuming the CSR already exists. If the following values were set: ca.cert_base_path='/etc/pki' ca_name='koji' CN='test.egavas.org' the resulting CSR, and corresponding key, would be written in the following location: /etc/pki/koji/certs/test.egavas.org.csr /etc/pki/koji/certs/test.egavas.org.key CLI Example: salt '*' tls.create_csr test salt.modules.tls.create_empty_crl(ca_name, cacert_path=None, ca_filename=None, crl_file=None) Create an empty Certificate Revocation List. New in version 2015.8.0. ca_name name of the CA cacert_path absolute path to ca certificates root directory ca_filename alternative filename for the CA New in version 2015.5.3. crl_file full path to the CRL file CLI Example: salt '*' tls.create_empty_crl ca_name='koji' ca_filename='ca' crl_file='/etc/openvpn/team1/crl.pem' salt.modules.tls.create_pkcs12(ca_name, CN, passphrase='', cacert_path=None, replace=False) Create a PKCS#12 browser certificate for a particular Certificate (CN) ca_name name of the CA CN common name matching the certificate signing request passphrase used to unlock the PKCS#12 certificate when loaded into the browser cacert_path absolute path to ca certificates root directory replace Replace this certificate even if it exists New in version 2015.5.1. If the following values were set: ca.cert_base_path='/etc/pki' ca_name='koji' CN='test.egavas.org' the resulting signed certificate would be written in the following location: /etc/pki/koji/certs/test.egavas.org.p12 CLI Example: salt '*' tls.create_pkcs12 test localhost salt.modules.tls.create_self_signed_cert(tls_dir='tls', bits=2048, days=365, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='SaltStack', OU=None, emailAddress='xyz@pdq.net', cacert_path=None, cert_filename=None, digest='sha256', replace=False) Create a Self-Signed Certificate (CERT) tls_dir location appended to the ca.cert_base_path, default is 'tls' bits number of RSA key bits, default is 2048 CN common name in the request, default is "localhost" C country, default is "US" ST state, default is "Utah" L locality, default is "Centerville", the city where SaltStack originated O organization, default is "SaltStack" NOTE: Must the same as CA certificate or an error will be raised OU organizational unit, default is None emailAddress email address for the request, default is 'xyz@pdq.net' cacert_path absolute path to ca certificates root directory digest The message digest algorithm. Must be a string describing a digest algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically). For example, "md5" or "sha1". Default: 'sha256' replace Replace this certificate even if it exists New in version 2015.5.1. Writes out a Self-Signed Certificate (CERT). If the file already exists, the function just returns. If the following values were set: ca.cert_base_path='/etc/pki' tls_dir='koji' CN='test.egavas.org' the resulting CERT, and corresponding key, would be written in the following location: /etc/pki/koji/certs/test.egavas.org.crt /etc/pki/koji/certs/test.egavas.org.key CLI Example: salt '*' tls.create_self_signed_cert Passing options from the command line: salt 'minion' tls.create_self_signed_cert CN='test.mysite.org' salt.modules.tls.get_ca(ca_name, as_text=False, cacert_path=None) Get the certificate path or content ca_name name of the CA as_text if true, return the certificate content instead of the path cacert_path absolute path to ca certificates root directory CLI Example: salt '*' tls.get_ca test_ca as_text=False cacert_path=/etc/certs salt.modules.tls.get_ca_signed_cert(ca_name, CN='localhost', as_text=False, cacert_path=None, cert_filename=None) Get the certificate path or content ca_name name of the CA CN common name of the certificate as_text if true, return the certificate content instead of the path cacert_path absolute path to certificates root directory cert_filename alternative filename for the certificate, useful when using special characters in the CN New in version 2015.5.3. CLI Example: salt '*' tls.get_ca_signed_cert test_ca CN=localhost as_text=False cacert_path=/etc/certs salt.modules.tls.get_ca_signed_key(ca_name, CN='localhost', as_text=False, cacert_path=None, key_filename=None) Get the certificate path or content ca_name name of the CA CN common name of the certificate as_text if true, return the certificate content instead of the path cacert_path absolute path to certificates root directory key_filename alternative filename for the key, useful when using special characters New in version 2015.5.3. in the CN CLI Example: salt '*' tls.get_ca_signed_key test_ca CN=localhost as_text=False cacert_path=/etc/certs salt.modules.tls.get_extensions(cert_type) Fetch X509 and CSR extension definitions from tls:extensions: (common|server|client) or set them to standard defaults. New in version 2015.8.0. cert_type: The type of certificate such as server or client. CLI Example: salt '*' tls.get_extensions client salt.modules.tls.maybe_fix_ssl_version(ca_name, cacert_path=None, ca_filename=None) Check that the X509 version is correct (was incorrectly set in previous salt versions). This will fix the version if needed. ca_name ca authority name cacert_path absolute path to ca certificates root directory ca_filename alternative filename for the CA New in version 2015.5.3. CLI Example: salt '*' tls.maybe_fix_ssl_version test_ca /etc/certs salt.modules.tls.revoke_cert(ca_name, CN, cacert_path=None, ca_filename=None, cert_path=None, cert_filename=None, crl_file=None) Revoke a certificate. New in version 2015.8.0. ca_name Name of the CA. CN Common name matching the certificate signing request. cacert_path Absolute path to ca certificates root directory. ca_filename Alternative filename for the CA. cert_path Path to the cert file. cert_filename Alternative filename for the certificate, useful when using special characters in the CN. crl_file Full path to the CRL file. CLI Example: salt '*' tls.revoke_cert ca_name='koji' ca_filename='ca' crl_file='/etc/openvpn/team1/crl.pem' salt.modules.tls.set_ca_path(cacert_path) If wanted, store the aforementioned cacert_path in context to be used as the basepath for further operations CLI Example: salt '*' tls.set_ca_path /etc/certs salt.modules.tomcat Support for Tomcat This module uses the manager webapp to manage Apache tomcat webapps. If the manager webapp is not configured some of the functions won't work. configuration • Java bin path should be in default path • If ipv6 is enabled make sure you permit manager access to ipv6 interface "0:0:0:0:0:0:0:1" • If you are using tomcat.tar.gz it has to be installed or symlinked under /opt, preferably using name tomcat • "tomcat.signal start/stop" works but it does not use the startup scripts The following grains/pillar should be set: tomcat-manager: user: <username> passwd: <password> or the old format: tomcat-manager.user: <username> tomcat-manager.passwd: <password> Also configure a user in the conf/tomcat-users.xml file: <?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager-script"/> <user username="tomcat" password="tomcat" roles="manager-script"/> </tomcat-users> NOTE: • More information about tomcat manager: http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html • if you use only this module for deployments you've might want to strict access to the manager only from localhost for more info: http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Configuring_Manager_Application_Access • Tested on: JVM Vendor: Sun Microsystems Inc. JVM Version: 1.6.0_43-b01 OS Architecture: amd64 OS Name: Linux OS Version: 2.6.32-358.el6.x86_64 Tomcat Version: Apache Tomcat/7.0.37 salt.modules.tomcat.deploy_war(war, context, force='no', url='http://localhost:8080/manager', saltenv='base', timeout=180, env=None, temp_war_location=None, version='') Deploy a WAR file war absolute path to WAR file (should be accessible by the user running tomcat) or a path supported by the salt.modules.cp.get_file function context the context path to deploy force False set True to deploy the webapp even one is deployed in the context url http://localhost:8080/manager the URL of the server manager webapp saltenv base the environment for WAR file in used by salt.modules.cp.get_url function timeout 180 timeout for HTTP request temp_war_location None use another location to temporarily copy to war file by default the system's temp directory is used version '' Specify the war version. If this argument is provided, it overrides the version encoded in the war file name, if one is present. Examples: salt '*' tomcat.deploy_war salt://salt-2015.8.6.war version=2015.08.r6 New in version 2015.8.6. CLI Examples: cp module salt '*' tomcat.deploy_war salt://application.war /api salt '*' tomcat.deploy_war salt://application.war /api no salt '*' tomcat.deploy_war salt://application.war /api yes http://localhost:8080/manager minion local file system salt '*' tomcat.deploy_war /tmp/application.war /api salt '*' tomcat.deploy_war /tmp/application.war /api no salt '*' tomcat.deploy_war /tmp/application.war /api yes http://localhost:8080/manager salt.modules.tomcat.fullversion() Return all server information from catalina.sh version CLI Example: salt '*' tomcat.fullversion salt.modules.tomcat.leaks(url='http://localhost:8080/manager', timeout=180) Find memory leaks in tomcat url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request CLI Examples: salt '*' tomcat.leaks salt.modules.tomcat.ls(url='http://localhost:8080/manager', timeout=180) list all the deployed webapps url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request CLI Examples: salt '*' tomcat.ls salt '*' tomcat.ls http://localhost:8080/manager salt.modules.tomcat.passwd(passwd, user='', alg='sha1', realm=None) This function replaces the $CATALINA_HOME/bin/digest.sh script convert a clear-text password to the $CATALINA_BASE/conf/tomcat-users.xml format CLI Examples: salt '*' tomcat.passwd secret salt '*' tomcat.passwd secret tomcat sha1 salt '*' tomcat.passwd secret tomcat sha1 'Protected Realm' salt.modules.tomcat.reload(app, url='http://localhost:8080/manager', timeout=180) Reload the webapp app the webapp context path url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request CLI Examples: salt '*' tomcat.reload /jenkins salt '*' tomcat.reload /jenkins http://localhost:8080/manager salt.modules.tomcat.serverinfo(url='http://localhost:8080/manager', timeout=180) return details about the server url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request CLI Examples: salt '*' tomcat.serverinfo salt '*' tomcat.serverinfo http://localhost:8080/manager salt.modules.tomcat.sessions(app, url='http://localhost:8080/manager', timeout=180) return the status of the webapp sessions app the webapp context path url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request CLI Examples: salt '*' tomcat.sessions /jenkins salt '*' tomcat.sessions /jenkins http://localhost:8080/manager salt.modules.tomcat.signal(signal=None) Signals catalina to start, stop, securestart, forcestop. CLI Example: salt '*' tomcat.signal start salt.modules.tomcat.start(app, url='http://localhost:8080/manager', timeout=180) Start the webapp app the webapp context path url http://localhost:8080/manager the URL of the server manager webapp timeout timeout for HTTP request CLI Examples: salt '*' tomcat.start /jenkins salt '*' tomcat.start /jenkins http://localhost:8080/manager salt.modules.tomcat.status(url='http://localhost:8080/manager', timeout=180) Used to test if the tomcat manager is up url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request CLI Examples: salt '*' tomcat.status salt '*' tomcat.status http://localhost:8080/manager salt.modules.tomcat.status_webapp(app, url='http://localhost:8080/manager', timeout=180) return the status of the webapp (stopped | running | missing) app the webapp context path url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request CLI Examples: salt '*' tomcat.status_webapp /jenkins salt '*' tomcat.status_webapp /jenkins http://localhost:8080/manager salt.modules.tomcat.stop(app, url='http://localhost:8080/manager', timeout=180) Stop the webapp app the webapp context path url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request CLI Examples: salt '*' tomcat.stop /jenkins salt '*' tomcat.stop /jenkins http://localhost:8080/manager salt.modules.tomcat.undeploy(app, url='http://localhost:8080/manager', timeout=180) Undeploy a webapp app the webapp context path url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request CLI Examples: salt '*' tomcat.undeploy /jenkins salt '*' tomcat.undeploy /jenkins http://localhost:8080/manager salt.modules.tomcat.version() Return server version from catalina.sh version CLI Example: salt '*' tomcat.version salt.modules.trafficserver Apache Traffic Server execution module. New in version 2015.8.0. traffic_line is used to execute individual Traffic Server commands and to script multiple commands in a shell. salt.modules.trafficserver.alarms() List all alarm events that have not been acknowledged (cleared). salt '*' trafficserver.alarms salt.modules.trafficserver.bounce_cluster() Bounce all Traffic Server nodes in the cluster. Bouncing Traffic Server shuts down and immediately restarts Traffic Server, node-by-node. salt '*' trafficserver.bounce_cluster salt.modules.trafficserver.bounce_local(drain=False) Bounce Traffic Server on the local node. Bouncing Traffic Server shuts down and immediately restarts the Traffic Server node. This option modifies the behavior of traffic_line -b and traffic_line -L such that traffic_server is not shut down until the number of active client connections drops to the number given by the proxy.config.restart.active_client_threshold configuration variable. salt '*' trafficserver.bounce_local salt '*' trafficserver.bounce_local drain=True salt.modules.trafficserver.clear_alarms(alarm) Clear (acknowledge) an alarm event. The arguments are “all” for all current alarms, a specific alarm number (e.g. ‘‘1’‘), or an alarm string identifier (e.g. ‘’MGMT_ALARM_PROXY_CONFIG_ERROR’‘). salt '*' trafficserver.clear_alarms [all | #event | name] salt.modules.trafficserver.clear_cluster() Clears accumulated statistics on all nodes in the cluster. salt '*' trafficserver.clear_cluster salt.modules.trafficserver.clear_node() Clears accumulated statistics on the local node. salt '*' trafficserver.clear_node salt.modules.trafficserver.match_var(regex) Display the current values of all performance statistics or configuration variables whose names match the given regular expression. salt '*' trafficserver.match_var regex salt.modules.trafficserver.offline(path) Mark a cache storage device as offline. The storage is identified by a path which must match exactly a path specified in storage.config. This removes the storage from the cache and redirects requests that would have used this storage to other storage. This has exactly the same effect as a disk failure for that storage. This does not persist across restarts of the traffic_server process. salt '*' trafficserver.offline /path/to/cache salt.modules.trafficserver.read_var(*args) Read variable definitions from the traffic_line command This allows reading arbitrary key=value pairs from within trafficserver salt '*' trafficserver.read_var proxy.process.http.tcp_hit_count_stat salt.modules.trafficserver.refresh() Initiate a Traffic Server configuration file reread. Use this command to update the running configuration after any configuration file modification. The timestamp of the last reconfiguration event (in seconds since epoch) is published in the proxy.node.config.reconfigure_time metric. salt '*' trafficserver.refresh salt.modules.trafficserver.restart_cluster() Restart the traffic_manager process and the traffic_server process on all the nodes in a cluster. salt '*' trafficserver.restart_cluster salt.modules.trafficserver.restart_local(drain=False) Restart the traffic_manager and traffic_server processes on the local node. This option modifies the behavior of traffic_line -b and traffic_line -L such that traffic_server is not shut down until the number of active client connections drops to the number given by the proxy.config.restart.active_client_threshold configuration variable. salt '*' trafficserver.restart_local salt '*' trafficserver.restart_local drain=True salt.modules.trafficserver.set_var(variable, value) salt '*' trafficserver.set_var proxy.config.http.server_ports salt.modules.trafficserver.shutdown() Shut down Traffic Server on the local node. salt '*' trafficserver.shutdown salt.modules.trafficserver.startup() Start Traffic Server on the local node. salt '*' trafficserver.start salt.modules.trafficserver.status() Show the current proxy server status, indicating if we’re running or not. salt '*' trafficserver.status salt.modules.trafficserver.zero_cluster() Reset performance statistics to zero across the cluster. salt '*' trafficserver.zero_cluster salt.modules.trafficserver.zero_node() Reset performance statistics to zero on the local node. salt '*' trafficserver.zero_cluster salt.modules.tuned Interface to Red Hat tuned-adm module maintainer Syed Ali <alicsyed@gmail.com> maturity new depends tuned-adm platform Linux salt.modules.tuned.active() Return current active profile CLI Example: salt '*' tuned.active salt.modules.tuned.list() List the profiles available CLI Example: salt '*' tuned.list salt.modules.tuned.off() Turn off all profiles CLI Example: salt '*' tuned.off salt.modules.tuned.profile(profile_name) Activate specified profile CLI Example: salt '*' tuned.profile virtual-guest salt.modules.twilio_notify Module for notifications via Twilio New in version 2014.7.0. depends • twilio python module configuration Configure this module by specifying the name of a configuration profile in the minion config, minion pillar, or master config. For example: my-twilio-account: twilio.account_sid: AC32a3c83990934481addd5ce1659f04d2 twilio.auth_token: mytoken salt.modules.twilio_notify.send_sms(profile, body, to, from_) Send an sms CLI Example: twilio.send_sms twilio-account 'Test sms' '+18019999999' '+18011111111' salt.modules.udev Manage and query udev info New in version 2015.8.0. salt.modules.udev.env(dev) Return all environment variables udev has for dev CLI Example: salt '*' udev.env /dev/sda salt '*' udev.env /sys/class/net/eth0 salt.modules.udev.info(dev) Extract all info delivered by udevadm CLI Example: salt '*' udev.info /dev/sda salt '*' udev.info /sys/class/net/eth0 salt.modules.udev.links(dev) Return all udev-created device symlinks CLI Example: salt '*' udev.links /dev/sda salt '*' udev.links /sys/class/net/eth0 salt.modules.udev.name(dev) Return the actual dev name(s?) according to udev for dev CLI Example: salt '*' udev.dev /dev/sda salt '*' udev.dev /sys/class/net/eth0 salt.modules.udev.path(dev) Return the physical device path(s?) according to udev for dev CLI Example: salt '*' udev.path /dev/sda salt '*' udev.path /sys/class/net/eth0 salt.modules.upstart Module for the management of upstart systems. The Upstart system only supports service starting, stopping and restarting. Currently (as of Ubuntu 12.04) there is no tool available to disable Upstart services (like update-rc.d). This[1] is the recommended way to disable an Upstart service. So we assume that all Upstart services that have not been disabled in this manner are enabled. But this is broken because we do not check to see that the dependent services are enabled. Otherwise we would have to do something like parse the output of "initctl show-config" to determine if all service dependencies are enabled to start on boot. For example, see the "start on" condition for the lightdm service below[2]. And this would be too hard. So we wait until the upstart developers have solved this problem. :) This is to say that an Upstart service that is enabled may not really be enabled. Also, when an Upstart service is enabled, should the dependent services be enabled too? Probably not. But there should be a notice about this, at least. [1] http://upstart.ubuntu.com/cookbook/#disabling-a-job-from-automatically-starting [2] example upstart configuration file: lightdm emits login-session-start emits desktop-session-start emits desktop-shutdown start on ((((filesystem and runlevel [!06]) and started dbus) and (drm-device-added card0 PRIMARY_DEVICE_FOR_DISPLAY=1 or stopped udev-fallback-graphics)) or runlevel PREVLEVEL=S) stop on runlevel [016] WARNING: This module should not be used on Red Hat systems. For these, the rh_service module should be used, as it supports the hybrid upstart/sysvinit system used in RHEL/CentOS 6. salt.modules.upstart.available(name) Returns True if the specified service is available, otherwise returns False. CLI Example: salt '*' service.available sshd salt.modules.upstart.disable(name, **kwargs) Disable the named service from starting on boot CLI Example: salt '*' service.disable <service name> salt.modules.upstart.disabled(name) Check to see if the named service is disabled to start on boot CLI Example: salt '*' service.disabled <service name> salt.modules.upstart.enable(name, **kwargs) Enable the named service to start at boot CLI Example: salt '*' service.enable <service name> salt.modules.upstart.enabled(name, **kwargs) Check to see if the named service is enabled to start on boot CLI Example: salt '*' service.enabled <service name> salt.modules.upstart.force_reload(name) Force-reload the named service CLI Example: salt '*' service.force_reload <service name> salt.modules.upstart.full_restart(name) Do a full restart (stop/start) of the named service CLI Example: salt '*' service.full_restart <service name> salt.modules.upstart.get_all() Return all installed services CLI Example: salt '*' service.get_all salt.modules.upstart.get_disabled() Return the disabled services CLI Example: salt '*' service.get_disabled salt.modules.upstart.get_enabled() Return the enabled services CLI Example: salt '*' service.get_enabled salt.modules.upstart.missing(name) The inverse of service.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' service.missing sshd salt.modules.upstart.reload(name) Reload the named service CLI Example: salt '*' service.reload <service name> salt.modules.upstart.restart(name) Restart the named service CLI Example: salt '*' service.restart <service name> salt.modules.upstart.start(name) Start the specified service CLI Example: salt '*' service.start <service name> salt.modules.upstart.status(name, sig=None) Return the status for a service, returns a bool whether the service is running. CLI Example: salt '*' service.status <service name> salt.modules.upstart.stop(name) Stop the specified service CLI Example: salt '*' service.stop <service name> salt.modules.uptime Wrapper around uptime API salt.modules.uptime.check_exists(name) Check if a given URL is in being monitored by uptime CLI Example: salt '*' uptime.check_exists http://example.org salt.modules.uptime.checks_list() List URL checked by uptime CLI Example: salt '*' uptime.checks_list salt.modules.uptime.create(name, **params) Create a check on a given URL. Additional parameters can be used and are passed to API (for example interval, maxTime, etc). See the documentation https://github.com/fzaninotto/uptime for a full list of the parameters. CLI Example: salt '*' uptime.create http://example.org salt.modules.uptime.delete(name) Delete a check on a given URL CLI Example: salt '*' uptime.delete http://example.org salt.modules.useradd Manage users with the useradd command salt.modules.useradd.add(name, uid=None, gid=None, groups=None, home=None, shell=None, unique=True, system=False, fullname='', roomnumber='', workphone='', homephone='', createhome=True, loginclass=None) Add a user to the minion CLI Example: salt '*' user.add name <uid> <gid> <groups> <home> <shell> salt.modules.useradd.chfullname(name, fullname) Change the user's Full Name CLI Example: salt '*' user.chfullname foo "Foo Bar" salt.modules.useradd.chgid(name, gid) Change the default group of the user CLI Example: salt '*' user.chgid foo 4376 salt.modules.useradd.chgroups(name, groups, append=False) Change the groups to which this user belongs name User to modify groups Groups to set for the user append False If True, append the specified group(s). Otherwise, this function will replace the user's groups with the specified group(s). CLI Examples: salt '*' user.chgroups foo wheel,root salt '*' user.chgroups foo wheel,root append=True salt.modules.useradd.chhome(name, home, persist=False) Change the home directory of the user, pass True for persist to move files to the new home directory if the old home directory exist. CLI Example: salt '*' user.chhome foo /home/users/foo True salt.modules.useradd.chhomephone(name, homephone) Change the user's Home Phone CLI Example: salt '*' user.chhomephone foo 7735551234 salt.modules.useradd.chloginclass(name, loginclass) Change the default login class of the user NOTE: This function only applies to OpenBSD systems. CLI Example: salt '*' user.chloginclass foo staff salt.modules.useradd.chroomnumber(name, roomnumber) Change the user's Room Number CLI Example: salt '*' user.chroomnumber foo 123 salt.modules.useradd.chshell(name, shell) Change the default shell of the user CLI Example: salt '*' user.chshell foo /bin/zsh salt.modules.useradd.chuid(name, uid) Change the uid for a named user CLI Example: salt '*' user.chuid foo 4376 salt.modules.useradd.chworkphone(name, workphone) Change the user's Work Phone CLI Example: salt '*' user.chworkphone foo 7735550123 salt.modules.useradd.delete(name, remove=False, force=False) Remove a user from the minion CLI Example: salt '*' user.delete name remove=True force=True salt.modules.useradd.get_loginclass(name) Get the login class of the user NOTE: This function only applies to OpenBSD systems. CLI Example: salt '*' user.get_loginclass foo salt.modules.useradd.getent(refresh=False) Return the list of all info for all users CLI Example: salt '*' user.getent salt.modules.useradd.info(name) Return user information CLI Example: salt '*' user.info root salt.modules.useradd.list_groups(name) Return a list of groups the named user belongs to CLI Example: salt '*' user.list_groups foo salt.modules.useradd.list_users() Return a list of all users CLI Example: salt '*' user.list_users salt.modules.useradd.rename(name, new_name) Change the username for a named user CLI Example: salt '*' user.rename name new_name salt.modules.uwsgi uWSGI stats server http://uwsgi-docs.readthedocs.org/en/latest/StatsServer.html maintainer Peter Baumgartner <pete@lincolnloop.com> maturity new platform all salt.modules.uwsgi.stats(socket) Return the data from uwsgi --connect-and-read as a dictionary. socket The socket the uWSGI stats server is listening on CLI Example: salt '*' uwsgi.stats /var/run/mystatsserver.sock salt '*' uwsgi.stats 127.0.0.1:5050 salt.modules.varnish Support for Varnish New in version 2014.7.0. NOTE: These functions are designed to work with all implementations of Varnish from 3.x onwards salt.modules.varnish.ban(ban_expression) Add ban to the varnish cache CLI Example: salt '*' varnish.ban ban_expression salt.modules.varnish.ban_list() List varnish cache current bans CLI Example: salt '*' varnish.ban_list salt.modules.varnish.param_set(param, value) Set a param in varnish cache CLI Example: salt '*' varnish.param_set param value salt.modules.varnish.param_show(param=None) Show params of varnish cache CLI Example: salt '*' varnish.param_show param salt.modules.varnish.purge() Purge the varnish cache CLI Example: salt '*' varnish.purge salt.modules.varnish.version() Return server version from varnishd -V CLI Example: salt '*' varnish.version salt.modules.vbox_guest VirtualBox Guest Additions installer salt.modules.vbox_guest.additions_install(*args, **kwargs) Install VirtualBox Guest Additions. Uses the CD, connected by VirtualBox. To connect VirtualBox Guest Additions via VirtualBox graphical interface press 'Host+D' ('Host' is usually 'Right Ctrl'). See https://www.virtualbox.org/manual/ch04.html#idp52733088 for more details. CLI Example: salt '*' vbox_guest.additions_install salt '*' vbox_guest.additions_install reboot=True salt '*' vbox_guest.additions_install upgrade_os=True Parameters • reboot (bool) -- reboot computer to complete installation • upgrade_os (bool) -- upgrade OS (to ensure the latests version of kernel and developer tools are installed) Returns version of VirtualBox Guest Additions or string with error salt.modules.vbox_guest.additions_mount() Mount VirtualBox Guest Additions CD to the temp directory. To connect VirtualBox Guest Additions via VirtualBox graphical interface press 'Host+D' ('Host' is usually 'Right Ctrl'). CLI Example: salt '*' vbox_guest.additions_mount Returns True or OSError exception salt.modules.vbox_guest.additions_remove(**kwargs) Remove VirtualBox Guest Additions. Firstly it tries to uninstall itself by executing '/opt/VBoxGuestAdditions-VERSION/uninstall.run uninstall'. It uses the CD, connected by VirtualBox if it failes. CLI Example: salt '*' vbox_guest.additions_remove salt '*' vbox_guest.additions_remove force=True Parameters force (bool) -- force VirtualBox Guest Additions removing Returns True if VirtualBox Guest Additions were removed successfully else False salt.modules.vbox_guest.additions_umount(mount_point) Unmount VirtualBox Guest Additions CD from the temp directory. CLI Example: salt '*' vbox_guest.additions_umount Parameters mount_point -- directory VirtualBox Guest Additions is mounted to Returns True or an string with error salt.modules.vbox_guest.additions_version() Check VirtualBox Guest Additions version. CLI Example: salt '*' vbox_guest.additions_version Returns version of VirtualBox Guest Additions or False if they are not installed salt.modules.vbox_guest.grant_access_to_shared_folders_to(name, users=None) Grant access to auto-mounted shared folders to the users. User is specified by it's name. To grant access for several users use argument users. Access will be denied to the users not listed in users argument. See https://www.virtualbox.org/manual/ch04.html#sf_mount_auto for more details. CLI Example: salt '*' vbox_guest.grant_access_to_shared_folders_to fred salt '*' vbox_guest.grant_access_to_shared_folders_to users ['fred', 'roman'] Parameters • name (str) -- name of the user to grant access to auto-mounted shared folders to • users (list of str) -- list of names of users to grant access to auto-mounted shared folders to (if specified, name will not be taken into account) Returns list of users who have access to auto-mounted shared folders salt.modules.vbox_guest.list_shared_folders_users() List users who have access to auto-mounted shared folders. See https://www.virtualbox.org/manual/ch04.html#sf_mount_auto for more details. CLI Example: salt '*' vbox_guest.list_shared_folders_users Returns list of users who have access to auto-mounted shared folders salt.modules.victorops Support for VictorOps New in version 2015.8.0. Requires an api_key in /etc/salt/minion: salt.modules.victorops.create_event(message_type=None, routing_key='everybody', **kwargs) Create an event in VictorOps. Designed for use in states. The following parameters are required: Parameters message_type -- One of the following values: INFO, WARNING, ACKNOWLEDGEMENT, CRITICAL, RECOVERY. The following parameters are optional: Parameters • routing_key -- The key for where messages should be routed. By default, sent to 'everyone' route. • entity_id -- The name of alerting entity. If not provided, a random name will be assigned. • timestamp -- Timestamp of the alert in seconds since epoch. Defaults to the time the alert is received at VictorOps. :param timestamp_fmt The date format for the timestamp parameter. Parameters • state_start_time -- The time this entity entered its current state (seconds since epoch). Defaults to the time alert is received. • state_start_time_fmt -- The date format for the timestamp parameter. • state_message -- Any additional status information from the alert item. • entity_is_host -- Used within VictorOps to select the appropriate display format for the incident. • entity_display_name -- Used within VictorOps to display a human-readable name for the entity. • ack_message -- A user entered comment for the acknowledgment. • ack_author -- The user that acknowledged the incident. Returns A dictionary with result, entity_id, and message if result was failure. CLI Example: salt myminion victorops.create_event message_type='CRITICAL' routing_key='everyone' entity_id='hostname/diskspace' salt myminion victorops.create_event message_type='ACKNOWLEDGEMENT' routing_key='everyone' entity_id='hostname/diskspace' ack_message='Acknowledged' ack_author='username' salt myminion victorops.create_event message_type='RECOVERY' routing_key='everyone' entity_id='hostname/diskspace' The following parameters are required: message_type salt.modules.virt Work with virtual machines managed by libvirt depends libvirt Python module salt.modules.virt.create(vm_) Start a defined domain CLI Example: salt '*' virt.create <vm name> salt.modules.virt.create_xml_path(path) Start a domain based on the XML-file path passed to the function CLI Example: salt '*' virt.create_xml_path <path to XML file on the node> salt.modules.virt.create_xml_str(xml) Start a domain based on the XML passed to the function CLI Example: salt '*' virt.create_xml_str <XML in string format> salt.modules.virt.ctrl_alt_del(vm_) Sends CTRL+ALT+DEL to a VM CLI Example: salt '*' virt.ctrl_alt_del <vm name> salt.modules.virt.define_vol_xml_path(path) Define a volume based on the XML-file path passed to the function CLI Example: salt '*' virt.define_vol_xml_path <path to XML file on the node> salt.modules.virt.define_vol_xml_str(xml) Define a volume based on the XML passed to the function CLI Example: salt '*' virt.define_vol_xml_str <XML in string format> salt.modules.virt.define_xml_path(path) Define a domain based on the XML-file path passed to the function CLI Example: salt '*' virt.define_xml_path <path to XML file on the node> salt.modules.virt.define_xml_str(xml) Define a domain based on the XML passed to the function CLI Example: salt '*' virt.define_xml_str <XML in string format> salt.modules.virt.destroy(vm_) Hard power down the virtual machine, this is equivalent to pulling the power CLI Example: salt '*' virt.destroy <vm name> salt.modules.virt.freecpu() Return an int representing the number of unallocated cpus on this hypervisor CLI Example: salt '*' virt.freecpu salt.modules.virt.freemem() Return an int representing the amount of memory (in MB) that has not been given to virtual machines on this node CLI Example: salt '*' virt.freemem salt.modules.virt.full_info() Return the node_info, vm_info and freemem CLI Example: salt '*' virt.full_info salt.modules.virt.get_disks(vm_) Return the disks of a named vm CLI Example: salt '*' virt.get_disks <vm name> salt.modules.virt.get_graphics(vm_) Returns the information on vnc for a given vm CLI Example: salt '*' virt.get_graphics <vm name> salt.modules.virt.get_macs(vm_) Return a list off MAC addresses from the named vm CLI Example: salt '*' virt.get_macs <vm name> salt.modules.virt.get_nics(vm_) Return info about the network interfaces of a named vm CLI Example: salt '*' virt.get_nics <vm name> salt.modules.virt.get_profiles(hypervisor=None) Return the virt profiles for hypervisor. Currently there are profiles for: • nic • disk CLI Example: salt '*' virt.get_profiles salt '*' virt.get_profiles hypervisor=esxi salt.modules.virt.get_xml(vm_) Returns the XML for a given vm CLI Example: salt '*' virt.get_xml <vm name> salt.modules.virt.init(name, cpu, mem, image=None, nic='default', hypervisor='kvm', start=True, disk='default', saltenv='base', seed=True, install=True, pub_key=None, priv_key=None, seed_cmd='seed.apply', **kwargs) Initialize a new vm CLI Example: salt 'hypervisor' virt.init vm_name 4 512 salt://path/to/image.raw salt 'hypervisor' virt.init vm_name 4 512 nic=profile disk=profile salt.modules.virt.is_hyper() Returns a bool whether or not this node is a hypervisor of any kind CLI Example: salt '*' virt.is_hyper salt.modules.virt.is_kvm_hyper() Returns a bool whether or not this node is a KVM hypervisor CLI Example: salt '*' virt.is_kvm_hyper salt.modules.virt.is_xen_hyper() Returns a bool whether or not this node is a XEN hypervisor CLI Example: salt '*' virt.is_xen_hyper salt.modules.virt.list_active_vms() Return a list of names for active virtual machine on the minion CLI Example: salt '*' virt.list_active_vms salt.modules.virt.list_inactive_vms() Return a list of names for inactive virtual machine on the minion CLI Example: salt '*' virt.list_inactive_vms salt.modules.virt.list_vms() Return a list of virtual machine names on the minion CLI Example: salt '*' virt.list_vms salt.modules.virt.migrate(vm_, target, ssh=False) Shared storage migration CLI Example: salt '*' virt.migrate <vm name> <target hypervisor> salt.modules.virt.migrate_non_shared(vm_, target, ssh=False) Attempt to execute non-shared storage "all" migration CLI Example: salt '*' virt.migrate_non_shared <vm name> <target hypervisor> salt.modules.virt.migrate_non_shared_inc(vm_, target, ssh=False) Attempt to execute non-shared storage "all" migration CLI Example: salt '*' virt.migrate_non_shared_inc <vm name> <target hypervisor> salt.modules.virt.node_info() Return a dict with information about this node CLI Example: salt '*' virt.node_info salt.modules.virt.pause(vm_) Pause the named vm CLI Example: salt '*' virt.pause <vm name> salt.modules.virt.purge(vm_, dirs=False) Recursively destroy and delete a virtual machine, pass True for dir's to also delete the directories containing the virtual machine disk images - USE WITH EXTREME CAUTION! CLI Example: salt '*' virt.purge <vm name> salt.modules.virt.reboot(vm_) Reboot a domain via ACPI request CLI Example: salt '*' virt.reboot <vm name> salt.modules.virt.reset(vm_) Reset a VM by emulating the reset button on a physical machine CLI Example: salt '*' virt.reset <vm name> salt.modules.virt.resume(vm_) Resume the named vm CLI Example: salt '*' virt.resume <vm name> salt.modules.virt.seed_non_shared_migrate(disks, force=False) Non shared migration requires that the disks be present on the migration destination, pass the disks information via this function, to the migration destination before executing the migration. CLI Example: salt '*' virt.seed_non_shared_migrate <disks> salt.modules.virt.set_autostart(vm_, state='on') Set the autostart flag on a VM so that the VM will start with the host system on reboot. CLI Example: salt "*" virt.set_autostart <vm name> <on | off> salt.modules.virt.setmem(vm_, memory, config=False) Changes the amount of memory allocated to VM. The VM must be shutdown for this to work. memory is to be specified in MB If config is True then we ask libvirt to modify the config as well CLI Example: salt '*' virt.setmem myvm 768 salt.modules.virt.setvcpus(vm_, vcpus, config=False) Changes the amount of vcpus allocated to VM. The VM must be shutdown for this to work. vcpus is an int representing the number to be assigned If config is True then we ask libvirt to modify the config as well CLI Example: salt '*' virt.setvcpus myvm 2 salt.modules.virt.shutdown(vm_) Send a soft shutdown signal to the named vm CLI Example: salt '*' virt.shutdown <vm name> salt.modules.virt.start(vm_) Alias for the obscurely named 'create' function CLI Example: salt '*' virt.start <vm name> salt.modules.virt.stop(vm_) Alias for the obscurely named 'destroy' function CLI Example: salt '*' virt.stop <vm name> salt.modules.virt.undefine(vm_) Remove a defined vm, this does not purge the virtual machine image, and this only works if the vm is powered down CLI Example: salt '*' virt.undefine <vm name> salt.modules.virt.virt_type() Returns the virtual machine type as a string CLI Example: salt '*' virt.virt_type salt.modules.virt.vm_cputime(vm_=None) Return cputime used by the vms on this hyper in a list of dicts: [ 'your-vm': { 'cputime' <int> 'cputime_percent' <int> }, ... ] If you pass a VM name in as an argument then it will return info for just the named VM, otherwise it will return all VMs. CLI Example: salt '*' virt.vm_cputime salt.modules.virt.vm_diskstats(vm_=None) Return disk usage counters used by the vms on this hyper in a list of dicts: [ 'your-vm': { 'rd_req' : 0, 'rd_bytes' : 0, 'wr_req' : 0, 'wr_bytes' : 0, 'errs' : 0 }, ... ] If you pass a VM name in as an argument then it will return info for just the named VM, otherwise it will return all VMs. CLI Example: salt '*' virt.vm_blockstats salt.modules.virt.vm_info(vm_=None) Return detailed information about the vms on this hyper in a list of dicts: [ 'your-vm': { 'cpu': <int>, 'maxMem': <int>, 'mem': <int>, 'state': '<state>', 'cputime' <int> }, ... ] If you pass a VM name in as an argument then it will return info for just the named VM, otherwise it will return all VMs. CLI Example: salt '*' virt.vm_info salt.modules.virt.vm_netstats(vm_=None) Return combined network counters used by the vms on this hyper in a list of dicts: [ 'your-vm': { 'rx_bytes' : 0, 'rx_packets' : 0, 'rx_errs' : 0, 'rx_drop' : 0, 'tx_bytes' : 0, 'tx_packets' : 0, 'tx_errs' : 0, 'tx_drop' : 0 }, ... ] If you pass a VM name in as an argument then it will return info for just the named VM, otherwise it will return all VMs. CLI Example: salt '*' virt.vm_netstats salt.modules.virt.vm_state(vm_=None) Return list of all the vms and their state. If you pass a VM name in as an argument then it will return info for just the named VM, otherwise it will return all VMs. CLI Example: salt '*' virt.vm_state <vm name> salt.modules.virtualenv Create virtualenv environments. New in version 0.17.0. salt.modules.virtualenv_mod.create(path, venv_bin=None, system_site_packages=False, distribute=False, clear=False, python=None, extra_search_dir=None, never_download=None, prompt=None, pip=False, symlinks=None, upgrade=None, user=None, use_vt=False, saltenv='base') Create a virtualenv path The path to create the virtualenv venv_bin None (default 'virtualenv') The name (and optionally path) of the virtualenv command. This can also be set globally in the minion config file as virtualenv.venv_bin. system_site_packages False Passthrough argument given to virtualenv or pyvenv distribute False Passthrough argument given to virtualenv pip False Install pip after creating a virtual environment, implies distribute=True clear False Passthrough argument given to virtualenv or pyvenv python None (default) Passthrough argument given to virtualenv extra_search_dir None (default) Passthrough argument given to virtualenv never_download None (default) Passthrough argument given to virtualenv if True prompt None (default) Passthrough argument given to virtualenv if not None symlinks None Passthrough argument given to pyvenv if True upgrade None Passthrough argument given to pyvenv if True user None Set ownership for the virtualenv runas None Set ownership for the virtualenv use_vt False Use VT terminal emulation (see ouptut while installing) New in version 2015.5.0. saltenv 'base' Specify a different environment. The default environment is base. New in version 2014.1.0. NOTE: The runas argument is deprecated as of 2014.1.0. user should be used instead. CLI Example: salt '*' virtualenv.create /path/to/new/virtualenv salt.modules.virtualenv_mod.get_resource_content(venv, package_or_requirement, resource_name) Returns the content of a resource of a package or a distribution inside a virtualenv New in version 2015.5.0. venv Path to the virtualenv. package_or_requirement Name of the package where the resource resides in. resource_name Name of the resource of which the content is to be returned. CLI Example: salt '*' virtualenv.get_resource_content /path/to/my/venv my_package my/resource.xml salt.modules.virtualenv_mod.get_resource_path(venv, package_or_requirement, resource_name) Returns the path to a resource of a package or a distribution inside a virtualenv New in version 2015.5.0. venv Path to the virtualenv. package_or_requirement Name of the package where the resource resides in. resource_name Name of the resource of which the path is to be returned. CLI Example: salt '*' virtualenv.get_resource_path /path/to/my/venv my_package my/resource.xml salt.modules.virtualenv_mod.get_site_packages(venv) Returns the path to the site-packages directory inside a virtualenv venv Path to the virtualenv. CLI Example: salt '*' virtualenv.get_site_packages /path/to/my/venv salt.modules.vsphere Manage VMware vCenter servers and ESXi hosts. New in version 2015.8.4. Dependencies • pyVmomi Python Module • ESXCLI pyVmomi PyVmomi can be installed via pip: pip install pyVmomi NOTE: Version 6.0 of pyVmomi has some problems with SSL error handling on certain versions of Python. If using version 6.0 of pyVmomi, Python 2.6, Python 2.7.9, or newer must be present. This is due to an upstream dependency in pyVmomi 6.0 that is not supported in Python versions 2.7 to 2.7.8. If the version of Python is not in the supported range, you will need to install an earlier version of pyVmomi. See Issue #29537 for more information. Based on the note above, to install an earlier version of pyVmomi than the version currently listed in PyPi, run the following: pip install pyVmomi==5.5.0.2014.1.1 The 5.5.0.2014.1.1 is a known stable version that this original vSphere Execution Module was developed against. ESXCLI Currently, about a third of the functions used in the vSphere Execution Module require the ESXCLI package be installed on the machine running the Proxy Minion process. The ESXCLI package is also referred to as the VMware vSphere CLI, or vCLI. VMware provides vCLI package installation instructions for vSphere 5.5 and vSphere 6.0. Once all of the required dependencies are in place and the vCLI package is installed, you can check to see if you can connect to your ESXi host or vCenter server by running the following command: esxcli -s <host-location> -u <username> -p <password> system syslog config get If the connection was successful, ESXCLI was successfully installed on your system. You should see output related to the ESXi host's syslog configuration. NOTE: Be aware that some functionality in this execution module may depend on the type of license attached to a vCenter Server or ESXi host(s). For example, certain services are only available to manipulate service state or policies with a VMware vSphere Enterprise or Enterprise Plus license, while others are available with a Standard license. The ntpd service is restricted to an Enterprise Plus license, while ssh is available via the Standard license. Please see the vSphere Comparison page for more information. About This execution module was designed to be able to handle connections both to a vCenter Server, as well as to an ESXi host. It utilizes the pyVmomi Python library and the ESXCLI package to run remote execution functions against either the defined vCenter server or the ESXi host. Whether or not the function runs against a vCenter Server or an ESXi host depends entirely upon the arguments passed into the function. Each function requires a host location, username, and password. If the credentials provided apply to a vCenter Server, then the function will be run against the vCenter Server. For example, when listing hosts using vCenter credentials, you'll get a list of hosts associated with that vCenter Server: # salt my-minion vsphere.list_hosts <vcenter-ip> <vcenter-user> <vcenter-password> my-minion: - esxi-1.example.com - esxi-2.example.com However, some functions should be used against ESXi hosts, not vCenter Servers. Functionality such as getting a host's coredump network configuration should be performed against a host and not a vCenter server. If the authentication information you're using is against a vCenter server and not an ESXi host, you can provide the host name that is associated with the vCenter server in the command, as a list, using the host_names or esxi_host kwarg. For example: # salt my-minion vsphere.get_coredump_network_config <vcenter-ip> <vcenter-user> <vcenter-password> esxi_hosts='[esxi-1.example.com, esxi-2.example.com]' my-minion: ---------- esxi-1.example.com: ---------- Coredump Config: ---------- enabled: False esxi-2.example.com: ---------- Coredump Config: ---------- enabled: True host_vnic: vmk0 ip: coredump-location.example.com port: 6500 You can also use these functions against an ESXi host directly by establishing a connection to an ESXi host using the host's location, username, and password. If ESXi connection credentials are used instead of vCenter credentials, the host_names and esxi_hosts arguments are not needed. # salt my-minion vsphere.get_coredump_network_config esxi-1.example.com root <host-password> local: ---------- 10.4.28.150: ---------- Coredump Config: ---------- enabled: True host_vnic: vmk0 ip: coredump-location.example.com port: 6500 salt.modules.vsphere.add_host_to_dvs(host, username, password, vmknic_name, vmnic_name, dvs_name, portgroup_name, protocol=None, port=None, host_names=None) Adds an ESXi host to a vSphere Distributed Virtual Switch DOES NOT migrate the ESXi's physical and virtual NICs to the switch (yet) (please don't remove the commented code) salt.modules.vsphere.coredump_network_enable(host, username, password, enabled, protocol=None, port=None, esxi_hosts=None) Enable or disable ESXi core dump collection. Returns True if coredump is enabled and returns False if core dump is not enabled. If there was an error, the error will be the value printed in the Error key dictionary for the given host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. enabled Python True or False to enable or disable coredumps. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. esxi_hosts If host is a vCenter host, then use esxi_hosts to execute this function on a list of one or more ESXi machines. CLI Example: # Used for ESXi host connection information salt '*' vsphere.coredump_network_enable my.esxi.host root bad-password True # Used for connecting to a vCenter Server salt '*' vsphere.coredump_network_enable my.vcenter.location root bad-password True esxi_hosts='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.enable_firewall_ruleset(host, username, password, ruleset_enable, ruleset_name, protocol=None, port=None, esxi_hosts=None) Enable or disable an ESXi firewall rule set. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. ruleset_enable True to enable the ruleset, false to disable. ruleset_name Name of ruleset to target. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. esxi_hosts If host is a vCenter host, then use esxi_hosts to execute this function on a list of one or more ESXi machines. Returns A standard cmd.run_all dictionary, per host. CLI Example: # Used for ESXi host connection information salt '*' vsphere.enable_firewall_ruleset my.esxi.host root bad-password True 'syslog' # Used for connecting to a vCenter Server salt '*' vsphere.enable_firewall_ruleset my.vcenter.location root bad-password True 'syslog' esxi_hosts='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.esxcli_cmd(host, username, password, cmd_str, protocol=None, port=None, esxi_hosts=None) Run an ESXCLI command directly on the host or list of hosts. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. cmd_str The ESXCLI command to run. Note: This should not include the -s, -u, -p, -h, --protocol, or --portnumber arguments that are frequently passed when using a bare ESXCLI command from the command line. Those arguments are handled by this function via the other args and kwargs. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. esxi_hosts If host is a vCenter host, then use esxi_hosts to execute this function on a list of one or more ESXi machines. CLI Example: # Used for ESXi host connection information salt '*' vsphere.esxcli_cmd my.esxi.host root bad-password 'system coredump network get' # Used for connecting to a vCenter Server salt '*' vsphere.esxcli_cmd my.vcenter.location root bad-password 'system coredump network get' esxi_hosts='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.get_coredump_network_config(host, username, password, protocol=None, port=None, esxi_hosts=None) Retrieve information on ESXi or vCenter network dump collection and format it into a dictionary. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. esxi_hosts If host is a vCenter host, then use esxi_hosts to execute this function on a list of one or more ESXi machines. Returns A dictionary with the network configuration, or, if getting the network config failed, a an error message retrieved from the standard cmd.run_all dictionary, per host. CLI Example: # Used for ESXi host connection information salt '*' vsphere.get_coredump_network_config my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.get_coredump_network_config my.vcenter.location root bad-password esxi_hosts='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.get_firewall_status(host, username, password, protocol=None, port=None, esxi_hosts=None) Show status of all firewall rule sets. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. esxi_hosts If host is a vCenter host, then use esxi_hosts to execute this function on a list of one or more ESXi machines. Returns Nested dictionary with two toplevel keys rulesets and success success will be True or False depending on query success rulesets will list the rulesets and their statuses if success was true, per host. CLI Example: # Used for ESXi host connection information salt '*' vsphere.get_firewall_status my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.get_firewall_status my.vcenter.location root bad-password esxi_hosts='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.get_host_datetime(host, username, password, protocol=None, port=None, host_names=None) Get the date/time information for a given host or list of host_names. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter the hosts for which to get date/time information. If host_names is not provided, the date/time information will be retrieved for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.get_host_datetime my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.get_host_datetime my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.get_ntp_config(host, username, password, protocol=None, port=None, host_names=None) Get the NTP configuration information for a given host or list of host_names. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter the hosts for which to get ntp configuration information. If host_names is not provided, the NTP configuration will be retrieved for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.get_ntp_config my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.get_ntp_config my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.get_service_policy(host, username, password, service_name, protocol=None, port=None, host_names=None) Get the service name's policy for a given host or list of hosts. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. service_name The name of the service for which to retrieve the policy. Supported service names are: • DCUI • TSM • SSH • lbtd • lsassd • lwiod • netlogond • ntpd • sfcbd-watchdog • snmpd • vprobed • vpxa • xorg protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter the hosts for which to get service policy information. If host_names is not provided, the service policy information will be retrieved for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.get_service_policy my.esxi.host root bad-password 'ssh' # Used for connecting to a vCenter Server salt '*' vsphere.get_service_policy my.vcenter.location root bad-password 'ntpd' host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.get_service_running(host, username, password, service_name, protocol=None, port=None, host_names=None) Get the service name's running state for a given host or list of hosts. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. service_name The name of the service for which to retrieve the policy. Supported service names are: • DCUI • TSM • SSH • lbtd • lsassd • lwiod • netlogond • ntpd • sfcbd-watchdog • snmpd • vprobed • vpxa • xorg protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter the hosts for which to get the service's running state. If host_names is not provided, the service's running state will be retrieved for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.get_service_running my.esxi.host root bad-password 'ssh' # Used for connecting to a vCenter Server salt '*' vsphere.get_service_running my.vcenter.location root bad-password 'ntpd' host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.get_ssh_key(host, username, password, protocol=None, port=None, certificate_verify=False) Retrieve the authorized_keys entry for root. This function only works for ESXi, not vCenter. Parameters • host -- The location of the ESXi Host • username -- Username to connect as • password -- Password for the ESXi web endpoint • protocol -- defaults to https, can be http if ssl is disabled on ESXi • port -- defaults to 443 for https • certificate_verify -- If true require that the SSL connection present a valid certificate Returns True if upload is successful CLI Example: salt '*' vsphere.get_ssh_key my.esxi.host root bad-password certificate_verify=True salt.modules.vsphere.get_syslog_config(host, username, password, protocol=None, port=None, esxi_hosts=None) Retrieve the syslog configuration. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. esxi_hosts If host is a vCenter host, then use esxi_hosts to execute this function on a list of one or more ESXi machines. Returns Dictionary with keys and values corresponding to the syslog configuration, per host. CLI Example: # Used for ESXi host connection information salt '*' vsphere.get_syslog_config my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.get_syslog_config my.vcenter.location root bad-password esxi_hosts='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.get_vmotion_enabled(host, username, password, protocol=None, port=None, host_names=None) Get the VMotion enabled status for a given host or a list of host_names. Returns True if VMotion is enabled, False if it is not enabled. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter which hosts to check if VMotion is enabled. If host_names is not provided, the VMotion status will be retrieved for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.get_vmotion_enabled my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.get_vmotion_enabled my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.get_vsan_eligible_disks(host, username, password, protocol=None, port=None, host_names=None) Returns a list of VSAN-eligible disks for a given host or list of host_names. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter which hosts to check if any VSAN-eligible disks are available. If host_names is not provided, the VSAN-eligible disks will be retrieved for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.get_vsan_eligible_disks my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.get_vsan_eligible_disks my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.get_vsan_enabled(host, username, password, protocol=None, port=None, host_names=None) Get the VSAN enabled status for a given host or a list of host_names. Returns True if VSAN is enabled, False if it is not enabled, and None if a VSAN Host Config is unset, per host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter which hosts to check if VSAN enabled. If host_names is not provided, the VSAN status will be retrieved for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.get_vsan_enabled my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.get_vsan_enabled my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.list_clusters(host, username, password, protocol=None, port=None) Returns a list of clusters for the the specified host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_clusters 1.2.3.4 root bad-password salt.modules.vsphere.list_datacenters(host, username, password, protocol=None, port=None) Returns a list of datacenters for the the specified host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_datacenters 1.2.3.4 root bad-password salt.modules.vsphere.list_datastore_clusters(host, username, password, protocol=None, port=None) Returns a list of datastore clusters for the the specified host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_datastore_clusters 1.2.3.4 root bad-password salt.modules.vsphere.list_datastores(host, username, password, protocol=None, port=None) Returns a list of datastores for the the specified host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_datastores 1.2.3.4 root bad-password salt.modules.vsphere.list_dvs(host, username, password, protocol=None, port=None) Returns a list of distributed virtual switches for the the specified host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_dvs 1.2.3.4 root bad-password salt.modules.vsphere.list_folders(host, username, password, protocol=None, port=None) Returns a list of folders for the the specified host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_folders 1.2.3.4 root bad-password salt.modules.vsphere.list_hosts(host, username, password, protocol=None, port=None) Returns a list of hosts for the the specified VMware environment. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_hosts 1.2.3.4 root bad-password salt.modules.vsphere.list_networks(host, username, password, protocol=None, port=None) Returns a list of networks for the the specified host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_networks 1.2.3.4 root bad-password salt.modules.vsphere.list_non_ssds(host, username, password, protocol=None, port=None, host_names=None) Returns a list of Non-SSD disks for the given host or list of host_names. NOTE: In the pyVmomi StorageSystem, ScsiDisks may, or may not have an ssd attribute. This attribute indicates if the ScsiDisk is SSD backed. As this option is optional, if a relevant disk in the StorageSystem does not have ssd = true, it will end up in the non_ssds list here. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter the hosts for which to retrieve Non-SSD disks. If host_names is not provided, Non-SSD disks will be retrieved for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.list_non_ssds my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.list_non_ssds my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.list_resourcepools(host, username, password, protocol=None, port=None) Returns a list of resource pools for the the specified host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_resourcepools 1.2.3.4 root bad-password salt.modules.vsphere.list_ssds(host, username, password, protocol=None, port=None, host_names=None) Returns a list of SSDs for the given host or list of host_names. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter the hosts for which to retrieve SSDs. If host_names is not provided, SSDs will be retrieved for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.list_ssds my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.list_ssds my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.list_vapps(host, username, password, protocol=None, port=None) Returns a list of vApps for the the specified host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_vapps 1.2.3.4 root bad-password salt.modules.vsphere.list_vms(host, username, password, protocol=None, port=None) Returns a list of VMs for the the specified host. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. salt '*' vsphere.list_vms 1.2.3.4 root bad-password salt.modules.vsphere.reset_syslog_config(host, username, password, protocol=None, port=None, syslog_config=None, esxi_hosts=None) Reset the syslog service to its default settings. Valid syslog_config values are logdir, loghost, logdir-unique, default-rotate, default-size, default-timeout, or all for all of these. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. syslog_config List of parameters to reset, provided as a comma-delimited string, or 'all' to reset all syslog configuration parameters. Required. esxi_hosts If host is a vCenter host, then use esxi_hosts to execute this function on a list of one or more ESXi machines. Returns Dictionary with a top-level key of 'success' which indicates if all the parameters were reset, and individual keys for each parameter indicating which succeeded or failed, per host. CLI Example: syslog_config can be passed as a quoted, comma-separated string, e.g. # Used for ESXi host connection information salt '*' vsphere.reset_syslog_config my.esxi.host root bad-password syslog_config='logdir,loghost' # Used for connecting to a vCenter Server salt '*' vsphere.reset_syslog_config my.vcenter.location root bad-password syslog_config='logdir,loghost' esxi_hosts='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.service_restart(host, username, password, service_name, protocol=None, port=None, host_names=None) Restart the named service for the given host or list of hosts. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. service_name The name of the service for which to set the policy. Supported service names are: • DCUI • TSM • SSH • lbtd • lsassd • lwiod • netlogond • ntpd • sfcbd-watchdog • snmpd • vprobed • vpxa • xorg protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter the hosts for which to restart the service. If host_names is not provided, the service will be restarted for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.service_restart my.esxi.host root bad-password 'ntpd' # Used for connecting to a vCenter Server salt '*' vsphere.service_restart my.vcenter.location root bad-password 'ntpd' host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.service_start(host, username, password, service_name, protocol=None, port=None, host_names=None) Start the named service for the given host or list of hosts. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. service_name The name of the service for which to set the policy. Supported service names are: • DCUI • TSM • SSH • lbtd • lsassd • lwiod • netlogond • ntpd • sfcbd-watchdog • snmpd • vprobed • vpxa • xorg protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter the hosts for which to start the service. If host_names is not provided, the service will be started for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.service_start my.esxi.host root bad-password 'ntpd' # Used for connecting to a vCenter Server salt '*' vsphere.service_start my.vcenter.location root bad-password 'ntpd' host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.service_stop(host, username, password, service_name, protocol=None, port=None, host_names=None) Stop the named service for the given host or list of hosts. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. service_name The name of the service for which to set the policy. Supported service names are: • DCUI • TSM • SSH • lbtd • lsassd • lwiod • netlogond • ntpd • sfcbd-watchdog • snmpd • vprobed • vpxa • xorg protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter the hosts for which to stop the service. If host_names is not provided, the service will be stopped for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.service_stop my.esxi.host root bad-password 'ssh' # Used for connecting to a vCenter Server salt '*' vsphere.service_stop my.vcenter.location root bad-password 'ssh' host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.set_coredump_network_config(host, username, password, dump_ip, protocol=None, port=None, host_vnic='vmk0', dump_port=6500, esxi_hosts=None) Set the network parameters for a network coredump collection. Note that ESXi requires that the dumps first be enabled (see coredump_network_enable) before these parameters may be set. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. dump_ip IP address of host that will accept the dump. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. esxi_hosts If host is a vCenter host, then use esxi_hosts to execute this function on a list of one or more ESXi machines. host_vnic Host VNic port through which to communicate. Defaults to vmk0. dump_port TCP port to use for the dump, defaults to 6500. Returns A standard cmd.run_all dictionary with a success key added, per host. success will be True if the set succeeded, False otherwise. CLI Example: # Used for ESXi host connection information salt '*' vsphere.set_coredump_network_config my.esxi.host root bad-password 'dump_ip.host.com' # Used for connecting to a vCenter Server salt '*' vsphere.set_coredump_network_config my.vcenter.location root bad-password 'dump_ip.host.com' esxi_hosts='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.set_ntp_config(host, username, password, ntp_servers, protocol=None, port=None, host_names=None) Set NTP configuration for a given host of list of host_names. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. ntp_servers A list of servers that should be added to and configured for the specified host's NTP configuration. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter which hosts to configure ntp servers. If host_names is not provided, the NTP servers will be configured for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.ntp_configure my.esxi.host root bad-password '[192.174.1.100, 192.174.1.200]' # Used for connecting to a vCenter Server salt '*' vsphere.ntp_configure my.vcenter.location root bad-password '[192.174.1.100, 192.174.1.200]' host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.set_service_policy(host, username, password, service_name, service_policy, protocol=None, port=None, host_names=None) Set the service name's policy for a given host or list of hosts. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. service_name The name of the service for which to set the policy. Supported service names are: • DCUI • TSM • SSH • lbtd • lsassd • lwiod • netlogond • ntpd • sfcbd-watchdog • snmpd • vprobed • vpxa • xorg service_policy The policy to set for the service. For example, 'automatic'. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter the hosts for which to set the service policy. If host_names is not provided, the service policy information will be retrieved for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.set_service_policy my.esxi.host root bad-password 'ntpd' 'automatic' # Used for connecting to a vCenter Server salt '*' vsphere.set_service_policy my.vcenter.location root bad-password 'ntpd' 'automatic' host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.set_syslog_config(host, username, password, syslog_config, config_value, protocol=None, port=None, firewall=True, reset_service=True, esxi_hosts=None) Set the specified syslog configuration parameter. By default, this function will reset the syslog service after the configuration is set. host ESXi or vCenter host to connect to. username User to connect as, usually root. password Password to connect with. syslog_config Name of parameter to set (corresponds to the command line switch for esxcli without the double dashes (--)) Valid syslog_config values are logdir, loghost, default-rotate`, ``default-size, default-timeout, and logdir-unique. config_value Value for the above parameter. For loghost, URLs or IP addresses to use for logging. Multiple log servers can be specified by listing them, comma-separated, but without spaces before or after commas. (reference: https://blogs.vmware.com/vsphere/2012/04/configuring-multiple-syslog-servers-for-esxi-5.html) protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. firewall Enable the firewall rule set for syslog. Defaults to True. reset_service After a successful parameter set, reset the service. Defaults to True. esxi_hosts If host is a vCenter host, then use esxi_hosts to execute this function on a list of one or more ESXi machines. Returns Dictionary with a top-level key of 'success' which indicates if all the parameters were reset, and individual keys for each parameter indicating which succeeded or failed, per host. CLI Example: # Used for ESXi host connection information salt '*' vsphere.set_syslog_config my.esxi.host root bad-password loghost ssl://localhost:5432,tcp://10.1.0.1:1514 # Used for connecting to a vCenter Server salt '*' vsphere.set_syslog_config my.vcenter.location root bad-password loghost ssl://localhost:5432,tcp://10.1.0.1:1514 esxi_hosts='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.syslog_service_reload(host, username, password, protocol=None, port=None, esxi_hosts=None) Reload the syslog service so it will pick up any changes. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. esxi_hosts If host is a vCenter host, then use esxi_hosts to execute this function on a list of one or more ESXi machines. Returns A standard cmd.run_all dictionary. This dictionary will at least have a retcode key. If retcode is 0 the command was successful. CLI Example: # Used for ESXi host connection information salt '*' vsphere.syslog_service_reload my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.syslog_service_reload my.vcenter.location root bad-password esxi_hosts='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.system_info(host, username, password, protocol=None, port=None) Return system information about a VMware environment. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. CLI Example: salt '*' vsphere.system_info 1.2.3.4 root bad-password salt.modules.vsphere.update_host_datetime(host, username, password, protocol=None, port=None, host_names=None) Update the date/time on the given host or list of host_names. This function should be used with caution since network delays and execution delays can result in time skews. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter which hosts should update their date/time. If host_names is not provided, the date/time will be updated for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.update_date_time my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.update_date_time my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.update_host_password(host, username, password, new_password, protocol=None, port=None) Update the password for a given host. NOTE: Currently only works with connections to ESXi hosts. Does not work with vCenter servers. host The location of the ESXi host. username The username used to login to the ESXi host, such as root. password The password used to login to the ESXi host. new_password The new password that will be updated for the provided username on the ESXi host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. CLI Example: salt '*' vsphere.update_host_password my.esxi.host root original-bad-password new-bad-password salt.modules.vsphere.upload_ssh_key(host, username, password, ssh_key=None, ssh_key_file=None, protocol=None, port=None, certificate_verify=False) Upload an ssh key for root to an ESXi host via http PUT. This function only works for ESXi, not vCenter. Only one ssh key can be uploaded for root. Uploading a second key will replace any existing key. Parameters • host -- The location of the ESXi Host • username -- Username to connect as • password -- Password for the ESXi web endpoint • ssh_key -- Public SSH key, will be added to authorized_keys on ESXi • ssh_key_file -- File containing the SSH key. Use 'ssh_key' or ssh_key_file, but not both. • protocol -- defaults to https, can be http if ssl is disabled on ESXi • port -- defaults to 443 for https • certificate_verify -- If true require that the SSL connection present a valid certificate Returns Dictionary with a 'status' key, True if upload is successful. If upload is unsuccessful, 'status' key will be False and an 'Error' key will have an informative message. CLI Example: salt '*' vsphere.upload_ssh_key my.esxi.host root bad-password ssh_key_file='/etc/salt/my_keys/my_key.pub' salt.modules.vsphere.vmotion_disable(host, username, password, protocol=None, port=None, host_names=None) Disable vMotion for a given host or list of host_names. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter which hosts should disable VMotion. If host_names is not provided, VMotion will be disabled for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.vmotion_disable my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.vmotion_disable my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.vmotion_enable(host, username, password, protocol=None, port=None, host_names=None, device='vmk0') Enable vMotion for a given host or list of host_names. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter which hosts should enable VMotion. If host_names is not provided, VMotion will be enabled for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. device The device that uniquely identifies the VirtualNic that will be used for VMotion for each host. Defaults to vmk0. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.vmotion_enable my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.vmotion_enable my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.vsan_add_disks(host, username, password, protocol=None, port=None, host_names=None) Add any VSAN-eligible disks to the VSAN System for the given host or list of host_names. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter which hosts need to add any VSAN-eligible disks to the host's VSAN system. If host_names is not provided, VSAN-eligible disks will be added to the hosts's VSAN system for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.vsan_add_disks my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.vsan_add_disks my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.vsan_disable(host, username, password, protocol=None, port=None, host_names=None) Disable VSAN for a given host or list of host_names. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter which hosts should disable VSAN. If host_names is not provided, VSAN will be disabled for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.vsan_disable my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.vsan_disable my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.vsphere.vsan_enable(host, username, password, protocol=None, port=None, host_names=None) Enable VSAN for a given host or list of host_names. host The location of the host. username The username used to login to the host, such as root. password The password used to login to the host. protocol Optionally set to alternate protocol if the host is not using the default protocol. Default protocol is https. port Optionally set to alternate port if the host is not using the default port. Default port is 443. host_names List of ESXi host names. When the host, username, and password credentials are provided for a vCenter Server, the host_names argument is required to tell vCenter which hosts should enable VSAN. If host_names is not provided, VSAN will be enabled for the host location instead. This is useful for when service instance connection information is used for a single ESXi host. CLI Example: # Used for single ESXi host connection information salt '*' vsphere.vsan_enable my.esxi.host root bad-password # Used for connecting to a vCenter Server salt '*' vsphere.vsan_enable my.vcenter.location root bad-password host_names='[esxi-1.host.com, esxi-2.host.com]' salt.modules.win_autoruns Module for listing programs that automatically run on startup (very alpha...not tested on anything but my Win 7x64) salt.modules.win_autoruns.list() Get a list of automatically running programs CLI Example: salt '*' autoruns.list salt.modules.win_dacl Manage DACLs on Windows depends • winreg Python module salt.modules.win_dacl.add_ace(path, objectType, user, permission, acetype, propagation) add an ace to an object path: path to the object (i.e. c:\temp\file, HKEY_LOCAL_MACHINE\SOFTWARE\KEY, etc) user: user to add permission: permissions for the user acetype: either allow/deny for each user/permission (ALLOW, DENY) propagation: how the ACE applies to children for Registry Keys and Directories(KEY, KEY&SUBKEYS, SUBKEYS) CLI Example: allow domain\fakeuser full control on HKLM\\SOFTWARE\\somekey, propagate to this key and subkeys salt 'myminion' win_dacl.add_ace 'HKEY_LOCAL_MACHINE\\SOFTWARE\\somekey' 'Registry' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS' salt.modules.win_dacl.check_ace(path, objectType, user, permission=None, acetype=None, propagation=None, exactPermissionMatch=False) checks a path to verify the ACE (access control entry) specified exists returns 'Exists' true if the ACE exists, false if it does not path: path to the file/reg key user: user that the ACL is for permission: permission to test for (READ, FULLCONTROl, etc) acetype: the type of ACE (ALLOW or DENY) propagation: the propagation type of the ACE (FILES, FOLDERS, KEY, KEY&SUBKEYS, SUBKEYS, etc) exactPermissionMatch: the ACL must match exactly, IE if READ is specified, the user must have READ exactly and not FULLCONTROL (which also has the READ permission obviously) salt.modules.win_dacl.check_inheritance(path, objectType, user=None) check a specified path to verify if inheritance is enabled returns 'Inheritance' of True/False path: path of the registry key or file system object to check user: if provided, will consider only the ACEs for that user class salt.modules.win_dacl.daclConstants dacl constants used throughout the module getAceTypeBit(t) returns the acetype bit of a text value getAceTypeText(t) returns the textual representation of a acetype bit getObjectTypeBit(t) returns the bit value of the string object type getPermissionBit(t, m) returns a permission bit of the string permission value for the specified object type getPermissionText(t, m) returns the permission textual representation of a specified permission bit/object type getPropagationBit(t, p) returns the propagation bit of a text value getPropagationText(t, p) returns the textual representation of a propagation bit getSecurityHkey(s) returns the necessary string value for an HKEY for the win32security module processPath(path, objectType) processes a path/object type combo and returns: registry types with the correct HKEY text representation files/directories with environment variables expanded salt.modules.win_dacl.disable_inheritance(path, objectType, copy=True) disable inheritance on an object copy = True will copy the Inerhited ACEs to the DACL before disabling inheritance salt.modules.win_dacl.enable_inheritance(path, objectType, clear=False) enable/disable inheritance on an object clear = True will remove non-Inherited ACEs from the ACL salt.modules.win_dacl.get(path, objectType, user=None) Get the acl of an object. Will filter by user if one is provided. salt.modules.win_dacl.rm_ace(path, objectType, user, permission=None, acetype=None, propagation=None) remove an ace to an object path: path to the object (i.e. c:\temp\file, HKEY_LOCAL_MACHINE\SOFTWARE\KEY, etc) user: user to remove permission: permissions for the user acetypes: either allow/deny for each user/permission (ALLOW, DENY) propagation: how the ACE applies to children for Registry Keys and Directories(KEY, KEY&SUBKEYS, SUBKEYS) If any of the optional parameters are ommitted (or set to None) they act as wildcards. CLI Example: remove allow domain\fakeuser full control on HKLM\\SOFTWARE\\somekey propagated to this key and subkeys salt 'myminion' win_dacl.rm_ace 'Registry' 'HKEY_LOCAL_MACHINE\\SOFTWARE\\somekey' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS' salt.modules.win_disk Module for gathering disk information on Windows depends • win32api Python module salt.modules.win_disk.usage() Return usage information for volumes mounted on this minion CLI Example: salt '*' disk.usage salt.modules.win_dns_client Module for configuring DNS Client on Windows systems salt.modules.win_dns_client.add_dns(ip, interface='Local Area Connection', index=1) Add the DNS server to the network interface (index starts from 1) Note: if the interface DNS is configured by DHCP, all the DNS servers will be removed from the interface and the requested DNS will be the only one CLI Example: salt '*' win_dns_client.add_dns <ip> <interface> <index> salt.modules.win_dns_client.dns_dhcp(interface='Local Area Connection') Configure the interface to get its DNS servers from the DHCP server CLI Example: salt '*' win_dns_client.dns_dhcp <interface> salt.modules.win_dns_client.get_dns_config(interface='Local Area Connection') Get the type of DNS configuration (dhcp / static) CLI Example: salt '*' win_dns_client.get_dns_config 'Local Area Connection' salt.modules.win_dns_client.get_dns_servers(interface='Local Area Connection') Return a list of the configured DNS servers of the specified interface CLI Example: salt '*' win_dns_client.get_dns_servers 'Local Area Connection' salt.modules.win_dns_client.rm_dns(ip, interface='Local Area Connection') Remove the DNS server from the network interface CLI Example: salt '*' win_dns_client.rm_dns <ip> <interface> salt.modules.win_file Manage information about files on the minion, set/read user, group data depends • win32api • win32file • win32security salt.modules.win_file.chgrp(path, group) Change the group of a file Under Windows, this will do nothing. While a file in Windows does have a 'primary group', this rarely used attribute generally has no bearing on permissions unless intentionally configured and is only used to support Unix compatibility features (e.g. Services For Unix, NFS services). Salt, therefore, remaps this function to do nothing while still being compatible with Unix behavior. When managing Windows systems, this function is superfluous and will generate an info level log entry if used directly. If you do actually want to set the 'primary group' of a file, use file CLI Example: salt '*' file.chpgrp c:\temp\test.txt administrators salt.modules.win_file.chown(path, user, group=None, pgroup=None, follow_symlinks=True) Chown a file, pass the file the desired user and group Under Windows, the group parameter will be ignored. This is because while files in Windows do have a 'primary group' property, this is rarely used. It generally has no bearing on permissions unless intentionally configured and is most commonly used to provide Unix compatibility (e.g. Services For Unix, NFS services). If you do want to change the 'primary group' property and understand the implications, pass the Windows only parameter, pgroup, instead. To set the primary group to 'None', it must be specified in quotes. Otherwise Salt will interpret it as the Python value of None and no primary group changes will occur. See the example below. CLI Example: salt '*' file.chown c:\temp\test.txt myusername salt '*' file.chown c:\temp\test.txt myusername pgroup=Administrators salt '*' file.chown c:\temp\test.txt myusername "pgroup='None'" salt.modules.win_file.chpgrp(path, group) Change the group of a file Under Windows, this will set the rarely used primary group of a file. This generally has no bearing on permissions unless intentionally configured and is most commonly used to provide Unix compatibility (e.g. Services For Unix, NFS services). Ensure you know what you are doing before using this function. To set the primary group to 'None', it must be specified in quotes. Otherwise Salt will interpret it as the Python value of None and no primary group changes will occur. See the example below. CLI Example: salt '*' file.chpgrp c:\temp\test.txt Administrators salt '*' file.chpgrp c:\temp\test.txt "'None'" salt.modules.win_file.get_attributes(path) Return a dictionary object with the Windows file attributes for a file. CLI Example: salt '*' file.get_attributes c:\temp\a.txt salt.modules.win_file.get_gid(path, follow_symlinks=True) Return the id of the group that owns a given file Under Windows, this will return the uid of the file. While a file in Windows does have a 'primary group', this rarely used attribute generally has no bearing on permissions unless intentionally configured and is only used to support Unix compatibility features (e.g. Services For Unix, NFS services). Salt, therefore, remaps this function to provide functionality that somewhat resembles Unix behavior for API compatibility reasons. When managing Windows systems, this function is superfluous and will generate an info level log entry if used directly. If you do actually want to access the 'primary group' of a file, use file.get_pgid. CLI Example: salt '*' file.get_gid c:\temp\test.txt salt.modules.win_file.get_group(path, follow_symlinks=True) Return the group that owns a given file Under Windows, this will return the user (owner) of the file. While a file in Windows does have a 'primary group', this rarely used attribute generally has no bearing on permissions unless intentionally configured and is only used to support Unix compatibility features (e.g. Services For Unix, NFS services). Salt, therefore, remaps this function to provide functionality that somewhat resembles Unix behavior for API compatibility reasons. When managing Windows systems, this function is superfluous and will generate an info level log entry if used directly. If you do actually want to access the 'primary group' of a file, use file.get_pgroup. CLI Example: salt '*' file.get_group c:\temp\test.txt salt.modules.win_file.get_mode(path) Return the mode of a file Right now we're just returning None because Windows' doesn't have a mode like Linux CLI Example: salt '*' file.get_mode /etc/passwd salt.modules.win_file.get_pgid(path, follow_symlinks=True) Return the id of the primary group that owns a given file (Windows only) This function will return the rarely used primary group of a file. This generally has no bearing on permissions unless intentionally configured and is most commonly used to provide Unix compatibility (e.g. Services For Unix, NFS services). Ensure you know what you are doing before using this function. CLI Example: salt '*' file.get_pgid c:\temp\test.txt salt.modules.win_file.get_pgroup(path, follow_symlinks=True) Return the name of the primary group that owns a given file (Windows only) This function will return the rarely used primary group of a file. This generally has no bearing on permissions unless intentionally configured and is most commonly used to provide Unix compatibility (e.g. Services For Unix, NFS services). Ensure you know what you are doing before using this function. The return value may be 'None', e.g. if the user is not on a domain. This is a valid group - do not confuse this with the Salt/Python value of None which means no value was returned. To be certain, use the get_pgid function which will return the SID, including for the system 'None' group. CLI Example: salt '*' file.get_pgroup c:\temp\test.txt salt.modules.win_file.get_uid(path, follow_symlinks=True) Return the id of the user that owns a given file Symlinks are followed by default to mimic Unix behavior. Specify follow_symlinks=False to turn off this behavior. CLI Example: salt '*' file.get_uid c:\temp\test.txt salt '*' file.get_uid c:\temp\test.txt follow_symlinks=False salt.modules.win_file.get_user(path, follow_symlinks=True) Return the user that owns a given file Symlinks are followed by default to mimic Unix behavior. Specify follow_symlinks=False to turn off this behavior. CLI Example: salt '*' file.get_user c:\temp\test.txt salt '*' file.get_user c:\temp\test.txt follow_symlinks=False salt.modules.win_file.gid_to_group(gid) Convert the group id to the group name on this system Under Windows, because groups are just another ACL entity, this function behaves the same as uid_to_user. For maintaining Windows systems, this function is superfluous and only exists for API compatibility with Unix. Use the uid_to_user function instead; an info level log entry will be generated if this function is used directly. CLI Example: salt '*' file.gid_to_group S-1-5-21-626487655-2533044672-482107328-1010 salt.modules.win_file.group_to_gid(group) Convert the group to the gid on this system Under Windows, because groups are just another ACL entity, this function behaves the same as user_to_uid, except if None is given, '' is returned. For maintaining Windows systems, this function is superfluous and only exists for API compatibility with Unix. Use the user_to_uid function instead; an info level log entry will be generated if this function is used directly. CLI Example: salt '*' file.group_to_gid administrators salt.modules.win_file.is_link(path) Return the path that a symlink points to This is only supported on Windows Vista or later. Inline with Unix behavior, this function will raise an error if the path is not a symlink, however, the error raised will be a SaltInvocationError, not an OSError. CLI Example: salt '*' file.is_link /path/to/link salt.modules.win_file.lchown(path, user, group=None, pgroup=None) Chown a file, pass the file the desired user and group without following any symlinks. Under Windows, the group parameter will be ignored. This is because while files in Windows do have a 'primary group' property, this is rarely used. It generally has no bearing on permissions unless intentionally configured and is most commonly used to provide Unix compatibility (e.g. Services For Unix, NFS services). If you do want to change the 'primary group' property and understand the implications, pass the Windows only parameter, pgroup, instead. To set the primary group to 'None', it must be specified in quotes. Otherwise Salt will interpret it as the Python value of None and no primary group changes will occur. See the example below. CLI Example: salt '*' file.lchown c:\temp\test.txt myusername salt '*' file.lchown c:\temp\test.txt myusername pgroup=Administrators salt '*' file.lchown c:\temp\test.txt myusername "pgroup='None'" salt.modules.win_file.readlink(path) Return the path that a symlink points to This is only supported on Windows Vista or later. Inline with Unix behavior, this function will raise an error if the path is not a symlink, however, the error raised will be a SaltInvocationError, not an OSError. CLI Example: salt '*' file.readlink /path/to/link salt.modules.win_file.remove(path, force=False) Remove the named file or directory Parameters • path (str) -- The path to the file or directory to remove. • force (bool) -- Remove even if marked Read-Only Returns True if successful, False if unsuccessful Return type bool CLI Example: salt '*' file.remove C:\Temp salt.modules.win_file.set_attributes(path, archive=None, hidden=None, normal=None, notIndexed=None, readonly=None, system=None, temporary=None) Set file attributes for a file. Note that the normal attribute means that all others are false. So setting it will clear all others. CLI Example: salt '*' file.set_attributes c:\temp\a.txt normal=True salt '*' file.set_attributes c:\temp\a.txt readonly=True hidden=True salt.modules.win_file.set_mode(path, mode) Set the mode of a file This just calls get_mode, which returns None because we don't use mode on Windows CLI Example: salt '*' file.set_mode /etc/passwd 0644 salt.modules.win_file.stats(path, hash_type='sha256', follow_symlinks=True) Return a dict containing the stats for a given file Under Windows, gid will equal uid and group will equal user. While a file in Windows does have a 'primary group', this rarely used attribute generally has no bearing on permissions unless intentionally configured and is only used to support Unix compatibility features (e.g. Services For Unix, NFS services). Salt, therefore, remaps these properties to keep some kind of compatibility with Unix behavior. If the 'primary group' is required, it can be accessed in the pgroup and pgid properties. CLI Example: salt '*' file.stats /etc/passwd salt.modules.win_file.symlink(src, link) Create a symbolic link to a file This is only supported with Windows Vista or later and must be executed by a user with the SeCreateSymbolicLink privilege. The behavior of this function matches the Unix equivalent, with one exception - invalid symlinks cannot be created. The source path must exist. If it doesn't, an error will be raised. CLI Example: salt '*' file.symlink /path/to/file /path/to/link salt.modules.win_file.uid_to_user(uid) Convert a uid to a user name CLI Example: salt '*' file.uid_to_user S-1-5-21-626487655-2533044672-482107328-1010 salt.modules.win_file.user_to_uid(user) Convert user name to a uid CLI Example: salt '*' file.user_to_uid myusername salt.modules.win_firewall Module for configuring Windows Firewall salt.modules.win_firewall.add_rule(name, localport, protocol='tcp', action='allow', dir='in') New in version 2015.5.0. Add a new firewall rule CLI Example: salt '*' firewall.add_rule 'test' '8080' 'tcp' salt.modules.win_firewall.delete_rule(name, localport, protocol='tcp', dir='in') New in version 2015.8.0. Delete an existing firewall rule CLI Example: salt '*' firewall.delete_rule 'test' '8080' 'tcp' 'in' salt.modules.win_firewall.disable(profile='allprofiles') Disable firewall profile :param profile: (default: allprofiles) CLI Example: salt '*' firewall.disable salt.modules.win_firewall.enable(profile='allprofiles') Enable firewall profile :param profile: (default: allprofiles) New in version 2015.5.0. CLI Example: salt '*' firewall.enable salt.modules.win_firewall.get_config() Get the status of all the firewall profiles CLI Example: salt '*' firewall.get_config salt.modules.win_firewall.get_rule(name='all') New in version 2015.5.0. Get firewall rule(s) info CLI Example: salt '*' firewall.get_rule 'MyAppPort' salt.modules.win_groupadd Manage groups on Windows salt.modules.win_groupadd.add(name, gid=None, system=False) Add the specified group CLI Example: salt '*' group.add foo salt.modules.win_groupadd.adduser(name, username) add a user to a group CLI Example: salt '*' group.adduser foo username salt.modules.win_groupadd.delete(name) Remove the named group CLI Example: salt '*' group.delete foo salt.modules.win_groupadd.deluser(name, username) remove a user from a group CLI Example: salt '*' group.deluser foo username salt.modules.win_groupadd.getent(refresh=False) Return info on all groups CLI Example: salt '*' group.getent salt.modules.win_groupadd.info(name) Return information about a group CLI Example: salt '*' group.info foo salt.modules.win_groupadd.members(name, members_list) remove a user from a group CLI Example: salt '*' group.members foo 'user1,user2,user3' salt.modules.win_ip The networking module for Windows based systems salt.modules.win_ip.disable(iface) Disable an interface CLI Example: salt -G 'os_family:Windows' ip.disable 'Local Area Connection #2' salt.modules.win_ip.enable(iface) Enable an interface CLI Example: salt -G 'os_family:Windows' ip.enable 'Local Area Connection #2' salt.modules.win_ip.get_all_interfaces() Return configs for all interfaces CLI Example: salt -G 'os_family:Windows' ip.get_all_interfaces salt.modules.win_ip.get_default_gateway() Set DNS source to DHCP on Windows CLI Example: salt -G 'os_family:Windows' ip.get_default_gateway salt.modules.win_ip.get_interface(iface) Return the configuration of a network interface CLI Example: salt -G 'os_family:Windows' ip.get_interface 'Local Area Connection' salt.modules.win_ip.get_subnet_length(mask) Convenience function to convert the netmask to the CIDR subnet length CLI Example: salt -G 'os_family:Windows' ip.get_subnet_length 255.255.255.0 salt.modules.win_ip.is_disabled(iface) Returns True if interface is disabled, otherwise False CLI Example: salt -G 'os_family:Windows' ip.is_disabled 'Local Area Connection #2' salt.modules.win_ip.is_enabled(iface) Returns True if interface is enabled, otherwise False CLI Example: salt -G 'os_family:Windows' ip.is_enabled 'Local Area Connection #2' salt.modules.win_ip.raw_interface_configs() Return raw configs for all interfaces CLI Example: salt -G 'os_family:Windows' ip.raw_interface_configs salt.modules.win_ip.set_dhcp_all(iface) Set both IP Address and DNS to DHCP CLI Example: salt -G 'os_family:Windows' ip.set_dhcp_all 'Local Area Connection' salt.modules.win_ip.set_dhcp_dns(iface) Set DNS source to DHCP on Windows CLI Example: salt -G 'os_family:Windows' ip.set_dhcp_dns 'Local Area Connection' salt.modules.win_ip.set_dhcp_ip(iface) Set Windows NIC to get IP from DHCP CLI Example: salt -G 'os_family:Windows' ip.set_dhcp_ip 'Local Area Connection' salt.modules.win_ip.set_static_dns(iface, *addrs) Set static DNS configuration on a Windows NIC CLI Example: salt -G 'os_family:Windows' ip.set_static_dns 'Local Area Connection' '192.168.1.1' salt -G 'os_family:Windows' ip.set_static_dns 'Local Area Connection' '192.168.1.252' '192.168.1.253' salt.modules.win_ip.set_static_ip(iface, addr, gateway=None, append=False) Set static IP configuration on a Windows NIC iface The name of the interface to manage addr IP address with subnet length (ex. 10.1.2.3/24). The ip.get_subnet_length function can be used to calculate the subnet length from a netmask. gateway None If specified, the default gateway will be set to this value. append False If True, this IP address will be added to the interface. Default is False, which overrides any existing configuration for the interface and sets addr as the only address on the interface. CLI Example: salt -G 'os_family:Windows' ip.set_static_ip 'Local Area Connection' 10.1.2.3/24 gateway=10.1.2.1 salt -G 'os_family:Windows' ip.set_static_ip 'Local Area Connection' 10.1.2.4/24 append=True salt.modules.win_network Module for gathering and managing network information salt.modules.win_network.dig(host) Performs a DNS lookup with dig Note: dig must be installed on the Windows minion CLI Example: salt '*' network.dig archlinux.org salt.modules.win_network.hw_addr(iface) Return the hardware address (a.k.a. MAC address) for a given interface CLI Example: salt '*' network.hw_addr 'Wireless Connection #1' salt.modules.win_network.hwaddr(iface) This function is an alias of hw_addr. Return the hardware address (a.k.a. MAC address) for a given interface CLI Example: salt '*' network.hw_addr 'Wireless Connection #1' salt.modules.win_network.in_subnet(cidr) Returns True if host is within specified subnet, otherwise False CLI Example: salt '*' network.in_subnet 10.0.0.0/16 salt.modules.win_network.interfaces() Return a dictionary of information about all the interfaces on the minion CLI Example: salt '*' network.interfaces salt.modules.win_network.interfaces_names() Return a list of all the interfaces names CLI Example: salt '*' network.interfaces_names salt.modules.win_network.ip_addrs(interface=None, include_loopback=False) Returns a list of IPv4 addresses assigned to the host. 127.0.0.1 is ignored, unless 'include_loopback=True' is indicated. If 'interface' is provided, then only IP addresses from that interface will be returned. CLI Example: salt '*' network.ip_addrs salt.modules.win_network.ip_addrs6(interface=None, include_loopback=False) Returns a list of IPv6 addresses assigned to the host. ::1 is ignored, unless 'include_loopback=True' is indicated. If 'interface' is provided, then only IP addresses from that interface will be returned. CLI Example: salt '*' network.ip_addrs6 salt.modules.win_network.ipaddrs(interface=None, include_loopback=False) This function is an alias of ip_addrs. Returns a list of IPv4 addresses assigned to the host. 127.0.0.1 is ignored, unless 'include_loopback=True' is indicated. If 'interface' is provided, then only IP addresses from that interface will be returned. CLI Example: salt '*' network.ip_addrs salt.modules.win_network.ipaddrs6(interface=None, include_loopback=False) This function is an alias of ip_addrs6. Returns a list of IPv6 addresses assigned to the host. ::1 is ignored, unless 'include_loopback=True' is indicated. If 'interface' is provided, then only IP addresses from that interface will be returned. CLI Example: salt '*' network.ip_addrs6 salt.modules.win_network.netstat() Return information on open ports and states CLI Example: salt '*' network.netstat salt.modules.win_network.nslookup(host) Query DNS for information about a domain or ip address CLI Example: salt '*' network.nslookup archlinux.org salt.modules.win_network.ping(host) Performs a ping to a host CLI Example: salt '*' network.ping archlinux.org salt.modules.win_network.subnets() Returns a list of subnets to which the host belongs CLI Example: salt '*' network.subnets salt.modules.win_network.traceroute(host) Performs a traceroute to a 3rd party host CLI Example: salt '*' network.traceroute archlinux.org salt.modules.win_ntp Management of NTP servers on Windows New in version 2014.1.0. salt.modules.win_ntp.get_servers() Get list of configured NTP servers CLI Example: salt '*' ntp.get_servers salt.modules.win_ntp.set_servers(*servers) Set Windows to use a list of NTP servers CLI Example: salt '*' ntp.set_servers 'pool.ntp.org' 'us.pool.ntp.org' salt.modules.win_path Manage the Windows System PATH Note that not all Windows applications will rehash the PATH environment variable, Only the ones that listen to the WM_SETTINGCHANGE message http://support.microsoft.com/kb/104011 salt.modules.win_path.add(path, index=0) Add the directory to the SYSTEM path in the index location Returns: boolean True if successful, False if unsuccessful CLI Example: # Will add to the beginning of the path salt '*' win_path.add 'c:\python27' 0 # Will add to the end of the path salt '*' win_path.add 'c:\python27' index='-1' salt.modules.win_path.exists(path) Check if the directory is configured in the SYSTEM path Case-insensitive and ignores trailing backslash Returns: boolean True if path exists, False if not CLI Example: salt '*' win_path.exists 'c:\python27' salt '*' win_path.exists 'c:\python27\' salt '*' win_path.exists 'C:\pyThon27' salt.modules.win_path.get_path() Returns a list of items in the SYSTEM path CLI Example: salt '*' win_path.get_path salt.modules.win_path.rehash() Send a WM_SETTINGCHANGE Broadcast to Windows to refresh the Environment variables CLI Example: ... code-block:: bash salt '*' win_path.rehash salt.modules.win_path.remove(path) Remove the directory from the SYSTEM path Returns: boolean True if successful, False if unsuccessful CLI Example: # Will remove C:\Python27 from the path salt '*' win_path.remove 'c:\\python27' salt.modules.win_pkg A module to manage software on Windows depends • win32com • win32con • win32api • pywintypes salt.modules.win_pkg.compare_versions(ver1='', oper='==', ver2='') Compare software package versions salt.modules.win_pkg.genrepo(saltenv='base') Generate winrepo_cachefile based on sls files in the winrepo CLI Example: salt-run winrepo.genrepo salt.modules.win_pkg.get_name_map() salt.modules.win_pkg.get_repo_data(saltenv='base') Returns the cached winrepo data CLI Example: salt '*' pkg.get_repo_data salt.modules.win_pkg.install(name=None, refresh=False, pkgs=None, saltenv='base', **kwargs) Install the passed package(s) on the system using winrepo Parameters • name (str, list, or None) -- The name of a single package, or a comma-separated list of packages to install. (no spaces after the commas) • version (str) -- The specific version to install. If omitted, the latest version will be installed. If passed with multiple install, the version will apply to all packages. Recommended for single installation only. • refresh (bool) -- Boolean value representing whether or not to refresh the winrepo db • pkgs (list or None) -- A list of packages to install from a software repository. All packages listed under pkgs will be installed via a single command. • saltenv (str) -- The salt environment to use. Default is base. • kwargs (dict) -- Any additional argument that may be passed from the state module. If they don't apply, they are ignored. Returns Return a dict containing the new package names and versions: Return type dict If the package is installed by pkg.install: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} If the package is already installed: {'<package>': {'current': '<current-version>'}} The following example will refresh the winrepo and install a single package, 7zip. CLI Example: salt '*' pkg.install 7zip refresh=True CLI Example: salt '*' pkg.install 7zip salt '*' pkg.install 7zip,filezilla salt '*' pkg.install pkgs='["7zip","filezilla"]' salt.modules.win_pkg.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation. If more than one package name is specified, a dict of name/version pairs is returned. If the latest version of a given package is already installed, an empty string will be returned for that package. CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> <package3> ... salt.modules.win_pkg.list_available(*names) Return a list of available versions of the specified package. CLI Example: salt '*' pkg.list_available <package name> salt '*' pkg.list_available <package name01> <package name02> salt.modules.win_pkg.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed in a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt '*' pkg.list_pkgs versions_as_list=True salt.modules.win_pkg.list_upgrades(refresh=True) List all available package upgrades on this system CLI Example: salt '*' pkg.list_upgrades salt.modules.win_pkg.purge(name=None, pkgs=None, version=None, **kwargs) Package purges are not supported, this function is identical to remove(). name The name of the package to be deleted. version The version of the package to be deleted. If this option is used in combination with the pkgs option below, then this version will be applied to all targeted packages. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.purge <package name> salt '*' pkg.purge <package1>,<package2>,<package3> salt '*' pkg.purge pkgs='["foo", "bar"]' salt.modules.win_pkg.refresh_db(saltenv='base') Just recheck the repository and return a dict: {'<database name>': Bool} CLI Example: salt '*' pkg.refresh_db salt.modules.win_pkg.remove(name=None, pkgs=None, version=None, **kwargs) Remove the passed package(s) from the system using winrepo Parameters • name (str, list, or None) -- The name of the package to be uninstalled. • version (str) -- The version of the package to be uninstalled. If this option is used to to uninstall multiple packages, then this version will be applied to all targeted packages. Recommended using only when uninstalling a single package. If this parameter is omitted, the latest version will be uninstalled. Multiple Package Options: Parameters pkgs (list or None) -- A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns Returns a dict containing the changes. Return type dict If the package is removed by pkg.remove: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} If the package is already uninstalled: {'<package>': {'current': 'not installed'}} CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.win_pkg.upgrade(refresh=True) Run a full system upgrade Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.upgrade salt.modules.win_pkg.upgrade_available(name) Check whether or not an upgrade is available for a given package CLI Example: salt '*' pkg.upgrade_available <package name> salt.modules.win_pkg.version(*names, **kwargs) Returns a version if the package is installed, else returns an empty string CLI Example: salt '*' pkg.version <package name> salt.modules.win_powercfg This module allows you to control the power settings of a windows minion via powercfg. New in version 2015.8.0. salt '*' powercfg.set_monitor_timeout 0 power=dc salt '*' powercfg.set_disk_timeout 120 power=ac salt.modules.win_powercfg.get_disk_timeout() Get the current disk timeout of the current scheme CLI Example: salt '*' powercfg.get_disk_timeout salt.modules.win_powercfg.get_hibernate_timeout() Get the current hibernate timeout of the current scheme CLI Example: salt '*' powercfg.get_hibernate_timeout salt.modules.win_powercfg.get_monitor_timeout() Get the current monitor timeout of the current scheme CLI Example: salt '*' powercfg.get_monitor_timeout salt.modules.win_powercfg.get_standby_timeout() Get the current standby timeout of the current scheme CLI Example: salt '*' powercfg.get_standby_timeout salt.modules.win_powercfg.set_disk_timeout(timeout, power='ac') Set the disk timeout in minutes for the current power scheme CLI Example: salt '*' powercfg.set_disk_timeout 30 power=dc timeout The amount of time in minutes before the disk will timeout power Should we set the value for AC or DC (battery)? Valid options ac,dc. salt.modules.win_powercfg.set_hibernate_timeout(timeout, power='ac') Set the hibernate timeout in minutes for the current power scheme CLI Example: salt '*' powercfg.set_hibernate_timeout 30 power=pc timeout The amount of time in minutes before the computer hibernates power Should we set the value for AC or DC (battery)? Valid options ac,dc. salt.modules.win_powercfg.set_monitor_timeout(timeout, power='ac') Set the monitor timeout in minutes for the current power scheme CLI Example: salt '*' powercfg.set_monitor_timeout 30 power=ac timeout The amount of time in minutes before the monitor will timeout power Should we set the value for AC or DC (battery)? Valid options ac,dc. salt.modules.win_powercfg.set_standby_timeout(timeout, power='ac') Set the standby timeout in minutes for the current power scheme CLI Example: salt '*' powercfg.set_standby_timeout 30 power=dc timeout The amount of time in minutes before the computer sleeps power Should we set the value for AC or DC (battery)? Valid options ac,dc. salt.modules.win_repo Module to manage Windows software repo on a Standalone Minion file_client: local must be set in the minion config file. For documentation on Salt's Windows Repo feature, see here. salt.modules.win_repo.genrepo() Generate winrepo_cachefile based on sls files in the winrepo_dir CLI Example: salt-call winrepo.genrepo salt.modules.win_repo.show_sls(name, saltenv='base') New in version 2015.8.0. Display the rendered software definition from a specific sls file in the local winrepo cache. This will parse all Jinja. Run pkg.refresh_db to pull the latest software definitions from the master. Parameters • name (str) -- The name of the package you want to view. Start from the local winrepo root. If you have .sls files organized in subdirectories you'll have to denote them with .. For example, if I have a test directory in the winrepo root with a gvim.sls file inside, I would target that file like so: test.gvim. Directories can be targeted as well as long as they contain an init.sls inside. For example, if I have a node directory with an init.sls inside, I would target that like so: node. • saltenv (str) -- The default environment is base Returns Returns a dictionary containing the rendered data structure Return type dict CLI Example: salt '*' winrepo.show_sls gvim salt '*' winrepo.show_sls test.npp salt.modules.win_repo.update_git_repos(clean=False) Checkout git repos containing Windows Software Package Definitions. IMPORTANT: This function requires Git for Windows to be installed in order to work. When installing, make sure to select an installation option which permits the git executable to be run from the Command Prompt. clean False Clean repo cachedirs which are not configured under winrepo_remotes. NOTE: This option only applies if either pygit2 or GitPython is installed into Salt's bundled Python. WARNING: This argument should not be set to True if a mix of git and non-git repo definitions are being used, as it will result in the non-git repo definitions being removed. New in version 2015.8.0. CLI Example: salt-call winrepo.update_git_repos salt.modules.win_servermanager Manage Windows features via the ServerManager powershell module salt.modules.win_servermanager.install(feature, recurse=False) Install a feature NOTE: Some features require reboot after un/installation, if so until the server is restarted other features can not be installed! NOTE: Some features take a long time to complete un/installation, set -t with a long timeout Parameters • feature (str) -- The name of the feature to install • recurse (bool) -- Install all sub-features Returns A dictionary containing the results of the install Return type dict CLI Example: salt '*' win_servermanager.install Telnet-Client salt '*' win_servermanager.install SNMP-Service True salt.modules.win_servermanager.list_available() List available features to install Returns A list of available features Return type list CLI Example: salt '*' win_servermanager.list_available salt.modules.win_servermanager.list_installed() List installed features. Supported on Windows Server 2008 and Windows 8 and newer. Returns A list of installed features Return type list CLI Example: salt '*' win_servermanager.list_installed salt.modules.win_servermanager.remove(feature) Remove an installed feature NOTE: Some features require a reboot after installation/uninstallation. If one of these features are modified, then other features cannot be installed until the server is restarted. Additionally, some features take a while to complete installation/uninstallation, so it is a good idea to use the -t option to set a longer timeout. Parameters feature (str) -- The name of the feature to remove Returns A dictionary containing the results of the uninstall Return type dict CLI Example: salt -t 600 '*' win_servermanager.remove Telnet-Client salt.modules.win_service Windows Service module. salt.modules.win_service.available(name) Returns True if the specified service is available, otherwise returns False. CLI Example: salt '*' service.available <service name> salt.modules.win_service.config(name, bin_path=None, display_name=None, svc_type=None, start_type=None, error=None, group=None, tag=None, depend=None, obj=None, password=None, **kwargs) Modify the named service. New in version 2015.8.8. Required parameters: Parameters name (str) -- Specifies the service name returned by the getkeyname operation Optional parameters: Parameters bin_path (str) -- Specifies the path to the service binary file, backslashes must be escaped - eg: C:\path\to\binary.exe Parameters display_name (str) -- the name to be displayed in the service manager Specifies a more descriptive name for identifying the service in user interface programs. Parameters • svc_type (str) -- Specifies the service type. Acceptable values are: - own (default): Service runs in its own process - share: Service runs as a shared process - interact: Service can interact with the desktop - kernel: Service is a driver - filesys: Service is a system driver - rec: Service is a file system-recognized driver that identifies filesystems on the computer • adapt: Service is an adapter driver that identifies hardware such as keyboards, mice and disk drives • start_type (str) -- Specifies the start type for the service. Acceptable values are: • boot: Device driver that is loaded by the boot loader • system: Device driver that is started during kernel initialization • auto: Service that automatically starts • demand (default): Service must be started manually • disabled: Service cannot be started • delayed-auto: Service starts automatically after other auto-services start Parameters error (str) -- Specifies the severity of the error if the service fails to start. Acceptable values are: • normal (default): Error is logged and a message box is displayed • severe: Error is logged and computer attempts a restart with last known good configuration • critical: Error is logged, computer attempts to restart with last known good configuration, system halts on failure • ignore: Error is logged and startup continues, no notification is given to the user Parameters group (str) -- Specifies the name of the group of which this service is a member. The list of groups is stored in the registry, in the HKLMSystemCurrentControlSetControlServiceGroupOrder subkey. The default is null. Parameters tag (str) -- Specifies whether or not to obtain a TagID from the CreateService call. For boot-start and system-start drivers only. Acceptable values are: • yes/no Parameters depend (str) -- Specifies the names of services or groups that must start before this service. The names are separated by forward slashes. Parameters obj (str) -- Specifies th name of an account in which a service will run or specifies a name of the Windows driver object in which the driver will run. Default is LocalSystem Parameters password (str) -- Specifies a password. Required if other than LocalSystem account is used. Returns True if successful, False if not Return type bool CLI Example: salt '*' service.config <service name> <path to exe> display_name='<display name>' salt.modules.win_service.create(name, binpath, DisplayName=None, type='own', start='demand', error='normal', group=None, tag='no', depend=None, obj=None, password=None, **kwargs) Create the named service. New in version 2015.8.0. Required parameters: name: Specifies the service name returned by the getkeyname operation binpath: Specifies the path to the service binary file, backslashes must be escaped • eg: C:\path\to\binary.exe Optional parameters: DisplayName: the name to be displayed in the service manager type: Specifies the service type, default is own • own (default): Service runs in its own process • share: Service runs as a shared process • interact: Service can interact with the desktop • kernel: Service is a driver • filesys: Service is a system driver • rec: Service is a file system-recognized driver that identifies filesystems on the computer start: Specifies the start type for the service • boot: Device driver that is loaded by the boot loader • system: Device driver that is started during kernel initialization • auto: Service that automatically starts • demand (default): Service must be started manually • disabled: Service cannot be started • delayed-auto: Service starts automatically after other auto-services start error: Specifies the severity of the error • normal (default): Error is logged and a message box is displayed • severe: Error is logged and computer attempts a restart with last known good configuration • critical: Error is logged, computer attempts to restart with last known good configuration, system halts on failure • ignore: Error is logged and startup continues, no notification is given to the user group: Specifies the name of the group of which this service is a member tag: Specifies whether or not to obtain a TagID from the CreateService call. For boot-start and system-start drivers • yes/no depend: Specifies the names of services or groups that myust start before this service. The names are separated by forward slashes. obj: Specifies th ename of an account in which a service will run. Default is LocalSystem password: Specifies a password. Required if other than LocalSystem account is used. CLI Example: salt '*' service.create <service name> <path to exe> display_name='<display name>' salt.modules.win_service.create_win_salt_restart_task() Create a task in Windows task scheduler to enable restarting the salt-minion CLI Example: salt '*' service.create_win_salt_restart_task() salt.modules.win_service.delete(name) Delete the named service CLI Example: salt '*' service.delete <service name> salt.modules.win_service.disable(name, **kwargs) Disable the named service to start at boot CLI Example: salt '*' service.disable <service name> salt.modules.win_service.disabled(name) Check to see if the named service is disabled to start on boot CLI Example: salt '*' service.disabled <service name> salt.modules.win_service.enable(name, **kwargs) Enable the named service to start at boot CLI Example: salt '*' service.enable <service name> salt.modules.win_service.enabled(name, **kwargs) Check to see if the named service is enabled to start on boot CLI Example: salt '*' service.enabled <service name> salt.modules.win_service.execute_salt_restart_task() Run the Windows Salt restart task CLI Example: salt '*' service.execute_salt_restart_task() salt.modules.win_service.get_all() Return all installed services CLI Example: salt '*' service.get_all salt.modules.win_service.get_disabled() Return the disabled services CLI Example: salt '*' service.get_disabled salt.modules.win_service.get_enabled() Return the enabled services CLI Example: salt '*' service.get_enabled salt.modules.win_service.get_service_name(*args) The Display Name is what is displayed in Windows when services.msc is executed. Each Display Name has an associated Service Name which is the actual name of the service. This function allows you to discover the Service Name by returning a dictionary of Display Names and Service Names, or filter by adding arguments of Display Names. If no args are passed, return a dict of all services where the keys are the service Display Names and the values are the Service Names. If arguments are passed, create a dict of Display Names and Service Names CLI Example: salt '*' service.get_service_name salt '*' service.get_service_name 'Google Update Service (gupdate)' 'DHCP Client' salt.modules.win_service.getsid(name) Return the sid for this windows service CLI Example: salt '*' service.getsid <service name> salt.modules.win_service.missing(name) The inverse of service.available. Returns True if the specified service is not available, otherwise returns False. CLI Example: salt '*' service.missing <service name> salt.modules.win_service.restart(name) Restart the named service CLI Example: salt '*' service.restart <service name> salt.modules.win_service.start(name) Start the specified service CLI Example: salt '*' service.start <service name> salt.modules.win_service.status(name, sig=None) Return the status for a service, returns the PID or an empty string if the service is running or not, pass a signature to use to find the service via ps CLI Example: salt '*' service.status <service name> [service signature] salt.modules.win_service.stop(name) Stop the specified service CLI Example: salt '*' service.stop <service name> salt.modules.win_shadow Manage the shadow file salt.modules.win_shadow.info(name) Return information for the specified user This is just returns dummy data so that salt states can work. Parameters name (str) -- The name of the user account to show. CLI Example: salt '*' shadow.info root salt.modules.win_shadow.require_password_change(name) Require the user to change their password the next time they log in. Parameters name -- The name of the user account to require a password change. Returns True if successful. False if unsuccessful. Return type bool salt.modules.win_shadow.set_expire(name, expire) Set the expiration date for a user account. Parameters • name -- The name of the user account to edit. • expire -- The date the account will expire. Returns True if successful. False if unsuccessful. Return type bool salt.modules.win_shadow.set_password(name, password) Set the password for a named user. Parameters • name (str) -- The name of the user account • password (str) -- The new password Returns True if successful. False if unsuccessful. Return type bool CLI Example: salt '*' shadow.set_password root mysecretpassword salt.modules.win_shadow.unlock_account(name) Unlocks a user account. Parameters name -- The name of the user account to unlock. Returns True if successful. False if unsuccessful. Return type bool salt.modules.win_status Module for returning various status data about a minion. These data can be useful for compiling into stats later, or for problem solving if your minion is having problems. New in version 0.12.0. depends • pythoncom • wmi salt.modules.win_status.cpuload() New in version 2015.8.0. Return the processor load as a percentage CLI Example: salt '*' status.cpuload salt.modules.win_status.diskusage(human_readable=False, path=None) New in version 2015.8.0. Return the disk usage for this minion human_readable False If True, usage will be in KB/MB/GB etc. CLI Example: salt '*' status.diskusage path=c:/salt salt.modules.win_status.master(master=None, connected=True) New in version 2015.5.0. Fire an event if the minion gets disconnected from its master. This function is meant to be run via a scheduled job from the minion. If master_ip is an FQDN/Hostname, is must be resolvable to a valid IPv4 address. CLI Example: salt '*' status.master salt.modules.win_status.procs(count=False) Return the process data count False If True, this function will simply return the number of processes. New in version 2015.8.0. CLI Example: salt '*' status.procs salt '*' status.procs count salt.modules.win_status.saltmem(human_readable=False) New in version 2015.8.0. Returns the amount of memory that salt is using human_readable False return the value in a nicely formated number CLI Example: salt '*' status.saltmem salt '*' status.saltmem human_readable=True salt.modules.win_status.uptime(human_readable=False) New in version 2015.8.0. Return the system uptime for this machine in seconds human_readable False If True, then return uptime in years, days, and seconds. CLI Example: salt '*' status.uptime salt '*' status.uptime human_readable=True salt.modules.win_system Module for managing windows systems. depends • win32net Support for reboot, shutdown, etc salt.modules.win_system.get_computer_desc() Get the Windows computer description Returns Returns the computer description if found. Otherwise returns False CLI Example: salt 'minion-id' system.get_computer_desc salt.modules.win_system.get_computer_name() Get the Windows computer name Returns Returns the computer name if found. Otherwise returns False CLI Example: salt 'minion-id' system.get_computer_name salt.modules.win_system.get_domain_workgroup() Get the domain or workgroup the computer belongs to. New in version 2015.5.7. New in version 2015.8.2. Returns The name of the domain or workgroup Return type str salt.modules.win_system.get_pending_computer_name() Get a pending computer name. If the computer name has been changed, and the change is pending a system reboot, this function will return the pending computer name. Otherwise, None will be returned. If there was an error retrieving the pending computer name, False will be returned, and an error message will be logged to the minion log. Returns Returns the pending name if pending restart. Returns none if not pending restart. CLI Example: salt 'minion-id' system.get_pending_computer_name salt.modules.win_system.get_system_date() Get the Windows system date Returns Returns the system date. Return type str CLI Example: salt '*' system.get_system_date salt.modules.win_system.get_system_info() Get system information. Returns Returns a Dictionary containing information about the system to include name, description, version, etc... Return type dict salt.modules.win_system.get_system_time() Get the system time. Returns Returns the system time in HH:MM AM/PM format. Return type str salt.modules.win_system.halt(timeout=5, in_seconds=False) Halt a running system. Parameters timeout (int) -- Number of seconds before halting the system. Default is 5 seconds. Returns True is successful. Return type bool timeout The wait time before the system will be shutdown. in_seconds Whether to treat timeout as seconds or minutes. New in version 2015.8.0. CLI Example: salt '*' system.halt 5 salt.modules.win_system.init(runlevel) Change the system runlevel on sysV compatible systems CLI Example: salt '*' system.init 3 salt.modules.win_system.join_domain(domain, username=None, password=None, account_ou=None, account_exists=False, restart=False) Join a computer to an Active Directory domain. Requires reboot. Parameters • domain (str) -- The domain to which the computer should be joined, e.g. example.com • username (str) -- Username of an account which is authorized to join computers to the specified domain. Need to be either fully qualified like user@domain.tld or simply user • password (str) -- Password of the specified user • account_ou (str) -- The DN of the OU below which the account for this computer should be created when joining the domain, e.g. ou=computers,ou=departm_432,dc=my-company,dc=com • account_exists (bool) -- Needs to be set to True to allow re-using an existing account • restart (bool) -- Restarts the computer after a successful join New in version 2015.5.7. New in version 2015.8.2. Returns Returns a dictionary if successful. False if unsuccessful. Return type dict, bool CLI Example: salt 'minion-id' system.join_domain domain='domain.tld' \ username='joinuser' password='joinpassword' \ account_ou='ou=clients,ou=org,dc=domain,dc=tld' \ account_exists=False, restart=True salt.modules.win_system.lock() Lock the workstation. Returns True if successful Return type bool salt.modules.win_system.poweroff(timeout=5, in_seconds=False) Power off a running system. Parameters timeout (int) -- Number of seconds before powering off the system. Default is 5 seconds. Returns True if successful Return type bool timeout The wait time before the system will be shutdown. in_seconds Whether to treat timeout as seconds or minutes. New in version 2015.8.0. CLI Example: salt '*' system.poweroff 5 salt.modules.win_system.reboot(timeout=5, in_seconds=False) Reboot a running system. Parameters • timeout (int) -- Number of seconds before rebooting the system. Default is 5 minutes. • in_seconds (bool) -- Whether to treat timeout as seconds or minutes. New in version 2015.8.0. Returns True if successful Return type bool CLI Example: salt '*' system.reboot 5 salt.modules.win_system.set_computer_desc(desc=None) Set the Windows computer description Parameters desc (str) -- The computer description Returns False if it fails. Description if successful. CLI Example: salt 'minion-id' system.set_computer_desc 'This computer belongs to Dave!' salt.modules.win_system.set_computer_name(name) Set the Windows computer name Parameters name (str) -- The new name to give the computer. Requires a reboot to take effect. Returns Returns a dictionary containing the old and new names if successful. False if not. CLI Example: salt 'minion-id' system.set_computer_name 'DavesComputer' salt.modules.win_system.set_system_date(newdate) Set the Windows system date. Use <mm-dd-yy> format for the date. Parameters newdate (str) -- The date to set. Can be any of the following formats - YYYY-MM-DD - MM-DD-YYYY - MM-DD-YY - MM/DD/YYYY - MM/DD/YY - YYYY/MM/DD CLI Example: salt '*' system.set_system_date '03-28-13' salt.modules.win_system.set_system_date_time(years=None, months=None, days=None, hours=None, minutes=None, seconds=None) Set the system date and time. Each argument is an element of the date, but not required. If an element is not passed, the current system value for that element will be used. For example, if you don't pass the year, the current system year will be used. (Used by set_system_date and set_system_time) Parameters • years (int) -- Years digit, ie: 2015 • months (int) -- Months digit: 1 - 12 • days (int) -- Days digit: 1 - 31 • hours (int) -- Hours digit: 0 - 23 • minutes (int) -- Minutes digit: 0 - 59 • seconds (int) -- Seconds digit: 0 - 59 Returns True if successful. Otherwise False. Return type bool CLI Example: salt '*' system.set_system_date_ time 2015 5 12 11 37 53 salt.modules.win_system.set_system_time(newtime) Set the system time. Parameters newtime (str) -- The time to set. Can be any of the following formats. - HH:MM:SS AM/PM - HH:MM AM/PM - HH:MM:SS (24 hour) - HH:MM (24 hour) Returns Returns True if successful. Otherwise False. Return type bool salt.modules.win_system.shutdown(message=None, timeout=5, force_close=True, reboot=False, in_seconds=False) Shutdown a running system. Parameters • message (str) -- A message to display to the user before shutting down. • timeout (int) -- The length of time that the shutdown dialog box should be displayed, in seconds. While this dialog box is displayed, the shutdown can be stopped by the shutdown_abort function. If timeout is not zero, InitiateSystemShutdown displays a dialog box on the specified computer. The dialog box displays the name of the user who called the function, displays the message specified by the lpMessage parameter, and prompts the user to log off. The dialog box beeps when it is created and remains on top of other windows in the system. The dialog box can be moved but not closed. A timer counts down the remaining time before a forced shutdown. If timeout is zero, the computer shuts down without displaying the dialog box, and the shutdown cannot be stopped by shutdown_abort. Default is 5 minutes • in_seconds (bool) -- Whether to treat timeout as seconds or minutes. New in version 2015.8.0. • force_close (bool) -- True to force close all open applications. False displays a dialog box instructing the user to close the applications. • reboot (bool) -- True restarts the computer immediately after shutdown. False caches to disk and safely powers down the system. Returns True if successful Return type bool CLI Example: salt '*' system.shutdown 5 salt.modules.win_system.shutdown_abort() Abort a shutdown. Only available while the dialog box is being displayed to the user. Once the shutdown has initiated, it cannot be aborted Returns True if successful Return type bool salt.modules.win_system.shutdown_hard() Shutdown a running system with no timeout or warning. Returns True if successful Return type bool CLI Example: salt '*' system.shutdown_hard salt.modules.win_system.start_time_service() Start the Windows time service Returns True if successful. Otherwise False Return type bool CLI Example: salt '*' system.start_time_service salt.modules.win_system.stop_time_service() Stop the Windows time service Returns True if successful. Otherwise False Return type bool CLI Example: salt '*' system.stop_time_service salt.modules.win_system.unjoin_domain(username=None, password=None, domain=None, workgroup='WORKGROUP', disable=False, restart=False) Unjoin a computer from an Active Directory Domain. Requires restart. Parameters • username -- Username of an account which is authorized to manage computer accounts on the domain. Need to be fully qualified like user@domain.tld or domain.tld\user. If domain not specified, the passed domain will be used. If computer account doesn't need to be disabled, can be None. • password (str) -- Password of the specified user • domain (str) -- The domain from which to unjoin the computer. Can be None • workgroup (str) -- The workgroup to join the computer to. Default is WORKGROUP New in version 2015.5.7. New in version 2015.8.2. Parameters • disable (bool) -- Disable the user account in Active Directory. True to disable. • restart (bool) -- Restart the computer after successful unjoin New in version 2015.5.7. New in version 2015.8.2. Returns Returns a dictionary if successful. False if unsuccessful. Return type dict, bool CLI Example: salt 'minion-id' system.unjoin_domain restart=True salt 'minion-id' system.unjoin_domain username='unjoinuser' \\ password='unjoinpassword' disable=True \\ restart=True salt.modules.win_timezone Module for managing timezone on Windows systems. salt.modules.win_timezone.get_hwclock() Get current hardware clock setting (UTC or localtime) CLI Example: salt '*' timezone.get_hwclock salt.modules.win_timezone.get_offset() Get current numeric timezone offset from UCT (i.e. -0700) CLI Example: salt '*' timezone.get_offset salt.modules.win_timezone.get_zone() Get current timezone (i.e. America/Denver) CLI Example: salt '*' timezone.get_zone salt.modules.win_timezone.get_zonecode() Get current timezone (i.e. PST, MDT, etc) CLI Example: salt '*' timezone.get_zonecode salt.modules.win_timezone.set_hwclock(clock) Sets the hardware clock to be either UTC or localtime CLI Example: salt '*' timezone.set_hwclock UTC salt.modules.win_timezone.set_zone(timezone) Unlinks, then symlinks /etc/localtime to the set timezone. The timezone is crucial to several system processes, each of which SHOULD be restarted (for instance, whatever you system uses as its cron and syslog daemons). This will not be magically done for you! CLI Example: salt '*' timezone.set_zone 'America/Denver' salt.modules.win_timezone.zone_compare(timezone) Checks the md5sum between the given timezone, and the one set in /etc/localtime. Returns True if they match, and False if not. Mostly useful for running state checks. Example: salt '*' timezone.zone_compare 'America/Denver' salt.modules.win_update Module for running windows updates. depends • win32com • win32con • win32api • pywintypes New in version 2014.7.0. Set windows updates to run by category. Default behavior is to install all updates that do not require user interaction to complete. Optionally set categories to a category of your choice to only install certain updates. Default is to set to install all available but driver updates. The following example will install all Security and Critical Updates, and download but not install standard updates. salt '*' win_update.install_updates categories="['Critical Updates', 'Security Updates']" You can also specify a number of features about the update to have a fine grain approach to specific types of updates. These are the following features/states of updates available for configuring: 'UI' - User interaction required, skipped by default 'downloaded' - Already downloaded, included by default 'present' - Present on computer, included by default 'installed' - Already installed, skipped by default 'reboot' - Reboot required, included by default 'hidden' - Skip hidden updates, skipped by default 'software' - Software updates, included by default 'driver' - Driver updates, included by default The following example installs all updates that don't require a reboot: salt '*' win_update.install_updates skips="[{'reboot':True}]" Once installed Salt will return a similar output: 2 : Windows Server 2012 Update (KB123456) 4 : Internet Explorer Security Update (KB098765) 2 : Malware Definition Update (KB321456) ... The number at the beginning of the line is an OperationResultCode from the Windows Update Agent, it's enumeration is described here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa387095(v=vs.85).aspx. The result code is then followed by the update name and its KB identifier. class salt.modules.win_update.PyWinUpdater(categories=None, skipUI=True, skipDownloaded=False, skipInstalled=True, skipReboot=False, skipPresent=False, skipSoftwareUpdates=False, skipDriverUpdates=False, skipHidden=True) AutoSearch() this function generates a search string. simplifying the search function while still providing as many features as possible. Download() GetAvailableCategories() GetCategories() GetDownloadResults() GetInstallationResults() this gets results of installation process. GetInstallationResultsPretty() converts the installation results into a pretty print. GetSearchResults() GetSearchResultsPretty() Install() Search(searchString) SetCategories(categories) SetSkip(skip, state) SetSkips(skips) salt.modules.win_update.download_updates(skips=None, retries=5, categories=None) Downloads all available updates, skipping those that require user interaction. Various aspects of the updates can be included or excluded. this feature is still in development. retries Number of retries to make before giving up. This is total, not per step. categories Specify the categories to update. Must be passed as a list. salt '*' win_update.download_updates categories="['Updates']" Categories include the following: • Updates • Windows 7 • Critical Updates • Security Updates • Update Rollups CLI Examples: # Normal Usage salt '*' win_update.download_updates # Download critical updates only salt '*' win_update.download_updates categories="['Critical Updates']" salt.modules.win_update.install_updates(skips=None, retries=5, categories=None) Downloads and installs all available updates, skipping those that require user interaction. Add cached to only install those updates which have already been downloaded. you can set the maximum number of retries to n in the search process by adding: retries=n various aspects of the updates can be included or excluded. This function is still under development. retries Number of retries to make before giving up. This is total, not per step. categories Specify the categories to install. Must be passed as a list. salt '*' win_update.install_updates categories="['Updates']" Categories include the following: • Updates • Windows 7 • Critical Updates • Security Updates • Update Rollups CLI Examples: # Normal Usage salt '*' win_update.install_updates # Install all critical updates salt '*' win_update.install_updates categories="['Critical Updates']" salt.modules.win_update.list_updates(verbose=False, skips=None, retries=5, categories=None) Returns a summary of available updates, grouped into their non-mutually exclusive categories. verbose Print results in greater detail retries Number of retries to make before giving up. This is total, not per step. categories Specify the categories to list. Must be passed as a list. salt '*' win_update.list_updates categories="['Updates']" Categories include the following: • Updates • Windows 7 • Critical Updates • Security Updates • Update Rollups CLI Examples: # Normal Usage salt '*' win_update.list_updates # List all critical updates list in verbose detail salt '*' win_update.list_updates categories=['Critical Updates'] verbose=True salt.modules.win_useradd Module for managing Windows Users depends • pywintypes • win32api • win32net • win32netcon • win32profile • win32security • win32ts NOTE: This currently only works with local user accounts, not domain accounts salt.modules.win_useradd.add(name, password=None, fullname=False, description=None, groups=None, home=None, homedrive=None, profile=None, logonscript=None) Add a user to the minion. Parameters • name (str) -- User name • password (str) -- User's password in plain text. • fullname (str) -- The user's full name. • description (str) -- A brief description of the user account. • groups (list) -- A list of groups to add the user to. • home (str) -- The path to the user's home directory. • homedrive (str) -- The drive letter to assign to the home directory. Must be the Drive Letter followed by a colon. ie: U: • profile (str) -- An explicit path to a profile. Can be a UNC or a folder on the system. If left blank, windows uses it's default profile directory. • logonscript (str) -- Path to a login script to run when the user logs on. Returns True if successful. False is unsuccessful. Return type bool CLI Example: salt '*' user.add name password salt.modules.win_useradd.addgroup(name, group) Add user to a group Parameters • name (str) -- user name to add to the group • group (str) -- name of the group to which to add the user Returns True if successful. False is unsuccessful. Return type bool CLI Example: salt '*' user.addgroup jsnuffy 'Power Users' salt.modules.win_useradd.chfullname(name, fullname) Change the full name of the user Parameters • name (str) -- user name for which to change the full name • fullname (str) -- the new value for the full name Returns True if successful. False is unsuccessful. Return type bool CLI Example: salt '*' user.chfullname user 'First Last' salt.modules.win_useradd.chgroups(name, groups, append=True) Change the groups this user belongs to, add append=False to make the user a member of only the specified groups Parameters • name (str) -- user name for which to change groups • groups (list, str) -- a single group or a list of groups to assign to the user • append (bool) -- True adds the passed groups to the user's current groups False sets the user's groups to the passed groups only Returns True if successful. False is unsuccessful. Return type bool CLI Example: salt '*' user.chgroups jsnuffy Administrators,Users True salt.modules.win_useradd.chhome(name, home, persist=False) Change the home directory of the user, pass True for persist to move files to the new home directory if the old home directory exist. Parameters • name (str) -- name of the user whose home directory you wish to change • home (str) -- new location of the home directory • persist (bool) -- True to move the contents of the existing home directory to the new location Returns True if successful. False is unsuccessful. Return type bool CLI Example: salt '*' user.chhome foo \\fileserver\home\foo True salt.modules.win_useradd.chprofile(name, profile) Change the profile directory of the user Parameters • name (str) -- name of the user whose profile you wish to change • profile (str) -- new location of the profile Returns True if successful. False is unsuccessful. :rtype: bool CLI Example: salt '*' user.chprofile foo \\fileserver\profiles\foo salt.modules.win_useradd.current(sam=False) Get the username that salt-minion is running under. If salt-minion is running as a service it should return the Local System account. If salt is running from a command prompt it should return the username that started the command prompt. New in version 2015.5.6. Parameters sam (bool) -- False returns just the username without any domain notation. True returns the domain with the username in the SAM format. Ie: domain\username Returns Returns False if the username cannot be returned. Otherwise returns the username. Return type bool str CLI Example: salt '*' user.current salt.modules.win_useradd.delete(name, purge=False, force=False) Remove a user from the minion Parameters • name (str) -- The name of the user to delete • purge (bool) -- Boolean value indicating that the user profile should also be removed when the user account is deleted. If set to True the profile will be removed. • force (bool) -- Boolean value indicating that the user account should be deleted even if the user is logged in. True will log the user out and delete user. Returns True if successful Return type bool CLI Example: salt '*' user.delete name salt.modules.win_useradd.getUserSid(username) Get the Security ID for the user Parameters username (str) -- user name for which to look up the SID Returns Returns the user SID Return type str CLI Example: salt '*' user.getUserSid jsnuffy salt.modules.win_useradd.getent(refresh=False) Return the list of all info for all users Parameters refresh (bool) -- Refresh the cached user information. Default is False. Useful when used from within a state function. Returns A dictionary containing information about all users on the system Return type dict CLI Example: salt '*' user.getent salt.modules.win_useradd.info(name) Return user information Parameters name (str) -- Username for which to display information Returns A dictionary containing user information • fullname • username • SID • passwd (will always return None) • comment (same as description, left here for backwards compatibility) • description • active • logonscript • profile • home • homedrive • groups • password_changed • successful_logon_attempts • failed_logon_attempts • last_logon • account_disabled • account_locked • password_never_expires • disallow_change_password • gid Return type dict CLI Example: salt '*' user.info jsnuffy salt.modules.win_useradd.list_groups(name) Return a list of groups the named user belongs to Parameters name (str) -- user name for which to list groups Returns list of groups to which the user belongs Return type list CLI Example: salt '*' user.list_groups foo salt.modules.win_useradd.list_users() Return a list of users on Windows Returns list of users on the system Return type list CLI Example: salt '*' user.list_users salt.modules.win_useradd.removegroup(name, group) Remove user from a group Parameters • name (str) -- user name to remove from the group • group (str) -- name of the group from which to remove the user Returns True if successful. False is unsuccessful. Return type bool CLI Example: salt '*' user.removegroup jsnuffy 'Power Users' salt.modules.win_useradd.rename(name, new_name) Change the username for a named user Parameters • name (str) -- user name to change • new_name (str) -- the new name for the current user Returns True if successful. False is unsuccessful. Return type bool CLI Example: salt '*' user.rename jsnuffy jshmoe salt.modules.win_useradd.setpassword(name, password) Set the user's password Parameters • name (str) -- user name for which to set the password • password (str) -- the new password Returns True if successful. False is unsuccessful. Return type bool CLI Example: salt '*' user.setpassword jsnuffy sup3rs3cr3t salt.modules.win_useradd.update(name, password=None, fullname=None, description=None, home=None, homedrive=None, logonscript=None, profile=None, expiration_date=None, expired=None, account_disabled=None, unlock_account=None, password_never_expires=None, disallow_change_password=None) Updates settings for the windows user. Name is the only required parameter. Settings will only be changed if the parameter is passed a value. New in version 2015.8.0. Parameters • name (str) -- The user name to update. • password (str) -- New user password in plain text. • fullname (str) -- The user's full name. • description (str) -- A brief description of the user account. • home (str) -- The path to the user's home directory. • homedrive (str) -- The drive letter to assign to the home directory. Must be the Drive Letter followed by a colon. ie: U: • logonscript (str) -- The path to the logon script. • profile (str) -- The path to the user's profile directory. • expiration_date (date) -- The date and time when the account expires. Can be a valid date/time string. To set to never expire pass the string 'Never'. Parameters expired (bool) -- Pass True to expire the account. The user will be prompted to change their password at the next logon. Pass False to mark the account as 'not expired'. You can't use this to negate the expiration if the expiration was caused by the account expiring. You'll have to change the expiration_date as well. Parameters account_disabled (bool) -- True disables the account. False enables the account. Parameters unlock_account (bool) -- True unlocks a locked user account. False is ignored. Parameters password_never_expires (bool) -- True sets the password to never expire. False allows the password to expire. Parameters disallow_change_password (bool) -- True blocks the user from changing the password. False allows the user to change the password. Returns True if successful. False is unsuccessful. Return type bool CLI Example: salt '*' user.update bob password=secret profile=C:\Users\Bob home=\\server\homeshare\bob homedrive=U: salt.modules.win_wua Module for managing Windows Updates using the Windows Update Agent. New in version 2015.8.0. depends • win32com • pythoncom salt.modules.win_wua.download_update(guid=None) Downloads a single update Parameters guid -- str A GUID for the update to be downloaded Returns A dictionary containing the status, a message, and a list of updates that were downloaded. CLI Examples: salt '*' win_wua.download_update 12345678-abcd-1234-abcd-1234567890ab salt.modules.win_wua.download_updates(guid=None) Downloads updates that match the list of passed GUIDs. It's easier to use this function by using list_updates and setting install=True. Parameters guid -- A list of GUIDs to be downloaded Returns A dictionary containing the status, a message, and a list of updates that were downloaded. CLI Examples: # Normal Usage salt '*' win_wua.download_updates guid=['12345678-abcd-1234-abcd-1234567890ab', '87654321-dcba-4321-dcba-ba0987654321'] salt.modules.win_wua.get_needs_reboot() Determines if the system needs to be rebooted. Returns bool True if the system requires a reboot, False if not CLI Examples: salt '*' win_wua.get_needs_reboot salt.modules.win_wua.get_wu_settings() Get current Windows Update settings. Returns Featured Updates: Boolean value that indicates whether to display notifications for featured updates. Group Policy Required (Read-only): Boolean value that indicates whether Group Policy requires the Automatic Updates service. Microsoft Update: Boolean value that indicates whether to turn on Microsoft Update for other Microsoft Products Needs Reboot: Boolean value that indicates whether the machine is in a reboot pending state. Non Admins Elevated: Boolean value that indicates whether non-administrators can perform some update-related actions without administrator approval. Notification Level: Number 1 to 4 indicating the update level: 1. Never check for updates 2. Check for updates but let me choose whether to download and install them 3. Download updates but let me choose whether to install them 4. Install updates automatically Read Only (Read-only): Boolean value that indicates whether the Automatic Update settings are read-only. Recommended Updates: Boolean value that indicates whether to include optional or recommended updates when a search for updates and installation of updates is performed. Scheduled Day: Days of the week on which Automatic Updates installs or uninstalls updates. Scheduled Time: Time at which Automatic Updates installs or uninstalls updates. CLI Examples: salt '*' win_wua.get_wu_settings salt.modules.win_wua.install_update(guid=None) Installs a single update Parameters guid -- str A GUID for the update to be installed Returns dict A dictionary containing the details about the installed update CLI Examples: salt '*' win_wua.install_update 12345678-abcd-1234-abcd-1234567890ab salt.modules.win_wua.install_updates(guid=None) Installs updates that match the passed criteria. It may be easier to use the list_updates function and set install=True. Parameters guid -- list A list of GUIDs to be installed Returns dict A dictionary containing the details about the installed updates CLI Examples: # Normal Usage salt '*' win_wua.install_updates guid=['12345678-abcd-1234-abcd-1234567890ab', '87654321-dcba-4321-dcba-ba0987654321'] salt.modules.win_wua.list_update(name=None, download=False, install=False) Returns details for all updates that match the search criteria Parameters • name (str) -- The name of the update you're searching for. This can be the GUID (preferred), a KB number, or the full name of the update. Run list_updates to get the GUID for the update you're looking for. • download (bool) -- Download the update returned by this function. Run this function first to see if the update exists, then set download=True to download the update. • install (bool) -- Install the update returned by this function. Run this function first to see if the update exists, then set install=True to install the update. This will override download=True Returns Returns a dict containing a list of updates that match the name if download and install are both set to False. Should usually be a single update, but can return multiple if a partial name is given. If download or install is set to true it will return the results of win_wua.download_updates: List of Updates: {'<GUID>': {'Title': <title>, 'KB': <KB>, 'GUID': <the globally unique identifier for the update> 'Description': <description>, 'Downloaded': <has the update been downloaded>, 'Installed': <has the update been installed>, 'Mandatory': <is the update mandatory>, 'UserInput': <is user input required>, 'EULAAccepted': <has the EULA been accepted>, 'Severity': <update severity>, 'NeedsReboot': <is the update installed and awaiting reboot>, 'RebootBehavior': <will the update require a reboot>, 'Categories': [ '<category 1>', '<category 2>', ...] } } Return type dict CLI Examples: # Recommended Usage using GUID without braces # Use this to find the status of a specific update salt '*' wua.list_update 12345678-abcd-1234-abcd-1234567890ab # Use the following if you don't know the GUID: # Using a KB number (could possibly return multiple results) # Not all updates have an associated KB salt '*' wua.list_update KB3030298 # Using part or all of the name of the update # Could possibly return multiple results # Not all updates have an associated KB salt '*' wua.list_update 'Microsoft Camera Codec Pack' salt.modules.win_wua.list_updates(software=True, drivers=False, summary=False, installed=False, categories=None, severities=None, download=False, install=False) Returns a detailed list of available updates or a summary Parameters • software (bool) -- Include software updates in the results (default is True) • drivers (bool) -- Include driver updates in the results (default is False) • summary (bool) -- True: Return a summary of updates available for each category. False (default): Return a detailed list of available updates. • installed (bool) -- Include installed updates in the results (default if False) • download (bool) -- (Overrides reporting functionality) Download the list of updates returned by this function. Run this function first to see what will be installed, then set download=True to download the updates. • install (bool) -- (Overrides reporting functionality) Install the list of updates returned by this function. Run this function first to see what will be installed, then set install=True to install the updates. This will override download=True • categories (list) -- Specify the categories to list. Must be passed as a list. All categories returned by default. Categories include the following: • Critical Updates • Definition Updates • Drivers (make sure you set drivers=True) • Feature Packs • Security Updates • Update Rollups • Updates • Update Rollups • Windows 7 • Windows 8.1 • Windows 8.1 drivers • Windows 8.1 and later drivers • Windows Defender • severities (list) -- Specify the severities to include. Must be passed as a list. All severities returned by default. Severities include the following: • Critical • Important Returns Returns a dict containing either a summary or a list of updates: List of Updates: {'<GUID>': {'Title': <title>, 'KB': <KB>, 'GUID': <the globally uinique identifier for the update> 'Description': <description>, 'Downloaded': <has the update been downloaded>, 'Installed': <has the update been installed>, 'Mandatory': <is the update mandatory>, 'UserInput': <is user input required>, 'EULAAccepted': <has the EULA been accepted>, 'Severity': <update severity>, 'NeedsReboot': <is the update installed and awaiting reboot>, 'RebootBehavior': <will the update require a reboot>, 'Categories': [ '<category 1>', '<category 2>', ...] } } Summary of Updates: {'Total': <total number of updates returned>, 'Available': <updates that are not downloaded or installed>, 'Downloaded': <updates that are downloaded but not installed>, 'Installed': <updates installed (usually 0 unless installed=True)>, 'Categories': { <category 1>: <total for that category>, <category 2>: <total for category 2>, ... } } Return type dict CLI Examples: # Normal Usage (list all software updates) salt '*' wua.list_updates # List all updates with categories of Critical Updates and Drivers salt '*' wua.list_updates categories=['Critical Updates','Drivers'] # List all Critical Security Updates salt '*' wua.list_updates categories=['Security Updates'] severities=['Critical'] # List all updates with a severity of Critical salt '*' wua.list_updates severities=['Critical'] # A summary of all available updates salt '*' wua.list_updates summary=True # A summary of all Feature Packs and Windows 8.1 Updates salt '*' wua.list_updates categories=['Feature Packs','Windows 8.1'] summary=True salt.modules.win_wua.set_wu_settings(level=None, recommended=None, featured=None, elevated=None, msupdate=None, day=None, time=None) Change Windows Update settings. If no parameters are passed, the current value will be returned. Parameters • level (int) -- .INDENT 2.0 Number from 1 to 4 indicating the update level: 1. Never check for updates 2. Check for updates but let me choose whether to download and install them 3. Download updates but let me choose whether to install them 4. Install updates automatically • recommended (bool) -- Boolean value that indicates whether to include optional or recommended updates when a search for updates and installation of updates is performed. • featured (bool) -- Boolean value that indicates whether to display notifications for featured updates. • elevated (bool) -- Boolean value that indicates whether non-administrators can perform some update-related actions without administrator approval. • msupdate (bool) -- Boolean value that indicates whether to turn on Microsoft Update for other Microsoft products • day (str) -- Days of the week on which Automatic Updates installs or uninstalls updates. Accepted values: - Everyday - Monday - Tuesday - Wednesday - Thursday - Friday - Saturday • time (str) -- Time at which Automatic Updates installs or uninstalls updates. Must be in the ##:## 24hr format, eg. 3:00 PM would be 15:00 Returns Returns a dictionary containing the results. CLI Examples: salt '*' win_wua.set_wu_settings level=4 recommended=True featured=False salt.modules.x509 Manage X509 certificates New in version 2015.8.0. salt.modules.x509.create_certificate(path=None, text=False, ca_server=None, **kwargs) Create an X509 certificate. path: Path to write the certificate to. text: If True, return the PEM text without writing to a file. Default False. kwargs: Any of the properties below can be included as additional keyword arguments. ca_server: Request a remotely signed certificate from ca_server. For this to work, a signing_policy must be specified, and that same policy must be configured on the ca_server. See signing_policy for details. Also the salt master must permit peers to call the sign_remote_certificate function. Example: /etc/salt/master.d/peer.conf peer: .*: - x509.sign_remote_certificate subject properties: Any of the values below can be incldued to set subject properties Any other subject properties supported by OpenSSL should also work. C: 2 letter Country code CN: Certificate common name, typically the FQDN. Email: Email address GN: Given Name L: Locality O: Organization OU: Organization Unit SN: SurName ST: State or Province signing_private_key: A path or string of the private key in PEM format that will be used to sign this certificate. If neither signing_cert, public_key, or csr are included, it will be assumed that this is a self-signed certificate, and the public key matching signing_private_key will be used to create the certificate. signing_cert: A certificate matching the private key that will be used to sign this certificate. This is used to populate the issuer values in the resulting certificate. Do not include this value for self-signed certificates. public_key: The public key to be included in this certificate. This can be sourced from a public key, certificate, csr or private key. If a private key is used, the matching public key from the private key will be generated before any processing is done. This means you can request a certificate from a remote CA using a private key file as your public_key and only the public key will be sent across the network to the CA. If neither public_key or csr are specified, it will be assumed that this is a self-signed certificate, and the public key derived from signing_private_key will be used. Specify either public_key or csr, not both. Because you can input a CSR as a public key or as a CSR, it is important to understand the difference. If you import a CSR as a public key, only the public key will be added to the certificate, subject or extension information in the CSR will be lost. csr: A file or PEM string containing a certificate signing request. This will be used to supply the subject, extensions and public key of a certificate. Any subject or extensions specified explicitly will overwrite any in the CSR. basicConstraints: X509v3 Basic Constraints extension. extensions: The following arguments set X509v3 Extension values. If the value starts with `` critical `` , the extension will be marked as critical Some special extensions are subjectKeyIdentifier and authorityKeyIdentifier. subjectKeyIdentifier can be an explicit value or it can be the special string hash. hash will set the subjectKeyIdentifier equal to the SHA1 hash of the modulus of the public key in this certificate. Note that this is not the exact same hashing method used by OpenSSL when using the hash value. authorityKeyIdentifier Use values acceptable to the openssl CLI tools. This will automatically populate authorityKeyIdentifier with the subjectKeyIdentifier of signing_cert. If this is a self-signed cert these values will be the same. basicConstraints: X509v3 Basic Constraints keyUsage: X509v3 Key Usage extendedKeyUsage: X509v3 Extended Key Usage subjectKeyIdentifier: X509v3 Subject Key Identifier issuerAltName: X509v3 Issuer Alternative Name subjectAltName: X509v3 Subject Alternative Name crlDistributionPoints: X509v3 CRL distribution points issuingDistributionPoint: X509v3 Issuing Distribution Point certificatePolicies: X509v3 Certificate Policies policyConstraints: X509v3 Policy Constraints inhibitAnyPolicy: X509v3 Inhibit Any Policy nameConstraints: X509v3 Name Constraints noCheck: X509v3 OCSP No Check nsComment: Netscape Comment nsCertType: Netscape Certificate Type days_valid: The number of days this certificate should be valid. This sets the notAfter property of the certificate. Defaults to 365. version: The version of the X509 certificate. Defaults to 3. This is automatically converted to the version value, so version=3 sets the certificate version field to 0x2. serial_number: The serial number to assign to this certificate. If omitted a random serial number of size serial_bits is generated. serial_bits: The number of bits to use when randomly generating a serial number. Defaults to 64. algorithm: The hashing algorithm to be used for signing this certificate. Defaults to sha256. copypath: An additional path to copy the resulting certificate to. Can be used to maintain a copy of all certificates issued for revocation purposes. signing_policy: A signing policy that should be used to create this certificate. Signing policies should be defined in the minion configuration, or in a minion pillar. It should be a yaml formatted list of arguments which will override any arguments passed to this function. If the minions key is included in the signing policy, only minions matching that pattern will be permitted to remotely request certificates from that policy. Example: x509_signing_policies: www: - minions: 'www*' - signing_private_key: /etc/pki/ca.key - signing_cert: /etc/pki/ca.crt - C: US - ST: Utah - L: Salt Lake City - basicConstraints: "critical CA:false" - keyUsage: "critical cRLSign, keyCertSign" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - days_valid: 90 - copypath: /etc/pki/issued_certs/ The above signing policy can be invoked with signing_policy=www CLI Example: salt '*' x509.create_certificate path=/etc/pki/myca.crt \ signing_private_key='/etc/pki/myca.key' csr='/etc/pki/myca.csr'} salt.modules.x509.create_crl(path=None, text=False, signing_private_key=None, signing_cert=None, revoked=None, include_expired=False, days_valid=100) Create a CRL Depends • PyOpenSSL Python module path: Path to write the crl to. text: If True, return the PEM text without writing to a file. Default False. signing_private_key: A path or string of the private key in PEM format that will be used to sign this crl. This is required. signing_cert: A certificate matching the private key that will be used to sign this crl. This is required. revoked: A list of dicts containing all the certificates to revoke. Each dict represents one certificate. A dict must contain either the key serial_number with the value of the serial number to revoke, or certificate with either the PEM encoded text of the certificate, or a path ot the certificate to revoke. The dict can optionally contain the revocation_date key. If this key is omitted the revocation date will be set to now. If should be a string in the format "%Y-%m-%d %H:%M:%S". The dict can also optionally contain the not_after key. This is redundant if the certificate key is included. If the Certificate key is not included, this can be used for the logic behind the include_expired parameter. If should be a string in the format "%Y-%m-%d %H:%M:%S". The dict can also optionally contain the reason key. This is the reason code for the revocation. Available choices are unspecified, keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation and certificateHold. include_expired: Include expired certificates in the CRL. Default is False. days_valid: The number of days that the CRL should be valid. This sets the Next Update field in the CRL. CLI Example: salt '*' x509.create_crl path=/etc/pki/mykey.key signing_private_key=/etc/pki/ca.key \ signing_cert=/etc/pki/ca.crt \ revoked="{'compromized-web-key': {'certificate': '/etc/pki/certs/www1.crt', \ 'revocation_date': '2015-03-01 00:00:00'}}" salt.modules.x509.create_csr(path=None, text=False, **kwargs) Create a certificate signing request. path: Path to write the certificate to. text: If True, return the PEM text without writing to a file. Default False. kwargs: The subject, extension and version arguments from x509.create_certificate can be used. CLI Example: salt '*' x509.create_csr path=/etc/pki/myca.csr public_key='/etc/pki/myca.key' CN='My Cert salt.modules.x509.create_private_key(path=None, text=False, bits=2048) Creates a private key in PEM format. path: The path to write the file to, either path or text are required. text: If True, return the PEM text without writing to a file. Default False. bits: Length of the private key in bits. Default 2048 CLI Example: salt '*' x509.create_private_key path=/etc/pki/mykey.key salt.modules.x509.get_pem_entries(glob_path) Returns a dict containing PEM entries in files matching a glob glob_path: A path to certificates to be read and returned. CLI Example: salt '*' x509.read_pem_entries "/etc/pki/*.crt" salt.modules.x509.get_pem_entry(text, pem_type=None) Returns a properly formatted PEM string from the input text fixing any whitespace or line-break issues text: Text containing the X509 PEM entry to be returned or path to a file containing the text. pem_type: If specified, this function will only return a pem of a certain type, for example 'CERTIFICATE' or 'CERTIFICATE REQUEST'. CLI Example: salt '*' x509.get_pem_entry "-----BEGIN CERTIFICATE REQUEST-----MIICyzCC Ar8CAQI...-----END CERTIFICATE REQUEST" salt.modules.x509.get_private_key_size(private_key) Returns the bit length of a private key in PEM format. private_key: A path or PEM encoded string containing a private key. CLI Example: salt '*' x509.get_private_key_size /etc/pki/mycert.key salt.modules.x509.get_public_key(key, asObj=False) Returns a string containing the public key in PEM format. key: A path or PEM encoded string containing a CSR, Certificate or Private Key from which a public key can be retrieved. CLI Example: salt '*' x509.get_public_key /etc/pki/mycert.cer salt.modules.x509.get_signing_policy(signing_policy_name) Returns the details of a names signing policy, including the text of the public key that will be used to sign it. Does not return the private key. CLI Example: salt '*' x509.get_signing_policy www salt.modules.x509.read_certificate(certificate) Returns a dict containing details of a certificate. Input can be a PEM string or file path. certificate: The certificate to be read. Can be a path to a certificate file, or a string containing the PEM formatted text of the certificate. CLI Example: salt '*' x509.read_certificate /etc/pki/mycert.crt salt.modules.x509.read_certificates(glob_path) Returns a dict containing details of a all certificates matching a glob glob_path: A path to certificates to be read and returned. CLI Example: salt '*' x509.read_certificates "/etc/pki/*.crt" salt.modules.x509.read_crl(crl) Returns a dict containing details of a certificate revocation list. Input can be a PEM string or file path. Depends • OpenSSL command line tool csl: A path or PEM encoded string containing the CSL to read. CLI Example: salt '*' x509.read_crl /etc/pki/mycrl.crl salt.modules.x509.read_csr(csr) Returns a dict containing details of a certificate request. Depends • OpenSSL command line tool csr: A path or PEM encoded string containing the CSR to read. CLI Example: salt '*' x509.read_csr /etc/pki/mycert.csr salt.modules.x509.sign_remote_certificate(argdic, **kwargs) Request a certificate to be remotely signed according to a signing policy. argdic: A dict containing all the arguments to be passed into the create_certificate function. This will become kwargs when passed to create_certificate. kwargs: kwargs delivered from publish.publish CLI Example: salt '*' x509.sign_remote_certificate argdic="{'public_key': '/etc/pki/www.key', \ 'signing_policy': 'www'}" __pub_id='www1' salt.modules.x509.verify_crl(crl, cert) Validate a CRL against a certificate. Parses openssl command line output, this is a workaround for M2Crypto's inability to get them from CSR objects. crl: The CRL to verify cert: The certificate to verify the CRL against CLI Example: salt '*' x509.verify_crl crl=/etc/pki/myca.crl cert=/etc/pki/myca.crt salt.modules.x509.verify_private_key(private_key, public_key) Verify that 'private_key' matches 'public_key' private_key: The private key to verify, can be a string or path to a private key in PEM format. public_key: The public key to verify, can be a string or path to a PEM formatted certificate, csr, or another private key. CLI Example: salt '*' x509.verify_private_key private_key=/etc/pki/myca.key public_key=/etc/pki/myca.crt salt.modules.x509.verify_signature(certificate, signing_pub_key=None) Verify that certificate has been signed by signing_pub_key certificate: The certificate to verify. Can be a path or string containing a PEM formatted certificate. signing_pub_key: The public key to verify, can be a string or path to a PEM formatted certificate, csr, or private key. CLI Example: salt '*' x509.verify_private_key private_key=/etc/pki/myca.key public_key=/etc/pki/myca.crt salt.modules.x509.write_pem(text, path, pem_type=None) Writes out a PEM string fixing any formatting or whitespace issues before writing. text: PEM string input to be written out. path: Path of the file to write the pem out to. pem_type: The PEM type to be saved, for example CERTIFICATE or PUBLIC KEY. Adding this will allow the function to take input that may contain multiple pem types. CLI Example: salt '*' x509.write_pem "-----BEGIN CERTIFICATE-----MIIGMzCCBBugA..." path=/etc/pki/mycert.crt salt.modules.xapi This module (mostly) uses the XenAPI to manage Xen virtual machines. Big fat warning: the XenAPI used in this file is the one bundled with Xen Source, NOT XenServer nor Xen Cloud Platform. As a matter of fact it will fail under those platforms. From what I've read, little work is needed to adapt this code to XS/XCP, mostly playing with XenAPI version, but as XCP is not taking precedence on Xen Source on many platforms, please keep compatibility in mind. Useful documentation: . http://downloads.xen.org/Wiki/XenAPI/xenapi-1.0.6.pdf salt.modules.xapi.create(config_) Start a defined domain CLI Example: salt '*' virt.create <path to Xen cfg file> salt.modules.xapi.destroy(vm_) Hard power down the virtual machine, this is equivalent to pulling the power CLI Example: salt '*' virt.destroy <vm name> salt.modules.xapi.freecpu() Return an int representing the number of unallocated cpus on this hypervisor CLI Example: salt '*' virt.freecpu salt.modules.xapi.freemem() Return an int representing the amount of memory that has not been given to virtual machines on this node CLI Example: salt '*' virt.freemem salt.modules.xapi.full_info() Return the node_info, vm_info and freemem CLI Example: salt '*' virt.full_info salt.modules.xapi.get_disks(vm_) Return the disks of a named vm CLI Example: salt '*' virt.get_disks <vm name> salt.modules.xapi.get_macs(vm_) Return a list off MAC addresses from the named vm CLI Example: salt '*' virt.get_macs <vm name> salt.modules.xapi.get_nics(vm_) Return info about the network interfaces of a named vm CLI Example: salt '*' virt.get_nics <vm name> salt.modules.xapi.is_hyper() Returns a bool whether or not this node is a hypervisor of any kind CLI Example: salt '*' virt.is_hyper salt.modules.xapi.list_vms() Return a list of virtual machine names on the minion CLI Example: salt '*' virt.list_vms salt.modules.xapi.migrate(vm_, target, live=1, port=0, node=-1, ssl=None, change_home_server=0) Migrates the virtual machine to another hypervisor CLI Example: salt '*' virt.migrate <vm name> <target hypervisor> [live] [port] [node] [ssl] [change_home_server] Optional values: live Use live migration port Use a specified port node Use specified NUMA node on target ssl use ssl connection for migration change_home_server change home server for managed domains salt.modules.xapi.node_info() Return a dict with information about this node CLI Example: salt '*' virt.node_info salt.modules.xapi.pause(vm_) Pause the named vm CLI Example: salt '*' virt.pause <vm name> salt.modules.xapi.reboot(vm_) Reboot a domain via ACPI request CLI Example: salt '*' virt.reboot <vm name> salt.modules.xapi.reset(vm_) Reset a VM by emulating the reset button on a physical machine CLI Example: salt '*' virt.reset <vm name> salt.modules.xapi.resume(vm_) Resume the named vm CLI Example: salt '*' virt.resume <vm name> salt.modules.xapi.setmem(vm_, memory) Changes the amount of memory allocated to VM. Memory is to be specified in MB CLI Example: salt '*' virt.setmem myvm 768 salt.modules.xapi.setvcpus(vm_, vcpus) Changes the amount of vcpus allocated to VM. vcpus is an int representing the number to be assigned CLI Example: salt '*' virt.setvcpus myvm 2 salt.modules.xapi.shutdown(vm_) Send a soft shutdown signal to the named vm CLI Example: salt '*' virt.shutdown <vm name> salt.modules.xapi.start(config_) Alias for the obscurely named 'create' function CLI Example: salt '*' virt.start <path to Xen cfg file> salt.modules.xapi.vcpu_pin(vm_, vcpu, cpus) Set which CPUs a VCPU can use. CLI Example: salt 'foo' virt.vcpu_pin domU-id 2 1 salt 'foo' virt.vcpu_pin domU-id 2 2-6 salt.modules.xapi.vm_cputime(vm_=None) Return cputime used by the vms on this hyper in a list of dicts: [ 'your-vm': { 'cputime' <int> 'cputime_percent' <int> }, ... ] If you pass a VM name in as an argument then it will return info for just the named VM, otherwise it will return all VMs. CLI Example: salt '*' virt.vm_cputime salt.modules.xapi.vm_diskstats(vm_=None) Return disk usage counters used by the vms on this hyper in a list of dicts: [ 'your-vm': { 'io_read_kbs' : 0, 'io_write_kbs' : 0 }, ... ] If you pass a VM name in as an argument then it will return info for just the named VM, otherwise it will return all VMs. CLI Example: salt '*' virt.vm_diskstats salt.modules.xapi.vm_info(vm_=None) Return detailed information about the vms. If you pass a VM name in as an argument then it will return info for just the named VM, otherwise it will return all VMs. CLI Example: salt '*' virt.vm_info salt.modules.xapi.vm_netstats(vm_=None) Return combined network counters used by the vms on this hyper in a list of dicts: [ 'your-vm': { 'io_read_kbs' : 0, 'io_total_read_kbs' : 0, 'io_total_write_kbs' : 0, 'io_write_kbs' : 0 }, ... ] If you pass a VM name in as an argument then it will return info for just the named VM, otherwise it will return all VMs. CLI Example: salt '*' virt.vm_netstats salt.modules.xapi.vm_state(vm_=None) Return list of all the vms and their state. If you pass a VM name in as an argument then it will return info for just the named VM, otherwise it will return all VMs. CLI Example: salt '*' virt.vm_state <vm name> salt.modules.xfs Module for managing XFS file systems. salt.modules.xfs.defragment(device) Defragment mounted XFS filesystem. In order to mount a filesystem, device should be properly mounted and writable. CLI Example: salt '*' xfs.defragment /dev/sda1 salt.modules.xfs.devices() Get known XFS formatted devices on the system. CLI Example: salt '*' xfs.devices salt.modules.xfs.dump(device, destination, level=0, label=None, noerase=None) Dump filesystem device to the media (file, tape etc). Required parameters: • device: XFS device, content of which to be dumped. • destination: Specifies a dump destination. Valid options are: • label: Label of the dump. Otherwise automatically generated label is used. • level: Specifies a dump level of 0 to 9. • noerase: Pre-erase media. Other options are not used in order to let xfsdump use its default values, as they are most optimal. See the xfsdump(8) manpage for a more complete description of these options. CLI Example: salt '*' xfs.dump /dev/sda1 /detination/on/the/client salt '*' xfs.dump /dev/sda1 /detination/on/the/client label='Company accountancy' salt '*' xfs.dump /dev/sda1 /detination/on/the/client noerase=True salt.modules.xfs.estimate(path) Estimate the space that an XFS filesystem will take. For each directory estimate the space that directory would take if it were copied to an XFS filesystem. Estimation does not cross mount points. CLI Example: salt '*' xfs.estimate /path/to/file salt '*' xfs.estimate /path/to/dir/* salt.modules.xfs.info(device) Get filesystem geometry information. CLI Example: salt '*' xfs.info /dev/sda1 salt.modules.xfs.inventory() Display XFS dump inventory without restoration. CLI Example: salt '*' xfs.inventory salt.modules.xfs.mkfs(device, label=None, ssize=None, noforce=None, bso=None, gmo=None, ino=None, lso=None, rso=None, nmo=None, dso=None) Create a file system on the specified device. By default wipes out with force. General options: • label: Specify volume label. • ssize: Specify the fundamental sector size of the filesystem. • noforce: Do not force create filesystem, if disk is already formatted. Filesystem geometry options: • bso: Block size options. • gmo: Global metadata options. • dso: Data section options. These options specify the location, size, and other parameters of the data section of the filesystem. • ino: Inode options to specify the inode size of the filesystem, and other inode allocation parameters. • lso: Log section options. • nmo: Naming options. • rso: Realtime section options. See the mkfs.xfs(8) manpage for a more complete description of corresponding options description. CLI Example: salt '*' xfs.mkfs /dev/sda1 salt '*' xfs.mkfs /dev/sda1 dso='su=32k,sw=6' noforce=True salt '*' xfs.mkfs /dev/sda1 dso='su=32k,sw=6' lso='logdev=/dev/sda2,size=10000b' salt.modules.xfs.modify(device, label=None, lazy_counting=None, uuid=None) Modify parameters of an XFS filesystem. CLI Example: salt '*' xfs.modify /dev/sda1 label='My backup' lazy_counting=False salt '*' xfs.modify /dev/sda1 uuid=False salt '*' xfs.modify /dev/sda1 uuid=True salt.modules.xfs.prune_dump(sessionid) Prunes the dump session identified by the given session id. CLI Example: salt '*' xfs.prune_dump b74a3586-e52e-4a4a-8775-c3334fa8ea2c salt.modules.xmpp Module for Sending Messages via XMPP (a.k.a. Jabber) New in version 2014.1.0. depends • sleekxmpp>=1.3.1 • pyasn1 • pyasn1-modules • dnspython configuration This module can be used by either passing a jid and password directly to send_message, or by specifying the name of a configuration profile in the minion config, minion pillar, or master config. For example: my-xmpp-login: xmpp.jid: myuser@jabber.example.org/resourcename xmpp.password: verybadpass The resourcename refers to the resource that is using this account. It is user-definable, and optional. The following configurations are both valid: my-xmpp-login: xmpp.jid: myuser@jabber.example.org/salt xmpp.password: verybadpass my-xmpp-login: xmpp.jid: myuser@jabber.example.org xmpp.password: verybadpass class salt.modules.xmpp.SendMsgBot(jid, password, recipient, msg) classmethod create_multi(jid, password, msg, recipients=None, rooms=None, nick='SaltStack Bot') Alternate constructor that accept multiple recipients and rooms start(event) class salt.modules.xmpp.SleekXMPPMUC(name='') filter(record) salt.modules.xmpp.send_msg(recipient, message, jid=None, password=None, profile=None) Send a message to an XMPP recipient. Designed for use in states. CLI Examples: xmpp.send_msg 'admins@xmpp.example.com' 'This is a salt module test' profile='my-xmpp-account' xmpp.send_msg 'admins@xmpp.example.com' 'This is a salt module test' jid='myuser@xmpp.example.com/salt' password='verybadpass' salt.modules.xmpp.send_msg_multi(message, recipients=None, rooms=None, jid=None, password=None, nick='SaltStack Bot', profile=None) Send a message to an XMPP recipient, support send message to multiple recipients or chat room. CLI Examples: xmpp.send_msg recipients=['admins@xmpp.example.com'] rooms=['secret@conference.xmpp.example.com'] 'This is a salt module test' profile='my-xmpp-account' xmpp.send_msg recipients=['admins@xmpp.example.com'] rooms=['secret@conference.xmpp.example.com'] 'This is a salt module test' jid='myuser@xmpp.example.com/salt' password='verybadpass' salt.modules.yumpkg Support for YUM/DNF NOTE: This module makes use of the repoquery utility, from the yum-utils package. This package will be installed as a dependency if salt is installed via EPEL. However, if salt has been installed using pip, or a host is being managed using salt-ssh, then as of version 2014.7.0 yum-utils will be installed automatically to satisfy this dependency. DNF is fully supported as of version 2015.5.10 and 2015.8.4 (partial support for DNF was initially added in 2015.8.0), and DNF is used automatically in place of YUM in Fedora 22 and newer. For these versions, repoquery is available from the dnf-plugins-core package. salt.modules.yumpkg.check_db(*names, **kwargs) New in version 0.17.0. Returns a dict containing the following information for each specified package: 1. A key found, which will be a boolean value denoting if a match was found in the package database. 2. If found is False, then a second key called suggestions will be present, which will contain a list of possible matches. The fromrepo, enablerepo and disablerepo arguments are supported, as used in pkg states, and the disableexcludes option is also supported. However, in Fedora 22 and newer all of these but fromrepo is ignored. New in version 2014.7.0: Support for the disableexcludes option CLI Examples: salt '*' pkg.check_db <package1> <package2> <package3> salt '*' pkg.check_db <package1> <package2> <package3> fromrepo=epel-testing salt '*' pkg.check_db <package1> <package2> <package3> disableexcludes=main salt.modules.yumpkg.clean_metadata(**kwargs) New in version 2014.1.0. Cleans local yum metadata. Functionally identical to refresh_db(). CLI Example: salt '*' pkg.clean_metadata salt.modules.yumpkg.del_repo(repo, basedir=None, **kwargs) Delete a repo from <basedir> (default basedir: all dirs in reposdir yum option). If the .repo file that the repo exists in does not contain any other repo configuration, the file itself will be deleted. CLI Examples: salt '*' pkg.del_repo myrepo salt '*' pkg.del_repo myrepo basedir=/path/to/dir salt '*' pkg.del_repo myrepo basedir=/path/to/dir,/path/to/another/dir salt.modules.yumpkg.diff(*paths) Return a formatted diff between current files and original in a package. NOTE: this function includes all files (configuration and not), but does not work on binary content. Parameters path -- Full path to the installed file Returns Difference string or raises and exception if examined file is binary. CLI example: salt '*' pkg.diff /etc/apache2/httpd.conf /etc/sudoers salt.modules.yumpkg.download(*packages) New in version 2015.5.0. Download packages to the local disk. Requires yumdownloader from yum-utils package. NOTE: yum-utils will already be installed on the minion if the package was installed from the Fedora / EPEL repositories. CLI example: salt '*' pkg.download httpd salt '*' pkg.download httpd postfix salt.modules.yumpkg.expand_repo_def(repokwargs) Take a repository definition and expand it to the full pkg repository dict that can be used for comparison. This is a helper function to make certain repo managers sane for comparison in the pkgrepo states. There is no use to calling this function via the CLI. salt.modules.yumpkg.file_dict(*packages) New in version 2014.1.0. List the files that belong to a package, grouped by package. Not specifying any packages will return a list of every file on the system's rpm database (not generally recommended). CLI Examples: salt '*' pkg.file_list httpd salt '*' pkg.file_list httpd postfix salt '*' pkg.file_list salt.modules.yumpkg.file_list(*packages) New in version 2014.1.0. List the files that belong to a package. Not specifying any packages will return a list of every file on the system's rpm database (not generally recommended). CLI Examples: salt '*' pkg.file_list httpd salt '*' pkg.file_list httpd postfix salt '*' pkg.file_list salt.modules.yumpkg.get_repo(repo, basedir=None, **kwargs) Display a repo from <basedir> (default basedir: all dirs in reposdir yum option). CLI Examples: salt '*' pkg.get_repo myrepo salt '*' pkg.get_repo myrepo basedir=/path/to/dir salt '*' pkg.get_repo myrepo basedir=/path/to/dir,/path/to/another/dir salt.modules.yumpkg.group_diff(name) New in version 2014.1.0. Changed in version Boron,2015.8.4,2015.5.10: Environment groups are now supported. The key names have been renamed, similar to the changes made in pkg.group_info. Lists packages belonging to a certain group, and which are installed CLI Example: salt '*' pkg.group_diff 'Perl Support' salt.modules.yumpkg.group_info(name, expand=False) New in version 2014.1.0. Changed in version Boron,2015.8.4,2015.5.10: The return data has changed. A new key type has been added to distinguish environment groups from package groups. Also, keys for the group name and group ID have been added. The mandatory packages, optional packages, and default packages keys have been renamed to mandatory, optional, and default for accuracy, as environment groups include other groups, and not packages. Finally, this function now properly identifies conditional packages. Lists packages belonging to a certain group CLI Example: salt '*' pkg.group_info 'Perl Support' salt.modules.yumpkg.group_install(name, skip=(), include=(), **kwargs) New in version 2014.1.0. Install the passed package group(s). This is basically a wrapper around pkg.install, which performs package group resolution for the user. This function is currently considered experimental, and should be expected to undergo changes. name Package group to install. To install more than one group, either use a comma-separated list or pass the value as a python list. CLI Examples: salt '*' pkg.group_install 'Group 1' salt '*' pkg.group_install 'Group 1,Group 2' salt '*' pkg.group_install '["Group 1", "Group 2"]' skip Packages that would normally be installed by the package group ("default" packages), which should not be installed. Can be passed either as a comma-separated list or a python list. CLI Examples: salt '*' pkg.group_install 'My Group' skip='foo,bar' salt '*' pkg.group_install 'My Group' skip='["foo", "bar"]' include Packages which are included in a group, which would not normally be installed by a yum groupinstall ("optional" packages). Note that this will not enforce group membership; if you include packages which are not members of the specified groups, they will still be installed. Can be passed either as a comma-separated list or a python list. CLI Examples: salt '*' pkg.group_install 'My Group' include='foo,bar' salt '*' pkg.group_install 'My Group' include='["foo", "bar"]' NOTE: Because this is essentially a wrapper around pkg.install, any argument which can be passed to pkg.install may also be included here, and it will be passed along wholesale. salt.modules.yumpkg.group_list() New in version 2014.1.0. Lists all groups known by yum on this system CLI Example: salt '*' pkg.group_list salt.modules.yumpkg.hold(name=None, pkgs=None, sources=None, **kwargs) New in version 2014.7.0. Version-lock packages NOTE: Requires the appropriate versionlock plugin package to be installed: • On RHEL 5: yum-versionlock • On RHEL 6 & 7: yum-plugin-versionlock • On Fedora: python-dnf-plugins-extras-versionlock name The name of the package to be held. Multiple Package Options: pkgs A list of packages to hold. Must be passed as a python list. The name parameter will be ignored if this option is passed. Returns a dict containing the changes. CLI Example: salt '*' pkg.hold <package name> salt '*' pkg.hold pkgs='["foo", "bar"]' salt.modules.yumpkg.info_installed(*names) New in version 2015.8.1. Return the information of the named package(s), installed on the system. CLI example: salt '*' pkg.info_installed <package1> salt '*' pkg.info_installed <package1> <package2> <package3> ... salt.modules.yumpkg.install(name=None, refresh=False, skip_verify=False, pkgs=None, sources=None, reinstall=False, normalize=True, **kwargs) Install the passed package(s), add refresh=True to clean the yum database before package is installed. name The name of the package to be installed. Note that this parameter is ignored if either "pkgs" or "sources" is passed. Additionally, please note that this option can only be used to install packages from a software repository. To install a package file manually, use the "sources" option. 32-bit packages can be installed on 64-bit systems by appending the architecture designation (.i686, .i586, etc.) to the end of the package name. CLI Example: salt '*' pkg.install <package name> refresh Whether or not to update the yum database before executing. reinstall Specifying reinstall=True will use yum reinstall rather than yum install for requested packages that are already installed. If a version is specified with the requested package, then yum reinstall will only be used if the installed version matches the requested version. Works with sources when the package header of the source can be matched to the name and version of an installed package. New in version 2014.7.0. skip_verify Skip the GPG verification check (e.g., --nogpgcheck) version Install a specific version of the package, e.g. 1.2.3-4.el5. Ignored if "pkgs" or "sources" is passed. Repository Options: fromrepo Specify a package repository (or repositories) from which to install. (e.g., yum --disablerepo='*' --enablerepo='somerepo') enablerepo (ignored if fromrepo is specified) Specify a disabled package repository (or repositories) to enable. (e.g., yum --enablerepo='somerepo') disablerepo (ignored if fromrepo is specified) Specify an enabled package repository (or repositories) to disable. (e.g., yum --disablerepo='somerepo') disableexcludes Disable exclude from main, for a repo or for everything. (e.g., yum --disableexcludes='main') New in version 2014.7.0. Multiple Package Installation Options: pkgs A list of packages to install from a software repository. Must be passed as a python list. A specific version number can be specified by using a single-element dict representing the package and its version. CLI Examples: salt '*' pkg.install pkgs='["foo", "bar"]' salt '*' pkg.install pkgs='["foo", {"bar": "1.2.3-4.el5"}]' sources A list of RPM packages to install. Must be passed as a list of dicts, with the keys being package names, and the values being the source URI or local path to the package. CLI Example: salt '*' pkg.install sources='[{"foo": "salt://foo.rpm"}, {"bar": "salt://bar.rpm"}]' normalize True Normalize the package name by removing the architecture. This is useful for poorly created packages which might include the architecture as an actual part of the name such as kernel modules which match a specific kernel version. salt -G role:nsd pkg.install gpfs.gplbin-2.6.32-279.31.1.el6.x86_64 normalize=False New in version 2014.7.0. Returns a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} salt.modules.yumpkg.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation. If more than one package name is specified, a dict of name/version pairs is returned. If the latest version of a given package is already installed, an empty string will be returned for that package. A specific repo can be requested using the fromrepo keyword argument, and the disableexcludes option is also supported. New in version 2014.7.0: Support for the disableexcludes option CLI Example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package name> fromrepo=epel-testing salt '*' pkg.latest_version <package name> disableexcludes=main salt '*' pkg.latest_version <package1> <package2> <package3> ... salt.modules.yumpkg.list_holds(pattern='\\w+(?:[.-][^-]+)*', full=True) Changed in version Boron,2015.8.4,2015.5.10: Function renamed from pkg.get_locked_pkgs to pkg.list_holds. List information on locked packages NOTE: Requires the appropriate versionlock plugin package to be installed: • On RHEL 5: yum-versionlock • On RHEL 6 & 7: yum-plugin-versionlock • On Fedora: python-dnf-plugins-extras-versionlock pattern \w+(?:[.-][^-]+)* Regular expression used to match the package name full True Show the full hold definition including version and epoch. Set to False to return just the name of the package(s) being held. CLI Example: salt '*' pkg.list_holds salt '*' pkg.list_holds full=False salt.modules.yumpkg.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed in a dict: {'<package_name>': '<version>'} CLI Example: salt '*' pkg.list_pkgs salt.modules.yumpkg.list_repo_pkgs(*args, **kwargs) New in version 2014.1.0. Changed in version 2014.7.0: All available versions of each package are now returned. This required a slight modification to the structure of the return dict. The return data shown below reflects the updated return dict structure. Returns all available packages. Optionally, package names (and name globs) can be passed and the results will be filtered to packages matching those names. This is recommended as it speeds up the function considerably. WARNING: Running this function on RHEL/CentOS 6 and earlier will be more resource-intensive, as the version of yum that ships with older RHEL/CentOS has no yum subcommand for listing packages from a repository. Thus, a yum list installed and yum list available are run, which generates a lot of output, which must then be analyzed to determine which package information to include in the return data. This function can be helpful in discovering the version or repo to specify in a pkg.installed state. The return data is a dictionary of repo names, with each repo containing a dictionary in which the keys are package names, and the values are a list of version numbers. Here is an example of the return data: { 'base': { 'bash': ['4.1.2-15.el6_4'], 'kernel': ['2.6.32-431.el6'] }, 'updates': { 'bash': ['4.1.2-15.el6_5.2', '4.1.2-15.el6_5.1'], 'kernel': ['2.6.32-431.29.2.el6', '2.6.32-431.23.3.el6', '2.6.32-431.20.5.el6', '2.6.32-431.20.3.el6', '2.6.32-431.17.1.el6', '2.6.32-431.11.2.el6', '2.6.32-431.5.1.el6', '2.6.32-431.3.1.el6', '2.6.32-431.1.2.0.1.el6'] } } fromrepo None Only include results from the specified repo(s). Multiple repos can be specified, comma-separated. CLI Example: salt '*' pkg.list_repo_pkgs salt '*' pkg.list_repo_pkgs foo bar baz salt '*' pkg.list_repo_pkgs 'samba4*' fromrepo=base,updates salt.modules.yumpkg.list_repos(basedir=None) Lists all repos in <basedir> (default: all dirs in reposdir yum option). CLI Example: salt '*' pkg.list_repos salt '*' pkg.list_repos basedir=/path/to/dir salt '*' pkg.list_repos basedir=/path/to/dir,/path/to/another/dir salt.modules.yumpkg.list_upgrades(refresh=True, **kwargs) Check whether or not an upgrade is available for all packages The fromrepo, enablerepo, and disablerepo arguments are supported, as used in pkg states, and the disableexcludes option is also supported. However, in Fedora 22 and newer all of these but fromrepo is ignored. New in version 2014.7.0: Support for the disableexcludes option CLI Example: salt '*' pkg.list_upgrades salt.modules.yumpkg.mod_repo(repo, basedir=None, **kwargs) Modify one or more values for a repo. If the repo does not exist, it will be created, so long as the following values are specified: repo name by which the yum refers to the repo name a human-readable name for the repo baseurl the URL for yum to reference mirrorlist the URL for yum to reference Key/Value pairs may also be removed from a repo's configuration by setting a key to a blank value. Bear in mind that a name cannot be deleted, and a baseurl can only be deleted if a mirrorlist is specified (or vice versa). CLI Examples: salt '*' pkg.mod_repo reponame enabled=1 gpgcheck=1 salt '*' pkg.mod_repo reponame basedir=/path/to/dir enabled=1 salt '*' pkg.mod_repo reponame baseurl= mirrorlist=http://host.com/ salt.modules.yumpkg.modified(*packages, **flags) List the modified files that belong to a package. Not specifying any packages will return a list of _all_ modified files on the system's RPM database. New in version 2015.5.0. Filtering by flags (True or False): size Include only files where size changed. mode Include only files which file's mode has been changed. checksum Include only files which MD5 checksum has been changed. device Include only files which major and minor numbers has been changed. symlink Include only files which are symbolic link contents. owner Include only files where owner has been changed. group Include only files where group has been changed. time Include only files where modification time of the file has been changed. capabilities Include only files where capabilities differ or not. Note: supported only on newer RPM versions. CLI Examples: salt '*' pkg.modified salt '*' pkg.modified httpd salt '*' pkg.modified httpd postfix salt '*' pkg.modified httpd owner=True group=False salt.modules.yumpkg.normalize_name(name) Strips the architecture from the specified package name, if necessary. Circumstances where this would be done include: • If the arch is 32 bit and the package name ends in a 32-bit arch. • If the arch matches the OS arch, or is noarch. CLI Example: salt '*' pkg.normalize_name zsh.x86_64 salt.modules.yumpkg.owner(*paths) New in version 2014.7.0. Return the name of the package that owns the file. Multiple file paths can be passed. Like pkg.version <salt.modules.yumpkg.version, if a single path is passed, a string will be returned, and if multiple paths are passed, a dictionary of file/package name pairs will be returned. If the file is not owned by a package, or is not present on the minion, then an empty string will be returned for that path. CLI Examples: salt '*' pkg.owner /usr/bin/apachectl salt '*' pkg.owner /usr/bin/apachectl /etc/httpd/conf/httpd.conf salt.modules.yumpkg.purge(name=None, pkgs=None, **kwargs) Package purges are not supported by yum, this function is identical to pkg.remove. name The name of the package to be purged Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.purge <package name> salt '*' pkg.purge <package1>,<package2>,<package3> salt '*' pkg.purge pkgs='["foo", "bar"]' salt.modules.yumpkg.refresh_db(**kwargs) Check the yum repos for updated packages Returns: • True: Updates are available • False: An error occurred • None: No updates are available repo Refresh just the specified repo disablerepo Do not refresh the specified repo enablerepo Refesh a disabled repo using this option branch Add the specified branch when refreshing disableexcludes Disable the excludes defined in your config files. Takes one of three options: - all - disable all excludes - main - disable excludes defined in [main] in yum.conf - repoid - disable excludes defined for that repo CLI Example: salt '*' pkg.refresh_db salt.modules.yumpkg.remove(name=None, pkgs=None, **kwargs) Remove packages name The name of the package to be removed Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.yumpkg.unhold(name=None, pkgs=None, sources=None, **kwargs) New in version 2014.7.0. Remove version locks NOTE: Requires the appropriate versionlock plugin package to be installed: • On RHEL 5: yum-versionlock • On RHEL 6 & 7: yum-plugin-versionlock • On Fedora: python-dnf-plugins-extras-versionlock name The name of the package to be unheld Multiple Package Options: pkgs A list of packages to unhold. Must be passed as a python list. The name parameter will be ignored if this option is passed. Returns a dict containing the changes. CLI Example: salt '*' pkg.unhold <package name> salt '*' pkg.unhold pkgs='["foo", "bar"]' salt.modules.yumpkg.upgrade(refresh=True, skip_verify=False, **kwargs) Run a full system upgrade, a yum upgrade Changed in version 2014.7.0. Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.upgrade Repository Options: fromrepo Specify a package repository (or repositories) from which to install. (e.g., yum --disablerepo='*' --enablerepo='somerepo') enablerepo (ignored if fromrepo is specified) Specify a disabled package repository (or repositories) to enable. (e.g., yum --enablerepo='somerepo') disablerepo (ignored if fromrepo is specified) Specify an enabled package repository (or repositories) to disable. (e.g., yum --disablerepo='somerepo') disableexcludes Disable exclude from main, for a repo or for everything. (e.g., yum --disableexcludes='main') New in version 2014.7.0. salt.modules.yumpkg.upgrade_available(name) Check whether or not an upgrade is available for a given package CLI Example: salt '*' pkg.upgrade_available <package name> salt.modules.yumpkg.verify(*names, **kwargs) New in version 2014.1.0. Runs an rpm -Va on a system, and returns the results in a dict Files with an attribute of config, doc, ghost, license or readme in the package header can be ignored using the ignore_types keyword argument CLI Example: salt '*' pkg.verify salt '*' pkg.verify httpd salt '*' pkg.verify 'httpd postfix' salt '*' pkg.verify 'httpd postfix' ignore_types=['config','doc'] salt.modules.yumpkg.version(*names, **kwargs) Returns a string representing the package version or an empty string if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.yumpkg.version_cmp(pkg1, pkg2) New in version 2015.5.4. Do a cmp-style comparison on two packages. Return -1 if pkg1 < pkg2, 0 if pkg1 == pkg2, and 1 if pkg1 > pkg2. Return None if there was a problem making the comparison. CLI Example: salt '*' pkg.version_cmp '0.2-001' '0.2.0.1-002' salt.modules.zcbuildout Management of zc.buildout New in version 2014.1.0. This module is inspired by minitage's buildout maker NOTE: The zc.buildout integration is still in beta; the API is subject to change General notes You have those following methods: • upgrade_bootstrap • bootstrap • run_buildout • buildout salt.modules.zcbuildout.bootstrap(*a, **kw) Run the buildout bootstrap dance (python bootstrap.py). directory directory to execute in config alternative buildout configuration file to use runas User used to run buildout as env environment variables to set when running buildout_ver force a specific buildout version (1 | 2) test_release buildout accept test release offline are we executing buildout in offline mode distribute Forcing use of distribute new_st Forcing use of setuptools >= 0.7 python path to a python executable to use in place of default (salt one) onlyif Only execute cmd if statement on the host return 0 unless Do not execute cmd if statement on the host return 0 use_vt Use the new salt VT to stream output [experimental] CLI Example: salt '*' buildout.bootstrap /srv/mybuildout salt.modules.zcbuildout.buildout(*a, **kw) Run buildout in a directory. directory directory to execute in config buildout config to use parts specific buildout parts to run runas user used to run buildout as env environment variables to set when running buildout_ver force a specific buildout version (1 | 2) test_release buildout accept test release new_st Forcing use of setuptools >= 0.7 distribute use distribute over setuptools if possible offline does buildout run offline python python to use debug run buildout with -D debug flag onlyif Only execute cmd if statement on the host return 0 unless Do not execute cmd if statement on the host return 0 newest run buildout in newest mode verbose run buildout in verbose mode (-vvvvv) use_vt Use the new salt VT to stream output [experimental] CLI Example: salt '*' buildout.buildout /srv/mybuildout salt.modules.zcbuildout.run_buildout(*a, **kw) Run a buildout in a directory. directory directory to execute in config alternative buildout configuration file to use offline are we executing buildout in offline mode runas user used to run buildout as env environment variables to set when running onlyif Only execute cmd if statement on the host return 0 unless Do not execute cmd if statement on the host return 0 newest run buildout in newest mode force run buildout unconditionally verbose run buildout in verbose mode (-vvvvv) use_vt Use the new salt VT to stream output [experimental] CLI Example: salt '*' buildout.run_buildout /srv/mybuildout salt.modules.zcbuildout.upgrade_bootstrap(*a, **kw) Upgrade current bootstrap.py with the last released one. Indeed, when we first run a buildout, a common source of problem is to have a locally stale bootstrap, we just try to grab a new copy directory directory to execute in offline are we executing buildout in offline mode buildout_ver forcing to use a specific buildout version (1 | 2) onlyif Only execute cmd if statement on the host return 0 unless Do not execute cmd if statement on the host return 0 CLI Example: salt '*' buildout.upgrade_bootstrap /srv/mybuildout salt.modules.zfs Salt interface to ZFS commands codeauthor Nitin Madhok <nmadhok@clemson.edu> salt.modules.zfs.create(name, **kwargs) New in version 2015.5.0. Create a ZFS File System. CLI Example: salt '*' zfs.create myzpool/mydataset [create_parent=True|False] NOTE: ZFS properties can be specified at the time of creation of the filesystem by passing an additional argument called "properties" and specifying the properties with their respective values in the form of a python dictionary: properties="{'property1': 'value1', 'property2': 'value2'}" Example: salt '*' zfs.create myzpool/mydataset properties="{'mountpoint': '/export/zfs', 'sharenfs': 'on'}" salt.modules.zfs.destroy(name, **kwargs) New in version 2015.5.0. Destroy a ZFS File System. CLI Example: salt '*' zfs.destroy myzpool/mydataset [force=True|False] salt.modules.zfs.exists(name) New in version 2015.5.0. Check if a ZFS filesystem or volume or snapshot exists. CLI Example: salt '*' zfs.exists myzpool/mydataset salt.modules.zfs.list(name='', **kwargs) New in version 2015.5.0. Return a list of all datasets or a specified dataset on the system and the values of their used, available, referenced, and mountpoint properties. NOTE: Information about the dataset and all of it's descendent datasets can be displayed by passing recursive=True on the CLI. CLI Example: salt '*' zfs.list [recursive=True|False] salt '*' zfs.list /myzpool/mydataset [recursive=True|False] NOTE: Dataset property value output can be customized by passing an additional argument called "properties" in the form of a python list: properties="[property1, property2, property3]" Example: salt '*' zfs.list /myzpool/mydataset properties="[name, sharenfs, mountpoint]" salt.modules.zfs.rename(name, new_name) New in version 2015.5.0. Rename or Relocate a ZFS File System. CLI Example: salt '*' zfs.rename myzpool/mydataset myzpool/renameddataset salt.modules.zk_concurrency Concurrency controls in zookeeper This module allows you to acquire and release a slot. This is primarily useful for ensureing that no more than N hosts take a specific action at once. This can also be used to coordinate between masters. salt.modules.zk_concurrency.lock(path, zk_hosts, identifier=None, max_concurrency=1, timeout=None, ephemeral_lease=False, force=False) Get lock (with optional timeout) path The path in zookeeper where the lock is zk_hosts zookeeper connect string identifier Name to identify this minion max_concurrency Maximum number of lock holders timeout timeout to wait for the lock. A None timeout will block forever ephemeral_lease Whether the locks in zookeper should be ephemeral force Forcibly acquire the lock regardless of available slots Example: ... code-block: bash salt minion zk_concurrency.lock /lock/path host1:1234,host2:1234 salt.modules.zk_concurrency.lock_holders(path, zk_hosts, identifier=None, max_concurrency=1, timeout=None, ephemeral_lease=False) Return an un-ordered list of lock holders path The path in zookeeper where the lock is zk_hosts zookeeper connect string identifier Name to identify this minion max_concurrency Maximum number of lock holders timeout timeout to wait for the lock. A None timeout will block forever ephemeral_lease Whether the locks in zookeper should be ephemeral Example: ... code-block: bash salt minion zk_concurrency.lock_holders /lock/path host1:1234,host2:1234 salt.modules.zk_concurrency.party_members(path, zk_hosts) Get the List of identifiers in a particular party path The path in zookeeper where the lock is zk_hosts zookeeper connect string Example: ... code-block: bash salt minion zk_concurrency.party_members /lock/path host1:1234,host2:1234 salt.modules.zk_concurrency.unlock(path, zk_hosts=None, identifier=None, max_concurrency=1, ephemeral_lease=False) Remove lease from semaphore path The path in zookeeper where the lock is zk_hosts zookeeper connect string identifier Name to identify this minion max_concurrency Maximum number of lock holders timeout timeout to wait for the lock. A None timeout will block forever ephemeral_lease Whether the locks in zookeper should be ephemeral Example: ... code-block: bash salt minion zk_concurrency.unlock /lock/path host1:1234,host2:1234 salt.modules.znc znc - An advanced IRC bouncer New in version 2014.7.0. Provides an interface to basic ZNC functionality salt.modules.znc.buildmod(*modules) Build module using znc-buildmod CLI Example: salt '*' znc.buildmod module.cpp [...] salt.modules.znc.dumpconf() Write the active configuration state to config file CLI Example: salt '*' znc.dumpconf salt.modules.znc.rehashconf() Rehash the active configuration state from config file CLI Example: salt '*' znc.rehashconf salt.modules.znc.version() Return server version from znc --version CLI Example: salt '*' znc.version salt.modules.zpool Module for running ZFS zpool command codeauthor Nitin Madhok <nmadhok@clemson.edu> salt.modules.zpool.add(pool_name, *vdevs) Add the specified vdev's to the given pool CLI Example: salt '*' zpool.add myzpool /path/to/vdev1 /path/to/vdev2 [...] salt.modules.zpool.create(pool_name, *vdevs, **kwargs) New in version 2015.5.0. Create a simple zpool, a mirrored zpool, a zpool having nested VDEVs, a hybrid zpool with cache, spare and log drives or a zpool with RAIDZ-1, RAIDZ-2 or RAIDZ-3 CLI Example: salt '*' zpool.create myzpool /path/to/vdev1 [...] [force=True|False] salt '*' zpool.create myzpool mirror /path/to/vdev1 /path/to/vdev2 [...] [force=True|False] salt '*' zpool.create myzpool raidz1 /path/to/vdev1 /path/to/vdev2 raidz2 /path/to/vdev3 /path/to/vdev4 /path/to/vdev5 [...] [force=True|False] salt '*' zpool.create myzpool mirror /path/to/vdev1 [...] mirror /path/to/vdev2 /path/to/vdev3 [...] [force=True|False] salt '*' zpool.create myhybridzpool mirror /tmp/file1 [...] log mirror /path/to/vdev1 [...] cache /path/to/vdev2 [...] spare /path/to/vdev3 [...] [force=True|False] NOTE: Zpool properties can be specified at the time of creation of the pool by passing an additional argument called "properties" and specifying the properties with their respective values in the form of a python dictionary: properties="{'property1': 'value1', 'property2': 'value2'}" Example: salt '*' zpool.create myzpool /path/to/vdev1 [...] properties="{'property1': 'value1', 'property2': 'value2'}" salt.modules.zpool.create_file_vdev(size, *vdevs) Creates file based virtual devices for a zpool *vdevs is a list of full paths for mkfile to create CLI Example: salt '*' zpool.create_file_vdev 7g /path/to/vdev1 [/path/to/vdev2] [...] NOTE: Depending on file size, the above command may take a while to return. salt.modules.zpool.destroy(pool_name) Destroys a storage pool CLI Example: salt '*' zpool.destroy myzpool salt.modules.zpool.exists(pool_name) Check if a ZFS storage pool is active CLI Example: salt '*' zpool.exists myzpool salt.modules.zpool.export(*pools, **kwargs) New in version 2015.5.0. Export storage pools CLI Example: salt '*' zpool.export myzpool ... [force=True|False] salt '*' zpool.export myzpool2 myzpool2 ... [force=True|False] salt.modules.zpool.import(pool_name='', new_name='', **kwargs) New in version 2015.5.0. Import storage pools or list pools available for import CLI Example: salt '*' zpool.import [all=True|False] salt '*' zpool.import myzpool [mynewzpool] [force=True|False] salt.modules.zpool.iostat(name='') Display I/O statistics for the given pools CLI Example: salt '*' zpool.iostat myzpool salt.modules.zpool.list() New in version 2015.5.0. Return a list of all pools in the system with health status and space usage CLI Example: salt '*' zpool.list salt.modules.zpool.offline(pool_name, *vdevs, **kwargs) New in version 2015.5.0. Ensure that the specified devices are offline WARNING: By default, the OFFLINE state is persistent. The device remains offline when the system is rebooted. To temporarily take a device offline, use temporary=True. CLI Example: salt '*' zpool.offline myzpool /path/to/vdev1 [...] [temporary=True|False] salt.modules.zpool.online(pool_name, *vdevs, **kwargs) New in version 2015.5.0. Ensure that the specified devices are online CLI Example: salt '*' zpool.online myzpool /path/to/vdev1 [...] salt.modules.zpool.replace(pool_name, old, new) Replaces old device with new device. CLI Example: salt '*' zpool.replace myzpool /path/to/vdev1 /path/to/vdev2 salt.modules.zpool.scrub(pool_name=None) Begin a scrub CLI Example: salt '*' zpool.scrub myzpool salt.modules.zpool.status(name='') Return the status of the named zpool CLI Example: salt '*' zpool.status myzpool salt.modules.zpool.zpool_list() Deprecated since version 2014.7.0: Use list_() instead. Return a list of all pools in the system with health status and space usage CLI Example: salt '*' zpool.zpool_list salt.modules.zypper Package support for openSUSE via the zypper package manager depends • rpm Python module. Install with zypper install rpm-python salt.modules.zypper.add_lock(packages, **kwargs) Add a package lock. Specify packages to lock by exact name. CLI Example: salt '*' pkg.add_lock <package name> salt '*' pkg.add_lock <package1>,<package2>,<package3> salt '*' pkg.add_lock pkgs='["foo", "bar"]' salt.modules.zypper.clean_locks() Remove unused locks that do not currently (with regard to repositories used) lock any package. CLI Example: salt '*' pkg.clean_locks salt.modules.zypper.del_repo(repo) Delete a repo. CLI Examples: salt '*' pkg.del_repo alias salt.modules.zypper.diff(*paths) Return a formatted diff between current files and original in a package. NOTE: this function includes all files (configuration and not), but does not work on binary content. Parameters path -- Full path to the installed file Returns Difference string or raises and exception if examined file is binary. CLI example: salt '*' pkg.diff /etc/apache2/httpd.conf /etc/sudoers salt.modules.zypper.download(*packages, **kwargs) Download packages to the local disk. refresh force a refresh if set to True. If set to False (default) it depends on zypper if a refresh is executed. CLI example: salt '*' pkg.download httpd salt '*' pkg.download httpd postfix salt.modules.zypper.file_dict(*packages) List the files that belong to a package, grouped by package. Not specifying any packages will return a list of every file on the system's rpm database (not generally recommended). CLI Examples: salt '*' pkg.file_list httpd salt '*' pkg.file_list httpd postfix salt '*' pkg.file_list salt.modules.zypper.file_list(*packages) List the files that belong to a package. Not specifying any packages will return a list of every file on the system's rpm database (not generally recommended). CLI Examples: salt '*' pkg.file_list httpd salt '*' pkg.file_list httpd postfix salt '*' pkg.file_list salt.modules.zypper.get_repo(repo, **kwargs) Display a repo. CLI Example: salt '*' pkg.get_repo alias salt.modules.zypper.info(*names, **kwargs) Deprecated since version Nitrogen: Use info_available() instead. Return the information of the named package available for the system. CLI example: salt '*' pkg.info <package1> salt '*' pkg.info <package1> <package2> <package3> ... salt.modules.zypper.info_available(*names, **kwargs) Return the information of the named package available for the system. refresh force a refresh if set to True (default). If set to False it depends on zypper if a refresh is executed or not. CLI example: salt '*' pkg.info_available <package1> salt '*' pkg.info_available <package1> <package2> <package3> ... salt.modules.zypper.info_installed(*names, **kwargs) Return the information of the named package(s), installed on the system. Parameters • names -- Names of the packages to get information about. • attr -- Comma-separated package attributes. If no 'attr' is specified, all available attributes returned. Valid attributes are: version, vendor, release, build_date, build_date_time_t, install_date, install_date_time_t, build_host, group, source_rpm, arch, epoch, size, license, signature, packager, url, summary, description. • errors -- Handle RPM field errors (true|false). By default, various mistakes in the textual fields are simply ignored and omitted from the data. Otherwise a field with a mistake is not returned, instead a 'N/A (bad UTF-8)' (not available, broken) text is returned. Valid attributes are: ignore, report CLI example: salt '*' pkg.info_installed <package1> salt '*' pkg.info_installed <package1> <package2> <package3> ... salt '*' pkg.info_installed <package1> attr=version,vendor salt '*' pkg.info_installed <package1> <package2> <package3> ... attr=version,vendor salt '*' pkg.info_installed <package1> <package2> <package3> ... attr=version,vendor errors=true salt.modules.zypper.install(name=None, refresh=False, fromrepo=None, pkgs=None, sources=None, downloadonly=None, version=None, **kwargs) Install the passed package(s), add refresh=True to force a 'zypper refresh' before package is installed. name The name of the package to be installed. Note that this parameter is ignored if either "pkgs" or "sources" is passed. Additionally, please note that this option can only be used to install packages from a software repository. To install a package file manually, use the "sources" option. CLI Example: salt '*' pkg.install <package name> refresh force a refresh if set to True. If set to False (default) it depends on zypper if a refresh is executed. fromrepo Specify a package repository to install from. downloadonly Only download the packages, do not install. version Can be either a version number, or the combination of a comparison operator (<, >, <=, >=, =) and a version number (ex. '>1.2.3-4'). This parameter is ignored if "pkgs" or "sources" is passed. Multiple Package Installation Options: pkgs A list of packages to install from a software repository. Must be passed as a python list. A specific version number can be specified by using a single-element dict representing the package and its version. As with the version parameter above, comparison operators can be used to target a specific version of a package. CLI Examples: salt '*' pkg.install pkgs='["foo", "bar"]' salt '*' pkg.install pkgs='["foo", {"bar": "1.2.3-4"}]' salt '*' pkg.install pkgs='["foo", {"bar": "<1.2.3-4"}]' sources A list of RPM packages to install. Must be passed as a list of dicts, with the keys being package names, and the values being the source URI or local path to the package. CLI Example: salt '*' pkg.install sources='[{"foo": "salt://foo.rpm"},{"bar": "salt://bar.rpm"}]' Returns a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} salt.modules.zypper.latest_version(*names, **kwargs) Return the latest version of the named package available for upgrade or installation. If more than one package name is specified, a dict of name/version pairs is returned. If the latest version of a given package is already installed, an empty dict will be returned for that package. CLI example: salt '*' pkg.latest_version <package name> salt '*' pkg.latest_version <package1> <package2> <package3> ... salt.modules.zypper.list_installed_patterns() List installed patterns on the system. CLI Examples: salt '*' pkg.list_installed_patterns salt.modules.zypper.list_locks() List current package locks. Return a dict containing the locked package with attributes: {'<package>': {'case_sensitive': '<case_sensitive>', 'match_type': '<match_type>' 'type': '<type>'}} CLI Example: salt '*' pkg.list_locks salt.modules.zypper.list_patterns(refresh=False) List all known patterns from available repos. refresh force a refresh if set to True. If set to False (default) it depends on zypper if a refresh is executed. CLI Examples: salt '*' pkg.list_patterns salt.modules.zypper.list_pkgs(versions_as_list=False, **kwargs) List the packages currently installed as a dict with versions as a comma separated string: {'<package_name>': '<version>[,<version>...]'} versions_as_list: If set to true, the versions are provided as a list {'<package_name>': ['<version>', '<version>']} removed: not supported purge_desired: not supported CLI Example: salt '*' pkg.list_pkgs salt.modules.zypper.list_products(all=False, refresh=False) List all available or installed SUSE products. all List all products available or only installed. Default is False. refresh force a refresh if set to True. If set to False (default) it depends on zypper if a refresh is executed. Includes handling for OEM products, which read the OEM productline file and overwrite the release value. CLI Examples: salt '*' pkg.list_products salt '*' pkg.list_products all=True salt.modules.zypper.list_repos() Lists all repos. CLI Example: salt '*' pkg.list_repos salt.modules.zypper.list_upgrades(refresh=True) List all available package upgrades on this system refresh force a refresh if set to True (default). If set to False it depends on zypper if a refresh is executed. CLI Example: salt '*' pkg.list_upgrades salt.modules.zypper.mod_repo(repo, **kwargs) Modify one or more values for a repo. If the repo does not exist, it will be created, so long as the following values are specified: repo or alias alias by which the zypper refers to the repo url, mirrorlist or baseurl the URL for zypper to reference enabled enable or disable (True or False) repository, but do not remove if disabled. refresh enable or disable (True or False) auto-refresh of the repository. cache Enable or disable (True or False) RPM files caching. gpgcheck Enable or disable (True or False) GOG check for this repository. gpgautoimport Automatically trust and import new repository. Key/Value pairs may also be removed from a repo's configuration by setting a key to a blank value. Bear in mind that a name cannot be deleted, and a url can only be deleted if a mirrorlist is specified (or vice versa). CLI Examples: salt '*' pkg.mod_repo alias alias=new_alias salt '*' pkg.mod_repo alias url= mirrorlist=http://host.com/ salt.modules.zypper.modified(*packages, **flags) List the modified files that belong to a package. Not specifying any packages will return a list of _all_ modified files on the system's RPM database. New in version 2015.5.0. Filtering by flags (True or False): size Include only files where size changed. mode Include only files which file's mode has been changed. checksum Include only files which MD5 checksum has been changed. device Include only files which major and minor numbers has been changed. symlink Include only files which are symbolic link contents. owner Include only files where owner has been changed. group Include only files where group has been changed. time Include only files where modification time of the file has been changed. capabilities Include only files where capabilities differ or not. Note: supported only on newer RPM versions. CLI Examples: salt '*' pkg.modified salt '*' pkg.modified httpd salt '*' pkg.modified httpd postfix salt '*' pkg.modified httpd owner=True group=False salt.modules.zypper.owner(*paths) Return the name of the package that owns the file. Multiple file paths can be passed. If a single path is passed, a string will be returned, and if multiple paths are passed, a dictionary of file/package name pairs will be returned. If the file is not owned by a package, or is not present on the minion, then an empty string will be returned for that path. CLI Examples: salt '*' pkg.owner /usr/bin/apachectl salt '*' pkg.owner /usr/bin/apachectl /etc/httpd/conf/httpd.conf salt.modules.zypper.purge(name=None, pkgs=None, **kwargs) Recursively remove a package and all dependencies which were installed with it, this will call a zypper -n remove -u name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.purge <package name> salt '*' pkg.purge <package1>,<package2>,<package3> salt '*' pkg.purge pkgs='["foo", "bar"]' salt.modules.zypper.refresh_db() Force a repository refresh by calling zypper refresh --force, return a dict: {'<database name>': Bool} CLI Example: salt '*' pkg.refresh_db salt.modules.zypper.remove(name=None, pkgs=None, **kwargs) Remove packages with zypper -n remove name The name of the package to be deleted. Multiple Package Options: pkgs A list of packages to delete. Must be passed as a python list. The name parameter will be ignored if this option is passed. New in version 0.16.0. Returns a dict containing the changes. CLI Example: salt '*' pkg.remove <package name> salt '*' pkg.remove <package1>,<package2>,<package3> salt '*' pkg.remove pkgs='["foo", "bar"]' salt.modules.zypper.remove_lock(packages, **kwargs) Remove specified package lock. CLI Example: salt '*' pkg.remove_lock <package name> salt '*' pkg.remove_lock <package1>,<package2>,<package3> salt '*' pkg.remove_lock pkgs='["foo", "bar"]' salt.modules.zypper.search(criteria, refresh=False) List known packags, available to the system. refresh force a refresh if set to True. If set to False (default) it depends on zypper if a refresh is executed. CLI Examples: salt '*' pkg.search <criteria> salt.modules.zypper.upgrade(refresh=True) Run a full system upgrade, a zypper upgrade refresh force a refresh if set to True (default). If set to False it depends on zypper if a refresh is executed. Return a dict containing the new package names and versions: {'<package>': {'old': '<old-version>', 'new': '<new-version>'}} CLI Example: salt '*' pkg.upgrade salt.modules.zypper.upgrade_available(name) Check whether or not an upgrade is available for a given package CLI Example: salt '*' pkg.upgrade_available <package name> salt.modules.zypper.verify(*names, **kwargs) Runs an rpm -Va on a system, and returns the results in a dict Files with an attribute of config, doc, ghost, license or readme in the package header can be ignored using the ignore_types keyword argument CLI Example: salt '*' pkg.verify salt '*' pkg.verify httpd salt '*' pkg.verify 'httpd postfix' salt '*' pkg.verify 'httpd postfix' ignore_types=['config','doc'] salt.modules.zypper.version(*names, **kwargs) Returns a string representing the package version or an empty dict if not installed. If more than one package name is specified, a dict of name/version pairs is returned. CLI Example: salt '*' pkg.version <package name> salt '*' pkg.version <package1> <package2> <package3> ... salt.modules.zypper.version_cmp(ver1, ver2) New in version 2015.5.4. Do a cmp-style comparison on two packages. Return -1 if ver1 < ver2, 0 if ver1 == ver2, and 1 if ver1 > ver2. Return None if there was a problem making the comparison. CLI Example: salt '*' pkg.version_cmp '0.2-001' '0.2.0.1-002' Full list of netapi modules rest_cherrypy A REST API for Salt New in version 2014.7.0. depends • CherryPy Python module. Version 3.2.3 is currently recommended when SSL is enabled, since this version worked the best with SSL in internal testing. Versions 3.2.3 - 4.x can be used if SSL is not enabled. Be aware that there is a known SSL error introduced in version 3.2.5. The issue was reportedly resolved with CherryPy milestone 3.3, but the patch was committed for version 3.6.1. optdepends • ws4py Python module for websockets support. client_libraries • Java: https://github.com/SUSE/saltstack-netapi-client-java • Python: https://github.com/saltstack/pepper configuration All authentication is done through Salt's external auth system which requires additional configuration not described here. Example production-ready configuration; add to the Salt master config file and restart the salt-master and salt-api daemons: rest_cherrypy: port: 8000 ssl_crt: /etc/pki/tls/certs/localhost.crt ssl_key: /etc/pki/tls/certs/localhost.key Using only a secure HTTPS connection is strongly recommended since Salt authentication credentials will be sent over the wire. A self-signed certificate can be generated using the create_self_signed_cert() execution function. Running this function requires pyOpenSSL and the salt-call script is available in the salt-minion package. salt-call --local tls.create_self_signed_cert All available configuration options are detailed below. These settings configure the CherryPy HTTP server and do not apply when using an external server such as Apache or Nginx. port Required The port for the webserver to listen on. host 0.0.0.0 The socket interface for the HTTP server to listen on. debug False Starts the web server in development mode. It will reload itself when the underlying code is changed and will output more debugging info. ssl_crt The path to a SSL certificate. (See below) ssl_key The path to the private key for your SSL certificate. (See below) disable_ssl A flag to disable SSL. Warning: your Salt authentication credentials will be sent in the clear! webhook_disable_auth False The Webhook URL requires authentication by default but external services cannot always be configured to send authentication. See the Webhook documentation for suggestions on securing this interface. webhook_url /hook Configure the URL endpoint for the Webhook entry point. thread_pool 100 The number of worker threads to start up in the pool. socket_queue_size 30 Specify the maximum number of HTTP connections to queue. expire_responses True Whether to check for and kill HTTP responses that have exceeded the default timeout. max_request_body_size 1048576 Maximum size for the HTTP request body. collect_stats False Collect and report statistics about the CherryPy server Reports are available via the Stats URL. static A filesystem path to static HTML/JavaScript/CSS/image assets. static_path /static The URL prefix to use when serving static assets out of the directory specified in the static setting. app A filesystem path to an HTML file that will be served as a static file. This is useful for bootstrapping a single-page JavaScript app. app_path /app The URL prefix to use for serving the HTML file specified in the app setting. This should be a simple name containing no slashes. Any path information after the specified path is ignored; this is useful for apps that utilize the HTML5 history API. root_prefix / A URL path to the main entry point for the application. This is useful for serving multiple applications from the same URL. Authentication Authentication is performed by passing a session token with each request. Tokens are generated via the Login URL. The token may be sent in one of two ways: • Include a custom header named X-Auth-Token. For example, using curl: curl -sSk https://localhost:8000/login \ -H 'Accept: application/x-yaml' \ -d username=saltdev \ -d password=saltdev \ -d eauth=auto Copy the token value from the output and include it in subsequent requests: curl -sSk https://localhost:8000 \ -H 'Accept: application/x-yaml' \ -H 'X-Auth-Token: 697adbdc8fe971d09ae4c2a3add7248859c87079'\ -d client=local \ -d tgt='*' \ -d fun=test.ping • Sent via a cookie. This option is a convenience for HTTP clients that automatically handle cookie support (such as browsers). For example, using curl: # Write the cookie file: curl -sSk https://localhost:8000/login \ -c ~/cookies.txt \ -H 'Accept: application/x-yaml' \ -d username=saltdev \ -d password=saltdev \ -d eauth=auto # Read the cookie file: curl -sSk https://localhost:8000 \ -b ~/cookies.txt \ -H 'Accept: application/x-yaml' \ -d client=local \ -d tgt='*' \ -d fun=test.ping SEE ALSO: You can bypass the session handling via the Run URL. Usage Commands are sent to a running Salt master via this module by sending HTTP requests to the URLs detailed below. Content negotiation This REST interface is flexible in what data formats it will accept as well as what formats it will return (e.g., JSON, YAML, x-www-form-urlencoded). • Specify the format of data in the request body by including the Content-Type header. • Specify the desired data format for the response body with the Accept header. Data sent in POST and PUT requests must be in the format of a list of lowstate dictionaries. This allows multiple commands to be executed in a single HTTP request. The order of commands in the request corresponds to the return for each command in the response. Lowstate, broadly, is a dictionary of values that are mapped to a function call. This pattern is used pervasively throughout Salt. The functions called from netapi modules are described in Client Interfaces. The following example (in JSON format) causes Salt to execute two commands, a command sent to minions as well as a runner function on the master: [{ "client": "local", "tgt": "*", "fun": "test.fib", "arg": ["10"] }, { "client": "runner", "fun": "jobs.lookup_jid", "jid": "20130603122505459265" }] x-www-form-urlencoded Sending JSON or YAML in the request body is simple and most flexible, however sending data in urlencoded format is also supported with the caveats below. It is the default format for HTML forms, many JavaScript libraries, and the curl command. For example, the equivalent to running salt '*' test.ping is sending fun=test.ping&arg&client=local&tgt=* in the HTTP request body. Caveats: • Only a single command may be sent per HTTP request. • Repeating the arg parameter multiple times will cause those parameters to be combined into a single list. Note, some popular frameworks and languages (notably jQuery, PHP, and Ruby on Rails) will automatically append empty brackets onto repeated parameters. E.g., arg=one, arg=two will be sent as arg[]=one, arg[]=two. This is not supported; send JSON or YAML instead. Deployment The rest_cherrypy netapi module is a standard Python WSGI app. It can be deployed one of two ways. salt-api using the CherryPy server The default configuration is to run this module using salt-api to start the Python-based CherryPy server. This server is lightweight, multi-threaded, encrypted with SSL, and should be considered production-ready. Using a WSGI-compliant web server This module may be deployed on any WSGI-compliant server such as Apache with mod_wsgi or Nginx with FastCGI, to name just two (there are many). Note, external WSGI servers handle URLs, paths, and SSL certs directly. The rest_cherrypy configuration options are ignored and the salt-api daemon does not need to be running at all. Remember Salt authentication credentials are sent in the clear unless SSL is being enforced! An example Apache virtual host configuration: <VirtualHost *:80> ServerName example.com ServerAlias *.example.com ServerAdmin webmaster@example.com LogLevel warn ErrorLog /var/www/example.com/logs/error.log CustomLog /var/www/example.com/logs/access.log combined DocumentRoot /var/www/example.com/htdocs WSGIScriptAlias / /path/to/salt/netapi/rest_cherrypy/wsgi.py </VirtualHost> REST URI Reference • / • /login • /logout • /minions • /jobs • /run • /events • /hook • /keys • /ws • /stats / class salt.netapi.rest_cherrypy.app.LowDataAdapter The primary entry point to Salt's REST API GET() An explanation of the API with links of where to go next GET / Request Headers • Accept -- the desired response format. Status Codes • 200 -- success • 401 -- authentication required • 406 -- requested Content-Type not available Example request: curl -i localhost:8000 GET / HTTP/1.1 Host: localhost:8000 Accept: application/json Example response: HTTP/1.1 200 OK Content-Type: application/json POST Mock out specified imports This allows autodoc to do its thing without having oodles of req'd installed libs. This doesn't work with import * imports. http://read-the-docs.readthedocs.org/en/latest/faq.html#i-get-import-errors-on-libraries-that-depend-on-c-modules /login class salt.netapi.rest_cherrypy.app.Login(*args, **kwargs) Log in to receive a session token Authentication information. GET() Present the login interface GET /login An explanation of how to log in. Status Codes • 200 -- success • 401 -- authentication required • 406 -- requested Content-Type not available Example request: curl -i localhost:8000/login GET /login HTTP/1.1 Host: localhost:8000 Accept: text/html Example response: HTTP/1.1 200 OK Content-Type: text/html POST(**kwargs) Authenticate against Salt's eauth system POST /login Request Headers • X-Auth-Token -- a session token from Login. • Accept -- the desired response format. • Content-Type -- the format of the request body. Form Parameters • eauth -- the eauth backend configured for the user • username -- username • password -- password Status Codes • 200 -- success • 401 -- authentication required • 406 -- requested Content-Type not available Example request: curl -si localhost:8000/login \ -H "Accept: application/json" \ -d username='saltuser' \ -d password='saltpass' \ -d eauth='pam' POST / HTTP/1.1 Host: localhost:8000 Content-Length: 42 Content-Type: application/x-www-form-urlencoded Accept: application/json username=saltuser&password=saltpass&eauth=pam Example response: HTTP/1.1 200 OK Content-Type: application/json Content-Length: 206 X-Auth-Token: 6d1b722e Set-Cookie: session_id=6d1b722e; expires=Sat, 17 Nov 2012 03:23:52 GMT; Path=/ {"return": { "token": "6d1b722e", "start": 1363805943.776223, "expire": 1363849143.776224, "user": "saltuser", "eauth": "pam", "perms": [ "grains.*", "status.*", "sys.*", "test.*" ] }} /logout class salt.netapi.rest_cherrypy.app.Logout Class to remove or invalidate sessions POST() Destroy the currently active session and expire the session cookie /minions class salt.netapi.rest_cherrypy.app.Minions Convenience URLs for working with minions GET(mid=None) A convenience URL for getting lists of minions or getting minion details GET /minions/(mid) Request Headers • X-Auth-Token -- a session token from Login. • Accept -- the desired response format. Status Codes • 200 -- success • 401 -- authentication required • 406 -- requested Content-Type not available Example request: curl -i localhost:8000/minions/ms-3 GET /minions/ms-3 HTTP/1.1 Host: localhost:8000 Accept: application/x-yaml Example response: HTTP/1.1 200 OK Content-Length: 129005 Content-Type: application/x-yaml return: - ms-3: grains.items: ... POST(**kwargs) Start an execution command and immediately return the job id POST /minions Request Headers • X-Auth-Token -- a session token from Login. • Accept -- the desired response format. • Content-Type -- the format of the request body. Response Headers • Content-Type -- the format of the response body; depends on the Accept request header. Status Codes • 200 -- success • 401 -- authentication required • 406 -- requested Content-Type not available lowstate data describing Salt commands must be sent in the request body. The client option will be set to local_async(). Example request: curl -sSi localhost:8000/minions \ -H "Accept: application/x-yaml" \ -d tgt='*' \ -d fun='status.diskusage' POST /minions HTTP/1.1 Host: localhost:8000 Accept: application/x-yaml Content-Length: 26 Content-Type: application/x-www-form-urlencoded tgt=*&fun=status.diskusage Example response: HTTP/1.1 202 Accepted Content-Length: 86 Content-Type: application/x-yaml return: - jid: '20130603122505459265' minions: [ms-4, ms-3, ms-2, ms-1, ms-0] _links: jobs: - href: /jobs/20130603122505459265 /jobs class salt.netapi.rest_cherrypy.app.Jobs GET(jid=None, timeout='') A convenience URL for getting lists of previously run jobs or getting the return from a single job GET /jobs/(jid) List jobs or show a single job from the job cache. Request Headers • X-Auth-Token -- a session token from Login. • Accept -- the desired response format. Status Codes • 200 -- success • 401 -- authentication required • 406 -- requested Content-Type not available Example request: curl -i localhost:8000/jobs GET /jobs HTTP/1.1 Host: localhost:8000 Accept: application/x-yaml Example response: HTTP/1.1 200 OK Content-Length: 165 Content-Type: application/x-yaml return: - '20121130104633606931': Arguments: - '3' Function: test.fib Start Time: 2012, Nov 30 10:46:33.606931 Target: jerry Target-type: glob Example request: curl -i localhost:8000/jobs/20121130104633606931 GET /jobs/20121130104633606931 HTTP/1.1 Host: localhost:8000 Accept: application/x-yaml Example response: HTTP/1.1 200 OK Content-Length: 73 Content-Type: application/x-yaml info: - Arguments: - '3' Function: test.fib Minions: - jerry Start Time: 2012, Nov 30 10:46:33.606931 Target: '*' Target-type: glob User: saltdev jid: '20121130104633606931' return: - jerry: - - 0 - 1 - 1 - 2 - 6.9141387939453125e-06 /run class salt.netapi.rest_cherrypy.app.Run Class to run commands without normal session handling POST(**kwargs) Run commands bypassing the normal session handling POST /run This entry point is primarily for "one-off" commands. Each request must pass full Salt authentication credentials. Otherwise this URL is identical to the root URL (/). lowstate data describing Salt commands must be sent in the request body. Status Codes • 200 -- success • 401 -- authentication required • 406 -- requested Content-Type not available Example request: curl -sS localhost:8000/run \ -H 'Accept: application/x-yaml' \ -d client='local' \ -d tgt='*' \ -d fun='test.ping' \ -d username='saltdev' \ -d password='saltdev' \ -d eauth='pam' POST /run HTTP/1.1 Host: localhost:8000 Accept: application/x-yaml Content-Length: 75 Content-Type: application/x-www-form-urlencoded client=local&tgt=*&fun=test.ping&username=saltdev&password=saltdev&eauth=pam Example response: HTTP/1.1 200 OK Content-Length: 73 Content-Type: application/x-yaml return: - ms-0: true ms-1: true ms-2: true ms-3: true ms-4: true The /run enpoint can also be used to issue commands using the salt-ssh subsystem. When using salt-ssh, eauth credentials should not be supplied. Instad, authentication should be handled by the SSH layer itself. The use of the salt-ssh client does not require a salt master to be running. Instead, only a roster file must be present in the salt configuration directory. All SSH client requests are synchronous. Example SSH client request: curl -sS localhost:8000/run \ -H 'Accept: application/x-yaml' \ -d client='ssh' \ -d tgt='*' \ -d fun='test.ping' POST /run HTTP/1.1 Host: localhost:8000 Accept: application/x-yaml Content-Length: 75 Content-Type: application/x-www-form-urlencoded client=ssh&tgt=*&fun=test.ping Example SSH response: return: - silver: fun: test.ping fun_args: [] id: silver jid: '20141203103525666185' retcode: 0 return: true success: true /events class salt.netapi.rest_cherrypy.app.Events Expose the Salt event bus The event bus on the Salt master exposes a large variety of things, notably when executions are started on the master and also when minions ultimately return their results. This URL provides a real-time window into a running Salt infrastructure. SEE ALSO: events GET(token=None, salt_token=None) An HTTP stream of the Salt master event bus This stream is formatted per the Server Sent Events (SSE) spec. Each event is formatted as JSON. GET /events Status Codes • 200 -- success • 401 -- authentication required • 406 -- requested Content-Type not available Query Parameters • token -- optional parameter containing the token ordinarily supplied via the X-Auth-Token header in order to allow cross-domain requests in browsers that do not include CORS support in the EventSource API. E.g., curl -NsS localhost:8000/events?token=308650d • salt_token -- optional parameter containing a raw Salt eauth token (not to be confused with the token returned from the /login URL). E.g., curl -NsS localhost:8000/events?salt_token=30742765 Example request: curl -NsS localhost:8000/events GET /events HTTP/1.1 Host: localhost:8000 Example response: Note, the tag field is not part of the spec. SSE compliant clients should ignore unknown fields. This addition allows non-compliant clients to only watch for certain tags without having to deserialze the JSON object each time. HTTP/1.1 200 OK Connection: keep-alive Cache-Control: no-cache Content-Type: text/event-stream;charset=utf-8 retry: 400 tag: salt/job/20130802115730568475/new data: {'tag': 'salt/job/20130802115730568475/new', 'data': {'minions': ['ms-4', 'ms-3', 'ms-2', 'ms-1', 'ms-0']}} tag: salt/job/20130802115730568475/ret/jerry data: {'tag': 'salt/job/20130802115730568475/ret/jerry', 'data': {'jid': '20130802115730568475', 'return': True, 'retcode': 0, 'success': True, 'cmd': '_return', 'fun': 'test.ping', 'id': 'ms-1'}} The event stream can be easily consumed via JavaScript: var source = new EventSource('/events'); source.onopen = function() { console.debug('opening') }; source.onerror = function(e) { console.debug('error!', e) }; source.onmessage = function(e) { console.debug('Tag: ', e.data.tag) console.debug('Data: ', e.data.data) }; Or using CORS: var source = new EventSource('/events?token=ecd589e4e01912cf3c4035afad73426dbb8dba75', {withCredentials: true}); It is also possible to consume the stream via the shell. Records are separated by blank lines; the data: and tag: prefixes will need to be removed manually before attempting to unserialize the JSON. curl's -N flag turns off input buffering which is required to process the stream incrementally. Here is a basic example of printing each event as it comes in: curl -NsS localhost:8000/events |\ while IFS= read -r line ; do echo $line done Here is an example of using awk to filter events based on tag: curl -NsS localhost:8000/events |\ awk ' BEGIN { RS=""; FS="\\n" } $1 ~ /^tag: salt\/job\/[0-9]+\/new$/ { print $0 } ' tag: salt/job/20140112010149808995/new data: {"tag": "salt/job/20140112010149808995/new", "data": {"tgt_type": "glob", "jid": "20140112010149808995", "tgt": "jerry", "_stamp": "2014-01-12_01:01:49.809617", "user": "shouse", "arg": [], "fun": "test.ping", "minions": ["jerry"]}} tag: 20140112010149808995 data: {"tag": "20140112010149808995", "data": {"fun_args": [], "jid": "20140112010149808995", "return": true, "retcode": 0, "success": true, "cmd": "_return", "_stamp": "2014-01-12_01:01:49.819316", "fun": "test.ping", "id": "jerry"}} /hook class salt.netapi.rest_cherrypy.app.Webhook A generic web hook entry point that fires an event on Salt's event bus External services can POST data to this URL to trigger an event in Salt. For example, Amazon SNS, Jenkins-CI or Travis-CI, or GitHub web hooks. NOTE: Be mindful of security Salt's Reactor can run any code. A Reactor SLS that responds to a hook event is responsible for validating that the event came from a trusted source and contains valid data. This is a generic interface and securing it is up to you! This URL requires authentication however not all external services can be configured to authenticate. For this reason authentication can be selectively disabled for this URL. Follow best practices -- always use SSL, pass a secret key, configure the firewall to only allow traffic from a known source, etc. The event data is taken from the request body. The Content-Type header is respected for the payload. The event tag is prefixed with salt/netapi/hook and the URL path is appended to the end. For example, a POST request sent to /hook/mycompany/myapp/mydata will produce a Salt event with the tag salt/netapi/hook/mycompany/myapp/mydata. The following is an example .travis.yml file to send notifications to Salt of successful test runs: language: python script: python -m unittest tests after_success: - | curl -sSk https://saltapi-url.example.com:8000/hook/travis/build/success -d branch="${TRAVIS_BRANCH}" -d commit="${TRAVIS_COMMIT}" SEE ALSO: events, reactor POST(*args, **kwargs) Fire an event in Salt with a custom event tag and data POST /hook Status Codes • 200 -- success • 401 -- authentication required • 406 -- requested Content-Type not available • 413 -- request body is too large Example request: curl -sS localhost:8000/hook -d foo='Foo!' -d bar='Bar!' POST /hook HTTP/1.1 Host: localhost:8000 Content-Length: 16 Content-Type: application/x-www-form-urlencoded foo=Foo&bar=Bar! Example response: HTTP/1.1 200 OK Content-Length: 14 Content-Type: application/json {"success": true} As a practical example, an internal continuous-integration build server could send an HTTP POST request to the URL https://localhost:8000/hook/mycompany/build/success which contains the result of a build and the SHA of the version that was built as JSON. That would then produce the following event in Salt that could be used to kick off a deployment via Salt's Reactor: Event fired at Fri Feb 14 17:40:11 2014 ************************* Tag: salt/netapi/hook/mycompany/build/success Data: {'_stamp': '2014-02-14_17:40:11.440996', 'headers': { 'X-My-Secret-Key': 'F0fAgoQjIT@W', 'Content-Length': '37', 'Content-Type': 'application/json', 'Host': 'localhost:8000', 'Remote-Addr': '127.0.0.1'}, 'post': {'revision': 'aa22a3c4b2e7', 'result': True}} Salt's Reactor could listen for the event: reactor: - 'salt/netapi/hook/mycompany/build/*': - /srv/reactor/react_ci_builds.sls And finally deploy the new build: {% set secret_key = data.get('headers', {}).get('X-My-Secret-Key') %} {% set build = data.get('post', {}) %} {% if secret_key == 'F0fAgoQjIT@W' and build.result == True %} deploy_my_app: cmd.state.sls: - tgt: 'application*' - arg: - myapp.deploy - kwarg: pillar: revision: {{ revision }} {% endif %} /keys class salt.netapi.rest_cherrypy.app.Keys Convenience URLs for working with minion keys New in version 2014.7.0. These URLs wrap the functionality provided by the key wheel module functions. GET Mock out specified imports This allows autodoc to do its thing without having oodles of req'd installed libs. This doesn't work with import * imports. http://read-the-docs.readthedocs.org/en/latest/faq.html#i-get-import-errors-on-libraries-that-depend-on-c-modules POST Mock out specified imports This allows autodoc to do its thing without having oodles of req'd installed libs. This doesn't work with import * imports. http://read-the-docs.readthedocs.org/en/latest/faq.html#i-get-import-errors-on-libraries-that-depend-on-c-modules /ws class salt.netapi.rest_cherrypy.app.WebsocketEndpoint Open a WebSocket connection to Salt's event bus The event bus on the Salt master exposes a large variety of things, notably when executions are started on the master and also when minions ultimately return their results. This URL provides a real-time window into a running Salt infrastructure. Uses websocket as the transport mechanism. SEE ALSO: events GET(token=None, **kwargs) Return a websocket connection of Salt's event stream GET /ws/(token) Query format_events The event stream will undergo server-side formatting if the format_events URL parameter is included in the request. This can be useful to avoid formatting on the client-side: curl -NsS <...snip...> localhost:8000/ws?format_events Reqheader X-Auth-Token an authentication token from Login. Status 101 switching to the websockets protocol Status 401 authentication required Status 406 requested Content-Type not available Example request: curl -NsSk \ -H 'X-Auth-Token: ffedf49d' \ -H 'Host: localhost:8000' \ -H 'Connection: Upgrade' \ -H 'Upgrade: websocket' \ -H 'Origin: https://localhost:8000' \ -H 'Sec-WebSocket-Version: 13' \ -H 'Sec-WebSocket-Key: '"$(echo -n $RANDOM | base64)" \ localhost:8000/ws GET /ws HTTP/1.1 Connection: Upgrade Upgrade: websocket Host: localhost:8000 Origin: https://localhost:8000 Sec-WebSocket-Version: 13 Sec-WebSocket-Key: s65VsgHigh7v/Jcf4nXHnA== X-Auth-Token: ffedf49d Example response: HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: mWZjBV9FCglzn1rIKJAxrTFlnJE= Sec-WebSocket-Version: 13 An authentication token may optionally be passed as part of the URL for browsers that cannot be configured to send the authentication header or cookie: curl -NsS <...snip...> localhost:8000/ws/ffedf49d The event stream can be easily consumed via JavaScript: // Note, you must be authenticated! var source = new Websocket('ws://localhost:8000/ws/d0ce6c1a'); source.onerror = function(e) { console.debug('error!', e); }; source.onmessage = function(e) { console.debug(e.data); }; source.send('websocket client ready') source.close(); Or via Python, using the Python module websocket-client for example. # Note, you must be authenticated! from websocket import create_connection ws = create_connection('ws://localhost:8000/ws/d0ce6c1a') ws.send('websocket client ready') # Look at https://pypi.python.org/pypi/websocket-client/ for more # examples. while listening_to_events: print ws.recv() ws.close() Above examples show how to establish a websocket connection to Salt and activating real time updates from Salt's event stream by signaling websocket client ready. /stats class salt.netapi.rest_cherrypy.app.Stats Expose statistics on the running CherryPy server GET() Return a dump of statistics collected from the CherryPy server GET /stats Request Headers • X-Auth-Token -- a session token from Login. • Accept -- the desired response format. Response Headers • Content-Type -- the format of the response body; depends on the Accept request header. Status Codes • 200 -- success • 401 -- authentication required • 406 -- requested Content-Type not available rest_tornado A non-blocking REST API for Salt depends • tornado Python module configuration All authentication is done through Salt's external auth system which requires additional configuration not described here. In order to run rest_tornado with the salt-master add the following to the Salt master config file. rest_tornado: # can be any port port: 8000 # address to bind to (defaults to 0.0.0.0) address: 0.0.0.0 # socket backlog backlog: 128 ssl_crt: /etc/pki/api/certs/server.crt # no need to specify ssl_key if cert and key # are in one single file ssl_key: /etc/pki/api/certs/server.key debug: False disable_ssl: False webhook_disable_auth: False Authentication Authentication is performed by passing a session token with each request. Tokens are generated via the SaltAuthHandler URL. The token may be sent in one of two ways: • Include a custom header named X-Auth-Token. • Sent via a cookie. This option is a convenience for HTTP clients that automatically handle cookie support (such as browsers). SEE ALSO: You can bypass the session handling via the RunSaltAPIHandler URL. Usage Commands are sent to a running Salt master via this module by sending HTTP requests to the URLs detailed below. Content negotiation This REST interface is flexible in what data formats it will accept as well as what formats it will return (e.g., JSON, YAML, x-www-form-urlencoded). • Specify the format of data in the request body by including the Content-Type header. • Specify the desired data format for the response body with the Accept header. Data sent in POST and PUT requests must be in the format of a list of lowstate dictionaries. This allows multiple commands to be executed in a single HTTP request. lowstate A dictionary containing various keys that instruct Salt which command to run, where that command lives, any parameters for that command, any authentication credentials, what returner to use, etc. Salt uses the lowstate data format internally in many places to pass command data between functions. Salt also uses lowstate for the LocalClient() Python API interface. The following example (in JSON format) causes Salt to execute two commands: [{ "client": "local", "tgt": "*", "fun": "test.fib", "arg": ["10"] }, { "client": "runner", "fun": "jobs.lookup_jid", "jid": "20130603122505459265" }] Multiple commands in a Salt API request will be executed in serial and makes no gaurantees that all commands will run. Meaning that if test.fib (from the example above) had an exception, the API would still execute "jobs.lookup_jid". Responses to these lowstates are an in-order list of dicts containing the return data, a yaml response could look like: - ms-1: true ms-2: true - ms-1: foo ms-2: bar In the event of an exception while executing a command the return for that lowstate will be a string, for example if no minions matched the first lowstate we would get a return like: - No minions matched the target. No command was sent, no jid was assigned. - ms-1: true ms-2: true x-www-form-urlencoded Sending JSON or YAML in the request body is simple and most flexible, however sending data in urlencoded format is also supported with the caveats below. It is the default format for HTML forms, many JavaScript libraries, and the curl command. For example, the equivalent to running salt '*' test.ping is sending fun=test.ping&arg&client=local&tgt=* in the HTTP request body. Caveats: • Only a single command may be sent per HTTP request. • Repeating the arg parameter multiple times will cause those parameters to be combined into a single list. Note, some popular frameworks and languages (notably jQuery, PHP, and Ruby on Rails) will automatically append empty brackets onto repeated parameters. E.g., arg=one, arg=two will be sent as arg[]=one, arg[]=two. This is not supported; send JSON or YAML instead. A Websockets add-on to saltnado depends • tornado Python module In order to enable saltnado_websockets you must add websockets: True to your saltnado config block. rest_tornado: # can be any port port: 8000 ssl_crt: /etc/pki/api/certs/server.crt # no need to specify ssl_key if cert and key # are in one single file ssl_key: /etc/pki/api/certs/server.key debug: False disable_ssl: False websockets: True All Events Exposes all "real-time" events from Salt's event bus on a websocket connection. It should be noted that "Real-time" here means these events are made available to the server as soon as any salt related action (changes to minions, new jobs etc) happens. Clients are however assumed to be able to tolerate any network transport related latencies. Functionality provided by this endpoint is similar to the /events end point. The event bus on the Salt master exposes a large variety of things, notably when executions are started on the master and also when minions ultimately return their results. This URL provides a real-time window into a running Salt infrastructure. Uses websocket as the transport mechanism. Exposes GET method to return websocket connections. All requests should include an auth token. A way to obtain obtain authentication tokens is shown below. % curl -si localhost:8000/login \ -H "Accept: application/json" \ -d username='salt' \ -d password='salt' \ -d eauth='pam' Which results in the response { "return": [{ "perms": [".*", "@runner", "@wheel"], "start": 1400556492.277421, "token": "d0ce6c1a37e99dcc0374392f272fe19c0090cca7", "expire": 1400599692.277422, "user": "salt", "eauth": "pam" }] } In this example the token returned is d0ce6c1a37e99dcc0374392f272fe19c0090cca7 and can be included in subsequent websocket requests (as part of the URL). The event stream can be easily consumed via JavaScript: // Note, you must be authenticated! // Get the Websocket connection to Salt var source = new Websocket('wss://localhost:8000/all_events/d0ce6c1a37e99dcc0374392f272fe19c0090cca7'); // Get Salt's "real time" event stream. source.onopen = function() { source.send('websocket client ready'); }; // Other handlers source.onerror = function(e) { console.debug('error!', e); }; // e.data represents Salt's "real time" event data as serialized JSON. source.onmessage = function(e) { console.debug(e.data); }; // Terminates websocket connection and Salt's "real time" event stream on the server. source.close(); Or via Python, using the Python module websocket-client for example. Or the tornado client. # Note, you must be authenticated! from websocket import create_connection # Get the Websocket connection to Salt ws = create_connection('wss://localhost:8000/all_events/d0ce6c1a37e99dcc0374392f272fe19c0090cca7') # Get Salt's "real time" event stream. ws.send('websocket client ready') # Simple listener to print results of Salt's "real time" event stream. # Look at https://pypi.python.org/pypi/websocket-client/ for more examples. while listening_to_events: print ws.recv() # Salt's "real time" event data as serialized JSON. # Terminates websocket connection and Salt's "real time" event stream on the server. ws.close() # Please refer to https://github.com/liris/websocket-client/issues/81 when using a self signed cert Above examples show how to establish a websocket connection to Salt and activating real time updates from Salt's event stream by signaling websocket client ready. Formatted Events Exposes formatted "real-time" events from Salt's event bus on a websocket connection. It should be noted that "Real-time" here means these events are made available to the server as soon as any salt related action (changes to minions, new jobs etc) happens. Clients are however assumed to be able to tolerate any network transport related latencies. Functionality provided by this endpoint is similar to the /events end point. The event bus on the Salt master exposes a large variety of things, notably when executions are started on the master and also when minions ultimately return their results. This URL provides a real-time window into a running Salt infrastructure. Uses websocket as the transport mechanism. Formatted events parses the raw "real time" event stream and maintains a current view of the following: • minions • jobs A change to the minions (such as addition, removal of keys or connection drops) or jobs is processed and clients are updated. Since we use salt's presence events to track minions, please enable presence_events and set a small value for the loop_interval in the salt master config file. Exposes GET method to return websocket connections. All requests should include an auth token. A way to obtain obtain authentication tokens is shown below. % curl -si localhost:8000/login \ -H "Accept: application/json" \ -d username='salt' \ -d password='salt' \ -d eauth='pam' Which results in the response { "return": [{ "perms": [".*", "@runner", "@wheel"], "start": 1400556492.277421, "token": "d0ce6c1a37e99dcc0374392f272fe19c0090cca7", "expire": 1400599692.277422, "user": "salt", "eauth": "pam" }] } In this example the token returned is d0ce6c1a37e99dcc0374392f272fe19c0090cca7 and can be included in subsequent websocket requests (as part of the URL). The event stream can be easily consumed via JavaScript: // Note, you must be authenticated! // Get the Websocket connection to Salt var source = new Websocket('wss://localhost:8000/formatted_events/d0ce6c1a37e99dcc0374392f272fe19c0090cca7'); // Get Salt's "real time" event stream. source.onopen = function() { source.send('websocket client ready'); }; // Other handlers source.onerror = function(e) { console.debug('error!', e); }; // e.data represents Salt's "real time" event data as serialized JSON. source.onmessage = function(e) { console.debug(e.data); }; // Terminates websocket connection and Salt's "real time" event stream on the server. source.close(); Or via Python, using the Python module websocket-client for example. Or the tornado client. # Note, you must be authenticated! from websocket import create_connection # Get the Websocket connection to Salt ws = create_connection('wss://localhost:8000/formatted_events/d0ce6c1a37e99dcc0374392f272fe19c0090cca7') # Get Salt's "real time" event stream. ws.send('websocket client ready') # Simple listener to print results of Salt's "real time" event stream. # Look at https://pypi.python.org/pypi/websocket-client/ for more examples. while listening_to_events: print ws.recv() # Salt's "real time" event data as serialized JSON. # Terminates websocket connection and Salt's "real time" event stream on the server. ws.close() # Please refer to https://github.com/liris/websocket-client/issues/81 when using a self signed cert Above examples show how to establish a websocket connection to Salt and activating real time updates from Salt's event stream by signaling websocket client ready. Example responses Minion information is a dictionary keyed by each connected minion's id (mid), grains information for each minion is also included. Minion information is sent in response to the following minion events: • connection drops • requires running manage.present periodically every loop_interval seconds • minion addition • minon removal # Not all grains are shown data: { "minions": { "minion1": { "id": "minion1", "grains": { "kernel": "Darwin", "domain": "local", "zmqversion": "4.0.3", "kernelrelease": "13.2.0" } } } } Job information is also tracked and delivered. Job information is also a dictionary in which each job's information is keyed by salt's jid. data: { "jobs": { "20140609153646699137": { "tgt_type": "glob", "jid": "20140609153646699137", "tgt": "*", "start_time": "2014-06-09T15:36:46.700315", "state": "complete", "fun": "test.ping", "minions": { "minion1": { "return": true, "retcode": 0, "success": true } } } } } Setup REST URI Reference • / • /login • /minions • /jobs • /run • /events • /hook / salt.netapi.rest_tornado.saltnado.SaltAPIHandler alias of <Mock object at 0x7f22b6f7b510> /login salt.netapi.rest_tornado.saltnado.SaltAuthHandler alias of <Mock object at 0x7f22b07a5cd0> /minions salt.netapi.rest_tornado.saltnado.MinionSaltAPIHandler alias of <Mock object at 0x7f22b07a5310> /jobs salt.netapi.rest_tornado.saltnado.JobsSaltAPIHandler alias of <Mock object at 0x7f22b07a5950> /run salt.netapi.rest_tornado.saltnado.RunSaltAPIHandler alias of <Mock object at 0x7f22b07a58d0> /events salt.netapi.rest_tornado.saltnado.EventsSaltAPIHandler alias of <Mock object at 0x7f22c13dcc50> /hook salt.netapi.rest_tornado.saltnado.WebhookSaltAPIHandler alias of <Mock object at 0x7f22b07a5350> rest_wsgi A minimalist REST API for Salt This rest_wsgi module provides a no-frills REST interface for sending commands to the Salt master. There are no dependencies. Extra care must be taken when deploying this module into production. Please read this documentation in entirety. All authentication is done through Salt's external auth system. Usage • All requests must be sent to the root URL (/). • All requests must be sent as a POST request with JSON content in the request body. • All responses are in JSON. SEE ALSO: rest_cherrypy The rest_cherrypy module is more full-featured, production-ready, and has builtin security features. Deployment The rest_wsgi netapi module is a standard Python WSGI app. It can be deployed one of two ways. Using a WSGI-compliant web server This module may be run via any WSGI-compliant production server such as Apache with mod_wsgi or Nginx with FastCGI. It is strongly recommended that this app be used with a server that supports HTTPS encryption since raw Salt authentication credentials must be sent with every request. Any apps that access Salt through this interface will need to manually manage authentication credentials (either username and password or a Salt token). Tread carefully. salt-api using a development-only server If run directly via the salt-api daemon it uses the wsgiref.simple_server() that ships in the Python standard library. This is a single-threaded server that is intended for testing and development. This server does not use encryption; please note that raw Salt authentication credentials must be sent with every HTTP request. Running this module via salt-api is not recommended! In order to start this module via the salt-api daemon the following must be put into the Salt master config: rest_wsgi: port: 8001 Usage examples POST / Example request for a basic test.ping: % curl -sS -i \ -H 'Content-Type: application/json' \ -d '[{"eauth":"pam","username":"saltdev","password":"saltdev","client":"local","tgt":"*","fun":"test.ping"}]' localhost:8001 Example response: HTTP/1.0 200 OK Content-Length: 89 Content-Type: application/json {"return": [{"ms--4": true, "ms--3": true, "ms--2": true, "ms--1": true, "ms--0": true}]} Example request for an asynchronous test.ping: % curl -sS -i \ -H 'Content-Type: application/json' \ -d '[{"eauth":"pam","username":"saltdev","password":"saltdev","client":"local_async","tgt":"*","fun":"test.ping"}]' localhost:8001 Example response: HTTP/1.0 200 OK Content-Length: 103 Content-Type: application/json {"return": [{"jid": "20130412192112593739", "minions": ["ms--4", "ms--3", "ms--2", "ms--1", "ms--0"]}]} Example request for looking up a job ID: % curl -sS -i \ -H 'Content-Type: application/json' \ -d '[{"eauth":"pam","username":"saltdev","password":"saltdev","client":"runner","fun":"jobs.lookup_jid","jid":"20130412192112593739"}]' localhost:8001 Example response: HTTP/1.0 200 OK Content-Length: 89 Content-Type: application/json {"return": [{"ms--4": true, "ms--3": true, "ms--2": true, "ms--1": true, "ms--0": true}]} form lowstate A list of lowstate data appropriate for the client interface you are calling. status 200 success status 401 authentication required Full list of builtin output modules Follow one of the below links for further information and examples ┌────────────────────┬──────────────────────────────────┐ │compact │ Display compact output data │ │ │ structure │ ├────────────────────┼──────────────────────────────────┤ │highstate │ Outputter for displaying results │ │ │ of state runs │ ├────────────────────┼──────────────────────────────────┤ │json_out │ Display return data in JSON │ │ │ format │ ├────────────────────┼──────────────────────────────────┤ │key │ Display salt-key output │ ├────────────────────┼──────────────────────────────────┤ │nested │ Recursively display nested data │ ├────────────────────┼──────────────────────────────────┤ │newline_values_only │ Display values only, separated │ │ │ by newlines │ ├────────────────────┼──────────────────────────────────┤ │no_out │ Display no output │ ├────────────────────┼──────────────────────────────────┤ │no_return │ Display output for minions that │ │ │ did not return │ ├────────────────────┼──────────────────────────────────┤ │overstatestage │ Display clean output of an │ │ │ overstate stage │ ├────────────────────┼──────────────────────────────────┤ │pprint_out │ Python pretty-print (pprint) │ ├────────────────────┼──────────────────────────────────┤ │progress │ Display return data as a │ │ │ progress bar │ ├────────────────────┼──────────────────────────────────┤ │raw │ Display raw output data │ │ │ structure │ ├────────────────────┼──────────────────────────────────┤ │txt │ Simple text outputter │ ├────────────────────┼──────────────────────────────────┤ │virt_query │ virt.query outputter │ ├────────────────────┼──────────────────────────────────┤ │yaml_out │ Display return data in YAML │ │ │ format │ └────────────────────┴──────────────────────────────────┘ salt.output.compact Display compact output data structure Example output:: 'saltdev': {'test_|-always-passes_|-foo_|-succeed_without_changes': {'comment': 'Success!', 'name': 'foo', 'start_time': '05:16:26.111814', 'result': True, 'duration': 1, '__run_num__': 0, 'changes': {}}, 'test_|-my-custom-combo_|-foo_|-configurable_test_state': {'comment': 'bar.baz', 'name': 'foo', 'start_time': '05:16:26.117177', 'result': False, 'duration': 1, '__run_num__': 4, 'changes': {'testing': {'new': 'Something pretended to change', 'old': 'Unchanged'}}}, 'test_|-always-fails_|-foo_|-fail_without_changes': {'comment': 'Failure!', 'name': 'foo', 'start_time': '05:16:26.113124', 'result': False, 'duration': 1, '__run_num__': 1, 'changes': {}}, 'test_|-always-changes-and-succeeds_|-foo_|-succeed_with_changes': {'comment': 'Success!', 'name': 'foo', 'start_time': '05:16:26.114570', 'result': True, 'duration': 0, '__run_num__': 2, 'changes': {'testing': {'new': 'Something pretended to change', 'old': 'Unchanged'}}}, 'test_|-always-changes-and-fails_|-foo_|-fail_with_changes': {'comment': 'Failure!', 'name': 'foo', 'start_time': '05:16:26.115561', 'result': False, 'duration': 1, '__run_num__': 3, 'changes': {'testing': {'new': 'Something pretended to change', 'old': 'Unchanged'}}}}}{'myminion': {'foo': {'list': ['Hello', 'World'], 'bar': 'baz', 'dictionary': {'abc': 123, 'def': 456}}}} salt.output.compact.output(data) Rather basic.... salt.output.highstate Outputter for displaying results of state runs The return data from the Highstate command is a standard data structure which is parsed by the highstate outputter to deliver a clean and readable set of information about the HighState run on minions. Two configurations can be set to modify the highstate outputter. These values can be set in the master config to change the output of the salt command or set in the minion config to change the output of the salt-call command. state_verbose: By default state_verbose is set to True, setting this to False will instruct the highstate outputter to omit displaying anything in green, this means that nothing with a result of True and no changes will not be printed state_output: The highstate outputter has five output modes, full, terse, mixed, changes and filter. • The default is set to full, which will display many lines of detailed information for each executed chunk. • If terse is used, then the output is greatly simplified and shown in only one line. • If mixed is used, then terse output will be used unless a state failed, in which case full output will be used. • If changes is used, then terse output will be used if there was no error and no changes, otherwise full output will be used. • If filter is used, then either or both of two different filters can be used: exclude or terse. These can be set as such from the command line, or in the Salt config as state_output_exclude or state_output_terse, respectively. The values to exclude must be a comma-separated list of True, False and/or None. Because of parsing nuances, if only one of these is used, it must still contain a comma. For instance: exclude=True,. state_tabular: If state_output uses the terse output, set this to True for an aligned output format. If you wish to use a custom format, this can be set to a string. Example output: myminion: ---------- ID: test.ping Function: module.run Result: True Comment: Module function test.ping executed Changes: ---------- ret: True Summary for myminion ------------ Succeeded: 1 Failed: 0 ------------ Total: 0 salt.output.highstate.output(data) The HighState Outputter is only meant to be used with the state.highstate function, or a function that returns highstate return data. salt.output.json_out Display return data in JSON format configuration The output format can be configured in two ways: Using the --out-indent CLI flag and specifying a positive integer or a negative integer to group JSON from each minion to a single line. Or setting the output_indent setting in the Master or Minion configuration file with one of the following values: • Null: put each minion return on a single line. • pretty: use four-space indents and sort the keys. • An integer: specify the indentation level. Salt's outputters operate on a per-minion basis. Each minion return will be output as a single JSON object once it comes in to the master. Some JSON parsers can guess when an object ends and a new one begins but many can not. A good way to differentiate between each minion return is to use the single-line output format and to parse each line individually. Example output (truncated): {"dave": {"en0": {"hwaddr": "02:b0:26:32:4c:69", ...}}} {"jerry": {"en0": {"hwaddr": "02:26:ab:0d:b9:0d", ...}}} {"kevin": {"en0": {"hwaddr": "02:6d:7f:ce:9f:ee", ...}}} {"mike": {"en0": {"hwaddr": "02:48:a2:4b:70:a0", ...}}} {"phill": {"en0": {"hwaddr": "02:1d:cc:a2:33:55", ...}}} {"stuart": {"en0": {"hwaddr": "02:9a:e0:ea:9e:3c", ...}}} salt.output.json_out.output(data) Print the output data in JSON salt.output.key Display salt-key output The salt-key command makes use of this outputter to format its output. salt.output.key.output(data) Read in the dict structure generated by the salt key API methods and print the structure. salt.output.nested Recursively display nested data This is the default outputter for most execution functions. Example output: myminion: ---------- foo: ---------- bar: baz dictionary: ---------- abc: 123 def: 456 list: - Hello - World class salt.output.nested.NestDisplay Manage the nested display contents display(ret, indent, prefix, out) Recursively iterate down through data structures to determine output ustring(indent, color, msg, prefix='', suffix='', endc=None) salt.output.nested.output(ret) Display ret data salt.output.newline_values_only Display values only, separated by newlines New in version 2015.5.0. This outputter is designed for Salt CLI return data. It will do the following to the return dict: 1. Get just the values (ignoring the minion IDs). 2. Each value, if it is iterable, is split a separate line. 3. Each minion's values are separated by newlines. This results in a single string of return data containing all the values from the various minions. WARNING: As noted above, this outputter will discard the minion ID. If the minion ID is important, then an outputter that returns the full return dictionary in a parsable format (such as json, pprint,, or yaml) may be more suitable. Example 1 Input { 'myminion': ['127.0.0.1', '10.0.0.1'], 'second-minion': ['127.0.0.1', '10.0.0.2'] } Output 127.0.0.1 10.0.0.1 127.0.0.1 10.0.0.2 Example 2 Input { 'myminion': 8, 'second-minion': 10 } Output 8 10 salt.output.newline_values_only.output(data) Display modified ret data salt.output.no_out Display no output No output is produced when this outputter is selected salt.output.no_out.output(ret) Don't display data. Used when you only are interested in the return. salt.output.no_return Display output for minions that did not return This outputter is used to display notices about which minions failed to return when a salt function is run with -v or --verbose. It should not be called directly from the CLI. Example output: virtucentos: Minion did not return class salt.output.no_return.NestDisplay Create generator for nested output display(ret, indent, prefix, out) Recursively iterate down through data structures to determine output salt.output.no_return.output(ret) Display ret data salt.output.overstatestage Display clean output of an overstate stage This outputter is used to display OverState stages, and should not be called directly. salt.output.overstatestage.output(data) Format the data for printing stage information from the overstate system salt.output.pprint_out Python pretty-print (pprint) The python pretty-print system was once the default outputter. It simply passes the return data through to pprint.pformat and prints the results. Example output: {'saltmine': {'foo': {'bar': 'baz', 'dictionary': {'abc': 123, 'def': 456}, 'list': ['Hello', 'World']}}} salt.output.pprint_out.output(data) Print out via pretty print salt.output.progress Display return data as a progress bar salt.output.progress.output(ret, bar) Update the progress bar salt.output.progress.progress_iter(progress) Initialize and return a progress bar iter salt.output.raw Display raw output data structure This outputter simply displays the output as a python data structure, by printing a string representation of it. It is similar to the pprint outputter, only the data is not nicely formatted/indented. This was the original outputter used by Salt before the outputter system was developed. Example output: {'myminion': {'foo': {'list': ['Hello', 'World'], 'bar': 'baz', 'dictionary': {'abc': 123, 'def': 456}}}} salt.output.raw.output(data) Rather basic.... salt.output.txt Simple text outputter The txt outputter has been developed to make the output from shell commands on minions appear as they do when the command is executed on the minion. salt.output.txt.output(data) Output the data in lines, very nice for running commands salt.output.virt_query virt.query outputter Used to display the output from the virt.query runner. salt.output.virt_query.output(data) Display output for the salt-run virt.query function salt.output.yaml_out Display return data in YAML format This outputter defaults to printing in YAML block mode for better readability. Example output: saltmine: foo: bar: baz dictionary: abc: 123 def: 456 list: - Hello - World salt.output.yaml_out.output(data) Print out YAML using the block mode Peer Communication Salt 0.9.0 introduced the capability for Salt minions to publish commands. The intent of this feature is not for Salt minions to act as independent brokers one with another, but to allow Salt minions to pass commands to each other. In Salt 0.10.0 the ability to execute runners from the master was added. This allows for the master to return collective data from runners back to the minions via the peer interface. The peer interface is configured through two options in the master configuration file. For minions to send commands from the master the peer configuration is used. To allow for minions to execute runners from the master the peer_run configuration is used. Since this presents a viable security risk by allowing minions access to the master publisher the capability is turned off by default. The minions can be allowed access to the master publisher on a per minion basis based on regular expressions. Minions with specific ids can be allowed access to certain Salt modules and functions. Peer Configuration The configuration is done under the peer setting in the Salt master configuration file, here are a number of configuration possibilities. The simplest approach is to enable all communication for all minions, this is only recommended for very secure environments. peer: .*: - .* This configuration will allow minions with IDs ending in example.com access to the test, ps, and pkg module functions. peer: .*example.com: - test.* - ps.* - pkg.* The configuration logic is simple, a regular expression is passed for matching minion ids, and then a list of expressions matching minion functions is associated with the named minion. For instance, this configuration will also allow minions ending with foo.org access to the publisher. peer: .*example.com: - test.* - ps.* - pkg.* .*foo.org: - test.* - ps.* - pkg.* NOTE: Functions are matched using regular expressions. Peer Runner Communication Configuration to allow minions to execute runners from the master is done via the peer_run option on the master. The peer_run configuration follows the same logic as the peer option. The only difference is that access is granted to runner modules. To open up access to all minions to all runners: peer_run: .*: - .* This configuration will allow minions with IDs ending in example.com access to the manage and jobs runner functions. peer_run: .*example.com: - manage.* - jobs.* NOTE: Functions are matched using regular expressions. Using Peer Communication The publish module was created to manage peer communication. The publish module comes with a number of functions to execute peer communication in different ways. Currently there are three functions in the publish module. These examples will show how to test the peer system via the salt-call command. To execute test.ping on all minions: # salt-call publish.publish \* test.ping To execute the manage.up runner: # salt-call publish.runner manage.up To match minions using other matchers, use expr_form: # salt-call publish.publish 'webserv* and not G@os:Ubuntu' test.ping expr_form='compound' Pillars Salt includes a number of built-in external pillars, listed at all-salt.pillars. You may also wish to look at the standard pillar documentation, at pillar-configuration The source for the built-in Salt pillars can be found here: https://github.com/saltstack/salt/blob/develop/salt/pillar Full list of builtin pillar modules ┌────────────────┬──────────────────────────────────┐ │cmd_json │ Execute a command and read the │ │ │ output as JSON. │ ├────────────────┼──────────────────────────────────┤ │cmd_yaml │ Execute a command and read the │ │ │ output as YAML. │ ├────────────────┼──────────────────────────────────┤ │cmd_yamlex │ Execute a command and read the │ │ │ output as YAMLEX. │ ├────────────────┼──────────────────────────────────┤ │cobbler │ A module to pull data from │ │ │ Cobbler via its API into the │ │ │ Pillar dictionary │ ├────────────────┼──────────────────────────────────┤ │consul_pillar │ Use consul data as a Pillar │ │ │ source │ ├────────────────┼──────────────────────────────────┤ │django_orm │ Generate Pillar data from Django │ │ │ models through the Django ORM │ ├────────────────┼──────────────────────────────────┤ │ec2_pillar │ Retrieve EC2 instance data for │ │ │ minions. │ ├────────────────┼──────────────────────────────────┤ │etcd_pillar │ Use etcd data as a Pillar source │ ├────────────────┼──────────────────────────────────┤ │file_tree │ Recursively iterate over │ │ │ directories and add all files as │ │ │ Pillar data │ ├────────────────┼──────────────────────────────────┤ │foreman │ A module to pull data from │ │ │ Foreman via its API into the │ │ │ Pillar dictionary │ ├────────────────┼──────────────────────────────────┤ │git_pillar │ Use a git repository as a Pillar │ │ │ source │ ├────────────────┼──────────────────────────────────┤ │hg_pillar │ Use remote Mercurial repository │ │ │ as a Pillar source. │ ├────────────────┼──────────────────────────────────┤ │hiera │ Use hiera data as a Pillar │ │ │ source │ ├────────────────┼──────────────────────────────────┤ │libvirt │ Load up the libvirt keys into │ │ │ Pillar for a given minion if │ │ │ said keys have been generated │ │ │ using the libvirt key runner │ ├────────────────┼──────────────────────────────────┤ │mongo │ Read Pillar data from a mongodb │ │ │ collection │ ├────────────────┼──────────────────────────────────┤ │mysql │ Retrieve Pillar data by doing a │ │ │ MySQL query │ ├────────────────┼──────────────────────────────────┤ │neutron │ Use Openstack Neutron data as a │ │ │ Pillar source. │ ├────────────────┼──────────────────────────────────┤ │pepa │ Pepa │ ├────────────────┼──────────────────────────────────┤ │pillar_ldap │ Use LDAP data as a Pillar source │ ├────────────────┼──────────────────────────────────┤ │puppet │ Execute an unmodified │ │ │ puppet_node_classifier and read │ │ │ the output as YAML. │ ├────────────────┼──────────────────────────────────┤ │reclass_adapter │ Use the "reclass" database as a │ │ │ Pillar source │ ├────────────────┼──────────────────────────────────┤ │redismod │ Read pillar data from a Redis │ │ │ backend │ ├────────────────┼──────────────────────────────────┤ │s3 │ Copy pillar data from a bucket │ │ │ in Amazon S3 │ ├────────────────┼──────────────────────────────────┤ │sql_base │ Retrieve Pillar data by doing a │ │ │ SQL query │ ├────────────────┼──────────────────────────────────┤ │sqlite3 │ Retrieve Pillar data by doing a │ │ │ SQLite3 query │ ├────────────────┼──────────────────────────────────┤ │svn_pillar │ Clone a remote SVN repository │ │ │ and use the filesystem as a │ │ │ Pillar source │ ├────────────────┼──────────────────────────────────┤ │varstack_pillar │ Use Varstack data as a Pillar │ │ │ source │ ├────────────────┼──────────────────────────────────┤ │virtkey │ Accept a key from a hypervisor │ │ │ if the virt runner has already │ │ │ submitted an authorization │ │ │ request │ └────────────────┴──────────────────────────────────┘ salt.pillar.cmd_json Execute a command and read the output as JSON. The JSON data is then directly overlaid onto the minion's Pillar data. salt.pillar.cmd_json.ext_pillar(minion_id, pillar, command) Execute a command and read the output as JSON salt.pillar.cmd_yaml Execute a command and read the output as YAML. The YAML data is then directly overlaid onto the minion's Pillar data salt.pillar.cmd_yaml.ext_pillar(minion_id, pillar, command) Execute a command and read the output as YAML salt.pillar.cmd_yamlex Execute a command and read the output as YAMLEX. The YAMLEX data is then directly overlaid onto the minion's Pillar data salt.pillar.cmd_yamlex.ext_pillar(minion_id, pillar, command) Execute a command and read the output as YAMLEX salt.pillar.cobbler A module to pull data from Cobbler via its API into the Pillar dictionary Configuring the Cobbler ext_pillar The same cobbler.* parameters are used for both the Cobbler tops and Cobbler pillar modules. ext_pillar: - cobbler: key: cobbler # Nest results within this key. By default, values are not nested. only: [parameters] # Add only these keys to pillar. cobbler.url: https://example.com/cobbler_api #default is http://localhost/cobbler_api cobbler.user: username # default is no username cobbler.password: password # default is no password Module Documentation salt.pillar.cobbler.ext_pillar(minion_id, pillar, key=None, only=()) Read pillar data from Cobbler via its API. salt.pillar.consul_pillar module Use consul data as a Pillar source depends • python-consul In order to use an consul server, a profile must be created in the master configuration file: my_consul_config: consul.host: 127.0.0.1 consul.port: 8500 After the profile is created, configure the external pillar system to use it. Optionally, a root may be specified. ext_pillar: - consul: my_consul_config ext_pillar: - consul: my_consul_config root=/salt Using these configuration profiles, multiple consul sources may also be used: ext_pillar: - consul: my_consul_config - consul: my_other_consul_config The minion_id may be used in the root path to expose minion-specific information stored in consul. ext_pillar: - consul: my_consul_config root=/salt/%(minion_id)s Minion-specific values may override shared values when the minion-specific root appears after the shared root: ext_pillar: - consul: my_consul_config root=/salt-shared - consul: my_other_consul_config root=/salt-private/%(minion_id)s salt.pillar.consul_pillar.consul_fetch(client, path) Query consul for all keys/values within base path salt.pillar.consul_pillar.ext_pillar(minion_id, pillar, conf) Check consul for all data salt.pillar.consul_pillar.fetch_tree(client, path) Grab data from consul, trim base path and remove any keys which are folders. Take the remaining data and send it to be formatted in such a way as to be used as pillar data. salt.pillar.consul_pillar.get_conn(opts, profile) Return a client object for accessing consul salt.pillar.consul_pillar.pillar_format(ret, keys, value) Perform data formatting to be used as pillar data and merge it with the current pillar data salt.pillar.django_orm Generate Pillar data from Django models through the Django ORM maintainer Micah Hausler <micah.hausler@gmail.com> maturity new Configuring the django_orm ext_pillar To use this module, your Django project must be on the salt master server with database access. This assumes you are using virtualenv with all the project's requirements installed. ext_pillar: - django_orm: pillar_name: my_application project_path: /path/to/project/ settings_module: my_application.settings env_file: /path/to/env/file.sh # Optional: If your project is not using the system python, # add your virtualenv path below. env: /path/to/virtualenv/ django_app: # Required: the app that is included in INSTALLED_APPS my_application.clients: # Required: the model name Client: # Required: model field to use as the key in the rendered # Pillar. Must be unique; must also be included in the # ``fields`` list below. name: shortname # Optional: # See Django's QuerySet documentation for how to use .filter() filter: {'kw': 'args'} # Required: a list of field names # List items will be used as arguments to the .values() method. # See Django's QuerySet documentation for how to use .values() fields: - field_1 - field_2 This would return pillar data that would look like my_application: my_application.clients: Client: client_1: field_1: data_from_field_1 field_2: data_from_field_2 client_2: field_1: data_from_field_1 field_2: data_from_field_2 As another example, data from multiple database tables can be fetched using Django's regular lookup syntax. Note, using ManyToManyFields will not currently work since the return from values() changes if a ManyToMany is present. ext_pillar: - django_orm: pillar_name: djangotutorial project_path: /path/to/mysite settings_module: mysite.settings django_app: mysite.polls: Choices: name: poll__question fields: - poll__question - poll__id - choice_text - votes Module Documentation salt.pillar.django_orm.ext_pillar(minion_id, pillar, pillar_name, project_path, settings_module, django_app, env=None, env_file=None, *args, **kwargs) Connect to a Django database through the ORM and retrieve model fields Parameters • pillar_name (str) -- The name of the pillar to be returned • project_path (str) -- The full path to your Django project (the directory manage.py is in) • settings_module (str) -- The settings module for your project. This can be found in your manage.py file • django_app (str) -- A dictionary containing your apps, models, and fields • env (str) -- The full path to the virtualenv for your Django project • env_file (str) -- An optional bash file that sets up your environment. The file is run in a subprocess and the changed variables are then added salt.pillar.ec2_pillar Retrieve EC2 instance data for minions. The minion id must be the instance-id retrieved from AWS. As an option, use_grain can be set to True. This allows the use of an instance-id grain instead of the minion-id. Since this is a potential security risk, the configuration can be further expanded to include a list of minions that are trusted to only allow the alternate id of the instances to specific hosts. There is no glob matching at this time. ext_pillar: - ec2_pillar: use_grain: True minion_ids: - trusted-minion-1 - trusted-minion-2 - trusted-minion-3 This is a very simple pillar that simply retrieves the instance data from AWS. Currently the only portion implemented are EC2 tags, which returns a list of key/value pairs for all of the EC2 tags assigned to the instance. salt.pillar.ec2_pillar.ext_pillar(minion_id, pillar, use_grain=False, minion_ids=None) Execute a command and read the output as YAML salt.pillar.etcd_pillar Use etcd data as a Pillar source New in version 2014.7.0. depends • python-etcd In order to use an etcd server, a profile must be created in the master configuration file: my_etcd_config: etcd.host: 127.0.0.1 etcd.port: 4001 After the profile is created, configure the external pillar system to use it. Optionally, a root may be specified. ext_pillar: - etcd: my_etcd_config ext_pillar: - etcd: my_etcd_config root=/salt Using these configuration profiles, multiple etcd sources may also be used: ext_pillar: - etcd: my_etcd_config - etcd: my_other_etcd_config The minion_id may be used in the root path to expose minion-specific information stored in etcd. ext_pillar: - etcd: my_etcd_config root=/salt/%(minion_id)s Minion-specific values may override shared values when the minion-specific root appears after the shared root: ext_pillar: - etcd: my_etcd_config root=/salt-shared - etcd: my_other_etcd_config root=/salt-private/%(minion_id)s Using the configuration above, the following commands could be used to share a key with all minions but override its value for a specific minion: etcdctl set /salt-shared/mykey my_value etcdctl set /salt-private/special_minion_id/mykey my_other_value salt.pillar.etcd_pillar.ext_pillar(minion_id, pillar, conf) Check etcd for all data salt.pillar.file_tree Recursively iterate over directories and add all files as Pillar data New in version 2015.5.0. Example Configuration ext_pillar: - file_tree: root_dir: /path/to/root/directory follow_dir_links: False keep_newline: True The root_dir parameter is required and points to the directory where files for each host are stored. The follow_dir_links parameter is optional and defaults to False. If follow_dir_links is set to True, this external pillar will follow symbolic links to other directories. WARNING: Be careful when using follow_dir_links, as a recursive symlink chain will result in unexpected results. If keep_newline is set to True, then the pillar values for files ending in newlines will keep that newline. The default behavior is to remove the end-of-file newline. keep_newline should be turned on if the pillar data is intended to be used to deploy a file using contents_pillar with a file.managed state. Changed in version 2015.8.4: The raw_data parameter has been renamed to keep_newline. In earlier releases, raw_data must be used. Also, this parameter can now be a list of globs, allowing for more granular control over which pillar values keep their end-of-file newline. The globs match paths relative to the directories named for minion IDs and nodegroups underneath the root_dir (see the layout examples in the below sections). ext_pillar: - file_tree: root_dir: /path/to/root/directory keep_newline: - files/testdir/* NOTE: In earlier releases, this documentation incorrectly stated that binary files would not affected by the keep_newline configuration. However, this module does not actually distinguish between binary and text files. Assigning Pillar Data to Individual Hosts To configure pillar data for each host, this external pillar will recursively iterate over root_dir/hosts/id (where id is a minion ID), and compile pillar data with each subdirectory as a dictionary key and each file as a value. For example, the following root_dir tree: ./hosts/ ./hosts/test-host/ ./hosts/test-host/files/ ./hosts/test-host/files/testdir/ ./hosts/test-host/files/testdir/file1.txt ./hosts/test-host/files/testdir/file2.txt ./hosts/test-host/files/another-testdir/ ./hosts/test-host/files/another-testdir/symlink-to-file1.txt will result in the following pillar tree for minion with ID test-host: test-host: ---------- files: ---------- another-testdir: ---------- symlink-to-file1.txt: Contents of file #1. testdir: ---------- file1.txt: Contents of file #1. file2.txt: Contents of file #2. NOTE: Subdirectories underneath root_dir/hosts/id become nested dictionaries, as shown above. Assigning Pillar Data to Entire Nodegroups To assign Pillar data to all minions in a given nodegroup, this external pillar recursively iterates over root_dir/nodegroups/nodegroup (where nodegroup is the name of a nodegroup), and like for individual hosts, compiles pillar data with each subdirectory as a dictionary key and each file as a value. IMPORTANT: If the same Pillar key is set for a minion both by nodegroup and by individual host, then the value set for the individual host will take precedence. For example, the following root_dir tree: ./nodegroups/ ./nodegroups/test-group/ ./nodegroups/test-group/files/ ./nodegroups/test-group/files/testdir/ ./nodegroups/test-group/files/testdir/file1.txt ./nodegroups/test-group/files/testdir/file2.txt ./nodegroups/test-group/files/another-testdir/ ./nodegroups/test-group/files/another-testdir/symlink-to-file1.txt will result in the following pillar data for minions in the node group test-group: test-host: ---------- files: ---------- another-testdir: ---------- symlink-to-file1.txt: Contents of file #1. testdir: ---------- file1.txt: Contents of file #1. file2.txt: Contents of file #2. salt.pillar.file_tree.ext_pillar(minion_id, pillar, root_dir=None, follow_dir_links=False, debug=False, raw_data=None, keep_newline=False) Compile pillar data for the specified minion ID salt.pillar.foreman A module to pull data from Foreman via its API into the Pillar dictionary Configuring the Foreman ext_pillar Set the following Salt config to setup Foreman as external pillar source: ext_pillar: - foreman: key: foreman # Nest results within this key only: ['hostgroup_name', 'parameters'] # Add only these keys to pillar foreman.url: https://example.com/foreman_api foreman.user: username # default is admin foreman.password: password # default is changeme The following options are optional: foreman.api: apiversion # default is 2 (1 is not supported yet) foreman.verifyssl: False # default is True foreman.certfile: /etc/ssl/certs/mycert.pem # default is None foreman.keyfile: /etc/ssl/private/mykey.pem # default is None foreman.cafile: /etc/ssl/certs/mycert.ca.pem # default is None foreman.lookup_parameters: True # default is True An alternative would be to use the Foreman modules integrating Salt features in the Smart Proxy and the webinterface. Further information can be found on GitHub. Module Documentation salt.pillar.foreman.ext_pillar(minion_id, pillar, key=None, only=()) Read pillar data from Foreman via its API. salt.pillar.git_pillar Use a git repository as a Pillar source NOTE: This external pillar has been rewritten for the 2015.8.0 release. The old method of configuring this external pillar will be maintained for a couple releases, allowing time for configurations to be updated to reflect the new usage. This external pillar allows for a Pillar top file and Pillar SLS files to be sourced from a git repository. However, since git_pillar does not have an equivalent to the pillar_roots parameter, configuration is slightly different. The Pillar top file must still contain the relevant environment, like so: base: '*': - foo The branch/tag which maps to that environment must then be specified along with the repo's URL. Configuration details can be found below. Configuring git_pillar for Salt releases before 2015.8.0 For Salt releases earlier than 2015.8.0, GitPython is the only supported provider for git_pillar. Individual repositories can be configured under the ext_pillar configuration parameter like so: ext_pillar: - git: master https://gitserver/git-pillar.git root=subdirectory The repository is specified in the format <branch> <repo_url>, with an optional root parameter (added in the 2014.7.0 release) which allows the pillar SLS files to be served up from a subdirectory (similar to gitfs_root in gitfs). To use more than one branch from the same repo, multiple lines must be specified under ext_pillar: ext_pillar: - git: master https://gitserver/git-pillar.git - git: dev https://gitserver/git-pillar.git To remap a specific branch to a specific Pillar environment, use the format <branch>:<env>: ext_pillar: - git: develop:dev https://gitserver/git-pillar.git - git: master:prod https://gitserver/git-pillar.git In this case, the develop branch would need its own top.sls with a dev section in it, like this: dev: '*': - bar The master branch would need its own top.sls with a prod section in it: prod: '*': - bar If __env__ is specified as the branch name, then git_pillar will use the branch specified by gitfs_base: ext_pillar: - git: __env__ https://gitserver/git-pillar.git root=pillar The corresponding Pillar top file would look like this: {{env}}: '*': - bar Configuring git_pillar for Salt releases 2015.8.0 and later NOTE: In version 2015.8.0, the method of configuring git external pillars has changed, and now more closely resembles that of the Git Fileserver Backend. If Salt detects the old configuration schema, it will use the pre-2015.8.0 code to compile the external pillar. A warning will also be logged. Beginning with Salt version 2015.8.0, pygit2 is now supported in addition to GitPython (‐ Dulwich will not be supported for the forseeable future). The requirements for GitPython and pygit2 are the same as for gitfs, as described here. IMPORTANT: git_pillar has its own set of global configuration parameters. While it may seem intuitive to use the global gitfs configuration parameters (gitfs_base, etc.) to manage git_pillar, this will not work. The main difference for this is the fact that the different components which use Salt's git backend code do not all function identically. For instance, in git_pillar it is necessary to specify which branch/tag to be used for git_pillar remotes. This is the reverse behavior from gitfs, where branches/tags make up your environments. See here for documentation on the git_pillar configuration options and their usage. Here is an example git_pillar configuration: ext_pillar: - git: # Use 'prod' instead of the branch name 'production' as the environment - production https://gitserver/git-pillar.git: - env: prod # Use 'dev' instead of the branch name 'develop' as the environment - develop https://gitserver/git-pillar.git: - env: dev # No per-remote config parameters (and no trailing colon), 'qa' will # be used as the environment - qa https://gitserver/git-pillar.git # SSH key authentication - master git@other-git-server:pillardata-ssh.git: # Pillar SLS files will be read from the 'pillar' subdirectory in # this repository - root: pillar - privkey: /path/to/key - pubkey: /path/to/key.pub - passphrase: CorrectHorseBatteryStaple # HTTPS authentication - master https://other-git-server/pillardata-https.git: - user: git - password: CorrectHorseBatteryStaple The main difference between this and the old way of configuring git_pillar is that multiple remotes can be configured under one git section under ext_pillar. More than one git section can be used, but it is not necessary. Remotes will be evaluated sequentially. Per-remote configuration parameters are supported (similar to gitfs), and global versions of the git_pillar configuration parameters can also be set. With the addition of pygit2 support, git_pillar can now interact with authenticated remotes. Authentication works just like in gitfs (as outlined in the Git Fileserver Backend Walkthrough), only with the global authenication parameter names prefixed with git_pillar instead of gitfs (e.g. git_pillar_pubkey, git_pillar_privkey, git_pillar_passphrase, etc.). salt.pillar.git_pillar.ext_pillar(minion_id, repo, pillar_dirs) Checkout the ext_pillar sources and compile the resulting pillar SLS salt.pillar.hg_pillar Use remote Mercurial repository as a Pillar source. New in version 2015.8.0. The module depends on the hglib python module being available. This is the same requirement as for hgfs_ so should not pose any extra hurdles. This external Pillar source can be configured in the master config file as such: ext_pillar: - hg: ssh://hg@example.co/user/repo class salt.pillar.hg_pillar.Repo(repo_uri) Deal with remote hg (mercurial) repository for Pillar close() Cleanup mercurial command server pull() update(branch='default') Ensure we are using the latest revision in the hg repository salt.pillar.hg_pillar.ext_pillar(minion_id, pillar, repo, branch='default', root=None) Extract pillar from an hg repository salt.pillar.hg_pillar.update(repo_uri) Execute an hg pull on all the repos salt.pillar.hiera Use hiera data as a Pillar source salt.pillar.hiera.ext_pillar(minion_id, pillar, conf) Execute hiera and return the data salt.pillar.libvirt Load up the libvirt keys into Pillar for a given minion if said keys have been generated using the libvirt key runner salt.pillar.libvirt.ext_pillar(minion_id, pillar, command) Read in the generated libvirt keys salt.pillar.libvirt.gen_hyper_keys(minion_id, country='US', state='Utah', locality='Salt Lake City', organization='Salted') Generate the keys to be used by libvirt hypervisors, this routine gens the keys and applies them to the pillar for the hypervisor minions salt.pillar.mongo Read Pillar data from a mongodb collection depends pymongo (for salt-master) This module will load a node-specific pillar dictionary from a mongo collection. It uses the node's id for lookups and can load either the whole document, or just a specific field from that document as the pillar dictionary. Salt Master Mongo Configuration The module shares the same base mongo connection variables as salt.returners.mongo_return. These variables go in your master config file. • mongo.db - The mongo database to connect to. Defaults to 'salt'. • mongo.host - The mongo host to connect to. Supports replica sets by specifying all hosts in the set, comma-delimited. Defaults to 'salt'. • mongo.port - The port that the mongo database is running on. Defaults to 27017. • mongo.user - The username for connecting to mongo. Only required if you are using mongo authentication. Defaults to ''. • mongo.password - The password for connecting to mongo. Only required if you are using mongo authentication. Defaults to ''. Configuring the Mongo ext_pillar The Mongo ext_pillar takes advantage of the fact that the Salt Master configuration file is yaml. It uses a sub-dictionary of values to adjust specific features of the pillar. This is the explicit single-line dictionary notation for yaml. One may be able to get the easier-to-read multi-line dict to work correctly with some experimentation. ext_pillar: - mongo: {collection: vm, id_field: name, re_pattern: \.example\.com, fields: [customer_id, software, apache_vhosts]} In the example above, we've decided to use the vm collection in the database to store the data. Minion ids are stored in the name field on documents in that collection. And, since minion ids are FQDNs in most cases, we'll need to trim the domain name in order to find the minion by hostname in the collection. When we find a minion, return only the customer_id, software, and apache_vhosts fields, as that will contain the data we want for a given node. They will be available directly inside the pillar dict in your SLS templates. Module Documentation salt.pillar.mongo.ext_pillar(minion_id, pillar, collection='pillar', id_field='_id', re_pattern=None, re_replace='', fields=None) Connect to a mongo database and read per-node pillar information. Parameters: • collection: The mongodb collection to read data from. Defaults to 'pillar'. • id_field: The field in the collection that represents an individual minion id. Defaults to '_id'. • re_pattern: If your naming convention in the collection is shorter than the minion id, you can use this to trim the name. re_pattern will be used to match the name, and re_replace will be used to replace it. Backrefs are supported as they are in the Python standard library. If None, no mangling of the name will be performed - the collection will be searched with the entire minion id. Defaults to None. • re_replace: Use as the replacement value in node ids matched with re_pattern. Defaults to ''. Feel free to use backreferences here. • fields: The specific fields in the document to use for the pillar data. If None, will use the entire document. If using the entire document, the _id field will be converted to string. Be careful with other fields in the document as they must be string serializable. Defaults to None. salt.pillar.mysql Retrieve Pillar data by doing a MySQL query MariaDB provides Python support through the MySQL Python package. Therefore, you may use this module with both MySQL or MariaDB. This module is a concrete implementation of the sql_base ext_pillar for MySQL. maturity new depends python-mysqldb platform all Legacy compatibility This module has an extra addition for backward compatibility. If there's a keyword arg of mysql_query, that'll go first before other args. This legacy compatibility translates to depth 1. We do this so that it's backward compatible with older configs. This is deprecated and slated to be removed in Boron. Configuring the mysql ext_pillar Use the 'mysql' key under ext_pillar for configuration of queries. MySQL configuration of the MySQL returner is being used (mysql.db, mysql.user, mysql.pass, mysql.port, mysql.host) for database connection info. Required python modules: MySQLdb Complete example mysql: user: 'salt' pass: 'super_secret_password' db: 'salt_db' ext_pillar: - mysql: fromdb: query: 'SELECT col1,col2,col3,col4,col5,col6,col7 FROM some_random_table WHERE minion_pattern LIKE %s' depth: 5 as_list: True with_lists: [1,3] class salt.pillar.mysql.MySQLExtPillar This class receives and processes the database rows from MySQL. extract_queries(args, kwargs) This function normalizes the config block into a set of queries we can use. The return is a list of consistently laid out dicts. salt.pillar.mysql.ext_pillar(minion_id, pillar, *args, **kwargs) Execute queries against MySQL, merge and return as a dict salt.pillar.neutron module Use Openstack Neutron data as a Pillar source. Will list all networks listed inside of Neutron, to all minions. New in version 2015.5.1. depends • python-neutronclient A keystone profile must be used for the pillar to work (no generic keystone configuration here). For example: my openstack_config: keystone.user: 'admin' keystone.password: 'password' keystone.tenant: 'admin' keystone.auth_url: 'http://127.0.0.1:5000/v2.0/' keystone.region_name: 'RegionOne' keystone.service_type: 'network' After the profile is created, configure the external pillar system to use it. ext_pillar: - neutron: my_openstack_config Using these configuration profiles, multiple neutron sources may also be used: ext_pillar: - neutron: my_openstack_config - neutron: my_other_openstack_config By default, these networks will be returned as a pillar item called networks. In order to have them returned under a different name, add the name after the Keystone profile name: ext_pillar: • neutron: my_openstack_config neutron_networks salt.pillar.neutron.ext_pillar(minion_id, pillar, conf) Check neutron for all data salt.pillar.pepa Pepa Configuration templating for SaltStack using Hierarchical substitution and Jinja. Configuring Pepa extension_modules: /srv/salt/ext ext_pillar: - pepa: resource: host # Name of resource directory and sub-key in pillars sequence: # Sequence used for hierarchical substitution - hostname: # Name of key name: input # Alias used for template directory base_only: True # Only use templates from Base environment, i.e. no staging - default: - environment: - location..region: name: region - location..country: name: country - location..datacenter: name: datacenter - roles: - osfinger: name: os - hostname: name: override base_only: True subkey: True # Create a sub-key in pillars, named after the resource in this case [host] subkey_only: True # Only create a sub-key, and leave the top level untouched pepa_roots: # Base directory for each environment base: /srv/pepa/base # Path for base environment dev: /srv/pepa/base # Associate dev with base qa: /srv/pepa/qa prod: /srv/pepa/prod # Use a different delimiter for nested dictionaries, defaults to '..' since some keys may use '.' in the name #pepa_delimiter: .. # Supply Grains for Pepa, this should **ONLY** be used for testing or validation #pepa_grains: # environment: dev # Supply Pillar for Pepa, this should **ONLY** be used for testing or validation #pepa_pillars: # saltversion: 0.17.4 # Enable debug for Pepa, and keep Salt on warning #log_level: debug #log_granular_levels: # salt: warning # salt.loaded.ext.pillar.pepa: debug Pepa can also be used in Master-less SaltStack setup. Command line usage: pepa.py [-h] [-c CONFIG] [-d] [-g GRAINS] [-p PILLAR] [-n] [-v] hostname positional arguments: hostname Hostname optional arguments: -h, --help show this help message and exit -c CONFIG, --config CONFIG Configuration file -d, --debug Print debug info -g GRAINS, --grains GRAINS Input Grains as YAML -p PILLAR, --pillar PILLAR Input Pillar as YAML -n, --no-color No color output -v, --validate Validate output Templates Templates is configuration for a host or software, that can use information from Grains or Pillars. These can then be used for hierarchically substitution. Example File: host/input/test_example_com.yaml location..region: emea location..country: nl location..datacenter: foobar environment: dev roles: - salt.master network..gateway: 10.0.0.254 network..interfaces..eth0..hwaddr: 00:20:26:a1:12:12 network..interfaces..eth0..dhcp: False network..interfaces..eth0..ipv4: 10.0.0.3 network..interfaces..eth0..netmask: 255.255.255.0 network..interfaces..eth0..fqdn: {{ hostname }} cobbler..profile: fedora-19-x86_64 As you see in this example you can use Jinja directly inside the template. Example File: host/region/amer.yaml network..dns..servers: - 10.0.0.1 - 10.0.0.2 time..ntp..servers: - ntp1.amer.example.com - ntp2.amer.example.com - ntp3.amer.example.com time..timezone: America/Chihuahua yum..mirror: yum.amer.example.com Each template is named after the value of the key using lowercase and all extended characters are replaced with underscore. Example: osfinger: Fedora-19 Would become: fedora_19.yaml Nested dictionaries In order to create nested dictionaries as output you can use double dot ".." as a delimiter. You can change this using "pepa_delimiter" we choose double dot since single dot is already used by key names in some modules, and using ":" requires quoting in the YAML. Example: network..dns..servers: - 10.0.0.1 - 10.0.0.2 network..dns..options: - timeout:2 - attempts:1 - ndots:1 network..dns..search: - example.com Would become: network: dns: servers: - 10.0.0.1 - 10.0.0.2 options: - timeout:2 - attempts:1 - ndots:1 search: - example.com Operators Operators can be used to merge/unset a list/hash or set the key as immutable, so it can't be changed. ┌────────────┬──────────────────────────────────┐ │Operator │ Description │ ├────────────┼──────────────────────────────────┤ │merge() │ Merge list or hash │ ├────────────┼──────────────────────────────────┤ │unset() │ Unset key │ ├────────────┼──────────────────────────────────┤ │immutable() │ Set the key as immutable, so it │ │ │ can't be changed │ ├────────────┼──────────────────────────────────┤ │imerge() │ Set immutable and merge │ ├────────────┼──────────────────────────────────┤ │iunset() │ Set immutable and unset │ └────────────┴──────────────────────────────────┘ Example: network..dns..search..merge(): - foobar.com - dummy.nl owner..immutable(): Operations host..printers..unset(): Validation Since it's very hard to test Jinja as is, the best approach is to run all the permutations of input and validate the output, i.e. Unit Testing. To facilitate this in Pepa we use YAML, Jinja and Cerberus <‐ https://github.com/nicolaiarocci/cerberus>. Schema So this is a validation schema for network configuration, as you see it can be customized with Jinja just as Pepa templates. This was designed to be run as a build job in Jenkins or similar tool. You can provide Grains/Pillar input using either the config file or command line arguments. File Example: host/validation/network.yaml network..dns..search: type: list allowed: - example.com network..dns..options: type: list allowed: ['timeout:2', 'attempts:1', 'ndots:1'] network..dns..servers: type: list schema: regex: ^([0-9]{1,3}\.){3}[0-9]{1,3}$ network..gateway: type: string regex: ^([0-9]{1,3}\.){3}[0-9]{1,3}$ {% if network.interfaces is defined %} {% for interface in network.interfaces %} network..interfaces..{{ interface }}..dhcp: type: boolean network..interfaces..{{ interface }}..fqdn: type: string regex: ^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-zA-Z]{2,6}$ network..interfaces..{{ interface }}..hwaddr: type: string regex: ^([0-9a-f]{1,2}\:){5}[0-9a-f]{1,2}$ network..interfaces..{{ interface }}..ipv4: type: string regex: ^([0-9]{1,3}\.){3}[0-9]{1,3}$ network..interfaces..{{ interface }}..netmask: type: string regex: ^([0-9]{1,3}\.){3}[0-9]{1,3}$ {% endfor %} {% endif %} Links For more examples and information see <https://github.com/mickep76/pepa>. salt.pillar.pepa.ext_pillar(minion_id, pillar, resource, sequence, subkey=False, subkey_only=False) Evaluate Pepa templates salt.pillar.pepa.key_value_to_tree(data) Convert key/value to tree salt.pillar.pepa.validate(output, resource) Validate Pepa templates salt.pillar.pillar_ldap Use LDAP data as a Pillar source This pillar module executes a series of LDAP searches. Data returned by these searches are aggregated, whereby data returned by later searches override data by previous searches with the same key. The final result is merged with existing pillar data. The configuration of this external pillar module is done via an external file which provides the actual configuration for the LDAP searches. Configuring the LDAP ext_pillar The basic configuration is part of the master configuration. ext_pillar: - pillar_ldap: /etc/salt/master.d/pillar_ldap.yaml NOTE: When placing the file in the master.d directory, make sure its name doesn't end in .conf, otherwise the salt-master process will attempt to parse its content. WARNING: Make sure this file has very restrictive permissions, as it will contain possibly sensitive LDAP credentials! The only required key in the master configuration is pillar_ldap pointing to a file containing the actual configuration. Configuring the LDAP searches The file is processed using Salt's Renderers <renderers> which makes it possible to reference grains within the configuration. WARNING: When using Jinja in this file, make sure to do it in a way which prevents leaking sensitive information. A rogue minion could send arbitrary grains to trick the master into returning secret data. Use only the 'id' grain which is verified through the minion's key/cert. Map Mode The it-admins configuration below returns the Pillar it-admins by: • filtering for: • members of the group it-admins • objects with objectclass=user • returning the data of users (mode: map), where each user is a dictionary containing the configured string or list attributes. Configuration: salt-users: server: ldap.company.tld port: 389 tls: true dn: 'dc=company,dc=tld binddn: 'cn=salt-pillars,ou=users,dc=company,dc=tld' bindpw: bi7ieBai5Ano referrals: false anonymous: false mode: map dn: 'ou=users,dc=company,dc=tld' filter: '(&(memberof=cn=it-admins,ou=groups,dc=company,dc=tld)(objectclass=user))' attrs: - cn - displayName - givenName - sn lists: - memberOf **Result:** salt-users: - cn: cn=johndoe,ou=users,dc=company,dc=tld displayName: John Doe givenName: John sn: Doe memberOf: - cn=it-admins,ou=groups,dc=company,dc=tld - cn=team01,ou=groups,dc=company - cn: cn=janedoe,ou=users,dc=company,dc=tld displayName: Jane Doe givenName: Jane sn: Doe memberOf: - cn=it-admins,ou=groups,dc=company,dc=tld - cn=team02,ou=groups,dc=company List Mode TODO: see also _result_to_dict() documentation salt.pillar.pillar_ldap.ext_pillar(minion_id, pillar, config_file) Execute LDAP searches and return the aggregated data salt.pillar.puppet Execute an unmodified puppet_node_classifier and read the output as YAML. The YAML data is then directly overlaid onto the minion's Pillar data. salt.pillar.puppet.ext_pillar(minion_id, pillar, command) Execute an unmodified puppet_node_classifier and read the output as YAML salt.pillar.reclass_adapter Use the "reclass" database as a Pillar source This ext_pillar plugin provides access to the reclass database, such that Pillar data for a specific minion are fetched using reclass. You can find more information about reclass at http://reclass.pantsfullofunix.net. To use the plugin, add it to the ext_pillar list in the Salt master config and tell reclass by way of a few options how and where to find the inventory: ext_pillar: - reclass: storage_type: yaml_fs inventory_base_uri: /srv/salt This would cause reclass to read the inventory from YAML files in /srv/salt/nodes and /srv/salt/classes. If you are also using reclass as master_tops plugin, and you want to avoid having to specify the same information for both, use YAML anchors (take note of the differing data types for ext_pillar and master_tops): reclass: &reclass storage_type: yaml_fs inventory_base_uri: /srv/salt reclass_source_path: ~/code/reclass ext_pillar: - reclass: *reclass master_tops: reclass: *reclass If you want to run reclass from source, rather than installing it, you can either let the master know via the PYTHONPATH environment variable, or by setting the configuration option, like in the example above. salt.pillar.reclass_adapter.ext_pillar(minion_id, pillar, **kwargs) Obtain the Pillar data from reclass for the given minion_id. salt.pillar.redismod Read pillar data from a Redis backend New in version 2014.7.0. depends • redis Python module (on master) Salt Master Redis Configuration The module shares the same base Redis connection variables as salt.returners.redis_return. These variables go in your master config file. • redis.db - The Redis database to use. Defaults to 0. • redis.host - The Redis host to connect to. Defaults to 'salt'. • redis.port - The port that the Redis database is listening on. Defaults to 6379. • redis.password - The password for authenticating with Redis. Only required if you are using master auth. Defaults to None. Configuring the Redis ext_pillar ext_pillar: - redis: {function: key_value} salt.pillar.redismod.ext_pillar(minion_id, pillar, function, **kwargs) Grabs external pillar data based on configured function salt.pillar.redismod.key_json(minion_id, pillar, pillar_key=None) Pulls a string from redis and deserializes it from json. Deserialized dictionary data loaded directly into top level if pillar_key is not set. pillar_key Pillar key to return data into salt.pillar.redismod.key_value(minion_id, pillar, pillar_key='redis_pillar') Looks for key in redis matching minion_id, returns a structure based on the data type of the redis key. String for string type, dict for hash type and lists for lists, sets and sorted sets. pillar_key Pillar key to return data into salt.pillar.s3 Copy pillar data from a bucket in Amazon S3 The S3 pillar can be configured in the master config file with the following options ext_pillar: - s3: bucket: my.fancy.pillar.bucket keyid: KASKFJWAKJASJKDAJKSD key: ksladfDLKDALSFKSD93q032sdDasdfasdflsadkf multiple_env: False environment: base prefix: somewhere/overthere verify_ssl: True service_url: s3.amazonaws.com s3_cache_expire: 30 s3_sync_on_update: True The bucket parameter specifies the target S3 bucket. It is required. The keyid parameter specifies the key id to use when access the S3 bucket. If it is not provided, an attempt to fetch it from EC2 instance meta-data will be made. The key parameter specifies the key to use when access the S3 bucket. If it is not provided, an attempt to fetch it from EC2 instance meta-data will be made. The multiple_env defaults to False. It specifies whether the pillar should interpret top level folders as pillar environments (see mode section below). The environment defaults to 'base'. It specifies which environment the bucket represents when in single environments mode (see mode section below). It is ignored if multiple_env is True. The prefix defaults to ''. It specifies a key prefix to use when searching for data in the bucket for the pillar. It works when multiple_env is True or False. Essentially it tells ext_pillar to look for your pillar data in a 'subdirectory' of your S3 bucket The verify_ssl parameter defaults to True. It specifies whether to check for valid S3 SSL certificates. NOTE If you use bucket names with periods, this must be set to False else an invalid certificate error will be thrown (issue #12200). The service_url parameter defaults to 's3.amazonaws.com'. It specifies the base url to use for accessing S3. The s3_cache_expire parameter defaults to 30s. It specifies expiration time of S3 metadata cache file. The s3_sync_on_update parameter defaults to True. It specifies if cache is synced on update rather than jit. This pillar can operate in two modes, single environment per bucket or multiple environments per bucket. Single environment mode must have this bucket structure: s3://<bucket name>/<prefix>/<files> Multiple environment mode must have this bucket structure: s3://<bucket name>/<prefix>/<environment>/<files> If you wish to define your pillar data entirely within S3 it's recommended that you use the prefix= parameter and specify one entry in ext_pillar for each environment rather than specifying multiple_env. This is due to issue #22471 (‐ https://github.com/saltstack/salt/issues/22471) class salt.pillar.s3.S3Credentials(key, keyid, bucket, service_url, verify_ssl, location) salt.pillar.s3.ext_pillar(minion_id, pillar, bucket, key=None, keyid=None, verify_ssl=True, location=None, multiple_env=False, environment='base', prefix='', service_url=None, s3_cache_expire=30, s3_sync_on_update=True) Execute a command and read the output as YAML salt.pillar.sql_base module Retrieve Pillar data by doing a SQL query This module is not meant to be used directly as an ext_pillar. It is a place to put code common to PEP 249 compliant SQL database adapters. It exposes a python ABC that can be subclassed for new database providers. maturity new platform all Theory of sql_base ext_pillar Ok, here's the theory for how this works... • First, any non-keyword args are processed in order. • Then, remaining keywords are processed. We do this so that it's backward compatible with older configs. Keyword arguments are sorted before being appended, so that they're predictable, but they will always be applied last so overall it's moot. For each of those items we process, it depends on the object type: • Strings are executed as is and the pillar depth is determined by the number of fields returned. • A list has the first entry used as the query, the second as the pillar depth. • A mapping uses the keys "query" and "depth" as the tuple You can retrieve as many fields as you like, how they get used depends on the exact settings. Configuring a sql_base ext_pillar The sql_base ext_pillar cannot be used directly, but shares query configuration with its implementations. These examples use a fake 'sql_base' adapter, which should be replaced with the name of the adapter you are using. A list of queries can be passed in ext_pillar: - sql_base: - "SELECT pillar,value FROM pillars WHERE minion_id = %s" - "SELECT pillar,value FROM more_pillars WHERE minion_id = %s" Or you can pass in a mapping ext_pillar: - sql_base: main: "SELECT pillar,value FROM pillars WHERE minion_id = %s" extras: "SELECT pillar,value FROM more_pillars WHERE minion_id = %s" The query can be provided as a string as we have just shown, but they can be provided as lists ext_pillar: - sql_base: - "SELECT pillar,value FROM pillars WHERE minion_id = %s" 2 Or as a mapping ext_pillar: - sql_base: - query: "SELECT pillar,value FROM pillars WHERE minion_id = %s" depth: 2 The depth defines how the dicts are constructed. Essentially if you query for fields a,b,c,d for each row you'll get: • With depth 1: {a: {"b": b, "c": c, "d": d}} • With depth 2: {a: {b: {"c": c, "d": d}}} • With depth 3: {a: {b: {c: d}}} Depth greater than 3 wouldn't be different from 3 itself. Depth of 0 translates to the largest depth needed, so 3 in this case. (max depth == key count - 1) Then they are merged in a similar way to plain pillar data, in the order returned by the SQL database. Thus subsequent results overwrite previous ones when they collide. The ignore_null option can be used to change the overwrite behavior so that only non-NULL values in subsequent results will overwrite. This can be used to selectively overwrite default values. ext_pillar: - sql_base: - query: "SELECT pillar,value FROM pillars WHERE minion_id = 'default' and minion_id != %s" depth: 2 - query: "SELECT pillar,value FROM pillars WHERE minion_id = %s" depth: 2 ignore_null: True If you specify as_list: True in the mapping expression it will convert collisions to lists. If you specify with_lists: '...' in the mapping expression it will convert the specified depths to list. The string provided is a sequence numbers that are comma separated. The string '1,3' will result in: a,b,c,d,e,1 # field 1 same, field 3 differs a,b,c,f,g,2 # ^^^^ a,z,h,y,j,3 # field 1 same, field 3 same a,z,h,y,k,4 # ^^^^ ^ ^ These columns define list grouping {a: [ {c: [ {e: 1}, {g: 2} ] }, {h: [ {j: 3, k: 4 } ] } ]} The range for with_lists is 1 to number_of_fields, inclusive. Numbers outside this range are ignored. Finally, if you pass the queries in via a mapping, the key will be the first level name where as passing them in as a list will place them in the root. This isolates the query results into their own subtrees. This may be a help or hindrance to your aims and can be used as such. You can basically use any SELECT query that gets you the information, you could even do joins or subqueries in case your minion_id is stored elsewhere. It is capable of handling single rows or multiple rows per minion. Configuration of the connection depends on the adapter in use. More complete example for MySQL (to also show configuration) mysql: user: 'salt' pass: 'super_secret_password' db: 'salt_db' ext_pillar: - mysql: fromdb: query: 'SELECT col1,col2,col3,col4,col5,col6,col7 FROM some_random_table WHERE minion_pattern LIKE %s' depth: 5 as_list: True with_lists: [1,3] class salt.pillar.sql_base.SqlBaseExtPillar This class receives and processes the database rows in a database agnostic way. as_list = False depth = 0 enter_root(root) Set self.focus for kwarg queries extract_queries(args, kwargs) This function normalizes the config block into a set of queries we can use. The return is a list of consistently laid out dicts. fetch(minion_id, pillar, *args, **kwargs) Execute queries, merge and return as a dict. field_names = None focus = None ignore_null = False num_fields = 0 process_fields(field_names, depth) The primary purpose of this function is to store the sql field list and the depth to which we process. process_results(rows) This function takes a list of database results and iterates over, merging them into a dict form. result = None with_lists = None salt.pillar.sqlite3 module Retrieve Pillar data by doing a SQLite3 query sqlite3 is included in the stdlib since python2.5. This module is a concrete implementation of the sql_base ext_pillar for SQLite3. maturity new platform all Configuring the sqlite3 ext_pillar Use the 'sqlite3' key under ext_pillar for configuration of queries. SQLite3 database connection configuration requires the following values configured in the master config: Note, timeout is in seconds. pillar.sqlite3.database: /var/lib/salt/pillar.db pillar.sqlite3.timeout: 5.0 Complete example pillar: sqlite3: database: '/var/lib/salt/pillar.db' timeout: 5.0 ext_pillar: - sqlite3: fromdb: query: 'SELECT col1,col2,col3,col4,col5,col6,col7 FROM some_random_table WHERE minion_pattern LIKE ?' depth: 5 as_list: True with_lists: [1,3] class salt.pillar.sqlite3.SQLite3ExtPillar This class receives and processes the database rows from SQLite3. salt.pillar.sqlite3.ext_pillar(minion_id, pillar, *args, **kwargs) Execute queries against SQLite3, merge and return as a dict salt.pillar.svn_pillar Clone a remote SVN repository and use the filesystem as a Pillar source This external Pillar source can be configured in the master config file like so: ext_pillar: - svn: trunk svn://svnserver/repo root=subdirectory The root= parameter is optional and used to set the subdirectory from where to look for Pillar files (such as top.sls). Changed in version 2014.7.0: The optional root parameter will be added. Note that this is not the same thing as configuring pillar data using the pillar_roots parameter. The branch referenced in the ext_pillar entry above (master), would evaluate to the base environment, so this branch needs to contain a top.sls with a base section in it, like this: base: '*': - foo To use other environments from the same SVN repo as svn_pillar sources, just add additional lines, like so: ext_pillar: - svn: trunk svn://svnserver/repo - svn: dev svn://svnserver/repo In this case, the dev branch would need its own top.sls with a dev section in it, like this: dev: '*': - bar class salt.pillar.svn_pillar.SvnPillar(branch, repo_location, root, opts) Deal with the remote SVN repository for Pillar pillar_dir() Returns the directory of the pillars (repo cache + branch + root) update() salt.pillar.svn_pillar.ext_pillar(minion_id, pillar, repo_string) Execute a command and read the output as YAML salt.pillar.varstack_pillar Use Varstack data as a Pillar source Configuring Varstack Using varstack in Salt is fairly simple. Just put the following into the config file of your master: ext_pillar: - varstack: /etc/varstack.yaml Varstack will then use /etc/varstack.yaml to determine which configuration data to return as pillar information. From there you can take a look at the README of varstack on how this file is evaluated. salt.pillar.varstack_pillar.ext_pillar(minion_id, pillar, conf) Parse varstack data and return the result salt.pillar.virtkey Accept a key from a hypervisor if the virt runner has already submitted an authorization request salt.pillar.virtkey.ext_pillar(hyper_id, pillar, name, key) Accept the key for the VM on the hyper, if authorized. Full list of builtin proxy modules ┌────────────┬──────────────────────────────────┐ │esxi │ Proxy Minion interface module │ │ │ for managing VMWare ESXi hosts. │ ├────────────┼──────────────────────────────────┤ │fx2 │ Dell FX2 chassis │ ├────────────┼──────────────────────────────────┤ │junos │ │ ├────────────┼──────────────────────────────────┤ │rest_sample │ This is a simple proxy-minion │ │ │ designed to connect to and │ │ │ communicate with │ ├────────────┼──────────────────────────────────┤ │ssh_sample │ This is a simple proxy-minion │ │ │ designed to connect to and │ │ │ communicate with a server that │ │ │ exposes functionality via SSH. │ └────────────┴──────────────────────────────────┘ salt.proxy.esxi Proxy Minion interface module for managing VMWare ESXi hosts. New in version 2015.8.4. Special Note: SaltStack thanks Adobe Corporation for their support in creating this Proxy Minion integration. This proxy minion enables VMware ESXi (hereafter referred to as simply 'ESXi') hosts to be treated individually like a Salt Minion. Since the ESXi host may not necessarily run on an OS capable of hosting a Python stack, the ESXi host can't run a Salt Minion directly. Salt's "Proxy Minion" functionality enables you to designate another machine to host a minion process that "proxies" communication from the Salt Master. The master does not know nor care that the target is not a "real" Salt Minion. More in-depth conceptual reading on Proxy Minions can be found in the Proxy Minion section of Salt's documentation. Dependencies • pyVmomi Python Module • ESXCLI pyVmomi PyVmomi can be installed via pip: pip install pyVmomi NOTE: Version 6.0 of pyVmomi has some problems with SSL error handling on certain versions of Python. If using version 6.0 of pyVmomi, Python 2.6, Python 2.7.9, or newer must be present. This is due to an upstream dependency in pyVmomi 6.0 that is not supported in Python versions 2.7 to 2.7.8. If the version of Python is not in the supported range, you will need to install an earlier version of pyVmomi. See Issue #29537 for more information. Based on the note above, to install an earlier version of pyVmomi than the version currently listed in PyPi, run the following: pip install pyVmomi==5.5.0.2014.1.1 The 5.5.0.2014.1.1 is a known stable version that this original ESXi State Module was developed against. ESXCLI Currently, about a third of the functions used in the vSphere Execution Module require the ESXCLI package be installed on the machine running the Proxy Minion process. The ESXCLI package is also referred to as the VMware vSphere CLI, or vCLI. VMware provides vCLI package installation instructions for vSphere 5.5 and vSphere 6.0. Once all of the required dependencies are in place and the vCLI package is installed, you can check to see if you can connect to your ESXi host or vCenter server by running the following command: esxcli -s <host-location> -u <username> -p <password> system syslog config get If the connection was successful, ESXCLI was successfully installed on your system. You should see output related to the ESXi host's syslog configuration. Configuration To use this integration proxy module, please configure the following: Pillar Proxy minions get their configuration from Salt's Pillar. Every proxy must have a stanza in Pillar and a reference in the Pillar top-file that matches the ID. At a minimum for communication with the ESXi host, the pillar should look like this: proxy: proxytype: esxi host: <ip or dns name of esxi host> username: <ESXi username> passwords: - first_password - second_password - third_password proxytype The proxytype key and value pair is critical, as it tells Salt which interface to load from the proxy directory in Salt's install hierarchy, or from /srv/salt/_proxy on the Salt Master (if you have created your own proxy module, for example). To use this ESXi Proxy Module, set this to esxi. host The location, or ip/dns, of the ESXi host. Required. username The username used to login to the ESXi host, such as root. Required. passwords A list of passwords to be used to try and login to the ESXi host. At least one password in this list is required. The proxy integration will try the passwords listed in order. It is configured this way so you can have a regular password and the password you may be updating for an ESXi host either via the vsphere.update_host_password execution module function or via the esxi.password_present state function. This way, after the password is changed, you should not need to restart the proxy minion--it should just pick up the the new password provided in the list. You can then change pillar at will to move that password to the front and retire the unused ones. This also allows you to use any number of potential fallback passwords. NOTE: When a password is changed on the host to one in the list of possible passwords, the further down on the list the password is, the longer individual commands will take to return. This is due to the nature of pyVmomi's login system. We have to wait for the first attempt to fail before trying the next password on the list. This scenario is especially true, and even slower, when the proxy minion first starts. If the correct password is not the first password on the list, it may take up to a minute for test.ping to respond with a True result. Once the initial authorization is complete, the responses for commands will be a little faster. To avoid these longer waiting periods, SaltStack recommends moving the correct password to the top of the list and restarting the proxy minion at your earliest convenience. protocol If the ESXi host is not using the default protocol, set this value to an alternate protocol. Default is https. port If the ESXi host is not using the default port, set this value to an alternate port. Default is 443. Salt Proxy After your pillar is in place, you can test the proxy. The proxy can run on any machine that has network connectivity to your Salt Master and to the ESXi host in question. SaltStack recommends that the machine running the salt-proxy process also run a regular minion, though it is not strictly necessary. On the machine that will run the proxy, make sure there is an /etc/salt/proxy file with at least the following in it: master: <ip or hostname of salt-master> You can then start the salt-proxy process with: salt-proxy --proxyid <id you want to give the host> You may want to add -l debug to run the above in the foreground in debug mode just to make sure everything is OK. Next, accept the key for the proxy on your salt-master, just like you would for a regular minion: salt-key -a <id you gave the esxi host> You can confirm that the pillar data is in place for the proxy: salt <id> pillar.items And now you should be able to ping the ESXi host to make sure it is responding: salt <id> test.ping At this point you can execute one-off commands against the host. For example, you can get the ESXi host's system information: salt <id> esxi.cmd system_info Note that you don't need to provide credentials or an ip/hostname. Salt knows to use the credentials you stored in Pillar. It's important to understand how this particular proxy works. Salt.modules.vsphere is a standard Salt execution module. If you pull up the docs for it you'll see that almost every function in the module takes credentials and a target host. When credentials and a host aren't passed, Salt runs commands through pyVmomi against the local machine. If you wanted, you could run functions from this module on any host where an appropriate version of pyVmomi is installed, and that host would reach out over the network and communicate with the ESXi host. esxi.cmd acts as a "shim" between the execution module and the proxy. Its first parameter is always the function from salt.modules.vsphere. If the function takes more positional or keyword arguments you can append them to the call. It's this shim that speaks to the ESXi host through the proxy, arranging for the credentials and hostname to be pulled from the Pillar section for this Proxy Minion. Because of the presence of the shim, to lookup documentation for what functions you can use to interface with the ESXi host, you'll want to look in salt.modules.vsphere instead of salt.modules.esxi. States Associated states are thoroughly documented in salt.states.esxi. Look there to find an example structure for Pillar as well as an example .sls file for standing up an ESXi host from scratch. salt.proxy.esxi.ch_config(cmd, *args, **kwargs) This function is called by the salt.modules.esxi.cmd shim. It then calls whatever is passed in cmd inside the salt.modules.vsphere module. Passes the return through from the vsphere module. cmd The command to call inside salt.modules.vsphere args Arguments that need to be passed to that command. kwargs Keyword arguments that need to be passed to that command. salt.proxy.esxi.find_credentials(host) Cycle through all the possible credentials and return the first one that works. salt.proxy.esxi.grains() Get the grains from the proxy device. salt.proxy.esxi.grains_refresh() Refresh the grains from the proxy device. salt.proxy.esxi.init(opts) This function gets called when the proxy starts up. For ESXi devices, the host, login credentials, and, if configured, the protocol and port are cached. salt.proxy.esxi.ping() Check to see if the host is responding. Returns False if the host didn't respond, True otherwise. CLI Example: salt esxi-host test.ping salt.proxy.esxi.shutdown() Shutdown the connection to the proxy device. For this proxy, shutdown is a no-op. salt.proxy.fx2 Dell FX2 chassis New in version 2015.8.2. Proxy minion interface module for managing Dell FX2 chassis (Dell Chassis Management Controller version 1.2 and above, iDRAC8 version 2.00 and above) Dependencies • iDRAC Remote execution module (salt.modules.dracr) • Chassis command shim (salt.modules.chassis) • Dell Chassis States (salt.states.dellchassis) • Dell's racadm command line interface to CMC and iDRAC devices. Special Note: SaltStack thanks Adobe Corporation for their support in creating this proxy minion integration. This proxy minion enables Dell FX2 and FX2s (hereafter referred to as simply "chassis", "CMC", or "FX2") chassis to be treated individually like a salt-minion. Since the CMC embedded in the chassis does not run an OS capable of hosting a Python stack, the chassis can't run a minion directly. Salt's "Proxy Minion" functionality enables you to designate another machine to host a minion process that "proxies" communication from the salt-master. The master does not know nor care that the target is not a real minion. More in-depth conceptual reading on Proxy Minions can be found in the Proxy Minion section of Salt's documentation. To configure this integration, follow these steps: Pillar Proxy minions get their configuration from Salt's Pillar. Every proxy must have a stanza in Pillar, and a reference in the Pillar topfile that matches the ID. At a minimum for communication with the chassis the pillar should look like this: proxy: host: <ip or dns name of chassis controller> admin_username: <iDRAC username for the CMC, usually 'root'> fallback_admin_username: <username to try if the first fails> passwords: - first_password - second_password - third-password proxytype: fx2 The proxytype line above is critical, it tells Salt which interface to load from the proxy directory in Salt's install hierarchy, or from /srv/salt/_proxy on the salt-master (if you have created your own proxy module, for example). The proxy integration will try the passwords listed in order. It is configured this way so you can have a regular password, a potential fallback password, and the third password can be the one you intend to change the chassis to use. This way, after it is changed, you should not need to restart the proxy minion--it should just pick up the third password in the list. You can then change pillar at will to move that password to the front and retire the unused ones. Beware, many Dell CMC and iDRAC units are configured to lockout IP addresses or users after too many failed password attempts. This can generate user panic in the form of "I no longer know what the password is!!!". To mitigate panic try the web interface from a different IP, or setup a emergency administrator user in the CMC before doing a wholesale password rotation. The automatic lockout can be disabled via Salt with the following: salt <cmc> chassis.cmd set_general cfgRacTuning cfgRacTuneIpBlkEnable 0 and then verified with salt <cmc> chassis.cmd get_general cfgRacTuning cfgRacTuneIpBlkEnable salt-proxy After your pillar is in place, you can test the proxy. The proxy can run on any machine that has network connectivity to your salt-master and to the chassis in question. SaltStack recommends that this machine also run a regular minion, though it is not strictly necessary. On the machine that will run the proxy, make sure there is an /etc/salt/proxy file with at least the following in it: master: <ip or hostname of salt-master> You can start the proxy with salt-proxy --proxyid <id you want to give the chassis> You may want to add -l debug to run the above in the foreground in debug mode just to make sure everything is OK. Next, accept the key for the proxy on your salt-master, just like you would for a regular minion: salt-key -a <id you want to give the chassis> You can confirm that the pillar data is in place for the proxy: salt <id> pillar.items And now you should be able to ping the chassis to make sure it is responding: salt <id> test.ping At this point you can execute one-off commands against the chassis. For example, you can get the chassis inventory: salt <id> chassis.cmd inventory Note that you don't need to provide credentials or an ip/hostname. Salt knows to use the credentials you stored in Pillar. It's important to understand how this particular proxy works. Salt.modules.dracr is a standard Salt execution module. If you pull up the docs for it you'll see that almost every function in the module takes credentials and a target host. When credentials and a host aren't passed, Salt runs racadm against the local machine. If you wanted you could run functions from this module on any host where an appropriate version of racadm is installed, and that host would reach out over the network and communicate with the chassis. Chassis.cmd acts as a "shim" between the execution module and the proxy. It's first parameter is always the function from salt.modules.dracr to execute. If the function takes more positional or keyword arguments you can append them to the call. It's this shim that speaks to the chassis through the proxy, arranging for the credentials and hostname to be pulled from the pillar section for this proxy minion. Because of the presence of the shim, to lookup documentation for what functions you can use to interface with the chassis, you'll want to look in salt.modules.dracr instead of salt.modules.chassis. States Associated states are thoroughly documented in salt.states.dellchassis. Look there to find an example structure for pillar as well as an example .sls file for standing up a Dell Chassis from scratch. salt.proxy.fx2.admin_password() Return the admin_password in the DETAILS dictionary, or 'calvin' (the Dell default) if there is none present salt.proxy.fx2.admin_username() Return the admin_username in the DETAILS dictionary, or root if there is none present salt.proxy.fx2.chconfig(cmd, *args, **kwargs) This function is called by the salt.modules.chassis.cmd shim. It then calls whatever is passed in cmd inside the salt.modules.dracr module. Parameters • cmd -- The command to call inside salt.modules.dracr • args -- Arguments that need to be passed to that command • kwargs -- Keyword arguments that need to be passed to that command Returns Passthrough the return from the dracr module. salt.proxy.fx2.find_credentials() Cycle through all the possible credentials and return the first one that works salt.proxy.fx2.grains() Get the grains from the proxied device salt.proxy.fx2.grains_refresh() Refresh the grains from the proxied device salt.proxy.fx2.host() salt.proxy.fx2.init(opts) This function gets called when the proxy starts up. We check opts to see if a fallback user and password are supplied. If they are present, and the primary credentials don't work, then we try the backup before failing. Whichever set of credentials works is placed in the persistent DETAILS dictionary and will be used for further communication with the chassis. salt.proxy.fx2.ping() Is the chassis responding? Returns Returns False if the chassis didn't respond, True otherwise. salt.proxy.fx2.shutdown(opts) Shutdown the connection to the proxied device. For this proxy shutdown is a no-op. salt.proxy.rest_sample This is a simple proxy-minion designed to connect to and communicate with the bottle-based web service contained in https://github.com/saltstack/salt-contrib/tree/master/proxyminion_rest_example salt.proxy.rest_sample.grains() Get the grains from the proxied device salt.proxy.rest_sample.grains_refresh() Refresh the grains from the proxied device salt.proxy.rest_sample.id(opts) Return a unique ID for this proxy minion. This ID MUST NOT CHANGE. If it changes while the proxy is running the salt-master will get really confused and may stop talking to this minion salt.proxy.rest_sample.init(opts) salt.proxy.rest_sample.package_install(name, **kwargs) Install a "package" on the REST server salt.proxy.rest_sample.package_list() List "packages" installed on the REST server salt.proxy.rest_sample.package_remove(name) Remove a "package" on the REST server salt.proxy.rest_sample.package_status(name) Check the installation status of a package on the REST server salt.proxy.rest_sample.ping() Is the REST server up? salt.proxy.rest_sample.service_list() List "services" on the REST server salt.proxy.rest_sample.service_restart(name) Restart a "service" on the REST server salt.proxy.rest_sample.service_start(name) Start a "service" on the REST server salt.proxy.rest_sample.service_status(name) Check if a service is running on the REST server salt.proxy.rest_sample.service_stop(name) Stop a "service" on the REST server salt.proxy.rest_sample.shutdown(opts) For this proxy shutdown is a no-op salt.proxy.ssh_sample This is a simple proxy-minion designed to connect to and communicate with a server that exposes functionality via SSH. This can be used as an option when the device does not provide an api over HTTP and doesn't have the python stack to run a minion. salt.proxy.ssh_sample.init(opts) Required. Can be used to initialize the server connection. salt.proxy.ssh_sample.package_install(name, **kwargs) Install a "package" on the ssh server salt.proxy.ssh_sample.package_list() List "packages" by executing a command via ssh This function is called in response to the salt command ..code-block::bash salt target_minion pkg.list_pkgs salt.proxy.ssh_sample.package_remove(name) Remove a "package" on the ssh server salt.proxy.ssh_sample.parse(out) Extract json from out. Parameter out: Type string. The data returned by the ssh command. salt.proxy.ssh_sample.ping() Required. Ping the device on the other end of the connection salt.proxy.ssh_sample.service_list() Start a "service" on the ssh server New in version 2015.8.2. salt.proxy.ssh_sample.service_restart(name) Restart a "service" on the ssh server New in version 2015.8.2. salt.proxy.ssh_sample.service_start(name) Start a "service" on the ssh server New in version 2015.8.2. salt.proxy.ssh_sample.service_stop(name) Stop a "service" on the ssh server New in version 2015.8.2. salt.proxy.ssh_sample.shutdown(opts) Disconnect Renderers The Salt state system operates by gathering information from common data types such as lists, dictionaries, and strings that would be familiar to any developer. SLS files are translated from whatever data templating format they are written in back into Python data types to be consumed by Salt. By default SLS files are rendered as Jinja templates and then parsed as YAML documents. But since the only thing the state system cares about is raw data, the SLS files can be any structured format that can be dreamed up. Currently there is support for Jinja + YAML, Mako + YAML, Wempy + YAML, Jinja + json, Mako + json and Wempy + json. Renderers can be written to support any template type. This means that the Salt states could be managed by XML files, HTML files, Puppet files, or any format that can be translated into the Pythonic data structure used by the state system. Multiple Renderers A default renderer is selected in the master configuration file by providing a value to the renderer key. When evaluating an SLS, more than one renderer can be used. When rendering SLS files, Salt checks for the presence of a Salt-specific shebang line. The shebang line directly calls the name of the renderer as it is specified within Salt. One of the most common reasons to use multiple renderers is to use the Python or py renderer. Below, the first line is a shebang that references the py renderer. #!py def run(): ''' Install the python-mako package ''' return {'include': ['python'], 'python-mako': {'pkg': ['installed']}} Composing Renderers A renderer can be composed from other renderers by connecting them in a series of pipes(|). In fact, the default Jinja + YAML renderer is implemented by connecting a YAML renderer to a Jinja renderer. Such renderer configuration is specified as: jinja | yaml. Other renderer combinations are possible: yaml i.e, just YAML, no templating. mako | yaml pass the input to the mako renderer, whose output is then fed into the yaml renderer. jinja | mako | yaml This one allows you to use both jinja and mako templating syntax in the input and then parse the final rendered output as YAML. The following is a contrived example SLS file using the jinja | mako | yaml renderer: #!jinja|mako|yaml An_Example: cmd.run: - name: | echo "Using Salt ${grains['saltversion']}" \ "from path {{grains['saltpath']}}." - cwd: / <%doc> ${...} is Mako's notation, and so is this comment. </%doc> {# Similarly, {{...}} is Jinja's notation, and so is this comment. #} For backward compatibility, jinja | yaml can also be written as yaml_jinja, and similarly, the yaml_mako, yaml_wempy, json_jinja, json_mako, and json_wempy renderers are all supported. Keep in mind that not all renderers can be used alone or with any other renderers. For example, the template renderers shouldn't be used alone as their outputs are just strings, which still need to be parsed by another renderer to turn them into highstate data structures. For example, it doesn't make sense to specify yaml | jinja because the output of the YAML renderer is a highstate data structure (a dict in Python), which cannot be used as the input to a template renderer. Therefore, when combining renderers, you should know what each renderer accepts as input and what it returns as output. Writing Renderers A custom renderer must be a Python module placed in the renderers directory and the module implement the render function. The render function will be passed the path of the SLS file as an argument. The purpose of of render function is to parse the passed file and to return the Python data structure derived from the file. Custom renderers must be placed in a _renderers directory within the file_roots specified by the master config file. Custom renderers are distributed when any of the following are run: state.highstate saltutil.sync_renderers saltutil.sync_all Any custom renderers which have been synced to a minion, that are named the same as one of Salt's default set of renderers, will take the place of the default renderer with the same name. Examples The best place to find examples of renderers is in the Salt source code. Documentation for renderers included with Salt can be found here: https://github.com/saltstack/salt/blob/develop/salt/renderers Here is a simple YAML renderer example: import yaml def render(yaml_data, env='', sls='', **kws): if not isinstance(yaml_data, basestring): yaml_data = yaml_data.read() data = yaml.load(yaml_data) return data if data else {} Full List of Renderers Full list of builtin renderer modules ┌──────────┬──────────────────────────────────┐ │cheetah │ Cheetah Renderer for Salt │ ├──────────┼──────────────────────────────────┤ │genshi │ Genshi Renderer for Salt │ ├──────────┼──────────────────────────────────┤ │gpg │ Renderer that will decrypt GPG │ │ │ ciphers │ ├──────────┼──────────────────────────────────┤ │hjson │ Hjson Renderer for Salt │ ├──────────┼──────────────────────────────────┤ │jinja │ Jinja loading utils to enable a │ │ │ more powerful backend for jinja │ │ │ templates │ ├──────────┼──────────────────────────────────┤ │json │ JSON Renderer for Salt │ ├──────────┼──────────────────────────────────┤ │mako │ Mako Renderer for Salt │ ├──────────┼──────────────────────────────────┤ │msgpack │ │ ├──────────┼──────────────────────────────────┤ │py │ Pure python state renderer │ ├──────────┼──────────────────────────────────┤ │pydsl │ A Python-based DSL │ ├──────────┼──────────────────────────────────┤ │pyobjects │ Python renderer that includes a │ │ │ Pythonic Object based interface │ ├──────────┼──────────────────────────────────┤ │stateconf │ A flexible renderer that takes a │ │ │ templating engine and a data │ │ │ format │ ├──────────┼──────────────────────────────────┤ │wempy │ │ ├──────────┼──────────────────────────────────┤ │yaml │ YAML Renderer for Salt │ ├──────────┼──────────────────────────────────┤ │yamlex │ │ └──────────┴──────────────────────────────────┘ salt.renderers.cheetah Cheetah Renderer for Salt salt.renderers.cheetah.render(cheetah_data, saltenv='base', sls='', method='xml', **kws) Render a Cheetah template. Return type A Python data structure salt.renderers.genshi Genshi Renderer for Salt salt.renderers.genshi.render(genshi_data, saltenv='base', sls='', method='xml', **kws) Render a Genshi template. A method should be passed in as part of the kwargs. If no method is passed in, xml is assumed. Valid methods are: Note that the text method will call NewTextTemplate. If oldtext is desired, it must be called explicitly Return type A Python data structure salt.renderers.gpg Renderer that will decrypt GPG ciphers Any key in the SLS file can be a GPG cipher, and this renderer will decrypt it before passing it off to Salt. This allows you to safely store secrets in source control, in such a way that only your Salt master can decrypt them and distribute them only to the minions that need them. The typical use-case would be to use ciphers in your pillar data, and keep a secret key on your master. You can put the public key in source control so that developers can add new secrets quickly and easily. This renderer requires the gpg binary. No python libraries are required as of the 2015.8.3 release. To set things up, you will first need to generate a keypair. On your master, run: # mkdir -p /etc/salt/gpgkeys # chmod 0700 /etc/salt/gpgkeys # gpg --gen-key --homedir /etc/salt/gpgkeys Do not supply a password for your keypair, and use a name that makes sense for your application. Be sure to back up your gpg directory someplace safe! NOTE: Unfortunately, there are some scenarios - for example, on virtual machines which don’t have real hardware - where insufficient entropy causes key generation to be extremely slow. If you come across this problem, you should investigate means of increasing the system entropy. On virtualised Linux systems, this can often be achieved by installing the rng-tools package. To retrieve the public key: # gpg --homedir /etc/salt/gpgkeys --armor --export <KEY-NAME> > exported_pubkey.gpg Now, to encrypt secrets, copy the public key to your local machine and run: $ gpg --import exported_pubkey.gpg To generate a cipher from a secret: $ echo -n "supersecret" | gpg --armor --encrypt -r <KEY-name> To apply the renderer on a file-by-file basis add the following line to the top of any pillar with gpg data in it: #!yaml|gpg Now with your renderer configured, you can include your ciphers in your pillar data like so: #!yaml|gpg a-secret: | -----BEGIN PGP MESSAGE----- Version: GnuPG v1 hQEMAweRHKaPCfNeAQf9GLTN16hCfXAbPwU6BbBK0unOc7i9/etGuVc5CyU9Q6um QuetdvQVLFO/HkrC4lgeNQdM6D9E8PKonMlgJPyUvC8ggxhj0/IPFEKmrsnv2k6+ cnEfmVexS7o/U1VOVjoyUeliMCJlAz/30RXaME49Cpi6No2+vKD8a4q4nZN1UZcG RhkhC0S22zNxOXQ38TBkmtJcqxnqT6YWKTUsjVubW3bVC+u2HGqJHu79wmwuN8tz m4wBkfCAd8Eyo2jEnWQcM4TcXiF01XPL4z4g1/9AAxh+Q4d8RIRP4fbw7ct4nCJv Gr9v2DTF7HNigIMl4ivMIn9fp+EZurJNiQskLgNbktJGAeEKYkqX5iCuB1b693hJ FKlwHiJt5yA8X2dDtfk8/Ph1Jx2TwGS+lGjlZaNqp3R1xuAZzXzZMLyZDe5+i3RJ skqmFTbOiA== =Eqsm -----END PGP MESSAGE----- salt.renderers.gpg.render(gpg_data, saltenv='base', sls='', argline='', **kwargs) Create a gpg object given a gpg_keydir, and then use it to try to decrypt the data to be rendered. salt.renderers.hjson Hjson Renderer for Salt http://laktak.github.io/hjson/ salt.renderers.hjson.render(hjson_data, saltenv='base', sls='', **kws) Accepts HJSON as a string or as a file object and runs it through the HJSON parser. Return type A Python data structure salt.renderers.jinja Jinja loading utils to enable a more powerful backend for jinja templates Jinja in States The most basic usage of Jinja in state files is using control structures to wrap conditional or redundant state elements: {% if grains['os'] != 'FreeBSD' %} tcsh: pkg: - installed {% endif %} motd: file.managed: {% if grains['os'] == 'FreeBSD' %} - name: /etc/motd {% elif grains['os'] == 'Debian' %} - name: /etc/motd.tail {% endif %} - source: salt://motd In this example, the first if block will only be evaluated on minions that aren't running FreeBSD, and the second block changes the file name based on the os grain. Writing if-else blocks can lead to very redundant state files however. In this case, using pillars, or using a previously defined variable might be easier: {% set motd = ['/etc/motd'] %} {% if grains['os'] == 'Debian' %} {% set motd = ['/etc/motd.tail', '/var/run/motd'] %} {% endif %} {% for motdfile in motd %} {{ motdfile }}: file.managed: - source: salt://motd {% endfor %} Using a variable set by the template, the for loop will iterate over the list of MOTD files to update, adding a state block for each file. Include and Import Includes and imports can be used to share common, reusable state configuration between state files and between files. {% from 'lib.sls' import test %} This would import the test template variable or macro, not the test state element, from the file lib.sls. In the case that the included file performs checks again grains, or something else that requires context, passing the context into the included file is required: {% from 'lib.sls' import test with context %} Macros Macros are helpful for eliminating redundant code, however stripping whitespace from the template block, as well as contained blocks, may be necessary to emulate a variable return from the macro. # init.sls {% from 'lib.sls' import pythonpkg with context %} python-virtualenv: pkg.installed: - name: {{ pythonpkg('virtualenv') }} python-fabric: pkg.installed: - name: {{ pythonpkg('fabric') }} # lib.sls {% macro pythonpkg(pkg) -%} {%- if grains['os'] == 'FreeBSD' -%} py27-{{ pkg }} {%- elif grains['os'] == 'Debian' -%} python-{{ pkg }} {%- endif -%} {%- endmacro %} This would define a macro that would return a string of the full package name, depending on the packaging system's naming convention. The whitespace of the macro was eliminated, so that the macro would return a string without line breaks, using whitespace control. Template Inheritance Template inheritance works fine from state files and files. The search path starts at the root of the state tree or pillar. Filters Saltstack extends builtin filters with these custom filters: strftime Converts any time related object into a time based string. It requires a valid strftime directives. An exhaustive list can be found in the official Python documentation. {% set curtime = None | strftime() %} Fuzzy dates require the timelib Python module is installed. {{ "2002/12/25"|strftime("%y") }} {{ "1040814000"|strftime("%Y-%m-%d") }} {{ datetime|strftime("%u") }} {{ "tomorrow"|strftime }} sequence Ensure that parsed data is a sequence. yaml_encode Serializes a single object into a YAML scalar with any necessary handling for escaping special characters. This will work for any scalar YAML data type: ints, floats, timestamps, booleans, strings, unicode. It will not work for multi-objects such as sequences or maps. {%- set bar = 7 %} {%- set baz = none %} {%- set zip = true %} {%- set zap = 'The word of the day is "salty"' %} {%- load_yaml as foo %} bar: {{ bar|yaml_encode }} baz: {{ baz|yaml_encode }} baz: {{ zip|yaml_encode }} baz: {{ zap|yaml_encode }} {%- endload %} In the above case {{ bar }} and {{ foo.bar }} should be identical and {{ baz }} and {{ foo.baz }} should be identical. yaml_dquote Serializes a string into a properly-escaped YAML double-quoted string. This is useful when the contents of a string are unknown and may contain quotes or unicode that needs to be preserved. The resulting string will be emitted with opening and closing double quotes. {%- set bar = '"The quick brown fox . . ."' %} {%- set baz = 'The word of the day is "salty".' %} {%- load_yaml as foo %} bar: {{ bar|yaml_dquote }} baz: {{ baz|yaml_dquote }} {%- endload %} In the above case {{ bar }} and {{ foo.bar }} should be identical and {{ baz }} and {{ foo.baz }} should be identical. If variable contents are not guaranteed to be a string then it is better to use yaml_encode which handles all YAML scalar types. yaml_squote Similar to the yaml_dquote filter but with single quotes. Note that YAML only allows special escapes inside double quotes so yaml_squote is not nearly as useful (viz. you likely want to use yaml_encode or yaml_dquote). Jinja in Files Jinja can be used in the same way in managed files: # redis.sls /etc/redis/redis.conf: file.managed: - source: salt://redis.conf - template: jinja - context: bind: 127.0.0.1 # lib.sls {% set port = 6379 %} # redis.conf {% from 'lib.sls' import port with context %} port {{ port }} bind {{ bind }} As an example, configuration was pulled from the file context and from an external template file. NOTE: Macros and variables can be shared across templates. They should not be starting with one or more underscores, and should be managed by one of the following tags: macro, set, load_yaml, load_json, import_yaml and import_json. Calling Salt Functions The Jinja renderer provides a shorthand lookup syntax for the salt dictionary of execution function. New in version 2014.7.0. # The following two function calls are equivalent. {{ salt['cmd.run']('whoami') }} {{ salt.cmd.run('whoami') }} Debugging The show_full_context function can be used to output all variables present in the current Jinja context. New in version 2014.7.0. Context is: {{ show_full_context() }} salt.renderers.jinja.render(template_file, saltenv='base', sls='', argline='', context=None, tmplpath=None, **kws) Render the template_file, passing the functions and grains into the Jinja rendering system. Return type string class salt.utils.jinja.SerializerExtension(environment) Yaml and Json manipulation. Format filters Allows jsonifying or yamlifying any data structure. For example, this dataset: data = { 'foo': True, 'bar': 42, 'baz': [1, 2, 3], 'qux': 2.0 } yaml = {{ data|yaml }} json = {{ data|json }} python = {{ data|python }} will be rendered as: yaml = {bar: 42, baz: [1, 2, 3], foo: true, qux: 2.0} json = {"baz": [1, 2, 3], "foo": true, "bar": 42, "qux": 2.0} python = {'bar': 42, 'baz': [1, 2, 3], 'foo': True, 'qux': 2.0} The yaml filter takes an optional flow_style parameter to control the default-flow-style parameter of the YAML dumper. {{ data|yaml(False) }} will be rendered as: bar: 42 baz: - 1 - 2 - 3 foo: true qux: 2.0 Load filters Strings and variables can be deserialized with load_yaml and load_json tags and filters. It allows one to manipulate data directly in templates, easily: {%- set yaml_src = "{foo: it works}"|load_yaml %} {%- set json_src = "{'bar': 'for real'}"|load_json %} Dude, {{ yaml_src.foo }} {{ json_src.bar }}! will be rendered as: Dude, it works for real! Load tags Salt implements import_yaml and import_json tags. They work like the import tag, except that the document is also deserialized. Syntaxes are {% load_yaml as [VARIABLE] %}[YOUR DATA]{% endload %} and {% load_json as [VARIABLE] %}[YOUR DATA]{% endload %} For example: {% load_yaml as yaml_src %} foo: it works {% endload %} {% load_json as json_src %} { "bar": "for real" } {% endload %} Dude, {{ yaml_src.foo }} {{ json_src.bar }}! will be rendered as: Dude, it works for real! Import tags External files can be imported and made available as a Jinja variable. {% import_yaml "myfile.yml" as myfile %} {% import_json "defaults.json" as defaults %} {% import_text "completeworksofshakespeare.txt" as poems %} Catalog import_* and load_* tags will automatically expose their target variable to import. This feature makes catalog of data to handle. for example: # doc1.sls {% load_yaml as var1 %} foo: it works {% endload %} {% load_yaml as var2 %} bar: for real {% endload %} # doc2.sls {% from "doc1.sls" import var1, var2 as local2 %} {{ var1.foo }} {{ local2.bar }} salt.renderers.json JSON Renderer for Salt salt.renderers.json.render(json_data, saltenv='base', sls='', **kws) Accepts JSON as a string or as a file object and runs it through the JSON parser. Return type A Python data structure salt.renderers.mako Mako Renderer for Salt salt.renderers.mako.render(template_file, saltenv='base', sls='', context=None, tmplpath=None, **kws) Render the template_file, passing the functions and grains into the Mako rendering system. Return type string salt.renderers.msgpack salt.renderers.msgpack.render(msgpack_data, saltenv='base', sls='', **kws) Accepts a message pack string or a file object, renders said data back to a python dict. Return type A Python data structure salt.renderers.py Pure python state renderer The SLS file should contain a function called run which returns high state data. In this module, a few objects are defined for you, giving access to Salt's execution functions, grains, pillar, etc. They are: • __salt__ - Execution functions (i.e. __salt__['test.echo']('foo')) • __grains__ - Grains (i.e. __grains__['os']) • __pillar__ - Pillar data (i.e. __pillar__['foo']) • __opts__ - Minion configuration options • __env__ - The effective salt fileserver environment (i.e. base). Also referred to as a "saltenv". __env__ should not be modified in a pure python SLS file. To use a different environment, the environment should be set when executing the state. This can be done in a couple different ways: • Using the saltenv argument on the salt CLI (i.e. salt '*' state.sls foo.bar.baz saltenv=env_name). • By adding a saltenv argument to an individual state within the SLS file. In other words, adding a line like this to the state's data structure: {'saltenv': 'env_name'} • __sls__ - The SLS path of the file. For example, if the root of the base environment is /srv/salt, and the SLS file is /srv/salt/foo/bar/baz.sls, then __sls__ in that file will be foo.bar.baz. #!py def run(): config = {} if __grains__['os'] == 'Ubuntu': user = 'ubuntu' group = 'ubuntu' home = '/home/{0}'.format(user) else: user = 'root' group = 'root' home = '/root/' config['s3cmd'] = { 'pkg': [ 'installed', {'name': 's3cmd'}, ], } config[home + '/.s3cfg'] = { 'file.managed': [ {'source': 'salt://s3cfg/templates/s3cfg'}, {'template': 'jinja'}, {'user': user}, {'group': group}, {'mode': 600}, {'context': { 'aws_key': __pillar__['AWS_ACCESS_KEY_ID'], 'aws_secret_key': __pillar__['AWS_SECRET_ACCESS_KEY'], }, }, ], } return config salt.renderers.py.render(template, saltenv='base', sls='', tmplpath=None, **kws) Render the python module's components Return type string salt.renderers.pydsl A Python-based DSL maintainer Jack Kuan <kjkuan@gmail.com> maturity new platform all The pydsl renderer allows one to author salt formulas (.sls files) in pure Python using a DSL that's easy to write and easy to read. Here's an example: #!pydsl apache = state('apache') apache.pkg.installed() apache.service.running() state('/var/www/index.html') \ .file('managed', source='salt://webserver/index.html') \ .require(pkg='apache') Notice that any Python code is allow in the file as it's really a Python module, so you have the full power of Python at your disposal. In this module, a few objects are defined for you, including the usual (with __ added) __salt__ dictionary, __grains__, __pillar__, __opts__, __env__, and __sls__, plus a few more: __file__ local file system path to the sls module. __pydsl__ Salt PyDSL object, useful for configuring DSL behavior per sls rendering. include Salt PyDSL function for creating include-declaration's. extend Salt PyDSL function for creating extend-declaration's. state Salt PyDSL function for creating ID-declaration's. A state ID-declaration is created with a state(id) function call. Subsequent state(id) call with the same id returns the same object. This singleton access pattern applies to all declaration objects created with the DSL. state('example') assert state('example') is state('example') assert state('example').cmd is state('example').cmd assert state('example').cmd.running is state('example').cmd.running The id argument is optional. If omitted, an UUID will be generated and used as the id. state(id) returns an object under which you can create a state-declaration object by accessing an attribute named after any state module available in Salt. state('example').cmd state('example').file state('example').pkg ... Then, a function-declaration object can be created from a state-declaration object by one of the following two ways: 1. by calling a method named after the state function on the state-declaration object. state('example').file.managed(...) 2. by directly calling the attribute named for the state-declaration, and supplying the state function name as the first argument. state('example').file('managed', ...) With either way of creating a function-declaration object, any function-arg-declaration's can be passed as keyword arguments to the call. Subsequent calls of a function-declaration will update the arg declarations. state('example').file('managed', source='salt://webserver/index.html') state('example').file.managed(source='salt://webserver/index.html') As a shortcut, the special name argument can also be passed as the first or second positional argument depending on the first or second way of calling the state-declaration object. In the following two examples ls -la is the name argument. state('example').cmd.run('ls -la', cwd='/') state('example').cmd('run', 'ls -la', cwd='/') Finally, a requisite-declaration object with its requisite-reference's can be created by invoking one of the requisite methods (see State Requisites) on either a function-declaration object or a state-declaration object. The return value of a requisite call is also a function-declaration object, so you can chain several requisite calls together. Arguments to a requisite call can be a list of state-declaration objects and/or a set of keyword arguments whose names are state modules and values are IDs of ID-declaration's or names of name-declaration's. apache2 = state('apache2') apache2.pkg.installed() state('libapache2-mod-wsgi').pkg.installed() # you can call requisites on function declaration apache2.service.running() \ .require(apache2.pkg, pkg='libapache2-mod-wsgi') \ .watch(file='/etc/apache2/httpd.conf') # or you can call requisites on state declaration. # this actually creates an anonymous function declaration object # to add the requisites. apache2.service.require(state('libapache2-mod-wsgi').pkg, pkg='apache2') \ .watch(file='/etc/apache2/httpd.conf') # we still need to set the name of the function declaration. apache2.service.running() include-declaration objects can be created with the include function, while extend-declaration objects can be created with the extend function, whose arguments are just function-declaration objects. include('edit.vim', 'http.server') extend(state('apache2').service.watch(file='/etc/httpd/httpd.conf') The include function, by default, causes the included sls file to be rendered as soon as the include function is called. It returns a list of rendered module objects; sls files not rendered with the pydsl renderer return None's. This behavior creates no include-declaration's in the resulting high state data structure. import types # including multiple sls returns a list. _, mod = include('a-non-pydsl-sls', 'a-pydsl-sls') assert _ is None assert isinstance(slsmods[1], types.ModuleType) # including a single sls returns a single object mod = include('a-pydsl-sls') # myfunc is a function that calls state(...) to create more states. mod.myfunc(1, 2, "three") Notice how you can define a reusable function in your pydsl sls module and then call it via the module returned by include. It's still possible to do late includes by passing the delayed=True keyword argument to include. include('edit.vim', 'http.server', delayed=True) Above will just create a include-declaration in the rendered result, and such call always returns None. Special integration with the cmd state Taking advantage of rendering a Python module, PyDSL allows you to declare a state that calls a pre-defined Python function when the state is executed. greeting = "hello world" def helper(something, *args, **kws): print greeting # hello world print something, args, kws # test123 ['a', 'b', 'c'] {'x': 1, 'y': 2} state().cmd.call(helper, "test123", 'a', 'b', 'c', x=1, y=2) The cmd.call state function takes care of calling our helper function with the arguments we specified in the states, and translates the return value of our function into a structure expected by the state system. See salt.states.cmd.call() for more information. Implicit ordering of states Salt states are explicitly ordered via requisite-declaration's. However, with pydsl it's possible to let the renderer track the order of creation for function-declaration objects, and implicitly add require requisites for your states to enforce the ordering. This feature is enabled by setting the ordered option on __pydsl__. NOTE: this feature is only available if your minions are using Python >= 2.7. include('some.sls.file') A = state('A').cmd.run(cwd='/var/tmp') extend(A) __pydsl__.set(ordered=True) for i in range(10): i = str(i) state(i).cmd.run('echo '+i, cwd='/') state('1').cmd.run('echo one') state('2').cmd.run(name='echo two') Notice that the ordered option needs to be set after any extend calls. This is to prevent pydsl from tracking the creation of a state function that's passed to an extend call. Above example should create states from 0 to 9 that will output 0, one, two, 3, ... 9, in that order. It's important to know that pydsl tracks the creations of function-declaration objects, and automatically adds a require requisite to a function-declaration object that requires the last function-declaration object created before it in the sls file. This means later calls (perhaps to update the function's function-arg-declaration) to a previously created function declaration will not change the order. Render time state execution When Salt processes a salt formula file, the file is rendered to salt's high state data representation by a renderer before the states can be executed. In the case of the pydsl renderer, the .sls file is executed as a python module as it is being rendered which makes it easy to execute a state at render time. In pydsl, executing one or more states at render time can be done by calling a configured ID-declaration object. #!pydsl s = state() # save for later invocation # configure it s.cmd.run('echo at render time', cwd='/') s.file.managed('target.txt', source='salt://source.txt') s() # execute the two states now Once an ID-declaration is called at render time it is detached from the sls module as if it was never defined. NOTE: If implicit ordering is enabled (i.e., via __pydsl__.set(ordered=True)) then the first invocation of a ID-declaration object must be done before a new function-declaration is created. Integration with the stateconf renderer The salt.renderers.stateconf renderer offers a few interesting features that can be leveraged by the pydsl renderer. In particular, when using with the pydsl renderer, we are interested in stateconf's sls namespacing feature (via dot-prefixed id declarations), as well as, the automatic start and goal states generation. Now you can use pydsl with stateconf like this: #!pydsl|stateconf -ps include('xxx', 'yyy') # ensure that states in xxx run BEFORE states in this file. extend(state('.start').stateconf.require(stateconf='xxx::goal')) # ensure that states in yyy run AFTER states in this file. extend(state('.goal').stateconf.require_in(stateconf='yyy::start')) __pydsl__.set(ordered=True) ... -s enables the generation of a stateconf start state, and -p lets us pipe high state data rendered by pydsl to stateconf. This example shows that by require-ing or require_in-ing the included sls' start or goal states, it's possible to ensure that the included sls files can be made to execute before or after a state in the including sls file. Importing custom Python modules To use a custom Python module inside a PyDSL state, place the module somewhere that it can be loaded by the Salt loader, such as _modules in the /srv/salt directory. Then, copy it to any minions as necessary by using saltutil.sync_modules. To import into a PyDSL SLS, one must bypass the Python importer and insert it manually by getting a reference from Python's sys.modules dictionary. For example: #!pydsl|stateconf -ps def main(): my_mod = sys.modules['salt.loaded.ext.module.my_mod'] salt.renderers.pydsl.render(template, saltenv='base', sls='', tmplpath=None, rendered_sls=None, **kws) salt.renderers.pyobjects Python renderer that includes a Pythonic Object based interface maintainer Evan Borgstrom <evan@borgstrom.ca> Let's take a look at how you use pyobjects in a state file. Here's a quick example that ensures the /tmp directory is in the correct state. #!pyobjects File.managed("/tmp", user='root', group='root', mode='1777') Nice and Pythonic! By using the "shebang" syntax to switch to the pyobjects renderer we can now write our state data using an object based interface that should feel at home to python developers. You can import any module and do anything that you'd like (with caution, importing sqlalchemy, django or other large frameworks has not been tested yet). Using the pyobjects renderer is exactly the same as using the built-in Python renderer with the exception that pyobjects provides you with an object based interface for generating state data. Creating state data Pyobjects takes care of creating an object for each of the available states on the minion. Each state is represented by an object that is the CamelCase version of its name (i.e. File, Service, User, etc), and these objects expose all of their available state functions (i.e. File.managed, Service.running, etc). The name of the state is split based upon underscores (_), then each part is capitalized and finally the parts are joined back together. Some examples: • postgres_user becomes PostgresUser • ssh_known_hosts becomes SshKnownHosts Context Managers and requisites How about something a little more complex. Here we're going to get into the core of how to use pyobjects to write states. #!pyobjects with Pkg.installed("nginx"): Service.running("nginx", enable=True) with Service("nginx", "watch_in"): File.managed("/etc/nginx/conf.d/mysite.conf", owner='root', group='root', mode='0444', source='salt://nginx/mysite.conf') The objects that are returned from each of the magic method calls are setup to be used a Python context managers (with) and when you use them as such all declarations made within the scope will automatically use the enclosing state as a requisite! The above could have also been written use direct requisite statements as. #!pyobjects Pkg.installed("nginx") Service.running("nginx", enable=True, require=Pkg("nginx")) File.managed("/etc/nginx/conf.d/mysite.conf", owner='root', group='root', mode='0444', source='salt://nginx/mysite.conf', watch_in=Service("nginx")) You can use the direct requisite statement for referencing states that are generated outside of the current file. #!pyobjects # some-other-package is defined in some other state file Pkg.installed("nginx", require=Pkg("some-other-package")) The last thing that direct requisites provide is the ability to select which of the SaltStack requisites you want to use (require, require_in, watch, watch_in, use & use_in) when using the requisite as a context manager. #!pyobjects with Service("my-service", "watch_in"): ... The above example would cause all declarations inside the scope of the context manager to automatically have their watch_in set to Service("my-service"). Including and Extending To include other states use the include() function. It takes one name per state to include. To extend another state use the extend() function on the name when creating a state. #!pyobjects include('http', 'ssh') Service.running(extend('apache'), watch=[File('/etc/httpd/extra/httpd-vhosts.conf')]) Importing from other state files Like any Python project that grows you will likely reach a point where you want to create reusability in your state tree and share objects between state files, Map Data (described below) is a perfect example of this. To facilitate this Python's import statement has been augmented to allow for a special case when working with a Salt state tree. If you specify a Salt url (salt://...) as the target for importing from then the pyobjects renderer will take care of fetching the file for you, parsing it with all of the pyobjects features available and then place the requested objects in the global scope of the template being rendered. This works for all types of import statements; import X, from X import Y, and from X import Y as Z. #!pyobjects import salt://myfile.sls from salt://something/data.sls import Object from salt://something/data.sls import Object as Other See the Map Data section for a more practical use. Caveats: • Imported objects are ALWAYS put into the global scope of your template, regardless of where your import statement is. Salt object In the spirit of the object interface for creating state data pyobjects also provides a simple object interface to the __salt__ object. A function named salt exists in scope for your sls files and will dispatch its attributes to the __salt__ dictionary. The following lines are functionally equivalent: #!pyobjects ret = salt.cmd.run(bar) ret = __salt__['cmd.run'](bar) Pillar, grain, mine & config data Pyobjects provides shortcut functions for calling pillar.get, grains.get, mine.get & config.get on the __salt__ object. This helps maintain the readability of your state files. Each type of data can be access by a function of the same name: pillar(), grains(), mine() and config(). The following pairs of lines are functionally equivalent: #!pyobjects value = pillar('foo:bar:baz', 'qux') value = __salt__['pillar.get']('foo:bar:baz', 'qux') value = grains('pkg:apache') value = __salt__['grains.get']('pkg:apache') value = mine('os:Fedora', 'network.interfaces', 'grain') value = __salt__['mine.get']('os:Fedora', 'network.interfaces', 'grain') value = config('foo:bar:baz', 'qux') value = __salt__['config.get']('foo:bar:baz', 'qux') Map Data When building complex states or formulas you often need a way of building up a map of data based on grain data. The most common use of this is tracking the package and service name differences between distributions. To build map data using pyobjects we provide a class named Map that you use to build your own classes with inner classes for each set of values for the different grain matches. #!pyobjects class Samba(Map): merge = 'samba:lookup' class Debian: server = 'samba' client = 'samba-client' service = 'samba' class Ubuntu: __grain__ = 'os' service = 'smbd' class RedHat: server = 'samba' client = 'samba' service = 'smb' To use this new data you can import it into your state file and then access your attributes. To access the data in the map you simply access the attribute name on the base class that is extending Map. Assuming the above Map was in the file samba/map.sls, you could do the following. #!pyobjects from salt://samba/map.sls import Samba with Pkg.installed("samba", names=[Samba.server, Samba.client]): Service.running("samba", name=Samba.service) TODO • Interface for working with reactor files class salt.renderers.pyobjects.PyobjectsModule(name, attrs) This provides a wrapper for bare imports. salt.renderers.pyobjects.load_states() This loads our states into the salt __context__ salt.renderers.pyobjects.render(template, saltenv='base', sls='', salt_data=True, **kwargs) salt.renderers.stateconf maintainer Jack Kuan <kjkuan@gmail.com> maturity new platform all This module provides a custom renderer that processes a salt file with a specified templating engine (e.g. Jinja) and a chosen data renderer (e.g. YAML), extracts arguments for any stateconf.set state, and provides the extracted arguments (including Salt-specific args, such as require, etc) as template context. The goal is to make writing reusable/configurable/parameterized salt files easier and cleaner. To use this renderer, either set it as the default renderer via the renderer option in master/minion's config, or use the shebang line in each individual sls file, like so: #!stateconf. Note, due to the way this renderer works, it must be specified as the first renderer in a render pipeline. That is, you cannot specify #!mako|yaml|stateconf, for example. Instead, you specify them as renderer arguments: #!stateconf mako . yaml. Here's a list of features enabled by this renderer. • Prefixes any state id (declaration or reference) that starts with a dot (.) to avoid duplicated state ids when the salt file is included by other salt files. For example, in the salt://some/file.sls, a state id such as .sls_params will be turned into some.file::sls_params. Example: #!stateconf yaml . jinja .vim: pkg.installed Above will be translated into: some.file::vim: pkg.installed: - name: vim Notice how that if a state under a dot-prefixed state id has no name argument then one will be added automatically by using the state id with the leading dot stripped off. The leading dot trick can be used with extending state ids as well, so you can include relatively and extend relatively. For example, when extending a state in salt://some/other_file.sls, e.g.: #!stateconf yaml . jinja include: - .file extend: .file::sls_params: stateconf.set: - name1: something Above will be pre-processed into: include: - some.file extend: some.file::sls_params: stateconf.set: - name1: something • Adds a sls_dir context variable that expands to the directory containing the rendering salt file. So, you can write salt://{{sls_dir}}/... to reference templates files used by your salt file. • Recognizes the special state function, stateconf.set, that configures a default list of named arguments usable within the template context of the salt file. Example: #!stateconf yaml . jinja .sls_params: stateconf.set: - name1: value1 - name2: value2 - name3: - value1 - value2 - value3 - require_in: - cmd: output # --- end of state config --- .output: cmd.run: - name: | echo 'name1={{sls_params.name1}} name2={{sls_params.name2}} name3[1]={{sls_params.name3[1]}} ' This even works with include + extend so that you can override the default configured arguments by including the salt file and then extend the stateconf.set states that come from the included salt file. (IMPORTANT: Both the included and the extending sls files must use the stateconf renderer for this ``extend`` to work!) Notice that the end of configuration marker (# --- end of state config --) is needed to separate the use of 'stateconf.set' form the rest of your salt file. The regex that matches such marker can be configured via the stateconf_end_marker option in your master or minion config file. Sometimes, it is desirable to set a default argument value that's based on earlier arguments in the same stateconf.set. For example, it may be tempting to do something like this: #!stateconf yaml . jinja .apache: stateconf.set: - host: localhost - port: 1234 - url: 'http://{{host}}:{{port}}/' # --- end of state config --- .test: cmd.run: - name: echo '{{apache.url}}' - cwd: / However, this won't work. It can however be worked around like so: #!stateconf yaml . jinja .apache: stateconf.set: - host: localhost - port: 1234 {# - url: 'http://{{host}}:{{port}}/' #} # --- end of state config --- # {{ apache.setdefault('url', "http://%(host)s:%(port)s/" % apache) }} .test: cmd.run: - name: echo '{{apache.url}}' - cwd: / • Adds support for relative include and exclude of .sls files. Example: #!stateconf yaml . jinja include: - .apache - .db.mysql - ..app.django exclude: - sls: .users If the above is written in a salt file at salt://some/where.sls then it will include salt://some/apache.sls, salt://some/db/mysql.sls and salt://app/django.sls, and exclude salt://some/users.ssl. Actually, it does that by rewriting the above include and exclude into: include: - some.apache - some.db.mysql - app.django exclude: - sls: some.users • Optionally (enabled by default, disable via the -G renderer option, e.g. in the shebang line: #!stateconf -G), generates a stateconf.set goal state (state id named as .goal by default, configurable via the master/minion config option, stateconf_goal_state) that requires all other states in the salt file. Note, the .goal state id is subject to dot-prefix rename rule mentioned earlier. Such goal state is intended to be required by some state in an including salt file. For example, in your webapp salt file, if you include a sls file that is supposed to setup Tomcat, you might want to make sure that all states in the Tomcat sls file will be executed before some state in the webapp sls file. • Optionally (enable via the -o renderer option, e.g. in the shebang line: #!stateconf -o), orders the states in a sls file by adding a require requisite to each state such that every state requires the state defined just before it. The order of the states here is the order they are defined in the sls file. (Note: this feature is only available if your minions are using Python >= 2.7. For Python2.6, it should also work if you install the ordereddict module from PyPI) By enabling this feature, you are basically agreeing to author your sls files in a way that gives up the explicit (or implicit?) ordering imposed by the use of require, watch, require_in or watch_in requisites, and instead, you rely on the order of states you define in the sls files. This may or may not be a better way for you. However, if there are many states defined in a sls file, then it tends to be easier to see the order they will be executed with this feature. You are still allowed to use all the requisites, with a few restrictions. You cannot require or watch a state defined after the current state. Similarly, in a state, you cannot require_in or watch_in a state defined before it. Breaking any of the two restrictions above will result in a state loop. The renderer will check for such incorrect uses if this feature is enabled. Additionally, names declarations cannot be used with this feature because the way they are compiled into low states make it impossible to guarantee the order in which they will be executed. This is also checked by the renderer. As a workaround for not being able to use names, you can achieve the same effect, by generate your states with the template engine available within your sls file. Finally, with the use of this feature, it becomes possible to easily make an included sls file execute all its states after some state (say, with id X) in the including sls file. All you have to do is to make state, X, require_in the first state defined in the included sls file. When writing sls files with this renderer, one should avoid using what can be defined in a name argument of a state as the state's id. That is, avoid writing states like this: /path/to/some/file: file.managed: - source: salt://some/file cp /path/to/some/file file2: cmd.run: - cwd: / - require: - file: /path/to/some/file Instead, define the state id and the name argument separately for each state. Also, the ID should be something meaningful and easy to reference within a requisite (which is a good habit anyway, and such extra indirection would also makes the sls file easier to modify later). Thus, the above states should be written like this: add-some-file: file.managed: - name: /path/to/some/file - source: salt://some/file copy-files: cmd.run: - name: cp /path/to/some/file file2 - cwd: / - require: - file: add-some-file Moreover, when referencing a state from a requisite, you should reference the state's id plus the state name rather than the state name plus its name argument. (Yes, in the above example, you can actually require the file: /path/to/some/file, instead of the file: add-some-file). The reason is that this renderer will re-write or rename state id's and their references for state id's prefixed with .. So, if you reference name then there's no way to reliably rewrite such reference. salt.renderers.wempy salt.renderers.wempy.render(template_file, saltenv='base', sls='', argline='', context=None, **kws) Render the data passing the functions and grains into the rendering system Return type string salt.renderers.yaml Understanding YAML The default renderer for SLS files is the YAML renderer. YAML is a markup language with many powerful features. However, Salt uses a small subset of YAML that maps over very commonly used data structures, like lists and dictionaries. It is the job of the YAML renderer to take the YAML data structure and compile it into a Python data structure for use by Salt. Though YAML syntax may seem daunting and terse at first, there are only three very simple rules to remember when writing YAML for SLS files. Rule One: Indentation YAML uses a fixed indentation scheme to represent relationships between data layers. Salt requires that the indentation for each level consists of exactly two spaces. Do not use tabs. Rule Two: Colons Python dictionaries are, of course, simply key-value pairs. Users from other languages may recognize this data type as hashes or associative arrays. Dictionary keys are represented in YAML as strings terminated by a trailing colon. Values are represented by either a string following the colon, separated by a space: my_key: my_value In Python, the above maps to: {'my_key': 'my_value'} Dictionaries can be nested: first_level_dict_key: second_level_dict_key: value_in_second_level_dict And in Python: {'first_level_dict_key': {'second_level_dict_key': 'value_in_second_level_dict' } Rule Three: Dashes To represent lists of items, a single dash followed by a space is used. Multiple items are a part of the same list as a function of their having the same level of indentation. - list_value_one - list_value_two - list_value_three Lists can be the value of a key-value pair. This is quite common in Salt: my_dictionary: - list_value_one - list_value_two - list_value_three Reference YAML Renderer for Salt salt.renderers.yaml.get_yaml_loader(argline) Return the ordered dict yaml loader salt.renderers.yaml.render(yaml_data, saltenv='base', sls='', argline='', **kws) Accepts YAML as a string or as a file object and runs it through the YAML parser. Return type A Python data structure salt.renderers.yamlex YAMLEX renderer is a replacement of the YAML renderer. It's 100% YAML with a pinch of Salt magic: • All mappings are automatically OrderedDict • All strings are automatically str obj • data aggregation with !aggregation yaml tag, based on the salt.utils.aggregation module. • data aggregation over documents for pillar Instructed aggregation within the !aggregation and the !reset tags: #!yamlex foo: !aggregate first foo: !aggregate second bar: !aggregate {first: foo} bar: !aggregate {second: bar} baz: !aggregate 42 qux: !aggregate default !reset qux: !aggregate my custom data is roughly equivalent to foo: [first, second] bar: {first: foo, second: bar} baz: [42] qux: [my custom data] Reference salt.renderers.yamlex.render(sls_data, saltenv='base', sls='', **kws) Accepts YAML_EX as a string or as a file object and runs it through the YAML_EX parser. Return type A Python data structure Returners By default the return values of the commands sent to the Salt minions are returned to the Salt master, however anything at all can be done with the results data. By using a Salt returner, results data can be redirected to external data-stores for analysis and archival. Returners pull their configuration values from the Salt minions. Returners are only configured once, which is generally at load time. The returner interface allows the return data to be sent to any system that can receive data. This means that return data can be sent to a Redis server, a MongoDB server, a MySQL server, or any system. SEE ALSO: Full list of builtin returners Using Returners All Salt commands will return the command data back to the master. Specifying returners will ensure that the data is _also_ sent to the specified returner interfaces. Specifying what returners to use is done when the command is invoked: salt '*' test.ping --return redis_return This command will ensure that the redis_return returner is used. It is also possible to specify multiple returners: salt '*' test.ping --return mongo_return,redis_return,cassandra_return In this scenario all three returners will be called and the data from the test.ping command will be sent out to the three named returners. Writing a Returner A returner is a Python module containing at minimum a returner function. Other optional functions can be included to add support for master_job_cache, external_job_cache, and Event Returners. returner The returner function must accept a single argument. The argument contains return data from the called minion function. If the minion function test.ping is called, the value of the argument will be a dictionary. Run the following command from a Salt master to get a sample of the dictionary: salt-call --local --metadata test.ping --out=pprint import redis import json def returner(ret): ''' Return information to a redis server ''' # Get a redis connection serv = redis.Redis( host='redis-serv.example.com', port=6379, db='0') serv.sadd("%(id)s:jobs" % ret, ret['jid']) serv.set("%(jid)s:%(id)s" % ret, json.dumps(ret['return'])) serv.sadd('jobs', ret['jid']) serv.sadd(ret['jid'], ret['id']) The above example of a returner set to send the data to a Redis server serializes the data as JSON and sets it in redis. Master Job Cache Support master_job_cache, external_job_cache, and Event Returners. Salt's master_job_cache allows returners to be used as a pluggable replacement for the default_job_cache. In order to do so, a returner must implement the following functions: NOTE: The code samples contained in this section were taken from the cassandra_cql returner. prep_jid Ensures that job ids (jid) don't collide, unless passed_jid is provided. nochache is an optional boolean that indicates if return data should be cached. passed_jid is a caller provided jid which should be returned unconditionally. def prep_jid(nocache, passed_jid=None): # pylint: disable=unused-argument ''' Do any work necessary to prepare a JID, including sending a custom id ''' return passed_jid if passed_jid is not None else salt.utils.jid.gen_jid() save_load Save job information. The jid is generated by prep_jid and should be considered a unique identifier for the job. The jid, for example, could be used as the primary/unique key in a database. The load is what is returned to a Salt master by a minion. The following code example stores the load as a JSON string in the salt.jids table. def save_load(jid, load): ''' Save the load to the specified jid id ''' query = '''INSERT INTO salt.jids ( jid, load ) VALUES ( '{0}', '{1}' );'''.format(jid, json.dumps(load)) # cassandra_cql.cql_query may raise a CommandExecutionError try: __salt__['cassandra_cql.cql_query'](query) except CommandExecutionError: log.critical('Could not save load in jids table.') raise except Exception as e: log.critical('''Unexpected error while inserting into jids: {0}'''.format(str(e))) raise get_load must accept a job id (jid) and return the job load stored by save_load, or an empty dictionary when not found. def get_load(jid): ''' Return the load data that marks a specified jid ''' query = '''SELECT load FROM salt.jids WHERE jid = '{0}';'''.format(jid) ret = {} # cassandra_cql.cql_query may raise a CommandExecutionError try: data = __salt__['cassandra_cql.cql_query'](query) if data: load = data[0].get('load') if load: ret = json.loads(load) except CommandExecutionError: log.critical('Could not get load from jids table.') raise except Exception as e: log.critical('''Unexpected error while getting load from jids: {0}'''.format(str(e))) raise return ret External Job Cache Support Salt's external_job_cache extends the master_job_cache. External Job Cache support requires the following functions in addition to what is required for Master Job Cache support: get_jid Return a dictionary containing the information (load) returned by each minion when the specified job id was executed. Sample: { "local": { "master_minion": { "fun_args": [], "jid": "20150330121011408195", "return": true, "retcode": 0, "success": true, "cmd": "_return", "_stamp": "2015-03-30T12:10:12.708663", "fun": "test.ping", "id": "master_minion" } } } get_fun Return a dictionary of minions that called a given Salt function as their last function call. Sample: { "local": { "minion1": "test.ping", "minion3": "test.ping", "minion2": "test.ping" } } get_jids Return a list of all job ids. Sample: { "local": [ "20150330121011408195", "20150330195922139916" ] } get_minions Returns a list of minions Sample: { "local": [ "minion3", "minion2", "minion1", "master_minion" ] } Please refer to one or more of the existing returners (i.e. mysql, cassandra_cql) if you need further clarification. Event Support An event_return function must be added to the returner module to allow events to be logged from a master via the returner. A list of events are passed to the function by the master. The following example was taken from the MySQL returner. In this example, each event is inserted into the salt_events table keyed on the event tag. The tag contains the jid and therefore is guaranteed to be unique. def event_return(events): ''' Return event to mysql server Requires that configuration be enabled via 'event_return' option in master config. ''' with _get_serv(events, commit=True) as cur: for event in events: tag = event.get('tag', '') data = event.get('data', '') sql = '''INSERT INTO `salt_events` (`tag`, `data`, `master_id` ) VALUES (%s, %s, %s)''' cur.execute(sql, (tag, json.dumps(data), __opts__['id'])) Custom Returners Place custom returners in a _returners directory within the file_roots specified by the master config file. Custom returners are distributed when any of the following are called: state.highstate saltutil.sync_returners saltutil.sync_all Any custom returners which have been synced to a minion that are named the same as one of Salt's default set of returners will take the place of the default returner with the same name. Naming the Returner Note that a returner's default name is its filename (i.e. foo.py becomes returner foo), but that its name can be overridden by using a __virtual__ function. A good example of this can be found in the redis returner, which is named redis_return.py but is loaded as simply redis: try: import redis HAS_REDIS = True except ImportError: HAS_REDIS = False __virtualname__ = 'redis' def __virtual__(): if not HAS_REDIS: return False return __virtualname__ Testing the Returner The returner, prep_jid, save_load, get_load, and event_return functions can be tested by configuring the master_job_cache and Event Returners in the master config file and submitting a job to test.ping each minion from the master. Once you have successfully exercised the Master Job Cache functions, test the External Job Cache functions using the ret execution module. salt-call ret.get_jids cassandra_cql --output=json salt-call ret.get_fun cassandra_cql test.ping --output=json salt-call ret.get_minions cassandra_cql --output=json salt-call ret.get_jid cassandra_cql 20150330121011408195 --output=json Event Returners For maximimum visibility into the history of events across a Salt infrastructure, all events seen by a salt master may be logged to a returner. To enable event logging, set the event_return configuration option in the master config to returner which should be designated as the handler for event returns. NOTE: Not all returners support event returns. Verify a returner has an event_return() function before using. NOTE: On larger installations, many hundreds of events may be generated on a busy master every second. Be certain to closely monitor the storage of a given returner as Salt can easily overwhealm an underpowered server with thousands of returns. Full List of Returners Full list of builtin returner modules ┌─────────────────────┬──────────────────────────────────┐ │carbon_return │ Take data from salt and "return" │ │ │ it into a carbon receiver │ ├─────────────────────┼──────────────────────────────────┤ │cassandra_cql_return │ Return data to a cassandra │ │ │ server │ ├─────────────────────┼──────────────────────────────────┤ │cassandra_return │ Return data to a Cassandra │ │ │ ColumnFamily │ ├─────────────────────┼──────────────────────────────────┤ │couchbase_return │ Simple returner for Couchbase. │ ├─────────────────────┼──────────────────────────────────┤ │couchdb_return │ Simple returner for CouchDB. │ ├─────────────────────┼──────────────────────────────────┤ │django_return │ A returner that will infor a │ │ │ Django system that returns are │ │ │ available using Django's signal │ │ │ system. │ ├─────────────────────┼──────────────────────────────────┤ │elasticsearch_return │ Return data to an elasticsearch │ │ │ server for indexing. │ ├─────────────────────┼──────────────────────────────────┤ │etcd_return │ Return data to an etcd server or │ │ │ cluster │ ├─────────────────────┼──────────────────────────────────┤ │hipchat_return │ Return salt data via hipchat. │ ├─────────────────────┼──────────────────────────────────┤ │influxdb_return │ Return data to an influxdb │ │ │ server. │ ├─────────────────────┼──────────────────────────────────┤ │kafka_return │ Return data to a Kafka topic │ ├─────────────────────┼──────────────────────────────────┤ │local │ The local returner is used to │ │ │ test the returner interface, it │ │ │ just prints the │ ├─────────────────────┼──────────────────────────────────┤ │local_cache │ Return data to local job cache │ ├─────────────────────┼──────────────────────────────────┤ │memcache_return │ Return data to a memcache server │ ├─────────────────────┼──────────────────────────────────┤ │mongo_future_return │ Return data to a mongodb server │ ├─────────────────────┼──────────────────────────────────┤ │mongo_return │ Return data to a mongodb server │ ├─────────────────────┼──────────────────────────────────┤ │multi_returner │ Read/Write multiple returners │ ├─────────────────────┼──────────────────────────────────┤ │mysql │ Return data to a mysql server │ ├─────────────────────┼──────────────────────────────────┤ │nagios_return │ Return salt data to Nagios │ ├─────────────────────┼──────────────────────────────────┤ │odbc │ Return data to an ODBC compliant │ │ │ server. │ └─────────────────────┴──────────────────────────────────┘ │pgjsonb │ Return data to a PostgreSQL │ │ │ server with json data stored in │ │ │ Pg's jsonb data type │ ├─────────────────────┼──────────────────────────────────┤ │postgres │ Return data to a postgresql │ │ │ server │ ├─────────────────────┼──────────────────────────────────┤ │postgres_local_cache │ Use a postgresql server for the │ │ │ master job cache. │ ├─────────────────────┼──────────────────────────────────┤ │pushover_returner │ Return salt data via pushover (‐ │ │ │ http://www.pushover.net) │ ├─────────────────────┼──────────────────────────────────┤ │redis_return │ Return data to a redis server │ ├─────────────────────┼──────────────────────────────────┤ │sentry_return │ Salt returner that report │ │ │ execution results back to │ │ │ sentry. │ ├─────────────────────┼──────────────────────────────────┤ │slack_returner │ Return salt data via slack │ ├─────────────────────┼──────────────────────────────────┤ │sms_return │ Return data by SMS. │ ├─────────────────────┼──────────────────────────────────┤ │smtp_return │ Return salt data via email │ ├─────────────────────┼──────────────────────────────────┤ │sqlite3_return │ Insert minion return data into a │ │ │ sqlite3 database │ ├─────────────────────┼──────────────────────────────────┤ │syslog_return │ Return data to the host │ │ │ operating system's syslog │ │ │ facility │ ├─────────────────────┼──────────────────────────────────┤ │xmpp_return │ Return salt data via xmpp │ └─────────────────────┴──────────────────────────────────┘ salt.returners.carbon_return Take data from salt and "return" it into a carbon receiver Add the following configuration to the minion configuration file: carbon.host: <server ip address> carbon.port: 2003 Errors when trying to convert data to numbers may be ignored by setting carbon.skip_on_error to True: carbon.skip_on_error: True By default, data will be sent to carbon using the plaintext protocol. To use the pickle protocol, set carbon.mode to pickle: carbon.mode: pickle You can also specify the pattern used for the metric base path (except for virt modules metrics): carbon.metric_base_pattern: carbon.[minion_id].[module].[function] These tokens can used : [module]: salt module [function]: salt function [minion_id]: minion id Default is : carbon.metric_base_pattern: [module].[function].[minion_id] Carbon settings may also be configured as: carbon: host: <server IP or hostname> port: <carbon port> skip_on_error: True mode: (pickle|text) metric_base_pattern: <pattern> | [module].[function].[minion_id] Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: alternative.carbon: host: <server IP or hostname> port: <carbon port> skip_on_error: True mode: (pickle|text) To use the carbon returner, append '--return carbon' to the salt command. salt '*' test.ping --return carbon To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return carbon --return_config alternative salt.returners.carbon_return.event_return(events) Return event data to remote carbon server Provide a list of events to be stored in carbon salt.returners.carbon_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.carbon_return.returner(ret) Return data to a remote carbon server using the text metric protocol Each metric will look like: [module].[function].[minion_id].[metric path [...]].[metric name] salt.returners.cassandra_cql_return Return data to a cassandra server New in version 2015.5.0. maintainer Corin Kochenower<ckochenower@saltstack.com> maturity new as of 2015.2 depends salt.modules.cassandra_cql depends DataStax Python Driver for Apache Cassandra https://github.com/datastax/python-driver pip install cassandra-driver platform all configuration To enable this returner, the minion will need the DataStax Python Driver for Apache Cassandra ( https://github.com/datastax/python-driver ) installed and the following values configured in the minion or master config. The list of cluster IPs must include at least one cassandra node IP address. No assumption or default will be used for the cluster IPs. The cluster IPs will be tried in the order listed. The port, username, and password values shown below will be the assumed defaults if you do not provide values.: cassandra: cluster: - 192.168.50.11 - 192.168.50.12 - 192.168.50.13 port: 9042 username: salt password: salt Use the following cassandra database schema: CREATE KEYSPACE IF NOT EXISTS salt WITH replication = {'class': 'SimpleStrategy', 'replication_factor' : 1}; CREATE USER IF NOT EXISTS salt WITH PASSWORD 'salt' NOSUPERUSER; GRANT ALL ON KEYSPACE salt TO salt; USE salt; CREATE TABLE IF NOT EXISTS salt.salt_returns ( jid text, minion_id text, fun text, alter_time timestamp, full_ret text, return text, success boolean, PRIMARY KEY (jid, minion_id, fun) ) WITH CLUSTERING ORDER BY (minion_id ASC, fun ASC); CREATE INDEX IF NOT EXISTS salt_returns_minion_id ON salt.salt_returns (minion_id); CREATE INDEX IF NOT EXISTS salt_returns_fun ON salt.salt_returns (fun); CREATE TABLE IF NOT EXISTS salt.jids ( jid text PRIMARY KEY, load text ); CREATE TABLE IF NOT EXISTS salt.minions ( minion_id text PRIMARY KEY, last_fun text ); CREATE INDEX IF NOT EXISTS minions_last_fun ON salt.minions (last_fun); CREATE TABLE IF NOT EXISTS salt.salt_events ( id timeuuid, tag text, alter_time timestamp, data text, master_id text, PRIMARY KEY (id, tag) ) WITH CLUSTERING ORDER BY (tag ASC); CREATE INDEX tag ON salt.salt_events (tag); Required python modules: cassandra-driver To use the cassandra returner, append '--return cassandra' to the salt command. ex: salt '*' test.ping --return cassandra salt.returners.cassandra_cql_return.event_return(events) Return event to one of potentially many clustered cassandra nodes Requires that configuration be enabled via 'event_return' option in master config. Cassandra does not support an auto-increment feature due to the highly inefficient nature of creating a monotonically increasing number across all nodes in a distributed database. Each event will be assigned a uuid by the connecting client. salt.returners.cassandra_cql_return.get_fun(fun) Return a dict of the last function called for all minions salt.returners.cassandra_cql_return.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.cassandra_cql_return.get_jids() Return a list of all job ids salt.returners.cassandra_cql_return.get_load(jid) Return the load data that marks a specified jid salt.returners.cassandra_cql_return.get_minions() Return a list of minions salt.returners.cassandra_cql_return.prep_jid(nocache, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.cassandra_cql_return.returner(ret) Return data to one of potentially many clustered cassandra nodes salt.returners.cassandra_cql_return.save_load(jid, load) Save the load to the specified jid id salt.returners.cassandra_return Return data to a Cassandra ColumnFamily Here's an example Keyspace / ColumnFamily setup that works with this returner: create keyspace salt; use salt; create column family returns with key_validation_class='UTF8Type' and comparator='UTF8Type' and default_validation_class='UTF8Type'; Required python modules: pycassa To use the cassandra returner, append '--return cassandra' to the salt command. ex: salt '*' test.ping --return cassandra salt.returners.cassandra_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.cassandra_return.returner(ret) Return data to a Cassandra ColumnFamily salt.returners.couchbase_return Simple returner for Couchbase. Optional configuration settings are listed below, along with sane defaults. couchbase.host: 'salt' couchbase.port: 8091 couchbase.bucket: 'salt' couchbase.skip_verify_views: False To use the couchbase returner, append '--return couchbase' to the salt command. ex: salt '*' test.ping --return couchbase All of the return data will be stored in documents as follows: JID load: load obj tgt_minions: list of minions targeted nocache: should we not cache the return data JID/MINION_ID return: return_data out: out_data salt.returners.couchbase_return.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.couchbase_return.get_jids() Return a list of all job ids salt.returners.couchbase_return.get_load(jid) Return the load data that marks a specified jid salt.returners.couchbase_return.prep_jid(nocache=False, passed_jid=None) Return a job id and prepare the job id directory This is the function responsible for making sure jids don't collide (unless its passed a jid) So do what you have to do to make sure that stays the case salt.returners.couchbase_return.returner(load) Return data to the local job cache salt.returners.couchbase_return.save_load(jid, clear_load) Save the load to the specified jid salt.returners.couchbase_return.save_minions(jid, minions, syndic_id=None) Save/update the minion list for a given jid. The syndic_id argument is included for API compatibility only. salt.returners.couchdb_return Simple returner for CouchDB. Optional configuration settings are listed below, along with sane defaults: couchdb.db: 'salt' couchdb.url: 'http://salt:5984/' Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: alternative.couchdb.db: 'salt' alternative.couchdb.url: 'http://salt:5984/' To use the couchdb returner, append --return couchdb to the salt command. Example: salt '*' test.ping --return couchdb To use the alternative configuration, append --return_config alternative to the salt command. New in version 2015.5.0. salt '*' test.ping --return couchdb --return_config alternative On concurrent database access As this returner creates a couchdb document whith the salt job id as document id and as only one document with a given id can exist in a given couchdb database, it is advised for most setups that every minion be configured to write to it own database (the value of couchdb.db may be suffixed with the minion id), otherwise multi-minion targeting can lead to losing output: • the first returning minion is able to create a document in the database • other minions fail with {'error': 'HTTP Error 409: Conflict'} salt.returners.couchdb_return.ensure_views() This function makes sure that all the views that should exist in the design document do exist. salt.returners.couchdb_return.get_fun(fun) Return a dict with key being minion and value being the job details of the last run of function 'fun'. salt.returners.couchdb_return.get_jid(jid) Get the document with a given JID. salt.returners.couchdb_return.get_jids() List all the jobs that we have.. salt.returners.couchdb_return.get_minions() Return a list of minion identifiers from a request of the view. salt.returners.couchdb_return.get_valid_salt_views() Returns a dict object of views that should be part of the salt design document. salt.returners.couchdb_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.couchdb_return.returner(ret) Take in the return and shove it into the couchdb database. salt.returners.couchdb_return.set_salt_view() Helper function that sets the salt design document. Uses get_valid_salt_views and some hardcoded values. salt.returners.django_return A returner that will infor a Django system that returns are available using Django's signal system. https://docs.djangoproject.com/en/dev/topics/signals/ It is up to the Django developer to register necessary handlers with the signals provided by this returner and process returns as necessary. The easiest way to use signals is to import them from this returner directly and then use a decorator to register them. An example Django module that registers a function called 'returner_callback' with this module's 'returner' function: import salt.returners.django_return from django.dispatch import receiver @receiver(salt.returners.django_return, sender=returner) def returner_callback(sender, ret): print('I received {0} from {1}'.format(ret, sender)) salt.returners.django_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom ID salt.returners.django_return.returner(ret) Signal a Django server that a return is available salt.returners.django_return.save_load(jid, load) Save the load to the specified jid salt.returners.elasticsearch_return Return data to an elasticsearch server for indexing. maintainer Jurnell Cockhren <jurnell.cockhren@sophicware.com>, Arnold Bechtoldt <‐ mail@arnoldbechtoldt.com> maturity New depends elasticsearch-py platform all To enable this returner the elasticsearch python client must be installed on the desired minions (all or some subset). Please see documentation of elasticsearch execution module for a valid connection configuration. WARNING: The index that you wish to store documents will be created by Elasticsearch automatically if doesn't exist yet. It is highly recommended to create predefined index templates with appropriate mapping(s) that will be used by Elasticsearch upon index creation. Otherwise you will have problems as described in #20826. To use the returner per salt call: salt '*' test.ping --return elasticsearch In order to have the returner apply to all minions: ext_job_cache: elasticsearch salt.returners.elasticsearch_return.get_load(jid) Return the load data that marks a specified jid New in version 2015.8.1. salt.returners.elasticsearch_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.elasticsearch_return.returner(ret) Process the return from Salt salt.returners.elasticsearch_return.save_load(jid, load) Save the load to the specified jid id New in version 2015.8.1. salt.returners.etcd_return Return data to an etcd server or cluster depends • python-etcd In order to return to an etcd server, a profile should be created in the master configuration file: my_etcd_config: etcd.host: 127.0.0.1 etcd.port: 4001 It is technically possible to configure etcd without using a profile, but this is not considered to be a best practice, especially when multiple etcd servers or clusters are available. etcd.host: 127.0.0.1 etcd.port: 4001 Additionally, two more options must be specified in the top-level configuration in order to use the etcd returner: etcd.returner: my_etcd_config etcd.returner_root: /salt/return The etcd.returner option specifies which configuration profile to use. The etcd.returner_root option specifies the path inside etcd to use as the root of the returner system. Once the etcd options are configured, the returner may be used: CLI Example: salt '*' test.ping --return etcd salt.returners.etcd_return.get_fun() Return a dict of the last function called for all minions salt.returners.etcd_return.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.etcd_return.get_jids() Return a list of all job ids salt.returners.etcd_return.get_load(jid) Return the load data that marks a specified jid salt.returners.etcd_return.get_minions() Return a list of minions salt.returners.etcd_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.etcd_return.returner(ret) Return data to an etcd server or cluster salt.returners.etcd_return.save_load(jid, load) Save the load to the specified jid salt.returners.hipchat_return Return salt data via hipchat. New in version 2015.5.0. The following fields can be set in the minion conf file: hipchat.room_id (required) hipchat.api_key (required) hipchat.api_version (required) hipchat.from_name (required) hipchat.color (optional) hipchat.notify (optional) hipchat.profile (optional) Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: hipchat.room_id hipchat.api_key hipchat.api_version hipchat.from_name Hipchat settings may also be configured as: hipchat: room_id: RoomName api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx api_version: v1 from_name: user@email.com alternative.hipchat: room_id: RoomName api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx api_version: v1 from_name: user@email.com hipchat_profile: api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx api_version: v1 from_name: user@email.com hipchat: profile: hipchat_profile room_id: RoomName alternative.hipchat: profile: hipchat_profile room_id: RoomName To use the HipChat returner, append '--return hipchat' to the salt command. salt '*' test.ping --return hipchat To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return hipchat --return_config alternative salt.returners.hipchat_return.event_return(events) Return event data to hipchat salt.returners.hipchat_return.returner(ret) Send an hipchat message with the return data from a job salt.returners.influxdb_return Return data to an influxdb server. New in version 2015.8.0. To enable this returner the minion will need the python client for influxdb installed and the following values configured in the minion or master config, these are the defaults: influxdb.db: 'salt' influxdb.user: 'salt' influxdb.password: 'salt' influxdb.host: 'localhost' influxdb.port: 8086 Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: alternative.influxdb.db: 'salt' alternative.influxdb.user: 'salt' alternative.influxdb.password: 'salt' alternative.influxdb.host: 'localhost' alternative.influxdb.port: 6379 To use the influxdb returner, append '--return influxdb' to the salt command. salt '*' test.ping --return influxdb To use the alternative configuration, append '--return_config alternative' to the salt command. salt '*' test.ping --return influxdb --return_config alternative salt.returners.influxdb_return.get_fun(fun) Return a dict of the last function called for all minions salt.returners.influxdb_return.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.influxdb_return.get_jids() Return a list of all job ids salt.returners.influxdb_return.get_load(jid) Return the load data that marks a specified jid salt.returners.influxdb_return.get_minions() Return a list of minions salt.returners.influxdb_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.influxdb_return.returner(ret) Return data to a influxdb data store salt.returners.influxdb_return.save_load(jid, load) Save the load to the specified jid salt.returners.kafka_return Return data to a Kafka topic maintainer Christer Edwards (christer.edwards@gmail.com) maturity 0.1 depends kafka-python platform all To enable this returner install kafka-python and enable the following settings in the minion config: returner.kafka.hostnames: • "server1" • "server2" • "server3" returner.kafka.topic: 'topic' To use the kafka returner, append '--return kafka' to the Salt command, eg; salt '*' test.ping --return kafka salt.returners.kafka_return.returner(ret) Return information to a Kafka server salt.returners.local The local returner is used to test the returner interface, it just prints the return data to the console to verify that it is being passed properly To use the local returner, append '--return local' to the salt command. ex: salt '*' test.ping --return local salt.returners.local.event_return(event) Print event return data to the terminal to verify functionality salt.returners.local.returner(ret) Print the return data to the terminal to verify functionality salt.returners.local_cache Return data to local job cache salt.returners.local_cache.clean_old_jobs() Clean out the old jobs from the job cache salt.returners.local_cache.get_endtime(jid) Retrieve the stored endtime for a given job Returns False if no endtime is present salt.returners.local_cache.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.local_cache.get_jids() Return a dict mapping all job ids to job information salt.returners.local_cache.get_jids_filter(count, filter_find_job=True) Return a list of all jobs information filtered by the given criteria. :param int count: show not more than the count of most recent jobs :param bool filter_find_jobs: filter out 'saltutil.find_job' jobs salt.returners.local_cache.get_load(jid) Return the load data that marks a specified jid salt.returners.local_cache.prep_jid(nocache=False, passed_jid=None, recurse_count=0) Return a job id and prepare the job id directory. This is the function responsible for making sure jids don't collide (unless it is passed a jid). So do what you have to do to make sure that stays the case salt.returners.local_cache.returner(load) Return data to the local job cache salt.returners.local_cache.save_load(jid, clear_load, minions=None, recurse_count=0) Save the load to the specified jid minions argument is to provide a pre-computed list of matched minions for the job, for cases when this function can't compute that list itself (such as for salt-ssh) salt.returners.local_cache.save_minions(jid, minions, syndic_id=None) Save/update the serialized list of minions for a given job salt.returners.local_cache.update_endtime(jid, time) Update (or store) the end time for a given job Endtime is stored as a plain text string salt.returners.memcache_return Return data to a memcache server To enable this returner the minion will need the python client for memcache installed and the following values configured in the minion or master config, these are the defaults. memcache.host: 'localhost' memcache.port: '11211' Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location. alternative.memcache.host: 'localhost' alternative.memcache.port: '11211' python2-memcache uses 'localhost' and '11211' as syntax on connection. To use the memcache returner, append '--return memcache' to the salt command. salt '*' test.ping --return memcache To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return memcache --return_config alternative salt.returners.memcache_return.get_fun(fun) Return a dict of the last function called for all minions salt.returners.memcache_return.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.memcache_return.get_jids() Return a list of all job ids salt.returners.memcache_return.get_load(jid) Return the load data that marks a specified jid salt.returners.memcache_return.get_minions() Return a list of minions salt.returners.memcache_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.memcache_return.returner(ret) Return data to a memcache data store salt.returners.memcache_return.save_load(jid, load) Save the load to the specified jid salt.returners.mongo_future_return Return data to a mongodb server Required python modules: pymongo This returner will send data from the minions to a MongoDB server. To configure the settings for your MongoDB server, add the following lines to the minion config files: mongo.db: <database name> mongo.host: <server ip address> mongo.user: <MongoDB username> mongo.password: <MongoDB user password> mongo.port: 27017 You can also ask for indexes creation on the most common used fields, which should greatly improve performance. Indexes are not created by default. mongo.indexes: true Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: alternative.mongo.db: <database name> alternative.mongo.host: <server ip address> alternative.mongo.user: <MongoDB username> alternative.mongo.password: <MongoDB user password> alternative.mongo.port: 27017 This mongo returner is being developed to replace the default mongodb returner in the future and should not be considered API stable yet. To use the mongo returner, append '--return mongo' to the salt command. salt '*' test.ping --return mongo To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return mongo --return_config alternative salt.returners.mongo_future_return.get_fun(fun) Return the most recent jobs that have executed the named function salt.returners.mongo_future_return.get_jid(jid) Return the return information associated with a jid salt.returners.mongo_future_return.get_jids() Return a list of job ids salt.returners.mongo_future_return.get_load(jid) Return the load associated with a given job id salt.returners.mongo_future_return.get_minions() Return a list of minions salt.returners.mongo_future_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.mongo_future_return.returner(ret) Return data to a mongodb server salt.returners.mongo_future_return.save_load(jid, load) Save the load for a given job id salt.returners.mongo_return Return data to a mongodb server Required python modules: pymongo This returner will send data from the minions to a MongoDB server. To configure the settings for your MongoDB server, add the following lines to the minion config files. mongo.db: <database name> mongo.host: <server ip address> mongo.user: <MongoDB username> mongo.password: <MongoDB user password> mongo.port: 27017 Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location. alternative.mongo.db: <database name> alternative.mongo.host: <server ip address> alternative.mongo.user: <MongoDB username> alternative.mongo.password: <MongoDB user password> alternative.mongo.port: 27017 To use the mongo returner, append '--return mongo' to the salt command. salt '*' test.ping --return mongo_return To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return mongo_return --return_config alternative salt.returners.mongo_return.get_fun(fun) Return the most recent jobs that have executed the named function salt.returners.mongo_return.get_jid(jid) Return the return information associated with a jid salt.returners.mongo_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.mongo_return.returner(ret) Return data to a mongodb server salt.returners.multi_returner Read/Write multiple returners salt.returners.multi_returner.clean_old_jobs() Clean out the old jobs from all returners (if you have it) salt.returners.multi_returner.get_jid(jid) Merge the return data from all returners salt.returners.multi_returner.get_jids() Return all job data from all returners salt.returners.multi_returner.get_load(jid) Merge the load data from all returners salt.returners.multi_returner.prep_jid(nocache=False, passed_jid=None) Call both with prep_jid on all returners in multi_returner TODO: finish this, what do do when you get different jids from 2 returners... since our jids are time based, this make this problem hard, because they aren't unique, meaning that we have to make sure that no one else got the jid and if they did we spin to get a new one, which means "locking" the jid in 2 returners is non-trivial salt.returners.multi_returner.returner(load) Write return to all returners in multi_returner salt.returners.multi_returner.save_load(jid, clear_load) Write load to all returners in multi_returner salt.returners.mysql Return data to a mysql server maintainer Dave Boucha <dave@saltstack.com>, Seth House <shouse@saltstack.com> maturity new depends python-mysqldb platform all To enable this returner, the minion will need the python client for mysql installed and the following values configured in the minion or master config. These are the defaults: mysql.host: 'salt' mysql.user: 'salt' mysql.pass: 'salt' mysql.db: 'salt' mysql.port: 3306 SSL is optional. The defaults are set to None. If you do not want to use SSL, either exclude these options or set them to None. mysql.ssl_ca: None mysql.ssl_cert: None mysql.ssl_key: None Alternative configuration values can be used by prefacing the configuration with alternative.. Any values not found in the alternative configuration will be pulled from the default location. As stated above, SSL configuration is optional. The following ssl options are simply for illustration purposes: alternative.mysql.host: 'salt' alternative.mysql.user: 'salt' alternative.mysql.pass: 'salt' alternative.mysql.db: 'salt' alternative.mysql.port: 3306 alternative.mysql.ssl_ca: '/etc/pki/mysql/certs/localhost.pem' alternative.mysql.ssl_cert: '/etc/pki/mysql/certs/localhost.crt' alternative.mysql.ssl_key: '/etc/pki/mysql/certs/localhost.key' Use the following mysql database schema: CREATE DATABASE `salt` DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci; USE `salt`; -- -- Table structure for table `jids` -- DROP TABLE IF EXISTS `jids`; CREATE TABLE `jids` ( `jid` varchar(255) NOT NULL, `load` mediumtext NOT NULL, UNIQUE KEY `jid` (`jid`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE INDEX jid ON jids(jid) USING BTREE; -- -- Table structure for table `salt_returns` -- DROP TABLE IF EXISTS `salt_returns`; CREATE TABLE `salt_returns` ( `fun` varchar(50) NOT NULL, `jid` varchar(255) NOT NULL, `return` mediumtext NOT NULL, `id` varchar(255) NOT NULL, `success` varchar(10) NOT NULL, `full_ret` mediumtext NOT NULL, `alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP, KEY `id` (`id`), KEY `jid` (`jid`), KEY `fun` (`fun`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; -- -- Table structure for table `salt_events` -- DROP TABLE IF EXISTS `salt_events`; CREATE TABLE `salt_events` ( `id` BIGINT NOT NULL AUTO_INCREMENT, `tag` varchar(255) NOT NULL, `data` mediumtext NOT NULL, `alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP, `master_id` varchar(255) NOT NULL, PRIMARY KEY (`id`), KEY `tag` (`tag`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; Required python modules: MySQLdb To use the mysql returner, append '--return mysql' to the salt command. salt '*' test.ping --return mysql To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return mysql --return_config alternative salt.returners.mysql.event_return(events) Return event to mysql server Requires that configuration be enabled via 'event_return' option in master config. salt.returners.mysql.get_fun(fun) Return a dict of the last function called for all minions salt.returners.mysql.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.mysql.get_jids() Return a list of all job ids salt.returners.mysql.get_jids_filter(count, filter_find_job=True) Return a list of all job ids :param int count: show not more than the count of most recent jobs :param bool filter_find_jobs: filter out 'saltutil.find_job' jobs salt.returners.mysql.get_load(jid) Return the load data that marks a specified jid salt.returners.mysql.get_minions() Return a list of minions salt.returners.mysql.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.mysql.returner(ret) Return data to a mysql server salt.returners.mysql.save_load(jid, load) Save the load to the specified jid id salt.returners.nagios_return Return salt data to Nagios The following fields can be set in the minion conf file: nagios.url (required) nagios.token (required) nagios.service (optional) nagios.check_type (optional) Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: nagios.url nagios.token nagios.service Nagios settings may also be configured as: nagios: url: http://localhost/nrdp token: r4nd0mt0k3n service: service-check alternative.nagios: url: http://localhost/nrdp token: r4nd0mt0k3n service: another-service-check To use the Nagios returner, append '--return nagios' to the salt command. ex: .. code-block:: bash salt '*' test.ping --return nagios To use the alternative configuration, append '--return_config alternative' to the salt command. ex: salt '*' test.ping --return nagios --return_config alternative salt.returners.nagios_return.returner(ret) Send a message to Nagios with the data salt.returners.odbc Return data to an ODBC compliant server. This driver was developed with Microsoft SQL Server in mind, but theoretically could be used to return data to any compliant ODBC database as long as there is a working ODBC driver for it on your minion platform. maintainer C. R. Oldham (cr@saltstack.com) maturity New depends unixodbc, pyodbc, freetds (for SQL Server) platform all To enable this returner the minion will need On Linux: unixodbc (http://www.unixodbc.org) pyodbc (pip install pyodbc) The FreeTDS ODBC driver for SQL Server (http://www.freetds.org) or another compatible ODBC driver On Windows: TBD unixODBC and FreeTDS need to be configured via /etc/odbcinst.ini and /etc/odbc.ini. /etc/odbcinst.ini: [TDS] Description=TDS Driver=/usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so (Note the above Driver line needs to point to the location of the FreeTDS shared library. This example is for Ubuntu 14.04.) /etc/odbc.ini: [TS] Description = "Salt Returner" Driver=TDS Server = <your server ip or fqdn> Port = 1433 Database = salt Trace = No Also you need the following values configured in the minion or master config. Configure as you see fit: returner.odbc.dsn: 'TS' returner.odbc.user: 'salt' returner.odbc.passwd: 'salt' Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: alternative.returner.odbc.dsn: 'TS' alternative.returner.odbc.user: 'salt' alternative.returner.odbc.passwd: 'salt' Running the following commands against Microsoft SQL Server in the desired database as the appropriate user should create the database tables correctly. Replace with equivalent SQL for other ODBC-compliant servers -- -- Table structure for table 'jids' -- if OBJECT_ID('dbo.jids', 'U') is not null DROP TABLE dbo.jids CREATE TABLE dbo.jids ( jid varchar(255) PRIMARY KEY, load varchar(MAX) NOT NULL ); -- -- Table structure for table 'salt_returns' -- IF OBJECT_ID('dbo.salt_returns', 'U') IS NOT NULL DROP TABLE dbo.salt_returns; CREATE TABLE dbo.salt_returns ( added datetime not null default (getdate()), fun varchar(100) NOT NULL, jid varchar(255) NOT NULL, retval varchar(MAX) NOT NULL, id varchar(255) NOT NULL, success bit default(0) NOT NULL, full_ret varchar(MAX) ); CREATE INDEX salt_returns_added on dbo.salt_returns(added); CREATE INDEX salt_returns_id on dbo.salt_returns(id); CREATE INDEX salt_returns_jid on dbo.salt_returns(jid); CREATE INDEX salt_returns_fun on dbo.salt_returns(fun); To use this returner, append '--return odbc' to the salt command. .. code-block:: bash salt '*' status.diskusage --return odbc To use the alternative configuration, append '--return_config alternative' to the salt command. .. versionadded:: 2015.5.0 .. code-block:: bash salt '*' test.ping --return odbc --return_config alternative salt.returners.odbc.get_fun(fun) Return a dict of the last function called for all minions salt.returners.odbc.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.odbc.get_jids() Return a list of all job ids salt.returners.odbc.get_load(jid) Return the load data that marks a specified jid salt.returners.odbc.get_minions() Return a list of minions salt.returners.odbc.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.odbc.returner(ret) Return data to an odbc server salt.returners.odbc.save_load(jid, load) Save the load to the specified jid id salt.returners.pgjsonb Return data to a PostgreSQL server with json data stored in Pg's jsonb data type maintainer Dave Boucha <dave@saltstack.com>, Seth House <shouse@saltstack.com>, C. R. Oldham <cr@saltstack.com> maturity new depends python-psycopg2 platform all To enable this returner, the minion will need the python client for PostgreSQL installed and the following values configured in the minion or master config. These are the defaults: returner.pgjsonb.host: 'salt' returner.pgjsonb.user: 'salt' returner.pgjsonb.pass: 'salt' returner.pgjsonb.db: 'salt' returner.pgjsonb.port: 5432 SSL is optional. The defaults are set to None. If you do not want to use SSL, either exclude these options or set them to None. returner.pgjsonb.ssl_ca: None returner.pgjsonb.ssl_cert: None returner.pgjsonb.ssl_key: None Alternative configuration values can be used by prefacing the configuration with alternative.. Any values not found in the alternative configuration will be pulled from the default location. As stated above, SSL configuration is optional. The following ssl options are simply for illustration purposes: alternative.pgjsonb.host: 'salt' alternative.pgjsonb.user: 'salt' alternative.pgjsonb.pass: 'salt' alternative.pgjsonb.db: 'salt' alternative.pgjsonb.port: 5432 alternative.pgjsonb.ssl_ca: '/etc/pki/mysql/certs/localhost.pem' alternative.pgjsonb.ssl_cert: '/etc/pki/mysql/certs/localhost.crt' alternative.pgjsonb.ssl_key: '/etc/pki/mysql/certs/localhost.key' Use the following Pg database schema: CREATE DATABASE salt WITH ENCODING 'utf-8'; -- -- Table structure for table `jids` -- DROP TABLE IF EXISTS jids; CREATE OR REPLACE TABLE jids ( jid varchar(255) NOT NULL primary key load jsonb NOT NULL ); CREATE INDEX idx_jids_jsonb on jids USING gin (load) WITH (fastupdate=on); -- -- Table structure for table `salt_returns` -- DROP TABLE IF EXISTS salt_returns; CREATE TABLE salt_returns ( fun varchar(50) NOT NULL, jid varchar(255) NOT NULL, return jsonb NOT NULL, id varchar(255) NOT NULL, success varchar(10) NOT NULL, full_ret jsonb NOT NULL, alter_time TIMESTAMP WITH TIME ZONE DEFAULT NOW()); CREATE INDEX idx_salt_returns_id ON salt_returns (id); CREATE INDEX idx_salt_returns_jid ON salt_returns (jid); CREATE INDEX idx_salt_returns_fun ON salt_returns (fun); CREATE INDEX idx_salt_returns_return ON salt_returns USING gin (return) with (fastupdate=on); CREATE INDEX idx_salt_returns_full_ret ON salt_returns USING gin (full_ret) with (fastupdate=on); -- -- Table structure for table `salt_events` -- DROP TABLE IF EXISTS salt_events; DROP SEQUENCE IF EXISTS seq_salt_events_id; CREATE SEQUENCE seq_salt_events_id; CREATE TABLE salt_events ( id BIGINT NOT NULL UNIQUE DEFAULT nextval('seq_salt_events_id'), tag varchar(255) NOT NULL, data jsonb NOT NULL, alter_time TIMESTAMP WITH TIME ZONE DEFAULT NOW(), master_id varchar(255) NOT NULL); CREATE INDEX idx_salt_events_tag on salt_events (tag); CREATE INDEX idx_salt_events_data ON salt_events USING gin (data) with (fastupdate=on); Required python modules: Psycopg2 To use this returner, append '--return pgjsonb' to the salt command. salt '*' test.ping --return pgjsonb To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return pgjsonb --return_config alternative salt.returners.pgjsonb.event_return(events) Return event to Pg server Requires that configuration be enabled via 'event_return' option in master config. salt.returners.pgjsonb.get_fun(fun) Return a dict of the last function called for all minions salt.returners.pgjsonb.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.pgjsonb.get_jids() Return a list of all job ids salt.returners.pgjsonb.get_load(jid) Return the load data that marks a specified jid salt.returners.pgjsonb.get_minions() Return a list of minions salt.returners.pgjsonb.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.pgjsonb.returner(ret) Return data to a Pg server salt.returners.pgjsonb.save_load(jid, load) Save the load to the specified jid id salt.returners.postgres Return data to a postgresql server maintainer None maturity New depends psycopg2 platform all To enable this returner the minion will need the psycopg2 installed and the following values configured in the minion or master config: returner.postgres.host: 'salt' returner.postgres.user: 'salt' returner.postgres.passwd: 'salt' returner.postgres.db: 'salt' returner.postgres.port: 5432 Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: alternative.returner.postgres.host: 'salt' alternative.returner.postgres.user: 'salt' alternative.returner.postgres.passwd: 'salt' alternative.returner.postgres.db: 'salt' alternative.returner.postgres.port: 5432 Running the following commands as the postgres user should create the database correctly: psql << EOF CREATE ROLE salt WITH PASSWORD 'salt'; CREATE DATABASE salt WITH OWNER salt; EOF psql -h localhost -U salt << EOF -- -- Table structure for table 'jids' -- DROP TABLE IF EXISTS jids; CREATE TABLE jids ( jid varchar(20) PRIMARY KEY, load text NOT NULL ); -- -- Table structure for table 'salt_returns' -- DROP TABLE IF EXISTS salt_returns; CREATE TABLE salt_returns ( added TIMESTAMP WITH TIME ZONE DEFAULT now(), fun text NOT NULL, jid varchar(20) NOT NULL, return text NOT NULL, id text NOT NULL, success boolean ); CREATE INDEX ON salt_returns (added); CREATE INDEX ON salt_returns (id); CREATE INDEX ON salt_returns (jid); CREATE INDEX ON salt_returns (fun); EOF Required python modules: psycopg2 To use the postgres returner, append '--return postgres' to the salt command. salt '*' test.ping --return postgres To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return postgres --return_config alternative salt.returners.postgres.get_fun(fun) Return a dict of the last function called for all minions salt.returners.postgres.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.postgres.get_jids() Return a list of all job ids salt.returners.postgres.get_load(jid) Return the load data that marks a specified jid salt.returners.postgres.get_minions() Return a list of minions salt.returners.postgres.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.postgres.returner(ret) Return data to a postgres server salt.returners.postgres.save_load(jid, load) Save the load to the specified jid id salt.returners.postgres_local_cache Use a postgresql server for the master job cache. This helps the job cache to cope with scale. maintainer gjredelinghuys@gmail.com maturity New depends psycopg2 platform all To enable this returner the minion will need the psycopg2 installed and the following values configured in the master config: master_job_cache: postgres_local_cache master_job_cache.postgres.host: 'salt' master_job_cache.postgres.user: 'salt' master_job_cache.postgres.passwd: 'salt' master_job_cache.postgres.db: 'salt' master_job_cache.postgres.port: 5432 Running the following command as the postgres user should create the database correctly: psql << EOF CREATE ROLE salt WITH PASSWORD 'salt'; CREATE DATABASE salt WITH OWNER salt; EOF and then: psql -h localhost -U salt << EOF -- -- Table structure for table 'jids' -- DROP TABLE IF EXISTS jids; CREATE TABLE jids ( jid varchar(20) PRIMARY KEY, started TIMESTAMP WITH TIME ZONE DEFAULT now(), tgt_type text NOT NULL, cmd text NOT NULL, tgt text NOT NULL, kwargs text NOT NULL, ret text NOT NULL, username text NOT NULL, arg text NOT NULL, fun text NOT NULL ); -- -- Table structure for table 'salt_returns' -- -- note that 'success' must not have NOT NULL constraint, since -- some functions don't provide it. DROP TABLE IF EXISTS salt_returns; CREATE TABLE salt_returns ( added TIMESTAMP WITH TIME ZONE DEFAULT now(), fun text NOT NULL, jid varchar(20) NOT NULL, return text NOT NULL, id text NOT NULL, success boolean ); CREATE INDEX ON salt_returns (added); CREATE INDEX ON salt_returns (id); CREATE INDEX ON salt_returns (jid); CREATE INDEX ON salt_returns (fun); EOF Required python modules: psycopg2 salt.returners.postgres_local_cache.clean_old_jobs() Clean out the old jobs from the job cache salt.returners.postgres_local_cache.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.postgres_local_cache.get_jids() Return a list of all job ids For master job cache this also formats the output and returns a string salt.returners.postgres_local_cache.get_load(jid) Return the load data that marks a specified jid salt.returners.postgres_local_cache.prep_jid(nocache=False, passed_jid=None) Return a job id and prepare the job id directory This is the function responsible for making sure jids don't collide (unless its passed a jid). So do what you have to do to make sure that stays the case salt.returners.postgres_local_cache.returner(load) Return data to a postgres server salt.returners.postgres_local_cache.save_load(jid, clear_load) Save the load to the specified jid id salt.returners.pushover_returner Return salt data via pushover (http://www.pushover.net) New in version Boron. The following fields can be set in the minion conf file: pushover.user (required) pushover.token (required) pushover.title (optional) pushover.device (optional) pushover.priority (optional) pushover.expire (optional) pushover.retry (optional) pushover.profile (optional) Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: alternative.pushover.user alternative.pushover.token alternative.pushover.title alternative.pushover.device alternative.pushover.priority alternative.pushover.expire alternative.pushover.retry PushOver settings may also be configured as: pushover: user: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx title: Salt Returner device: phone priority: -1 expire: 3600 retry: 5 alternative.pushover: user: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx title: Salt Returner device: phone priority: 1 expire: 4800 retry: 2 pushover_profile: token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx pushover: user: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx profile: pushover_profile alternative.pushover: user: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx profile: pushover_profile To use the PushOver returner, append '--return pushover' to the salt command. ex: .. code-block:: bash salt '*' test.ping --return pushover To use the alternative configuration, append '--return_config alternative' to the salt command. ex: salt '*' test.ping --return pushover --return_config alternative salt.returners.pushover_returner.returner(ret) Send an PushOver message with the data salt.returners.redis_return Return data to a redis server To enable this returner the minion will need the python client for redis installed and the following values configured in the minion or master config, these are the defaults: redis.db: '0' redis.host: 'salt' redis.port: 6379 Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: alternative.redis.db: '0' alternative.redis.host: 'salt' alternative.redis.port: 6379 To use the redis returner, append '--return redis' to the salt command. salt '*' test.ping --return redis To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return redis --return_config alternative salt.returners.redis_return.get_fun(fun) Return a dict of the last function called for all minions salt.returners.redis_return.get_jid(jid) Return the information returned when the specified job id was executed salt.returners.redis_return.get_jids() Return a list of all job ids salt.returners.redis_return.get_load(jid) Return the load data that marks a specified jid salt.returners.redis_return.get_minions() Return a list of minions salt.returners.redis_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.redis_return.returner(ret) Return data to a redis data store salt.returners.redis_return.save_load(jid, load) Save the load to the specified jid salt.returners.sentry_return Salt returner that report execution results back to sentry. The returner will inspect the payload to identify errors and flag them as such. Pillar needs something like: raven: servers: - http://192.168.1.1 - https://sentry.example.com public_key: deadbeefdeadbeefdeadbeefdeadbeef secret_key: beefdeadbeefdeadbeefdeadbeefdead project: 1 tags: - os - master - saltversion - cpuarch and https://pypi.python.org/pypi/raven installed The tags list (optional) specifies grains items that will be used as sentry tags, allowing tagging of events in the sentry ui. salt.returners.sentry_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.sentry_return.returner(ret) Log outcome to sentry. The returner tries to identify errors and report them as such. All other messages will be reported at info level. salt.returners.slack_returner Return salt data via slack New in version 2015.5.0. The following fields can be set in the minion conf file: slack.channel (required) slack.api_key (required) slack.username (required) slack.as_user (required to see the profile picture of your bot) slack.profile (optional) Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: slack.channel slack.api_key slack.username slack.as_user Slack settings may also be configured as: slack: channel: RoomName api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx username: user as_user: true alternative.slack: room_id: RoomName api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx from_name: user@email.com slack_profile: api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx from_name: user@email.com slack: profile: slack_profile channel: RoomName alternative.slack: profile: slack_profile channel: RoomName To use the Slack returner, append '--return slack' to the salt command. salt '*' test.ping --return slack To use the alternative configuration, append '--return_config alternative' to the salt command. salt '*' test.ping --return slack --return_config alternative salt.returners.slack_returner.returner(ret) Send an slack message with the data salt.returners.sms_return Return data by SMS. New in version 2015.5.0. maintainer Damian Myerscough maturity new depends twilio platform all To enable this returner the minion will need the python twilio library installed and the following values configured in the minion or master config: twilio.sid: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' twilio.token: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' twilio.to: '+1415XXXXXXX' twilio.from: '+1650XXXXXXX' To use the sms returner, append '--return sms' to the salt command. salt '*' test.ping --return sms salt.returners.sms_return.returner(ret) Return a response in an SMS message salt.returners.smtp_return Return salt data via email The following fields can be set in the minion conf file. Fields are optional unless noted otherwise. • from (required) The name/address of the email sender. • to (required) The name/address of the email recipient. • host (required) The SMTP server hostname or address. • port The SMTP server port; defaults to 25. • username The username used to authenticate to the server. If specified a password is also required. It is recommended but not required to also use TLS with this option. • password The password used to authenticate to the server. • tls Whether to secure the connection using TLS; defaults to False • subject The email subject line. • fields Which fields from the returned data to include in the subject line of the email; comma-delimited. For example: id,fun. Please note, the subject line is not encrypted. • gpgowner A user's ~/.gpg directory. This must contain a gpg public key matching the address the mail is sent to. If left unset, no encryption will be used. Requires python-gnupg to be installed. • template The path to a file to be used as a template for the email body. • renderer A Salt renderer, or render-pipe, to use to render the email template. Default jinja. Below is an example of the above settings in a Salt Minion configuration file: smtp.from: me@example.net smtp.to: you@example.com smtp.host: localhost smtp.port: 1025 Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location. For example: alternative.smtp.username: saltdev alternative.smtp.password: saltdev alternative.smtp.tls: True To use the SMTP returner, append '--return smtp' to the salt command. salt '*' test.ping --return smtp To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return smtp --return_config alternative An easy way to test the SMTP returner is to use the development SMTP server built into Python. The command below will start a single-threaded SMTP server that prints any email it receives to the console. python -m smtpd -n -c DebuggingServer localhost:1025 salt.returners.smtp_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.smtp_return.returner(ret) Send an email with the data salt.returners.sqlite3 Insert minion return data into a sqlite3 database maintainer Mickey Malone <mickey.malone@gmail.com> maturity New depends None platform All Sqlite3 is a serverless database that lives in a single file. In order to use this returner the database file must exist, have the appropriate schema defined, and be accessible to the user whom the minion process is running as. This returner requires the following values configured in the master or minion config: returner.sqlite3.database: /usr/lib/salt/salt.db returner.sqlite3.timeout: 5.0 Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: alternative.returner.sqlite3.database: /usr/lib/salt/salt.db alternative.returner.sqlite3.timeout: 5.0 Use the commands to create the sqlite3 database and tables: sqlite3 /usr/lib/salt/salt.db << EOF -- -- Table structure for table 'jids' -- CREATE TABLE jids ( jid TEXT PRIMARY KEY, load TEXT NOT NULL ); -- -- Table structure for table 'salt_returns' -- CREATE TABLE salt_returns ( fun TEXT KEY, jid TEXT KEY, id TEXT KEY, fun_args TEXT, date TEXT NOT NULL, full_ret TEXT NOT NULL, success TEXT NOT NULL ); EOF To use the sqlite returner, append '--return sqlite3' to the salt command. salt '*' test.ping --return sqlite3 To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return sqlite3 --return_config alternative salt.returners.sqlite3_return.get_fun(fun) Return a dict of the last function called for all minions salt.returners.sqlite3_return.get_jid(jid) Return the information returned from a specified jid salt.returners.sqlite3_return.get_jids() Return a list of all job ids salt.returners.sqlite3_return.get_load(jid) Return the load from a specified jid salt.returners.sqlite3_return.get_minions() Return a list of minions salt.returners.sqlite3_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.sqlite3_return.returner(ret) Insert minion return data into the sqlite3 database salt.returners.sqlite3_return.save_load(jid, load) Save the load to the specified jid salt.returners.syslog_return Return data to the host operating system's syslog facility Required python modules: syslog, json The syslog returner simply reuses the operating system's syslog facility to log return data To use the syslog returner, append '--return syslog' to the salt command. salt '*' test.ping --return syslog NOTE: Syslog server implementations may have limits on the maximum record size received by the client. This may lead to job return data being truncated in the syslog server's logs. For example, for rsyslog on RHEL-based systems, the default maximum record size is approximately 2KB (which return data can easily exceed). This is configurable in rsyslog.conf via the $MaxMessageSize config parameter. Please consult your syslog implmentation's documentation to determine how to adjust this limit. salt.returners.syslog_return.prep_jid(nocache=False, passed_jid=None) Do any work necessary to prepare a JID, including sending a custom id salt.returners.syslog_return.returner(ret) Return data to the local syslog salt.returners.xmpp_return Return salt data via xmpp The following fields can be set in the minion conf file: xmpp.jid (required) xmpp.password (required) xmpp.recipient (required) xmpp.profile (optional) Alternative configuration values can be used by prefacing the configuration. Any values not found in the alternative configuration will be pulled from the default location: xmpp.jid xmpp.password xmpp.recipient xmpp.profile XMPP settings may also be configured as: xmpp: jid: user@xmpp.domain.com/resource password: password recipient: user@xmpp.example.com alternative.xmpp: jid: user@xmpp.domain.com/resource password: password recipient: someone@xmpp.example.com xmpp_profile: jid: user@xmpp.domain.com/resource password: password xmpp: profile: xmpp_profile recipient: user@xmpp.example.com alternative.xmpp: profile: xmpp_profile recipient: someone-else@xmpp.example.com To use the XMPP returner, append '--return xmpp' to the salt command. salt '*' test.ping --return xmpp To use the alternative configuration, append '--return_config alternative' to the salt command. New in version 2015.5.0. salt '*' test.ping --return xmpp --return_config alternative class salt.returners.xmpp_return.SendMsgBot(jid, password, recipient, msg) start(event) salt.returners.xmpp_return.returner(ret) Send an xmpp message with the data Full list of builtin roster modules ┌─────────────┬──────────────────────────────────┐ │ansible │ Read in an Ansible inventory │ │ │ file or script │ ├─────────────┼──────────────────────────────────┤ │cache │ Use the minion cache on the │ │ │ master to derive IP addresses │ │ │ based on minion ID. │ ├─────────────┼──────────────────────────────────┤ │cloud │ Use the cloud cache on the │ │ │ master to derive IPv4 addresses │ │ │ based on minion ID. │ ├─────────────┼──────────────────────────────────┤ │clustershell │ This roster resolves hostname in │ │ │ a pdsh/clustershell style. │ ├─────────────┼──────────────────────────────────┤ │flat │ Read in the roster from a flat │ │ │ file using the renderer system │ ├─────────────┼──────────────────────────────────┤ │scan │ Scan a netmask or ipaddr for │ │ │ open ssh ports │ └─────────────┴──────────────────────────────────┘ salt.roster.ansible Read in an Ansible inventory file or script Flat inventory files should be in the regular ansible inventory format. [servers] salt.gtmanfred.com ansible_ssh_user=gtmanfred ansible_ssh_host=127.0.0.1 ansible_ssh_port=22 ansible_ssh_pass='password' [desktop] home ansible_ssh_user=gtmanfred ansible_ssh_host=12.34.56.78 ansible_ssh_port=23 ansible_ssh_pass='password' [computers:children] desktop servers [names:vars] http_port=80 then salt-ssh can be used to hit any of them [~]# salt-ssh all test.ping salt.gtmanfred.com: True home: True [~]# salt-ssh desktop test.ping home: True [~]# salt-ssh computers test.ping salt.gtmanfred.com: True home: True [~]# salt-ssh salt.gtmanfred.com test.ping salt.gtmanfred.com: True There is also the option of specifying a dynamic inventory, and generating it on the fly #!/bin/bash echo '{ "servers": { "hosts": [ "salt.gtmanfred.com" ] }, "desktop": { "hosts": [ "home" ] }, "computers": { "hosts":{}, "children": [ "desktop", "servers" ] }, "_meta": { "hostvars": { "salt.gtmanfred.com": { "ansible_ssh_user": "gtmanfred", "ansible_ssh_host": "127.0.0.1", "ansible_sudo_pass": "password", "ansible_ssh_port": 22 }, "home": { "ansible_ssh_user": "gtmanfred", "ansible_ssh_host": "12.34.56.78", "ansible_sudo_pass": "password", "ansible_ssh_port": 23 } } } }' This is the format that an inventory script needs to output to work with ansible, and thus here. [~]# salt-ssh --roster-file /etc/salt/hosts salt.gtmanfred.com test.ping salt.gtmanfred.com: True Any of the [groups] or direct hostnames will return. The 'all' is special, and returns everything. class salt.roster.ansible.Inventory(tgt, tgt_type='glob', inventory_file='/etc/salt/roster') Matcher for static inventory files class salt.roster.ansible.Script(tgt, tgt_type='glob', inventory_file='/etc/salt/roster') Matcher for Inventory scripts class salt.roster.ansible.Target get_glob() Return minions that match via glob targets() Execute the correct tgt_type routine and return salt.roster.ansible.targets(tgt, tgt_type='glob', **kwargs) Return the targets from the ansible inventory_file Default: /etc/salt/roster salt.roster.cache Use the minion cache on the master to derive IP addresses based on minion ID. Currently only contains logic to return an IPv4 address; does not handle IPv6, or authentication (passwords, keys, etc). It is possible to configure this roster to prefer a particular type of IP over another. To configure the order, set the roster_order in the master config file. The default for this is: roster_order: - public - private - local salt.roster.cache.extract_ipv4(roster_order, ipv4) Extract the preferred IP address from the ipv4 grain salt.roster.cache.targets(tgt, tgt_type='glob', **kwargs) Return the targets from the flat yaml file, checks opts for location but defaults to /etc/salt/roster salt.roster.cloud Use the cloud cache on the master to derive IPv4 addresses based on minion ID. This roster requires that the minion in question was created using at least the 2015.5.0 version of Salt Cloud. Starting with the 2015.5.0 release, Salt Cloud maintains an index of minions that it creates and deletes. This index tracks the provider and profile configuration used to provision the minion, including authentication information. So long as this configuration remains current, it can be used by Salt SSH to log into any minion in the index. To connect as a user other than root, modify the cloud configuration file usually located at /etc/salt/cloud. For example, add the following: ssh_username: my_user sudo: True salt.roster.cloud.extract_ipv4(roster_order, ipv4) Extract the preferred IP address from the ipv4 grain salt.roster.cloud.targets(tgt, tgt_type='glob', **kwargs) Return the targets from the flat yaml file, checks opts for location but defaults to /etc/salt/roster salt.roster.clustershell This roster resolves hostname in a pdsh/clustershell style. depends clustershell, https://github.com/cea-hpc/clustershell When you want to use host globs for target matching, use --roster clustershell. For example: salt-ssh --roster clustershell 'server_[1-10,21-30],test_server[5,7,9]' test.ping salt.roster.clustershell.targets(tgt, tgt_type='glob', **kwargs) Return the targets salt.roster.flat Read in the roster from a flat file using the renderer system class salt.roster.flat.RosterMatcher(raw, tgt, tgt_type, ipv='ipv4') Matcher for the roster data structure get_data(minion) Return the configured ip ret_glob_minions() Return minions that match via glob ret_list_minions() Return minions that match via list ret_nodegroup_minions() Return minions which match the special list-only groups defined by ssh_list_nodegroups ret_pcre_minions() Return minions that match via pcre ret_range_minions() Return minions that are returned by a range query targets() Execute the correct tgt_type routine and return salt.roster.flat.targets(tgt, tgt_type='glob', **kwargs) Return the targets from the flat yaml file, checks opts for location but defaults to /etc/salt/roster salt.roster.scan Scan a netmask or ipaddr for open ssh ports class salt.roster.scan.RosterMatcher(tgt, tgt_type) Matcher for the roster data structure targets() Return ip addrs based on netmask, sitting in the "glob" spot because it is the default salt.roster.scan.targets(tgt, tgt_type='glob', **kwargs) Return the targets from the flat yaml file, checks opts for location but defaults to /etc/salt/roster Salt Runners Salt runners are convenience applications executed with the salt-run command. Salt runners work similarly to Salt execution modules however they execute on the Salt master itself instead of remote Salt minions. A Salt runner can be a simple client call or a complex application. SEE ALSO: The full list of runners Full list of runner modules ┌───────────┬──────────────────────────────────┐ │cache │ Return cached data from minions │ ├───────────┼──────────────────────────────────┤ │cloud │ The Salt Cloud Runner │ ├───────────┼──────────────────────────────────┤ │doc │ A runner module to collect and │ │ │ display the inline documentation │ │ │ from the │ ├───────────┼──────────────────────────────────┤ │drac │ Manage Dell DRAC from the Master │ ├───────────┼──────────────────────────────────┤ │error │ Error generator to enable │ │ │ integration testing of salt │ │ │ runner error handling │ ├───────────┼──────────────────────────────────┤ │f5 │ Runner to provide F5 Load │ │ │ Balancer functionality │ ├───────────┼──────────────────────────────────┤ │fileserver │ Directly manage the Salt │ │ │ fileserver plugins │ ├───────────┼──────────────────────────────────┤ │git_pillar │ Runner module to directly manage │ │ │ the git external pillar │ ├───────────┼──────────────────────────────────┤ │http │ Module for making various web │ │ │ calls. │ ├───────────┼──────────────────────────────────┤ │jobs │ A convenience system to manage │ │ │ jobs, both active and already │ │ │ run │ ├───────────┼──────────────────────────────────┤ │launchd │ Manage launchd plist files │ ├───────────┼──────────────────────────────────┤ │lxc │ Control Linux Containers via │ │ │ Salt │ ├───────────┼──────────────────────────────────┤ │manage │ General management functions for │ │ │ salt, tools like seeing what │ │ │ hosts are up │ ├───────────┼──────────────────────────────────┤ │mine │ A runner to access data from the │ │ │ salt mine │ ├───────────┼──────────────────────────────────┤ │nacl │ This runner helps create │ │ │ encrypted passwords that can be │ │ │ included in pillars. │ ├───────────┼──────────────────────────────────┤ │network │ Network tools to run from the │ │ │ Master │ ├───────────┼──────────────────────────────────┤ │pagerduty │ Runner Module for Firing Events │ │ │ via PagerDuty │ ├───────────┼──────────────────────────────────┤ │pillar │ Functions to interact with the │ │ │ pillar compiler on the master │ ├───────────┼──────────────────────────────────┤ │pkg │ Package helper functions using │ │ │ salt.modules.pkg │ ├───────────┼──────────────────────────────────┤ │queue │ General management and │ │ │ processing of queues. │ ├───────────┼──────────────────────────────────┤ │sdb │ Runner for setting and querying │ │ │ data via the sdb API on the │ │ │ master │ ├───────────┼──────────────────────────────────┤ │ssh │ A Runner module interface on top │ │ │ of the salt-ssh Python API. │ ├───────────┼──────────────────────────────────┤ │search │ Runner frontend to search system │ ├───────────┼──────────────────────────────────┤ │state │ Execute orchestration functions │ ├───────────┼──────────────────────────────────┤ │survey │ A general map/reduce style salt │ │ │ runner for aggregating results │ │ │ returned by several different │ │ │ minions. │ ├───────────┼──────────────────────────────────┤ │test │ This runner is used only for │ │ │ test purposes and servers no │ │ │ production purpose │ ├───────────┼──────────────────────────────────┤ │thin │ The thin runner is used to │ │ │ manage the salt thin systems. │ ├───────────┼──────────────────────────────────┤ │virt │ Control virtual machines via │ │ │ Salt │ ├───────────┼──────────────────────────────────┤ │winrepo │ Runner to manage Windows │ │ │ software repo │ └───────────┴──────────────────────────────────┘ salt.runners.cache Return cached data from minions salt.runners.cache.clear_all(tgt=None, expr_form='glob') Clear the cached pillar, grains, and mine data of the targeted minions CLI Example: salt-run cache.clear_all salt.runners.cache.clear_git_lock(role, remote=None, **kwargs) New in version 2015.8.2. Remove the update locks for Salt components (gitfs, git_pillar, winrepo) which use gitfs backend code from salt.utils.gitfs. NOTE: Running cache.clear_all will not include this function as it does for pillar, grains, and mine. Additionally, executing this function with a role of gitfs is equivalent to running salt-run fileserver.clear_lock backend=git. role Which type of lock to remove (gitfs, git_pillar, or winrepo) remote If specified, then any remotes which contain the passed string will have their lock cleared. For example, a remote value of github will remove the lock from all github.com remotes. type update,checkout The types of lock to clear. Can be update, checkout, or both of et (either comma-separated or as a Python list). New in version 2015.8.8. CLI Example: salt-run cache.clear_git_lock git_pillar salt.runners.cache.clear_grains(tgt=None, expr_form='glob') Clear the cached grains data of the targeted minions CLI Example: salt-run cache.clear_grains salt.runners.cache.clear_mine(tgt=None, expr_form='glob') Clear the cached mine data of the targeted minions CLI Example: salt-run cache.clear_mine salt.runners.cache.clear_mine_func(tgt=None, expr_form='glob', clear_mine_func_flag=None) Clear the cached mine function data of the targeted minions CLI Example: salt-run cache.clear_mine_func tgt='*' clear_mine_func_flag='network.interfaces' salt.runners.cache.clear_pillar(tgt=None, expr_form='glob') Clear the cached pillar data of the targeted minions CLI Example: salt-run cache.clear_pillar salt.runners.cache.grains(tgt=None, expr_form='glob', outputter=None, **kwargs) Return cached grains of the targeted minions CLI Example: salt-run cache.grains salt.runners.cache.mine(tgt=None, expr_form='glob', outputter=None, **kwargs) Return cached mine data of the targeted minions CLI Example: salt-run cache.mine salt.runners.cache.pillar(tgt=None, expr_form='glob', outputter=None, **kwargs) Return cached pillars of the targeted minions CLI Example: salt-run cache.pillar salt.runners.cloud The Salt Cloud Runner This runner wraps the functionality of salt cloud making salt cloud routines available to all internal apis via the runner system salt.runners.cloud.action(func=None, cloudmap=None, instances=None, provider=None, instance=None, **kwargs) Execute a single action on the given map/provider/instance CLI Example: salt-run cloud.actions start my-salt-vm salt.runners.cloud.create(provider, instances, **kwargs) Create an instance using Salt Cloud CLI Example: salt-run cloud.create my-ec2-config myinstance image=ami-1624987f size='t1.micro' ssh_username=ec2-user securitygroup=default delvol_on_destroy=True salt.runners.cloud.destroy(instances) Destroy the named vm(s) salt.runners.cloud.full_query(query_type='list_nodes_full') List all available cloud provider data salt.runners.cloud.list_images(provider='all') List cloud provider images for the given providers salt.runners.cloud.list_locations(provider='all') List cloud provider sizes for the given providers salt.runners.cloud.list_sizes(provider='all') List cloud provider sizes for the given providers salt.runners.cloud.map_run(path, **kwargs) Execute a salt cloud map file salt.runners.cloud.profile(prof=None, instances=None, **kwargs) Create a cloud vm with the given profile and instances, instances can be a list or comma-delimited string CLI Example: salt-run cloud.profile prof=my-ec2 instances=node1,node2,node3 salt.runners.cloud.query(query_type='list_nodes') List cloud provider data for all providers salt.runners.cloud.select_query(query_type='list_nodes_select') List selected nodes salt.runners.doc A runner module to collect and display the inline documentation from the various module types salt.runners.doc.execution() Collect all the sys.doc output from each minion and return the aggregate CLI Example: salt-run doc.execution salt.runners.doc.runner() Return all inline documentation for runner modules CLI Example: salt-run doc.runner salt.runners.doc.wheel() Return all inline documentation for wheel modules CLI Example: salt-run doc.wheel salt.runners.drac Manage Dell DRAC from the Master The login credentials need to be configured in the Salt master configuration file. salt.runners.drac.poweroff(hostname, timeout=20) Power server off CLI Example: salt-run drac.poweroff example.com salt.runners.drac.poweron(hostname, timeout=20) Power server on CLI Example: salt-run drac.poweron example.com salt.runners.drac.pxe(hostname, timeout=20) Connect to the Dell DRAC and have the boot order set to PXE and power cycle the system to PXE boot CLI Example: salt-run drac.pxe example.com salt.runners.drac.reboot(hostname, timeout=20) Reboot a server using the Dell DRAC CLI Example: salt-run drac.reboot example.com salt.runners.drac.version(hostname, timeout=20) Display the version of DRAC CLI Example: salt-run drac.version example.com salt.runners.error Error generator to enable integration testing of salt runner error handling salt.runners.error.error(name=None, message='') If name is None Then return empty dict Otherwise raise an exception with __name__ from name, message from message CLI Example: salt-run error salt-run error.error name="Exception" message="This is an error." salt.runners.f5 Runner to provide F5 Load Balancer functionality depends • pycontrol Python module configuration In order to connect to a F5 Load Balancer, you must specify in the Salt master configuration the currently avilable load balancers load_balancers: bigip1.example.com username: admin password: secret bigip2.example.com: username: admin password: secret class salt.runners.f5.F5Mgmt(lb, username, password) add_pool_member(name, port, pool_name) Add a node to a pool check_member_pool(member, pool_name) Check a pool member exists in a specific pool check_pool(name) Check to see if a pool exists check_virtualserver(name) Check to see if a virtual server exists create_pool(name, method='ROUND_ROBIN') Create a pool on the F5 load balancer create_vs(name, ip, port, protocol, profile, pool_name) Create a virtual server lbmethods() List all the load balancer methods salt.runners.f5.add_pool_member(lb, name, port, pool_name) Add a node to a pool CLI Examples: salt-run f5.add_pool_member load_balancer 10.0.0.1 80 my_pool salt.runners.f5.check_member_pool(lb, member, pool_name) Check a pool member exists in a specific pool CLI Examples: salt-run f5.check_member_pool load_balancer 10.0.0.1 my_pool salt.runners.f5.check_pool(lb, name) Check to see if a pool exists CLI Examples: salt-run f5.check_pool load_balancer pool_name salt.runners.f5.check_virtualserver(lb, name) Check to see if a virtual server exists CLI Examples: salt-run f5.check_virtualserver load_balancer virtual_server salt.runners.f5.create_pool(lb, name, method='ROUND_ROBIN') Create a pool on the F5 load balancer CLI Examples: salt-run f5.create_pool load_balancer pool_name loadbalance_method salt-run f5.create_pool load_balancer my_pool ROUND_ROBIN salt.runners.f5.create_vs(lb, name, ip, port, protocol, profile, pool_name) Create a virtual server CLI Examples: salt-run f5.create_vs lbalancer vs_name 10.0.0.1 80 tcp http poolname salt.runners.fileserver Directly manage the Salt fileserver plugins salt.runners.fileserver.clear_cache(backend=None) New in version 2015.5.0. Clear the fileserver cache from VCS fileserver backends (git, hg, svn). Executing this runner with no arguments will clear the cache for all enabled VCS fileserver backends, but this can be narrowed using the backend argument. backend Only clear the update lock for the specified backend(s). If all passed backends start with a minus sign (-), then these backends will be excluded from the enabled backends. However, if there is a mix of backends with and without a minus sign (ex: backend=-roots,git) then the ones starting with a minus sign will be disregarded. CLI Example: salt-run fileserver.clear_cache salt-run fileserver.clear_cache backend=git,hg salt-run fileserver.clear_cache hg salt-run fileserver.clear_cache -roots salt.runners.fileserver.clear_lock(backend=None, remote=None) New in version 2015.5.0. Clear the fileserver update lock from VCS fileserver backends (git, hg, svn). This should only need to be done if a fileserver update was interrupted and a remote is not updating (generating a warning in the Master's log file). Executing this runner with no arguments will remove all update locks from all enabled VCS fileserver backends, but this can be narrowed by using the following arguments: backend Only clear the update lock for the specified backend(s). remote If specified, then any remotes which contain the passed string will have their lock cleared. For example, a remote value of github will remove the lock from all github.com remotes. CLI Example: salt-run fileserver.clear_lock salt-run fileserver.clear_lock backend=git,hg salt-run fileserver.clear_lock backend=git remote=github salt-run fileserver.clear_lock remote=bitbucket salt.runners.fileserver.dir_list(saltenv='base', backend=None, outputter=None) Return a list of directories in the given environment saltenv base The salt fileserver environment to be listed backend Narrow fileserver backends to a subset of the enabled ones. If all passed backends start with a minus sign (-), then these backends will be excluded from the enabled backends. However, if there is a mix of backends with and without a minus sign (ex: backend=-roots,git) then the ones starting with a minus sign will be disregarded. New in version 2015.5.0. CLI Example: salt-run fileserver.dir_list salt-run fileserver.dir_list saltenv=prod salt-run fileserver.dir_list saltenv=dev backend=git salt-run fileserver.dir_list base hg,roots salt-run fileserver.dir_list -git salt.runners.fileserver.empty_dir_list(saltenv='base', backend=None, outputter=None) New in version 2015.5.0. Return a list of empty directories in the given environment saltenv base The salt fileserver environment to be listed backend Narrow fileserver backends to a subset of the enabled ones. If all passed backends start with a minus sign (-), then these backends will be excluded from the enabled backends. However, if there is a mix of backends with and without a minus sign (ex: backend=-roots,git) then the ones starting with a minus sign will be disregarded. NOTE: Some backends (such as git and hg) do not support empty directories. So, passing backend=git or backend=hg will result in an empty list being returned. CLI Example: salt-run fileserver.empty_dir_list salt-run fileserver.empty_dir_list saltenv=prod salt-run fileserver.empty_dir_list backend=roots salt.runners.fileserver.envs(backend=None, sources=False, outputter=None) Return the available fileserver environments. If no backend is provided, then the environments for all configured backends will be returned. backend Narrow fileserver backends to a subset of the enabled ones. Changed in version 2015.5.0: If all passed backends start with a minus sign (-), then these backends will be excluded from the enabled backends. However, if there is a mix of backends with and without a minus sign (ex: backend=-roots,git) then the ones starting with a minus sign will be disregarded. Additionally, fileserver backends can now be passed as a comma-separated list. In earlier versions, they needed to be passed as a python list (ex: backend="['roots', 'git']") CLI Example: salt-run fileserver.envs salt-run fileserver.envs backend=roots,git salt-run fileserver.envs git salt.runners.fileserver.file_list(saltenv='base', backend=None, outputter=None) Return a list of files from the salt fileserver saltenv base The salt fileserver environment to be listed backend Narrow fileserver backends to a subset of the enabled ones. If all passed backends start with a minus sign (-), then these backends will be excluded from the enabled backends. However, if there is a mix of backends with and without a minus sign (ex: backend=-roots,git) then the ones starting with a minus sign will be disregarded. New in version 2015.5.0. CLI Examples: salt-run fileserver.file_list salt-run fileserver.file_list saltenv=prod salt-run fileserver.file_list saltenv=dev backend=git salt-run fileserver.file_list base hg,roots salt-run fileserver.file_list -git salt.runners.fileserver.lock(backend=None, remote=None) New in version 2015.5.0. Set a fileserver update lock for VCS fileserver backends (git, hg, svn). NOTE: This will only operate on enabled backends (those configured in fileserver_backend). backend Only set the update lock for the specified backend(s). remote If not None, then any remotes which contain the passed string will have their lock cleared. For example, a remote value of *github.com* will remove the lock from all github.com remotes. CLI Example: salt-run fileserver.lock salt-run fileserver.lock backend=git,hg salt-run fileserver.lock backend=git remote='*github.com*' salt-run fileserver.lock remote=bitbucket salt.runners.fileserver.symlink_list(saltenv='base', backend=None, outputter=None) Return a list of symlinked files and dirs saltenv base The salt fileserver environment to be listed backend Narrow fileserver backends to a subset of the enabled ones. If all passed backends start with a minus sign (-), then these backends will be excluded from the enabled backends. However, if there is a mix of backends with and without a minus sign (ex: backend=-roots,git) then the ones starting with a minus sign will be disregarded. New in version 2015.5.0. CLI Example: salt-run fileserver.symlink_list salt-run fileserver.symlink_list saltenv=prod salt-run fileserver.symlink_list saltenv=dev backend=git salt-run fileserver.symlink_list base hg,roots salt-run fileserver.symlink_list -git salt.runners.fileserver.update(backend=None) Update the fileserver cache. If no backend is provided, then the cache for all configured backends will be updated. backend Narrow fileserver backends to a subset of the enabled ones. Changed in version 2015.5.0: If all passed backends start with a minus sign (-), then these backends will be excluded from the enabled backends. However, if there is a mix of backends with and without a minus sign (ex: backend=-roots,git) then the ones starting with a minus sign will be disregarded. Additionally, fileserver backends can now be passed as a comma-separated list. In earlier versions, they needed to be passed as a python list (ex: backend="['roots', 'git']") CLI Example: salt-run fileserver.update salt-run fileserver.update backend=roots,git salt.runners.git_pillar Runner module to directly manage the git external pillar salt.runners.git_pillar.update(branch=None, repo=None) New in version 2014.1.0. Changed in version 2015.8.4: This runner function now supports the new git_pillar configuration schema introduced in 2015.8.0. Additionally, the branch and repo can now be omitted to update all git_pillar remotes. The return data has also changed. For releases 2015.8.3 and earlier, there is no value returned. Starting with 2015.8.4, the return data is a dictionary. If using the old git_pillar configuration schema, then the dictionary values will be True if the update completed without error, and False if an error occurred. If using the new git_pillar configuration schema, the values will be True only if new commits were fetched, and False if there were errors or no new commits were fetched. Update one or all configured git_pillar remotes. CLI Example: # Update specific branch and repo salt-run git_pillar.update branch='branch' repo='https://foo.com/bar.git' # Update all repos (2015.8.4 and later) salt-run git_pillar.update # Run with debug logging salt-run git_pillar.update -l debug salt.runners.http Module for making various web calls. Primarily designed for webhooks and the like, but also useful for basic http testing. New in version 2015.5.0. salt.runners.http.query(url, output=True, **kwargs) Query a resource, and decode the return data New in version 2015.5.0. CLI Example: salt-run http.query http://somelink.com/ salt-run http.query http://somelink.com/ method=POST params='key1=val1&key2=val2' salt-run http.query http://somelink.com/ method=POST data='<xml>somecontent</xml>' salt.runners.http.update_ca_bundle(target=None, source=None, merge_files=None) Update the local CA bundle file from a URL New in version 2015.5.0. CLI Example: salt-run http.update_ca_bundle salt-run http.update_ca_bundle target=/path/to/cacerts.pem salt-run http.update_ca_bundle source=https://example.com/cacerts.pem If the target is not specified, it will be pulled from the ca_cert configuration variable available to the master. If it cannot be found there, it will be placed at <<FILE_ROOTS>>/cacerts.pem. If the source is not specified, it will be pulled from the ca_cert_url configuration variable available to the master. If it cannot be found, it will be downloaded from the cURL website, using an http (not https) URL. USING THE DEFAULT URL SHOULD BE AVOIDED! merge_files may also be specified, which includes a string or list of strings representing a file or files to be appended to the end of the CA bundle, once it is downloaded. CLI Example: salt-run http.update_ca_bundle merge_files=/path/to/mycert.pem salt.runners.jobs A convenience system to manage jobs, both active and already run salt.runners.jobs.active(outputter=None, display_progress=False) Return a report on all actively running jobs from a job id centric perspective CLI Example: salt-run jobs.active salt.runners.jobs.last_run(ext_source=None, outputter=None, metadata=None, function=None, target=None, display_progress=False) New in version 2015.8.0. List all detectable jobs and associated functions CLI Example: salt-run jobs.last_run salt-run jobs.last_run target=nodename salt-run jobs.last_run function='cmd.run' salt-run jobs.last_run metadata="{'foo': 'bar'}" salt.runners.jobs.list_job(jid, ext_source=None, outputter=None, display_progress=False) List a specific job given by its jid ext_source If provided, specifies which external job cache to use. display_progress False If True, fire progress events. New in version 2015.8.8. CLI Example: salt-run jobs.list_job 20130916125524463507 salt-run jobs.list_job 20130916125524463507 --out=pprint salt.runners.jobs.list_jobs(ext_source=None, outputter=None, search_metadata=None, search_function=None, search_target=None, start_time=None, end_time=None, display_progress=False) List all detectable jobs and associated functions ext_source If provided, specifies which external job cache to use. FILTER OPTIONS NOTE: If more than one of the below options are used, only jobs which match all of the filters will be returned. search_metadata Specify a dictionary to match to the job's metadata. If any of the key-value pairs in this dictionary match, the job will be returned. Example: salt-run jobs.list_jobs search_metadata='{"foo": "bar", "baz": "qux"}' search_function Can be passed as a string or a list. Returns jobs which match the specified function. Globbing is allowed. Example: salt-run jobs.list_jobs search_function='test.*' salt-run jobs.list_jobs search_function='["test.*", "pkg.install"]' Changed in version 2015.8.8: Multiple targets can now also be passed as a comma-separated list. For example: salt-run jobs.list_jobs search_function='test.*,pkg.install' search_target Can be passed as a string or a list. Returns jobs which match the specified minion name. Globbing is allowed. Example: salt-run jobs.list_jobs search_target='*.mydomain.tld' salt-run jobs.list_jobs search_target='["db*", "myminion"]' Changed in version 2015.8.8: Multiple targets can now also be passed as a comma-separated list. For example: salt-run jobs.list_jobs search_target='db*,myminion' start_time Accepts any timestamp supported by the dateutil Python module (if this module is not installed, this argument will be ignored). Returns jobs which started after this timestamp. end_time Accepts any timestamp supported by the dateutil Python module (if this module is not installed, this argument will be ignored). Returns jobs which started before this timestamp. CLI Example: salt-run jobs.list_jobs salt-run jobs.list_jobs search_function='test.*' search_target='localhost' search_metadata='{"bar": "foo"}' salt-run jobs.list_jobs start_time='2015, Mar 16 19:00' end_time='2015, Mar 18 22:00' salt.runners.jobs.list_jobs_filter(count, filter_find_job=True, ext_source=None, outputter=None, display_progress=False) List all detectable jobs and associated functions ext_source The external job cache to use. Default: None. CLI Example: salt-run jobs.list_jobs_filter 50 salt-run jobs.list_jobs_filter 100 filter_find_job=False salt.runners.jobs.lookup_jid(jid, ext_source=None, returned=True, missing=False, outputter=None, display_progress=False) Return the printout from a previously executed job jid The jid to look up. ext_source The external job cache to use. Default: None. returned True If True, include the minions that did return from the command. New in version 2015.8.0. missing False If True, include the minions that did not return from the command. display_progress False If True, fire progress events. New in version 2015.5.0. CLI Example: salt-run jobs.lookup_jid 20130916125524463507 salt-run jobs.lookup_jid 20130916125524463507 --out=highstate salt.runners.jobs.print_job(jid, ext_source=None, outputter=None) Print a specific job's detail given by it's jid, including the return data. CLI Example: salt-run jobs.print_job 20130916125524463507 salt.runners.launchd Manage launchd plist files salt.runners.launchd.write_launchd_plist(program) Write a launchd plist for managing salt-master or salt-minion CLI Example: salt-run launchd.write_launchd_plist salt-master salt.runners.lxc Control Linux Containers via Salt depends lxc execution module salt.runners.lxc.cloud_init(names, host=None, quiet=False, **kwargs) Wrapper for using lxc.init in saltcloud compatibility mode names Name of the containers, supports a single name or a comma delimited list of names. host Minion to start the container on. Required. path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. saltcloud_mode init the container with the saltcloud opts format instead salt.runners.lxc.find_guest(name, quiet=False, path=None) Returns the host for a container. path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. salt-run lxc.find_guest name salt.runners.lxc.find_guests(names, path=None) Return a dict of hosts and named guests path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. salt.runners.lxc.freeze(name, quiet=False, path=None) Freeze the named container path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. salt-run lxc.freeze name salt.runners.lxc.info(name, quiet=False, path=None) Returns information about a container. path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. salt-run lxc.info name salt.runners.lxc.init(names, host=None, saltcloud_mode=False, quiet=False, **kwargs) Initialize a new container salt-run lxc.init name host=minion_id [cpuset=cgroups_cpuset] \ [cpushare=cgroups_cpushare] [memory=cgroups_memory] \ [template=lxc_template_name] [clone=original name] \ [profile=lxc_profile] [network_proflile=network_profile] \ [nic=network_profile] [nic_opts=nic_opts] \ [start=(true|false)] [seed=(true|false)] \ [install=(true|false)] [config=minion_config] \ [snapshot=(true|false)] names Name of the containers, supports a single name or a comma delimited list of names. host Minion on which to initialize the container (required) path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. saltcloud_mode init the container with the saltcloud opts format instead See lxc.init_interface module documentation cpuset cgroups cpuset. cpushare cgroups cpu shares. memory cgroups memory limit, in MB Changed in version 2015.5.0: If no value is passed, no limit is set. In earlier Salt versions, not passing this value causes a 1024MB memory limit to be set, and it was necessary to pass memory=0 to set no limit. template Name of LXC template on which to base this container clone Clone this container from an existing container profile A LXC profile (defined in config or pillar). network_profile Network profile to use for the container New in version 2015.5.2. nic Deprecated since version 2015.5.0: Use network_profile instead nic_opts Extra options for network interfaces. E.g.: {"eth0": {"mac": "aa:bb:cc:dd:ee:ff", "ipv4": "10.1.1.1", "ipv6": "2001:db8::ff00:42:8329"}} start Start the newly created container. seed Seed the container with the minion config and autosign its key. Default: true install If salt-minion is not already installed, install it. Default: true config Optional config parameters. By default, the id is set to the name of the container. salt.runners.lxc.list(host=None, quiet=False, path=None) List defined containers (running, stopped, and frozen) for the named (or all) host(s). path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. salt-run lxc.list [host=minion_id] salt.runners.lxc.purge(name, delete_key=True, quiet=False, path=None) Purge the named container and delete its minion key if present. WARNING: Destroys all data associated with the container. path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. salt-run lxc.purge name salt.runners.lxc.start(name, quiet=False, path=None) Start the named container. path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. salt-run lxc.start name salt.runners.lxc.stop(name, quiet=False, path=None) Stop the named container. path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. salt-run lxc.stop name salt.runners.lxc.unfreeze(name, quiet=False, path=None) Unfreeze the named container path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. salt-run lxc.unfreeze name salt.runners.manage General management functions for salt, tools like seeing what hosts are up and what hosts are down salt.runners.manage.alived(subset=None, show_ipv4=False) New in version 2015.8.0. Print a list of all minions that are up according to Salt's presence detection (no commands will be sent to minions) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. CLI Example: salt-run manage.alived salt.runners.manage.allowed(subset=None, show_ipv4=False) New in version 2015.8.0. Print a list of all minions that are up according to Salt's presence detection (no commands will be sent to minions) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. CLI Example: salt-run manage.allowed salt.runners.manage.bootstrap(version='develop', script=None, hosts='', root_user=True) Bootstrap minions with salt-bootstrap version develop Git tag of version to install script https://bootstrap.saltstack.com Script to execute hosts Comma-separated hosts [example: hosts='host1.local,host2.local'] root_user True Prepend root@ to each host. CLI Example: salt-run manage.bootstrap hosts='host1,host2' salt-run manage.bootstrap hosts='host1,host2' version='v0.17' salt-run manage.bootstrap hosts='host1,host2' version='v0.17' script='https://bootstrap.saltstack.com/develop' salt-run manage.bootstrap hosts='ec2-user@host1,ec2-user@host2' root_user=False salt.runners.manage.bootstrap_psexec(hosts='', master=None, version=None, arch='win32', installer_url=None, username=None, password=None) Bootstrap Windows minions via PsExec. hosts Comma separated list of hosts to deploy the Windows Salt minion. master Address of the Salt master passed as an argument to the installer. version Point release of installer to download. Defaults to the most recent. arch Architecture of installer to download. Defaults to win32. installer_url URL of minion installer executable. Defaults to the latest version from https://repo.saltstack.com/windows/ username Optional user name for login on remote computer. password Password for optional username. If omitted, PsExec will prompt for one to be entered for each host. CLI Example: salt-run manage.bootstrap_psexec hosts='host1,host2' salt-run manage.bootstrap_psexec hosts='host1,host2' version='0.17' username='DOMAIN\Administrator' salt-run manage.bootstrap_psexec hosts='host1,host2' installer_url='http://exampledomain/salt-installer.exe' salt.runners.manage.down(removekeys=False) Print a list of all the down or unresponsive salt minions Optionally remove keys of down minions CLI Example: salt-run manage.down salt-run manage.down removekeys=True salt.runners.manage.get_stats(estate=None, stack='road') Print the stack stats estate None The name of the target estate. Master stats would be requested by default stack 'road' Show stats on either road or lane stack Allowed values are 'road' or 'lane'. CLI Example: salt-run manage.get_stats [estate=alpha_minion] [stack=lane] salt.runners.manage.joined(subset=None, show_ipv4=False) New in version 2015.8.0. Print a list of all minions that are up according to Salt's presence detection (no commands will be sent to minions) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. CLI Example: salt-run manage.joined salt.runners.manage.key_regen() This routine is used to regenerate all keys in an environment. This is invasive! ALL KEYS IN THE SALT ENVIRONMENT WILL BE REGENERATED!! The key_regen routine sends a command out to minions to revoke the master key and remove all minion keys, it then removes all keys from the master and prompts the user to restart the master. The minions will all reconnect and keys will be placed in pending. After the master is restarted and minion keys are in the pending directory execute a salt-key -A command to accept the regenerated minion keys. The master must be restarted within 60 seconds of running this command or the minions will think there is something wrong with the keys and abort. Only Execute this runner after upgrading minions and master to 0.15.1 or higher! CLI Example: salt-run manage.key_regen salt.runners.manage.lane_stats(estate=None) Print the estate manor lane stack stats estate None The name of the target estate. Master stats would be requested by default CLI Example: salt-run manage.lane_stats [estate=alpha_minion] salt.runners.manage.list_not_state(subset=None, show_ipv4=False, state=None) New in version 2015.8.0. Print a list of all minions that are NOT up according to Salt's presence detection (no commands will be sent to minions) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. state 'available' Show minions being in specific state that is one of 'available', 'joined', 'allowed', 'alived' or 'reaped'. CLI Example: salt-run manage.list_not_state salt.runners.manage.list_state(subset=None, show_ipv4=False, state=None) New in version 2015.8.0. Print a list of all minions that are up according to Salt's presence detection (no commands will be sent to minions) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. state 'available' Show minions being in specific state that is one of 'available', 'joined', 'allowed', 'alived' or 'reaped'. CLI Example: salt-run manage.list_state salt.runners.manage.not_alived(subset=None, show_ipv4=False) New in version 2015.8.0. Print a list of all minions that are NOT up according to Salt's presence detection (no commands will be sent) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. CLI Example: salt-run manage.not_alived salt.runners.manage.not_allowed(subset=None, show_ipv4=False) New in version 2015.8.0. Print a list of all minions that are NOT up according to Salt's presence detection (no commands will be sent) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. CLI Example: salt-run manage.not_allowed salt.runners.manage.not_joined(subset=None, show_ipv4=False) New in version 2015.8.0. Print a list of all minions that are NOT up according to Salt's presence detection (no commands will be sent) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. CLI Example: salt-run manage.not_joined salt.runners.manage.not_present(subset=None, show_ipv4=False) New in version 2015.5.0. Print a list of all minions that are NOT up according to Salt's presence detection (no commands will be sent) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. CLI Example: salt-run manage.not_present salt.runners.manage.not_reaped(subset=None, show_ipv4=False) New in version 2015.8.0. Print a list of all minions that are NOT up according to Salt's presence detection (no commands will be sent) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. CLI Example: salt-run manage.not_reaped salt.runners.manage.present(subset=None, show_ipv4=False) Print a list of all minions that are up according to Salt's presence detection (no commands will be sent to minions) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. CLI Example: salt-run manage.present salt.runners.manage.reaped(subset=None, show_ipv4=False) New in version 2015.8.0. Print a list of all minions that are up according to Salt's presence detection (no commands will be sent to minions) subset None Pass in a CIDR range to filter minions by IP address. show_ipv4 False Also show the IP address each minion is connecting from. CLI Example: salt-run manage.reaped salt.runners.manage.road_stats(estate=None) Print the estate road stack stats estate None The name of the target estate. Master stats would be requested by default CLI Example: salt-run manage.road_stats [estate=alpha_minion] salt.runners.manage.safe_accept(target, expr_form='glob') Accept a minion's public key after checking the fingerprint over salt-ssh CLI Example: salt-run manage.safe_accept my_minion salt-run manage.safe_accept minion1,minion2 expr_form=list salt.runners.manage.status(output=True) Print the status of all known salt minions CLI Example: salt-run manage.status salt.runners.manage.up() Print a list of all of the minions that are up CLI Example: salt-run manage.up salt.runners.manage.versions() Check the version of active minions CLI Example: salt-run manage.versions salt.runners.mine A runner to access data from the salt mine salt.runners.mine.get(tgt, fun, tgt_type='glob') Gathers the data from the specified minions' mine, pass in the target, function to look up and the target type CLI Example: salt-run mine.get '*' network.interfaces salt.runners.nacl This runner helps create encrypted passwords that can be included in pillars. depends libnacl, https://github.com/saltstack/libnacl This is often useful if you wish to store your pillars in source control or share your pillar data with others that you trust. I don't advise making your pillars public regardless if they are encrypted or not. The following configurations can be defined in the master config so your users can create encrypted passwords using the runner nacl: cat /etc/salt/master.d/nacl.conf nacl.config: key: None keyfile: /root/.nacl Now with the config in the master you can use the runner nacl like: salt-run nacl.enc 'data' salt.runners.nacl.dec(data, **kwargs) Takes a key generated from nacl.keygen and decrypt some data. CLI Examples: salt-run nacl.dec pEXHQM6cuaF7A= salt-run nacl.dec data='pEXHQM6cuaF7A=' keyfile=/root/.nacl salt-run nacl.dec data='pEXHQM6cuaF7A=' key='cKEzd4kXsbeCE7/nLTIqXwnUiD1ulg4NoeeYcCFpd9k=' salt.runners.nacl.enc(data, **kwargs) Takes a key generated from nacl.keygen and encrypt some data. CLI Examples: salt-run nacl.enc datatoenc salt-run nacl.enc datatoenc keyfile=/root/.nacl salt-run nacl.enc datatoenc key='cKEzd4kXsbeCE7/nLTIqXwnUiD1ulg4NoeeYcCFpd9k=' salt.runners.nacl.keygen(keyfile=None) Use libnacl to generate a private key CLI Examples: salt-run nacl.keygen salt-run nacl.keygen keyfile=/root/.nacl salt-run --out=newline_values_only nacl.keygen > /root/.nacl salt.runners.network Network tools to run from the Master salt.runners.network.wol(mac, bcast='255.255.255.255', destport=9) Send a "Magic Packet" to wake up a Minion CLI Example: salt-run network.wol 08-00-27-13-69-77 salt-run network.wol 080027136977 255.255.255.255 7 salt-run network.wol 08:00:27:13:69:77 255.255.255.255 7 salt.runners.network.wollist(maclist, bcast='255.255.255.255', destport=9) Send a "Magic Packet" to wake up a list of Minions. This list must contain one MAC hardware address per line CLI Example: salt-run network.wollist '/path/to/maclist' salt-run network.wollist '/path/to/maclist' 255.255.255.255 7 salt-run network.wollist '/path/to/maclist' 255.255.255.255 7 salt.runners.pagerduty Runner Module for Firing Events via PagerDuty New in version 2014.1.0. configuration This module can be used by specifying the name of a configuration profile in the master config. For example: my-pagerduty-account: pagerduty.api_key: F3Rbyjbve43rfFWf2214 pagerduty.subdomain: mysubdomain salt.runners.pagerduty.create_event(service_key=None, description=None, details=None, incident_key=None, profile=None) Create an event in PagerDuty. Designed for use in states. CLI Example: salt-run pagerduty.create_event <service_key> <description> <details> profile=my-pagerduty-account The following parameters are required: service_key This key can be found by using pagerduty.list_services. description This is a short description of the event. details This can be a more detailed description of the event. profile This refers to the configuration profile to use to connect to the PagerDuty service. salt.runners.pagerduty.list_escalation_policies(profile=None, api_key=None) This function is an alias of list_policies. List escalation policies belonging to this account CLI Example: salt-run pagerduty.list_policies my-pagerduty-account salt-run pagerduty.list_escalation_policies my-pagerduty-account salt.runners.pagerduty.list_incidents(profile=None, api_key=None) List incidents belonging to this account CLI Example: salt-run pagerduty.list_incidents my-pagerduty-account salt.runners.pagerduty.list_maintenance_windows(profile=None, api_key=None) This function is an alias of list_windows. List maintenance windows belonging to this account CLI Example: salt-run pagerduty.list_windows my-pagerduty-account salt-run pagerduty.list_maintenance_windows my-pagerduty-account salt.runners.pagerduty.list_policies(profile=None, api_key=None) List escalation policies belonging to this account CLI Example: salt-run pagerduty.list_policies my-pagerduty-account salt-run pagerduty.list_escalation_policies my-pagerduty-account salt.runners.pagerduty.list_schedules(profile=None, api_key=None) List schedules belonging to this account CLI Example: salt-run pagerduty.list_schedules my-pagerduty-account salt.runners.pagerduty.list_services(profile=None, api_key=None) List services belonging to this account CLI Example: salt-run pagerduty.list_services my-pagerduty-account salt.runners.pagerduty.list_users(profile=None, api_key=None) List users belonging to this account CLI Example: salt-run pagerduty.list_users my-pagerduty-account salt.runners.pagerduty.list_windows(profile=None, api_key=None) List maintenance windows belonging to this account CLI Example: salt-run pagerduty.list_windows my-pagerduty-account salt-run pagerduty.list_maintenance_windows my-pagerduty-account salt.runners.pillar Functions to interact with the pillar compiler on the master salt.runners.pillar.show_pillar(minion='*', **kwargs) Returns the compiled pillar either of a specific minion or just the global available pillars. This function assumes that no minion has the id *. CLI Example: shows minion specific pillar: salt-run pillar.show_pillar 'www.example.com' shows global pillar: salt-run pillar.show_pillar shows global pillar for 'dev' pillar environment: salt-run pillar.show_pillar 'saltenv=dev' API Example: import salt.config import salt.runner opts = salt.config.master_config('/etc/salt/master') runner = salt.runner.RunnerClient(opts) pillar = runner.cmd('pillar.show_pillar', []) print(pillar) salt.runners.pillar.show_top(minion=None, saltenv='base') Returns the compiled top data for pillar for a specific minion. If no minion is specified, we use the first minion we find. CLI Example: salt-run pillar.show_top salt.runners.pkg Package helper functions using salt.modules.pkg New in version 2015.8.0. salt.runners.pkg.list_upgrades(jid, style='group', outputter='nested', ext_source=None) Show list of available pkg upgrades using a specified format style CLI Example: salt-run pkg.list_upgrades jid=20141120114114417719 style=group salt.runners.queue General management and processing of queues. This runner facilitates interacting with various queue backends such as the included sqlite3 queue or the planned AWS SQS and Redis queues The queue functions such as insert, delete, and pop can be used for typical management of the queue. The process_queue function pops the requested number of items from the queue and creates a Salt Event that can then be processed by a Reactor. The process_queue function can be called manually, or can be configured to run on a schedule with the Salt Scheduler or regular system cron. It is also possible to use the peer system to allow a minion to call the runner. This runner, as well as the Queues system, is not api stable at this time. There are many things that could potentially be done with queues within Salt. For the time being the focus will be on queueing infrastructure actions on specific minions. The queues generally will be populated with minion IDs. When the process_queue runner function is called events are created on the Salt Event bus that indicate the queue and a list of one or more minion IDs. The reactor is set up to match on event tags for a specific queue and then take infrastructure actions on those minion IDs. These actions might be to delete the minion's key from the master, use salt-cloud to destroy the vm, or some other custom action. salt.runners.queue.delete(queue, items, backend='sqlite') Delete an item or items from a queue CLI Example: salt-run queue.delete myqueue myitem salt-run queue.delete myqueue myitem backend=sqlite salt-run queue.delete myqueue "['item1', 'item2', 'item3']" salt.runners.queue.insert(queue, items, backend='sqlite') Add an item or items to a queue CLI Example: salt-run queue.insert myqueue myitem salt-run queue.insert myqueue "['item1', 'item2', 'item3']" salt-run queue.insert myqueue myitem backend=sqlite salt-run queue.insert myqueue "['item1', 'item2', 'item3']" backend=sqlite salt.runners.queue.list_items(queue, backend='sqlite') List contents of a queue CLI Example: salt-run queue.list_items myqueue salt-run queue.list_items myqueue backend=sqlite salt.runners.queue.list_length(queue, backend='sqlite') Provide the number of items in a queue CLI Example: salt-run queue.list_length myqueue salt-run queue.list_length myqueue backend=sqlite salt.runners.queue.list_queues(backend='sqlite') Return a list of Salt Queues on the backend CLI Example: salt-run queue.list_queues salt-run queue.list_queues backend=sqlite salt.runners.queue.pop(queue, quantity=1, backend='sqlite') Pop one or more or all items from a queue CLI Example: salt-run queue.pop myqueue salt-run queue.pop myqueue 6 salt-run queue.pop myqueue all salt-run queue.pop myqueue 6 backend=sqlite salt-run queue.pop myqueue all backend=sqlite salt.runners.queue.process_queue(queue, quantity=1, backend='sqlite') Pop items off a queue and create an event on the Salt event bus to be processed by a Reactor. CLI Example: salt-run queue.process_queue myqueue salt-run queue.process_queue myqueue 6 salt-run queue.process_queue myqueue all backend=sqlite salt.runners.sdb Runner for setting and querying data via the sdb API on the master salt.runners.sdb.get(uri) Get a value from a db, using a uri in the form of sdb://<profile>/<key>. If the uri provided does not start with sdb://, then it will be returned as-is. CLI Example: salt '*' sdb.get sdb://mymemcached/foo salt.runners.sdb.set(uri, value) Set a value in a db, using a uri in the form of sdb://<profile>/<key>. If the uri provided does not start with sdb:// or the value is not successfully set, return False. CLI Example: salt '*' sdb.set sdb://mymemcached/foo bar salt.runners.ssh A Runner module interface on top of the salt-ssh Python API. This allows for programmatic use from salt-api, the Reactor, Orchestrate, etc. salt.runners.ssh.cmd(tgt, fun, arg=(), timeout=None, expr_form='glob', kwarg=None) Execute a single command via the salt-ssh subsystem and return all routines at once New in version 2015.5.0. A wrapper around the SSHClient.cmd method. salt.runners.search Runner frontend to search system salt.runners.search.query(term) Query the search system CLI Example: salt-run search.query foo salt.runners.state Execute orchestration functions salt.runners.state.event(tagmatch='*', count=-1, quiet=False, sock_dir=None, pretty=False) Watch Salt's event bus and block until the given tag is matched New in version 2014.7.0. This is useful for utilizing Salt's event bus from shell scripts or for taking simple actions directly from the CLI. Enable debug logging to see ignored events. Parameters • tagmatch -- the event is written to stdout for each tag that matches this pattern; uses the same matching semantics as Salt's Reactor. • count -- this number is decremented for each event that matches the tagmatch parameter; pass -1 to listen forever. • quiet -- do not print to stdout; just block • sock_dir -- path to the Salt master's event socket file. • pretty -- Output the JSON all on a single line if False (useful for shell tools); pretty-print the JSON output if True. CLI Examples: # Reboot a minion and run highstate when it comes back online salt 'jerry' system.reboot && \\ salt-run state.event 'salt/minion/jerry/start' count=1 quiet=True && \\ salt 'jerry' state.highstate # Reboot multiple minions and run highstate when all are back online salt -L 'kevin,stewart,dave' system.reboot && \\ salt-run state.event 'salt/minion/*/start' count=3 quiet=True && \\ salt -L 'kevin,stewart,dave' state.highstate # Watch the event bus forever in a shell while-loop. salt-run state.event | while read -r tag data; do echo $tag echo $data | jq -colour-output . done SEE ALSO: See https://github.com/saltstack/salt/blob/develop/tests/eventlisten.sh for an example of usage within a shell script. salt.runners.state.orchestrate(mods, saltenv='base', test=None, exclude=None, pillar=None) New in version 0.17.0. Execute a state run from the master, used as a powerful orchestration system. SEE ALSO: More Orchestrate documentation • Full Orchestrate Tutorial • Docs for the master-side state module CLI Examples: salt-run state.orchestrate webserver salt-run state.orchestrate webserver saltenv=dev test=True Changed in version 2014.1.1: Runner renamed from state.sls to state.orchestrate Changed in version 2014.7.0: Runner uses the pillar variable salt.runners.state.orchestrate_high(data, test=None, queue=False, pillar=None, **kwargs) Execute a single state orchestration routine New in version 2015.5.0. CLI Example: salt-run state.orchestrate_high '{ stage_one: {salt.state: [{tgt: "db*"}, {sls: postgres_setup}]}, stage_two: {salt.state: [{tgt: "web*"}, {sls: apache_setup}, { require: [{salt: stage_one}], }]}, }' salt.runners.state.orchestrate_single(fun, name, test=None, queue=False, pillar=None, **kwargs) Execute a single state orchestration routine New in version 2015.5.0. CLI Example: salt-run state.orchestrate_single fun=salt.wheel name=key.list_all salt.runners.survey A general map/reduce style salt runner for aggregating results returned by several different minions. New in version 2014.7.0. Aggregated results are sorted by the size of the minion pools which returned matching results. Useful for playing the game: " some of these things are not like the others... " when identifying discrepancies in a large infrastructure managed by salt. salt.runners.survey.diff(*args, **kwargs) Return the DIFFERENCE of the result sets returned by each matching minion pool New in version 2014.7.0. These pools are determined from the aggregated and sorted results of a salt command. This command displays the "diffs" as a series of 2-way differences-- namely the difference between the FIRST displayed minion pool (according to sort order) and EACH SUBSEQUENT minion pool result set. Differences are displayed according to the Python "difflib.unified_diff()" as in the case of the salt execution module "file.get_diff". This command is submitted via a salt runner using the general form: salt-run survey.diff [survey_sort=up/down] <target> <salt-execution-module> <salt-execution-module parameters> Optionally accept a "survey_sort=" parameter. Default: "survey_sort=down" CLI Example #1: ( Example to display the "differences of files" ) salt-run survey.diff survey_sort=up "*" cp.get_file_str file:///etc/hosts salt.runners.survey.hash(*args, **kwargs) Return the MATCHING minion pools from the aggregated and sorted results of a salt command New in version 2014.7.0. This command is submitted via a salt runner using the general form: salt-run survey.hash [survey_sort=up/down] <target> <salt-execution-module> <salt-execution-module parameters> Optionally accept a "survey_sort=" parameter. Default: "survey_sort=down" CLI Example #1: ( functionally equivalent to "salt-run manage.up" ) salt-run survey.hash "*" test.ping CLI Example #2: ( find an "outlier" minion config file ) salt-run survey.hash "*" file.get_hash /etc/salt/minion survey_sort=up salt.runners.test This runner is used only for test purposes and servers no production purpose salt.runners.test.arg(*args, **kwargs) Output the given args and kwargs Kwargs will be filtered for 'private' keynames. salt.runners.test.raw_arg(*args, **kwargs) Output the given args and kwargs salt.runners.test.sleep(s_time=10) Sleep t seconds, then return True salt.runners.test.stdout_print() Print 'foo' and return 'bar' salt.runners.test.stream() Return True salt.runners.thin The thin runner is used to manage the salt thin systems. Salt Thin is a transport-less version of Salt that can be used to run routines in a standalone way. This runner has tools which generate the standalone salt system for easy consumption. salt.runners.thin.generate(extra_mods='', overwrite=False, so_mods='') Generate the salt-thin tarball and print the location of the tarball Optional additional mods to include (e.g. mako) can be supplied as a comma delimited string. Permits forcing an overwrite of the output file as well. CLI Example: salt-run thin.generate salt-run thin.generate mako salt-run thin.generate mako,wempy 1 salt-run thin.generate overwrite=1 salt.runners.virt Control virtual machines via Salt salt.runners.virt.force_off(name) Force power down the named virtual machine salt.runners.virt.host_info(host=None) Return information about the host connected to this master salt.runners.virt.hyper_info(hyper=None) Return information about the host connected to this master salt.runners.virt.init(name, cpu, mem, image, hyper=None, hypervisor='kvm', host=None, seed=True, nic='default', install=True, start=True, disk='default', saltenv='base') This routine is used to create a new virtual machine. This routines takes a number of options to determine what the newly created virtual machine will look like. name The mandatory name of the new virtual machine. The name option is also the minion id, all minions must have an id. cpu The number of cpus to allocate to this new virtual machine. mem The amount of memory to allocate tot his virtual machine. The number is interpreted in megabytes. image The network location of the virtual machine image, commonly a location on the salt fileserver, but http, https and ftp can also be used. hypervisor The hypervisor to use for the new virtual machine. Default is 'kvm'. host The host to use for the new virtual machine, if this is omitted Salt will automatically detect what host to use. seed Set to False to prevent Salt from seeding the new virtual machine. nic The nic profile to use, defaults to the "default" nic profile which assumes a single network interface per VM associated with the "br0" bridge on the master. install Set to False to prevent Salt from installing a minion on the new VM before it spins up. disk The disk profile to use saltenv The Salt environment to use salt.runners.virt.list(host=None, quiet=False, hyper=None) List the virtual machines on each host, this is a simplified query, showing only the virtual machine names belonging to each host. A single host can be passed in to specify an individual host to list. salt.runners.virt.migrate(name, target='') Migrate a VM from one host to another. This routine will just start the migration and display information on how to look up the progress. salt.runners.virt.next_host() Return the host to use for the next autodeployed VM. This queries the available host and executes some math the determine the most "available" next host. salt.runners.virt.next_hyper() Return the host to use for the next autodeployed VM. This queries the available host and executes some math the determine the most "available" next host. salt.runners.virt.pause(name) Pause the named VM salt.runners.virt.purge(name, delete_key=True) Destroy the named VM salt.runners.virt.query(host=None, quiet=False, hyper=None) Query the virtual machines. When called without options all hosts are detected and a full query is returned. A single host can be passed in to specify an individual host to query. salt.runners.virt.reset(name) Force power down and restart an existing VM salt.runners.virt.resume(name) Resume a paused VM salt.runners.virt.start(name) Start a named virtual machine salt.runners.virt.vm_info(name, quiet=False) Return the information on the named VM salt.runners.winrepo Runner to manage Windows software repo salt.runners.winrepo.genrepo(opts=None, fire_event=True) Generate winrepo_cachefile based on sls files in the winrepo_dir opts Specify an alternate opts dict. Should not be used unless this function is imported into an execution module. fire_event True Fire an event on failure. Only supported on the master. CLI Example: salt-run winrepo.genrepo salt.runners.winrepo.update_git_repos(opts=None, clean=False, masterless=False) Checkout git repos containing Windows Software Package Definitions opts Specify an alternate opts dict. Should not be used unless this function is imported into an execution module. clean False Clean repo cachedirs which are not configured under winrepo_remotes. WARNING: This argument should not be set to True if a mix of git and non-git repo definitions are being used, as it will result in the non-git repo definitions being removed. New in version 2015.8.0. CLI Examples: salt-run winrepo.update_git_repos salt-run winrepo.update_git_repos clean=True Writing Salt Runners A Salt runner is written in a similar manner to a Salt execution module. Both are Python modules which contain functions and each public function is a runner which may be executed via the salt-run command. For example, if a Python module named test.py is created in the runners directory and contains a function called foo, the test runner could be invoked with the following command: # salt-run test.foo Runners have several options for controlling output. Any print statement in a runner is automatically also fired onto the master event bus where. For example: def a_runner(outputter=None, display_progress=False): print('Hello world') ... The above would result in an event fired as follows: Event fired at Tue Jan 13 15:26:45 2015 ************************* Tag: salt/run/20150113152644070246/print Data: {'_stamp': '2015-01-13T15:26:45.078707', 'data': 'hello', 'outputter': 'pprint'} A runner may also send a progress event, which is displayed to the user during runner execution and is also passed across the event bus if the display_progress argument to a runner is set to True. A custom runner may send its own progress event by using the __jid_event_.fire_event() method as shown here: if display_progress: __jid_event__.fire_event({'message': 'A progress message', 'progress') The above would produce output on the console reading: A progress message as well as an event on the event similar to: Event fired at Tue Jan 13 15:21:20 2015 ************************* Tag: salt/run/20150113152118341421/progress Data: {'_stamp': '2015-01-13T15:21:20.390053', 'message': "A progress message"} A runner could use the same approach to send an event with a customized tag onto the event bus by replacing the second argument (progress) with whatever tag is desired. However, this will not be shown on the command-line and will only be fired onto the event bus. Synchronous vs. Asynchronous A runner may be fired asychronously which will immediately return control. In this case, no output will be display to the user if salt-run is being used from the command-line. If used programatically, no results will be returned. If results are desired, they must be gathered either by firing events on the bus from the runner and then watching for them or by some other means. NOTE: When running a runner in asyncronous mode, the --progress flag will not deliver output to the salt-run CLI. However, progress events will still be fired on the bus. In synchronous mode, which is the default, control will not be returned until the runner has finished executing. To add custom runners, put them in a directory and add it to runner_dirs in the master configuration file. Examples Examples of runners can be found in the Salt distribution: https://github.com/saltstack/salt/blob/develop/salt/runners A simple runner that returns a well-formatted list of the minions that are responding to Salt calls could look like this: # Import salt modules import salt.client def up(): ''' Print a list of all of the minions that are up ''' client = salt.client.LocalClient(__opts__['conf_file']) minions = client.cmd('*', 'test.ping', timeout=1) for minion in sorted(minions): print minion State Enforcement Salt offers an optional interface to manage the configuration or "state" of the Salt minions. This interface is a fully capable mechanism used to enforce the state of systems from a central manager. Mod Aggregate State Runtime Modifications New in version 2014.7.0. The mod_aggregate system was added in the 2014.7.0 release of Salt and allows for runtime modification of the executing state data. Simply put, it allows for the data used by Salt's state system to be changed on the fly at runtime, kind of like a configuration management JIT compiler or a runtime import system. All in all, it makes Salt much more dynamic. How it Works The best example is the pkg state. One of the major requests in Salt has long been adding the ability to install all packages defined at the same time. The mod_aggregate system makes this a reality. While executing Salt's state system, when a pkg state is reached the mod_aggregate function in the state module is called. For pkg this function scans all of the other states that are slated to run, and picks up the references to name and pkgs, then adds them to pkgs in the first state. The result is a single call to yum, apt-get, pacman, etc as part of the first package install. How to Use it NOTE: Since this option changes the basic behavior of the state runtime, after it is enabled states should be executed using test=True to ensure that the desired behavior is preserved. In config files The first way to enable aggregation is with a configuration option in either the master or minion configuration files. Salt will invoke mod_aggregate the first time it encounters a state module that has aggregate support. If this option is set in the master config it will apply to all state runs on all minions, if set in the minion config it will only apply to said minion. Enable for all states: state_aggregate: True Enable for only specific state modules: state_aggregate: - pkg In states The second way to enable aggregation is with the state-level aggregate keyword. In this configuration, Salt will invoke the mod_aggregate function the first time it encounters this keyword. Any additional occurrences of the keyword will be ignored as the aggregation has already taken place. The following example will trigger mod_aggregate when the lamp_stack state is processed resulting in a single call to the underlying package manager. lamp_stack: pkg.installed: - pkgs: - php - mysql-client - aggregate: True memcached: pkg.installed: - name: memcached Adding mod_aggregate to a State Module Adding a mod_aggregate routine to an existing state module only requires adding an additional function to the state module called mod_aggregate. The mod_aggregate function just needs to accept three parameters and return the low data to use. Since mod_aggregate is working on the state runtime level it does need to manipulate low data. The three parameters are low, chunks, and running. The low option is the low data for the state execution which is about to be called. The chunks is the list of all of the low data dictionaries which are being executed by the runtime and the running dictionary is the return data from all of the state executions which have already be executed. This example, simplified from the pkg state, shows how to create mod_aggregate functions: def mod_aggregate(low, chunks, running): ''' The mod_aggregate function which looks up all packages in the available low chunks and merges them into a single pkgs ref in the present low data ''' pkgs = [] # What functions should we aggregate? agg_enabled = [ 'installed', 'latest', 'removed', 'purged', ] # The `low` data is just a dict with the state, function (fun) and # arguments passed in from the sls if low.get('fun') not in agg_enabled: return low # Now look into what other things are set to execute for chunk in chunks: # The state runtime uses "tags" to track completed jobs, it may # look familiar with the _|- tag = salt.utils.gen_state_tag(chunk) if tag in running: # Already ran the pkg state, skip aggregation continue if chunk.get('state') == 'pkg': if '__agg__' in chunk: continue # Check for the same function if chunk.get('fun') != low.get('fun'): continue # Pull out the pkg names! if 'pkgs' in chunk: pkgs.extend(chunk['pkgs']) chunk['__agg__'] = True elif 'name' in chunk: pkgs.append(chunk['name']) chunk['__agg__'] = True if pkgs: if 'pkgs' in low: low['pkgs'].extend(pkgs) else: low['pkgs'] = pkgs # The low has been modified and needs to be returned to the state # runtime for execution return low Altering States NOTE: This documentation has been moved here. File State Backups In 0.10.2 a new feature was added for backing up files that are replaced by the file.managed and file.recurse states. The new feature is called the backup mode. Setting the backup mode is easy, but it can be set in a number of places. The backup_mode can be set in the minion config file: backup_mode: minion Or it can be set for each file: /etc/ssh/sshd_config: file.managed: - source: salt://ssh/sshd_config - backup: minion Backed-up Files The files will be saved in the minion cachedir under the directory named file_backup. The files will be in the location relative to where they were under the root filesystem and be appended with a timestamp. This should make them easy to browse. Interacting with Backups Starting with version 0.17.0, it will be possible to list, restore, and delete previously-created backups. Listing The backups for a given file can be listed using file.list_backups: # salt foo.bar.com file.list_backups /tmp/foo.txt foo.bar.com: ---------- 0: ---------- Backup Time: Sat Jul 27 2013 17:48:41.738027 Location: /var/cache/salt/minion/file_backup/tmp/foo.txt_Sat_Jul_27_17:48:41_738027_2013 Size: 13 1: ---------- Backup Time: Sat Jul 27 2013 17:48:28.369804 Location: /var/cache/salt/minion/file_backup/tmp/foo.txt_Sat_Jul_27_17:48:28_369804_2013 Size: 35 Restoring Restoring is easy using file.restore_backup, just pass the path and the numeric id found with file.list_backups: # salt foo.bar.com file.restore_backup /tmp/foo.txt 1 foo.bar.com: ---------- comment: Successfully restored /var/cache/salt/minion/file_backup/tmp/foo.txt_Sat_Jul_27_17:48:28_369804_2013 to /tmp/foo.txt result: True The existing file will be backed up, just in case, as can be seen if file.list_backups is run again: # salt foo.bar.com file.list_backups /tmp/foo.txt foo.bar.com: ---------- 0: ---------- Backup Time: Sat Jul 27 2013 18:00:19.822550 Location: /var/cache/salt/minion/file_backup/tmp/foo.txt_Sat_Jul_27_18:00:19_822550_2013 Size: 53 1: ---------- Backup Time: Sat Jul 27 2013 17:48:41.738027 Location: /var/cache/salt/minion/file_backup/tmp/foo.txt_Sat_Jul_27_17:48:41_738027_2013 Size: 13 2: ---------- Backup Time: Sat Jul 27 2013 17:48:28.369804 Location: /var/cache/salt/minion/file_backup/tmp/foo.txt_Sat_Jul_27_17:48:28_369804_2013 Size: 35 NOTE: Since no state is being run, restoring a file will not trigger any watches for the file. So, if you are restoring a config file for a service, it will likely still be necessary to run a service.restart. Deleting Deleting backups can be done using file.delete_backup: # salt foo.bar.com file.delete_backup /tmp/foo.txt 0 foo.bar.com: ---------- comment: Successfully removed /var/cache/salt/minion/file_backup/tmp/foo.txt_Sat_Jul_27_18:00:19_822550_2013 result: True Understanding State Compiler Ordering NOTE: This tutorial is an intermediate level tutorial. Some basic understanding of the state system and writing Salt Formulas is assumed. Salt's state system is built to deliver all of the power of configuration management systems without sacrificing simplicity. This tutorial is made to help users understand in detail just how the order is defined for state executions in Salt. This tutorial is written to represent the behavior of Salt as of version 0.17.0. Compiler Basics To understand ordering in depth some very basic knowledge about the state compiler is very helpful. No need to worry though, this is very high level! High Data and Low Data When defining Salt Formulas in YAML the data that is being represented is referred to by the compiler as High Data. When the data is initially loaded into the compiler it is a single large python dictionary, this dictionary can be viewed raw by running: salt '*' state.show_highstate This "High Data" structure is then compiled down to "Low Data". The Low Data is what is matched up to create individual executions in Salt's configuration management system. The low data is an ordered list of single state calls to execute. Once the low data is compiled the evaluation order can be seen. The low data can be viewed by running: salt '*' state.show_lowstate NOTE: The state execution module contains MANY functions for evaluating the state system and is well worth a read! These routines can be very useful when debugging states or to help deepen one's understanding of Salt's state system. As an example, a state written thusly: apache: pkg.installed: - name: httpd service.running: - name: httpd - watch: - file: apache_conf - pkg: apache apache_conf: file.managed: - name: /etc/httpd/conf.d/httpd.conf - source: salt://apache/httpd.conf Will have High Data which looks like this represented in json: { "apache": { "pkg": [ { "name": "httpd" }, "installed", { "order": 10000 } ], "service": [ { "name": "httpd" }, { "watch": [ { "file": "apache_conf" }, { "pkg": "apache" } ] }, "running", { "order": 10001 } ], "__sls__": "blah", "__env__": "base" }, "apache_conf": { "file": [ { "name": "/etc/httpd/conf.d/httpd.conf" }, { "source": "salt://apache/httpd.conf" }, "managed", { "order": 10002 } ], "__sls__": "blah", "__env__": "base" } } The subsequent Low Data will look like this: [ { "name": "httpd", "state": "pkg", "__id__": "apache", "fun": "installed", "__env__": "base", "__sls__": "blah", "order": 10000 }, { "name": "httpd", "watch": [ { "file": "apache_conf" }, { "pkg": "apache" } ], "state": "service", "__id__": "apache", "fun": "running", "__env__": "base", "__sls__": "blah", "order": 10001 }, { "name": "/etc/httpd/conf.d/httpd.conf", "source": "salt://apache/httpd.conf", "state": "file", "__id__": "apache_conf", "fun": "managed", "__env__": "base", "__sls__": "blah", "order": 10002 } ] This tutorial discusses the Low Data evaluation and the state runtime. Ordering Layers Salt defines 2 order interfaces which are evaluated in the state runtime and defines these orders in a number of passes. Definition Order NOTE: The Definition Order system can be disabled by turning the option state_auto_order to False in the master configuration file. The top level of ordering is the Definition Order. The Definition Order is the order in which states are defined in salt formulas. This is very straightforward on basic states which do not contain include statements or a top file, as the states are just ordered from the top of the file, but the include system starts to bring in some simple rules for how the Definition Order is defined. Looking back at the "Low Data" and "High Data" shown above, the order key has been transparently added to the data to enable the Definition Order. The Include Statement Basically, if there is an include statement in a formula, then the formulas which are included will be run BEFORE the contents of the formula which is including them. Also, the include statement is a list, so they will be loaded in the order in which they are included. In the following case: foo.sls include: - bar - baz bar.sls include: - quo baz.sls include: - qux In the above case if state.sls foo were called then the formulas will be loaded in the following order: 1. quo 2. bar 3. qux 4. baz 5. foo The order Flag The Definition Order happens transparently in the background, but the ordering can be explicitly overridden using the order flag in states: apache: pkg.installed: - name: httpd - order: 1 This order flag will over ride the definition order, this makes it very simple to create states that are always executed first, last or in specific stages, a great example is defining a number of package repositories that need to be set up before anything else, or final checks that need to be run at the end of a state run by using order: last or order: -1. When the order flag is explicitly set the Definition Order system will omit setting an order for that state and directly use the order flag defined. Lexicographical Fall-back Salt states were written to ALWAYS execute in the same order. Before the introduction of Definition Order in version 0.17.0 everything was ordered lexicographically according to the name of the state, then function then id. This is the way Salt has always ensured that states always run in the same order regardless of where they are deployed, the addition of the Definition Order method mealy makes this finite ordering easier to follow. The lexicographical ordering is still applied but it only has any effect when two order statements collide. This means that if multiple states are assigned the same order number that they will fall back to lexicographical ordering to ensure that every execution still happens in a finite order. NOTE: If running with state_auto_order: False the order key is not set automatically, since the Lexicographical order can be derived from other keys. Requisite Ordering Salt states are fully declarative, in that they are written to declare the state in which a system should be. This means that components can require that other components have been set up successfully. Unlike the other ordering systems, the Requisite system in Salt is evaluated at runtime. The requisite system is also built to ensure that the ordering of execution never changes, but is always the same for a given set of states. This is accomplished by using a runtime that processes states in a completely predictable order instead of using an event loop based system like other declarative configuration management systems. Runtime Requisite Evaluation The requisite system is evaluated as the components are found, and the requisites are always evaluated in the same order. This explanation will be followed by an example, as the raw explanation may be a little dizzying at first as it creates a linear dependency evaluation sequence. The "Low Data" is an ordered list or dictionaries, the state runtime evaluates each dictionary in the order in which they are arranged in the list. When evaluating a single dictionary it is checked for requisites, requisites are evaluated in order, require then watch then prereq. NOTE: If using requisite in statements like require_in and watch_in these will be compiled down to require and watch statements before runtime evaluation. Each requisite contains an ordered list of requisites, these requisites are looked up in the list of dictionaries and then executed. Once all requisites have been evaluated and executed then the requiring state can safely be run (or not run if requisites have not been met). This means that the requisites are always evaluated in the same order, again ensuring one of the core design principals of Salt's State system to ensure that execution is always finite is intact. Simple Runtime Evaluation Example Given the above "Low Data" the states will be evaluated in the following order: 1. The pkg.installed is executed ensuring that the apache package is installed, it contains no requisites and is therefore the first defined state to execute. 2. The service.running state is evaluated but NOT executed, a watch requisite is found, therefore they are read in order, the runtime first checks for the file, sees that it has not been executed and calls for the file state to be evaluated. 3. The file state is evaluated AND executed, since it, like the pkg state does not contain any requisites. 4. The evaluation of the service state continues, it next checks the pkg requisite and sees that it is met, with all requisites met the service state is now executed. Best Practice The best practice in Salt is to choose a method and stick with it, official states are written using requisites for all associations since requisites create clean, traceable dependency trails and make for the most portable formulas. To accomplish something similar to how classical imperative systems function all requisites can be omitted and the failhard option then set to True in the master configuration, this will stop all state runs at the first instance of a failure. In the end, using requisites creates very tight and fine grained states, not using requisites makes full sequence runs and while slightly easier to write, and gives much less control over the executions. Extending External SLS Data Sometimes a state defined in one SLS file will need to be modified from a separate SLS file. A good example of this is when an argument needs to be overwritten or when a service needs to watch an additional state. The Extend Declaration The standard way to extend is via the extend declaration. The extend declaration is a top level declaration like include and encapsulates ID declaration data included from other SLS files. A standard extend looks like this: include: - http - ssh extend: apache: file: - name: /etc/httpd/conf/httpd.conf - source: salt://http/httpd2.conf ssh-server: service: - watch: - file: /etc/ssh/banner /etc/ssh/banner: file.managed: - source: salt://ssh/banner A few critical things happened here, first off the SLS files that are going to be extended are included, then the extend dec is defined. Under the extend dec 2 IDs are extended, the apache ID's file state is overwritten with a new name and source. Than the ssh server is extended to watch the banner file in addition to anything it is already watching. Extend is a Top Level Declaration This means that extend can only be called once in an sls, if if is used twice then only one of the extend blocks will be read. So this is WRONG: include: - http - ssh extend: apache: file: - name: /etc/httpd/conf/httpd.conf - source: salt://http/httpd2.conf # Second extend will overwrite the first!! Only make one extend: ssh-server: service: - watch: - file: /etc/ssh/banner The Requisite in Statement Since one of the most common things to do when extending another SLS is to add states for a service to watch, or anything for a watcher to watch, the requisite in statement was added to 0.9.8 to make extending the watch and require lists easier. The ssh-server extend statement above could be more cleanly defined like so: include: - ssh /etc/ssh/banner: file.managed: - source: salt://ssh/banner - watch_in: - service: ssh-server Rules to Extend By There are a few rules to remember when extending states: 1. Always include the SLS being extended with an include declaration 2. Requisites (watch and require) are appended to, everything else is overwritten 3. extend is a top level declaration, like an ID declaration, cannot be declared twice in a single SLS 4. Many IDs can be extended under the extend declaration Failhard Global Option Normally, when a state fails Salt continues to execute the remainder of the defined states and will only refuse to execute states that require the failed state. But the situation may exist, where you would want all state execution to stop if a single state execution fails. The capability to do this is called failing hard. State Level Failhard A single state can have a failhard set, this means that if this individual state fails that all state execution will immediately stop. This is a great thing to do if there is a state that sets up a critical config file and setting a require for each state that reads the config would be cumbersome. A good example of this would be setting up a package manager early on: /etc/yum.repos.d/company.repo: file.managed: - source: salt://company/yumrepo.conf - user: root - group: root - mode: 644 - order: 1 - failhard: True In this situation, the yum repo is going to be configured before other states, and if it fails to lay down the config file, than no other states will be executed. Global Failhard It may be desired to have failhard be applied to every state that is executed, if this is the case, then failhard can be set in the master configuration file. Setting failhard in the master configuration file will result in failing hard when any minion gathering states from the master have a state fail. This is NOT the default behavior, normally Salt will only fail states that require a failed state. Using the global failhard is generally not recommended, since it can result in states not being executed or even checked. It can also be confusing to see states failhard if an admin is not actively aware that the failhard has been set. To use the global failhard set failhard: True in the master configuration file. Global State Arguments NOTE: This documentation has been moved here. Highstate data structure definitions The Salt State Tree A state tree is a collection of SLS files and directories that live under the directory specified in file_roots. NOTE: Directory names or filenames in the state tree cannot contain a period, with the exception of the period in the .sls file suffix. Top file The main state file that instructs minions what environment and modules to use during state execution. Configurable via state_top. SEE ALSO: A detailed description of the top file Include declaration Defines a list of Module reference strings to include in this SLS. Occurs only in the top level of the highstate structure. Example: include: - edit.vim - http.server Module reference The name of a SLS module defined by a separate SLS file and residing on the Salt Master. A module named edit.vim is a reference to the SLS file salt://edit/vim.sls. ID declaration Defines an individual highstate component. Always references a value of a dictionary containing keys referencing State declaration and Requisite declaration. Can be overridden by a Name declaration or a Names declaration. Occurs on the top level or under the Extend declaration. Must be unique across entire state tree. If the same ID declaration is used twice, only the first one matched will be used. All subsequent ID declarations with the same name will be ignored. NOTE: Naming gotchas In Salt versions earlier than 0.9.7, ID declarations containing dots would result in unpredictable highstate output. Extend declaration Extends a Name declaration from an included SLS module. The keys of the extend declaration always refer to an existing ID declaration which have been defined in included SLS modules. Occurs only in the top level and defines a dictionary. States cannot be extended more than once in a single state run. Extend declarations are useful for adding-to or overriding parts of a State declaration that is defined in another SLS file. In the following contrived example, the shown mywebsite.sls file is include -ing and extend -ing the apache.sls module in order to add a watch declaration that will restart Apache whenever the Apache configuration file, mywebsite changes. include: - apache extend: apache: service: - watch: - file: mywebsite mywebsite: file.managed: - name: /var/www/mysite SEE ALSO: watch_in and require_in Sometimes it is more convenient to use the watch_in or require_in syntax instead of extending another SLS file. State Requisites State declaration A list which contains one string defining the Function declaration and any number of Function arg declaration dictionaries. Can, optionally, contain a number of additional components like the name override components — name and names. Can also contain requisite declarations. Occurs under an ID declaration. Requisite declaration A list containing requisite references. Used to build the action dependency tree. While Salt states are made to execute in a deterministic order, this order is managed by requiring and watching other Salt states. Occurs as a list component under a State declaration or as a key under an ID declaration. Requisite reference A single key dictionary. The key is the name of the referenced State declaration and the value is the ID of the referenced ID declaration. Occurs as a single index in a Requisite declaration list. Function declaration The name of the function to call within the state. A state declaration can contain only a single function declaration. For example, the following state declaration calls the installed function in the pkg state module: httpd: pkg.installed: [] The function can be declared inline with the state as a shortcut. The actual data structure is compiled to this form: httpd: pkg: - installed Where the function is a string in the body of the state declaration. Technically when the function is declared in dot notation the compiler converts it to be a string in the state declaration list. Note that the use of the first example more than once in an ID declaration is invalid yaml. INVALID: httpd: pkg.installed service.running When passing a function without arguments and another state declaration within a single ID declaration, then the long or "standard" format needs to be used since otherwise it does not represent a valid data structure. VALID: httpd: pkg.installed: [] service.running: [] Occurs as the only index in the State declaration list. Function arg declaration A single key dictionary referencing a Python type which is to be passed to the named Function declaration as a parameter. The type must be the data type expected by the function. Occurs under a Function declaration. For example in the following state declaration user, group, and mode are passed as arguments to the managed function in the file state module: /etc/http/conf/http.conf: file.managed: - user: root - group: root - mode: 644 Name declaration Overrides the name argument of a State declaration. If name is not specified the ID declaration satisfies the name argument. The name is always a single key dictionary referencing a string. Overriding name is useful for a variety of scenarios. For example, avoiding clashing ID declarations. The following two state declarations cannot both have /etc/motd as the ID declaration: motd_perms: file.managed: - name: /etc/motd - mode: 644 motd_quote: file.append: - name: /etc/motd - text: "Of all smells, bread; of all tastes, salt." Another common reason to override name is if the ID declaration is long and needs to be referenced in multiple places. In the example below it is much easier to specify mywebsite than to specify /etc/apache2/sites-available/mywebsite.com multiple times: mywebsite: file.managed: - name: /etc/apache2/sites-available/mywebsite.com - source: salt://mywebsite.com a2ensite mywebsite.com: cmd.wait: - unless: test -L /etc/apache2/sites-enabled/mywebsite.com - watch: - file: mywebsite apache2: service.running: - watch: - file: mywebsite Names declaration Expands the contents of the containing State declaration into multiple state declarations, each with its own name. For example, given the following state declaration: python-pkgs: pkg.installed: - names: - python-django - python-crypto - python-yaml Once converted into the lowstate data structure the above state declaration will be expanded into the following three state declarations: python-django: pkg.installed python-crypto: pkg.installed python-yaml: pkg.installed Other values can be overridden during the expansion by providing an additional dictionary level. New in version 2014.7.0. ius: pkgrepo.managed: - humanname: IUS Community Packages for Enterprise Linux 6 - $basearch - gpgcheck: 1 - baseurl: http://mirror.rackspace.com/ius/stable/CentOS/6/$basearch - gpgkey: http://dl.iuscommunity.org/pub/ius/IUS-COMMUNITY-GPG-KEY - names: - ius - ius-devel: - baseurl: http://mirror.rackspace.com/ius/development/CentOS/6/$basearch Large example Here is the layout in yaml using the names of the highdata structure components. <Include Declaration>: - <Module Reference> - <Module Reference> <Extend Declaration>: <ID Declaration>: [<overrides>] # standard declaration <ID Declaration>: <State Module>: - <Function> - <Function Arg> - <Function Arg> - <Function Arg> - <Name>: <name> - <Requisite Declaration>: - <Requisite Reference> - <Requisite Reference> # inline function and names <ID Declaration>: <State Module>.<Function>: - <Function Arg> - <Function Arg> - <Function Arg> - <Names>: - <name> - <name> - <name> - <Requisite Declaration>: - <Requisite Reference> - <Requisite Reference> # multiple states for single id <ID Declaration>: <State Module>: - <Function> - <Function Arg> - <Name>: <name> - <Requisite Declaration>: - <Requisite Reference> <State Module>: - <Function> - <Function Arg> - <Names>: - <name> - <name> - <Requisite Declaration>: - <Requisite Reference> Include and Exclude Salt SLS files can include other SLS files and exclude SLS files that have been otherwise included. This allows for an SLS file to easily extend or manipulate other SLS files. Include When other SLS files are included, everything defined in the included SLS file will be added to the state run. When including define a list of SLS formulas to include: include: - http - libvirt The include statement will include SLS formulas from the same environment that the including SLS formula is in. But the environment can be explicitly defined in the configuration to override the running environment, therefore if an SLS formula needs to be included from an external environment named "dev" the following syntax is used: include: - dev: http NOTE: include does not simply inject the states where you place it in the SLS file. If you need to guarantee order of execution, consider using requisites. Do not use dots in SLS file names or their directories The initial implementation of top.sls and include-declaration followed the python import model where a slash is represented as a period. This means that a SLS file with a period in the name ( besides the suffix period) can not be referenced. For example, webserver_1.0.sls is not referenceable because webserver_1.0 would refer to the directory/file webserver_1/0.sls The same applies for any subdirecortories, this is especially 'tricky' when git repos are created. Another command that typically can't render it's output is `state.show_sls` of a file in a path that contains a dot. Relative Include In Salt 0.16.0, the capability to include SLS formulas which are relative to the running SLS formula was added. Simply precede the formula name with a .: include: - .virt - .virt.hyper In Salt 2015.8, the ability to include SLS formulas which are relative to the parents of the running SLS formula was added. In order to achieve this, precede the formula name with more than one . (dot). Much like Python's relative import abilities, two or more leading dots represent a relative include of the parent or parents of the current package, with each . representing one level after the first. The following SLS configuration, if placed within example.dev.virtual, would result in example.http and base being included respectively: include: - ..http - ...base Exclude The exclude statement, added in Salt 0.10.3, allows an SLS to hard exclude another SLS file or a specific id. The component is excluded after the high data has been compiled, so nothing should be able to override an exclude. Since the exclude can remove an id or an SLS the type of component to exclude needs to be defined. An exclude statement that verifies that the running highstate does not contain the http SLS and the /etc/vimrc id would look like this: exclude: - sls: http - id: /etc/vimrc NOTE: The current state processing flow checks for duplicate IDs before processing excludes. An error occurs if duplicate IDs are present even if one of the IDs is targeted by an exclude. State System Layers The Salt state system is comprised of multiple layers. While using Salt does not require an understanding of the state layers, a deeper understanding of how Salt compiles and manages states can be very beneficial. Function Call The lowest layer of functionality in the state system is the direct state function call. State executions are executions of single state functions at the core. These individual functions are defined in state modules and can be called directly via the state.single command. salt '*' state.single pkg.installed name='vim' Low Chunk The low chunk is the bottom of the Salt state compiler. This is a data representation of a single function call. The low chunk is sent to the state caller and used to execute a single state function. A single low chunk can be executed manually via the state.low command. salt '*' state.low '{name: vim, state: pkg, fun: installed}' The passed data reflects what the state execution system gets after compiling the data down from sls formulas. Low State The Low State layer is the list of low chunks "evaluated" in order. To see what the low state looks like for a highstate, run: salt '*' state.show_lowstate This will display the raw lowstate in the order which each low chunk will be evaluated. The order of evaluation is not necessarily the order of execution, since requisites are evaluated at runtime. Requisite execution and evaluation is finite; this means that the order of execution can be ascertained with 100% certainty based on the order of the low state. High Data High data is the data structure represented in YAML via SLS files. The High data structure is created by merging the data components rendered inside sls files (or other render systems). The High data can be easily viewed by executing the state.show_highstate or state.show_sls functions. Since this data is a somewhat complex data structure, it may be easier to read using the json, yaml, or pprint outputters: salt '*' state.show_highstate --out yaml salt '*' state.show_sls edit.vim --out pprint SLS Above "High Data", the logical layers are no longer technically required to be executed, or to be executed in a hierarchy. This means that how the High data is generated is optional and very flexible. The SLS layer allows for many mechanisms to be used to render sls data from files or to use the fileserver backend to generate sls and file data from external systems. The SLS layer can be called directly to execute individual sls formulas. NOTE: SLS Formulas have historically been called "SLS files". This is because a single SLS was only constituted in a single file. Now the term "SLS Formula" better expresses how a compartmentalized SLS can be expressed in a much more dynamic way by combining pillar and other sources, and the SLS can be dynamically generated. To call a single SLS formula named edit.vim, execute state.sls: salt '*' state.sls edit.vim HighState Calling SLS directly logically assigns what states should be executed from the context of the calling minion. The Highstate layer is used to allow for full contextual assignment of what is executed where to be tied to groups of, or individual, minions entirely from the master. This means that the environment of a minion, and all associated execution data pertinent to said minion, can be assigned from the master without needing to execute or configure anything on the target minion. This also means that the minion can independently retrieve information about its complete configuration from the master. To execute the High State call state.highstate: salt '*' state.highstate Orchestrate The orchestrate layer expresses the highest functional layer of Salt's automated logic systems. The Overstate allows for stateful and functional orchestration of routines from the master. The orchestrate defines in data execution stages which minions should execute states, or functions, and in what order using requisite logic. The Orchestrate Runner NOTE: This documentation has been moved here. Ordering States The way in which configuration management systems are executed is a hotly debated topic in the configuration management world. Two major philosophies exist on the subject, to either execute in an imperative fashion where things are executed in the order in which they are defined, or in a declarative fashion where dependencies need to be mapped between objects. Imperative ordering is finite and generally considered easier to write, but declarative ordering is much more powerful and flexible but generally considered more difficult to create. Salt has been created to get the best of both worlds. States are evaluated in a finite order, which guarantees that states are always executed in the same order, and the states runtime is declarative, making Salt fully aware of dependencies via the requisite system. State Auto Ordering Salt always executes states in a finite manner, meaning that they will always execute in the same order regardless of the system that is executing them. But in Salt 0.17.0, the state_auto_order option was added. This option makes states get evaluated in the order in which they are defined in sls files. The evaluation order makes it easy to know what order the states will be executed in, but it is important to note that the requisite system will override the ordering defined in the files, and the order option described below will also override the order in which states are defined in sls files. If the classic ordering is preferred (lexicographic), then set state_auto_order to False in the master configuration file. Otherwise, state_auto_order defaults to True. Requisite Statements NOTE: This document represents behavior exhibited by Salt requisites as of version 0.9.7 of Salt. Often when setting up states any single action will require or depend on another action. Salt allows for the building of relationships between states with requisite statements. A requisite statement ensures that the named state is evaluated before the state requiring it. There are three types of requisite statements in Salt, require, watch, and prereq. These requisite statements are applied to a specific state declaration: httpd: pkg.installed: [] file.managed: - name: /etc/httpd/conf/httpd.conf - source: salt://httpd/httpd.conf - require: - pkg: httpd In this example, the require requisite is used to declare that the file /etc/httpd/conf/httpd.conf should only be set up if the pkg state executes successfully. The requisite system works by finding the states that are required and executing them before the state that requires them. Then the required states can be evaluated to see if they have executed correctly. Require statements can refer to any state defined in Salt. The basic examples are pkg, service, and file, but any used state can be referenced. In addition to state declarations such as pkg, file, etc., sls type requisites are also recognized, and essentially allow 'chaining' of states. This provides a mechanism to ensure the proper sequence for complex state formulas, especially when the discrete states are split or groups into separate sls files: include: - network httpd: pkg.installed: [] service.running: - require: - pkg: httpd - sls: network In this example, the httpd service running state will not be applied (i.e., the httpd service will not be started) unless both the httpd package is installed AND the network state is satisfied. NOTE: Requisite matching Requisites match on both the ID Declaration and the name parameter. Therefore, if using the pkgs or sources argument to install a list of packages in a pkg state, it's important to note that it is impossible to match an individual package in the list, since all packages are installed as a single state. Multiple Requisites The requisite statement is passed as a list, allowing for the easy addition of more requisites. Both requisite types can also be separately declared: httpd: pkg.installed: [] service.running: - enable: True - watch: - file: /etc/httpd/conf/httpd.conf - require: - pkg: httpd - user: httpd - group: httpd file.managed: - name: /etc/httpd/conf/httpd.conf - source: salt://httpd/httpd.conf - require: - pkg: httpd user.present: [] group.present: [] In this example, the httpd service is only going to be started if the package, user, group, and file are executed successfully. Requisite Documentation For detailed information on each of the individual requisites, please look here. The Order Option Before using the order option, remember that the majority of state ordering should be done with a requisite-declaration, and that a requisite declaration will override an order option, so a state with order option should not require or required by other states. The order option is used by adding an order number to a state declaration with the option order: vim: pkg.installed: - order: 1 By adding the order option to 1 this ensures that the vim package will be installed in tandem with any other state declaration set to the order 1. Any state declared without an order option will be executed after all states with order options are executed. But this construct can only handle ordering states from the beginning. Certain circumstances will present a situation where it is desirable to send a state to the end of the line. To do this, set the order to last: vim: pkg.installed: - order: last State Providers New in version 0.9.8. Salt predetermines what modules should be mapped to what uses based on the properties of a system. These determinations are generally made for modules that provide things like package and service management. Sometimes in states, it may be necessary to use an alternative module to provide the needed functionality. For instance, an older Arch Linux system may not be running systemd, so instead of using the systemd service module, you can revert to the default service module: httpd: service.running: - enable: True - provider: service In this instance, the basic service module (which manages sysvinit-based services) will replace the systemd module which is used by default on Arch Linux. However, if it is necessary to make this override for most or every service, it is better to just override the provider in the minion config file, as described in the section below. Setting a Provider in the Minion Config File Sometimes, when running Salt on custom Linux spins, or distribution that are derived from other distributions, Salt does not successfully detect providers. The providers which are most likely to be affected by this are: • pkg • service • user • group When something like this happens, rather than specifying the provider manually in each state, it easier to use the providers parameter in the minion config file to set the provider. If you end up needing to override a provider because it was not detected, please let us know! File an issue on the issue tracker, and provide the output from the grains.items function, taking care to sanitize any sensitive information. Below are tables that should help with deciding which provider to use if one needs to be overridden. Provider: pkg ┌─────────────────┬──────────────────────────────────┐ │Execution Module │ Used for │ ├─────────────────┼──────────────────────────────────┤ │apt │ Debian/Ubuntu-based distros │ │ │ which use apt-get(8) for package │ │ │ management │ ├─────────────────┼──────────────────────────────────┤ │brew │ Mac OS software management using │ │ │ Homebrew │ ├─────────────────┼──────────────────────────────────┤ │ebuild │ Gentoo-based systems (utilizes │ │ │ the portage python module as │ │ │ well as emerge(1)) │ ├─────────────────┼──────────────────────────────────┤ │freebsdpkg │ FreeBSD-based OSes using │ │ │ pkg_add(1) │ ├─────────────────┼──────────────────────────────────┤ │openbsdpkg │ OpenBSD-based OSes using │ │ │ pkg_add(1) │ ├─────────────────┼──────────────────────────────────┤ │pacman │ Arch Linux-based distros using │ │ │ pacman(8) │ ├─────────────────┼──────────────────────────────────┤ │pkgin │ NetBSD-based OSes using pkgin(1) │ ├─────────────────┼──────────────────────────────────┤ │pkgng │ FreeBSD-based OSes using pkg(8) │ ├─────────────────┼──────────────────────────────────┤ │pkgutil │ Solaris-based OSes using │ │ │ OpenCSW's pkgutil(1) │ ├─────────────────┼──────────────────────────────────┤ │solarispkg │ Solaris-based OSes using │ │ │ pkgadd(1M) │ ├─────────────────┼──────────────────────────────────┤ │solarisips │ Solaris-based OSes using IPS │ │ │ pkg(1) │ ├─────────────────┼──────────────────────────────────┤ │win_pkg │ Windows │ ├─────────────────┼──────────────────────────────────┤ │yumpkg │ RedHat-based distros and │ │ │ derivatives (wraps yum(8)) │ ├─────────────────┼──────────────────────────────────┤ │zypper │ SUSE-based distros using │ │ │ zypper(8) │ └─────────────────┴──────────────────────────────────┘ Provider: service ┌─────────────────┬──────────────────────────────────┐ │Execution Module │ Used for │ ├─────────────────┼──────────────────────────────────┤ │debian_service │ Debian (non-systemd) │ ├─────────────────┼──────────────────────────────────┤ │freebsdservice │ FreeBSD-based OSes using │ │ │ service(8) │ ├─────────────────┼──────────────────────────────────┤ │gentoo_service │ Gentoo Linux using sysvinit and │ │ │ rc-update(8) │ ├─────────────────┼──────────────────────────────────┤ │launchctl │ Mac OS hosts using launchctl(1) │ ├─────────────────┼──────────────────────────────────┤ │netbsdservice │ NetBSD-based OSes │ ├─────────────────┼──────────────────────────────────┤ │openbsdservice │ OpenBSD-based OSes │ ├─────────────────┼──────────────────────────────────┤ │rh_service │ RedHat-based distros and │ │ │ derivatives using service(8) and │ │ │ chkconfig(8). Supports both pure │ │ │ sysvinit and mixed │ │ │ sysvinit/upstart systems. │ ├─────────────────┼──────────────────────────────────┤ │service │ Fallback which simply wraps │ │ │ sysvinit scripts │ ├─────────────────┼──────────────────────────────────┤ │smf │ Solaris-based OSes which use SMF │ ├─────────────────┼──────────────────────────────────┤ │systemd │ Linux distros which use systemd │ ├─────────────────┼──────────────────────────────────┤ │upstart │ Ubuntu-based distros using │ │ │ upstart │ ├─────────────────┼──────────────────────────────────┤ │win_service │ Windows │ └─────────────────┴──────────────────────────────────┘ Provider: user ┌─────────────────┬──────────────────────────────────┐ │Execution Module │ Used for │ ├─────────────────┼──────────────────────────────────┤ │useradd │ Linux, NetBSD, and OpenBSD │ │ │ systems using useradd(8), │ │ │ userdel(8), and usermod(8) │ ├─────────────────┼──────────────────────────────────┤ │pw_user │ FreeBSD-based OSes using pw(8) │ ├─────────────────┼──────────────────────────────────┤ │solaris_user │ Solaris-based OSes using │ │ │ useradd(1M), userdel(1M), and │ │ │ usermod(1M) │ ├─────────────────┼──────────────────────────────────┤ │win_useradd │ Windows │ └─────────────────┴──────────────────────────────────┘ Provider: group ┌─────────────────┬──────────────────────────────────┐ │Execution Module │ Used for │ ├─────────────────┼──────────────────────────────────┤ │groupadd │ Linux, NetBSD, and OpenBSD │ │ │ systems using groupadd(8), │ │ │ groupdel(8), and groupmod(8) │ ├─────────────────┼──────────────────────────────────┤ │pw_group │ FreeBSD-based OSes using pw(8) │ ├─────────────────┼──────────────────────────────────┤ │solaris_group │ Solaris-based OSes using │ │ │ groupadd(1M), groupdel(1M), and │ │ │ groupmod(1M) │ ├─────────────────┼──────────────────────────────────┤ │win_groupadd │ Windows │ └─────────────────┴──────────────────────────────────┘ Arbitrary Module Redirects The provider statement can also be used for more powerful means, instead of overwriting or extending the module used for the named service an arbitrary module can be used to provide certain functionality. emacs: pkg.installed: - provider: - cmd: customcmd In this example, the state is being instructed to use a custom module to invoke commands. Arbitrary module redirects can be used to dramatically change the behavior of a given state. Requisites and Other Global State Arguments Fire Event Notifications New in version 2015.8.0. The fire_event option in a state will cause the minion to send an event to the Salt Master upon completion of that individual state. The following example will cause the minion to send an event to the Salt Master with a tag of salt/state_result/20150505121517276431/dasalt/nano and the result of the state will be the data field of the event. Notice that the name of the state gets added to the tag. nano_stuff: pkg.installed: - name: nano - fire_event: True In the following example instead of setting fire_event to True, fire_event is set to an arbitrary string, which will cause the event to be sent with this tag: salt/state_result/20150505121725642845/dasalt/custom/tag/nano/finished nano_stuff: pkg.installed: - name: nano - fire_event: custom/tag/nano/finished Requisites The Salt requisite system is used to create relationships between states. The core idea being that, when one state is dependent somehow on another, that inter-dependency can be easily defined. These dependencies are expressed by declaring the relationships using state names and ID's or names. The generalized form of a requisite target is <state name> : <ID or name>. The specific form is defined as a Requisite Reference Requisites come in two types: Direct requisites (such as require), and requisite_ins (such as require_in). The relationships are directional: a direct requisite requires something from another state. However, a requisite_in inserts a requisite into the targeted state pointing to the targeting state. The following example demonstrates a direct requisite: vim: pkg.installed: [] /etc/vimrc: file.managed: - source: salt://edit/vimrc - require: - pkg: vim In the example above, the file /etc/vimrc depends on the vim package. Requisite_in statements are the opposite. Instead of saying "I depend on something", requisite_ins say "Someone depends on me": vim: pkg.installed: - require_in: - file: /etc/vimrc /etc/vimrc: file.managed: - source: salt://edit/vimrc So here, with a requisite_in, the same thing is accomplished as in the first example, but the other way around. The vim package is saying "/etc/vimrc depends on me". This will result in a require being inserted into the /etc/vimrc state which targets the vim state. In the end, a single dependency map is created and everything is executed in a finite and predictable order. NOTE: Requisite matching Requisites match on both the ID Declaration and the name parameter. This means that, in the example above, the require_in requisite would also have been matched if the /etc/vimrc state was written as follows: vimrc: file.managed: - name: /etc/vimrc - source: salt://edit/vimrc Direct Requisite and Requisite_in types There are several direct requisite statements that can be used in Salt: • require • watch • prereq • use • onchanges • onfail Each direct requisite also has a corresponding requisite_in: • require_in • watch_in • prereq_in • use_in • onchanges_in • onfail_in All of the requisites define specific relationships and always work with the dependency logic defined above. require The use of require demands that the dependent state executes before the depending state. The state containing the require requisite is defined as the depending state. The state specified in the require statement is defined as the dependent state. If the dependent state's execution succeeds, the depending state will then execute. If the dependent state's execution fails, the depending state will not execute. In the first example above, the file /etc/vimrc will only execute after the vim package is installed successfully. Require an entire sls file As of Salt 0.16.0, it is possible to require an entire sls file. Do this first by including the sls file and then setting a state to require the included sls file: include: - foo bar: pkg.installed: - require: - sls: foo watch watch statements are used to add additional behavior when there are changes in other states. NOTE: If a state should only execute when another state has changes, and otherwise do nothing, the new onchanges requisite should be used instead of watch. watch is designed to add additional behavior when there are changes, but otherwise execute normally. The state containing the watch requisite is defined as the watching state. The state specified in the watch statement is defined as the watched state. When the watched state executes, it will return a dictionary containing a key named "changes". Here are two examples of state return dictionaries, shown in json for clarity: "local": { "file_|-/tmp/foo_|-/tmp/foo_|-directory": { "comment": "Directory /tmp/foo updated", "__run_num__": 0, "changes": { "user": "bar" }, "name": "/tmp/foo", "result": true } } "local": { "pkgrepo_|-salt-minion_|-salt-minion_|-managed": { "comment": "Package repo 'salt-minion' already configured", "__run_num__": 0, "changes": {}, "name": "salt-minion", "result": true } } If the "result" of the watched state is True, the watching state will execute normally. This part of watch mirrors the functionality of the require requisite. If the "result" of the watched state is False, the watching state will never run, nor will the watching state's mod_watch function execute. However, if the "result" of the watched state is True, and the "changes" key contains a populated dictionary (changes occurred in the watched state), then the watch requisite can add additional behavior. This additional behavior is defined by the mod_watch function within the watching state module. If the mod_watch function exists in the watching state module, it will be called in addition to the normal watching state. The return data from the mod_watch function is what will be returned to the master in this case; the return data from the main watching function is discarded. If the "changes" key contains an empty dictionary, the watch requisite acts exactly like the require requisite (the watching state will execute if "result" is True, and fail if "result" is False in the watched state). NOTE: Not all state modules contain mod_watch. If mod_watch is absent from the watching state module, the watch requisite behaves exactly like a require requisite. A good example of using watch is with a service.running state. When a service watches a state, then the service is reloaded/restarted when the watched state changes, in addition to Salt ensuring that the service is running. ntpd: service.running: - watch: - file: /etc/ntp.conf file.managed: - name: /etc/ntp.conf - source: salt://ntp/files/ntp.conf prereq New in version 0.16.0. prereq allows for actions to be taken based on the expected results of a state that has not yet been executed. The state containing the prereq requisite is defined as the pre-requiring state. The state specified in the prereq statement is defined as the pre-required state. When a prereq requisite is evaluated, the pre-required state reports if it expects to have any changes. It does this by running the pre-required single state as a test-run by enabling test=True. This test-run will return a dictionary containing a key named "changes". (See the watch section above for examples of "changes" dictionaries.) If the "changes" key contains a populated dictionary, it means that the pre-required state expects changes to occur when the state is actually executed, as opposed to the test-run. The pre-requiring state will now actually run. If the pre-requiring state executes successfully, the pre-required state will then execute. If the pre-requiring state fails, the pre-required state will not execute. If the "changes" key contains an empty dictionary, this means that changes are not expected by the pre-required state. Neither the pre-required state nor the pre-requiring state will run. The best way to define how prereq operates is displayed in the following practical example: When a service should be shut down because underlying code is going to change, the service should be off-line while the update occurs. In this example, graceful-down is the pre-requiring state and site-code is the pre-required state. graceful-down: cmd.run: - name: service apache graceful - prereq: - file: site-code site-code: file.recurse: - name: /opt/site_code - source: salt://site/code In this case the apache server will only be shutdown if the site-code state expects to deploy fresh code via the file.recurse call. The site-code deployment will only be executed if the graceful-down run completes successfully. onfail New in version 2014.7.0. The onfail requisite allows for reactions to happen strictly as a response to the failure of another state. This can be used in a number of ways, such as executing a second attempt to set up a service or begin to execute a separate thread of states because of a failure. The onfail requisite is applied in the same way as require as watch: primary_mount: mount.mounted: - name: /mnt/share - device: 10.0.0.45:/share - fstype: nfs backup_mount: mount.mounted: - name: /mnt/share - device: 192.168.40.34:/share - fstype: nfs - onfail: - mount: primary_mount onchanges New in version 2014.7.0. The onchanges requisite makes a state only apply if the required states generate changes, and if the watched state's "result" is True. This can be a useful way to execute a post hook after changing aspects of a system. If a state has multiple onchanges requisites then the state will trigger if any of the watched states changes. use The use requisite is used to inherit the arguments passed in another id declaration. This is useful when many files need to have the same defaults. /etc/foo.conf: file.managed: - source: salt://foo.conf - template: jinja - mkdirs: True - user: apache - group: apache - mode: 755 /etc/bar.conf file.managed: - source: salt://bar.conf - use: - file: /etc/foo.conf The use statement was developed primarily for the networking states but can be used on any states in Salt. This makes sense for the networking state because it can define a long list of options that need to be applied to multiple network interfaces. The use statement does not inherit the requisites arguments of the targeted state. This means also a chain of use requisites would not inherit inherited options. The _in versions of requisites All of the requisites also have corresponding requisite_in versions, which do the reverse of their normal counterparts. The examples below all use require_in as the example, but note that all of the _in requisites work the same way: They result in a normal requisite in the targeted state, which targets the state which has defines the requisite_in. Thus, a require_in causes the target state to require the targeting state. Similarly, a watch_in causes the target state to watch the targeting state. This pattern continues for the rest of the requisites. If a state declaration needs to be required by another state declaration then require_in can accommodate it. Therefore, these two sls files would be the same in the end: Using require httpd: pkg.installed: [] service.running: - require: - pkg: httpd Using require_in httpd: pkg.installed: - require_in: - service: httpd service.running: [] The require_in statement is particularly useful when assigning a require in a separate sls file. For instance it may be common for httpd to require components used to set up PHP or mod_python, but the HTTP state does not need to be aware of the additional components that require it when it is set up: http.sls httpd: pkg.installed: [] service.running: - require: - pkg: httpd php.sls include: - http php: pkg.installed: - require_in: - service: httpd mod_python.sls include: - http mod_python: pkg.installed: - require_in: - service: httpd Now the httpd server will only start if php or mod_python are first verified to be installed. Thus allowing for a requisite to be defined "after the fact". Altering States The state altering system is used to make sure that states are evaluated exactly as the user expects. It can be used to double check that a state preformed exactly how it was expected to, or to make 100% sure that a state only runs under certain conditions. The use of unless or onlyif options help make states even more stateful. The check_cmds option helps ensure that the result of a state is evaluated correctly. Reload reload_modules is a boolean option that forces salt to reload its modules after a state finishes. See Reloading Modules. Unless New in version 2014.7.0. The unless requisite specifies that a state should only run when any of the specified commands return False. The unless requisite operates as NAND and is useful in giving more granular control over when a state should execute. NOTE: Under the hood unless calls cmd.retcode with python_shell=True. This means the commands referenced by unless will be parsed by a shell, so beware of side-effects as this shell will be run with the same privileges as the salt-minion. Also be aware that the boolean value is determined by the shell's concept of True and False, rather than Python's concept of True and False. vim: pkg.installed: - unless: - rpm -q vim-enhanced - ls /usr/bin/vim In the example above, the state will only run if either the vim-enhanced package is not installed (returns False) or if /usr/bin/vim does not exist (returns False). The state will run if both commands return False. However, the state will not run if both commands return True. Unless checks are resolved for each name to which they are associated. For example: deploy_app: cmd.run: - names: - first_deploy_cmd - second_deploy_cmd - unless: ls /usr/bin/vim In the above case, some_check will be run prior to _each_ name -- once for first_deploy_cmd and a second time for second_deploy_cmd. Onlyif New in version 2014.7.0. The onlyif requisite specifies that if each command listed in onlyif returns True, then the state is run. If any of the specified commands return False, the state will not run. NOTE: Under the hood onlyif calls cmd.retcode with python_shell=True. This means the commands referenced by onlyif will be parsed by a shell, so beware of side-effects as this shell will be run with the same privileges as the salt-minion. Also be aware that the boolean value is determined by the shell's concept of True and False, rather than Python's concept of True and False. stop-volume: module.run: - name: glusterfs.stop_volume - m_name: work - onlyif: - gluster volume status work - order: 1 remove-volume: module.run: - name: glusterfs.delete - m_name: work - onlyif: - gluster volume info work - watch: - cmd: stop-volume The above example ensures that the stop_volume and delete modules only run if the gluster commands return a 0 ret value. Listen/Listen_in New in version 2014.7.0. listen and its counterpart listen_in trigger mod_wait functions for states, when those states succeed and result in changes, similar to how watch its counterpart watch_in. Unlike watch and watch_in, listen, and listen_in will not modify the order of states and can be used to ensure your states are executed in the order they are defined. All listen/listen_in actions will occur at the end of a state run, after all states have completed. restart-apache2: service.running: - name: apache2 - listen: - file: /etc/apache2/apache2.conf configure-apache2: file.managed: - name: /etc/apache2/apache2.conf - source: salt://apache2/apache2.conf This example will cause apache2 to be restarted when the apache2.conf file is changed, but the apache2 restart will happen at the end of the state run. restart-apache2: service.running: - name: apache2 configure-apache2: file.managed: - name: /etc/apache2/apache2.conf - source: salt://apache2/apache2.conf - listen_in: - service: apache2 This example does the same as the above example, but puts the state argument on the file resource, rather than the service resource. check_cmd New in version 2014.7.0. Check Command is used for determining that a state did or did not run as expected. NOTE: Under the hood check_cmd calls cmd.retcode with python_shell=True. This means the commands referenced by unless will be parsed by a shell, so beware of side-effects as this shell will be run with the same privileges as the salt-minion. comment-repo: file.replace: - name: /etc/yum.repos.d/fedora.repo - pattern: ^enabled=0 - repl: enabled=1 - check_cmd: - grep 'enabled=0' /etc/yum.repos.d/fedora.repo && return 1 || return 0 This will attempt to do a replace on all enabled=0 in the .repo file, and replace them with enabled=1. The check_cmd is just a bash command. It will do a grep for enabled=0 in the file, and if it finds any, it will return a 0, which will prompt the && portion of the command to return a 1, causing check_cmd to set the state as failed. If it returns a 1, meaning it didn't find any 'enabled=0' it will hit the || portion of the command, returning a 0, and declaring the function succeeded. Overriding Checks There are two commands used for the above checks. mod_run_check is used to check for onlyif and unless. If the goal is to override the global check for these to variables, include a mod_run_check in the salt/states/ file. mod_run_check_cmd is used to check for the check_cmd options. To override this one, include a mod_run_check_cmd in the states file for the state. Startup States Sometimes it may be desired that the salt minion execute a state run when it is started. This alleviates the need for the master to initiate a state run on a new minion and can make provisioning much easier. As of Salt 0.10.3 the minion config reads options that allow for states to be executed at startup. The options are startup_states, sls_list, and top_file. The startup_states option can be passed one of a number of arguments to define how to execute states. The available options are: highstate Execute state.highstate sls Read in the sls_list option and execute the named sls files top Read in the top_file option and execute states based on that top file on the Salt Master Examples: Execute state.highstate when starting the minion: startup_states: highstate Execute the sls files edit.vim and hyper: startup_states: sls sls_list: - edit.vim - hyper State Testing Executing a Salt state run can potentially change many aspects of a system and it may be desirable to first see what a state run is going to change before applying the run. Salt has a test interface to report on exactly what will be changed, this interface can be invoked on any of the major state run functions: salt '*' state.highstate test=True salt '*' state.sls test=True salt '*' state.single test=True The test run is mandated by adding the test=True option to the states. The return information will show states that will be applied in yellow and the result is reported as None. Default Test If the value test is set to True in the minion configuration file then states will default to being executed in test mode. If this value is set then states can still be run by calling test=False: salt '*' state.highstate test=False salt '*' state.sls test=False salt '*' state.single test=False The Top File Introduction Most infrastructures are made up of groups of machines, each machine in the group performing a role similar to others. Those groups of machines work in concert with each other to create an application stack. To effectively manage those groups of machines, an administrator needs to be able to create roles for those groups. For example, a group of machines that serve front-end web traffic might have roles which indicate that those machines should all have the Apache webserver package installed and that the Apache service should always be running. In Salt, the file which contains a mapping between groups of machines on a network and the configuration roles that should be applied to them is called a top file. Top files are named top.sls by default and they are so-named because they always exist in the "top" of a directory hierarchy that contains state files. That directory hierarchy is called a state tree. A Basic Example Top files have three components: • Environment: A state tree directory containing a set of state files to configure systems. • Target: A grouping of machines which will have a set of states applied to them. • State files: A list of state files to apply to a target. Each state file describes one or more states to be configured and enforced on the targeted machines. The relationship between these three components is nested as follows: • Environments contain targets • Targets contain states Putting these concepts together, we can describe a scenario in which all minions with an ID that begins with web have an apache state applied to them: base: # Apply SLS files from the directory root for the 'base' environment 'web*': # All minions with a minion_id that begins with 'web' - apache # Apply the state file named 'apache.sls' Environments Environments are directory hierarchies which contain a top files and a set of state files. Environments can be used in many ways, however there is no requirement that they be used at all. In fact, the most common way to deploy Salt is with a single environment, called base. It is recommended that users only create multiple environments if they have a use case which specifically calls for multiple versions of state trees. Getting Started with Top Files Each environment is defined inside a salt master configuration variable called, file_roots . In the most common single-environment setup, only the base environment is defined in file_roots along with only one directory path for the state tree. file_roots: base: - /srv/salt In the above example, the top file will only have a single environment to pull from. Next is a simple single-environment top file placed in /srv/salt/top.sls, illustrating that for the environment called base, all minions will have the state files named core.sls and edit.sls applied to them. base: '*': - core - edit Assuming the file_roots configuration from above, Salt will look in the /srv/salt directory for core.sls and edit.sls. Multiple Environments In some cases, teams may wish to create versioned state trees which can be used to test Salt configurations in isolated sets of systems such as a staging environment before deploying states into production. For this case, multiple environments can be used to accomplish this task. To create multiple environments, the file_roots option can be expanded: file_roots: dev: - /srv/salt/dev qa: - /srv/salt/qa prod: - /srv/salt/prod In the above, we declare three environments: dev, qa and prod. Each environment has a single directory assigned to it. Our top file references the environments: dev: 'webserver*': - webserver 'db*': - db qa: 'webserver*': - webserver 'db*': - db prod: 'webserver*': - webserver 'db*': - db As seen above, the top file now declares the three environments and for each, targets are defined to map globs of minion IDs to state files. For example, all minions which have an ID beginning with the string webserver will have the webserver state from the requested environment assigned to it. In this manner, a proposed change to a state could first be made in a state file in /srv/salt/dev and then be applied to development webservers before moving the state into QA by copying the state file into /srv/salt/qa. Choosing an Environment to Target The top file is used to assign a minion to an environment unless overridden using the methods described below. The environment in the top file must match an environment in file_roots in order for any states to be applied to that minion. The states that will be applied to a minion in a given environment can be viewed using the state.show_top execution function. Minions may be pinned to a particular environment by setting the environment value in the minion configuration file. In doing so, a minion will only request files from the environment to which it is assigned. The environment to use may also be dynamically selected at the time that a salt, salt-call or salt-ssh by passing passing a flag to the execution module being called. This is most commonly done with functions in the state module by using the saltenv= argument. For example, to run a highstate on all minions, using the state files in the prod state tree, run: salt '*' state.highstate saltenv=prod. NOTE: Not all functions accept saltenv as an argument See individual function documentation to verify. Shorthand If you assign only one SLS to a system, as in this example, a shorthand is also available: base: '*': global dev: 'webserver*': webserver 'db*': db qa: 'webserver*': webserver 'db*': db prod: 'webserver*': webserver 'db*': db Advanced Minion Targeting In addition to globs, minions can be specified in top files a few other ways. Some common ones are compound matches and node groups. Below is a slightly more complex top file example, showing the different types of matches you can perform: # All files will be taken from the file path specified in the base # environment in the ``file_roots`` configuration value. base: # All minions get the following three state files applied '*': - ldap-client - networking - salt.minion # All minions which have an ID that begins with the phrase # 'salt-master' will have an SLS file applied that is named # 'master.sls' and is in the 'salt' directory, underneath # the root specified in the ``base`` environment in the # configuration value for ``file_roots``. 'salt-master*': - salt.master # Minions that have an ID matching the following regular # expression will have the state file called 'web.sls' in the # nagios/mon directory applied. Additionally, minions matching # the regular expression will also have the 'server.sls' file # in the apache/ directory applied. # NOTE! # # Take note of the 'match' directive here, which tells Salt # to treat the target string as a regex to be matched! '^(memcache|web).(qa|prod).loc$': - match: pcre - nagios.mon.web - apache.server # Minions that have a grain set indicating that they are running # the Ubuntu operating system will have the state file called # 'ubuntu.sls' in the 'repos' directory applied. # # Again take note of the 'match' directive here which tells # Salt to match against a grain instead of a minion ID. 'os:Ubuntu': - match: grain - repos.ubuntu # Minions that are either RedHat or CentOS should have the 'epel.sls' # state applied, from the 'repos/' directory. 'os:(RedHat|CentOS)': - match: grain_pcre - repos.epel # The three minions with the IDs of 'foo', 'bar' and 'baz' should # have 'database.sls' applied. 'foo,bar,baz': - match: list - database # Any minion for which the pillar key 'somekey' is set and has a value # of that key matching 'abc' will have the 'xyz.sls' state applied. 'somekey:abc': - match: pillar - xyz # All minions which begin with the strings 'nag1' or any minion with # a grain set called 'role' with the value of 'monitoring' will have # the 'server.sls' state file applied from the 'nagios/' directory. 'nag1* or G@role:monitoring': - match: compound - nagios.server How Top Files Are Compiled When using multiple environments, it is not necessary to create a top file for each environment. The most common approach, and the easiest to maintain, is to use a single top file placed in only one environment. However, some workflows do call for multiple top files. In this case, top files may be merged together to create high data for the state compiler to use as a source to compile states on a minion. For the following discussion of top file compilation, assume the following configuration: /etc/salt/master: <snip> file_roots: first_env: - /srv/salt/first second_env: - /srv/salt/second /srv/salt/first/top.sls: first_env: '*': - first second_env: '*': - second The astute reader will ask how the state compiler resolves which should be an obvious conflict if a minion is not pinned to a particular environment and if no environment argument is passed into a state function. Given the above, it is initially unclear whether first.sls will be applied or whether second.sls will be applied in a salt '*' state.highstate command. When conflicting keys arise, there are several configuration options which control the behaviour of salt: • env_order Setting env_order will set the order in which environments are processed by the state compiler. • top_file_merging_strategy Can be set to same, which will process only the top file from the environment that the minion belongs to via the environment configuration setting or the environment that is requested via the saltenv argument supported by some functions in the state module. Can also be set to merge. This is the default. When set to merge, top files will be merged together. The order in which top files are merged together can be controlled with env_order. • default_top If top_file_merging_strategy is set to same and an environment does not contain a top file, the top file in the environment specified by default_top will be used instead. SLS Template Variable Reference The template engines available to sls files and file templates come loaded with a number of context variables. These variables contain information and functions to assist in the generation of templates. See each variable below for its availability -- not all variables are available in all templating contexts. Salt The salt variable is available to abstract the salt library functions. This variable is a python dictionary containing all of the functions available to the running salt minion. It is available in all salt templates. {% for file in salt['cmd.run']('ls -1 /opt/to_remove').splitlines() %} /opt/to_remove/{{ file }}: file.absent {% endfor %} Opts The opts variable abstracts the contents of the minion's configuration file directly to the template. The opts variable is a dictionary. It is available in all templates. {{ opts['cachedir'] }} The config.get function also searches for values in the opts dictionary. Pillar The pillar dictionary can be referenced directly, and is available in all templates: {{ pillar['key'] }} Using the pillar.get function via the salt variable is generally recommended since a default can be safely set in the event that the value is not available in pillar and dictionaries can be traversed directly: {{ salt['pillar.get']('key', 'failover_value') }} {{ salt['pillar.get']('stuff:more:deeper') }} Grains The grains dictionary makes the minion's grains directly available, and is available in all templates: {{ grains['os'] }} The grains.get function can be used to traverse deeper grains and set defaults: {{ salt['grains.get']('os') }} saltenv The saltenv variable is available in only in sls files when gathering the sls from an environment. {{ saltenv }} sls The sls variable contains the sls reference value, and is only available in the actual SLS file (not in any files referenced in that SLS). The sls reference value is the value used to include the sls in top files or via the include option. {{ sls }} State Modules State Modules are the components that map to actual enforcement and management of Salt states. States are Easy to Write! State Modules should be easy to write and straightforward. The information passed to the SLS data structures will map directly to the states modules. Mapping the information from the SLS data is simple, this example should illustrate: /etc/salt/master: # maps to "name" file.managed: # maps to <filename>.<function> - e.g. "managed" in https://github.com/saltstack/salt/tree/develop/salt/states/file.py - user: root # one of many options passed to the manage function - group: root - mode: 644 - source: salt://salt/master Therefore this SLS data can be directly linked to a module, function, and arguments passed to that function. This does issue the burden, that function names, state names and function arguments should be very human readable inside state modules, since they directly define the user interface. Keyword Arguments Salt passes a number of keyword arguments to states when rendering them, including the environment, a unique identifier for the state, and more. Additionally, keep in mind that the requisites for a state are part of the keyword arguments. Therefore, if you need to iterate through the keyword arguments in a state, these must be considered and handled appropriately. One such example is in the pkgrepo.managed state, which needs to be able to handle arbitrary keyword arguments and pass them to module execution functions. An example of how these keyword arguments can be handled can be found here. Using Custom State Modules Place your custom state modules inside a _states directory within the file_roots specified by the master config file. These custom state modules can then be distributed in a number of ways. Custom state modules are distributed when state.highstate is run, or by executing the saltutil.sync_states or saltutil.sync_all functions. Any custom states which have been synced to a minion, that are named the same as one of Salt's default set of states, will take the place of the default state with the same name. Note that a state's default name is its filename (i.e. foo.py becomes state foo), but that its name can be overridden by using a __virtual__ function. Cross Calling Execution Modules from States As with Execution Modules, State Modules can also make use of the __salt__ and __grains__ data. See cross calling execution modules. It is important to note that the real work of state management should not be done in the state module unless it is needed. A good example is the pkg state module. This module does not do any package management work, it just calls the pkg execution module. This makes the pkg state module completely generic, which is why there is only one pkg state module and many backend pkg execution modules. On the other hand some modules will require that the logic be placed in the state module, a good example of this is the file module. But in the vast majority of cases this is not the best approach, and writing specific execution modules to do the backend work will be the optimal solution. Cross Calling State Modules All of the Salt state modules are available to each other and state modules can call functions available in other state modules. The variable __states__ is packed into the modules after they are loaded into the Salt minion. The __states__ variable is a Python dictionary containing all of the state modules. Dictionary keys are strings representing the names of the modules and the values are the functions themselves. Salt state modules can be cross-called by accessing the value in the __states__ dict: ret = __states__['file.managed'](name='/tmp/myfile', source='salt://myfile') This code will call the managed function in the file state module and pass the arguments name and source to it. Return Data A State Module must return a dict containing the following keys/values: • name: The same value passed to the state as "name". • changes: A dict describing the changes made. Each thing changed should be a key, with its value being another dict with keys called "old" and "new" containing the old/new values. For example, the pkg state's changes dict has one key for each package changed, with the "old" and "new" keys in its sub-dict containing the old and new versions of the package. • result: A tristate value. True if the action was successful, False if it was not, or None if the state was run in test mode, test=True, and changes would have been made if the state was not run in test mode. ┌───────────────────┬───────────┬───────────┐ │ │ live mode │ test mode │ ├───────────────────┼───────────┼───────────┤ │no changes │ True │ True │ ├───────────────────┼───────────┼───────────┤ │successful changes │ True │ None │ ├───────────────────┼───────────┼───────────┤ │failed changes │ False │ None │ └───────────────────┴───────────┴───────────┘ NOTE: Test mode does not predict if the changes will be successful or not. • comment: A string containing a summary of the result. Test State All states should check for and support test being passed in the options. This will return data about what changes would occur if the state were actually run. An example of such a check could look like this: # Return comment of changes if test. if __opts__['test']: ret['result'] = None ret['comment'] = 'State Foo will execute with param {0}'.format(bar) return ret Make sure to test and return before performing any real actions on the minion. Watcher Function If the state being written should support the watch requisite then a watcher function needs to be declared. The watcher function is called whenever the watch requisite is invoked and should be generic to the behavior of the state itself. The watcher function should accept all of the options that the normal state functions accept (as they will be passed into the watcher function). A watcher function typically is used to execute state specific reactive behavior, for instance, the watcher for the service module restarts the named service and makes it useful for the watcher to make the service react to changes in the environment. The watcher function also needs to return the same data that a normal state function returns. Mod_init Interface Some states need to execute something only once to ensure that an environment has been set up, or certain conditions global to the state behavior can be predefined. This is the realm of the mod_init interface. A state module can have a function called mod_init which executes when the first state of this type is called. This interface was created primarily to improve the pkg state. When packages are installed the package metadata needs to be refreshed, but refreshing the package metadata every time a package is installed is wasteful. The mod_init function for the pkg state sets a flag down so that the first, and only the first, package installation attempt will refresh the package database (the package database can of course be manually called to refresh via the refresh option in the pkg state). The mod_init function must accept the Low State Data for the given executing state as an argument. The low state data is a dict and can be seen by executing the state.show_lowstate function. Then the mod_init function must return a bool. If the return value is True, then the mod_init function will not be executed again, meaning that the needed behavior has been set up. Otherwise, if the mod_init function returns False, then the function will be called the next time. A good example of the mod_init function is found in the pkg state module: def mod_init(low): ''' Refresh the package database here so that it only needs to happen once ''' if low['fun'] == 'installed' or low['fun'] == 'latest': rtag = __gen_rtag() if not os.path.exists(rtag): open(rtag, 'w+').write('') return True else: return False The mod_init function in the pkg state accepts the low state data as low and then checks to see if the function being called is going to install packages, if the function is not going to install packages then there is no need to refresh the package database. Therefore if the package database is prepared to refresh, then return True and the mod_init will not be called the next time a pkg state is evaluated, otherwise return False and the mod_init will be called next time a pkg state is evaluated. Log Output You can call the logger from custom modules to write messages to the minion logs. The following code snippet demonstrates writing log messages: import logging log = logging.getLogger(__name__) log.info('Here is Some Information') log.warning('You Should Not Do That') log.error('It Is Busted') Full State Module Example The following is a simplistic example of a full state module and function. Remember to call out to execution modules to perform all the real work. The state module should only perform "before" and "after" checks. 1. Make a custom state module by putting the code into a file at the following path: /srv/salt/_states/my_custom_state.py. 2. Distribute the custom state module to the minions: salt '*' saltutil.sync_states 3. Write a new state to use the custom state by making a new state file, for instance /srv/salt/my_custom_state.sls. 4. Add the following SLS configuration to the file created in Step 3: human_friendly_state_id: # An arbitrary state ID declaration. my_custom_state: # The custom state module name. - enforce_custom_thing # The function in the custom state module. - name: a_value # Maps to the ``name`` parameter in the custom function. - foo: Foo # Specify the required ``foo`` parameter. - bar: False # Override the default value for the ``bar`` parameter. Example state module import salt.exceptions def enforce_custom_thing(name, foo, bar=True): ''' Enforce the state of a custom thing This state module does a custom thing. It calls out to the execution module ``my_custom_module`` in order to check the current system and perform any needed changes. name The thing to do something to foo A required argument bar : True An argument with a default value ''' ret = {'name': name, 'changes': {}, 'result': False, 'comment': ''} # Start with basic error-checking. Do all the passed parameters make sense # and agree with each-other? if bar == True and foo.startswith('Foo'): raise salt.exceptions.SaltInvocationError( 'Argument "foo" cannot start with "Foo" if argument "bar" is True.') # Check the current state of the system. Does anything need to change? current_state = __salt__['my_custom_module.current_state'](name) if current_state == foo: ret['result'] = True ret['comment'] = 'System already in the correct state' return ret # The state of the system does need to be changed. Check if we're running # in ``test=true`` mode. if __opts__['test'] == True: ret['comment'] = 'The state of "{0}" will be changed.'.format(name) ret['changes'] = { 'old': current_state, 'new': 'Description, diff, whatever of the new state', } # Return ``None`` when running with ``test=true``. ret['result'] = None return ret # Finally, make the actual change and return the result. new_state = __salt__['my_custom_module.change_state'](name, foo) ret['comment'] = 'The state of "{0}" was changed!'.format(name) ret['changes'] = { 'old': current_state, 'new': new_state, } ret['result'] = True return ret State Management State management, also frequently called Software Configuration Management (SCM), is a program that puts and keeps a system into a predetermined state. It installs software packages, starts or restarts services or puts configuration files in place and watches them for changes. Having a state management system in place allows one to easily and reliably configure and manage a few servers or a few thousand servers. It allows configurations to be kept under version control. Salt States is an extension of the Salt Modules that we discussed in the previous remote execution tutorial. Instead of calling one-off executions the state of a system can be easily defined and then enforced. Understanding the Salt State System Components The Salt state system is comprised of a number of components. As a user, an understanding of the SLS and renderer systems are needed. But as a developer, an understanding of Salt states and how to write the states is needed as well. NOTE: States are compiled and executed only on minions that have been targeted. To execute functions directly on masters, see runners. Salt SLS System The primary system used by the Salt state system is the SLS system. SLS stands for SaLt State. The Salt States are files which contain the information about how to configure Salt minions. The states are laid out in a directory tree and can be written in many different formats. The contents of the files and they way they are laid out is intended to be as simple as possible while allowing for maximum flexibility. The files are laid out in states and contains information about how the minion needs to be configured. SLS File Layout SLS files are laid out in the Salt file server. A simple layout can look like this: top.sls ssh.sls sshd_config users/init.sls users/admin.sls salt/master.sls web/init.sls The top.sls file is a key component. The top.sls files is used to determine which SLS files should be applied to which minions. The rest of the files with the .sls extension in the above example are state files. Files without a .sls extensions are seen by the Salt master as files that can be downloaded to a Salt minion. States are translated into dot notation. For example, the ssh.sls file is seen as the ssh state and the users/admin.sls file is seen as the users.admin state. Files named init.sls are translated to be the state name of the parent directory, so the web/init.sls file translates to the web state. In Salt, everything is a file; there is no "magic translation" of files and file types. This means that a state file can be distributed to minions just like a plain text or binary file. SLS Files The Salt state files are simple sets of data. Since SLS files are just data they can be represented in a number of different ways. The default format is YAML generated from a Jinja template. This allows for the states files to have all the language constructs of Python and the simplicity of YAML. State files can then be complicated Jinja templates that translate down to YAML, or just plain and simple YAML files. The State files are simply common data structures such as dictionaries and lists, constructed using a templating language such as YAML. Here is an example of a Salt State: vim: pkg.installed: [] salt: pkg.latest: - name: salt service.running: - names: - salt-master - salt-minion - require: - pkg: salt - watch: - file: /etc/salt/minion /etc/salt/minion: file.managed: - source: salt://salt/minion - user: root - group: root - mode: 644 - require: - pkg: salt This short stanza will ensure that vim is installed, Salt is installed and up to date, the salt-master and salt-minion daemons are running and the Salt minion configuration file is in place. It will also ensure everything is deployed in the right order and that the Salt services are restarted when the watched file updated. The Top File The top file controls the mapping between minions and the states which should be applied to them. The top file specifies which minions should have which SLS files applied and which environments they should draw those SLS files from. The top file works by specifying environments on the top-level. Each environment contains globs to match minions. Finally, each glob contains a list of lists of Salt states to apply to matching minions: base: '*': - salt - users - users.admin 'saltmaster.*': - match: pcre - salt.master This above example uses the base environment which is built into the default Salt setup. The base environment has two globs. First, the '*' glob contains a list of SLS files to apply to all minions. The second glob contains a regular expression that will match all minions with an ID matching saltmaster.* and specifies that for those minions, the salt.master state should be applied. Reloading Modules Some Salt states require that specific packages be installed in order for the module to load. As an example the pip state module requires the pip package for proper name and version parsing. In most of the common cases, Salt is clever enough to transparently reload the modules. For example, if you install a package, Salt reloads modules because some other module or state might require just that package which was installed. On some edge-cases salt might need to be told to reload the modules. Consider the following state file which we'll call pep8.sls: python-pip: cmd.run: - name: | easy_install --script-dir=/usr/bin -U pip - cwd: / pep8: pip.installed: - require: - cmd: python-pip The above example installs pip using easy_install from setuptools and installs pep8 using pip, which, as told earlier, requires pip to be installed system-wide. Let's execute this state: salt-call state.sls pep8 The execution output would be something like: ---------- State: - pip Name: pep8 Function: installed Result: False Comment: State pip.installed found in sls pep8 is unavailable Changes: Summary ------------ Succeeded: 1 Failed: 1 ------------ Total: 2 If we executed the state again the output would be: ---------- State: - pip Name: pep8 Function: installed Result: True Comment: Package was successfully installed Changes: pep8==1.4.6: Installed Summary ------------ Succeeded: 2 Failed: 0 ------------ Total: 2 Since we installed pip using cmd, Salt has no way to know that a system-wide package was installed. On the second execution, since the required pip package was installed, the state executed correctly. NOTE: Salt does not reload modules on every state run because doing so would greatly slow down state execution. So how do we solve this edge-case? reload_modules! reload_modules is a boolean option recognized by salt on all available states which forces salt to reload its modules once a given state finishes. The modified state file would now be: python-pip: cmd.run: - name: | easy_install --script-dir=/usr/bin -U pip - cwd: / - reload_modules: true pep8: pip.installed: - require: - cmd: python-pip Let's run it, once: salt-call state.sls pep8 The output is: ---------- State: - pip Name: pep8 Function: installed Result: True Comment: Package was successfully installed Changes: pep8==1.4.6: Installed Summary ------------ Succeeded: 2 Failed: 0 ------------ Total: 2 Full list of builtin state modules ┌─────────────────────────────┬──────────────────────────────────┐ │alias │ Configuration of email aliases │ ├─────────────────────────────┼──────────────────────────────────┤ │alternatives │ Configuration of the │ │ │ alternatives system │ ├─────────────────────────────┼──────────────────────────────────┤ │apache │ Apache state │ └─────────────────────────────┴──────────────────────────────────┘ │apache_module │ Manage Apache Modules │ ├─────────────────────────────┼──────────────────────────────────┤ │aptpkg │ Package management operations │ │ │ specific to APT- and DEB-based │ │ │ systems │ ├─────────────────────────────┼──────────────────────────────────┤ │archive │ Extract an archive │ ├─────────────────────────────┼──────────────────────────────────┤ │artifactory │ This state downloads artifacts │ │ │ from artifactory. │ ├─────────────────────────────┼──────────────────────────────────┤ │at │ Configuration disposable │ │ │ regularly scheduled tasks for │ │ │ at. │ ├─────────────────────────────┼──────────────────────────────────┤ │augeas │ Configuration management using │ │ │ Augeas │ ├─────────────────────────────┼──────────────────────────────────┤ │aws_sqs │ Manage SQS Queues │ ├─────────────────────────────┼──────────────────────────────────┤ │beacon │ Management of the Salt beacons │ ├─────────────────────────────┼──────────────────────────────────┤ │bigip │ A state module designed to │ │ │ enforce load-balancing │ │ │ configurations for F5 Big-IP │ │ │ entities. │ ├─────────────────────────────┼──────────────────────────────────┤ │blockdev │ Management of Block Devices │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_asg │ Manage Autoscale Groups │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_cfn │ Connection module for Amazon │ │ │ Cloud Formation │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_cloudwatch_alarm │ Manage Cloudwatch alarms │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_dynamodb │ Manage DynamoDB Tables │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_ec2 │ Manage EC2 │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_elasticache │ Manage Elasticache │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_elb │ Manage ELBs │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_iam │ Manage IAM objects │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_iam_role │ Manage IAM roles │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_kms │ Manage KMS keys, key policies │ │ │ and grants. │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_lc │ Manage Launch Configurations │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_rds │ Manage RDSs │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_route53 │ Manage Route53 records │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_secgroup │ Manage Security Groups │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_sns │ Manage SNS Topics │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_sqs │ Manage SQS Queues │ ├─────────────────────────────┼──────────────────────────────────┤ │boto_vpc │ Manage VPCs │ ├─────────────────────────────┼──────────────────────────────────┤ │bower │ Installation of Bower Packages │ ├─────────────────────────────┼──────────────────────────────────┤ │cabal │ Installation of Cabal Packages │ ├─────────────────────────────┼──────────────────────────────────┤ │chef │ Execute Chef client runs │ ├─────────────────────────────┼──────────────────────────────────┤ │cloud │ Using states instead of maps to │ │ │ deploy clouds │ ├─────────────────────────────┼──────────────────────────────────┤ │cmd │ Execution of arbitrary commands │ ├─────────────────────────────┼──────────────────────────────────┤ │composer │ Installation of Composer │ │ │ Packages │ ├─────────────────────────────┼──────────────────────────────────┤ │cron │ Management of cron, the Unix │ │ │ command scheduler │ ├─────────────────────────────┼──────────────────────────────────┤ │cyg │ Installation of Cygwin packages. │ ├─────────────────────────────┼──────────────────────────────────┤ │ddns │ Dynamic DNS updates │ ├─────────────────────────────┼──────────────────────────────────┤ │debconfmod │ Management of debconf selections │ ├─────────────────────────────┼──────────────────────────────────┤ │dellchassis │ Manage chassis via Salt Proxies. │ ├─────────────────────────────┼──────────────────────────────────┤ │disk │ Disk monitoring state │ ├─────────────────────────────┼──────────────────────────────────┤ │dockerio │ Manage Docker containers │ ├─────────────────────────────┼──────────────────────────────────┤ │dockerng │ Management of Docker containers │ ├─────────────────────────────┼──────────────────────────────────┤ │drac │ Management of Dell DRAC │ ├─────────────────────────────┼──────────────────────────────────┤ │elasticsearch_index │ State module to manage │ │ │ Elasticsearch indices │ ├─────────────────────────────┼──────────────────────────────────┤ │elasticsearch_index_template │ State module to manage │ │ │ Elasticsearch index templates │ ├─────────────────────────────┼──────────────────────────────────┤ │environ │ Support for getting and setting │ │ │ the environment variables of the │ │ │ current salt process. │ ├─────────────────────────────┼──────────────────────────────────┤ │eselect │ Management of Gentoo │ │ │ configuration using eselect │ ├─────────────────────────────┼──────────────────────────────────┤ │etcd_mod │ Manage etcd Keys │ ├─────────────────────────────┼──────────────────────────────────┤ │esxi │ Manage VMware ESXi Hosts. │ ├─────────────────────────────┼──────────────────────────────────┤ │event │ Send events through Salt's event │ │ │ system during state runs │ ├─────────────────────────────┼──────────────────────────────────┤ │file │ Operations on regular files, │ │ │ special files, directories, and │ │ │ symlinks │ ├─────────────────────────────┼──────────────────────────────────┤ │firewalld │ Management of firewalld │ ├─────────────────────────────┼──────────────────────────────────┤ │gem │ Installation of Ruby modules │ │ │ packaged as gems │ ├─────────────────────────────┼──────────────────────────────────┤ │git │ States to manage git │ │ │ repositories and git │ │ │ configuration │ ├─────────────────────────────┼──────────────────────────────────┤ │glance │ Managing Images in OpenStack │ │ │ Glance │ ├─────────────────────────────┼──────────────────────────────────┤ │glusterfs │ Manage glusterfs pool. │ ├─────────────────────────────┼──────────────────────────────────┤ │gnomedesktop │ Configuration of the GNOME │ │ │ desktop │ ├─────────────────────────────┼──────────────────────────────────┤ │grafana │ Manage Grafana Dashboards │ ├─────────────────────────────┼──────────────────────────────────┤ │grains │ Manage grains on the minion │ ├─────────────────────────────┼──────────────────────────────────┤ │group │ Management of user groups │ ├─────────────────────────────┼──────────────────────────────────┤ │hg │ Interaction with Mercurial │ │ │ repositories │ ├─────────────────────────────┼──────────────────────────────────┤ │hipchat │ Send a message to Hipchat │ ├─────────────────────────────┼──────────────────────────────────┤ │host │ Management of addresses and │ │ │ names in hosts file │ ├─────────────────────────────┼──────────────────────────────────┤ │htpasswd │ Support for htpasswd module. │ ├─────────────────────────────┼──────────────────────────────────┤ │http │ HTTP monitoring states │ ├─────────────────────────────┼──────────────────────────────────┤ │ifttt │ Trigger an event in IFTTT │ ├─────────────────────────────┼──────────────────────────────────┤ │incron │ Management of incron, the │ │ │ inotify cron │ ├─────────────────────────────┼──────────────────────────────────┤ │influxdb_database │ Management of InfluxDB databases │ ├─────────────────────────────┼──────────────────────────────────┤ │influxdb_user │ Management of InfluxDB users │ ├─────────────────────────────┼──────────────────────────────────┤ │ini_manage │ Manage ini files │ ├─────────────────────────────┼──────────────────────────────────┤ │ipmi │ Manage IPMI devices over LAN │ ├─────────────────────────────┼──────────────────────────────────┤ │ipset │ Management of ipsets │ ├─────────────────────────────┼──────────────────────────────────┤ │iptables │ Management of iptables │ ├─────────────────────────────┼──────────────────────────────────┤ │jboss7 │ Manage JBoss 7 Application │ │ │ Server via CLI interface │ ├─────────────────────────────┼──────────────────────────────────┤ │keyboard │ Management of keyboard layouts │ ├─────────────────────────────┼──────────────────────────────────┤ │keystone │ Management of Keystone users │ ├─────────────────────────────┼──────────────────────────────────┤ │kmod │ Loading and unloading of kernel │ │ │ modules │ ├─────────────────────────────┼──────────────────────────────────┤ │layman │ Management of Gentoo Overlays │ │ │ using layman │ ├─────────────────────────────┼──────────────────────────────────┤ │libvirt │ Manage libvirt certificates │ ├─────────────────────────────┼──────────────────────────────────┤ │linux_acl │ Linux File Access Control Lists │ ├─────────────────────────────┼──────────────────────────────────┤ │locale │ Management of languages/locales │ ├─────────────────────────────┼──────────────────────────────────┤ │lvm │ Management of Linux logical │ │ │ volumes │ ├─────────────────────────────┼──────────────────────────────────┤ │lvs_server │ Management of LVS (Linux Virtual │ │ │ Server) Real Server │ ├─────────────────────────────┼──────────────────────────────────┤ │lvs_service │ Management of LVS (Linux Virtual │ │ │ Server) Service │ ├─────────────────────────────┼──────────────────────────────────┤ │lxc │ Manage Linux Containers │ ├─────────────────────────────┼──────────────────────────────────┤ │makeconf │ Management of Gentoo make.conf │ ├─────────────────────────────┼──────────────────────────────────┤ │mdadm │ Managing software RAID with │ │ │ mdadm │ ├─────────────────────────────┼──────────────────────────────────┤ │memcached │ States for Management of │ │ │ Memcached Keys │ ├─────────────────────────────┼──────────────────────────────────┤ │modjk │ State to control Apache modjk │ ├─────────────────────────────┼──────────────────────────────────┤ │modjk_worker │ Manage modjk workers │ ├─────────────────────────────┼──────────────────────────────────┤ │module │ Execution of Salt modules from │ │ │ within states │ ├─────────────────────────────┼──────────────────────────────────┤ │mongodb_database │ Management of Mongodb databases │ ├─────────────────────────────┼──────────────────────────────────┤ │mongodb_user │ Management of Mongodb users │ ├─────────────────────────────┼──────────────────────────────────┤ │monit │ Monit state │ ├─────────────────────────────┼──────────────────────────────────┤ │mount │ Mounting of filesystems │ ├─────────────────────────────┼──────────────────────────────────┤ │mysql_database │ Management of MySQL databases │ │ │ (schemas) │ ├─────────────────────────────┼──────────────────────────────────┤ │mysql_grants │ Management of MySQL grants (user │ │ │ permissions) │ ├─────────────────────────────┼──────────────────────────────────┤ │mysql_query │ Execution of MySQL queries │ ├─────────────────────────────┼──────────────────────────────────┤ │mysql_user │ Management of MySQL users │ ├─────────────────────────────┼──────────────────────────────────┤ │network │ Configuration of network │ │ │ interfaces │ ├─────────────────────────────┼──────────────────────────────────┤ │nftables │ Management of nftables │ ├─────────────────────────────┼──────────────────────────────────┤ │npm │ Installation of NPM Packages │ ├─────────────────────────────┼──────────────────────────────────┤ │ntp │ Management of NTP servers │ ├─────────────────────────────┼──────────────────────────────────┤ │openstack_config │ Manage OpenStack configuration │ │ │ file settings. │ ├─────────────────────────────┼──────────────────────────────────┤ │pagerduty │ Create an Event in PagerDuty │ ├─────────────────────────────┼──────────────────────────────────┤ │pagerduty_escalation_policy │ Manage PagerDuty escalation │ │ │ policies. │ ├─────────────────────────────┼──────────────────────────────────┤ │pagerduty_schedule │ Manage PagerDuty schedules. │ ├─────────────────────────────┼──────────────────────────────────┤ │pagerduty_service │ Manage PagerDuty services │ ├─────────────────────────────┼──────────────────────────────────┤ │pagerduty_user │ Manage PagerDuty users. │ ├─────────────────────────────┼──────────────────────────────────┤ │pecl │ Installation of PHP Extensions │ │ │ Using pecl │ ├─────────────────────────────┼──────────────────────────────────┤ │pip_state │ Installation of Python Packages │ │ │ Using pip │ ├─────────────────────────────┼──────────────────────────────────┤ │pkg │ Installation of packages using │ │ │ OS package managers such as yum │ │ │ or apt-get │ ├─────────────────────────────┼──────────────────────────────────┤ │pkgbuild │ The pkgbuild state is the front │ │ │ of Salt package building │ │ │ backend. │ ├─────────────────────────────┼──────────────────────────────────┤ │pkgng │ Manage package remote repo using │ │ │ FreeBSD pkgng │ ├─────────────────────────────┼──────────────────────────────────┤ │pkgrepo │ Management of APT/YUM package │ │ │ repos │ ├─────────────────────────────┼──────────────────────────────────┤ │portage_config │ Management of Portage package │ │ │ configuration on Gentoo │ ├─────────────────────────────┼──────────────────────────────────┤ │ports │ Manage software from FreeBSD │ │ │ ports │ └─────────────────────────────┴──────────────────────────────────┘ │postgres_database │ Management of PostgreSQL │ │ │ databases │ ├─────────────────────────────┼──────────────────────────────────┤ │postgres_extension │ Management of PostgreSQL │ │ │ extensions (e.g.: postgis) │ ├─────────────────────────────┼──────────────────────────────────┤ │postgres_group │ Management of PostgreSQL groups │ │ │ (roles) │ ├─────────────────────────────┼──────────────────────────────────┤ │postgres_schema │ Management of PostgreSQL schemas │ ├─────────────────────────────┼──────────────────────────────────┤ │postgres_tablespace │ Management of PostgreSQL │ │ │ tablespace │ ├─────────────────────────────┼──────────────────────────────────┤ │postgres_user │ Management of PostgreSQL users │ │ │ (roles) │ ├─────────────────────────────┼──────────────────────────────────┤ │powerpath │ Powerpath configuration support │ ├─────────────────────────────┼──────────────────────────────────┤ │process │ Process Management │ ├─────────────────────────────┼──────────────────────────────────┤ │pushover │ Send a message to PushOver │ ├─────────────────────────────┼──────────────────────────────────┤ │pyenv │ Managing python installations │ │ │ with pyenv │ ├─────────────────────────────┼──────────────────────────────────┤ │pyrax_queues │ Manage Rackspace Queues │ ├─────────────────────────────┼──────────────────────────────────┤ │quota │ Management of POSIX Quotas │ ├─────────────────────────────┼──────────────────────────────────┤ │rabbitmq_cluster │ Manage RabbitMQ Clusters │ ├─────────────────────────────┼──────────────────────────────────┤ │rabbitmq_plugin │ Manage RabbitMQ Plugins │ ├─────────────────────────────┼──────────────────────────────────┤ │rabbitmq_policy │ Manage RabbitMQ Policies │ ├─────────────────────────────┼──────────────────────────────────┤ │rabbitmq_user │ Manage RabbitMQ Users │ ├─────────────────────────────┼──────────────────────────────────┤ │rabbitmq_vhost │ Manage RabbitMQ Virtual Hosts │ ├─────────────────────────────┼──────────────────────────────────┤ │rbenv │ Managing Ruby installations with │ │ │ rbenv │ ├─────────────────────────────┼──────────────────────────────────┤ │rdp │ Manage RDP Service on Windows │ │ │ servers │ ├─────────────────────────────┼──────────────────────────────────┤ │redismod │ Management of Redis server │ ├─────────────────────────────┼──────────────────────────────────┤ │reg │ │ ├─────────────────────────────┼──────────────────────────────────┤ │rvm │ Managing Ruby installations and │ │ │ gemsets with Ruby Version │ │ │ Manager (RVM) │ ├─────────────────────────────┼──────────────────────────────────┤ │saltmod │ Control the Salt command │ │ │ interface │ ├─────────────────────────────┼──────────────────────────────────┤ │schedule │ Management of the Salt scheduler │ ├─────────────────────────────┼──────────────────────────────────┤ │selinux │ Management of SELinux rules │ ├─────────────────────────────┼──────────────────────────────────┤ │serverdensity_device │ Monitor Server with Server │ │ │ Density │ ├─────────────────────────────┼──────────────────────────────────┤ │service │ Starting or restarting of │ │ │ services and daemons │ ├─────────────────────────────┼──────────────────────────────────┤ │slack │ Send a message to Slack │ ├─────────────────────────────┼──────────────────────────────────┤ │smtp │ Sending Messages via SMTP │ ├─────────────────────────────┼──────────────────────────────────┤ │splunk_search │ Splunk Search State Module │ ├─────────────────────────────┼──────────────────────────────────┤ │ssh_auth │ Control of entries in SSH │ │ │ authorized_key files │ ├─────────────────────────────┼──────────────────────────────────┤ │ssh_known_hosts │ Control of SSH known_hosts │ │ │ entries │ ├─────────────────────────────┼──────────────────────────────────┤ │stateconf │ Stateconf System │ ├─────────────────────────────┼──────────────────────────────────┤ │status │ Minion status monitoring │ ├─────────────────────────────┼──────────────────────────────────┤ │stormpath_account │ Support for Stormpath. │ ├─────────────────────────────┼──────────────────────────────────┤ │supervisord │ Interaction with the Supervisor │ │ │ daemon │ ├─────────────────────────────┼──────────────────────────────────┤ │svn │ Manage SVN repositories │ ├─────────────────────────────┼──────────────────────────────────┤ │sysctl │ Configuration of the Linux │ │ │ kernel using sysctl │ ├─────────────────────────────┼──────────────────────────────────┤ │syslog_ng │ State module for syslog_ng │ ├─────────────────────────────┼──────────────────────────────────┤ │sysrc │ │ ├─────────────────────────────┼──────────────────────────────────┤ │test │ Test States │ ├─────────────────────────────┼──────────────────────────────────┤ │timezone │ Management of timezones │ ├─────────────────────────────┼──────────────────────────────────┤ │tls │ Enforce state for SSL/TLS │ ├─────────────────────────────┼──────────────────────────────────┤ │tomcat │ This state uses the manager │ │ │ webapp to manage Apache tomcat │ │ │ webapps │ ├─────────────────────────────┼──────────────────────────────────┤ │trafficserver │ Control Apache Traffic Server │ ├─────────────────────────────┼──────────────────────────────────┤ │tuned │ Interface to Red Hat tuned-adm │ │ │ module │ ├─────────────────────────────┼──────────────────────────────────┤ │uptime │ Monitor Web Server with Uptime │ ├─────────────────────────────┼──────────────────────────────────┤ │user │ Management of user accounts │ ├─────────────────────────────┼──────────────────────────────────┤ │vbox_guest │ VirtualBox Guest Additions │ │ │ installer state │ ├─────────────────────────────┼──────────────────────────────────┤ │victorops │ Create an Event in VictorOps │ ├─────────────────────────────┼──────────────────────────────────┤ │virtualenv_mod │ Setup of Python virtualenv │ │ │ sandboxes. │ ├─────────────────────────────┼──────────────────────────────────┤ │win_dacl │ Windows Object Access Control │ │ │ Lists │ ├─────────────────────────────┼──────────────────────────────────┤ │win_dns_client │ Module for configuring DNS │ │ │ Client on Windows systems │ ├─────────────────────────────┼──────────────────────────────────┤ │win_firewall │ State for configuring Windows │ │ │ Firewall │ ├─────────────────────────────┼──────────────────────────────────┤ │win_network │ Configuration of network │ │ │ interfaces on Windows hosts │ ├─────────────────────────────┼──────────────────────────────────┤ │win_path │ Manage the Windows System PATH │ ├─────────────────────────────┼──────────────────────────────────┤ │win_powercfg │ This module allows you to │ │ │ control the power settings of a │ │ │ windows minion via powercfg. │ ├─────────────────────────────┼──────────────────────────────────┤ │win_servermanager │ Manage Windows features via the │ │ │ ServerManager powershell module │ ├─────────────────────────────┼──────────────────────────────────┤ │win_system │ Management of Windows system │ │ │ information │ ├─────────────────────────────┼──────────────────────────────────┤ │win_update │ Management of the windows update │ │ │ agent │ ├─────────────────────────────┼──────────────────────────────────┤ │winrepo │ Manage Windows Package │ │ │ Repository │ ├─────────────────────────────┼──────────────────────────────────┤ │x509 │ Manage X509 Certificates │ ├─────────────────────────────┼──────────────────────────────────┤ │xmpp │ Sending Messages over XMPP │ ├─────────────────────────────┼──────────────────────────────────┤ │zcbuildout │ Management of zc.buildout │ ├─────────────────────────────┼──────────────────────────────────┤ │zk_concurrency │ Control concurrency of steps │ │ │ within state execution using │ │ │ zookeeper │ └─────────────────────────────┴──────────────────────────────────┘ salt.states.alias Configuration of email aliases The mail aliases file can be managed to contain definitions for specific email aliases: username: alias.present: - target: user@example.com thomas: alias.present: - target: thomas@example.com salt.states.alias.absent(name) Ensure that the named alias is absent name The alias to remove salt.states.alias.present(name, target) Ensures that the named alias is present with the given target or list of targets. If the alias exists but the target differs from the previous entry, the target(s) will be overwritten. If the alias does not exist, the alias will be created. name The local user/address to assign an alias to target The forwarding address salt.states.alternatives Configuration of the alternatives system Control the alternatives system {% set my_hadoop_conf = '/opt/hadoop/conf' %} {{ my_hadoop_conf }}: file.directory hadoop-0.20-conf: alternatives.install: - name: hadoop-0.20-conf - link: /etc/hadoop-0.20/conf - path: {{ my_hadoop_conf }} - priority: 30 - require: - file: {{ my_hadoop_conf }} hadoop-0.20-conf: alternatives.remove: - name: hadoop-0.20-conf - path: {{ my_hadoop_conf }} salt.states.alternatives.auto(name) New in version 0.17.0. Instruct alternatives to use the highest priority path for <name> name is the master name for this link group (e.g. pager) salt.states.alternatives.install(name, link, path, priority) Install new alternative for defined <name> name is the master name for this link group (e.g. pager) link is the symlink pointing to /etc/alternatives/<name>. (e.g. /usr/bin/pager) path is the location of the new alternative target. NB: This file / directory must already exist. (e.g. /usr/bin/less) priority is an integer; options with higher numbers have higher priority in automatic mode. salt.states.alternatives.remove(name, path) Removes installed alternative for defined <name> and <path> or fallback to default alternative, if some defined before. name is the master name for this link group (e.g. pager) path is the location of one of the alternative target files. (e.g. /usr/bin/less) salt.states.alternatives.set(name, path) New in version 0.17.0. Sets alternative for <name> to <path>, if <path> is defined as an alternative for <name>. name is the master name for this link group (e.g. pager) path is the location of one of the alternative target files. (e.g. /usr/bin/less) salt.states.apache Apache state New in version 2014.7.0. Allows for inputting a yaml dictionary into a file for apache configuration files. The variable this is special and signifies what should be included with the above word between angle brackets (<>). /etc/httpd/conf.d/website.com.conf: apache.configfile: - config: - VirtualHost: this: '*:80' ServerName: - website.com ServerAlias: - www.website.com - dev.website.com ErrorLog: logs/website.com-error_log CustomLog: logs/website.com-access_log combined DocumentRoot: /var/www/vhosts/website.com Directory: this: /var/www/vhosts/website.com Order: Deny,Allow Deny from: all Allow from: - 127.0.0.1 - 192.168.100.0/24 Options: - +Indexes - FollowSymlinks AllowOverride: All salt.states.apache.configfile(name, config) salt.states.apache_module Manage Apache Modules New in version 2014.7.0. Enable and disable apache modules. Enable cgi module: apache_module.enable: - name: cgi Disable cgi module: apache_module.disable: - name: cgi salt.states.apache_module.disable(name) Ensure an Apache module is disabled. name Name of the Apache module salt.states.apache_module.enable(name) Ensure an Apache module is enabled. name Name of the Apache module salt.states.aptpkg Package management operations specific to APT- and DEB-based systems salt.states.aptpkg.held(name) Set package in 'hold' state, meaning it will not be upgraded. name The name of the package, e.g., 'tmux' salt.states.archive Extract an archive New in version 2014.1.0. salt.states.archive.extracted(name, source, archive_format, archive_user=None, user=None, group=None, tar_options=None, source_hash=None, if_missing=None, keep=False) New in version 2014.1.0. State that make sure an archive is extracted in a directory. The downloaded archive is erased if successfully extracted. The archive is downloaded only if necessary. NOTE: If if_missing is not defined, this state will check for name instead. If name exists, it will assume the archive was previously extracted successfully and will not extract it again. Example, tar with flag for lmza compression: graylog2-server: archive.extracted: - name: /opt/ - source: https://github.com/downloads/Graylog2/graylog2-server/graylog2-server-0.9.6p1.tar.lzma - source_hash: md5=499ae16dcae71eeb7c3a30c75ea7a1a6 - tar_options: J - archive_format: tar - if_missing: /opt/graylog2-server-0.9.6p1/ Example, tar with flag for verbose output: graylog2-server: archive.extracted: - name: /opt/ - source: https://github.com/downloads/Graylog2/graylog2-server/graylog2-server-0.9.6p1.tar.gz - source_hash: md5=499ae16dcae71eeb7c3a30c75ea7a1a6 - archive_format: tar - tar_options: v - user: root - group: root - if_missing: /opt/graylog2-server-0.9.6p1/ name Directory name where to extract the archive source Archive source, same syntax as file.managed source argument. source_hash Hash of source file, or file with list of hash-to-file mappings. It uses the same syntax as the file.managed source_hash argument. archive_format tar, zip or rar archive_user The user to own each extracted file. Deprecated since version Boron: replaced by standardized user parameter. user The user to own each extracted file. New in version 2015.8.0. group The group to own each extracted file. New in version 2015.8.0. if_missing Some archives, such as tar, extract themselves in a subfolder. This directive can be used to validate if the archive had been previously extracted. tar_options Required if used with archive_format: tar, otherwise optional. It needs to be the tar argument specific to the archive being extracted, such as 'J' for LZMA or 'v' to verbosely list files processed. Using this option means that the tar executable on the target will be used, which is less platform independent. Main operators like -x, --extract, --get, -c and -f/--file should not be used here. If archive_format is zip or rar and this option is not set, then the Python tarfile module is used. The tarfile module supports gzip and bz2 in Python 2. keep Keep the archive in the minion's cache salt.states.artifactory This state downloads artifacts from artifactory. salt.states.artifactory.downloaded(name, artifact, target_dir='/tmp', target_file=None) Ensures that the artifact from artifactory exists at given location. If it doesn't exist, then it will be downloaded. It it already exists then the checksum of existing file is checked against checksum in artifactory. If it is different then the step will fail. artifact Details of the artifact to be downloaded from artifactory. Various options are: • artifactory_url: URL of the artifactory instance • repository: Repository in artifactory • artifact_id: Artifact ID • group_id: Group ID • packaging: Packaging • classifier: Classifier • version: Version • username: Artifactory username • password: Artifactory password target_dir Directory where the artifact should be downloaded. By default it is downloaded to /tmp directory. target_file Target file to download artifact to. By default file name is resolved by artifactory. An example to download an artifact to a specific file: jboss_module_downloaded: artifactory.downloaded: - artifact: artifactory_url: http://artifactory.intranet.example.com/artifactory repository: 'libs-release-local' artifact_id: 'module' group_id: 'com.company.module' packaging: 'jar' classifier: 'sources' version: '1.0' - target_file: /opt/jboss7/modules/com/company/lib/module.jar Download artifact to the folder (automatically resolves file name): jboss_module_downloaded: artifactory.downloaded: - artifact: artifactory_url: http://artifactory.intranet.example.com/artifactory repository: 'libs-release-local' artifact_id: 'module' group_id: 'com.company.module' packaging: 'jar' classifier: 'sources' version: '1.0' - target_dir: /opt/jboss7/modules/com/company/lib salt.states.at Configuration disposable regularly scheduled tasks for at. The at state can be add disposable regularly scheduled tasks for your system. salt.states.at.absent(name, jobid=None, **kwargs) Remove a job from queue The 'kwargs' can include hour. minute. day. month. year limit Target range tag Job's tag runas Runs user-specified jobs example1: at.absent: - limit: all example2: at.absent: - limit: all - year: 13 example3: at.absent: - limit: all - tag: rose - runas: jim example4: at.absent: - limit: all - tag: rose - day: 13 - hour: 16 salt.states.at.present(name, timespec, tag=None, user=None, job=None) Add a job to queue. job Command to run. timespec The 'timespec' follows the format documented in the at(1) manpage. tag Make a tag for the job. user The user to run the at job New in version 2014.1.4. rose: at.present: - job: 'echo "I love saltstack" > love' - timespec: '9:09 11/09/13' - tag: love - user: jam salt.states.augeas Configuration management using Augeas New in version 0.17.0. This state requires the augeas Python module. Augeas can be used to manage configuration files. WARNING: Minimal installations of Debian and Ubuntu have been seen to have packaging bugs with python-augeas, causing the augeas module to fail to import. If the minion has the augeas module installed, and the state fails with a comment saying that the state is unavailable, first restart the salt-minion service. If the problem persists past that, the following command can be run from the master to determine what is causing the import to fail: salt minion-id cmd.run 'python -c "from augeas import Augeas"' For affected Debian/Ubuntu hosts, installing libpython2.7 has been known to resolve the issue. salt.states.augeas.change(name, context=None, changes=None, lens=None, **kwargs) New in version 2014.7.0. This state replaces setvalue(). Issue changes to Augeas, optionally for a specific context, with a specific lens. name State name context A file path, prefixed by /files. Should resolve to an actual file (not an arbitrary augeas path). This is used to avoid duplicating the file name for each item in the changes list (for example, set bind 0.0.0.0 in the example below operates on the file specified by context). If context is not specified, a file path prefixed by /files should be included with the set command. The file path is examined to determine if the specified changes are already present. redis-conf: augeas.change: - context: /files/etc/redis/redis.conf - changes: - set bind 0.0.0.0 - set maxmemory 1G changes List of changes that are issued to Augeas. Available commands are set, setm, mv/move, ins/insert, and rm/remove. lens The lens to use, needs to be suffixed with .lns, e.g.: Nginx.lns. See the list of stock lenses shipped with Augeas. Usage examples: Set the bind parameter in /etc/redis/redis.conf: redis-conf: augeas.change: - changes: - set /files/etc/redis/redis.conf/bind 0.0.0.0 NOTE: Use the context parameter to specify the file you want to manipulate. This way you don't have to include this in the changes every time: redis-conf: augeas.change: - context: /files/etc/redis/redis.conf - changes: - set bind 0.0.0.0 - set databases 4 - set maxmemory 1G Augeas is aware of a lot of common configuration files and their syntax. It knows the difference between for example ini and yaml files, but also files with very specific syntax, like the hosts file. This is done with lenses, which provide mappings between the Augeas tree and the file. There are many preconfigured lenses that come with Augeas by default, and they specify the common locations for configuration files. So most of the time Augeas will know how to manipulate a file. In the event that you need to manipulate a file that Augeas doesn't know about, you can specify the lens to use like this: redis-conf: augeas.change: - lens: redis - context: /files/etc/redis/redis.conf - changes: - set bind 0.0.0.0 NOTE: Even though Augeas knows that /etc/redis/redis.conf is a Redis configuration file and knows how to parse it, it is recommended to specify the lens anyway. This is because by default, Augeas loads all known lenses and their associated file paths. All these files are parsed when Augeas is loaded, which can take some time. When specifying a lens, Augeas is loaded with only that lens, which speeds things up quite a bit. A more complex example, this adds an entry to the services file for Zabbix, and removes an obsolete service: zabbix-service: augeas.change: - lens: services - context: /files/etc/services - changes: - ins service-name after service-name[last()] - set service-name[last()] zabbix-agent - set service-name[. = 'zabbix-agent']/#comment "Zabbix Agent service" - set service-name[. = 'zabbix-agent']/port 10050 - set service-name[. = 'zabbix-agent']/protocol tcp - rm service-name[. = 'im-obsolete'] - unless: grep "zabbix-agent" /etc/services WARNING: Don't forget the unless here, otherwise a new entry will be added every time this state is run. salt.states.aws_sqs Manage SQS Queues Create and destroy SQS queues. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses the awscli tool provided by Amazon. This can be downloaded from pip. Also check the documentation for awscli for configuration information. myqueue: aws_sqs.exists: - region: eu-west-1 salt.states.aws_sqs.absent(name, region, user=None, opts=False) Remove the named SQS queue if it exists. name Name of the SQS queue. region Region to remove the queue from user Name of the user performing the SQS operations opts Include additional arguments and options to the aws command line salt.states.aws_sqs.exists(name, region, user=None, opts=False) Ensure the SQS queue exists. name Name of the SQS queue. region Region to create the queue user Name of the user performing the SQS operations opts Include additional arguments and options to the aws command line salt.states.beacon Management of the Salt beacons New in version 2015.8.0. ps: beacon.present: - enable: False - salt-master: running - apache2: stopped sh: beacon.present: load: beacon.present: - 1m: - 0.0 - 2.0 - 5m: - 0.0 - 1.5 - 15m: - 0.1 - 1.0 salt.states.beacon.absent(name, **kwargs) Ensure beacon is absent. name The name of the beacon ensured absent. salt.states.beacon.disabled(name, **kwargs) Disable a beacon. name The name of the beacon to enable. salt.states.beacon.enabled(name, **kwargs) Enable a beacon. name The name of the beacon to enable. salt.states.beacon.present(name, **kwargs) Ensure beacon is configured with the included beacon data. name The name of the beacon ensure is configured. salt.states.bigip A state module designed to enforce load-balancing configurations for F5 Big-IP entities. maturity develop platform f5_bigip_11.6 salt.states.bigip.add_pool_member(hostname, username, password, name, member) A function to connect to a bigip device and add a new member to an existing pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to modify member The member to add to the pool salt.states.bigip.create_monitor(hostname, username, password, monitor_type, name, **kwargs) A function to connect to a bigip device and create a monitor. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password monitor_type The type of monitor to create name The name of the monitor to create kwargs [ arg=val ] ... Consult F5 BIGIP user guide for specific options for each monitor type. Typically, tmsh arg names are used. salt.states.bigip.create_node(hostname, username, password, name, address) Create a new node if it does not already exist. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the node to create address The address of the node salt.states.bigip.create_pool(hostname, username, password, name, members=None, allow_nat=None, allow_snat=None, description=None, gateway_failsafe_device=None, ignore_persisted_weight=None, ip_tos_to_client=None, ip_tos_to_server=None, link_qos_to_client=None, link_qos_to_server=None, load_balancing_mode=None, min_active_members=None, min_up_members=None, min_up_members_action=None, min_up_members_checking=None, monitor=None, profiles=None, queue_depth_limit=None, queue_on_connection_limit=None, queue_time_limit=None, reselect_tries=None, service_down_action=None, slow_ramp_time=None) Create a new node if it does not already exist. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to create members List of members to be added to the pool allow_nat [yes | no] allow_snat [yes | no] description [string] gateway_failsafe_device [string] ignore_persisted_weight [enabled | disabled] ip_tos_to_client [pass-through | [integer]] ip_tos_to_server [pass-through | [integer]] link_qos_to_client [pass-through | [integer]] link_qos_to_server [pass-through | [integer]] load_balancing_mode [dynamic-ratio-member | dynamic-ratio-node | fastest-app-response | fastest-node | least-connections-members | least-connections-node | least-sessions | observed-member | observed-node | predictive-member | predictive-node | ratio-least-connections-member | ratio-least-connections-node | ratio-member | ratio-node | ratio-session | round-robin | weighted-least-connections-member | weighted-least-connections-node] min_active_members [integer] min_up_members [integer] min_up_members_action [failover | reboot | restart-all] min_up_members_checking [enabled | disabled] monitor [name] profiles [none | profile_name] queue_depth_limit [integer] queue_on_connection_limit [enabled | disabled] queue_time_limit [integer] reselect_tries [integer] service_down_action [drop | none | reselect | reset] slow_ramp_time [integer] salt.states.bigip.create_profile(hostname, username, password, profile_type, name, **kwargs) A function to connect to a bigip device and create a profile. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password profile_type The type of profile to create name The name of the profile to create kwargs [ arg=val ] ... Consult F5 BIGIP user guide for specific options for each profile type. Typically, tmsh arg names are used. Special Characters |, , and : must be escaped using \ when used within strings. salt.states.bigip.create_virtual(hostname, username, password, name, destination, pool=None, address_status=None, auto_lasthop=None, bwc_policy=None, cmp_enabled=None, connection_limit=None, dhcp_relay=None, description=None, fallback_persistence=None, flow_eviction_policy=None, gtm_score=None, ip_forward=None, ip_protocol=None, internal=None, twelve_forward=None, last_hop_pool=None, mask=None, mirror=None, nat64=None, persist=None, profiles=None, policies=None, rate_class=None, rate_limit=None, rate_limit_mode=None, rate_limit_dst=None, rate_limit_src=None, rules=None, related_rules=None, reject=None, source=None, source_address_translation=None, source_port=None, virtual_state=None, traffic_classes=None, translate_address=None, translate_port=None, vlans=None) A function to connect to a bigip device and create a virtual server if it does not already exists. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the virtual to create destination [ [virtual_address_name:port] | [ipv4:port] | [ipv6.port] ] pool [ [pool_name] | none] address_status [yes | no] auto_lasthop [default | enabled | disabled ] bwc_policy [none] | string] cmp_enabled [yes | no] dhcp_relay [yes | no} connection_limit [integer] description [string] state [disabled | enabled] fallback_persistence [none | [profile name] ] flow_eviction_policy [none | [eviction policy name] ] gtm_score [integer] ip_forward [yes | no] ip_protocol [any | protocol] internal [yes | no] twelve_forward(12-forward) [yes | no] last_hop-pool [ [pool_name] | none] mask { [ipv4] | [ipv6] } mirror { [disabled | enabled | none] } nat64 [enabled | disabled] persist [list] profiles [none | default | list ] policies [none | default | list ] rate_class [name] rate_limit [integer] rate_limit-mode [destination | object | object-destination | object-source | object-source-destination | source | source-destination] rate_limit-dst [integer] rate_limit-src [integer] rules [none | list ] related_rules [none | list ] reject [yes | no] source { [ipv4[/prefixlen]] | [ipv6[/prefixlen]] } source_address_translation [none | snat:pool_name | lsn | automap | dictionary ] source_port [change | preserve | preserve-strict] state [enabled | disabled] traffic_classes [none | default | list ] translate_address [enabled | disabled] translate_port [enabled | disabled] vlans [none | default | dictionary] vlan_ids [ list] enabled [ true | false ] salt.states.bigip.delete_monitor(hostname, username, password, monitor_type, name) Modify an existing monitor. If it does exists, only the parameters specified will be enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password monitor_type The type of monitor to create name The name of the monitor to create kwargs [ arg=val ] ... Consult F5 BIGIP user guide for specific options for each monitor type. Typically, tmsh arg names are used. salt.states.bigip.delete_node(hostname, username, password, name) Delete an existing node. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the node which will be deleted. salt.states.bigip.delete_pool(hostname, username, password, name) Delete an existing pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool which will be deleted salt.states.bigip.delete_pool_member(hostname, username, password, name, member) Delete an existing pool member. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to be modified member The name of the member to delete from the pool salt.states.bigip.delete_profile(hostname, username, password, profile_type, name) Modify an existing profile. If it does exists, only the parameters specified will be enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password profile_type The type of profile to create name The name of the profile to create kwargs [ arg=val ] ... Consult F5 BIGIP user guide for specific options for each profile type. Typically, tmsh arg names are used. salt.states.bigip.delete_virtual(hostname, username, password, name) Delete an existing virtual. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the virtual which will be deleted salt.states.bigip.list_monitor(hostname, username, password, monitor_type, name) A fucntion to list an exsiting monitor. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password monitor_type The type of monitor to list name The name of the monitor to list salt.states.bigip.list_node(hostname, username, password, name) A function to connect to a bigip device and list a specific node. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the node to list. salt.states.bigip.list_pool(hostname, username, password, name) A function to connect to a bigip device and list a specific pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to list. salt.states.bigip.list_profile(hostname, username, password, profile_type, name) A function to list an existing profile. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password profile_type The type of profile to list name The name of the profile to list salt.states.bigip.list_virtual(hostname, username, password, name) A function to list a specific virtual. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the virtual to list salt.states.bigip.manage_monitor(hostname, username, password, monitor_type, name, **kwargs) Create a new monitor if a monitor of this type and name does not already exists. If it does exists, only the parameters specified will be enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password monitor_type The type of monitor to create name The name of the monitor to create kwargs [ arg=val ] ... Consult F5 BIGIP user guide for specific options for each monitor type. Typically, tmsh arg names are used. salt.states.bigip.manage_node(hostname, username, password, name, address, connection_limit=None, description=None, dynamic_ratio=None, logging=None, monitor=None, rate_limit=None, ratio=None, session=None, node_state=None) Manages a node of a given bigip device. If the node does not exist it will be created, otherwise, only the properties which are different than the existing will be updated. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the node to manage. address The address of the node connection_limit [integer] description [string] dynam c_ratio: [integer] logging [enabled | disabled] monitor [[name] | none | default] rate_limit [integer] ratio [integer] session [user-enabled | user-disabled] node_state (state) [user-down | user-up ] salt.states.bigip.manage_pool(hostname, username, password, name, allow_nat=None, allow_snat=None, description=None, gateway_failsafe_device=None, ignore_persisted_weight=None, ip_tos_to_client=None, ip_tos_to_server=None, link_qos_to_client=None, link_qos_to_server=None, load_balancing_mode=None, min_active_members=None, min_up_members=None, min_up_members_action=None, min_up_members_checking=None, monitor=None, profiles=None, queue_depth_limit=None, queue_on_connection_limit=None, queue_time_limit=None, reselect_tries=None, service_down_action=None, slow_ramp_time=None) Create a new pool if it does not already exist. Pool members are managed separately. Only the parameters specified are enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to create allow_nat [yes | no] allow_snat [yes | no] description [string] gateway_failsafe_device [string] ignore_persisted_weight [enabled | disabled] ip_tos_to_client [pass-through | [integer]] ip_tos_to_server [pass-through | [integer]] link_qos_to_client [pass-through | [integer]] link_qos_to_server [pass-through | [integer]] load_balancing_mode [dynamic-ratio-member | dynamic-ratio-node | fastest-app-response | fastest-node | least-connections-members | least-connections-node | least-sessions | observed-member | observed-node | predictive-member | predictive-node | ratio-least-connections-member | ratio-least-connections-node | ratio-member | ratio-node | ratio-session | round-robin | weighted-least-connections-member | weighted-least-connections-node] min_active_members [integer] min_up_members [integer] min_up_members_action [failover | reboot | restart-all] min_up_members_checking [enabled | disabled] monitor [name] profiles [none | profile_name] queue_depth_limit [integer] queue_on_connection_limit [enabled | disabled] queue_time_limit [integer] reselect_tries [integer] service_down_action [drop | none | reselect | reset] slow_ramp_time [integer] salt.states.bigip.manage_pool_members(hostname, username, password, name, members) Manage the members of an existing pool. This function replaces all current pool members. Only the parameters specified are enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to modify members list of pool members to manage. salt.states.bigip.manage_profile(hostname, username, password, profile_type, name, **kwargs) Create a new profile if a monitor of this type and name does not already exists. If it does exists, only the parameters specified will be enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password profile_type The type of profile to create name The name of the profile to create kwargs [ arg=val ] ... Consult F5 BIGIP user guide for specific options for each profile type. Typically, tmsh arg names are used. salt.states.bigip.manage_virtual(hostname, username, password, name, destination, pool=None, address_status=None, auto_lasthop=None, bwc_policy=None, cmp_enabled=None, connection_limit=None, dhcp_relay=None, description=None, fallback_persistence=None, flow_eviction_policy=None, gtm_score=None, ip_forward=None, ip_protocol=None, internal=None, twelve_forward=None, last_hop_pool=None, mask=None, mirror=None, nat64=None, persist=None, profiles=None, policies=None, rate_class=None, rate_limit=None, rate_limit_mode=None, rate_limit_dst=None, rate_limit_src=None, rules=None, related_rules=None, reject=None, source=None, source_address_translation=None, source_port=None, virtual_state=None, traffic_classes=None, translate_address=None, translate_port=None, vlans=None) Manage a virtual server. If a virtual does not exists it will be created, otherwise only the parameters specified will be enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the virtual to create destination [ [virtual_address_name:port] | [ipv4:port] | [ipv6.port] ] pool [ [pool_name] | none] address_status [yes | no] auto_lasthop [default | enabled | disabled ] bwc_policy [none] | string] cmp_enabled [yes | no] dhcp_relay [yes | no} connection_limit [integer] description [string] state [disabled | enabled] fallback_persistence [none | [profile name] ] flow_eviction_policy [none | [eviction policy name] ] gtm_score [integer] ip_forward [yes | no] ip_protocol [any | protocol] internal [yes | no] twelve_forward(12-forward) [yes | no] last_hop-pool [ [pool_name] | none] mask { [ipv4] | [ipv6] } mirror { [disabled | enabled | none] } nat64 [enabled | disabled] persist [list] profiles [none | default | list ] policies [none | default | list ] rate_class [name] rate_limit [integer] rate_limit-mode [destination | object | object-destination | object-source | object-source-destination | source | source-destination] rate_limit-dst [integer] rate_limit-src [integer] rules [none | list ] related_rules [none | list ] reject [yes | no] source { [ipv4[/prefixlen]] | [ipv6[/prefixlen]] } source_address_translation [none | snat:pool_name | lsn | automap | dictionary ] source_port [change | preserve | preserve-strict] state [enabled | disabled] traffic_classes [none | default | list ] translate_address [enabled | disabled] translate_port [enabled | disabled] vlans [none | default | dictionary] vlan_ids [ list] enabled [ true | false ] salt.states.bigip.modify_monitor(hostname, username, password, monitor_type, name, **kwargs) Modify an existing monitor. If it does exists, only the parameters specified will be enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password monitor_type The type of monitor to create name The name of the monitor to create kwargs [ arg=val ] ... Consult F5 BIGIP user guide for specific options for each monitor type. Typically, tmsh arg names are used. salt.states.bigip.modify_node(hostname, username, password, name, connection_limit=None, description=None, dynamic_ratio=None, logging=None, monitor=None, rate_limit=None, ratio=None, session=None, node_state=None) Modify an existing node. Only a node which already exists will be modified and only the parameters specified will be enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the node to modify connection_limit [integer] description [string] dynamic_ratio [integer] logging [enabled | disabled] monitor [[name] | none | default] rate_limit [integer] ratio [integer] session [user-enabled | user-disabled] node_state (state) [user-down | user-up ] salt.states.bigip.modify_pool(hostname, username, password, name, allow_nat=None, allow_snat=None, description=None, gateway_failsafe_device=None, ignore_persisted_weight=None, ip_tos_to_client=None, ip_tos_to_server=None, link_qos_to_client=None, link_qos_to_server=None, load_balancing_mode=None, min_active_members=None, min_up_members=None, min_up_members_action=None, min_up_members_checking=None, monitor=None, profiles=None, queue_depth_limit=None, queue_on_connection_limit=None, queue_time_limit=None, reselect_tries=None, service_down_action=None, slow_ramp_time=None) Modify an existing pool. Pool members are managed separately. Only the parameters specified are enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to create allow_nat [yes | no] allow_snat [yes | no] description [string] gateway_failsafe_device [string] ignore_persisted_weight [enabled | disabled] ip_tos_to_client [pass-through | [integer]] ip_tos_to_server [pass-through | [integer]] link_qos_to_client [pass-through | [integer]] link_qos_to_server [pass-through | [integer]] load_balancing_mode [dynamic-ratio-member | dynamic-ratio-node | fastest-app-response | fastest-node | least-connections-members | least-connections-node | least-sessions | observed-member | observed-node | predictive-member | predictive-node | ratio-least-connections-member | ratio-least-connections-node | ratio-member | ratio-node | ratio-session | round-robin | weighted-least-connections-member | weighted-least-connections-node] min_active_members [integer] min_up_members [integer] min_up_members_action [failover | reboot | restart-all] min_up_members_checking [enabled | disabled] monitor [name] profiles [none | profile_name] queue_depth_limit [integer] queue_on_connection_limit [enabled | disabled] queue_time_limit [integer] reselect_tries [integer] service_down_action [drop | none | reselect | reset] slow_ramp_time [integer] salt.states.bigip.modify_pool_member(hostname, username, password, name, member, connection_limit=None, description=None, dynamic_ratio=None, inherit_profile=None, logging=None, monitor=None, priority_group=None, profiles=None, rate_limit=None, ratio=None, session=None, member_state=None) A function to connect to a bigip device and modify a member of an existing pool. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the pool to modify member The member modify connection_limit [integer] description [string] dynamic_ratio [integer] inherit_profile [enabled | disabled] logging [enabled | disabled] monitor [name] priority_group [integer] profiles [none | profile_name] rate_limit [integer] ratio [integer] session [user-enabled | user-disabled] member_state (state) [ user-up | user-down ] salt.states.bigip.modify_profile(hostname, username, password, profile_type, name, **kwargs) Modify an existing profile. If it does exists, only the parameters specified will be enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password profile_type The type of profile to create name The name of the profile to create kwargs [ arg=val ] ... Consult F5 BIGIP user guide for specific options for each monitor type. Typically, tmsh arg names are used. salt.states.bigip.modify_virtual(hostname, username, password, name, destination, pool=None, address_status=None, auto_lasthop=None, bwc_policy=None, cmp_enabled=None, connection_limit=None, dhcp_relay=None, description=None, fallback_persistence=None, flow_eviction_policy=None, gtm_score=None, ip_forward=None, ip_protocol=None, internal=None, twelve_forward=None, last_hop_pool=None, mask=None, mirror=None, nat64=None, persist=None, profiles=None, policies=None, rate_class=None, rate_limit=None, rate_limit_mode=None, rate_limit_dst=None, rate_limit_src=None, rules=None, related_rules=None, reject=None, source=None, source_address_translation=None, source_port=None, virtual_state=None, traffic_classes=None, translate_address=None, translate_port=None, vlans=None) Modify an virtual server. modify an existing virtual. Only parameters specified will be enforced. hostname The host/address of the bigip device username The iControl REST username password The iControl REST password name The name of the virtual to create destination [ [virtual_address_name:port] | [ipv4:port] | [ipv6.port] ] pool [ [pool_name] | none] address_status [yes | no] auto_lasthop [default | enabled | disabled ] bwc_policy [none] | string] cmp_enabled [yes | no] dhcp_relay [yes | no} connection_limit [integer] description [string] state [disabled | enabled] fallback_persistence [none | [profile name] ] flow_eviction_policy [none | [eviction policy name] ] gtm_score [integer] ip_forward [yes | no] ip_protocol [any | protocol] internal [yes | no] twelve_forward(12-forward) [yes | no] last_hop-pool [ [pool_name] | none] mask { [ipv4] | [ipv6] } mirror { [disabled | enabled | none] } nat64 [enabled | disabled] persist [list] profiles [none | default | list ] policies [none | default | list ] rate_class [name] rate_limit [integer] rate_limit-mode [destination | object | object-destination | object-source | object-source-destination | source | source-destination] rate_limit_dst [integer] rate_limit_src [integer] rules [none | list ] related_rules [none | list ] reject [yes | no] source { [ipv4[/prefixlen]] | [ipv6[/prefixlen]] } source_address_translation [none | snat:pool_name | lsn | automap | dictionary ] source_port [change | preserve | preserve-strict] state [enabled | disabled] traffic_classes [none | default | list ] translate_address [enabled | disabled] translate_port [enabled | disabled] vlans [none | default | dictionary ] vlan_ids [ list] enabled [ true | false ] salt.states.blockdev Management of Block Devices A state module to manage blockdevices /dev/sda: blockdev.tuned: - read-only: True master-data: blockdev.tuned: - name: /dev/vg/master-data - read-only: True - read-ahead: 1024 New in version 2014.7.0. salt.states.blockdev.formatted(name, fs_type='ext4', **kwargs) Manage filesystems of partitions. name The name of the block device fs_type The filesystem it should be formatted as salt.states.blockdev.tuned(name, **kwargs) Manage options of block device name The name of the block device opts: • read-ahead Read-ahead buffer size • filesystem-read-ahead Filesystem Read-ahead buffer size • read-only Set Read-Only • read-write Set Read-Write salt.states.boto_asg Manage Autoscale Groups New in version 2014.7.0. Create and destroy autoscale groups. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit autoscale credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: asg.keyid: GKTADJGHEIQSXMKKRBJ08H asg.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Ensure myasg exists: boto_asg.present: - name: myasg - launch_config_name: mylc - availability_zones: - us-east-1a - us-east-1b - min_size: 1 - max_size: 1 - desired_capacity: 1 - load_balancers: - myelb - suspended_processes: - AddToLoadBalancer - AlarmNotification - scaling_policies ---------- - adjustment_type: ChangeInCapacity - as_name: api-production-iad - cooldown: 1800 - min_adjustment_step: None - name: ScaleDown - scaling_adjustment: -1 - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs # Using a profile from pillars. Ensure myasg exists: boto_asg.present: - name: myasg - launch_config_name: mylc - availability_zones: - us-east-1a - us-east-1b - min_size: 1 - max_size: 1 - desired_capacity: 1 - load_balancers: - myelb - profile: myprofile # Passing in a profile. Ensure myasg exists: boto_asg.present: - name: myasg - launch_config_name: mylc - availability_zones: - us-east-1a - us-east-1b - min_size: 1 - max_size: 1 - desired_capacity: 1 - load_balancers: - myelb - profile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 # Deleting an autoscale group with running instances. Ensure myasg is deleted: boto_asg.absent: - name: myasg # If instances exist, we must force the deletion of the asg. - force: True It's possible to specify cloudwatch alarms that will be setup along with the ASG. Note the alarm name will be the name attribute defined, plus the ASG resource name. Ensure myasg exists: boto_asg.present: - name: myasg - launch_config_name: mylc - availability_zones: - us-east-1a - us-east-1b - min_size: 1 - max_size: 1 - desired_capacity: 1 - load_balancers: - myelb - profile: myprofile - alarms: CPU: name: 'ASG CPU **MANAGED BY SALT**' attributes: metric: CPUUtilization namespace: AWS/EC2 statistic: Average comparison: '>=' threshold: 65.0 period: 60 evaluation_periods: 30 unit: null description: 'ASG CPU' alarm_actions: [ 'arn:aws:sns:us-east-1:12345:myalarm' ] insufficient_data_actions: [] ok_actions: [ 'arn:aws:sns:us-east-1:12345:myalarm' ] You can also use alarms from pillars, and override values from the pillar alarms by setting overrides on the resource. Note that 'boto_asg_alarms' will be used as a default value for all resources, if defined and can be used to ensure alarms are always set for an ASG resource. Setting the alarms in a pillar: my_asg_alarm: CPU: name: 'ASG CPU **MANAGED BY SALT**' attributes: metric: CPUUtilization namespace: AWS/EC2 statistic: Average comparison: '>=' threshold: 65.0 period: 60 evaluation_periods: 30 unit: null description: 'ASG CPU' alarm_actions: [ 'arn:aws:sns:us-east-1:12345:myalarm' ] insufficient_data_actions: [] ok_actions: [ 'arn:aws:sns:us-east-1:12345:myalarm' ] Overriding the alarm values on the resource: Ensure myasg exists: boto_asg.present: - name: myasg - launch_config_name: mylc - availability_zones: - us-east-1a - us-east-1b - min_size: 1 - max_size: 1 - desired_capacity: 1 - load_balancers: - myelb - profile: myprofile - alarms_from_pillar: my_asg_alarm # override CPU:attributes:threshold - alarms: CPU: attributes: threshold: 50.0 salt.states.boto_asg.absent(name, force=False, region=None, key=None, keyid=None, profile=None) Ensure the named autoscale group is deleted. name Name of the autoscale group. force Force deletion of autoscale group. region The region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_asg.present(name, launch_config_name, availability_zones, min_size, max_size, launch_config=None, desired_capacity=None, load_balancers=None, default_cooldown=None, health_check_type=None, health_check_period=None, placement_group=None, vpc_zone_identifier=None, tags=None, termination_policies=None, suspended_processes=None, scaling_policies=None, scaling_policies_from_pillar='boto_asg_scaling_policies', alarms=None, alarms_from_pillar='boto_asg_alarms', region=None, key=None, keyid=None, profile=None, notification_arn=None, notification_arn_from_pillar='boto_asg_notification_arn', notification_types=None, notification_types_from_pillar='boto_asg_notification_types') Ensure the autoscale group exists. name Name of the autoscale group. launch_config_name Name of the launch config to use for the group. Or, if launch_config is specified, this will be the launch config name's prefix. (see below) launch_config A dictionary of launch config attributes. If specified, a launch config will be used or created, matching this set of attributes, and the autoscale group will be set to use that launch config. The launch config name will be the launch_config_name followed by a hyphen followed by a hash of the launch_config dict contents. availability_zones List of availability zones for the group. min_size Minimum size of the group. max_size Maximum size of the group. desired_capacity The desired capacity of the group. load_balancers List of load balancers for the group. Once set this can not be updated (Amazon restriction). default_cooldown Number of seconds after a Scaling Activity completes before any further scaling activities can start. health_check_type The service you want the health status from, Amazon EC2 or Elastic Load Balancer (EC2 or ELB). health_check_period Length of time in seconds after a new EC2 instance comes into service that Auto Scaling starts checking its health. placement_group Physical location of your cluster placement group created in Amazon EC2. Once set this can not be updated (Amazon restriction). vpc_zone_identifier A list of the subnet identifiers of the Virtual Private Cloud. tags A list of tags. Example: • key: 'key' value: 'value' propagate_at_launch: true termination_policies A list of termination policies. Valid values are: “OldestInstance”, “NewestInstance”, “OldestLaunchConfiguration”, “ClosestToNextInstanceHour”, “Default”. If no value is specified, the “Default” value is used. suspended_processes List of processes to be suspended. see http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/US_SuspendResume.html scaling_policies List of scaling policies. Each policy is a dict of key-values described by http://boto.readthedocs.org/en/latest/ref/autoscale.html#boto.ec2.autoscale.policy.ScalingPolicy scaling_policies_from_pillar: name of pillar dict that contains scaling policy settings. Scaling policies defined for this specific state will override those from pillar. alarms: a dictionary of name->boto_cloudwatch_alarm sections to be associated with this ASG. All attributes should be specified except for dimension which will be automatically set to this ASG. See the boto_cloudwatch_alarm state for information about these attributes. alarms_from_pillar: name of pillar dict that contains alarm settings. Alarms defined for this specific state will override those from pillar. region The region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. notification_arn The aws arn that notifications will be sent to notification_arn_from_pillar name of the pillar dict that contains notifcation_arn settings. A notification_arn defined for this specific state will override the one from pillar. notification_types A list of event names that will trigger a notification. The list of valid notification types is: "autoscaling:EC2_INSTANCE_LAUNCH", "autoscaling:EC2_INSTANCE_LAUNCH_ERROR", "autoscaling:EC2_INSTANCE_TERMINATE", "autoscaling:EC2_INSTANCE_TERMINATE_ERROR", "autoscaling:TEST_NOTIFICATION" notification_types_from_pillar name of the pillar dict that contains notifcation_types settings. Notification_types defined for this specific state will override those from the pillar. salt.states.boto_cfn Connection module for Amazon Cloud Formation New in version 2015.8.0. depends boto configuration This module accepts explicit AWS credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs stack-present: boto_cfn.present: - name: mystack - template_body: salt://base/mytemplate.json - disable_rollback: true - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'fdkjsafkljsASSADFalkfjasdf' stack-absent: boto_cfn.absent: - name: mystack salt.states.boto_cfn.absent(name, region=None, key=None, keyid=None, profile=None) Ensure cloud formation stack is absent. name (string) – The name of the stack to delete. region (string) - Region to connect to. key (string) - Secret key to be used. keyid (string) - Access key to be used. profile (dict) - A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_cfn.present(name, template_body=None, template_url=None, parameters=None, notification_arns=None, disable_rollback=None, timeout_in_minutes=None, capabilities=None, tags=None, on_failure=None, stack_policy_body=None, stack_policy_url=None, use_previous_template=None, stack_policy_during_update_body=None, stack_policy_during_update_url=None, region=None, key=None, keyid=None, profile=None) Ensure cloud formation stack is present. name (string) - Name of the stack. template_body (string) – Structure containing the template body. Can also be loaded from a file by using salt://. template_url (string) – Location of file containing the template body. The URL must point to a template located in an S3 bucket in the same region as the stack. parameters (list) – A list of key/value tuples that specify input parameters for the stack. A 3-tuple (key, value, bool) may be used to specify the UsePreviousValue option. notification_arns (list) – The Simple Notification Service (SNS) topic ARNs to publish stack related events. You can find your SNS topic ARNs using the `SNS console`_ or your Command Line Interface (CLI). disable_rollback (bool) – Indicates whether or not to rollback on failure. timeout_in_minutes (integer) – The amount of time that can pass before the stack status becomes CREATE_FAILED; if DisableRollback is not set or is set to False, the stack will be rolled back. capabilities (list) – The list of capabilities you want to allow in the stack. Currently, the only valid capability is ‘CAPABILITY_IAM’. tags (dict) – A set of user-defined Tags to associate with this stack, represented by key/value pairs. Tags defined for the stack are propagated to EC2 resources that are created as part of the stack. A maximum number of 10 tags can be specified. on_failure (string) – Determines what action will be taken if stack creation fails. This must be one of: DO_NOTHING, ROLLBACK, or DELETE. You can specify either OnFailure or DisableRollback, but not both. stack_policy_body (string) – Structure containing the stack policy body. Can also be loaded from a file by using salt://. stack_policy_url (string) – Location of a file containing the stack policy. The URL must point to a policy (max size: 16KB) located in an S3 bucket in the same region as the stack.If you pass StackPolicyBody and StackPolicyURL, only StackPolicyBody is used. use_previous_template (boolean) – Used only when templates are not the same. Set to True to use the previous template instead of uploading a new one via TemplateBody or TemplateURL. stack_policy_during_update_body (string) – Used only when templates are not the same. Structure containing the temporary overriding stack policy body. If you pass StackPolicyDuringUpdateBody and StackPolicyDuringUpdateURL, only StackPolicyDuringUpdateBody is used. Can also be loaded from a file by using salt://. stack_policy_during_update_url (string) – Used only when templates are not the same. Location of a file containing the temporary overriding stack policy. The URL must point to a policy (max size: 16KB) located in an S3 bucket in the same region as the stack. If you pass StackPolicyDuringUpdateBody and StackPolicyDuringUpdateURL, only StackPolicyDuringUpdateBody is used. region (string) - Region to connect to. key (string) - Secret key to be used. keyid (string) - Access key to be used. profile (dict) - A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_cloudwatch_alarm Manage Cloudwatch alarms New in version 2014.7.0. Create and destroy cloudwatch alarms. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the minion's config file: cloudwatch.keyid: GKTADJGHEIQSXMKKRBJ08H cloudwatch.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 my test alarm: boto_cloudwatch_alarm.present: - name: my test alarm - attributes: metric: ApproximateNumberOfMessagesVisible namespace: AWS/SQS statistic: Average comparison: ">=" threshold: 20000.0 period: 60 evaluation_periods: 1 description: test alarm via salt dimensions: QueueName: - the-sqs-queue-name alarm_actions: - arn:aws:sns:us-east-1:1111111:myalerting-action salt.states.boto_cloudwatch_alarm.absent(name, region=None, key=None, keyid=None, profile=None) Ensure the named cloudwatch alarm is deleted. name Name of the alarm. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_cloudwatch_alarm.present(name, attributes, region=None, key=None, keyid=None, profile=None) Ensure the cloudwatch alarm exists. name Name of the alarm attributes A dict of key/value cloudwatch alarm attributes. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_dynamodb Manage DynamoDB Tables New in version 2015.5.0. Create and destroy DynamoDB tables. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit DynamoDB credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Ensure DynamoDB table does not exist: boto_dynamodb.absent: - table_name: new_table - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs - region: us-east-1 Ensure DynamoDB table exists: boto_dynamodb.present: - table_name: new_table - read_capacity_units: 1 - write_capacity_units: 2 - hash_key: primary_id - hash_key_data_type: N - range_key: start_timestamp - range_key_data_type: N - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs - region: us-east-1 - local_indexes: - index: - name: "primary_id_end_timestamp_index" - hash_key: primary_id - hash_key_data_type: N - range_key: end_timestamp - range_key_data_type: N - global_indexes: - index: - name: "name_end_timestamp_index" - hash_key: name - hash_key_data_type: S - range_key: end_timestamp - range_key_data_type: N - read_capacity_units: 3 - write_capacity_units: 4 salt.states.boto_dynamodb.absent(table_name, region=None, key=None, keyid=None, profile=None) Ensure the DynamoDB table does not exist. table_name Name of the DynamoDB table. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_dynamodb.present(table_name, region=None, key=None, keyid=None, profile=None, read_capacity_units=None, write_capacity_units=None, hash_key=None, hash_key_data_type=None, range_key=None, range_key_data_type=None, local_indexes=None, global_indexes=None) Ensure the DynamoDB table exists. Note: all properties of the table can only be set during table creation. Adding or changing indexes or key schema cannot be done after table creation table_name Name of the DynamoDB table region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. read_capacity_units The read throughput for this table write_capacity_units The write throughput for this table hash_key The name of the attribute that will be used as the hash key for this table hash_key_data_type The DynamoDB datatype of the hash key range_key The name of the attribute that will be used as the range key for this table range_key_data_type The DynamoDB datatype of the range key local_indexes The local indexes you would like to create global_indexes The local indexes you would like to create salt.states.boto_ec2 Manage EC2 New in version 2015.8.0. This module provides an interface to the Elastic Compute Cloud (EC2) service from AWS. The below code creates a key pair: create-key-pair: boto_ec2.key_present: - name: mykeypair - save_private: /root/ - region: eu-west-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs import-key-pair: boto_ec2.key_present: - name: mykeypair - upload_public: 'ssh-rsa AAAA' - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs You can also use salt:// in order to define the public key. import-key-pair: boto_ec2.key_present: - name: mykeypair - upload_public: salt://mybase/public_key.pub - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs The below code deletes a key pair: delete-key-pair: boto_ec2.key_absent: - name: mykeypair - region: eu-west-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs salt.states.boto_ec2.key_absent(name, region=None, key=None, keyid=None, profile=None) Deletes a key pair salt.states.boto_ec2.key_present(name, save_private=None, upload_public=None, region=None, key=None, keyid=None, profile=None) Ensure key pair is present. salt.states.boto_elasticache Manage Elasticache New in version 2014.7.0. Create, destroy and update Elasticache clusters. Be aware that this interacts with Amazon's services, and so may incur charges. Note: This module currently only supports creation and deletion of elasticache resources and will not modify clusters when their configuration changes in your state files. This module uses boto, which can be installed via package, or pip. This module accepts explicit elasticache credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: elasticache.keyid: GKTADJGHEIQSXMKKRBJ08H elasticache.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Ensure myelasticache exists: boto_elasticache.present: - name: myelasticache - engine: redis - cache_node_type: cache.t1.micro - num_cache_nodes: 1 - notification_topic_arn: arn:aws:sns:us-east-1:879879:my-sns-topic - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs # Using a profile from pillars Ensure myelasticache exists: boto_elasticache.present: - name: myelasticache - engine: redis - cache_node_type: cache.t1.micro - num_cache_nodes: 1 - notification_topic_arn: arn:aws:sns:us-east-1:879879:my-sns-topic - region: us-east-1 - profile: myprofile # Passing in a profile Ensure myelasticache exists: boto_elasticache.present: - name: myelasticache - engine: redis - cache_node_type: cache.t1.micro - num_cache_nodes: 1 - notification_topic_arn: arn:aws:sns:us-east-1:879879:my-sns-topic - region: us-east-1 - profile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs salt.states.boto_elasticache.absent(name, wait=True, region=None, key=None, keyid=None, profile=None) Ensure the named elasticache cluster is deleted. name Name of the cache cluster. wait Boolean. Wait for confirmation from boto that the cluster is in the deleting state. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_elasticache.creategroup(name, primary_cluster_id, replication_group_description, wait=None, region=None, key=None, keyid=None, profile=None) Ensure the a replication group is create. name Name of replication group wait Waits for the group to be available primary_cluster_id Name of the master cache node replication_group_description Description for the group region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_elasticache.present(name, engine=None, cache_node_type=None, num_cache_nodes=None, preferred_availability_zone=None, port=None, cache_parameter_group_name=None, cache_security_group_names=None, replication_group_id=None, auto_minor_version_upgrade=True, security_group_ids=None, cache_subnet_group_name=None, engine_version=None, notification_topic_arn=None, preferred_maintenance_window=None, wait=None, region=None, key=None, keyid=None, profile=None) Ensure the cache cluster exists. name Name of the cache cluster (cache cluster id). engine The name of the cache engine to be used for this cache cluster. Valid values are memcached or redis. cache_node_type The compute and memory capacity of the nodes in the cache cluster. cache.t1.micro, cache.m1.small, etc. See: http://boto.readthedocs.org/en/latest/ref/elasticache.html#boto.elasticache.layer1.ElastiCacheConnection.create_cache_cluster num_cache_nodes The number of cache nodes that the cache cluster will have. preferred_availability_zone The EC2 Availability Zone in which the cache cluster will be created. All cache nodes belonging to a cache cluster are placed in the preferred availability zone. port The port number on which each of the cache nodes will accept connections. cache_parameter_group_name The name of the cache parameter group to associate with this cache cluster. If this argument is omitted, the default cache parameter group for the specified engine will be used. cache_security_group_names A list of cache security group names to associate with this cache cluster. Use this parameter only when you are creating a cluster outside of a VPC. replication_group_id The replication group to which this cache cluster should belong. If this parameter is specified, the cache cluster will be added to the specified replication group as a read replica; otherwise, the cache cluster will be a standalone primary that is not part of any replication group. auto_minor_version_upgrade Determines whether minor engine upgrades will be applied automatically to the cache cluster during the maintenance window. A value of True allows these upgrades to occur; False disables automatic upgrades. security_group_ids One or more VPC security groups associated with the cache cluster. Use this parameter only when you are creating a cluster in a VPC. cache_subnet_group_name The name of the cache subnet group to be used for the cache cluster. Use this parameter only when you are creating a cluster in a VPC. engine_version The version number of the cache engine to be used for this cluster. notification_topic_arn The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) topic to which notifications will be sent. The Amazon SNS topic owner must be the same as the cache cluster owner. preferred_maintenance_window The weekly time range (in UTC) during which system maintenance can occur. Example: sun:05:00-sun:09:00 wait Boolean. Wait for confirmation from boto that the cluster is in the available state. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_elasticache.subnet_group_absent(name, tags=None, region=None, key=None, keyid=None, profile=None) salt.states.boto_elasticache.subnet_group_present(name, subnet_ids, description, tags=None, region=None, key=None, keyid=None, profile=None) Ensure ElastiCache subnet group exists. New in version 2015.8.0. name The name for the ElastiCache subnet group. This value is stored as a lowercase string. subnet_ids A list of VPC subnet IDs for the cache subnet group. description Subnet group description. tags A list of tags. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_elb Manage ELBs New in version 2014.7.0. Create and destroy ELBs. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit elb credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: elb.keyid: GKTADJGHEIQSXMKKRBJ08H elb.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Ensure myelb ELB exists: boto_elb.present: - name: myelb - region: us-east-1 - availability_zones: - us-east-1a - us-east-1c - us-east-1d - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs - listeners: - elb_port: 443 instance_port: 80 elb_protocol: HTTPS instance_protocol: HTTP certificate: 'arn:aws:iam::1111111:server-certificate/mycert' - elb_port: 8210 instance_port: 8210 elb_protocol: TCP - health_check: target: 'HTTP:80/' - attributes: cross_zone_load_balancing: enabled: true access_log: enabled: true s3_bucket_name: 'mybucket' s3_bucket_prefix: 'my-logs' emit_interval: 5 - cnames: - name: mycname.example.com. zone: example.com. ttl: 60 - name: myothercname.example.com. zone: example.com. # Using a profile from pillars Ensure myelb ELB exists: boto_elb.present: - name: myelb - region: us-east-1 - profile: myelbprofile # Passing in a profile Ensure myelb ELB exists: boto_elb.present: - name: myelb - region: us-east-1 - profile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's possible to specify attributes from pillars by specifying a pillar. You can override the values defined in the pillard by setting the attributes on the resource. The module will use the default pillar key 'boto_elb_attributes', which allows you to set default attributes for all ELB resources. Setting the attributes pillar: my_elb_attributes: cross_zone_load_balancing: enabled: true connection_draining: enabled: true timeout: 20 access_log: enabled: true s3_bucket_name: 'mybucket' s3_bucket_prefix: 'my-logs' emit_interval: 5 Overriding the attribute values on the resource: Ensure myelb ELB exists: boto_elb.present: - name: myelb - region: us-east-1 - attributes_from_pillar: my_elb_attributes # override cross_zone_load_balancing:enabled - attributes: cross_zone_load_balancing: enabled: false - profile: myelbprofile It's possible to specify cloudwatch alarms that will be setup along with the ELB. Note the alarm name will be defined by the name attribute provided, plus the ELB resource name. Ensure myelb ELB exists: boto_elb.present: - name: myelb - region: us-east-1 - profile: myelbprofile - alarms: UnHealthyHostCount: name: 'ELB UnHealthyHostCount **MANAGED BY SALT**' attributes: metric: UnHealthyHostCount namespace: AWS/ELB statistic: Average comparison: '>=' threshold: 1.0 period: 600 evaluation_periods: 6 unit: null description: ELB UnHealthyHostCount alarm_actions: ['arn:aws:sns:us-east-1:12345:myalarm'] insufficient_data_actions: [] ok_actions: ['arn:aws:sns:us-east-1:12345:myalarm'] You can also use alarms from pillars, and override values from the pillar alarms by setting overrides on the resource. Note that 'boto_elb_alarms' will be used as a default value for all resources, if defined and can be used to ensure alarms are always set for a resource. Setting the alarms in a pillar: my_elb_alarm: UnHealthyHostCount: name: 'ELB UnHealthyHostCount **MANAGED BY SALT**' attributes: metric: UnHealthyHostCount namespace: AWS/ELB statistic: Average comparison: '>=' threshold: 1.0 period: 600 evaluation_periods: 6 unit: null description: ELB UnHealthyHostCount alarm_actions: ['arn:aws:sns:us-east-1:12345:myalarm'] insufficient_data_actions: [] ok_actions: ['arn:aws:sns:us-east-1:12345:myalarm'] Overriding the alarm values on the resource: Ensure myelb ELB exists: boto_elb.present: - name: myelb - region: us-east-1 - profile: myelbprofile - alarms_from_pillar: my_elb_alarm # override UnHealthyHostCount:attributes:threshold - alarms: UnHealthyHostCount: attributes: threshold: 2.0 salt.states.boto_elb.absent(name, region=None, key=None, keyid=None, profile=None) salt.states.boto_elb.present(name, listeners, availability_zones=None, subnets=None, security_groups=None, scheme='internet-facing', health_check=None, attributes=None, attributes_from_pillar='boto_elb_attributes', cnames=None, alarms=None, alarms_from_pillar='boto_elb_alarms', region=None, key=None, keyid=None, profile=None, wait_for_sync=True) Ensure the ELB exists. name Name of the ELB. availability_zones A list of availability zones for this ELB. listeners A list of listener lists; example: [ ['443', 'HTTPS', 'arn:aws:iam::1111111:server-certificate/mycert'], ['8443', '80', 'HTTPS', 'HTTP', 'arn:aws:iam::1111111:server-certificate/mycert'] ] subnets A list of subnet IDs in your VPC to attach to your LoadBalancer. security_groups The security groups assigned to your LoadBalancer within your VPC. scheme The type of a LoadBalancer. internet-facing or internal. Once set, can not be modified. health_check A dict defining the health check for this ELB. attributes A dict defining the attributes to set on this ELB. attributes_from_pillar name of pillar dict that contains attributes. Attributes defined for this specific state will override those from pillar. cnames A list of cname dicts with attributes: name, zone, ttl, and identifier. See the boto_route53 state for information about these attributes. alarms: a dictionary of name->boto_cloudwatch_alarm sections to be associated with this ELB. All attributes should be specified except for dimension which will be automatically set to this ELB. See the boto_cloudwatch_alarm state for information about these attributes. alarms_from_pillar: name of pillar dict that contains alarm settings. Alarms defined for this specific state will override those from pillar. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. wait_for_sync Wait for an INSYNC change status from Route53. salt.states.boto_elb.register_instances(name, instances, region=None, key=None, keyid=None, profile=None) Add instance/s to load balancer New in version 2015.8.0. add-instances: boto_elb.register_instances: - name: myloadbalancer - instances: - instance-id1 - instance-id2 salt.states.boto_iam Manage IAM objects New in version 2015.8.0. This module uses boto, which can be installed via package, or pip. This module accepts explicit IAM credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: delete-user: boto_iam.user_absent: - name: myuser - delete_keys: true delete-keys: boto_iam.keys_absent: - access_keys: - 'AKIAJHTMIQ2ASDFLASDF' - 'PQIAJHTMIQ2ASRTLASFR' - user_name: myuser create-user: boto_iam.user_present: - name: myuser - policies: mypolicy: | { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*"}] } - password: NewPassword$$1 - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'fdkjsafkljsASSADFalkfjasdf' create-group: boto_iam.group_present: - name: mygroup - users: - myuser - myuser1 - policies: mypolicy: | { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*"}] } - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'safsdfsal;fdkjsafkljsASSADFalkfj' change-policy: boto_iam.account_policy: - change_password: True - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'safsdfsal;fdkjsafkljsASSADFalkfj' create server certificate: boto_iam.server_cert_present: - name: mycert - public_key: salt://base/mycert.crt - private_key: salt://base/mycert.key - cert_chain: salt://base/mycert_chain.crt - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'fdkjsafkljsASSADFalkfjasdf' delete server certificate: boto_iam.server_cert_absent: - name: mycert create keys for user: boto_iam.keys_present: - name: myusername - number: 2 - save_dir: /root - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'fdkjsafkljsASSADFalkfjasdf' salt.states.boto_iam.account_policy(allow_users_to_change_password=None, hard_expiry=None, max_password_age=None, minimum_password_length=None, password_reuse_prevention=None, require_lowercase_characters=None, require_numbers=None, require_symbols=None, require_uppercase_characters=None, region=None, key=None, keyid=None, profile=None) Change account policy. allow_users_to_change_password (bool) Allows all IAM users in your account to use the AWS Management Console to change their own passwords. hard_expiry (bool) Prevents IAM users from setting a new password after their password has expired. max_password_age (int) The number of days that an IAM user password is valid. minimum_password_length (int) The minimum number of characters allowed in an IAM user password. password_reuse_prevention (int) Specifies the number of previous passwords that IAM users are prevented from reusing. require_lowercase_characters (bool) Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z). require_numbers (bool) Specifies whether IAM user passwords must contain at least one numeric character (0 to 9). require_symbols (bool) Specifies whether IAM user passwords must contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ' require_uppercase_characters (bool) Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) salt.states.boto_iam.group_present(name, policies=None, policies_from_pillars=None, users=None, region=None, key=None, keyid=None, profile=None, path='/') Ensure the IAM group is present name (string) The name of the new group. path (string) The path for the group, defaults to '/' policies (dict) A dict of IAM group policy documents. policies_from_pillars (list) A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars. users (list) A list of users to be added to the group. region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_iam.keys_absent(access_keys, user_name, region=None, key=None, keyid=None, profile=None) Ensure the IAM user access_key_id is absent. access_key_id (list) A list of access key ids user_name (string) The username of the user region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_iam.keys_present(name, number, save_dir, region=None, key=None, keyid=None, profile=None) Ensure the IAM access keys are present. name (string) The name of the new user. number (int) Number of keys that user should have. save_dir (string) The directory that the key/keys will be saved. Keys are saved to a file named according to the username privided. region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_iam.server_cert_absent(name, region=None, key=None, keyid=None, profile=None) Deletes a server certificate. name (string) The name for the server certificate. Do not include the path in this value. region (string) The name of the region to connect to. key (string) The key to be used in order to connect keyid (string) The keyid to be used in order to connect profile (string) The profile that contains a dict of region, key, keyid salt.states.boto_iam.server_cert_present(name, public_key, private_key, cert_chain=None, path=None, region=None, key=None, keyid=None, profile=None) Crete server certificate. name (string) The name for the server certificate. Do not include the path in this value. public_key (string) The contents of the public key certificate in PEM-encoded format. private_key (string) The contents of the private key in PEM-encoded format. cert_chain (string) The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain. path (string) The path for the server certificate. region (string) The name of the region to connect to. key (string) The key to be used in order to connect keyid (string) The keyid to be used in order to connect profile (string) The profile that contains a dict of region, key, keyid salt.states.boto_iam.user_absent(name, delete_keys=None, region=None, key=None, keyid=None, profile=None) Ensure the IAM user is absent. User cannot be deleted if it has keys. name (string) The name of the new user. delete_keys (bool) Delete all keys from user. region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_iam.user_present(name, policies=None, policies_from_pillars=None, password=None, path=None, region=None, key=None, keyid=None, profile=None) Ensure the IAM user is present name (string) The name of the new user. policies (dict) A dict of IAM group policy documents. policies_from_pillars (list) A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars. password (string) The password for the new user. Must comply with account policy. path (string) The path of the user. Default is '/'. New in version 2015.8.2. region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_iam_role Manage IAM roles New in version 2014.7.0. This module uses boto, which can be installed via package, or pip. This module accepts explicit IAM credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: iam.keyid: GKTADJGHEIQSXMKKRBJ08H iam.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Creating a role will automatically create an instance profile and associate it with the role. This is the default behavior of the AWS console. myrole: boto_iam_role.present: - region: us-east-1 - key: GKTADJGHEIQSXMKKRBJ08H - keyid: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs - policies_from_pillars: - shared_iam_bootstrap_policy - policies: MySQSPolicy: Statement: - Action: - sqs:* Effect: Allow Resource: - arn:aws:sqs:*:*:* Sid: MyPolicySQS1 MyS3Policy: Statement: - Action: - s3:GetObject Effect: Allow Resource: - arn:aws:s3:*:*:mybucket/* # Using a credentials profile from pillars myrole: boto_iam_role.present: - profile: myiamprofile # Passing in a credentials profile myrole: boto_iam_role.present: - profile: key: GKTADJGHEIQSXMKKRBJ08H keyid: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 If delete_policies: False is specified, existing policies that are not in the given list of policies will not be deleted. This allows manual modifications on the IAM role to be persistent. This functionality was added in 2015.8.0. NOTE: When using the profile parameter and region is set outside of the profile group, region is ignored and a default region will be used. If region is missing from the profile data set, us-east-1 will be used as the default region. salt.states.boto_iam_role.absent(name, region=None, key=None, keyid=None, profile=None) Ensure the IAM role is deleted. name Name of the IAM role. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_iam_role.present(name, policy_document=None, path=None, policies=None, policies_from_pillars=None, create_instance_profile=True, region=None, key=None, keyid=None, profile=None, delete_policies=True) Ensure the IAM role exists. name Name of the IAM role. policy_document The policy that grants an entity permission to assume the role. (See http://boto.readthedocs.org/en/latest/ref/iam.html#boto.iam.connection.IAMConnection.create_role) path The path to the role/instance profile. (See http://boto.readthedocs.org/en/latest/ref/iam.html#boto.iam.connection.IAMConnection.create_role) policies A dict of IAM role policies. policies_from_pillars A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars. create_instance_profile A boolean of whether or not to create an instance profile and associate it with this role. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. delete_policies Deletes existing policies that are not in the given list of policies. Default value is True. If False is specified, existing policies will not be deleted allowing manual modifications on the IAM role to be persistent. New in version 2015.8.0. salt.states.boto_kms Manage KMS keys, key policies and grants. New in version 2015.8.0. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit kms credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: elb.keyid: GKTADJGHEIQSXMKKRBJ08H elb.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Ensure mykey key exists: boto_kms.key_present: - name: mykey - region: us-east-1 # Using a profile from pillars Ensure mykey key exists: boto_kms.key_present: - name: mykey - region: us-east-1 - profile: myprofile # Passing in a profile Ensure mykey key exists: boto_key.key_present: - name: mykey - region: us-east-1 - profile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs salt.states.boto_kms.key_present(name, policy, description=None, key_usage=None, grants=None, manage_grants=False, key_rotation=False, enabled=True, region=None, key=None, keyid=None, profile=None) Ensure the KMS key exists. KMS keys can not be deleted, so this function must be used to ensure the key is enabled or disabled. name Name of the key. policy Key usage policy. description Description of the key. key_usage Specifies the intended use of the key. Can only be set on creation, defaults to ENCRYPT_DECRYPT, which is also the only supported option. grants A list of grants to apply to the key. Not currently implemented. manage_grants Whether or not to manage grants. False by default, which will not manage any grants. key_rotation Whether or not key rotation is enabled for the key. False by default. enabled Whether or not the key is enabled. True by default. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_lc Manage Launch Configurations New in version 2014.7.0. Create and destroy Launch Configurations. Be aware that this interacts with Amazon's services, and so may incur charges. A limitation of this module is that you can not modify launch configurations once they have been created. If a launch configuration with the specified name exists, this module will always report success, even if the specified configuration doesn't match. This is due to a limitation in Amazon's launch configuration API, as it only allows launch configurations to be created and deleted. Also note that a launch configuration that's in use by an autoscale group can not be deleted until the autoscale group is no longer using it. This may affect the way in which you want to order your states. This module uses boto, which can be installed via package, or pip. This module accepts explicit autoscale credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: asg.keyid: GKTADJGHEIQSXMKKRBJ08H asg.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Credential information is shared with autoscale groups as launch configurations and autoscale groups are completely dependent on each other. Ensure mylc exists: boto_lc.present: - name: mylc - image_id: ami-0b9c9f62 - key_name: mykey - security_groups: - mygroup - instance_type: m1.small - instance_monitoring: true - block_device_mappings: - '/dev/sda1': size: 20 - cloud_init: scripts: 'run_salt.sh': | #!/bin/bash add-apt-repository -y ppa:saltstack/salt apt-get update apt-get install -y salt-minion salt-call state.highstate - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs # Using a profile from pillars. Ensure mylc exists: boto_lc.present: - name: mylc - image_id: ami-0b9c9f62 - profile: myprofile # Passing in a profile. Ensure mylc exists: boto_lc.present: - name: mylc - image_id: ami-0b9c9f62 - profile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 salt.states.boto_lc.absent(name, region=None, key=None, keyid=None, profile=None) Ensure the named launch configuration is deleted. name Name of the launch configuration. region The region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_lc.present(name, image_id, key_name=None, security_groups=None, user_data=None, cloud_init=None, instance_type='m1.small', kernel_id=None, ramdisk_id=None, block_device_mappings=None, instance_monitoring=False, spot_price=None, instance_profile_name=None, ebs_optimized=False, associate_public_ip_address=None, volume_type=None, delete_on_termination=True, iops=None, use_block_device_types=False, region=None, key=None, keyid=None, profile=None) Ensure the launch configuration exists. name Name of the launch configuration. image_id AMI to use for instances. AMI must exist or creation of the launch configuration will fail. key_name Name of the EC2 key pair to use for instances. Key must exist or creation of the launch configuration will fail. security_groups List of Names or security group id’s of the security groups with which to associate the EC2 instances or VPC instances, respectively. Security groups must exist, or creation of the launch configuration will fail. user_data The user data available to launched EC2 instances. cloud_init A dict of cloud_init configuration. Currently supported values: scripts, cloud-config. Mutually exclusive with user_data. instance_type The instance type. ex: m1.small. kernel_id The kernel id for the instance. ramdisk_id The RAM disk ID for the instance. block_device_mappings A dict of block device mappings. instance_monitoring Whether instances in group are launched with detailed monitoring. spot_price The spot price you are bidding. Only applies if you are building an autoscaling group with spot instances. instance_profile_name The name or the Amazon Resource Name (ARN) of the instance profile associated with the IAM role for the instance. Instance profile must exist or the creation of the launch configuration will fail. ebs_optimized Specifies whether the instance is optimized for EBS I/O (true) or not (false). associate_public_ip_address Used for Auto Scaling groups that launch instances into an Amazon Virtual Private Cloud. Specifies whether to assign a public IP address to each instance launched in a Amazon VPC. volume_type Undocumented in boto. delete_on_termination Undocumented in boto. iops Undocumented in boto. use_block_device_types Undocumented in boto. region The region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_rds Manage RDSs New in version 2015.8.0. Create and destroy RDS instances. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit rds credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: rds.keyid: GKTADJGHEIQSXMKKRBJ08H rds.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Ensure myrds RDS exists: boto_rds.present: - name: myrds - allocated_storage: 5 - db_instance_class: db.t2.micro - engine: MySQL - master_username: myuser - master_user_password: mypass - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs - tags: - - key1 - value1 - - key2 - value2 NOTE: This state module uses boto.rds2, which requires a different tagging syntax than some of the other boto states. The tags key and value set noted in the example above is the required yaml notation that rds2 depends upon to function properly. For more information, please see Issue #28715. salt.states.boto_rds.absent(name, skip_final_snapshot=None, final_db_snapshot_identifier=None, tags=None, region=None, key=None, keyid=None, profile=None) salt.states.boto_rds.present(name, allocated_storage, db_instance_class, engine, master_username, master_user_password, db_name=None, db_security_groups=None, vpc_security_group_ids=None, availability_zone=None, db_subnet_group_name=None, preferred_maintenance_window=None, db_parameter_group_name=None, backup_retention_period=None, preferred_backup_window=None, port=None, multi_az=None, engine_version=None, auto_minor_version_upgrade=None, license_model=None, iops=None, option_group_name=None, character_set_name=None, publicly_accessible=None, wait_status=None, tags=None, region=None, key=None, keyid=None, profile=None) Ensure RDS instance exists. name Name of the RDS instance. allocated_storage The amount of storage (in gigabytes) to be initially allocated for the database instance. db_instance_class The compute and memory capacity of the Amazon RDS DB instance. engine The name of the database engine to be used for this instance. Supported engine types are: MySQL, oracle-se1, oracle-se, oracle-ee, sqlserver-ee, sqlserver-se, sqlserver-ex, sqlserver-web, and postgres. For more information, please see the engine argument in the boto_rds create_dbinstance documentation. master_username The name of master user for the client DB instance. master_user_password The password for the master database user. Can be any printable ASCII character except "/", '"', or "@". db_name The database name for the restored DB instance. db_security_groups A list of DB security groups to associate with this DB instance. vpc_security_group_ids A list of EC2 VPC security groups to associate with this DB instance. availability_zone The EC2 Availability Zone that the database instance will be created in. db_subnet_group_name A DB subnet group to associate with this DB instance. preferred_maintenance_window The weekly time range (in UTC) during which system maintenance can occur. backup_retention_period The number of days for which automated backups are retained. preferred_backup_window The daily time range during which automated backups are created if automated backups are enabled. port The port number on which the database accepts connections. multi_az Specifies if the DB instance is a Multi-AZ deployment. You cannot set the AvailabilityZone parameter if the MultiAZ parameter is set to true. engine_version The version number of the database engine to use. auto_minor_version_upgrade Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. license_model License model information for this DB instance. iops The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for the DB instance. option_group_name Indicates that the DB instance should be associated with the specified option group. character_set_name For supported engines, indicates that the DB instance should be associated with the specified CharacterSet. publicly_accessible Specifies the accessibility options for the DB instance. A value of true specifies an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. A value of false specifies an internal instance with a DNS name that resolves to a private IP address. wait_status Wait for the RDS instance to reach a disared status before finishing the state. Available states: available, modifying, backing-up tags A list of tags. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_rds.replica_present(name, source, db_instance_class=None, availability_zone=None, port=None, auto_minor_version_upgrade=None, iops=None, option_group_name=None, publicly_accessible=None, tags=None, region=None, key=None, keyid=None, profile=None) Ensure RDS replica exists. Ensure myrds replica RDS exists: boto_rds.create_replica: - name: myreplica - source: mydb salt.states.boto_rds.subnet_group_absent(name, tags=None, region=None, key=None, keyid=None, profile=None) salt.states.boto_rds.subnet_group_present(name, subnet_ids, description, tags=None, region=None, key=None, keyid=None, profile=None) Ensure DB subnet group exists. name The name for the DB subnet group. This value is stored as a lowercase string. subnet_ids The EC2 Subnet IDs for the DB subnet group. description Subnet group description. tags A list of tags. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_route53 Manage Route53 records New in version 2014.7.0. Create and delete Route53 records. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit route53 credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: route53.keyid: GKTADJGHEIQSXMKKRBJ08H route53.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 mycnamerecord: boto_route53.present: - name: test.example.com. - value: my-elb.us-east-1.elb.amazonaws.com. - zone: example.com. - ttl: 60 - record_type: CNAME - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs # Using a profile from pillars myarecord: boto_route53.present: - name: test.example.com. - value: 1.1.1.1 - zone: example.com. - ttl: 60 - record_type: A - region: us-east-1 - profile: myprofile # Passing in a profile myarecord: boto_route53.present: - name: test.example.com. - value: 1.1.1.1 - zone: example.com. - ttl: 60 - record_type: A - region: us-east-1 - profile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs salt.states.boto_route53.absent(name, zone, record_type, identifier=None, region=None, key=None, keyid=None, profile=None, wait_for_sync=True, split_dns=False, private_zone=False) Ensure the Route53 record is deleted. name Name of the record. zone The zone to delete the record from. record_type The record type (A, NS, MX, TXT, etc.) identifier An identifier to match for deletion. region The region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. wait_for_sync Wait for an INSYNC change status from Route53. split_dns Route53 supports a public and private DNS zone with the same names. private_zone If using split_dns, specify if this is the private zone. salt.states.boto_route53.present(name, value, zone, record_type, ttl=None, identifier=None, region=None, key=None, keyid=None, profile=None, wait_for_sync=True, split_dns=False, private_zone=False) Ensure the Route53 record is present. name Name of the record. value Value of the record. zone The zone to create the record in. record_type The record type (A, NS, MX, TXT, etc.) ttl The time to live for the record. identifier The unique identifier to use for this record. region The region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. wait_for_sync Wait for an INSYNC change status from Route53. split_dns Route53 supports a public and private DNS zone with the same names. private_zone If using split_dns, specify if this is the private zone. salt.states.boto_secgroup Manage Security Groups New in version 2014.7.0. Create and destroy Security Groups. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit EC2 credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: secgroup.keyid: GKTADJGHEIQSXMKKRBJ08H secgroup.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Ensure mysecgroup exists: boto_secgroup.present: - name: mysecgroup - description: My security group - rules: - ip_protocol: tcp from_port: 80 to_port: 80 cidr_ip: - 10.0.0.0/0 - 192.168.0.0/0 - ip_protocol: icmp from_port: -1 to_port: -1 source_group_name: mysecgroup - rules_egress: - ip_protocol: all from_port: -1 to_port: -1 cidr_ip: - 10.0.0.0/0 - 192.168.0.0/0 - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs # Using a profile from pillars Ensure mysecgroup exists: boto_secgroup.present: - name: mysecgroup - description: My security group - profile: myprofile # Passing in a profile Ensure mysecgroup exists: boto_secgroup.present: - name: mysecgroup - description: My security group - profile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 NOTE: When using the profile parameter and region is set outside of the profile group, region is ignored and a default region will be used. If region is missing from the profile data set, us-east-1 will be used as the default region. salt.states.boto_secgroup.absent(name, vpc_id=None, vpc_name=None, region=None, key=None, keyid=None, profile=None) Ensure a security group with the specified name does not exist. name Name of the security group. vpc_id The ID of the VPC to remove the security group from, if any. Exclusive with vpc_name. vpc_name The name of the VPC wherefrom to delete the security group, if any. Exclusive with vpc_id. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_secgroup.present(name, description, vpc_id=None, vpc_name=None, rules=None, rules_egress=None, region=None, key=None, keyid=None, profile=None) Ensure the security group exists with the specified rules. name Name of the security group. description A description of this security group. vpc_id The ID of the VPC to create the security group in, if any. Exclusive with vpc_name. vpc_name The name of the VPC wherein to create the security group, if any. Exclusive with vpc_id. New in version 2015.8.2. rules A list of ingress rule dicts. If not specified, rules=None, the ingress rules will be unmanaged. If set to an empty list, [], then all ingress rules will be removed. rules_egress A list of egress rule dicts. If not specified, rules_egress=None, the egress rules will be unmanaged. If set to an empty list, [], then all egress rules will be removed. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key, and keyid. salt.states.boto_sns Manage SNS Topics Create and destroy SNS topics. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit AWS credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: sns.keyid: GKTADJGHEIQSXMKKRBJ08H sns.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 mytopic: boto_sns.present: - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs # Using a profile from pillars mytopic: boto_sns.present: - region: us-east-1 - profile: mysnsprofile # Passing in a profile mytopic: boto_sns.present: - region: us-east-1 - profile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs salt.states.boto_sns.absent(name, region=None, key=None, keyid=None, profile=None) Ensure the named sns topic is deleted. name Name of the SNS topic. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_sns.present(name, subscriptions=None, region=None, key=None, keyid=None, profile=None) Ensure the SNS topic exists. name Name of the SNS topic. subscriptions List of SNS subscriptions. Each subscription is a dictionary with a protocol and endpoint key: [ {'protocol': 'https', 'endpoint': 'https://www.example.com/sns-endpoint'}, {'protocol': 'sqs', 'endpoint': 'arn:aws:sqs:us-west-2:123456789012:MyQueue'} ] region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_sqs Manage SQS Queues New in version 2014.7.0. Create and destroy SQS queues. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit SQS credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: sqs.keyid: GKTADJGHEIQSXMKKRBJ08H sqs.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 myqueue: boto_sqs.present: - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs - attributes: ReceiveMessageWaitTimeSeconds: 20 # Using a profile from pillars myqueue: boto_sqs.present: - region: us-east-1 - profile: mysqsprofile # Passing in a profile myqueue: boto_sqs.present: - region: us-east-1 - profile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs salt.states.boto_sqs.absent(name, region=None, key=None, keyid=None, profile=None) Ensure the named sqs queue is deleted. name Name of the SQS queue. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_sqs.present(name, attributes=None, region=None, key=None, keyid=None, profile=None) Ensure the SQS queue exists. name Name of the SQS queue. attributes A dict of key/value SQS attributes. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_vpc Manage VPCs New in version 2015.8.0. Create and destroy VPCs. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses boto, which can be installed via package, or pip. This module accepts explicit vpc credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: vpc.keyid: GKTADJGHEIQSXMKKRBJ08H vpc.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Ensure VPC exists: boto_vpc.present: - name: myvpc - cidr_block: 10.10.11.0/24 - dns_hostnames: True - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs Ensure subnet exists: boto_vpc.subnet_present: - name: mysubnet - vpc_id: vpc-123456 - cidr_block: 10.0.0.0/16 - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs Ensure internet gateway exists: boto_vpc.internet_gateway_present: - name: myigw - vpc_name: myvpc - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs Ensure route table exists: boto_vpc.route_table_present: - name: my_route_table - vpc_id: vpc-123456 - routes: - destination_cidr_block: 0.0.0.0/0 instance_id: i-123456 interface_id: eni-123456 - subnet_names: - subnet1 - subnet2 - region: us-east-1 - keyid: GKTADJGHEIQSXMKKRBJ08H - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs salt.states.boto_vpc.absent(name, tags=None, region=None, key=None, keyid=None, profile=None) Ensure VPC with passed properties is absent. name Name of the VPC. tags A list of tags. All tags must match. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_vpc.internet_gateway_absent(name, detach=False, region=None, key=None, keyid=None, profile=None) Ensure the named internet gateway is absent. name Name of the internet gateway. detach First detach the internet gateway from a VPC, if attached. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_vpc.internet_gateway_present(name, vpc_name=None, vpc_id=None, tags=None, region=None, key=None, keyid=None, profile=None) Ensure an internet gateway exists. name Name of the internet gateway. vpc_name Name of the VPC to which the internet gateway should be attached. vpc_id Id of the VPC to which the internet_gateway should be attached. Only one of vpc_name or vpc_id may be provided. tags A list of tags. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_vpc.present(name, cidr_block, instance_tenancy=None, dns_support=None, dns_hostnames=None, tags=None, region=None, key=None, keyid=None, profile=None) Ensure VPC exists. name Name of the VPC. cidr_block The range of IPs in CIDR format, for example: 10.0.0.0/24. Block size must be between /16 and /28 netmask. instance_tenancy Instances launched in this VPC will be ingle-tenant or dedicated hardware. dns_support Indicates whether the DNS resolution is supported for the VPC. dns_hostnames Indicates whether the instances launched in the VPC get DNS hostnames. tags A list of tags. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_vpc.route_table_absent(name, region=None, key=None, keyid=None, profile=None) Ensure the named route table is absent. name Name of the route table. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_vpc.route_table_present(name, vpc_name=None, vpc_id=None, routes=None, subnet_ids=None, subnet_names=None, tags=None, region=None, key=None, keyid=None, profile=None) Ensure route table with routes exists and is associated to a VPC. Example: .. code-block:: yaml boto_vpc.route_table_present: • name: my_route_table • vpc_id: vpc-123456 • routes: - destination_cidr_block: 0.0.0.0/0 instance_id: i-123456 interface_id: eni-123456 • subnet_names: - subnet1 - subnet2 name Name of the route table. vpc_name Name of the VPC with which the route table should be associated. vpc_id Id of the VPC with which the route table should be associated. Either vpc_name or vpc_id must be provided. routes A list of routes. subnet_ids A list of subnet ids to associate subnet_names A list of subnet names to associate tags A list of tags. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_vpc.subnet_absent(name=None, subnet_id=None, region=None, key=None, keyid=None, profile=None) Ensure subnet with passed properties is absent. name Name of the subnet. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.boto_vpc.subnet_present(name, cidr_block, vpc_name=None, vpc_id=None, availability_zone=None, tags=None, region=None, key=None, keyid=None, profile=None) Ensure a subnet exists. name Name of the subnet. cidr_block The range if IPs for the subnet, in CIDR format. For example: 10.0.0.0/24. Block size must be between /16 and /28 netmask. vpc_name Name of the VPC in which the subnet should be placed. Either vpc_name or vpc_id must be provided. vpc_id Id of the VPC in which the subnet should be placed. Either vpc_name or vpc_id must be provided. availability_zone AZ in which the subnet should be placed. tags A list of tags. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. salt.states.bower Installation of Bower Packages These states manage the installed packages using Bower. Note that npm, git and bower must be installed for these states to be available, so bower states should include requisites to pkg.installed states for the packages which provide npm and git (simply npm and git in most cases), and npm.installed state for the package which provides bower. Example: npm: pkg.installed git: pkg.installed bower: npm.installed require: - pkg: npm - pkg: git underscore: bower.installed: - dir: /path/to/project - require: - npm: bower salt.states.bower.bootstrap(name, user=None) Bootstraps a frontend distribution. Will execute 'bower install' on the specified directory. user The user to run Bower with salt.states.bower.installed(name, dir, pkgs=None, user=None, env=None) Verify that the given package is installed and is at the correct version (if specified). underscore: bower.installed: - dir: /path/to/project - user: someuser jquery#2.0: bower.installed: - dir: /path/to/project name The package to install dir The target directory in which to install the package pkgs A list of packages to install with a single Bower invocation; specifying this argument will ignore the name argument user The user to run Bower with env A list of environment variables to be set prior to execution. The format is the same as the cmd.run. state function. salt.states.bower.removed(name, dir, user=None) Verify that the given package is not installed. dir The target directory in which to install the package user The user to run Bower with salt.states.cabal Installation of Cabal Packages New in version 2015.8.0. These states manage the installed packages for Haskell using cabal. Note that cabal-install must be installed for these states to be available, so cabal states should include a requisite to a pkg.installed state for the package which provides cabal (cabal-install in case of Debian based distributions). Example: .. code-block:: yaml cabal-install: pkg.installed ShellCheck: cabal.installed: • require: - pkg: cabal-install salt.states.cabal.installed(name, pkgs=None, user=None, install_global=False, env=None) Verify that the given package is installed and is at the correct version (if specified). ShellCheck-0.3.5: cabal: - installed: name The package to install user The user to run cabal install with install_global Install package globally instead of locally env A list of environment variables to be set prior to execution. The format is the same as the cmd.run. state function. salt.states.cabal.removed(name, user=None, env=None) Verify that given package is not installed. salt.states.chef Execute Chef client runs Run chef-client or chef-solo my-chef-run: chef.client: - override-runlist: 'demo1,demo2' - server: 'https://chef.domain.com' default-chef-run: chef.client: [] my-solo-run: chef.solo: - environment: dev salt.states.chef.client(name, **kwargs) name Unique identifier for the state. Does not affect the Chef run. server The chef server URL client_key Set the client key file location config The configuration file to use config-file-jail Directory under which config files are allowed to be loaded (no client.rb or knife.rb outside this path will be loaded). environment Set the Chef Environment on the node group Group to set privilege to json-attributes Load attributes from a JSON file or URL localmode Point chef-client at local repository if True log_level Set the log level (debug, info, warn, error, fatal) logfile Set the log file location node-name The node name for this client override-runlist Replace current run list with specified items for a single run pid Set the PID file location, defaults to /tmp/chef-client.pid run-lock-timeout Set maximum duration to wait for another client run to finish, default is indefinitely. runlist Permanently replace current run list with specified items user User to set privilege to validation_key Set the validation key file location, used for registering new clients salt.states.chef.solo(name, **kwargs) name Unique identifier for the state. Does not affect the Chef run. config The configuration file to use environment Set the Chef Environment on the node group Group to set privilege to json-attributes Load attributes from a JSON file or URL log_level Set the log level (debug, info, warn, error, fatal) logfile Set the log file location node-name The node name for this client override-runlist Replace current run list with specified items for a single run recipe-url Pull down a remote gzipped tarball of recipes and untar it to the cookbook cache run-lock-timeout Set maximum duration to wait for another client run to finish, default is indefinitely. user User to set privilege to salt.states.cloud Using states instead of maps to deploy clouds New in version 2014.1.0. Use this minion to spin up a cloud instance: my-ec2-instance: cloud.profile: my-ec2-config salt.states.cloud.absent(name, onlyif=None, unless=None) Ensure that no instances with the specified names exist. CAUTION: This is a destructive state, which will search all configured cloud providers for the named instance, and destroy it. name The name of the instance to destroy onlyif Do run the state only if is unless succeed unless Do not run the state at least unless succeed salt.states.cloud.present(name, cloud_provider, onlyif=None, unless=None, **kwargs) Spin up a single instance on a cloud provider, using salt-cloud. This state does not take a profile argument; rather, it takes the arguments that would normally be configured as part of the state. Note that while this function does take any configuration argument that would normally be used to create an instance, it will not verify the state of any of those arguments on an existing instance. Stateful properties of an instance should be configured using their own individual state (i.e., cloud.tagged, cloud.untagged, etc). name The name of the instance to create cloud_provider The name of the cloud provider to use onlyif Do run the state only if is unless succeed unless Do not run the state at least unless succeed salt.states.cloud.profile(name, profile, onlyif=None, unless=None, **kwargs) Create a single instance on a cloud provider, using a salt-cloud profile. Note that while profiles used this function do take any configuration argument that would normally be used to create an instance using a profile, this state will not verify the state of any of those arguments on an existing instance. Stateful properties of an instance should be configured using their own individual state (i.e., cloud.tagged, cloud.untagged, etc). name The name of the instance to create profile The name of the cloud profile to use onlyif Do run the state only if is unless succeed unless Do not run the state at least unless succeed kwargs Any profile override or addition salt.states.cloud.volume_absent(name, provider=None, **kwargs) Check that a block volume exists. salt.states.cloud.volume_attached(name, server_name, provider=None, **kwargs) Check if a block volume is attached. salt.states.cloud.volume_detached(name, server_name=None, provider=None, **kwargs) Check if a block volume is attached. Returns True if server or Volume do not exist. salt.states.cloud.volume_present(name, provider=None, **kwargs) Check that a block volume exists. salt.states.cmd Execution of arbitrary commands The cmd state module manages the enforcement of executed commands, this state can tell a command to run under certain circumstances. A simple example to execute a command: date > /tmp/salt-run: cmd.run Only run if another execution failed, in this case truncate syslog if there is no disk space: > /var/log/messages: cmd.run: - unless: echo 'foo' > /tmp/.test && rm -f /tmp/.test Only run if the file specified by creates does not exist, in this case touch /tmp/foo if it does not exist. touch /tmp/foo: cmd.run: - creates: /tmp/foo NOTE: The creates option was added to version 2014.7.0 Salt determines whether the cmd state is successfully enforced based on the exit code returned by the command. If the command returns a zero exit code, then salt determines that the state was successfully enforced. If the script returns a non-zero exit code, then salt determines that it failed to successfully enforce the state. If a command returns a non-zero exit code but you wish to treat this as a success, then you must place the command in a script and explicitly set the exit code of the script to zero. Please note that the success or failure of the state is not affected by whether a state change occurred nor the stateful argument. When executing a command or script, the state (i.e., changed or not) of the command is unknown to Salt's state system. Therefore, by default, the cmd state assumes that any command execution results in a changed state. This means that if a cmd state is watched by another state then the state that's watching will always be executed due to the changed state in the cmd state. Using the Stateful Argument Many state functions in this module now also accept a stateful argument. If stateful is specified to be true then it is assumed that the command or script will determine its own state and communicate it back by following a simple protocol described below: 1. If there's nothing in the stdout of the command, then assume no changes. Otherwise, the stdout must be either in JSON or its last non-empty line must be a string of key=value pairs delimited by spaces (no spaces on either side of =). 2. If it's JSON then it must be a JSON object (e.g., {}). If it's key=value pairs then quoting may be used to include spaces. (Python's shlex module is used to parse the key=value string) Two special keys or attributes are recognized in the output: changed: bool (i.e., 'yes', 'no', 'true', 'false', case-insensitive) comment: str (i.e., any string) So, only if changed is True then assume the command execution has changed the state, and any other key values or attributes in the output will be set as part of the changes. 3. If there's a comment then it will be used as the comment of the state. Here's an example of how one might write a shell script for use with a stateful command: #!/bin/bash # echo "Working hard..." # writing the state line echo # an empty line here so the next line will be the last. echo "changed=yes comment='something has changed' whatever=123" And an example SLS file using this module: Run myscript: cmd.run: - name: /path/to/myscript - cwd: / - stateful: True Run only if myscript changed something: cmd.wait: - name: echo hello - cwd: / - watch: - cmd: Run myscript Note that if the cmd.wait state also specifies stateful: True it can then be watched by some other states as well. 4. The stateful argument can optionally include a test_name parameter. This is used to specify a command to run in test mode. This command should return stateful data for changes that would be made by the command in the name parameter. New in version 2015.2.0. Run myscript: cmd.run: - name: /path/to/myscript - cwd: / - stateful: - test_name: /path/to/myscript test Run masterscript: cmd.script: - name: masterscript - source: salt://path/to/masterscript - cwd: / - stateful: - test_name: masterscript test cmd.wait is not restricted to watching only cmd states. For example it can also watch a git state for changes # Watch for changes to a git repo and rebuild the project on updates my-project: git.latest: - name: git@github.com/repo/foo - target: /opt/foo - rev: master cmd.wait: - name: make install - cwd: /opt/foo - watch: - git: my-project Should I use cmd.run or cmd.wait? These two states are often confused. The important thing to remember about them is that cmd.run states are run each time the SLS file that contains them is applied. If it is more desirable to have a command that only runs after some other state changes, then cmd.wait does just that. cmd.wait is designed to watch other states, and is executed when the state it is watching changes. Example: /usr/local/bin/postinstall.sh: cmd.wait: - watch: - pkg: mycustompkg file.managed: - source: salt://utils/scripts/postinstall.sh mycustompkg: pkg.installed: - require: - file: /usr/local/bin/postinstall.sh How do I create an environment from a pillar map? The map that comes from a pillar cannot be directly consumed by the env option. To use it one must convert it to a list. Example: printenv: cmd.run: - env: {% for key, value in pillar['keys'].iteritems() %} - '{{ key }}': '{{ value }}' {% endfor %} salt.states.cmd.call(name, func, args=(), kws=None, onlyif=None, unless=None, creates=None, output_loglevel='debug', use_vt=False, **kwargs) Invoke a pre-defined Python function with arguments specified in the state declaration. This function is mainly used by the salt.renderers.pydsl renderer. The interpretation of onlyif and unless arguments are identical to those of cmd.run, and all other arguments(cwd, runas, ...) allowed by cmd.run are allowed here, except that their effects apply only to the commands specified in onlyif and unless rather than to the function to be invoked. In addition, the stateful argument has no effects here. The return value of the invoked function will be interpreted as follows. If it's a dictionary then it will be passed through to the state system, which expects it to have the usual structure returned by any salt state function. Otherwise, the return value (denoted as result in the code below) is expected to be a JSON serializable object, and this dictionary is returned: { 'name': name 'changes': {'retval': result}, 'result': True if result is None else bool(result), 'comment': result if isinstance(result, string_types) else '' } salt.states.cmd.mod_run_check(cmd_kwargs, onlyif, unless, group, creates) Execute the onlyif and unless logic. Return a result dict if: * group is not available * onlyif failed (onlyif != 0) * unless succeeded (unless == 0) else return True salt.states.cmd.mod_watch(name, **kwargs) Execute a cmd function based on a watch call salt.states.cmd.run(name, onlyif=None, unless=None, creates=None, cwd=None, user=None, group=None, shell=None, env=None, stateful=False, umask=None, output_loglevel='debug', quiet=False, timeout=None, ignore_timeout=False, use_vt=False, **kwargs) Run a command if certain circumstances are met. Use cmd.wait if you want to use the watch requisite. name The command to execute, remember that the command will execute with the path and permissions of the salt-minion. onlyif A command to run as a check, run the named command only if the command passed to the onlyif option returns true unless A command to run as a check, only run the named command if the command passed to the unless option returns false cwd The current working directory to execute the command in, defaults to /root user The user name to run the command as group The group context to run the command as shell The shell to use for execution, defaults to the shell grain env A list of environment variables to be set prior to execution. Example: script-foo: cmd.run: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': script-bar: cmd.run: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} stateful The command being executed is expected to return data about executing a state. For more information, see the Using the "Stateful" Argument section. umask The umask (in octal) to use when running the command. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. quiet The command will be executed quietly, meaning no log entries of the actual command or its return data. This is deprecated as of the 2014.1.0 release, and is being replaced with output_loglevel: quiet. timeout If the command has not terminated after timeout seconds, send the subprocess sigterm, and if sigterm is ignored, follow up with sigkill ignore_timeout Ignore the timeout of commands, which is useful for running nohup processes. New in version 2015.8.0. creates Only run if the file specified by creates does not exist. New in version 2014.7.0. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. NOTE: cmd.run supports the usage of reload_modules. This functionality allows you to force Salt to reload all modules. You should only use reload_modules if your cmd.run does some sort of installation (such as pip), if you do not reload the modules future items in your state which rely on the software being installed will fail. getpip: cmd.run: - name: /usr/bin/python /usr/local/sbin/get-pip.py - unless: which pip - require: - pkg: python - file: /usr/local/sbin/get-pip.py - reload_modules: True salt.states.cmd.script(name, source=None, template=None, onlyif=None, unless=None, creates=None, cwd=None, user=None, group=None, shell=None, env=None, stateful=False, umask=None, timeout=None, use_vt=False, output_loglevel='debug', **kwargs) Download a script and execute it with specified arguments. source The location of the script to download. If the file is located on the master in the directory named spam, and is called eggs, the source string is salt://spam/eggs template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently jinja, mako, and wempy are supported name Either "cmd arg1 arg2 arg3..." (cmd is not used) or a source "salt://...". onlyif Run the named command only if the command passed to the onlyif option returns true unless Run the named command only if the command passed to the unless option returns false cwd The current working directory to execute the command in, defaults to /root user The name of the user to run the command as group The group context to run the command as shell The shell to use for execution. The default is set in grains['shell'] env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} umask The umask (in octal) to use when running the command. stateful The command being executed is expected to return data about executing a state. For more information, see the Using the "Stateful" Argument section. timeout If the command has not terminated after timeout seconds, send the subprocess sigterm, and if sigterm is ignored, follow up with sigkill args String of command line args to pass to the script. Only used if no args are specified as part of the name argument. To pass a string containing spaces in YAML, you will need to doubly-quote it: "arg1 'arg two' arg3" creates Only run if the file specified by creates does not exist. New in version 2014.7.0. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. salt.states.cmd.wait(name, onlyif=None, unless=None, creates=None, cwd=None, user=None, group=None, shell=None, env=(), stateful=False, umask=None, output_loglevel='debug', use_vt=False, **kwargs) Run the given command only if the watch statement calls it name The command to execute, remember that the command will execute with the path and permissions of the salt-minion. onlyif A command to run as a check, run the named command only if the command passed to the onlyif option returns true unless A command to run as a check, only run the named command if the command passed to the unless option returns false cwd The current working directory to execute the command in, defaults to /root user The user name to run the command as group The group context to run the command as shell The shell to use for execution, defaults to /bin/sh env A list of environment variables to be set prior to execution. Example: script-foo: cmd.wait: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': script-bar: cmd.wait: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} umask The umask (in octal) to use when running the command. stateful The command being executed is expected to return data about executing a state. For more information, see the Using the "Stateful" Argument section. creates Only run if the file specified by creates does not exist. New in version 2014.7.0. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. salt.states.cmd.wait_call(name, func, args=(), kws=None, onlyif=None, unless=None, creates=None, stateful=False, use_vt=False, output_loglevel='debug', **kwargs) salt.states.cmd.wait_script(name, source=None, template=None, onlyif=None, unless=None, cwd=None, user=None, group=None, shell=None, env=None, stateful=False, umask=None, use_vt=False, output_loglevel='debug', **kwargs) Download a script from a remote source and execute it only if a watch statement calls it. source The source script being downloaded to the minion, this source script is hosted on the salt master server. If the file is located on the master in the directory named spam, and is called eggs, the source string is salt://spam/eggs template If this setting is applied then the named templating engine will be used to render the downloaded file, currently jinja, mako, and wempy are supported name The command to execute, remember that the command will execute with the path and permissions of the salt-minion. onlyif A command to run as a check, run the named command only if the command passed to the onlyif option returns true unless A command to run as a check, only run the named command if the command passed to the unless option returns false cwd The current working directory to execute the command in, defaults to /root user The user name to run the command as group The group context to run the command as shell The shell to use for execution, defaults to the shell grain env A list of environment variables to be set prior to execution. Example: salt://scripts/foo.sh: cmd.wait_script: - env: - BATCH: 'yes' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Variables as values are not evaluated. So $PATH in the following example is a literal '$PATH': salt://scripts/bar.sh: cmd.wait_script: - env: "PATH=/some/path:$PATH" One can still use the existing $PATH by using a bit of Jinja: {% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %} mycommand: cmd.run: - name: ls -l / - env: - PATH: {{ [current_path, '/my/special/bin']|join(':') }} umask The umask (in octal) to use when running the command. stateful The command being executed is expected to return data about executing a state. For more information, see the Using the "Stateful" Argument section. use_vt Use VT utils (saltstack) to stream the command output more interactively to the console and the logs. This is experimental. output_loglevel Control the loglevel at which the output from the command is logged. Note that the command being run will still be logged (loglevel: DEBUG) regardless, unless quiet is used for this value. salt.states.composer Installation of Composer Packages These states manage the installed packages for composer for PHP. Note that either composer is installed and accessible via a bin directory or you can pass the location of composer in the state. get-composer: cmd.run: - name: 'CURL=`which curl`; $CURL -sS https://getcomposer.org/installer | php' - unless: test -f /usr/local/bin/composer - cwd: /root/ install-composer: cmd.wait: - name: mv /root/composer.phar /usr/local/bin/composer - cwd: /root/ - watch: - cmd: get-composer /path/to/project: composer.installed: - no_dev: true - require: - cmd: install-composer # Without composer installed in your PATH # Note: composer.phar must be executable for state to work properly /path/to/project: composer.installed: - composer: /path/to/composer.phar - php: /usr/local/bin/php - no_dev: true salt.states.composer.installed(name, composer=None, php=None, user=None, prefer_source=None, prefer_dist=None, no_scripts=None, no_plugins=None, optimize=None, no_dev=None, quiet=False, composer_home='/root', always_check=True) Verify that the correct versions of composer dependencies are present. dir Directory location of the composer.json file. composer Location of the composer.phar file. If not set composer will just execute "composer" as if it is installed globally. (i.e. /path/to/composer.phar) php Location of the php executable to use with composer. (i.e. /usr/bin/php) user Which system user to run composer as. New in version 2014.1.4. prefer_source --prefer-source option of composer. prefer_dist --prefer-dist option of composer. no_scripts --no-scripts option of composer. no_plugins --no-plugins option of composer. optimize --optimize-autoloader option of composer. Recommended for production. no_dev --no-dev option for composer. Recommended for production. quiet --quiet option for composer. Whether or not to return output from composer. composer_home $COMPOSER_HOME environment variable always_check If True, _always_ run composer install in the directory. This is the default behavior. If False, only run composer install if there is no vendor directory present. salt.states.composer.update(name, composer=None, php=None, user=None, prefer_source=None, prefer_dist=None, no_scripts=None, no_plugins=None, optimize=None, no_dev=None, quiet=False, composer_home='/root') Composer update the directory to ensure we have the latest versions of all project dependencies. dir Directory location of the composer.json file. composer Location of the composer.phar file. If not set composer will just execute "composer" as if it is installed globally. (i.e. /path/to/composer.phar) php Location of the php executable to use with composer. (i.e. /usr/bin/php) user Which system user to run composer as. New in version 2014.1.4. prefer_source --prefer-source option of composer. prefer_dist --prefer-dist option of composer. no_scripts --no-scripts option of composer. no_plugins --no-plugins option of composer. optimize --optimize-autoloader option of composer. Recommended for production. no_dev --no-dev option for composer. Recommended for production. quiet --quiet option for composer. Whether or not to return output from composer. composer_home $COMPOSER_HOME environment variable salt.states.cron Management of cron, the Unix command scheduler Cron declarations require a number of parameters. The following are the parameters used by Salt to define the various timing values for a cron job: • minute • hour • daymonth • month • dayweek (0 to 6 are Sunday through Saturday, 7 can also be used for Sunday) WARNING: Any timing arguments not specified take a value of *. This means that setting hour to 5, while not defining the minute param, will result in Salt adding a job that will execute every minute between 5 and 6 A.M.! Additionally, the default user for these states is root. Therefore, if the cron job is for another user, it is necessary to specify that user with the user parameter. A long time ago (before 2014.2), when making changes to an existing cron job, the name declaration is the parameter used to uniquely identify the job, so if an existing cron that looks like this: date > /tmp/crontest: cron.present: - user: root - minute: 5 Is changed to this: date > /tmp/crontest: cron.present: - user: root - minute: 7 - hour: 2 Then the existing cron will be updated, but if the cron command is changed, then a new cron job will be added to the user's crontab. The current behavior is still relying on that mechanism, but you can also specify an identifier to identify your crontabs: date > /tmp/crontest: cron.present: - identifier: SUPERCRON - user: root - minute: 7 - hour: 2 New in version 2014.1.2. And, some months later, you modify it: superscript > /tmp/crontest: cron.present: - identifier: SUPERCRON - user: root - minute: 3 - hour: 4 New in version 2014.1.2. The old date > /tmp/crontest will be replaced by superscript > /tmp/crontest. Additionally, Salt also supports running a cron every x minutes very similarly to the Unix convention of using */5 to have a job run every five minutes. In Salt, this looks like: date > /tmp/crontest: cron.present: - user: root - minute: '*/5' The job will now run every 5 minutes. Additionally, the temporal parameters (minute, hour, etc.) can be randomized by using random instead of using a specific value. For example, by using the random keyword in the minute parameter of a cron state, the same cron job can be pushed to hundreds or thousands of hosts, and they would each use a randomly-generated minute. This can be helpful when the cron job accesses a network resource, and it is not desirable for all hosts to run the job concurrently. /path/to/cron/script: cron.present: - user: root - minute: random - hour: 2 New in version 0.16.0. Since Salt assumes a value of * for unspecified temporal parameters, adding a parameter to the state and setting it to random will change that value from * to a randomized numeric value. However, if that field in the cron entry on the minion already contains a numeric value, then using the random keyword will not modify it. salt.states.cron.absent(name, user='root', identifier=False, **kwargs) Verifies that the specified cron job is absent for the specified user; only the name is matched when removing a cron job. name The command that should be absent in the user crontab. user The name of the user whose crontab needs to be modified, defaults to the root user identifier Custom-defined identifier for tracking the cron line for future crontab edits. This defaults to the state id salt.states.cron.env_absent(name, user='root') Verifies that the specified environment variable is absent from the crontab for the specified user name The name of the environment variable to remove from the user crontab user The name of the user whose crontab needs to be modified, defaults to the root user salt.states.cron.env_present(name, value=None, user='root') Verifies that the specified environment variable is present in the crontab for the specified user. name The name of the environment variable to set in the user crontab user The name of the user whose crontab needs to be modified, defaults to the root user value The value to set for the given environment variable salt.states.cron.file(name, source_hash='', user='root', template=None, context=None, replace=True, defaults=None, env=None, backup='', **kwargs) Provides file.managed-like functionality (templating, etc.) for a pre-made crontab file, to be assigned to a given user. name The source file to be used as the crontab. This source file can be hosted on either the salt master server, or on an HTTP or FTP server. For files hosted on the salt file server, if the file is located on the master in the directory named spam, and is called eggs, the source string is salt://spam/eggs If the file is hosted on a HTTP or FTP server then the source_hash argument is also required source_hash This can be either a file which contains a source hash string for the source, or a source hash string. The source hash string is the hash algorithm followed by the hash of the file: md5=e138491e9d5b97023cea823fe17bac22 user The user to whom the crontab should be assigned. This defaults to root. template If this setting is applied then the named templating engine will be used to render the downloaded file. Currently, jinja and mako are supported. context Overrides default context variables passed to the template. replace If the crontab should be replaced, if False then this command will be ignored if a crontab exists for the specified user. Default is True. defaults Default context passed to the template. backup Overrides the default backup mode for the user's crontab. salt.states.cron.present(name, user='root', minute='*', hour='*', daymonth='*', month='*', dayweek='*', comment=None, identifier=False) Verifies that the specified cron job is present for the specified user. For more advanced information about what exactly can be set in the cron timing parameters, check your cron system's documentation. Most Unix-like systems' cron documentation can be found via the crontab man page: man 5 crontab. name The command that should be executed by the cron job. user The name of the user whose crontab needs to be modified, defaults to the root user minute The information to be set into the minute section, this can be any string supported by your cron system's the minute field. Default is * hour The information to be set in the hour section. Default is * daymonth The information to be set in the day of month section. Default is * month The information to be set in the month section. Default is * dayweek The information to be set in the day of week section. Default is * comment User comment to be added on line previous the cron job identifier Custom-defined identifier for tracking the cron line for future crontab edits. This defaults to the state id salt.states.cyg Installation of Cygwin packages. A state module to manage cygwin packages. Packages can be installed or removed. dos2unix: cyg.installed class salt.states.cyg.DictDiffer(current_dict, past_dict) Calculate the difference between two dictionaries. 1. items added 2. items removed 3. keys same in both but changed values 4. keys same in both and unchanged values added() Return a set of additions to past_dict. changed() Return a set of the keys with changed values. removed() Return a set of things removed from past_dict. same() True if the two dicts are the same. unchanged() Return a set of the keys with unchanged values. salt.states.cyg.installed(name, cyg_arch='x86_64', mirrors=None) Make sure that a package is installed. name The name of the package to install cyg_arch x86_64 The cygwin architecture to install the package into. Current options are x86 and x86_64 mirrors None List of mirrors to check. None will use a default mirror (kernel.org) CLI Example: rsync: cyg.installed: - mirrors: - http://mirror/without/public/key: "" - http://mirror/with/public/key: http://url/of/public/key salt.states.cyg.removed(name, cyg_arch='x86_64', mirrors=None) Make sure that a package is not installed. name The name of the package to uninstall cyg_arch x86_64 The cygwin architecture to remove the package from. Current options are x86 and x86_64 mirrors None List of mirrors to check. None will use a default mirror (kernel.org) CLI Example: rsync: cyg.removed: - mirrors: - http://mirror/without/public/key: "" - http://mirror/with/public/key: http://url/of/public/key salt.states.cyg.updated(name=None, cyg_arch='x86_64', mirrors=None) Make sure all packages are up to date. name None No affect, salt fails poorly without the arg available cyg_arch x86_64 The cygwin architecture to update. Current options are x86 and x86_64 mirrors None List of mirrors to check. None will use a default mirror (kernel.org) CLI Example: rsync: cyg.updated: - mirrors: - http://mirror/without/public/key: "" - http://mirror/with/public/key: http://url/of/public/key salt.states.ddns Dynamic DNS updates Ensure a DNS record is present or absent utilizing RFC 2136 type dynamic updates. depends • dnspython NOTE: The dnspython module is required when managing DDNS using a TSIG key. If you are not using a TSIG key, DDNS is allowed by ACLs based on IP address and the dnspython module is not required. Example: webserver: ddns.present: - zone: example.com - ttl: 60 - data: 111.222.333.444 - nameserver: 123.234.345.456 - keyfile: /srv/salt/dnspy_tsig_key.txt salt.states.ddns.absent(name, zone, data=None, rdtype=None, **kwargs) Ensures that the named DNS record is absent. name The host portion of the DNS record, e.g., 'webserver'. Name and zone are concatenated when the entry is created, so make sure that information is not duplicated in these two arguments. zone The zone to check data Data for the DNS record. E.g., the IP address for an A record. If omitted, all records matching name (and rdtype, if provided) will be purged. rdtype DNS resource type. If omitted, all types will be purged. **kwargs Additional arguments the ddns.update function may need (e.g. nameserver, keyfile, keyname). Note that the nsupdate key file can’t be reused by this function, the keyfile and other arguments must follow the dnspython spec. salt.states.ddns.present(name, zone, ttl, data, rdtype='A', **kwargs) Ensures that the named DNS record is present with the given ttl. name The host portion of the DNS record, e.g., 'webserver'. Name and zone are concatenated when the entry is created, so make sure that information is not duplicated in these two arguments. zone The zone to check/update ttl TTL for the record data Data for the DNS record. E.g., the IP address for an A record. rdtype DNS resource type. Default 'A'. **kwargs Additional arguments the ddns.update function may need (e.g. nameserver, keyfile, keyname). Note that the nsupdate key file can’t be reused by this function, the keyfile and other arguments must follow the dnspython spec. salt.states.debconfmod Management of debconf selections depends • debconf-utils package The debconfmod state module manages the enforcement of debconf selections, this state can set those selections prior to package installation. Available Functions The debconfmod state has two functions, the set and set_file functions set Set debconf selections from the state itself set_file Set debconf selections from a file nullmailer-debconf: debconf.set: - name: nullmailer - data: 'shared/mailname': {'type': 'string', 'value': 'server.domain.tld'} 'nullmailer/relayhost': {'type': 'string', 'value': 'mail.domain.tld'} ferm-debconf: debconf.set: - name: ferm - data: 'ferm/enable': {'type': 'boolean', 'value': True} NOTE: Due to how PyYAML imports nested dicts (see here), the values in the data dict must be indented four spaces instead of two. salt.states.debconfmod.set(name, data, **kwargs) Set debconf selections <state_id>: debconf.set: - name: <name> - data: <question>: {'type': <type>, 'value': <value>} <question>: {'type': <type>, 'value': <value>} <state_id>: debconf.set: - name: <name> - data: <question>: {'type': <type>, 'value': <value>} <question>: {'type': <type>, 'value': <value>} name: The package name to set answers for. data: A set of questions/answers for debconf. Note that everything under this must be indented twice. question: The question the is being pre-answered type: The type of question that is being asked (string, boolean, select, etc.) value: The answer to the question salt.states.debconfmod.set_file(name, source, template=None, context=None, defaults=None, **kwargs) Set debconf selections from a file or a template <state_id>: debconf.set_file: - source: salt://pathto/pkg.selections <state_id>: debconf.set_file: - source: salt://pathto/pkg.selections?saltenv=myenvironment <state_id>: debconf.set_file: - source: salt://pathto/pkg.selections.jinja2 - template: jinja - context: some_value: "false" source: The location of the file containing the package selections template If this setting is applied then the named templating engine will be used to render the package selections file, currently jinja, mako, and wempy are supported context Overrides default context variables passed to the template. defaults Default context passed to the template. salt.states.dellchassis Manage chassis via Salt Proxies. New in version 2015.8.2. Below is an example state that sets basic parameters: my-dell-chassis: dellchassis.chassis: - chassis_name: my-dell-chassis - datacenter: dc-1-us - location: my-location - mode: 2 - idrac_launch: 1 - slot_names: - server-1: my-slot-name - server-2: my-other-slot-name - blade_power_states: - server-1: on - server-2: off - server-3: powercycle However, it is possible to place the entire set of chassis configuration data in pillar. Here's an example pillar structure: proxy: host: 10.27.20.18 admin_username: root fallback_admin_username: root passwords: - super-secret - old-secret proxytype: fx2 chassis: name: fx2-1 username: root password: saltstack1 datacenter: london location: rack-1-shelf-3 management_mode: 2 idrac_launch: 0 slot_names: - 'server-1': blade1 - 'server-2': blade2 servers: server-1: idrac_password: saltstack1 ipmi_over_lan: True ip: 172.17.17.132 netmask: 255.255.0.0 gateway: 172.17.17.1 server-2: idrac_password: saltstack1 ipmi_over_lan: True ip: 172.17.17.2 netmask: 255.255.0.0 gateway: 172.17.17.1 server-3: idrac_password: saltstack1 ipmi_over_lan: True ip: 172.17.17.20 netmask: 255.255.0.0 gateway: 172.17.17.1 server-4: idrac_password: saltstack1 ipmi_over_lan: True ip: 172.17.17.2 netmask: 255.255.0.0 gateway: 172.17.17.1 switches: switch-1: ip: 192.168.1.2 netmask: 255.255.255.0 gateway: 192.168.1.1 snmp: nonpublic password: saltstack1 switch-2: ip: 192.168.1.3 netmask: 255.255.255.0 gateway: 192.168.1.1 snmp: nonpublic password: saltstack1 And to go with it, here's an example state that pulls the data from the pillar stated above: {% set details = pillar.get('proxy:chassis', {}) %} standup-step1: dellchassis.chassis: - name: {{ details['name'] }} - location: {{ details['location'] }} - mode: {{ details['management_mode'] }} - idrac_launch: {{ details['idrac_launch'] }} - slot_names: {% for entry details['slot_names'] %} - {{ entry.keys()[0] }}: {{ entry[entry.keys()[0]] }} {% endfor %} blade_powercycle: dellchassis.chassis: - blade_power_states: - server-1: powercycle - server-2: powercycle - server-3: powercycle - server-4: powercycle # Set idrac_passwords for blades. racadm needs them to be called 'server-x' {% for k, v in details['servers'].iteritems() %} {{ k }}: dellchassis.blade_idrac: - idrac_password: {{ v['idrac_password'] }} {% endfor %} # Set management ip addresses, passwords, and snmp strings for switches {% for k, v in details['switches'].iteritems() %} {{ k }}-switch-setup: dellchassis.switch: - name: {{ k }} - ip: {{ v['ip'] }} - netmask: {{ v['netmask'] }} - gateway: {{ v['gateway'] }} - password: {{ v['password'] }} - snmp: {{ v['snmp'] }} {% endfor %} NOTE: This state module relies on the dracr.py execution module, which runs racadm commands on the chassis, blades, etc. The racadm command runs very slowly and, depending on your state, the proxy minion return might timeout before the racadm commands have completed. If you are repeatedly seeing minions timeout after state calls, please use the -t CLI argument to increase the timeout variable. For example: salt '*' state.sls my-dell-chasis-state-name -t 60 NOTE: The Dell CMC units perform adequately but many iDRACs are excruciatingly slow. Some functions can take minutes to execute. salt.states.dellchassis.blade_idrac(name, idrac_password=None, idrac_ipmi=None, idrac_ip=None, idrac_netmask=None, idrac_gateway=None, idrac_dnsname=None, idrac_dhcp=None) Set parameters for iDRAC in a blade. Parameters idrac_password -- Password to use to connect to the iDRACs directly (idrac_ipmi and idrac_dnsname must be set directly on the iDRAC. They can't be set through the CMC. If this password is present, use it instead of the CMC password) :param idrac_ipmi: Enable/Disable IPMI over LAN :param idrac_ip: Set IP address for iDRAC :param idrac_netmask: Set netmask for iDRAC :param idrac_gateway: Set gateway for iDRAC :param idrac_dhcp: Turn on DHCP for iDRAC (True turns on, False does nothing becaause setting a static IP will disable DHCP). Returns A standard Salt changes dictionary NOTE: If any of the IP address settings is configured, all of ip, netmask, and gateway must be present salt.states.dellchassis.chassis(name, chassis_name=None, password=None, datacenter=None, location=None, mode=None, idrac_launch=None, slot_names=None, blade_power_states=None) Manage a Dell Chassis. chassis_name The name of the chassis. datacenter The datacenter in which the chassis is located location The location of the chassis. password Password for the chassis. Note: If this password is set for the chassis, the current implementation of this state will set this password both on the chassis and the iDrac passwords on any configured blades. If the password for the blades should be distinct, they should be set separately with the blade_idrac function. mode The management mode of the chassis. Viable options are: • 0: None • 1: Monitor • 2: Manage and Monitor idrac_launch The iDRAC launch method of the chassis. Viable options are: • 0: Disabled (launch iDRAC using IP address) • 1: Enabled (launch iDRAC using DNS name) slot_names The names of the slots, provided as a list identified by their slot numbers. blade_power_states The power states of a blade server, provided as a list and identified by their server numbers. Viable options are: • on: Ensure the blade server is powered on. • off: Ensure the blade server is powered off. • powercycle: Power cycle the blade server. Example: my-dell-chassis: dellchassis.chassis: - chassis_name: my-dell-chassis - location: my-location - datacenter: london - mode: 2 - idrac_launch: 1 - slot_names: - 1: my-slot-name - 2: my-other-slot-name - blade_power_states: - server-1: on - server-2: off - server-3: powercycle salt.states.dellchassis.firmware_update(hosts=None, directory='') State to update the firmware on host using the racadm command firmwarefile filename (string) starting with salt:// host string representing the hostname supplied to the racadm command directory Directory name where firmwarefile will be downloaded dell-chassis-firmware-update: dellchassis.firmware_update: hosts: cmc: salt://firmware_cmc.exe server-1: salt://firmware.exe directory: /opt/firmwares salt.states.dellchassis.switch(name, ip=None, netmask=None, gateway=None, dhcp=None, password=None, snmp=None) Manage switches in a Dell Chassis. name The switch designation (e.g. switch-1, switch-2) ip The Static IP Address of the switch netmask The netmask for the static IP gateway The gateway for the static IP dhcp True: Enable DHCP False: Do not change DHCP setup (disabling DHCP is automatic when a static IP is set) password The access (root) password for the switch snmp The SNMP community string for the switch Example: my-dell-chassis: dellchassis.switch: - switch: switch-1 - ip: 192.168.1.1 - netmask: 255.255.255.0 - gateway: 192.168.1.254 - dhcp: True - password: secret - snmp: public salt.states.disk Disk monitoring state Monitor the state of disk resources salt.states.disk.status(name, maximum=None, minimum=None) Return the current disk usage stats for the named mount point salt.states.dockerio Manage Docker containers Deprecated since version 2015.8.0: Future feature development will be done only in dockerng. See the documentation for this module for information on the deprecation path. Docker is a lightweight, portable, self-sufficient software container wrapper. The base supported wrapper type is LXC, cgroups, and the Linux Kernel. NOTE: This state module requires docker-py version >= 0.6.0 which supports Docker Remote API version 1.12. Available Functions • built corp/mysuperdocker_img: docker.built: - path: /path/to/dir/container • pulled ubuntu: docker.pulled: - tag: latest • pushed corp/mysuperdocker_img: docker.pushed • installed mysuperdocker-container: docker.installed: - name: mysuperdocker - hostname: superdocker - image: corp/mysuperdocker_img • loaded mysuperdocker-file: docker.loaded: - name: mysuperdocker - source: salt://_files/tmp/docker_image.tar • running my_service: docker.running: - container: mysuperdocker - image: corp/mysuperdocker_img - port_bindings: - "5000/tcp": HostIp: "" HostPort: "5000" NOTE: The ports argument above is a dictionary. The double indentation is required for PyYAML to load the data structure properly as a python dictionary. More information can be found here • absent mys_old_uperdocker: docker.absent • run /finish-install.sh: docker.run: - cid: mysuperdocker - unless: grep -q something /var/log/foo - docker_unless: grep -q done /install_log Use Cases Ensures the container is running with the latest image available my-service-image: docker.pulled: - name: registry/my-service:latest - force: true my-service-container: docker.installed: - image: registry/my-service:latest - watch: - docker: my-service-image my-service: docker.running: - container: my-service-container - watch: - docker: my-service-container NOTE: The docker modules are named dockerio because the name 'docker' would conflict with the underlying docker-py library. salt.states.dockerio.absent(name) Ensure that the container is absent; if not, it will will be killed and destroyed. (docker inspect) name: Either the container name or id salt.states.dockerio.built(name, tag='latest', path=None, quiet=False, nocache=False, rm=True, force=False, timeout=None, *args, **kwargs) Build a docker image from a path or URL to a dockerfile. (docker build) name Name of the image tag tag of the image (defaults to 'latest') path URL (e.g. url/branch/docker_dir/dockerfile) or filesystem path to the dockerfile salt.states.dockerio.installed(name, image, tag='latest', command=None, hostname=None, user=None, detach=True, stdin_open=False, tty=False, mem_limit=None, ports=None, environment=None, dns=None, volumes=None, volumes_from=None, cpu_shares=None, cpuset=None, *args, **kwargs) Ensure that a container with the given name exists; if not, build a new container from the specified image. (docker run) name Name for the container image Image from which to build this container tag tag of the image (defaults to 'latest') environment Environment variables for the container, either • a mapping of key, values • a list of mappings of key, values ports List of ports definitions, either: • a port to map • a mapping of mapping portInHost : PortInContainer volumes List of volumes (see notes for the running function) For other parameters, see absolutely first the salt.modules.dockerio execution module and the docker-py python bindings for docker documentation for docker.create_container. NOTE: This command does not verify that the named container is running the specified image. salt.states.dockerio.loaded(name, tag='latest', source=None, source_hash='', force=False) Load an image into the local docker registry (docker load) name Name of the docker image tag tag of the image (defaults to 'latest') source The source .tar file to download to the minion, created by docker save this source file can be hosted on either the salt master server, or on an HTTP or FTP server. If the file is hosted on a HTTP or FTP server then the source_hash argument is also required NOTE: See first the documentation for Salt file.managed source_hash This can be one of the following: 1. a source hash string 2. the URI of a file that contains source hash strings force Load even if the image exists salt.states.dockerio.mod_watch(name, sfun=None, *args, **kw) salt.states.dockerio.present(name, image=None, tag='latest', is_latest=False) If a container with the given name is not present, this state will fail. Supports optionally checking for specific image/tag (docker inspect) name: container id image: image the container should be running (defaults to any) tag: tag of the image (defaults to 'latest') is_latest: also check if the container runs the latest version of the image ( latest defined as the latest pulled onto the local machine) salt.states.dockerio.pulled(name, tag='latest', force=False, insecure_registry=False, *args, **kwargs) Pull an image from a docker registry. (docker pull) NOTE: See first the documentation for docker login, docker pull, docker push, and docker.import_image (docker import). NOTE that we added in SaltStack a way to authenticate yourself with the Docker Hub Registry by supplying your credentials (username, email & password) using pillars. For more information, see salt.modules.dockerio execution module. name Name of the image tag Tag of the image force Pull even if the image is already pulled insecure_registry Set to True to allow connections to non-HTTPS registries. Default False. salt.states.dockerio.pushed(name, tag='latest', insecure_registry=False) Push an image from a docker registry. (docker push) NOTE: See first the documentation for docker login, docker pull, docker push, and docker.import_image (docker import). NOTE that we added in SaltStack a way to authenticate yourself with the Docker Hub Registry by supplying your credentials (username, email & password) using pillars. For more information, see salt.modules.dockerio execution module. name Name of the image tag Tag of the image [Optional] insecure_registry Set to True to allow connections to non-HTTPS registries. Default False. salt.states.dockerio.run(name, cid=None, hostname=None, onlyif=None, unless=None, docked_onlyif=None, docked_unless=None, *args, **kwargs) Run a command in a specific container You can match by either name or hostname name command to run in the container cid Container id or name state_id state_id onlyif Only execute cmd if statement on the host returns 0 unless Do not execute cmd if statement on the host returns 0 docked_onlyif Only execute cmd if statement in the container returns 0 docked_unless Do not execute cmd if statement in the container returns 0 salt.states.dockerio.running(name, image, tag='latest', container=None, command=None, hostname=None, user=None, detach=True, stdin_open=False, tty=False, mem_limit=None, ports=None, environment=None, dns=None, volumes=None, volumes_from=None, start=True, cap_add=None, cap_drop=None, privileged=None, lxc_conf=None, network_mode=None, check_is_running=True, publish_all_ports=False, links=None, restart_policy=None, cpu_shares=None, cpuset=None, kill_signal=None, *args, **kwargs) Ensure that a container is running. If the container does not exist, it will be created from the specified image. (docker run) name / container Name for the container image Image from which to build this container tag tag of the image (defaults to 'latest') environment Environment variables for the container, either • a mapping of key, values • a list of mappings of key, values ports List of ports definitions, either: • a port to map • a mapping of mapping portInHost : PortInContainer - ports: - "5000/tcp": HostIp: "" HostPort: "5000" publish_all_ports Publish all ports from the port list (default is false, only meaningful if port does not contain portinhost:portincontainer mapping) volumes List of volumes to mount or create in the container (like -v of docker run command), mapping host directory to container directory. To specify a volume in the container in terse list format: - volumes: - "/var/log/service" # container-only volume - "/srv/timezone:/etc/timezone" # bound volume - "/usr/local/etc/passwd:/etc/passwd:ro" # read-only bound volume You can also use the short dictionary form (note that the notion of source:target from docker is preserved): - volumes: - /var/log/service: /var/log/service # mandatory read-write implied Or, alternatively, to specify read-only mounting, use the extended form: - volumes: - /home/user1: bind: /mnt/vol2 ro: True - /var/www: bind: /mnt/vol1 ro: False Or (for backwards compatibility) another dict style: - volumes: /home/user1: bind: /mnt/vol2 ro: True /var/www: bind: /mnt/vol1 ro: False volumes_from List of containers to share volumes with dns List of DNS servers. - dns: - 127.0.0.1 network_mode • 'bridge': creates a new network stack for the container on the docker bridge • 'none': no networking for this container • 'container:[name|id]': reuses another container network stack) • 'host': use the host network stack inside the container - network_mode: host restart_policy Restart policy to apply when a container exits (no, on-failure[:max-retry], always) - restart_policy: MaximumRetryCount: 5 Name: on-failure cap_add List of capabilities to add in a container. cap_drop List of capabilities to drop in a container. check_is_running Enable checking if a container should run or not. Useful for data-only containers that must be linked to another one. e.g. nginx <- static-files cpu_shares CPU shares (relative weight) - cpu_shares: 2 cpuset CPUs in which to allow execution ('0-3' or '0,1') - cpuset: '0-3' kill_signal If defined, its value will be sent as a kill signal to the running container. i.e. It will use client.kill(signal=kill_signal) instead of client.restart(), when the state is triggered by a watcher requisite. possible use case: Soft reload of nginx nginx: docker.running: - image: some-fictional-registry.com/nginx - tag: latest - kill_signal: SIGHUP - watch: - file: /etc/nginx/nginx.conf This state will ask nginx to reload (instead of restart) each time the /etc/nginx/nginx.conf is modified. New in version 2015.8.0. For other parameters, see salt.modules.dockerio execution module and the docker-py python bindings for docker documentation <‐ https://github.com/dotcloud/docker-py#api>`_ for docker.create_container. NOTE: This command does not verify that the named container is running the specified image. salt.states.dockerio.script(*args, **kw) Placeholder function for a cmd.script alike. NOTE: Not yet implemented. Its implementation might be very similar from salt.states.dockerio.run salt.states.dockerng Management of Docker containers New in version 2015.8.0. This is the state module to accompany the dockerng execution module. Why Make a Second Docker State Module? We have received a lot of feedback on our Docker support. In the process of implementing recommended improvements, it became obvious that major changes needed to be made to the functions and return data. In the end, a complete rewrite was done. The changes being too significant, it was decided that making a separate execution module and state module (called dockerng) would be the best option. This will give users a couple release cycles to modify their scripts, SLS files, etc. to use the new functionality, rather than forcing users to change everything immediately. In the Carbon release of Salt (due in 2016), this execution module will take the place of the default Docker execution module, and backwards-compatible naming will be maintained for a couple releases after that to allow users time to replace references to dockerng with docker. NOTE: To pull from a Docker registry, authentication must be configured. See here for more information on how to configure access to docker registries in Pillar data. salt.states.dockerng.absent(name, force=False) Ensure that a container is absent name Name of the container force False Set to True to remove the container even if it is running Usage Examples: mycontainer: dockerng.absent multiple_containers: dockerng.absent: - names: - foo - bar - baz salt.states.dockerng.image_absent(name=None, images=None, force=False) Ensure that an image is absent from the Minion. Image names can be specified either using repo:tag notation, or just the repo name (in which case a tag of latest is assumed). images Run this state on more than one image at a time. The following two examples accomplish the same thing: remove_images: dockerng.image_absent: - names: - busybox - centos:6 - nginx remove_images: dockerng.image_absent: - images: - busybox - centos:6 - nginx However, the second example will be a bit quicker since Salt will do all the deletions in a single run, rather than executing the state separately on each image (as it would in the first example). force False Salt will fail to remove any images currently in use by a container. Set this option to true to remove the image even if it is already present. NOTE: This option can also be overridden by Pillar data. If the Minion has a pillar variable named dockerng.running.force which is set to True, it will turn on this option. This pillar variable can even be set at runtime. For example: salt myminion state.sls docker_stuff pillar="{dockerng.force: True}" If this pillar variable is present and set to False, then it will turn off this option. For more granular control, setting a pillar variable named dockerng.force.image_name will affect only the named image. salt.states.dockerng.image_present(name, build=None, load=None, force=False, insecure_registry=False, client_timeout=60) Ensure that an image is present. The image can either be pulled from a Docker registry, built from a Dockerfile, or loaded from a saved image. Image names can be specified either using repo:tag notation, or just the repo name (in which case a tag of latest is assumed). If neither of the build or load arguments are used, then Salt will pull from the configured registries. If the specified image already exists, it will not be pulled unless force is set to True. Here is an example of a state that will pull an image from the Docker Hub: myuser/myimage:mytag: dockerng.image_present build Path to directory on the Minion containing a Dockerfile myuser/myimage:mytag: dockerng.image_present: - build: /home/myuser/docker/myimage The image will be built using dockerng.build and the specified image name and tag will be applied to it. load Loads a tar archive created with dockerng.load (or the docker load Docker CLI command), and assigns it the specified repo and tag. myuser/myimage:mytag: dockerng.image_present: - load: salt://path/to/image.tar force False Set this parameter to True to force Salt to pull/build/load the image even if it is already present. client_timeout Timeout in seconds for the Docker client. This is not a timeout for the state, but for receiving a response from the API. salt.states.dockerng.mod_watch(name, sfun=None, **kwargs) salt.states.dockerng.network_absent(name, driver=None) Ensure that a network is absent. name Name of the network Usage Examples: network_foo: dockerng.network_absent salt.states.dockerng.network_present(name, driver=None, containers=None) Ensure that a network is present. name Name of the network driver Type of driver for that network. containers: List of container names that should be part of this network Usage Examples: network_foo: dockerng.network_present network_bar: dockerng.network_present - name: bar - containers: - cont1 - cont2 salt.states.dockerng.running(name, image=None, force=False, stop_timeout=10, validate_ip_addrs=True, watch_action='force', client_timeout=60, start=True, **kwargs) Ensure that a container with a specific configuration is present and running name Name of the container image Image to use for the container. Image names can be specified either using repo:tag notation, or just the repo name (in which case a tag of latest is assumed). NOTE: This state will pull the image if it is not present. However, if the image needs to be built from a Dockerfile or loaded from a saved image, or if you would like to use requisites to trigger a replacement of the container when the image is updated, then the dockerng.image_present should be used to manage the image. force False Set this parameter to True to force Salt to re-create the container irrespective of whether or not it is configured as desired. stop_timeout 10 If the container needs to be replaced, the container will be stopped using dockerng.stop. The value of this parameter will be passed to dockerng.stop as the timeout value, telling Docker how long to wait for a graceful shutdown before killing the container. validate_ip_addrs True For parameters which accept IP addresses as input, IP address validation will be performed. To disable, set this to False watch_action force Control what type of action is taken when this state watches another state that has changes. The default action is force, which runs the state with force set to True, triggering a rebuild of the container. If any other value is passed, it will be assumed to be a kill signal. If the container matches the specified configuration, and is running, then the action will be to send that signal to the container. Kill signals can be either strings or numbers, and are defined in the Standard Signals section of the signal(7) manpage. Run man 7 signal on a Linux host to browse this manpage. For example: mycontainer: dockerng.running: - image: busybox - watch_action: SIGHUP - watch: - file: some_file NOTE: If the container differs from the specified configuration, or is not running, then instead of sending a signal to the container, the container will be re-created/started and no signal will be sent. client_timeout Timeout in seconds for the Docker client. This is not a timeout for this function, but for receiving a response from the API. NOTE: This is only used if Salt needs to pull the requested image. CONTAINER CONFIGURATION PARAMETERS command or cmd Command to run in the container foo: dockerng.running: - image: bar/baz:latest - command: bash OR foo: dockerng.running: - image: bar/baz:latest - cmd: bash Changed in version 2015.8.1: cmd is now also accepted hostname Hostname of the container. If not provided, and if a name has been provided, the hostname will default to the name that was passed. foo: dockerng.running: - image: bar/baz:latest - hostname: web1 WARNING: hostname cannot be set if network_mode is set to host. The below example will result in an error: foo: dockerng.running: - image: bar/baz:latest - hostname: web1 - network_mode: host domainname Domain name of the container foo: dockerng.running: - image: bar/baz:latest - hostname: domain.tld interactive False Leave stdin open foo: dockerng.running: - image: bar/baz:latest - interactive: True tty False Attach TTYs foo: dockerng.running: - image: bar/baz:latest - tty: True detach True If True, run the container's command in the background (daemon mode) foo: dockerng.running: - image: bar/baz:latest - detach: False user User under which to run docker foo: dockerng.running: - image: bar/baz:latest - user: foo memory 0 Memory limit. Can be specified in bytes or using single-letter units (i.e. 512M, 2G, etc.). A value of 0 (the default) means no memory limit. foo: dockerng.running: - image: bar/baz:latest - memory: 512M memory_swap -1 Total memory limit (memory plus swap). Set to -1 to disable swap. A value of 0 means no swap limit. foo: dockerng.running: - image: bar/baz:latest - memory_swap: 1G mac_address MAC address to use for the container. If not specified, a random MAC address will be used. foo: dockerng.running: - image: bar/baz:latest - mac_address: 01:23:45:67:89:0a network_disabled False If True, networking will be disabled within the container foo: dockerng.running: - image: bar/baz:latest - network_disabled: True working_dir Working directory inside the container foo: dockerng.running: - image: bar/baz:latest - working_dir: /var/log/nginx entrypoint Entrypoint for the container foo: dockerng.running: - image: bar/baz:latest - entrypoint: "mycmd --arg1 --arg2" The entrypoint can also be specified as a list of arguments: foo: dockerng.running: - image: bar/baz:latest - entrypoint: - mycmd - --arg1 - --arg2 environment Either a list of variable/value mappings, or a list of strings in the format VARNAME=value. The below two examples are equivalent: foo: dockerng.running: - image: bar/baz:latest - environment: - VAR1: value - VAR2: value foo: dockerng.running: - image: bar/baz:latest - environment: - VAR1=value - VAR2=value NOTE: Values must be strings. Otherwise it will be considered as an error. ports A list of ports to expose on the container. Can either be a comma-separated list or a YAML list. If the protocol is omitted, the port will be assumed to be a TCP port. The below two examples are equivalent: foo: dockerng.running: - image: bar/baz:latest - ports: 1111,2222/udp foo: dockerng.running: - image: bar/baz:latest - ports: - 1111 - 2222/udp volumes None List of directories to expose as volumes. Can either be a comma-separated list or a YAML list. The below two examples are equivalent: foo: dockerng.running: - image: bar/baz:latest - volumes: /mnt/vol1,/mnt/vol2 foo: dockerng.running: - image: bar/baz:latest - volumes: - /mnt/vol1 - /mnt/vol2 cpu_shares CPU shares (relative weight) foo: dockerng.running: - image: bar/baz:latest - cpu_shares: 0.5 cpuset CPUs on which which to allow execution, specified as a string containing a range (e.g. 0-3) or a comma-separated list of CPUs (e.g. 0,1). foo: dockerng.running: - image: bar/baz:latest - cpuset: "0,1" binds Files/directories to bind mount. Each bind mount should be passed in the format <host_path>:<container_path>:<read_only>, where <read_only> is one of rw (for read-write access) or ro (for read-only access). foo: dockerng.running: - image: bar/baz:latest - binds: /srv/www:/var/www:ro,/etc/foo.conf:/usr/local/etc/foo.conf:rw Binds can be passed as a YAML list instead of a comma-separated list: foo: dockerng.running: - image: bar/baz:latest - binds: - /srv/www:/var/www:ro - /home/myuser/conf/foo.conf:/etc/foo.conf:rw Optionally, the read-only information can be left off the end and the bind mount will be assumed to be read-write. The example below is equivalent to the one above: foo: dockerng.running: - image: bar/baz:latest - binds: - /srv/www:/var/www:ro - /home/myuser/conf/foo.conf:/etc/foo.conf port_bindings Bind exposed ports. Port bindings should be passed in the same way as the --publish argument to the docker run CLI command: • ip:hostPort:containerPort - Bind a specific IP and port on the host to a specific port within the container. • ip::containerPort - Bind a specific IP and an ephemeral port to a specific port within the container. • hostPort:containerPort - Bind a specific port on all of the host's interfaces to a specific port within the container. • containerPort - Bind an ephemeral port on all of the host's interfaces to a specific port within the container. Multiple bindings can be separated by commas, or passed as a Python list. The below two examples are equivalent: foo: dockerng.running: - image: bar/baz:latest - port_bindings: "5000:5000,2123:2123/udp,8080" foo: dockerng.running: - image: bar/baz:latest - port_bindings: - 5000:5000 - 2123:2123/udp - "8080" NOTE: When configuring bindings for UDP ports, the protocol must be passed in the containerPort value, as seen in the examples above. lxc_conf Additional LXC configuration parameters to set before starting the container. foo: dockerng.running: - image: bar/baz:latest - lxc_conf: - lxc.utsname: docker NOTE: These LXC configuration parameters will only have the desired effect if the container is using the LXC execution driver, which has not been the default for some time. publish_all_ports False Allocates a random host port for each port exposed using the ports parameter foo: dockerng.running: - image: bar/baz:latest - ports: 8080 - publish_all_ports: True links Link this container to another. Links should be specified in the format <container_name_or_id>:<link_alias>. Multiple links can be passed, either as a comma separated list or a YAML list. The below two examples are equivalent: foo: dockerng.running: - image: bar/baz:latest - links: web1:link1,web2:link2 foo: dockerng.running: - image: bar/baz:latest - links: - web1:link1 - web2:link2 dns List of DNS nameservers. Can be passed as a comma-separated list or a YAML list. The below two examples are equivalent: foo: dockerng.running: - image: bar/baz:latest - dns: 8.8.8.8,8.8.4.4 foo: dockerng.running: - image: bar/baz:latest - dns: - 8.8.8.8 - 8.8.4.4 NOTE: To skip IP address validation, use validate_ip_addrs=False dns_search List of DNS search domains. Can be passed as a comma-separated list or a YAML list. The below two examples are equivalent: foo: dockerng.running: - image: bar/baz:latest - dns_search: foo1.domain.tld,foo2.domain.tld foo: dockerng.running: - image: bar/baz:latest - dns_search: - foo1.domain.tld - foo2.domain.tld volumes_from Container names or IDs from which the container will get volumes. Can be passed as a comma-separated list or a YAML list. The below two examples are equivalent: foo: dockerng.running: - image: bar/baz:latest - volumes_from: foo foo: dockerng.running: - image: bar/baz:latest - volumes_from: - foo network_mode bridge One of the following: • bridge - Creates a new network stack for the container on the docker bridge • null - No networking (equivalent of the Docker CLI argument --net=none) • container:<name_or_id> - Reuses another container's network stack • host - Use the host's network stack inside the container • Any name that identifies an existing network that might be created with dockerng.network_present. WARNING: Using host mode gives the container full access to the hosts system's services (such as D-bus), and is therefore considered insecure. foo: dockerng.running: - image: bar/baz:latest - network_mode: null restart_policy Set a restart policy for the container. Must be passed as a string in the format policy[:retry_count] where policy is one of always or on-failure, and retry_count is an optional limit to the number of retries. The retry count is ignored when using the always restart policy. foo: dockerng.running: - image: bar/baz:latest - restart_policy: on-failure:5 bar: dockerng.running: - image: bar/baz:latest - restart_policy: always cap_add List of capabilities to add within the container. Can be passed as a comma-separated list or a Python list. The below two examples are equivalent: foo: dockerng.running: - image: bar/baz:latest - cap_add: SYS_ADMIN,MKNOD foo: dockerng.running: - image: bar/baz:latest - cap_add: - SYS_ADMIN - MKNOD NOTE: This option requires Docker 1.2.0 or newer. cap_drop List of capabilities to drop within the container. Can be passed as a comma-separated list or a Python list. The below two examples are equivalent: foo: dockerng.running: - image: bar/baz:latest - cap_drop: SYS_ADMIN,MKNOD foo: dockerng.running: - image: bar/baz:latest - cap_drop: - SYS_ADMIN - MKNOD NOTE: This option requires Docker 1.2.0 or newer. extra_hosts Additional hosts to add to the container's /etc/hosts file. Can be passed as a comma-separated list or a Python list. The below two exampels are equivalent: foo: dockerng.running: - image: bar/baz:latest - extra_hosts: web1:10.9.8.7,web2:10.9.8.8 foo: dockerng.running: - image: bar/baz:latest - extra_hosts: - web1:10.9.8.7 - web2:10.9.8.8 NOTE: To skip IP address validation, use validate_ip_addrs=False NOTE: This option requires Docker 1.3.0 or newer. pid_mode Set to host to use the host container's PID namespace within the container foo: dockerng.running: - image: bar/baz:latest - pid_mode: host NOTE: This option requires Docker 1.5.0 or newer. labels Add Metadata to the container. Can be a list of strings/dictionaries or a dictionary of strings (keys and values). foo: dockerng.running: - image: bar/baz:latest - labels: - LABEL1 - LABEL2 foo: dockerng.running: - image: bar/baz:latest - labels: KEY1: VALUE1 KEY2: VALUE2 foo: dockerng.running: - image: bar/baz:latest - labels: - KEY1: VALUE1 - KEY2: VALUE2 start True Set to False to suppress starting of the container if it exists, matches the desired configuration, but is not running. This is useful for data-only containers, or for non-daemonized container processes, such as the django migrate and collectstatic commands. In instances such as this, the container only needs to be started the first time. salt.states.dockerng.stopped(name=None, containers=None, stop_timeout=10, unpause=False, error_on_absent=True) Ensure that a container (or containers) is stopped name Name or ID of the container containers Run this state on more than one container at a time. The following two examples accomplish the same thing: stopped_containers: dockerng.stopped: - names: - foo - bar - baz stopped_containers: dockerng.stopped: - containers: - foo - bar - baz However, the second example will be a bit quicker since Salt will stop all specified containers in a single run, rather than executing the state separately on each image (as it would in the first example). stop_timeout 10 Timeout for graceful shutdown of the container. If this timeout is exceeded, the container will be killed. unpause False Set to True to unpause any paused containers before stopping. If unset, then an error will be raised for any container that was paused. error_on_absent True By default, this state will return an error if any of the specified containers are absent. Set this to False to suppress that error. salt.states.dockerng.volume_absent(name, driver=None) Ensure that a volume is absent. New in version 2015.8.4. name Name of the volume Usage Examples: volume_foo: dockerng.volume_absent salt.states.dockerng.volume_present(name, driver=None, driver_opts=None, force=False) Ensure that a volume is present. New in version 2015.8.4. Changed in version 2015.8.6: This function no longer deletes and re-creates a volume if the existing volume's driver does not match the driver parameter (unless the force parameter is set to True). name Name of the volume driver Type of driver for that volume. If None and the volume does not yet exist, the volume will be created using Docker's default driver. If None and the volume does exist, this function does nothing, even if the existing volume's driver is not the Docker default driver. (To ensure that an existing volume's driver matches the Docker default, you must explicitly name Docker's default driver here.) driver_opts Options for the volume driver force False If the volume already exists but the existing volume's driver does not match the driver specified by the driver parameter, this parameter controls whether the function errors out (if False) or deletes and re-creates the volume (if True). New in version 2015.8.6. Usage Examples: volume_foo: dockerng.volume_present volume_bar: dockerng.volume_present - name: bar - driver: local - driver_opts: foo: bar volume_bar: dockerng.volume_present - name: bar - driver: local - driver_opts: - foo: bar - option: value salt.states.drac Management of Dell DRAC The DRAC module is used to create and manage DRAC cards on Dell servers Ensure the user damian is present damian: drac.present: - name: damian - password: secret - permission: login,test_alerts,clear_logs Ensure the user damian does not exist damian: drac.absent: - name: damian Ensure DRAC network is in a consistent state my_network: drac.network: - ip: 10.225.108.29 - netmask: 255.255.255.224 - gateway: 10.225.108.1 salt.states.drac.absent(name) Ensure a user does not exist on the Dell DRAC name: The users username salt.states.drac.network(ip, netmask, gateway) Ensure the DRAC network settings are consistent salt.states.drac.present(name, password, permission) Ensure the user exists on the Dell DRAC name: The users username password The password used to authenticate permission The permissions that should be assigned to a user salt.states.elasticsearch_index State module to manage Elasticsearch indices New in version 2015.8.0. salt.states.elasticsearch_index.absent(name) Ensure that the named index is absent salt.states.elasticsearch_index.present(name, definition) Ensure that the named index is present salt.states.elasticsearch_index_template State module to manage Elasticsearch index templates New in version 2015.8.0. salt.states.elasticsearch_index_template.absent(name) Ensure that the named index template is absent salt.states.elasticsearch_index_template.present(name, definition=None) Ensure that the named index template is present salt.states.environ Support for getting and setting the environment variables of the current salt process. salt.states.environ.setenv(name, value, false_unsets=False, clear_all=False, update_minion=False) Set the salt process environment variables. name The environment key to set. Must be a string. value Either a string or dict. When string, it will be the value set for the environment key of 'name' above. When a dict, each key/value pair represents an environment variable to set. false_unsets If a key's value is False and false_unsets is True, then the key will be removed from the salt processes environment dict entirely. If a key's value is False and false_unsets is not True, then the key's value will be set to an empty string. Default: False clear_all USE WITH CAUTION! This option can unset environment variables needed for salt to function properly. If clear_all is True, then any environment variables not defined in the environ dict will be deleted. Default: False update_minion If True, apply these environ changes to the main salt-minion process. If False, the environ changes will only affect the current salt subprocess. Default: False Example: a_string_env: environ.setenv: - name: foo - value: bar - update_minion: True a_dict_env: environ.setenv: - name: does_not_matter - value: foo: bar baz: quux salt.states.eselect Management of Gentoo configuration using eselect A state module to manage Gentoo configuration via eselect profile: eselect.set: target: hardened/linux/amd64 salt.states.eselect.set(name, target, module_parameter=None, action_parameter=None) Verify that the given module is set to the given target name The name of the module target The target to be set for this module module_parameter additional params passed to the defined module action_parameter additional params passed to the defined action salt.states.etcd_mod Manage etcd Keys New in version 2015.8.0. depends • python-etcd This state module supports setting and removing keys from etcd. Salt Master Configuration To work with an etcd server you must configure an etcd profile in the Salt Master configuration, for example: my_etd_config: etcd.host: 127.0.0.1 etcd.port: 4001 You can also configure etcd without a profile however it is recommended that you use profiles: etcd.host: 127.0.0.1 etcd.port: 4001 Available Functions • set This will set a value to a key in etcd. Changes will be returned if the key has been created or the value of the key has been updated. This means you can watch these states for changes. /foo/bar/baz: etcd.set: - value: foo - profile: my_etcd_config • wait_set Performs the same functionality as set but only if a watch requisite is True. /some/file.txt: file.managed: - source: salt://file.txt /foo/bar/baz: etcd.wait_set: - value: foo - profile: my_etcd_config - watch: - file: /some/file.txt • rm This will delete a key from etcd. If the key exists then changes will be returned and thus you can watch for changes on the state, if the key does not exist then no changes will occur. /foo/bar/baz: etcd.rm: - profile: my_etcd_config • wait_rm Performs the same functionality as rm but only if a watch requisite is True. /some/file.txt: file.managed: - source: salt://file.txt /foo/bar/baz: etcd.wait_rm: - profile: my_etcd_config - watch: - file: /some/file.txt salt.states.etcd_mod.mod_watch(name, **kwargs) Execute a etcd function based on a watch call requisite. salt.states.etcd_mod.rm(name, recurse=False, profile=None) Deletes a key from etcd. This function is also aliased as rm. name The etcd key name to remove, for example /foo/bar/baz. recurse Optional, defaults to False. If True performs a recursive delete. profile Optional, defaults to None. Sets the etcd profile to use which has been defined in the Salt Master config. salt.states.etcd_mod.set(name, value, profile=None) Set a key in etcd and can be called as set. name The etcd key name, for example: /foo/bar/baz. value The value the key should contain. profile Optional, defaults to None. Sets the etcd profile to use which has been defined in the Salt Master config. salt.states.etcd_mod.wait_rm(name, recurse=False, profile=None) Deletes a key from etcd only if the watch statement calls it. This function is also aliased as wait_rm. name The etcd key name to remove, for example /foo/bar/baz. recurse Optional, defaults to False. If True performs a recursive delete, see: https://python-etcd.readthedocs.org/en/latest/#delete-a-key. profile Optional, defaults to None. Sets the etcd profile to use which has been defined in the Salt Master config. salt.states.etcd_mod.wait_set(name, value, profile=None) Set a key in etcd only if the watch statement calls it. This function is also aliased as wait_set. name The etcd key name, for example: /foo/bar/baz. value The value the key should contain. profile The etcd profile to use that has been configured on the Salt Master, this is optional and defaults to None. salt.states.esxi Manage VMware ESXi Hosts. New in version 2015.8.4. Dependencies • pyVmomi Python Module • ESXCLI pyVmomi PyVmomi can be installed via pip: pip install pyVmomi NOTE: Version 6.0 of pyVmomi has some problems with SSL error handling on certain versions of Python. If using version 6.0 of pyVmomi, Python 2.6, Python 2.7.9, or newer must be present. This is due to an upstream dependency in pyVmomi 6.0 that is not supported in Python versions 2.7 to 2.7.8. If the version of Python is not in the supported range, you will need to install an earlier version of pyVmomi. See Issue #29537 for more information. Based on the note above, to install an earlier version of pyVmomi than the version currently listed in PyPi, run the following: pip install pyVmomi==5.5.0.2014.1.1 The 5.5.0.2014.1.1 is a known stable version that this original ESXi State Module was developed against. ESXCLI Currently, about a third of the functions used in the vSphere Execution Module require the ESXCLI package be installed on the machine running the Proxy Minion process. The ESXCLI package is also referred to as the VMware vSphere CLI, or vCLI. VMware provides vCLI package installation instructions for vSphere 5.5 and vSphere 6.0. Once all of the required dependencies are in place and the vCLI package is installed, you can check to see if you can connect to your ESXi host or vCenter server by running the following command: esxcli -s <host-location> -u <username> -p <password> system syslog config get If the connection was successful, ESXCLI was successfully installed on your system. You should see output related to the ESXi host's syslog configuration. NOTE: Be aware that some functionality in this state module may depend on the type of license attached to the ESXi host. For example, certain services are only available to manipulate service state or policies with a VMware vSphere Enterprise or Enterprise Plus license, while others are available with a Standard license. The ntpd service is restricted to an Enterprise Plus license, while ssh is available via the Standard license. Please see the vSphere Comparison page for more information. About This state module was written to be used in conjunction with Salt's ESXi Proxy Minion. For a tutorial on how to use Salt's ESXi Proxy Minion, please refer to the ESXi Proxy Minion Tutorial for configuration examples, dependency installation instructions, how to run remote execution functions against ESXi hosts via a Salt Proxy Minion, and a larger state example. salt.states.esxi.coredump_configured(name, enabled, dump_ip, host_vnic='vmk0', dump_port=6500) Ensures a host's core dump configuration. name Name of the state. enabled Sets whether or not ESXi core dump collection should be enabled. This is a boolean value set to True or False to enable or disable core dumps. Note that ESXi requires that the core dump must be enabled before any other parameters may be set. This also affects the changes results in the state return dictionary. If enabled is False, we can't obtain any previous settings to compare other state variables, resulting in many old references returning None. Once enabled is True the changes dictionary comparisons will be more accurate. This is due to the way the system coredemp network configuration command returns data. dump_ip The IP address of host that will accept the dump. host_vnic Host VNic port through which to communicate. Defaults to vmk0. dump_port TCP port to use for the dump. Defaults to 6500. Example: configure-host-coredump: esxi.coredump_configured: - enabled: True - dump_ip: 'my-coredump-ip.example.com' salt.states.esxi.ntp_configured(name, service_running, ntp_servers=None, service_policy=None, service_restart=False, update_datetime=False) Ensures a host's NTP server configuration such as setting NTP servers, ensuring the NTP daemon is running or stopped, or restarting the NTP daemon for the ESXi host. name Name of the state. service_running Ensures the running state of the ntp daemon for the host. Boolean value where True indicates that ntpd should be running and False indicates that it should be stopped. ntp_servers A list of servers that should be added to the ESXi host's NTP configuration. service_policy The policy to set for the NTP service. NOTE: When setting the service policy to off or on, you must quote the setting. If you don't, the yaml parser will set the string to a boolean, which will cause trouble checking for stateful changes and will error when trying to set the policy on the ESXi host. service_restart If set to True, the ntp daemon will be restarted, regardless of its previous running state. Default is False. update_datetime If set to True, the date/time on the given host will be updated to UTC. Default setting is False. This option should be used with caution since network delays and execution delays can result in time skews. Example: configure-host-ntp: esxi.ntp_configured: - service_running: True - ntp_servers: - 192.174.1.100 - 192.174.1.200 - service_policy: 'on' - service_restart: True salt.states.esxi.password_present(name, password) Ensures the given password is set on the ESXi host. Passwords cannot be obtained from host, so if a password is set in this state, the vsphere.update_host_password function will always run (except when using test=True functionality) and the state's changes dictionary will always be populated. The username for which the password will change is the same username that is used to authenticate against the ESXi host via the Proxy Minion. For example, if the pillar definition for the proxy username is defined as root, then the username that the password will be updated for via this state is root. name Name of the state. password The new password to change on the host. Example: configure-host-password: esxi.password_present: - password: 'new-bad-password' salt.states.esxi.ssh_configured(name, service_running, ssh_key=None, ssh_key_file=None, service_policy=None, service_restart=False, certificate_verify=False) Manage the SSH configuration for a host including whether or not SSH is running or the presence of a given SSH key. Note: Only one ssh key can be uploaded for root. Uploading a second key will replace any existing key. name Name of the state. service_running Ensures whether or not the SSH service should be running on a host. Represented as a boolean value where True indicates that SSH should be running and False indicates that SSH should stopped. In order to update SSH keys, the SSH service must be running. ssh_key Public SSH key to added to the authorized_keys file on the ESXi host. You can use ssh_key or ssh_key_file, but not both. ssh_key_file File containing the public SSH key to be added to the authorized_keys file on the ESXi host. You can use ssh_key_file or ssh_key, but not both. service_policy The policy to set for the NTP service. NOTE: When setting the service policy to off or on, you must quote the setting. If you don't, the yaml parser will set the string to a boolean, which will cause trouble checking for stateful changes and will error when trying to set the policy on the ESXi host. service_restart If set to True, the SSH service will be restarted, regardless of its previous running state. Default is False. certificate_verify If set to True, the SSL connection must present a valid certificate. Default is False. Example: configure-host-ssh: esxi.ssh_configured: - service_running: True - ssh_key_file: /etc/salt/ssh_keys/my_key.pub - service_policy: 'on' - service_restart: True - certificate_verify: True salt.states.esxi.syslog_configured(name, syslog_configs, firewall=True, reset_service=True, reset_syslog_config=False, reset_configs=None) Ensures the specified syslog configuration parameters. By default, this state will reset the syslog service after any new or changed parameters are set successfully. name Name of the state. syslog_configs Name of parameter to set (corresponds to the command line switch for esxcli without the double dashes (--)) Valid syslog_config values are logdir, loghost, logdir-unique, default-rotate, default-size, and default-timeout. Each syslog_config option also needs a configuration value to set. For example, loghost requires URLs or IP addresses to use for logging. Multiple log servers can be specified by listing them, comma-separated, but without spaces before or after commas (reference: https://blogs.vmware.com/vsphere/2012/04/configuring-multiple-syslog-servers-for-esxi-5.html) firewall Enable the firewall rule set for syslog. Defaults to True. reset_service After a successful parameter set, reset the service. Defaults to True. reset_syslog_config Resets the syslog service to it's default settings. Defaults to False. If set to True, default settings defined by the list of syslog configs in reset_configs will be reset before running any other syslog settings. reset_configs A comma-delimited list of parameters to reset. Only runs if reset_syslog_config is set to True. If reset_syslog_config is set to True, but no syslog configs are listed in reset_configs, then reset_configs will be set to all by default. See syslog_configs parameter above for a list of valid options. Example: configure-host-syslog: esxi.syslog_configured: - syslog_configs: loghost: ssl://localhost:5432,tcp://10.1.0.1:1514 default-timeout: 120 - firewall: True - reset_service: True - reset_syslog_config: True - reset_configs: loghost,default-timeout salt.states.esxi.vmotion_configured(name, enabled, device='vmk0') Configures a host's VMotion properties such as enabling VMotion and setting the device VirtualNic that VMotion will use. name Name of the state. enabled Ensures whether or not VMotion should be enabled on a host as a boolean value where True indicates that VMotion should be enabled and False indicates that VMotion should be disabled. device The device that uniquely identifies the VirtualNic that will be used for VMotion for the host. Defaults to vmk0. Example: configure-vmotion: esxi.vmotion_configured: - enabled: True - device: sample-device salt.states.esxi.vsan_configured(name, enabled, add_disks_to_vsan=False) Configures a host's VSAN properties such as enabling or disabling VSAN, or adding VSAN-eligible disks to the VSAN system for the host. name Name of the state. enabled Ensures whether or not VSAN should be enabled on a host as a boolean value where True indicates that VSAN should be enabled and False indicates that VSAN should be disabled. add_disks_to_vsan If set to True, any VSAN-eligible disks for the given host will be added to the host's VSAN system. Default is False. Example: configure-host-vsan: esxi.vsan_configured: - enabled: True - add_disks_to_vsan: True salt.states.event Send events through Salt's event system during state runs salt.states.event.send(name, data=None, preload=None, with_env=False, with_grains=False, with_pillar=False, **kwargs) Send an event to the Salt Master New in version 2014.7.0. Accepts the same arguments as the event.send execution module of the same name. Example: # ...snip bunch of states above mycompany/mystaterun/status/update: event.send: - data: status: "Half-way through the state run!" # ...snip bunch of states below salt.states.event.wait(name, sfun=None) Fire an event on the Salt master event bus if called from a watch statement New in version 2014.7.0. Example: # Stand up a new web server. apache: pkg: - installed - name: httpd service: - running - enable: True - name: httpd # Notify the load balancer to update the pool once Apache is running. refresh_pool: event: - wait - name: mycompany/loadbalancer/pool/update - data: new_web_server_ip: {{ grains['ipv4'] | first() }} - watch: - pkg: apache salt.states.file Operations on regular files, special files, directories, and symlinks Salt States can aggressively manipulate files on a system. There are a number of ways in which files can be managed. Regular files can be enforced with the file.managed state. This state downloads files from the salt master and places them on the target system. Managed files can be rendered as a jinja, mako, or wempy template, adding a dynamic component to file management. An example of file.managed which makes use of the jinja templating system would look like this: /etc/http/conf/http.conf: file.managed: - source: salt://apache/http.conf - user: root - group: root - mode: 644 - template: jinja - defaults: custom_var: "default value" other_var: 123 {% if grains['os'] == 'Ubuntu' %} - context: custom_var: "override" {% endif %} It is also possible to use the py renderer as a templating option. The template would be a Python script which would need to contain a function called run(), which returns a string. All arguments to the state will be made available to the Python script as globals. The returned string will be the contents of the managed file. For example: def run(): lines = ['foo', 'bar', 'baz'] lines.extend([source, name, user, context]) # Arguments as globals return '\n\n'.join(lines) NOTE: The defaults and context arguments require extra indentation (four spaces instead of the normal two) in order to create a nested dictionary. More information. If using a template, any user-defined template variables in the file defined in source must be passed in using the defaults and/or context arguments. The general best practice is to place default values in defaults, with conditional overrides going into context, as seen above. The template will receive a variable custom_var, which would be accessed in the template using {{ custom_var }}. If the operating system is Ubuntu, the value of the variable custom_var would be override, otherwise it is the default default value The source parameter can be specified as a list. If this is done, then the first file to be matched will be the one that is used. This allows you to have a default file on which to fall back if the desired file does not exist on the salt fileserver. Here's an example: /etc/foo.conf: file.managed: - source: - salt://foo.conf.{{ grains['fqdn'] }} - salt://foo.conf.fallback - user: foo - group: users - mode: 644 - backup: minion NOTE: Salt supports backing up managed files via the backup option. For more details on this functionality please review the backup_mode documentation. The source parameter can also specify a file in another Salt environment. In this example foo.conf in the dev environment will be used instead. /etc/foo.conf: file.managed: - source: - salt://foo.conf?saltenv=dev - user: foo - group: users - mode: '0644' WARNING: When using a mode that includes a leading zero you must wrap the value in single quotes. If the value is not wrapped in quotes it will be read by YAML as an integer and evaluated as an octal. Special files can be managed via the mknod function. This function will create and enforce the permissions on a special file. The function supports the creation of character devices, block devices, and fifo pipes. The function will create the directory structure up to the special file if it is needed on the minion. The function will not overwrite or operate on (change major/minor numbers) existing special files with the exception of user, group, and permissions. In most cases the creation of some special files require root permisisons on the minion. This would require that the minion to be run as the root user. Here is an example of a character device: /var/named/chroot/dev/random: file.mknod: - ntype: c - major: 1 - minor: 8 - user: named - group: named - mode: 660 Here is an example of a block device: /var/named/chroot/dev/loop0: file.mknod: - ntype: b - major: 7 - minor: 0 - user: named - group: named - mode: 660 Here is an example of a fifo pipe: /var/named/chroot/var/log/logfifo: file.mknod: - ntype: p - user: named - group: named - mode: 660 Directories can be managed via the directory function. This function can create and enforce the permissions on a directory. A directory statement will look like this: /srv/stuff/substuf: file.directory: - user: fred - group: users - mode: 755 - makedirs: True If you need to enforce user and/or group ownership or permissions recursively on the directory's contents, you can do so by adding a recurse directive: /srv/stuff/substuf: file.directory: - user: fred - group: users - mode: 755 - makedirs: True - recurse: - user - group - mode As a default, mode will resolve to dir_mode and file_mode, to specify both directory and file permissions, use this form: /srv/stuff/substuf: file.directory: - user: fred - group: users - file_mode: 744 - dir_mode: 755 - makedirs: True - recurse: - user - group - mode Symlinks can be easily created; the symlink function is very simple and only takes a few arguments: /etc/grub.conf: file.symlink: - target: /boot/grub/grub.conf Recursive directory management can also be set via the recurse function. Recursive directory management allows for a directory on the salt master to be recursively copied down to the minion. This is a great tool for deploying large code and configuration systems. A state using recurse would look something like this: /opt/code/flask: file.recurse: - source: salt://code/flask - include_empty: True A more complex recurse example: {% set site_user = 'testuser' %} {% set site_name = 'test_site' %} {% set project_name = 'test_proj' %} {% set sites_dir = 'test_dir' %} django-project: file.recurse: - name: {{ sites_dir }}/{{ site_name }}/{{ project_name }} - user: {{ site_user }} - dir_mode: 2775 - file_mode: '0644' - template: jinja - source: salt://project/templates_dir - include_empty: True salt.states.file.absent(name) Make sure that the named file or directory is absent. If it exists, it will be deleted. This will work to reverse any of the functions in the file state module. If a directory is supplied, it will be recursively deleted. name The path which should be deleted salt.states.file.accumulated(name, filename, text, **kwargs) Prepare accumulator which can be used in template in file.managed state. Accumulator dictionary becomes available in template. It can also be used in file.blockreplace. name Accumulator name filename Filename which would receive this accumulator (see file.managed state documentation about name) text String or list for adding in accumulator require_in / watch_in One of them required for sure we fill up accumulator before we manage the file. Probably the same as filename Example: Given the following: animals_doing_things: file.accumulated: - filename: /tmp/animal_file.txt - text: ' jumps over the lazy dog.' - require_in: - file: animal_file animal_file: file.managed: - name: /tmp/animal_file.txt - source: salt://animal_file.txt - template: jinja One might write a template for animal_file.txt like the following: The quick brown fox{% for animal in accumulator['animals_doing_things'] %}{{ animal }}{% endfor %} Collectively, the above states and template file will produce: The quick brown fox jumps over the lazy dog. Multiple accumulators can be "chained" together. NOTE: The 'accumulator' data structure is a Python dictionary. Do not expect any loop over the keys in a deterministic order! salt.states.file.append(name, text=None, makedirs=False, source=None, source_hash=None, template='jinja', sources=None, source_hashes=None, defaults=None, context=None, ignore_whitespace=True) Ensure that some text appears at the end of a file. The text will not be appended if it already exists in the file. A single string of text or a list of strings may be appended. name The location of the file to append to. text The text to be appended, which can be a single string or a list of strings. makedirs If the file is located in a path without a parent directory, then the state will fail. If makedirs is set to True, then the parent directories will be created to facilitate the creation of the named file. Defaults to False. source A single source file to append. This source file can be hosted on either the salt master server, or on an HTTP or FTP server. Both HTTPS and HTTP are supported as well as downloading directly from Amazon S3 compatible URLs with both pre-configured and automatic IAM credentials (see s3.get state documentation). File retrieval from Openstack Swift object storage is supported via swift://container/object_path URLs (see swift.get documentation). For files hosted on the salt file server, if the file is located on the master in the directory named spam, and is called eggs, the source string is salt://spam/eggs. If the file is hosted on an HTTP or FTP server, the source_hash argument is also required. source_hash This can be one of the following: 1. a source hash string 2. the URI of a file that contains source hash strings The function accepts the first encountered long unbroken alphanumeric string of correct length as a valid hash, in order from most secure to least secure: Type Length ====== ====== sha512 128 sha384 96 sha256 64 sha224 56 sha1 40 md5 32 The file can contain several checksums for several files. Each line must contain both the file name and the hash. If no file name is matched, the first hash encountered will be used, otherwise the most secure hash with the correct source file name will be used. Debian file type *.dsc is supported. Examples: /etc/rc.conf ef6e82e4006dee563d98ada2a2a80a27 sha254c8525aee419eb649f0233be91c151178b30f0dff8ebbdcc8de71b1d5c8bcc06a /etc/resolv.conf ead48423703509d37c4a90e6a0d53e143b6fc268 Known issues: If the remote server URL has the hash file as an apparent sub-directory of the source file, the module will discover that it has already cached a directory where a file should be cached. For example: tomdroid-src-0.7.3.tar.gz: file.managed: - name: /tmp/tomdroid-src-0.7.3.tar.gz - source: https://launchpad.net/tomdroid/beta/0.7.3/+download/tomdroid-src-0.7.3.tar.gz - source_hash: https://launchpad.net/tomdroid/beta/0.7.3/+download/tomdroid-src-0.7.3.tar.gz/+md5 template jinja The named templating engine will be used to render the appended-to file. Defaults to jinja. sources A list of source files to append. If the files are hosted on an HTTP or FTP server, the source_hashes argument is also required. source_hashes A list of source_hashes corresponding to the sources list specified in the sources argument. defaults Default context passed to the template. context Overrides default context variables passed to the template. ignore_whitespace New in version 2015.8.4. Spaces and Tabs in text are ignored by default, when searching for the appending content, one space or multiple tabs are the same for salt. Set this option to False if you want to change this behavior. Multi-line example: /etc/motd: file.append: - text: | Thou hadst better eat salt with the Philosophers of Greece, than sugar with the Courtiers of Italy. - Benjamin Franklin Multiple lines of text: /etc/motd: file.append: - text: - Trust no one unless you have eaten much salt with him. - "Salt is born of the purest of parents: the sun and the sea." Gather text from multiple template files: /etc/motd: file: - append - template: jinja - sources: - salt://motd/devops-messages.tmpl - salt://motd/hr-messages.tmpl - salt://motd/general-messages.tmpl New in version 0.9.5. salt.states.file.blockreplace(name, marker_start='#-- start managed zone --', marker_end='#-- end managed zone --', source=None, source_hash=None, template='jinja', sources=None, source_hashes=None, defaults=None, context=None, content='', append_if_not_found=False, prepend_if_not_found=False, backup='.bak', show_changes=True) Maintain an edit in a file in a zone delimited by two line markers New in version 2014.1.0. A block of content delimited by comments can help you manage several lines entries without worrying about old entries removal. This can help you maintaining an un-managed file containing manual edits. Note: this function will store two copies of the file in-memory (the original version and the edited version) in order to detect changes and only edit the targeted file if necessary. name Filesystem path to the file to be edited marker_start The line content identifying a line as the start of the content block. Note that the whole line containing this marker will be considered, so whitespace or extra content before or after the marker is included in final output marker_end The line content identifying a line as the end of the content block. Note that the whole line containing this marker will be considered, so whitespace or extra content before or after the marker is included in final output. Note: you can use file.accumulated and target this state. All accumulated data dictionaries content will be added as new lines in the content content The content to be used between the two lines identified by marker_start and marker_end source The source file to download to the minion, this source file can be hosted on either the salt master server, or on an HTTP or FTP server. Both HTTPS and HTTP are supported as well as downloading directly from Amazon S3 compatible URLs with both pre-configured and automatic IAM credentials. (see s3.get state documentation) File retrieval from Openstack Swift object storage is supported via swift://container/object_path URLs, see swift.get documentation. For files hosted on the salt file server, if the file is located on the master in the directory named spam, and is called eggs, the source string is salt://spam/eggs. If source is left blank or None (use ~ in YAML), the file will be created as an empty file and the content will not be managed. This is also the case when a file already exists and the source is undefined; the contents of the file will not be changed or managed. If the file is hosted on a HTTP or FTP server then the source_hash argument is also required A list of sources can also be passed in to provide a default source and a set of fallbacks. The first source in the list that is found to exist will be used and subsequent entries in the list will be ignored. file_override_example: file.managed: - source: - salt://file_that_does_not_exist - salt://file_that_exists source_hash This can be one of the following: 1. a source hash string 2. the URI of a file that contains source hash strings The function accepts the first encountered long unbroken alphanumeric string of correct length as a valid hash, in order from most secure to least secure: Type Length ====== ====== sha512 128 sha384 96 sha256 64 sha224 56 sha1 40 md5 32 Using a Source Hash File The file can contain several checksums for several files. Each line must contain both the file name and the hash. If no file name is matched, the first hash encountered will be used, otherwise the most secure hash with the correct source file name will be used. When using a source hash file the source_hash argument needs to be a url, the standard download urls are supported, ftp, http, salt etc: Example: tomdroid-src-0.7.3.tar.gz: file.managed: - name: /tmp/tomdroid-src-0.7.3.tar.gz - source: https://launchpad.net/tomdroid/beta/0.7.3/+download/tomdroid-src-0.7.3.tar.gz - source_hash: https://launchpad.net/tomdroid/beta/0.7.3/+download/tomdroid-src-0.7.3.hash The following is an example of the supported source_hash format: /etc/rc.conf ef6e82e4006dee563d98ada2a2a80a27 sha254c8525aee419eb649f0233be91c151178b30f0dff8ebbdcc8de71b1d5c8bcc06a /etc/resolv.conf ead48423703509d37c4a90e6a0d53e143b6fc268 Debian file type *.dsc files are also supported. Inserting the Source Hash in the sls Data Examples: tomdroid-src-0.7.3.tar.gz: file.managed: - name: /tmp/tomdroid-src-0.7.3.tar.gz - source: https://launchpad.net/tomdroid/beta/0.7.3/+download/tomdroid-src-0.7.3.tar.gz - source_hash: md5=79eef25f9b0b2c642c62b7f737d4f53f template If this setting is applied then the named templating engine will be used to render the downloaded file, currently jinja, mako, and wempy are supported context Overrides default context variables passed to the template. defaults Default context passed to the template. append_if_not_found If markers are not found and set to True then the markers and content will be appended to the file. Default is False prepend_if_not_found If markers are not found and set to True then the markers and content will be prepended to the file. Default is False backup The file extension to use for a backup of the file if any edit is made. Set this to False to skip making a backup. dry_run Don't make any edits to the file show_changes Output a unified diff of the old file and the new file. If False return a boolean if any changes were made Example of usage with an accumulator and with a variable: {% set myvar = 42 %} hosts-config-block-{{ myvar }}: file.blockreplace: - name: /etc/hosts - marker_start: "# START managed zone {{ myvar }} -DO-NOT-EDIT-" - marker_end: "# END managed zone {{ myvar }} --" - content: 'First line of content' - append_if_not_found: True - backup: '.bak' - show_changes: True hosts-config-block-{{ myvar }}-accumulated1: file.accumulated: - filename: /etc/hosts - name: my-accumulator-{{ myvar }} - text: "text 2" - require_in: - file: hosts-config-block-{{ myvar }} hosts-config-block-{{ myvar }}-accumulated2: file.accumulated: - filename: /etc/hosts - name: my-accumulator-{{ myvar }} - text: | text 3 text 4 - require_in: - file: hosts-config-block-{{ myvar }} will generate and maintain a block of content in /etc/hosts: # START managed zone 42 -DO-NOT-EDIT- First line of content text 2 text 3 text 4 # END managed zone 42 -- salt.states.file.comment(name, regex, char='#', backup='.bak') Comment out specified lines in a file. name The full path to the file to be edited regex A regular expression used to find the lines that are to be commented; this pattern will be wrapped in parenthesis and will move any preceding/trailing ^ or $ characters outside the parenthesis (e.g., the pattern ^foo$ will be rewritten as ^(foo)$) Note that you _need_ the leading ^, otherwise each time you run highstate, another comment char will be inserted. char # The character to be inserted at the beginning of a line in order to comment it out backup .bak The file will be backed up before edit with this file extension WARNING: This backup will be overwritten each time sed / comment / uncomment is called. Meaning the backup will only be useful after the first invocation. Usage: /etc/fstab: file.comment: - regex: ^bind 127.0.0.1 New in version 0.9.5. salt.states.file.copy(name, source, force=False, makedirs=False, preserve=False, user=None, group=None, mode=None, subdir=False, **kwargs) If the source file exists on the system, copy it to the named file. The named file will not be overwritten if it already exists unless the force option is set to True. name The location of the file to copy to source The location of the file to copy to the location specified with name force If the target location is present then the file will not be moved, specify "force: True" to overwrite the target file makedirs If the target subdirectories don't exist create them preserve New in version 2015.5.0. Set preserve: True to preserve user/group ownership and mode after copying. Default is False. If preserve is set to True, then user/group/mode attributes will be ignored. user New in version 2015.5.0. The user to own the copied file, this defaults to the user salt is running as on the minion. If preserve is set to True, then this will be ignored group New in version 2015.5.0. The group to own the copied file, this defaults to the group salt is running as on the minion. If preserve is set to True or on Windows this will be ignored mode New in version 2015.5.0. The permissions to set on the copied file, aka 644, '0775', '4664'. If preserve is set to True, then this will be ignored. Not supported on Windows subdir New in version 2015.5.0. If the name is a directory then place the file inside the named directory salt.states.file.directory(name, user=None, group=None, recurse=None, dir_mode=None, file_mode=None, makedirs=False, clean=False, require=None, exclude_pat=None, follow_symlinks=False, force=False, backupname=None, allow_symlink=True, **kwargs) Ensure that a named directory is present and has the right perms name The location to create or manage a directory user The user to own the directory; this defaults to the user salt is running as on the minion group The group ownership set for the directory; this defaults to the group salt is running as on the minion. On Windows, this is ignored recurse Enforce user/group ownership and mode of directory recursively. Accepts a list of strings representing what you would like to recurse. If mode is defined, will recurse on both file_mode and dir_mode if they are defined. If ignore_files or ignore_dirs is included, files or directories will be left unchanged respectively. Example: /var/log/httpd: file.directory: - user: root - group: root - dir_mode: 755 - file_mode: 644 - recurse: - user - group - mode Leave files or directories unchanged: /var/log/httpd: file.directory: - user: root - group: root - dir_mode: 755 - file_mode: 644 - recurse: - user - group - mode - ignore_dirs New in version 2015.5.0. dir_mode / mode The permissions mode to set any directories created. Not supported on Windows file_mode The permissions mode to set any files created if 'mode' is run in 'recurse'. This defaults to dir_mode. Not supported on Windows makedirs If the directory is located in a path without a parent directory, then the state will fail. If makedirs is set to True, then the parent directories will be created to facilitate the creation of the named file. clean Make sure that only files that are set up by salt and required by this function are kept. If this option is set then everything in this directory will be deleted unless it is required. require Require other resources such as packages or files exclude_pat When 'clean' is set to True, exclude this pattern from removal list and preserve in the destination. follow_symlinks False If the desired path is a symlink (or recurse is defined and a symlink is encountered while recursing), follow it and check the permissions of the directory/file to which the symlink points. New in version 2014.1.4. force If the name of the directory exists and is not a directory and force is set to False, the state will fail. If force is set to True, the file in the way of the directory will be deleted to make room for the directory, unless backupname is set, then it will be renamed. New in version 2014.7.0. backupname If the name of the directory exists and is not a directory, it will be renamed to the backupname. If the backupname already exists and force is False, the state will fail. Otherwise, the backupname will be removed first. New in version 2014.7.0. allow_symlink True If allow_symlink is True and the specified path is a symlink, it will be allowed to remain if it points to a directory. If allow_symlink is False then the state will fail, unless force is also set to True, in which case it will be removed or renamed, depending on the value of the backupname argument. New in version 2014.7.0. salt.states.file.exists(name) Verify that the named file or directory is present or exists. Ensures pre-requisites outside of Salt's purview (e.g., keytabs, private keys, etc.) have been previously satisfied before deployment. name Absolute path which must exist salt.states.file.line(name, content, match=None, mode=None, location=None, before=None, after=None, show_changes=True, backup=False, quiet=False, indent=True) Line-based editing of a file. New in version 2015.8.0. Parameters • name -- Filesystem path to the file to be edited. • content -- Content of the line. • match -- Match the target line for an action by a fragment of a string or regular expression. • mode -- .INDENT 2.0 Ensure If line does not exist, it will be added. Replace If line already exist, it will be replaced. Delete Delete the line, once found. Insert Insert a line. • location -- .INDENT 2.0 start Place the content at the beginning of the file. end Place the content at the end of the file. • before -- Regular expression or an exact case-sensitive fragment of the string. • after -- Regular expression or an exact case-sensitive fragment of the string. • show_changes -- Output a unified diff of the old file and the new file. If False return a boolean if any changes were made. Default is True NOTE: Using this option will store two copies of the file in-memory (the original version and the edited version) in order to generate the diff. • backup -- Create a backup of the original file with the extension: "Year-Month-Day-Hour-Minutes-Seconds". • quiet -- Do not raise any exceptions. E.g. ignore the fact that the file that is tried to be edited does not exist and nothing really happened. • indent -- Keep indentation with the previous line. salt.states.file.managed(name, source=None, source_hash='', user=None, group=None, mode=None, template=None, makedirs=False, dir_mode=None, context=None, replace=True, defaults=None, env=None, backup='', show_diff=True, create=True, contents=None, contents_pillar=None, contents_grains=None, contents_newline=True, contents_delimiter=':', allow_empty=True, follow_symlinks=True, check_cmd=None, **kwargs) Manage a given file, this function allows for a file to be downloaded from the salt master and potentially run through a templating system. name The location of the file to manage source The source file to download to the minion, this source file can be hosted on either the salt master server, or on an HTTP or FTP server. Both HTTPS and HTTP are supported as well as downloading directly from Amazon S3 compatible URLs with both pre-configured and automatic IAM credentials. (see s3.get state documentation) File retrieval from Openstack Swift object storage is supported via swift://container/object_path URLs, see swift.get documentation. For files hosted on the salt file server, if the file is located on the master in the directory named spam, and is called eggs, the source string is salt://spam/eggs. If source is left blank or None (use ~ in YAML), the file will be created as an empty file and the content will not be managed. This is also the case when a file already exists and the source is undefined; the contents of the file will not be changed or managed. If the file is hosted on a HTTP or FTP server then the source_hash argument is also required A list of sources can also be passed in to provide a default source and a set of fallbacks. The first source in the list that is found to exist will be used and subsequent entries in the list will be ignored. Source list functionality only supports local files and remote files hosted on the salt master server or retrievable via HTTP, HTTPS, or FTP. file_override_example: file.managed: - source: - salt://file_that_does_not_exist - salt://file_that_exists source_hash This can be one of the following: 1. a source hash string 2. the URI of a file that contains source hash strings The function accepts the first encountered long unbroken alphanumeric string of correct length as a valid hash, in order from most secure to least secure: Type Length ====== ====== sha512 128 sha384 96 sha256 64 sha224 56 sha1 40 md5 32 Using a Source Hash File The file can contain several checksums for several files. Each line must contain both the file name and the hash. If no file name is matched, the first hash encountered will be used, otherwise the most secure hash with the correct source file name will be used. When using a source hash file the source_hash argument needs to be a url, the standard download urls are supported, ftp, http, salt etc: Example: tomdroid-src-0.7.3.tar.gz: file.managed: - name: /tmp/tomdroid-src-0.7.3.tar.gz - source: https://launchpad.net/tomdroid/beta/0.7.3/+download/tomdroid-src-0.7.3.tar.gz - source_hash: https://launchpad.net/tomdroid/beta/0.7.3/+download/tomdroid-src-0.7.3.hash The following is an example of the supported source_hash format: /etc/rc.conf ef6e82e4006dee563d98ada2a2a80a27 sha254c8525aee419eb649f0233be91c151178b30f0dff8ebbdcc8de71b1d5c8bcc06a /etc/resolv.conf ead48423703509d37c4a90e6a0d53e143b6fc268 Debian file type *.dsc files are also supported. Inserting the Source Hash in the sls Data Examples: tomdroid-src-0.7.3.tar.gz: file.managed: - name: /tmp/tomdroid-src-0.7.3.tar.gz - source: https://launchpad.net/tomdroid/beta/0.7.3/+download/tomdroid-src-0.7.3.tar.gz - source_hash: md5=79eef25f9b0b2c642c62b7f737d4f53f Known issues: If the remote server URL has the hash file as an apparent sub-directory of the source file, the module will discover that it has already cached a directory where a file should be cached. For example: tomdroid-src-0.7.3.tar.gz: file.managed: - name: /tmp/tomdroid-src-0.7.3.tar.gz - source: https://launchpad.net/tomdroid/beta/0.7.3/+download/tomdroid-src-0.7.3.tar.gz - source_hash: https://launchpad.net/tomdroid/beta/0.7.3/+download/tomdroid-src-0.7.3.tar.gz/+md5 user The user to own the file, this defaults to the user salt is running as on the minion group The group ownership set for the file, this defaults to the group salt is running as on the minion On Windows, this is ignored mode The permissions to set on this file, aka 644, 0775, 4664. Not supported on Windows template If this setting is applied then the named templating engine will be used to render the downloaded file, currently jinja, mako, and wempy are supported makedirs False If set to True, then the parent directories will be created to facilitate the creation of the named file. If False, and the parent directory of the destination file doesn't exist, the state will fail. dir_mode If directories are to be created, passing this option specifies the permissions for those directories. If this is not set, directories will be assigned permissions from the 'mode' argument. replace True If set to False and the file already exists, the file will not be modified even if changes would otherwise be made. Permissions and ownership will still be enforced, however. context Overrides default context variables passed to the template. defaults Default context passed to the template. backup Overrides the default backup mode for this specific file. show_diff True If set to False, the diff will not be shown in the return data if changes are made. create True If set to False, then the file will only be managed if the file already exists on the system. contents Specify the contents of the file. Cannot be used in combination with source. Ignores hashes and does not use a templating engine. This value can be either a single string, a multiline YAML string or a list of strings. If a list of strings, then the strings will be joined together with newlines in the resulting file. For example, the below two example states would result in identical file contents: /path/to/file1: file.managed: - contents: - This is line 1 - This is line 2 /path/to/file2: file.managed: - contents: | This is line 1 This is line 2 contents_pillar New in version 0.17.0. Operates like contents, but draws from a value stored in pillar, using the pillar path syntax used in pillar.get. This is useful when the pillar value contains newlines, as referencing a pillar variable using a jinja/mako template can result in YAML formatting issues due to the newlines causing indentation mismatches. For example, the following could be used to deploy an SSH private key: /home/deployer/.ssh/id_rsa: file.managed: - user: deployer - group: deployer - mode: 600 - contents_pillar: userdata:deployer:id_rsa This would populate /home/deployer/.ssh/id_rsa with the contents of pillar['userdata']['deployer']['id_rsa']. An example of this pillar setup would be like so: userdata: deployer: id_rsa: | -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2HcWUVBgh+vY U7sCwx/dH6+VvNwmCoqmNnP+8gTPKGl1vgAObJAnMT623dMXjVKwnEagZPRJIxDy B/HaAre9euNiY3LvIzBTWRSeMfT+rWvIKVBpvwlgGrfgz70m0pqxu+UyFbAGLin+ GpxzZAMaFpZw4sSbIlRuissXZj/sHpQb8p9M5IeO4Z3rjkCP1cxI -----END RSA PRIVATE KEY----- NOTE: The private key above is shortened to keep the example brief, but shows how to do multiline string in YAML. The key is followed by a pipe character, and the mutliline string is indented two more spaces. To avoid the hassle of creating an indented multiline YAML string, the file_tree external pillar can be used instead. However, this will not work for binary files in Salt releases before 2015.8.4. contents_grains New in version 2014.7.0. Same as contents_pillar, but with grains contents_newline True New in version 2014.7.0. Changed in version 2015.8.4: This option is now ignored if the contents being deployed contain binary data. If True, files managed using contents, contents_pillar, or contents_grains will have a newline added to the end of the file if one is not present. Setting this option to False will omit this final newline. contents_delimiter New in version 2015.8.4. Can be used to specify an alternate delimiter for contents_pillar or contents_grains. This delimiter will be passed through to pillar.get or grains.get when retrieving the contents. allow_empty True New in version 2015.8.4. If set to False, then the state will fail if the contents specified by contents_pillar or contents_grains are empty. follow_symlinks True New in version 2014.7.0. If the desired path is a symlink follow it and make changes to the file to which the symlink points. check_cmd New in version 2014.7.0. The specified command will be run with the managed file as an argument. If the command exits with a nonzero exit code, the state will fail and no changes will be made to the file. For example, the following could be used to verify sudoers before making changes: /etc/sudoers: file.managed: - user: root - group: root - mode: 0440 - source: salt://sudoers/files/sudoers.jinja - template: jinja - check_cmd: /usr/sbin/visudo -c -f salt.states.file.missing(name) Verify that the named file or directory is missing, this returns True only if the named file is missing but does not remove the file if it is present. name Absolute path which must NOT exist salt.states.file.mknod(name, ntype, major=0, minor=0, user=None, group=None, mode='0600') Create a special file similar to the 'nix mknod command. The supported device types are p (fifo pipe), c (character device), and b (block device). Provide the major and minor numbers when specifying a character device or block device. A fifo pipe does not require this information. The command will create the necessary dirs if needed. If a file of the same name not of the same type/major/minor exists, it will not be overwritten or unlinked (deleted). This is logically in place as a safety measure because you can really shoot yourself in the foot here and it is the behavior of 'nix mknod. It is also important to note that not just anyone can create special devices. Usually this is only done as root. If the state is executed as none other than root on a minion, you may receive a permission error. name name of the file ntype node type 'p' (fifo pipe), 'c' (character device), or 'b' (block device) major major number of the device does not apply to a fifo pipe minor minor number of the device does not apply to a fifo pipe user owning user of the device/pipe group owning group of the device/pipe mode permissions on the device/pipe Usage: /dev/chr: file.mknod: - ntype: c - major: 180 - minor: 31 - user: root - group: root - mode: 660 /dev/blk: file.mknod: - ntype: b - major: 8 - minor: 999 - user: root - group: root - mode: 660 /dev/fifo: file.mknod: - ntype: p - user: root - group: root - mode: 660 New in version 0.17.0. salt.states.file.mod_run_check_cmd(cmd, filename, **check_cmd_opts) Execute the check_cmd logic. Return a result dict if check_cmd succeeds (check_cmd == 0) otherwise return True salt.states.file.patch(name, source=None, hash=None, options='', dry_run_first=True, env=None, **kwargs) Apply a patch to a file. NOTE: A suitable patch executable must be available on the minion when using this state function. name The file to which the patch will be applied. source The source patch to download to the minion, this source file must be hosted on the salt master server. If the file is located in the directory named spam, and is called eggs, the source string is salt://spam/eggs. A source is required. hash Hash of the patched file. If the hash of the target file matches this value then the patch is assumed to have been applied. The hash string is the hash algorithm followed by the hash of the file: md5=e138491e9d5b97023cea823fe17bac22 options Extra options to pass to patch. dry_run_first True Run patch with --dry-run first to check if it will apply cleanly. env Specify the environment from which to retrieve the patch file indicated by the source parameter. If not provided, this defaults to the environment from which the state is being executed. Usage: # Equivalent to ``patch --forward /opt/file.txt file.patch`` /opt/file.txt: file.patch: - source: salt://file.patch - hash: md5=e138491e9d5b97023cea823fe17bac22 salt.states.file.prepend(name, text=None, makedirs=False, source=None, source_hash=None, template='jinja', sources=None, source_hashes=None, defaults=None, context=None) Ensure that some text appears at the beginning of a file The text will not be prepended again if it already exists in the file. You may specify a single line of text or a list of lines to append. Multi-line example: /etc/motd: file.prepend: - text: | Thou hadst better eat salt with the Philosophers of Greece, than sugar with the Courtiers of Italy. - Benjamin Franklin Multiple lines of text: /etc/motd: file.prepend: - text: - Trust no one unless you have eaten much salt with him. - "Salt is born of the purest of parents: the sun and the sea." Gather text from multiple template files: /etc/motd: file: - prepend - template: jinja - sources: - salt://motd/devops-messages.tmpl - salt://motd/hr-messages.tmpl - salt://motd/general-messages.tmpl New in version 2014.7.0. salt.states.file.recurse(name, source, clean=False, require=None, user=None, group=None, dir_mode=None, file_mode=None, sym_mode=None, template=None, context=None, defaults=None, env=None, include_empty=False, backup='', include_pat=None, exclude_pat=None, maxdepth=None, keep_symlinks=False, force_symlinks=False, **kwargs) Recurse through a subdirectory on the master and copy said subdirectory over to the specified path. name The directory to set the recursion in source The source directory, this directory is located on the salt master file server and is specified with the salt:// protocol. If the directory is located on the master in the directory named spam, and is called eggs, the source string is salt://spam/eggs clean Make sure that only files that are set up by salt and required by this function are kept. If this option is set then everything in this directory will be deleted unless it is required. require Require other resources such as packages or files user The user to own the directory. This defaults to the user salt is running as on the minion group The group ownership set for the directory. This defaults to the group salt is running as on the minion. On Windows, this is ignored dir_mode The permissions mode to set on any directories created. Not supported on Windows file_mode The permissions mode to set on any files created. Not supported on Windows sym_mode The permissions mode to set on any symlink created. Not supported on Windows template If this setting is applied then the named templating engine will be used to render the downloaded file. Supported templates are: jinja, mako and wempy. NOTE: The template option is required when recursively applying templates. context Overrides default context variables passed to the template. defaults Default context passed to the template. include_empty Set this to True if empty directories should also be created (default is False) include_pat When copying, include only this pattern from the source. Default is glob match; if prefixed with 'E@', then regexp match. Example: - include_pat: hello* :: glob matches 'hello01', 'hello02' ... but not 'otherhello' - include_pat: E@hello :: regexp matches 'otherhello', 'hello01' ... exclude_pat Exclude this pattern from the source when copying. If both include_pat and exclude_pat are supplied, then it will apply conditions cumulatively. i.e. first select based on include_pat, and then within that result apply exclude_pat. Also, when 'clean=True', exclude this pattern from the removal list and preserve in the destination. Example: - exclude_pat: APPDATA* :: glob matches APPDATA.01, APPDATA.02,.. for exclusion - exclude_pat: E@(APPDATA)|(TEMPDATA) :: regexp matches APPDATA or TEMPDATA for exclusion maxdepth When copying, only copy paths which are of depth maxdepth from the source path. Example: - maxdepth: 0 :: Only include files located in the source directory - maxdepth: 1 :: Only include files located in the source or immediate subdirectories keep_symlinks Keep symlinks when copying from the source. This option will cause the copy operation to terminate at the symlink. If desire behavior similar to rsync, then set this to True. force_symlinks Force symlink creation. This option will force the symlink creation. If a file or directory is obstructing symlink creation it will be recursively removed so that symlink creation can proceed. This option is usually not needed except in special circumstances. salt.states.file.rename(name, source, force=False, makedirs=False) If the source file exists on the system, rename it to the named file. The named file will not be overwritten if it already exists unless the force option is set to True. name The location of the file to rename to source The location of the file to move to the location specified with name force If the target location is present then the file will not be moved, specify "force: True" to overwrite the target file makedirs If the target subdirectories don't exist create them salt.states.file.replace(name, pattern, repl, count=0, flags=8, bufsize=1, append_if_not_found=False, prepend_if_not_found=False, not_found_content=None, backup='.bak', show_changes=True) Maintain an edit in a file. New in version 0.17.0. name Filesystem path to the file to be edited. pattern A regular expression, to be matched using Python's search(). repl The replacement text count Maximum number of pattern occurrences to be replaced. Defaults to 0. If count is a positive integer n, no more than n occurrences will be replaced, otherwise all occurrences will be replaced. flags A list of flags defined in the re module documentation. Each list item should be a string that will correlate to the human-friendly flag name. E.g., ['IGNORECASE', 'MULTILINE']. Optionally, flags may be an int, with a value corresponding to the XOR (|) of all the desired flags. Defaults to 8 (which supports 'MULTILINE'). bufsize How much of the file to buffer into memory at once. The default value 1 processes one line at a time. The special value file may be specified which will read the entire file into memory before processing. append_if_not_found False If set to True, and pattern is not found, then the content will be appended to the file. New in version 2014.7.0. prepend_if_not_found False If set to True and pattern is not found, then the content will be prepended to the file. New in version 2014.7.0. not_found_content Content to use for append/prepend if not found. If None (default), uses repl. Useful when repl uses references to group in pattern. New in version 2014.7.0. backup The file extension to use for a backup of the file before editing. Set to False to skip making a backup. show_changes True Output a unified diff of the old file and the new file. If False return a boolean if any changes were made. Returns a boolean or a string. For complex regex patterns, it can be useful to avoid the need for complex quoting and escape sequences by making use of YAML's multiline string syntax. complex_search_and_replace: file.replace: # <...snip...> - pattern: | CentOS \(2.6.32[^\n]+\n\s+root[^\n]+\n\)+ NOTE: When using YAML multiline string syntax in pattern:, make sure to also use that syntax in the repl: part, or you might loose line feeds. salt.states.file.serialize(name, dataset=None, dataset_pillar=None, user=None, group=None, mode=None, env=None, backup='', makedirs=False, show_diff=True, create=True, merge_if_exists=False, **kwargs) Serializes dataset and store it into managed file. Useful for sharing simple configuration files. name The location of the file to create dataset The dataset that will be serialized dataset_pillar Operates like dataset, but draws from a value stored in pillar, using the pillar path syntax used in pillar.get. This is useful when the pillar value contains newlines, as referencing a pillar variable using a jinja/mako template can result in YAML formatting issues due to the newlines causing indentation mismatches. New in version FIXME. formatter Write the data as this format. Supported output formats: • JSON • YAML • Python (via pprint.pformat) user The user to own the directory, this defaults to the user salt is running as on the minion group The group ownership set for the directory, this defaults to the group salt is running as on the minion mode The permissions to set on this file, aka 644, 0775, 4664 backup Overrides the default backup mode for this specific file. makedirs Create parent directories for destination file. New in version 2014.1.3. show_diff If set to False, the diff will not be shown. create Default is True, if create is set to False then the file will only be managed if the file already exists on the system. merge_if_exists Default is False, if merge_if_exists is True then the existing file will be parsed and the dataset passed in will be merged with the existing content New in version 2014.7.0. For example, this state: /etc/dummy/package.json: file.serialize: - dataset: name: naive description: A package using naive versioning author: A confused individual <iam@confused.com> dependencies: express: >= 1.2.0 optimist: >= 0.1.0 engine: node 0.4.1 - formatter: json will manage the file /etc/dummy/package.json: { "author": "A confused individual <iam@confused.com>", "dependencies": { "express": ">= 1.2.0", "optimist": ">= 0.1.0" }, "description": "A package using naive versioning", "engine": "node 0.4.1", "name": "naive" } salt.states.file.symlink(name, target, force=False, backupname=None, makedirs=False, user=None, group=None, mode=None, **kwargs) Create a symbolic link (symlink, soft link) If the file already exists and is a symlink pointing to any location other than the specified target, the symlink will be replaced. If the symlink is a regular file or directory then the state will return False. If the regular file or directory is desired to be replaced with a symlink pass force: True, if it is to be renamed, pass a backupname. name The location of the symlink to create target The location that the symlink points to force If the name of the symlink exists and is not a symlink and force is set to False, the state will fail. If force is set to True, the file or directory in the way of the symlink file will be deleted to make room for the symlink, unless backupname is set, when it will be renamed backupname If the name of the symlink exists and is not a symlink, it will be renamed to the backupname. If the backupname already exists and force is False, the state will fail. Otherwise, the backupname will be removed first. makedirs If the location of the symlink does not already have a parent directory then the state will fail, setting makedirs to True will allow Salt to create the parent directory user The user to own the file, this defaults to the user salt is running as on the minion group The group ownership set for the file, this defaults to the group salt is running as on the minion. On Windows, this is ignored mode The permissions to set on this file, aka 644, 0775, 4664. Not supported on Windows salt.states.file.touch(name, atime=None, mtime=None, makedirs=False) Replicate the 'nix "touch" command to create a new empty file or update the atime and mtime of an existing file. Note that if you just want to create a file and don't care about atime or mtime, you should use file.managed instead, as it is more feature-complete. (Just leave out the source/template/contents arguments, and it will just create the file and/or check its permissions, without messing with contents) name name of the file atime atime of the file mtime mtime of the file makedirs whether we should create the parent directory/directories in order to touch the file Usage: /var/log/httpd/logrotate.empty: file.touch New in version 0.9.5. salt.states.file.uncomment(name, regex, char='#', backup='.bak') Uncomment specified commented lines in a file name The full path to the file to be edited regex A regular expression used to find the lines that are to be uncommented. This regex should not include the comment character. A leading ^ character will be stripped for convenience (for easily switching between comment() and uncomment()). The regex will be searched for from the beginning of the line, ignoring leading spaces (we prepend '^[ t]*') char # The character to remove in order to uncomment a line backup .bak The file will be backed up before edit with this file extension; WARNING: This backup will be overwritten each time sed / comment / uncomment is called. Meaning the backup will only be useful after the first invocation. Usage: /etc/adduser.conf: file.uncomment: - regex: EXTRA_GROUPS New in version 0.9.5. salt.states.firewalld Management of firewalld New in version 2015.8.0. The following example applies changes to the public zone, blocks echo-reply and echo-request packets, does not set the zone to be the default, enables masquerading, and allows ports 22/tcp and 25/tcp. public: firewalld.present: - name: public - block_icmp: - echo-reply - echo-request - default: False - masquerade: True - ports: - 22/tcp - 25/tcp The following example applies changes to the public zone, enables masquerading and configures port forwarding TCP traffic from port 22 to 2222, and forwards TCP traffic from port 80 to 443 at 192.168.0.1. my_zone: firewalld.present: - name: public - masquerade: True - port_fwd: - 22:2222:tcp - 80:443:tcp:192.168.0.1 salt.states.firewalld.present(name, block_icmp=None, default=None, masquerade=False, ports=None, port_fwd=None, services=None) Ensure a zone has specific attributes. salt.states.gem Installation of Ruby modules packaged as gems A state module to manage rubygems. Gems can be set up to be installed or removed. This module will use RVM or rbenv if they are installed. In that case, you can specify what ruby version and gemset to target. addressable: gem.installed: - user: rvm - ruby: jruby@jgemset salt.states.gem.installed(name, ruby=None, gem_bin=None, user=None, version=None, rdoc=False, ri=False, pre_releases=False, proxy=None) Make sure that a gem is installed. name The name of the gem to install ruby: None Only for RVM or rbenv installations: the ruby version and gemset to target. gem_bin: None Custom gem command to run instead of the default. Use this to install gems to a non-default ruby install. If you are using rvm or rbenv use the ruby argument instead. user: None The user under which to run the gem command New in version 0.17.0. version None Specify the version to install for the gem. Doesn't play nice with multiple gems at once rdoc False Generate RDoc documentation for the gem(s). ri False Generate RI documentation for the gem(s). pre_releases False Install pre-release version of gem(s) if available. proxy None Use the specified HTTP proxy server for all outgoing traffic. Format: http://hostname[:port] salt.states.gem.removed(name, ruby=None, user=None, gem_bin=None) Make sure that a gem is not installed. name The name of the gem to uninstall gem_bin None Full path to gem binary to use. ruby None If RVM or rbenv are installed, the ruby version and gemset to use. Ignored if gem_bin is specified. user: None The user under which to run the gem command New in version 0.17.0. salt.states.gem.sources_add(name, ruby=None, user=None) Make sure that a gem source is added. name The URL of the gem source to be added ruby: None For RVM or rbenv installations: the ruby version and gemset to target. user: None The user under which to run the gem command New in version 0.17.0. salt.states.gem.sources_remove(name, ruby=None, user=None) Make sure that a gem source is removed. name The URL of the gem source to be removed ruby: None For RVM or rbenv installations: the ruby version and gemset to target. user: None The user under which to run the gem command New in version 0.17.0. salt.states.git States to manage git repositories and git configuration IMPORTANT: Before using git over ssh, make sure your remote host fingerprint exists in your ~/.ssh/known_hosts file. Changed in version 2015.8.8: This state module now requires git 1.6.5 (released 10 October 2009) or newer. salt.states.git.config_set(name, value=None, multivar=None, repo=None, user=None, **kwargs) New in version 2014.7.0. Changed in version 2015.8.0: Renamed from git.config to git.config_set. For earlier versions, use git.config. Ensure that a config value is set to the desired value(s) name Name of the git config value to set value Set a single value for the config item multivar Set multiple values for the config item NOTE: The order matters here, if the same parameters are set but in a different order, they will be removed and replaced in the order specified. New in version 2015.8.0. repo Location of the git repository for which the config value should be set. Required unless global is set to True. user Optional name of a user as whom git config will be run global False If True, this will set a global git config option Changed in version 2015.8.0: Option renamed from is_global to global. For earlier versions, use is_global. Local Config Example: # Single value mylocalrepo: git.config_set: - name: user.email - value: foo@bar.net - repo: /path/to/repo # Multiple values mylocalrepo: git.config_set: - name: mysection.myattribute - multivar: - foo - bar - baz - repo: /path/to/repo Global Config Example (User ``foo``): mylocalrepo: git.config_set: - name: user.name - value: Foo Bar - user: foo - global: True salt.states.git.config_unset(name, value_regex=None, repo=None, user=None, **kwargs) New in version 2015.8.0. Ensure that the named config key is not present name The name of the configuration key to unset. This value can be a regex, but the regex must match the entire key name. For example, foo\. would not match all keys in the foo section, it would be necessary to use foo\..+ to do so. value_regex Regex indicating the values to unset for the matching key(s) NOTE: This option behaves differently depending on whether or not all is set to True. If it is, then all values matching the regex will be deleted (this is the only way to delete mutliple values from a multivar). If all is set to False, then this state will fail if the regex matches more than one value in a multivar. all False If True, unset all matches repo Location of the git repository for which the config value should be set. Required unless global is set to True. user Optional name of a user as whom git config will be run global False If True, this will set a global git config option Examples: # Value matching 'baz' mylocalrepo: git.config_unset: - name: foo.bar - value_regex: 'baz' - repo: /path/to/repo # Ensure entire multivar is unset mylocalrepo: git.config_unset: - name: foo.bar - all: True # Ensure all variables in 'foo' section are unset, including multivars mylocalrepo: git.config_unset: - name: 'foo\..+' - all: True # Ensure that global config value is unset mylocalrepo: git.config_unset: - name: foo.bar - global: True salt.states.git.latest(name, rev='HEAD', target=None, branch=None, user=None, update_head=True, force_checkout=False, force_clone=False, force_fetch=False, force_reset=False, submodules=False, bare=False, mirror=False, remote='origin', fetch_tags=True, depth=None, identity=None, https_user=None, https_pass=None, onlyif=False, unless=False, **kwargs) Make sure the repository is cloned to the given directory and is up-to-date. name Address of the remote repository as passed to "git clone" rev HEAD The remote branch, tag, or revision ID to checkout after clone / before update. If specified, then Salt will also ensure that the tracking branch is set to <remote>/<rev>, unless rev refers to a tag or SHA1, in which case Salt will ensure that the tracking branch is unset. If rev is not specified, it will be assumed to be HEAD, and Salt will not manage the tracking branch at all. Changed in version 2015.8.0: If not specified, rev now defaults to the remote repository's HEAD. target Name of the target directory where repository is about to be cloned branch Name of the branch into which to checkout the specified rev. If not specified, then Salt will not care what branch is being used locally and will just use whatever branch is currently there. NOTE: If not specified, this means that the local branch name will not be changed if the repository is reset to another branch/tag/SHA1. New in version 2015.8.0. user User under which to run git commands. By default, commands are run by the user under which the minion is running. New in version 0.17.0. update_head True If set to False, then the remote repository will be fetched (if necessary) to ensure that the commit to which rev points exists in the local checkout, but no changes will be made to the local HEAD. New in version 2015.8.3. force False Deprecated since version 2015.8.0: Use force_clone instead. For earlier Salt versions, force must be used. force_checkout False When checking out the local branch, the state will fail if there are unwritten changes. Set this argument to True to discard unwritten changes when checking out. force_clone False If the target directory exists and is not a git repository, then this state will fail. Set this argument to True to remove the contents of the target directory and clone the repo into it. force_fetch False If a fetch needs to be performed, non-fast-forward fetches will cause this state to fail. Set this argument to True to force the fetch even if it is a non-fast-forward update. New in version 2015.8.0. force_reset False If the update is not a fast-forward, this state will fail. Set this argument to True to force a hard-reset to the remote revision in these cases. submodules False Update submodules on clone or branch change bare False Set to True if the repository is to be a bare clone of the remote repository. mirror Set to True if the repository is to be a mirror of the remote repository. This implies that bare set to True, and thus is incompatible with rev. remote origin Git remote to use. If this state needs to clone the repo, it will clone it using this value as the initial remote name. If the repository already exists, and a remote by this name is not present, one will be added. remote_name Deprecated since version 2015.8.0: Use remote instead. For earlier Salt versions, remote_name must be used. fetch_tags True If True, then when a fetch is performed all tags will be fetched, even those which are not reachable by any branch on the remote. depth Defines depth in history when git a clone is needed in order to ensure latest. E.g. depth: 1 is useful when deploying from a repository with a long history. Use rev to specify branch. This is not compatible with tags or revision IDs. identity Path to a private key to use for ssh URLs. This can be either a single string, or a list of strings. For example: # Single key git@github.com:user/repo.git: git.latest: - user: deployer - identity: /home/deployer/.ssh/id_rsa # Two keys git@github.com:user/repo.git: git.latest: - user: deployer - identity: - /home/deployer/.ssh/id_rsa - /home/deployer/.ssh/id_rsa_alternate If multiple keys are specified, they will be tried one-by-one in order for each git command which needs to authenticate. WARNING: Unless Salt is invoked from the minion using salt-call, the key(s) must be passphraseless. For greater security with passphraseless private keys, see the sshd(8) manpage for information on securing the keypair from the remote side in the authorized_keys file. Changed in version 2015.8.7: Salt will no longer attempt to use passphrase-protected keys unless invoked from the minion using salt-call, to prevent blocking waiting for user input. https_user HTTP Basic Auth username for HTTPS (only) clones New in version 2015.5.0. https_pass HTTP Basic Auth password for HTTPS (only) clones New in version 2015.5.0. onlyif A command to run as a check, run the named command only if the command passed to the onlyif option returns true unless A command to run as a check, only run the named command if the command passed to the unless option returns false NOTE: Clashing ID declarations can be avoided when including different branches from the same git repository in the same sls file by using the name declaration. The example below checks out the gh-pages and gh-pages-prod branches from the same repository into separate directories. The example also sets up the ssh_known_hosts ssh key required to perform the git checkout. gitlab.example.com: ssh_known_hosts: - present - user: root - enc: ecdsa - fingerprint: 4e:94:b0:54:c1:5b:29:a2:70:0e:e1:a3:51:ee:ee:e3 git-website-staging: git.latest: - name: git@gitlab.example.com:user/website.git - rev: gh-pages - target: /usr/share/nginx/staging - identity: /root/.ssh/website_id_rsa - require: - pkg: git - ssh_known_hosts: gitlab.example.com git-website-prod: git.latest: - name: git@gitlab.example.com:user/website.git - rev: gh-pages-prod - target: /usr/share/nginx/prod - identity: /root/.ssh/website_id_rsa - require: - pkg: git - ssh_known_hosts: gitlab.example.com salt.states.git.mod_run_check(cmd_kwargs, onlyif, unless) Execute the onlyif and unless logic. Return a result dict if: • onlyif failed (onlyif != 0) • unless succeeded (unless == 0) Otherwise, returns True salt.states.git.present(name, force=False, bare=True, template=None, separate_git_dir=None, shared=None, user=None) Ensure that a repository exists in the given directory WARNING: If the minion has Git 2.5 or later installed, name points to a worktree, and force is set to True, then the worktree will be deleted. This has been corrected in Salt 2015.8.0. name Path to the directory Changed in version 2015.8.0: This path must now be absolute force False If True, and if name points to an existing directory which does not contain a git repository, then the contents of that directory will be recursively removed and a new repository will be initialized in its place. bare True If True, and a repository must be initialized, then the repository will be a bare repository. NOTE: This differs from the default behavior of git.init, make sure to set this value to False if a bare repo is not desired. template If a new repository is initialized, this argument will specify an alternate `template directory`_ New in version 2015.8.0. separate_git_dir If a new repository is initialized, this argument will specify an alternate $GIT_DIR New in version 2015.8.0. shared Set sharing permissions on git repo. See git-init(1) for more details. New in version 2015.5.0. user User under which to run git commands. By default, commands are run by the user under which the minion is running. New in version 0.17.0. salt.states.glance Managing Images in OpenStack Glance salt.states.glance.image_present(name, visibility='public', protected=None, checksum=None, location=None, wait_for=None, timeout=30) Checks if given image is present with properties set as specified. An image should got through the stages 'queued', 'saving' before becoming 'active'. The attribute 'checksum' can only be checked once the image is active. If you don't specify 'wait_for' but 'checksum' the function will wait for the image to become active before comparing checksums. If you don't specify checksum either the function will return when the image reached 'saving'. The default timeout for both is 30 seconds. Supported properties: • visibility ('public' or 'private') • protected (bool) • checksum (string, md5sum) • location (URL, to copy from) salt.states.glusterfs Manage glusterfs pool. salt.states.glusterfs.add_volume_bricks(name, bricks) Add brick(s) to an existing volume name Volume name bricks List of bricks to add to the volume myvolume: glusterfs.add_volume_bricks: - bricks: - host1:/srv/gluster/drive1 - host2:/srv/gluster/drive2 Replicated Volume: glusterfs.add_volume_bricks: - name: volume2 - bricks: - host1:/srv/gluster/drive2 - host2:/srv/gluster/drive3 salt.states.glusterfs.created(name, bricks, stripe=False, replica=False, device_vg=False, transport='tcp', start=False, force=False) Check if volume already exists name name of the volume myvolume: glusterfs.created: - bricks: - host1:/srv/gluster/drive1 - host2:/srv/gluster/drive2 Replicated Volume: glusterfs.created: - name: volume2 - bricks: - host1:/srv/gluster/drive2 - host2:/srv/gluster/drive3 - replica: 2 - start: True salt.states.glusterfs.peered(name) Check if node is peered. name The remote host with which to peer. peer-cluster: glusterfs.peered: - name: two peer-clusters: glusterfs.peered: - names: - one - two - three - four salt.states.glusterfs.started(name) Check if volume has been started name name of the volume mycluster: glusterfs.started: [] salt.states.gnomedesktop Configuration of the GNOME desktop Control the GNOME settings localdesktop_wm_prefs: gnomedesktop.wm_preferences: - user: username - audible_bell: false - action_double_click_titlebar: 'toggle-maximize' - visual_bell: true - num_workspaces: 6 localdesktop_lockdown: gnomedesktop.desktop_lockdown: - user: username - disable_user_switching: true localdesktop_interface: gnomedesktop.desktop_interface: - user: username - clock_show_date: true - clock_format: 12h salt.states.gnomedesktop.desktop_interface(name, user=None, automatic_mnemonics=None, buttons_have_icons=None, can_change_accels=None, clock_format=None, clock_show_date=None, clock_show_seconds=None, cursor_blink=None, cursor_blink_time=None, cursor_blink_timeout=None, cursor_size=None, cursor_theme=None, document_font_name=None, enable_animations=None, font_name=None, gtk_color_palette=None, gtk_color_scheme=None, gtk_im_module=None, gtk_im_preedit_style=None, gtk_im_status_style=None, gtk_key_theme=None, gtk_theme=None, gtk_timeout_initial=None, gtk_timeout_repeat=None, icon_theme=None, menubar_accel=None, menubar_detachable=None, menus_have_icons=None, menus_have_tearoff=None, monospace_font_name=None, show_input_method_menu=None, show_unicode_menu=None, text_scaling_factor=None, toolbar_detachable=None, toolbar_icons_size=None, toolbar_style=None, toolkit_accessibility=None, **kwargs) desktop_interface: sets values in the org.gnome.desktop.interface schema salt.states.gnomedesktop.desktop_lockdown(name, user=None, disable_application_handlers=None, disable_command_line=None, disable_lock_screen=None, disable_log_out=None, disable_print_setup=None, disable_printing=None, disable_save_to_disk=None, disable_user_switching=None, user_administration_disabled=None, **kwargs) desktop_lockdown: sets values in the org.gnome.desktop.lockdown schema salt.states.gnomedesktop.wm_preferences(name, user=None, action_double_click_titlebar=None, action_middle_click_titlebar=None, action_right_click_titlebar=None, application_based=None, audible_bell=None, auto_raise=None, auto_raise_delay=None, button_layout=None, disable_workarounds=None, focus_mode=None, focus_new_windows=None, mouse_button_modifier=None, num_workspaces=None, raise_on_click=None, resize_with_right_button=None, theme=None, titlebar_font=None, titlebar_uses_system_font=None, visual_bell=None, visual_bell_type=None, workspace_names=None, **kwargs) wm_preferences: sets values in the org.gnome.desktop.wm.preferences schema salt.states.grafana Manage Grafana Dashboards This module uses elasticsearch, which can be installed via package, or pip. You can specify elasticsearch hosts directly to the module, or you can use an elasticsearch profile via pillars: mygrafanaprofile: hosts: - es1.example.com:9200 - es2.example.com:9200 index: grafana-dash # Basic usage (uses default pillar profile key 'grafana') Ensure myservice dashboard is managed: grafana.dashboard_present: - name: myservice - dashboard_from_pillar: default - rows_from_pillar: - systemhealth - requests # Passing hosts in Ensure myservice dashboard is managed: grafana.dashboard_present: - name: myservice - dashboard_from_pillar: default - rows: - collapse: false editable: true height: 150px title: System Health panels: - aliasColors: {} id: 200000 annotate: enable: false bars: false datasource: null editable: true error: false fill: 7 grid: leftMax: 100 leftMin: null rightMax: null rightMin: null threshold1: 60 threshold1Color: rgb(216, 27, 27) threshold2: null threshold2Color: rgba(234, 112, 112, 0.22) leftYAxisLabel: '' legend: avg: false current: false max: false min: false show: false total: false values: false lines: true linewidth: 1 nullPointMode: connected percentage: false pointradius: 5 points: false renderer: flot resolution: 100 scale: 1 seriesOverrides: [] span: 4 stack: false steppedLine: false targets: - target: cloudwatch.aws.ec2.mysrv.cpuutilization.average title: CPU (asg average) tooltip: query_as_alias: true shared: false value_type: cumulative type: graph x-axis: true y-axis: true y_formats: - short - short zerofill: true - rows_from_pillar: - systemhealth - requests - profile: hosts: - es1.example.com:9200 - es2.example.com:9200 index: grafana-dash # Using a profile from pillars Ensure myservice dashboard is managed: grafana.dashboard_present: - name: myservice - dashboard: annotations: enable: true list: [] editable: true hideAllLegends: false hideControls: false nav: - collapse: false enable: true notice: false now: true refresh_intervals: - 10s - 30s - 1m - 5m - 15m - 30m - 1h - 2h - 1d status: Stable time_options: - 5m - 15m - 1h - 2h - 3h - 4h - 6h - 12h - 1d - 2d - 4d - 7d - 16d - 30d type: timepicker originalTitle: dockerregistry refresh: 1m rows: [] sharedCrosshair: false style: dark tags: [] templating: enable: true list: [] time: from: now-2h to: now timezone: browser - rows_from_pillars: - systemhealth - requests - profile: mygrafanaprofile The behavior of this module is to create dashboards if they do not exist, to add rows if they do not exist in existing dashboards, and to update rows if they exist in dashboards. The module will not manage rows that are not defined, allowing users to manage their own custom rows. salt.states.grafana.dashboard_absent(name, hosts=None, profile='grafana') Ensure the named grafana dashboard is deleted. name Name of the grafana dashboard. profile A pillar key or dict that contains a list of hosts and an elasticsearch index to use. salt.states.grafana.dashboard_present(name, dashboard=None, dashboard_from_pillar=None, rows=None, rows_from_pillar=None, profile='grafana') Ensure the grafana dashboard exists and is managed. name Name of the grafana dashboard. dashboard A dict that defines a dashboard that should be managed. dashboard_from_pillar A pillar key that contains a grafana dashboard dict. Mutually exclusive with dashboard. rows A list of grafana rows. rows_from_pillar A list of pillar keys that contain lists of grafana dashboard rows. Rows defined in the pillars will be appended to the rows defined in the state. profile A pillar key or dict that contains a list of hosts and an elasticsearch index to use. salt.states.grains Manage grains on the minion This state allows for grains to be set. Grains set or altered this way are stored in the 'grains' file on the minions, by default at: /etc/salt/grains Note: This does NOT override any grains set in the minion file. salt.states.grains.absent(name, destructive=False, delimiter=':', force=False) New in version 2014.7.0. Delete a grain from the grains config file name The grain name Parameters • destructive -- If destructive is True, delete the entire grain. If destructive is False, set the grain's value to None. Defaults to False. • force -- If force is True, the existing grain will be overwritten regardless of its existing or provided value type. Defaults to False New in version Boron. • delimiter -- A delimiter different from the default can be provided. New in version Boron. Changed in version Boron. This state now support nested grains and complex values. It is also more conservative: if a grain has a value that is a list or a dict, it will not be removed unless the force parameter is True. grain_name: grains.absent: [] salt.states.grains.append(name, value, convert=False, delimiter=':') New in version 2014.7.0. Append a value to a list in the grains config file. The grain that is being appended to (name) must exist before the new value can be added. name The grain name value The value to append Parameters • convert -- If convert is True, convert non-list contents into a list. If convert is False and the grain contains non-list contents, an error is given. Defaults to False. • delimiter -- A delimiter different from the default can be provided. New in version Boron. grain_name: grains.append: - value: to_be_appended salt.states.grains.list_absent(name, value, delimiter=':') Delete a value from a grain formed as a list. New in version 2014.1.0. name The grain name. value The value to delete from the grain list. Parameters delimiter -- A delimiter different from the default : can be provided. New in version Boron. The grain should be list type roles: grains.list_absent: - value: db For multiple grains, the syntax looks like: roles: grains.list_absent: - value: - web - dev salt.states.grains.list_present(name, value, delimiter=':') New in version 2014.1.0. Ensure the value is present in the list-type grain. Note: If the grain that is provided in name is not present on the system, this new grain will be created with the corresponding provided value. name The grain name. value The value is present in the list type grain. Parameters delimiter -- A delimiter different from the default : can be provided. New in version Boron. The grain should be list type roles: grains.list_present: - value: web For multiple grains, the syntax looks like: roles: grains.list_present: - value: - web - dev salt.states.grains.present(name, value, delimiter=':', force=False) Ensure that a grain is set Changed in version Boron. name The grain name value The value to set on the grain Parameters • force -- If force is True, the existing grain will be overwritten regardless of its existing or provided value type. Defaults to False New in version Boron. • delimiter -- A delimiter different from the default can be provided. New in version Boron. It is now capable to set a grain to a complex value (ie. lists and dicts) and supports nested grains as well. If the grain does not yet exist, a new grain is set to the given value. For a nested grain, the necessary keys are created if they don't exist. If a given key is an existing value, it will be converted, but an existing value different from the given key will fail the state. If the grain with the given name exists, its value is updated to the new value unless its existing or provided value is complex (list or dict). Use force: True to overwrite. cheese: grains.present: - value: edam nested_grain_with_complex_value: grains.present: - name: icinga:Apache SSL - value: - command: check_https - params: -H localhost -p 443 -S with,a,custom,delimiter: grains.present: - value: yay - delimiter: , salt.states.group Management of user groups The group module is used to create and manage unix group settings, groups can be either present or absent: cheese: group.present: - gid: 7648 - system: True - addusers: - user1 - users2 - delusers: - foo cheese: group.present: - gid: 7648 - system: True - members: - foo - bar - user1 - user2 salt.states.group.absent(name) Ensure that the named group is absent name The name of the group to remove salt.states.group.present(name, gid=None, system=False, addusers=None, delusers=None, members=None) Ensure that a group is present name The name of the group to manage gid The group id to assign to the named group; if left empty, then the next available group id will be assigned system Whether or not the named group is a system group. This is essentially the '-r' option of 'groupadd'. addusers List of additional users to be added as a group members. delusers Ensure these user are removed from the group membership. members Replace existing group members with a list of new members. Note: Options 'members' and 'addusers/delusers' are mutually exclusive and can not be used together. salt.states.hg Interaction with Mercurial repositories Before using hg over ssh, make sure the remote host fingerprint already exists in ~/.ssh/known_hosts, and the remote host has this host's public key. https://bitbucket.org/example_user/example_repo: hg.latest: - rev: tip - target: /tmp/example_repo salt.states.hg.latest(name, rev=None, target=None, clean=False, user=None, identity=None, force=False, opts=False) Make sure the repository is cloned to the given directory and is up to date name Address of the remote repository as passed to "hg clone" rev The remote branch, tag, or revision hash to clone/pull target Target destination directory path on minion to clone into clean Force a clean update with -C (Default: False) user Name of the user performing repository management operations New in version 0.17.0. identity Private SSH key on the minion server for authentication (ssh://) New in version 2015.5.0. force Force hg to clone into pre-existing directories (deletes contents) opts Include additional arguments and options to the hg command line salt.states.hipchat Send a message to Hipchat This state is useful for sending messages to Hipchat during state runs. New in version 2015.5.0. hipchat-message: hipchat.send_message: - room_id: 123456 - from_name: SuperAdmin - message: 'This state was executed successfully.' - api_key: peWcBiMOS9HrZG15peWcBiMOS9HrZG15 - api_version: v1 The api key can be specified in the master or minion configuration like below: hipchat: api_key: peWcBiMOS9HrZG15peWcBiMOS9HrZG15 api_version: v1 salt.states.hipchat.send_message(name, room_id, from_name, message, api_key=None, api_version=None, message_color='yellow', notify=False) Send a message to a Hipchat room. hipchat-message: hipchat.send_message: - room_id: 123456 - from_name: SuperAdmin - message: 'This state was executed successfully.' - api_key: peWcBiMOS9HrZG15peWcBiMOS9HrZG15 - api_version: v1 - color: green - notify: True The following parameters are required: name The unique name for this event. room_id The room to send the message to. Can either be the ID or the name. from_name The name of that is to be shown in the "from" field. If not specified, defaults to. message The message that is to be sent to the Hipchat room. The following parameters are optional: api_key The api key for Hipchat to use for authentication, if not specified in the configuration options of master or minion. api_version The api version for Hipchat to use, if not specified in the configuration options of master or minion. color The color the Hipchat message should be displayed in. One of the following, default: yellow "yellow", "red", "green", "purple", "gray", or "random". notify Should a notification in the room be raised. salt.states.host Management of addresses and names in hosts file The /etc/hosts file can be managed to contain definitions for specific hosts: salt-master: host.present: - ip: 192.168.0.42 Or using the names directive, you can put several names for the same IP. (Do not try one name with space-separated values). server1: host.present: - ip: 192.168.0.42 - names: - server1 - florida NOTE: Changing the names in host.present does not cause an update to remove the old entry. server1: host.present: - ip: - 192.168.0.42 - 192.168.0.43 - 192.168.0.44 - names: - server1 salt.states.host.absent(name, ip) Ensure that the named host is absent name The host to remove ip The ip addr(s) of the host to remove salt.states.host.present(name, ip) Ensures that the named host is present with the given ip name The host to assign an ip to ip The ip addr(s) to apply to the host salt.states.htpasswd Support for htpasswd module. Requires the apache2-utils package for Debian-based distros. New in version 2014.7.0. username: webutil.user_exists: - password: secr3t - htpasswd_file: /etc/nginx/htpasswd - options: d - force: true salt.states.htpasswd.user_exists(name, password=None, htpasswd_file=None, options='', force=False, runas=None) Make sure the user is inside the specified htpasswd file name User name password User password htpasswd_file Path to the htpasswd file options See salt.modules.htpasswd.useradd force Touch the file even if user already created runas The system user to run htpasswd command with salt.states.http HTTP monitoring states Perform an HTTP query and statefully return the result New in version 2015.5.0. salt.states.http.query(name, match=None, match_type='string', status=None, **kwargs) Perform an HTTP query and statefully return the result New in version 2015.5.0. salt.states.ifttt Trigger an event in IFTTT This state is useful for trigging events in IFTTT. New in version 2015.8.0. ifttt-event: ifttt.trigger_event: - event: TestEvent - value1: 'This state was executed successfully.' - value2: 'Another value we can send.' - value3: 'A third value we can send.' The api key can be specified in the master or minion configuration like below: ifttt: secret_key: bzMRb-KKIAaNOwKEEw792J7Eb-B3z7muhdhYblJn4V6 salt.states.ifttt.trigger_event(name, event, value1=None, value2=None, value3=None) Trigger an event in IFTTT ifttt-event: ifttt.trigger_event: - event: TestEvent - value1: 'A value that we want to send.' - value2: 'A second value that we want to send.' - value3: 'A third value that wen want to send.' The following parameters are required: name The unique name for this event. event The name of the event to trigger in IFTTT. The following parameters are optional: value1 One of the values that we can send to IFTT. value2 One of the values that we can send to IFTT. value3 One of the values that we can send to IFTT. salt.states.incron Management of incron, the inotify cron The incron state module allows for user incrontabs to be cleanly managed. Incron declarations require a number of parameters. The parameters needed to be declared: path, mask, and cmd. The user whose incrontab is to be edited also needs to be defined. When making changes to an existing incron job, the path declaration is the unique factor, so if an existing cron that looks like this: Watch for modifications in /home/user: incron.present: - user: root - path: /home/user - mask: - IN_MODIFY - cmd: 'echo "$$ $@"' Is changed to this: Watch for modifications and access in /home/user: incron.present: - user: root - path: /home/user - mask: - IN_MODIFY - IN_ACCESS - cmd: 'echo "$$ $@"' Then the existing cron will be updated, but if the cron command is changed, then a new cron job will be added to the user's crontab. New in version 0.17.0. salt.states.incron.absent(name, path, mask, cmd, user='root') Verifies that the specified incron job is absent for the specified user; only the name is matched when removing a incron job. name Unique comment describing the entry path The path that should be watched user The name of the user who's crontab needs to be modified, defaults to the root user mask The mask of events that should be monitored for cmd The cmd that should be executed salt.states.incron.present(name, path, mask, cmd, user='root') Verifies that the specified incron job is present for the specified user. For more advanced information about what exactly can be set in the cron timing parameters, check your incron system's documentation. Most Unix-like systems' incron documentation can be found via the incrontab man page: man 5 incrontab. name Unique comment describing the entry path The path that should be watched user The name of the user who's crontab needs to be modified, defaults to the root user mask The mask of events that should be monitored for cmd The cmd that should be executed salt.states.influxdb_database Management of InfluxDB databases (compatible with InfluxDB version 0.5+) New in version 2014.7.0. salt.states.influxdb_database.absent(name, user=None, password=None, host=None, port=None) Ensure that the named database is absent name The name of the database to remove user The user to connect as (must be able to remove the database) password The password of the user host The host to connect to port The port to connect to salt.states.influxdb_database.present(name, user=None, password=None, host=None, port=None) Ensure that the named database is present name The name of the database to create user The user to connect as (must be able to remove the database) password The password of the user host The host to connect to port The port to connect to salt.states.influxdb_user Management of InfluxDB users (compatible with InfluxDB version 0.5+) New in version 2014.7.0. salt.states.influxdb_user.absent(name, database=None, user=None, password=None, host=None, port=None) Ensure that the named cluster admin or database user is absent. name The name of the user to remove database The database to remove the user from user The user to connect as (must be able to remove the user) password The password of the user host The host to connect to port The port to connect to salt.states.influxdb_user.present(name, passwd, database=None, user=None, password=None, host=None, port=None) Ensure that the cluster admin or database user is present. name The name of the user to manage passwd The password of the user database The database to create the user in user The user to connect as (must be able to create the user) password The password of the user host The host to connect to port The port to connect to salt.states.ini_manage Manage ini files maintainer <akilesh1597@gmail.com> maturity new depends re platform all use section as DEFAULT_IMPLICIT if your ini file does not have any section for example /etc/sysctl.conf salt.states.ini_manage.options_absent(name, sections=None) /home/saltminion/api-paste.ini: ini.options_present: - sections: test: - testkey - secondoption test1: - testkey1 options present in file and not specified in sections dict will be untouched changes dict will contain the list of changes made salt.states.ini_manage.options_present(name, sections=None) /home/saltminion/api-paste.ini: ini.options_present: - sections: test: testkey: 'testval' secondoption: 'secondvalue' test1: testkey1: 'testval121' options present in file and not specified in sections dict will be untouched changes dict will contain the list of changes made salt.states.ini_manage.sections_absent(name, sections=None) /home/saltminion/api-paste.ini: ini.sections_absent: - sections: - test - test1 options present in file and not specified in sections will be deleted changes dict will contain the sections that changed salt.states.ini_manage.sections_present(name, sections=None) /home/saltminion/api-paste.ini: ini.sections_present: - sections: test: testkey: testval secondoption: secondvalue test1: testkey1: 'testval121' options present in file and not specified in sections will be deleted changes dict will contain the sections that changed salt.states.ipmi Manage IPMI devices over LAN The following configuration defaults can be defined in the minion, master config or pillar: ipmi.config: api_host: 127.0.0.1 api_user: admin api_pass: apassword api_port: 623 api_kg: None Every call can override the config defaults: ensure myipmi system is set to network boot: ipmi.boot_device: - name: network - api_host: myipmi.hostname.com - api_user: root - api_pass: apassword - api_kg: None ensure myipmi system is powered on: ipmi.power: - name: boot - api_host: myipmi.hostname.com - api_user: root - api_pass: apassword salt.states.ipmi.boot_device(name='default', **kwargs) Request power state change name = default • network -- Request network boot • hd -- Boot from hard drive • safe -- Boot from hard drive, requesting 'safe mode' • optical -- boot from CD/DVD/BD drive • setup -- Boot into setup utility • default -- remove any IPMI directed boot device request kwargs • api_host=localhost • api_user=admin • api_pass= • api_port=623 • api_kg=None salt.states.ipmi.power(name='power_on', wait=300, **kwargs) Request power state change name Ensure power state one of: • power_on -- system turn on • power_off -- system turn off (without waiting for OS) • shutdown -- request OS proper shutdown • reset -- reset (without waiting for OS) • boot -- If system is off, then 'on', else 'reset' wait wait X seconds for the job to complete before forcing. (defaults to 300 seconds) kwargs • api_host=localhost • api_user=admin • api_pass= • api_port=623 • api_kg=None salt.states.ipmi.user_absent(name, channel=14, **kwargs) Remove user Delete all user (uid) records having the matching name. name string name of user to delete channel channel to remove user access from defaults to 14 for auto. kwargs • api_host=localhost • api_user=admin • api_pass= • api_port=623 • api_kg=None salt.states.ipmi.user_present(name, uid, password, channel=14, callback=False, link_auth=True, ipmi_msg=True, privilege_level='administrator', **kwargs) Ensure IPMI user and user privileges. name name of user (limit 16 bytes) uid user id number (1 to 7) password user password (limit 16 bytes) channel ipmi channel defaults to 14 for auto callback User Restricted to Callback False = User Privilege Limit is determined by the User Privilege Limit parameter privilege_level, for both callback and non-callback connections. True = User Privilege Limit is determined by the privilege_level parameter for callback connections, but is restricted to Callback level for non-callback connections. Thus, a user can only initiate a Callback when they 'call in' to the BMC, but once the callback connection has been made, the user could potentially establish a session as an Operator. link_auth User Link authentication True/False user name and password information will be used for link authentication, e.g. PPP CHAP) for the given channel. Link authentication itself is a global setting for the channel and is enabled/disabled via the serial/modem configuration parameters. ipmi_msg User IPMI Messaging True/False user name and password information will be used for IPMI Messaging. In this case, 'IPMI Messaging' refers to the ability to execute generic IPMI commands that are not associated with a particular payload type. For example, if IPMI Messaging is disabled for a user, but that user is enabled for activating the SOL payload type, then IPMI commands associated with SOL and session management, such as Get SOL Configuration Parameters and Close Session are available, but generic IPMI commands such as Get SEL Time are unavailable.) ipmi_msg privilege_level • callback • user • operator • administrator • proprietary • no_access kwargs • api_host=localhost • api_user=admin • api_pass= • api_port=623 • api_kg=None salt.states.ipset Management of ipsets This is an ipset-specific module designed to manage IPSets for use in IPTables Firewalls. setname: ipset.set_present: - set_type: bitmap:ip - range: 192.168.0.0/16 - comment: True setname: ipset.set_absent: - set_type: bitmap:ip - range: 192.168.0.0/16 - comment: True setname_entries: ipset.present: - set_name: setname - entry: 192.168.0.3 - comment: Hello - require: - ipset: baz setname_entries: ipset.present: - set_name: setname - entry: - 192.168.0.3 - 192.168.1.3 - comment: Hello - require: - ipset: baz setname_entries: ipset.absent: - set_name: setname - entry: - 192.168.0.3 - 192.168.1.3 - comment: Hello - require: - ipset: baz setname: ipset.flush: salt.states.ipset.absent(name, entry=None, entries=None, family='ipv4', **kwargs) New in version 2014.7.0. Remove a entry or entries from a chain name A user-defined name to call this entry by in another part of a state or formula. This should not be an actual entry. family Network family, ipv4 or ipv6. salt.states.ipset.flush(name, family='ipv4', **kwargs) New in version 2014.7.0. Flush current ipset set family Networking family, either ipv4 or ipv6 salt.states.ipset.present(name, entry=None, family='ipv4', **kwargs) New in version 2014.7.0. Append a entry to a set name A user-defined name to call this entry by in another part of a state or formula. This should not be an actual entry. entry A single entry to add to a set or a list of entries to add to a set family Network family, ipv4 or ipv6. salt.states.ipset.set_absent(name, family='ipv4', **kwargs) New in version 2014.7.0. Verify the set is absent. family Networking family, either ipv4 or ipv6 salt.states.ipset.set_present(name, set_type, family='ipv4', **kwargs) New in version 2014.7.0. Verify the chain is exist. name A user-defined set name. set_type The type for the set family Networking family, either ipv4 or ipv6 salt.states.iptables Management of iptables This is an iptables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state. httpd: iptables.append: - table: filter - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: iptables.append: - table: filter - chain: INPUT - jump: ACCEPT - match: - state - comment - comment: "Allow HTTP" - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: iptables.append: - table: filter - chain: INPUT - jump: ACCEPT - match: - state - comment - comment: "Allow HTTP" - connstate: NEW - source: '127.0.0.1' - dport: 80 - proto: tcp - sport: 1025:65535 - save: True .. Invert Rule httpd: iptables.append: - table: filter - chain: INPUT - jump: ACCEPT - match: - state - comment - comment: "Allow HTTP" - connstate: NEW - source: '! 127.0.0.1' - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: iptables.append: - table: filter - chain: INPUT - jump: ACCEPT - match: - state - comment - comment: "Allow HTTP" - connstate: NEW - source: 'not 127.0.0.1' - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: iptables.append: - table: filter - family: ipv6 - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: iptables.append: - table: filter - family: ipv4 - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dports: - 80 - 443 - proto: tcp - sport: 1025:65535 - save: True httpd: iptables.insert: - position: 1 - table: filter - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: iptables.insert: - position: 1 - table: filter - family: ipv6 - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: iptables.delete: - table: filter - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: iptables.delete: - position: 1 - table: filter - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: iptables.delete: - table: filter - family: ipv6 - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True default to accept: iptables.set_policy: - chain: INPUT - policy: ACCEPT NOTE: Various functions of the iptables module use the --check option. If the version of iptables on the target system does not include this option, an alternate version of this check will be performed using the output of iptables-save. This may have unintended consequences on legacy releases of iptables. salt.states.iptables.append(name, table='filter', family='ipv4', **kwargs) New in version 0.17.0. Append a rule to a chain name A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule. table The table that owns the chain which should be modified family Network family, ipv4 or ipv6. All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate). Jump options that doesn't take arguments should be passed in with an empty string. salt.states.iptables.chain_absent(name, table='filter', family='ipv4') New in version 2014.1.0. Verify the chain is absent. table The table to remove the chain from family Networking family, either ipv4 or ipv6 salt.states.iptables.chain_present(name, table='filter', family='ipv4') New in version 2014.1.0. Verify the chain is exist. name A user-defined chain name. table The table to own the chain. family Networking family, either ipv4 or ipv6 salt.states.iptables.delete(name, table='filter', family='ipv4', **kwargs) New in version 2014.1.0. Delete a rule to a chain name A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule. table The table that owns the chain that should be modified family Networking family, either ipv4 or ipv6 All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate). Jump options that doesn't take arguments should be passed in with an empty string. salt.states.iptables.flush(name, table='filter', family='ipv4', **kwargs) New in version 2014.1.0. Flush current iptables state table The table that owns the chain that should be modified family Networking family, either ipv4 or ipv6 salt.states.iptables.insert(name, table='filter', family='ipv4', **kwargs) New in version 2014.1.0. Insert a rule into a chain name A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule. table The table that owns the chain that should be modified family Networking family, either ipv4 or ipv6 All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate). Jump options that doesn't take arguments should be passed in with an empty string. salt.states.iptables.mod_aggregate(low, chunks, running) The mod_aggregate function which looks up all rules in the available low chunks and merges them into a single rules ref in the present low data salt.states.iptables.set_policy(name, table='filter', family='ipv4', **kwargs) New in version 2014.1.0. Sets the default policy for iptables firewall tables table The table that owns the chain that should be modified family Networking family, either ipv4 or ipv6 policy The requested table policy salt.states.jboss7 Manage JBoss 7 Application Server via CLI interface New in version 2015.5.0. This state uses jboss-cli.sh script from JBoss installation and parses its output to determine execution result. In order to run each state, jboss_config dictionary with the following properties must be passed: jboss: cli_path: '/opt/jboss/jboss-7.0/bin/jboss-cli.sh' controller: 10.11.12.13:9999 cli_user: 'jbossadm' cli_password: 'jbossadm' If controller doesn't require password, then passing cli_user and cli_password parameters is not obligatory. Example of application deployment: application_deployed: jboss7.deployed: - artifact: artifactory_url: http://artifactory.intranet.example.com/artifactory repository: 'ext-release-local' artifact_id: 'webcomponent' group_id: 'com.company.application' packaging: 'war' version: '0.1' target_dir: '/tmp' - jboss_config: cli_path: '/opt/jboss/jboss-7.0/bin/jboss-cli.sh' controller: 10.11.12.13:9999 cli_user: 'jbossadm' cli_password: 'jbossadm' Since same dictionary with configuration will be used in all the states, it is much more convenient to move jboss configuration and other properties to pillar. For example, configuration of jboss server, artifactory address and application version could be moved to pillars: application_deployed: jboss7.deployed: - artifact: artifactory_url: {{ pillar['artifactory']['url'] }} repository: {{ pillar['artifactory']['repository'] }} artifact_id: 'webcomponent' group_id: 'com.company.application' packaging: 'war' version: {{ pillar['webcomponent-artifact']['version'] }} latest_snapshot: {{ pillar['webcomponent-artifact']['latest_snapshot'] }} repository: {{ pillar['webcomponent-artifact']['repository'] }} - jboss_config: {{ pillar['jboss'] }} Configuration in pillars: artifactory: url: 'http://artifactory.intranet.example.com/artifactory' repository: 'libs-snapshots-local' webcomponent-artifact: repository: 'libs-snapshots-local' latest_snapshot: True version: -1 #If latest_snapshot then version is ignored For the sake of brevity, examples for each state assume that jboss_config is moved to pillars. salt.states.jboss7.bindings_exist(name, jboss_config, bindings) Ensures that given JNDI binding are present on the server. If a binding doesn't exist on the server it will be created. If it already exists its value will be changed. jboss_config: Dict with connection properties (see state description) bindings: Dict with bindings to set. Example: jndi_entries_created: jboss7.bindings_exist: - bindings: 'java:global/sampleapp/environment': 'DEV' 'java:global/sampleapp/configurationFile': '/var/opt/sampleapp/config.properties' - jboss_config: {{ pillar['jboss'] }} salt.states.jboss7.datasource_exists(name, jboss_config, datasource_properties, recreate=False) Ensures that a datasource with given properties exist on the jboss instance. If datasource doesn't exist, it is created, otherwise only the properties that are different will be updated. name Datasource property name jboss_config Dict with connection properties (see state description) datasource_properties Dict with datasource properties recreate False If set to True and datasource exists it will be removed and created again. However, if there are deployments that depend on the datasource, it will not me possible to remove it. Example: sampleDS: jboss7.datasource_exists: - recreate: False - datasource_properties: driver-name: mysql connection-url: 'jdbc:mysql://localhost:3306/sampleDatabase' jndi-name: 'java:jboss/datasources/sampleDS' user-name: sampleuser password: secret min-pool-size: 3 use-java-context: True - jboss_config: {{ pillar['jboss'] }} salt.states.jboss7.deployed(name, jboss_config, artifact=None, salt_source=None) Ensures that the given application is deployed on server. jboss_config: Dict with connection properties (see state description) artifact: If set, the artifact will be fetched from artifactory. This is a Dict object with the following properties: • artifactory_url: Full url to artifactory instance, for example: http://artifactory.intranet.example.com/artifactory • repository: One of the repositories, for example: libs-snapshots, ext-release-local, etc.. • artifact_id: Artifact ID of the artifact • group_id: Group ID of the artifact • packaging: war/jar/ear, etc... • version: Artifact version. If latest_snapshot is set to True, the value of this attribute will be ignored, and newest snapshot will be taken instead. • latest_snapshot: If set to True and repository is a snapshot repository it will automatically select the newest snapshot. • snapshot_version: Exact version of the snapshot (with timestamp). A snapshot version may have several builds and a way to differentiate is to provide a build timestamp. • target_dir: Temporary directory on minion where artifacts will be downloaded salt_source: If set, the artifact to be deployed will be fetched from salt master. This is a Dict object with the following properties: • source: File on salt master (eg. salt://application-web-0.39.war) • target_file: Temporary file on minion to save file to (eg. '/tmp/application-web-0.39.war') • undeploy: Regular expression to match against existing deployments. If any deployment matches the regular expression then it will be undeployed. The deployment consists of the following steps: • Fetch artifact (salt filesystem, artifact or filesystem on minion) • Check if same artifact is not deployed yet (perhaps with different version) • Undeploy the artifact if it is already deployed • Deploy the new artifact Examples: Deployment of a file from Salt file system: application_deployed: jboss7.deployed: - salt_source: source: salt://application-web-0.39.war target_file: '/tmp/application-web-0.39.war' undeploy: 'application-web-.*' - jboss_config: {{ pillar['jboss'] }} Here, application-web-0.39.war file is downloaded from Salt file system to /tmp/application-web-0.39.war file on minion. Existing deployments are checked if any of them matches 'application-web-.*' regular expression, and if so then it is undeployed before deploying the application. This is useful to automate deployment of new application versions. JBoss state is capable of deploying artifacts directly from Artifactory repository. Here are some examples of deployments: 1. Deployment of released version of artifact from Artifactory. application_deployed: jboss7.deployed: - artifact: artifactory_url: http://artifactory.intranet.example.com/artifactory repository: 'ext-release-local' artifact_id: 'webcomponent' group_id: 'com.company.application' packaging: 'war' version: '0.1' target_dir: '/tmp' - jboss_config: {{ pillar['jboss'] }} This performs the following operations: • Download artifact from artifactory. In the example above the artifact will be fetched from: http://artifactory.intranet.example.com/artifactory/ext-release-local/com/company/application/webcomponent/0.1/webcomponent-0.1.war As a rule, for released versions the artifacts are downloaded from: artifactory_url/repository/group_id_with_slashed_instead_of_dots/artifact_id/version/artifact_id-version.packaging' This follows artifactory convention for artifact resolution. By default the artifact will be downloaded to /tmp directory on minion. • Connect to JBoss via controller (defined in jboss_config dict) and check if the artifact is not deployed already. In case of artifactory it will check if any deployment's name starts with artifact_id value. If deployment already exists it will be undeployed • Deploy the downloaded artifact to JBoss via cli interface. 2. Deployment of last updated version of given SNAPSHOT version of artifact from Artifactory. application_deployed: jboss7.deployed: - artifact: artifactory_url: http://artifactory.intranet.example.com/artifactory repository: 'ext-snapshot-local' artifact_id: 'webcomponent' group_id: 'com.company.application' packaging: 'war' version: '0.1-SNAPSHOT' - jboss_config: {{ pillar['jboss'] }} Deploying snapshot version involves an additional step of resolving the exact version of the artifact (including the timestamp), which is not necessary when deploying a release. In the example above first a request will be made to retrieve the update timestamp from: http://artifactory.intranet.example.com/artifactory/ext-snapshot-local/com/company/application/webcomponent/0.1-SNAPSHOT/maven-metadata.xml Then the artifact will be fetched from http://artifactory.intranet.example.com/artifactory/ext-snapshot-local/com/company/application/webcomponent/0.1-SNAPSHOT/webcomponent-RESOLVED_SNAPSHOT_VERSION.war NOTE: In order to perform a snapshot deployment you have to: • Set repository to a snapshot repository. • Choose a version that ends with "SNAPSHOT" string. Snapshot repositories have a different layout and provide some extra information that is needed for deployment of the last or a specific snapshot. 3. Deployment of SNAPSHOT version (with exact timestamp) of artifact from Artifactory. If you need to deploy an exact version of the snapshot you may provide snapshot_version parameter. application_deployed: jboss7.deployed: - artifact: artifactory_url: http://artifactory.intranet.example.com/artifactory repository: 'ext-snapshot-local' artifact_id: 'webcomponent' group_id: 'com.company.application' packaging: 'war' version: '0.1-SNAPSHOT' snapshot_version: '0.1-20141023.131756-19' - jboss_config: {{ pillar['jboss'] }} In this example the artifact will be retrieved from: http://artifactory.intranet.example.com/artifactory/ext-snapshot-local/com/company/application/webcomponent/0.1-SNAPSHOT/webcomponent-0.1-20141023.131756-19.war 4. Deployment of latest snapshot of artifact from Artifactory. application_deployed: jboss7.deployed: - artifact: artifactory_url: http://artifactory.intranet.example.com/artifactory repository: 'ext-snapshot-local' artifact_id: 'webcomponent' group_id: 'com.company.application' packaging: 'war' latest_snapshot: True - jboss_config: {{ pillar['jboss'] }} Instead of providing an exact version of a snapshot it is sometimes more convenient to get the newest version. If artifact.latest_snapshot is set to True, then the newest snapshot will be downloaded from Artifactory. In this case it is not necessary to specify version. This is particulary useful when integrating with CI tools that will deploy the current snapshot to the Artifactory. salt.states.jboss7.reloaded(name, jboss_config, timeout=60, interval=5) Reloads configuration of jboss server. jboss_config: Dict with connection properties (see state description) timeout: Time to wait until jboss is back in running state. Default timeout is 60s. interval: Interval between state checks. Default interval is 5s. Decreasing the interval may slightly decrease waiting time but be aware that every status check is a call to jboss-cli which is a java process. If interval is smaller than process cleanup time it may easily lead to excessive resource consumption. This step performs the following operations: • Ensures that server is in running or reload-required state (by reading server-state attribute) • Reloads configuration • Waits for server to reload and be in running state Example: configuration_reloaded: jboss7.reloaded: - jboss_config: {{ pillar['jboss'] }} salt.states.keyboard Management of keyboard layouts The keyboard layout can be managed for the system: us: keyboard.system Or it can be managed for XOrg: us: keyboard.xorg salt.states.keyboard.system(name) Set the keyboard layout for the system name The keyboard layout to use salt.states.keyboard.xorg(name) Set the keyboard layout for XOrg layout The keyboard layout to use salt.states.keystone Management of Keystone users depends • keystoneclient Python module configuration See salt.modules.keystone for setup instructions. Keystone tenants: keystone.tenant_present: - names: - admin - demo - service Keystone roles: keystone.role_present: - names: - admin - Member admin: keystone.user_present: - password: R00T_4CC3SS - email: admin@domain.com - roles: admin: # tenants - admin # roles service: - admin - Member - require: - keystone: Keystone tenants - keystone: Keystone roles nova: keystone.user_present: - password: '$up3rn0v4' - email: nova@domain.com - tenant: service - roles: service: - admin - require: - keystone: Keystone tenants - keystone: Keystone roles demo: keystone.user_present: - password: 'd3m0n$trati0n' - email: demo@domain.com - tenant: demo - roles: demo: - Member - require: - keystone: Keystone tenants - keystone: Keystone roles nova service: keystone.service_present: - name: nova - service_type: compute - description: OpenStack Compute Service salt.states.keystone.endpoint_absent(name, profile=None, **connection_args) Ensure that the endpoint for a service doesn't exist in Keystone catalog name The name of the service whose endpoints should not exist salt.states.keystone.endpoint_present(name, publicurl=None, internalurl=None, adminurl=None, region='RegionOne', profile=None, **connection_args) Ensure the specified endpoints exists for service name The Service name public url The public url of service endpoint internal url The internal url of service endpoint admin url The admin url of the service endpoint region The region of the endpoint salt.states.keystone.role_absent(name, profile=None, **connection_args) Ensure that the keystone role is absent. name The name of the role that should not exist salt.states.keystone.role_present(name, profile=None, **connection_args) ' Ensures that the keystone role exists name The name of the role that should be present salt.states.keystone.service_absent(name, profile=None, **connection_args) Ensure that the service doesn't exist in Keystone catalog name The name of the service that should not exist salt.states.keystone.service_present(name, service_type, description=None, profile=None, **connection_args) Ensure service present in Keystone catalog name The name of the service service_type The type of Openstack Service description (optional) Description of the service salt.states.keystone.tenant_absent(name, profile=None, **connection_args) Ensure that the keystone tenant is absent. name The name of the tenant that should not exist salt.states.keystone.tenant_present(name, description=None, enabled=True, profile=None, **connection_args) Ensures that the keystone tenant exists name The name of the tenant to manage description The description to use for this tenant enabled Availability state for this tenant salt.states.keystone.user_absent(name, profile=None, **connection_args) Ensure that the keystone user is absent. name The name of the user that should not exist salt.states.keystone.user_present(name, password, email, tenant=None, enabled=True, roles=None, profile=None, **connection_args) Ensure that the keystone user is present with the specified properties. name The name of the user to manage password The password to use for this user email The email address for this user tenant The tenant for this user enabled Availability state for this user roles The roles the user should have under given tenants. Passed as a dictionary mapping tenant names to a list of roles in this tenant, i.e.: roles: admin: # tenant - admin # role service: - admin - Member salt.states.kmod Loading and unloading of kernel modules The Kernel modules on a system can be managed cleanly with the kmod state module: kvm_amd: kmod.present pcspkr: kmod.absent salt.states.kmod.absent(name, persist=False, comment=True) Verify that the named kernel module is not loaded name The name of the kernel module to verify is not loaded persist Delete module from /etc/modules comment Don't remove module from /etc/modules, only comment it salt.states.kmod.present(name, persist=False) Ensure that the specified kernel module is loaded name The name of the kernel module to verify is loaded persist Also add module to /etc/modules salt.states.layman Management of Gentoo Overlays using layman A state module to manage Gentoo package overlays via layman sunrise: layman.present salt.states.layman.absent(name) Verify that the overlay is absent name The name of the overlay to delete salt.states.layman.present(name) Verify that the overlay is present name The name of the overlay to add salt.states.libvirt Manage libvirt certificates This state uses the external pillar in the master to call for the generation and signing of certificates for systems running libvirt: libvirt_keys: libvirt.keys salt.states.libvirt.keys(name, basepath='/etc/pki') Manage libvirt keys. name The name variable used to track the execution basepath Defaults to /etc/pki, this is the root location used for libvirt keys on the hypervisor salt.states.linux_acl Linux File Access Control Lists Ensure a Linux ACL is present root: acl.present: - name: /root - acl_type: user - acl_name: damian - perms: rwx Ensure a Linux ACL does not exist root: acl.absent: - name: /root - acl_type: user - acl_name: damian - perms: rwx salt.states.linux_acl.absent(name, acl_type, acl_name='', perms='', recurse=False) Ensure a Linux ACL does not exist salt.states.linux_acl.present(name, acl_type, acl_name='', perms='', recurse=False) Ensure a Linux ACL is present salt.states.locale Management of languages/locales Manage the available locales and the system default: us_locale: locale.present: - name: en_US.UTF-8 default_locale: locale.system: - name: en_US.UTF-8 - require: - locale: us_locale salt.states.locale.present(name) Generate a locale if it is not present New in version 2014.7.0. name The name of the locale to be present. Some distributions require the charmap to be specified as part of the locale at this point. salt.states.locale.system(name) Set the locale for the system name The name of the locale to use salt.states.lvm Management of Linux logical volumes A state module to manage LVMs /dev/sda: lvm.pv_present my_vg: lvm.vg_present: - devices: /dev/sda lvroot: lvm.lv_present: - vgname: my_vg - size: 10G - stripes: 5 - stripesize: 8K salt.states.lvm.lv_absent(name, vgname=None) Remove a given existing logical volume from a named existing volume group name The logical volume to remove vgname The volume group name salt.states.lvm.lv_present(name, vgname=None, size=None, extents=None, snapshot=None, pv='', **kwargs) Create a new logical volume name The name of the logical volume vgname The volume group name for this logical volume size The initial size of the logical volume extents The number of logical extents to allocate snapshot The name of the snapshot pv The physical volume to use kwargs Any supported options to lvcreate. See linux_lvm for more details. salt.states.lvm.pv_absent(name) Ensure that a Physical Device is not being used by lvm name The device name to initialize. salt.states.lvm.pv_present(name, **kwargs) Set a physical device to be used as an LVM physical volume name The device name to initialize. kwargs Any supported options to pvcreate. See linux_lvm for more details. salt.states.lvm.vg_absent(name) Remove an LVM volume group name The volume group to remove salt.states.lvm.vg_present(name, devices=None, **kwargs) Create an LVM volume group name The volume group name to create devices A list of devices that will be added to the volume group kwargs Any supported options to vgcreate. See linux_lvm for more details. salt.states.lvs_server Management of LVS (Linux Virtual Server) Real Server salt.states.lvs_server.absent(name, protocol=None, service_address=None, server_address=None) Ensure the LVS Real Server in specified service is absent. name The name of the LVS server. protocol The service protocol(only support tcp, udp and fwmark service). service_address The LVS service address. server_address The LVS real server address. salt.states.lvs_server.present(name, protocol=None, service_address=None, server_address=None, packet_forward_method='dr', weight=1) Ensure that the named service is present. name The LVS server name protocol The service protocol service_address The LVS service address server_address The real server address. packet_forward_method The LVS packet forwarding method(dr for direct routing, tunnel for tunneling, nat for network access translation). weight The capacity of a server relative to the others in the pool. lvsrs: lvs_server.present: - protocol: tcp - service_address: 1.1.1.1:80 - server_address: 192.168.0.11:8080 - packet_forward_method: dr - weight: 10 salt.states.lvs_service Management of LVS (Linux Virtual Server) Service salt.states.lvs_service.absent(name, protocol=None, service_address=None) Ensure the LVS service is absent. name The name of the LVS service protocol The service protocol service_address The LVS service address salt.states.lvs_service.present(name, protocol=None, service_address=None, scheduler='wlc') Ensure that the named service is present. name The LVS service name protocol The service protocol service_address The LVS service address scheduler Algorithm for allocating TCP connections and UDP datagrams to real servers. lvstest: lvs_service.present: - service_address: 1.1.1.1:80 - protocol: tcp - scheduler: rr salt.states.lxc Manage Linux Containers salt.states.lxc.absent(name, stop=False, path=None) Ensure a container is not present, destroying it if present name Name of the container to destroy stop stop before destroying default: false New in version 2015.5.2. path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. web01: lxc.absent salt.states.lxc.cloned(name, orig, snapshot=True, size=None, vgname=None, path=None, profile=None) Deprecated since version 2015.5.0: Use lxc.present salt.states.lxc.created(name, **kwargs) Deprecated since version 2015.5.0: Use lxc.present salt.states.lxc.edited_conf(name, lxc_conf=None, lxc_conf_unset=None) WARNING: This state is unsuitable for setting parameters that appear more than once in an LXC config file, or parameters which must appear in a certain order (such as when configuring more than one network interface). It is slated to be replaced, and as of version 2015.5.0 it is deprecated. Edit LXC configuration options path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. setconf: lxc.edited_conf: - name: ubuntu - lxc_conf: - network.ipv4.ip: 10.0.3.6 - lxc_conf_unset: - lxc.utsname salt.states.lxc.frozen(name, start=True, path=None) New in version 2015.5.0. Ensure that a container is frozen NOTE: This state does not enforce the existence of the named container, it just freezes the container if it is running. To ensure that the named container exists, use lxc.present. name The name of the container path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. start True Start container first, if necessary. If False, then this state will fail if the container is not running. web01: lxc.frozen web02: lxc.frozen: - start: False salt.states.lxc.present(name, running=None, clone_from=None, snapshot=False, profile=None, network_profile=None, template=None, options=None, image=None, config=None, fstype=None, size=None, backing=None, vgname=None, lvname=None, path=None) Changed in version 2015.8.0: The lxc.created state has been renamed to lxc.present, and the lxc.cloned state has been merged into this state. Create the named container if it does not exist name The name of the container to be created path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. running False.INDENT 7.0 • If True, ensure that the container is running • If False, ensure that the container is stopped • If None, do nothing with regards to the running state of the container New in version 2015.8.0. clone_from Create named container as a clone of the specified container snapshot False Use Copy On Write snapshots (LVM). Only supported with clone_from. profile Profile to use in container creation (see the LXC Tutorial for more information). Values in a profile will be overridden by the parameters listed below. network_profile Network Profile to use in container creation (see the LXC Tutorial for more information). Values in a profile will be overridden by the parameters listed below. New in version 2015.5.2. Container Creation Arguments template The template to use. E.g., 'ubuntu' or 'fedora'. Conflicts with the image argument. NOTE: The download template requires the following three parameters to be defined in options: • dist - The name of the distribution • release - Release name/version • arch - Architecture of the container The available images can be listed using the lxc.images function. options New in version 2015.5.0. Template-specific options to pass to the lxc-create command. These correspond to the long options (ones beginning with two dashes) that the template script accepts. For example: web01: lxc.present: - template: download - options: dist: centos release: 6 arch: amd64 Remember to double-indent the options, due to how PyYAML works. image A tar archive to use as the rootfs for the container. Conflicts with the template argument. backing The type of storage to use. Set to lvm to use an LVM group. Defaults to filesystem within /var/lib/lxc. fstype Filesystem type to use on LVM logical volume size Size of the volume to create. Only applicable if backing is set to lvm. vgname lxc Name of the LVM volume group in which to create the volume for this container. Only applicable if backing is set to lvm. lvname Name of the LVM logical volume in which to create the volume for this container. Only applicable if backing is set to lvm. salt.states.lxc.running(name, restart=False, path=None) Changed in version 2015.5.0: The lxc.started state has been renamed to lxc.running Ensure that a container is running NOTE: This state does not enforce the existence of the named container, it just starts the container if it is not running. To ensure that the named container exists, use lxc.present. name The name of the container path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. restart False Restart container if it is already running web01: lxc.running web02: lxc.running: - restart: True salt.states.lxc.set_pass(name, **kwargs) Deprecated since version 2015.5.0. This state function has been disabled, as it did not conform to design guidelines. Specifically, due to the fact that lxc.set_password uses chpasswd(8) to set the password, there was no method to make this action idempotent (in other words, the password would be changed every time). This makes this state redundant, since the following state will do the same thing: setpass: module.run: - name: set_pass - m_name: root - password: secret salt.states.lxc.started(name, path=None, restart=False) Deprecated since version 2015.5.0: Use lxc.running salt.states.lxc.stopped(name, kill=False, path=None) Ensure that a container is stopped NOTE: This state does not enforce the existence of the named container, it just stops the container if it running or frozen. To ensure that the named container exists, use lxc.present, or use the lxc.absent state to ensure that the container does not exist. name The name of the container path path to the container parent default: /var/lib/lxc (system default) New in version 2015.8.0. kill False Do not wait for the container to stop, kill all tasks in the container. Older LXC versions will stop containers like this irrespective of this argument. New in version 2015.5.0. web01: lxc.stopped salt.states.makeconf Management of Gentoo make.conf A state module to manage Gentoo's make.conf file makeopts: makeconf.present: - value: '-j3' salt.states.makeconf.absent(name) Verify that the variable is not in the make.conf. name The variable name. This will automatically be converted to upper case since variables in make.conf are in upper case salt.states.makeconf.present(name, value=None, contains=None, excludes=None) Verify that the variable is in the make.conf and has the provided settings. If value is set, contains and excludes will be ignored. name The variable name. This will automatically be converted to upper case since variables in make.conf are in upper case value Enforce that the value of the variable is set to the provided value contains Enforce that the value of the variable contains the provided value excludes Enforce that the value of the variable does not contain the provided value. salt.states.mdadm Managing software RAID with mdadm A state module for creating or destroying software RAID devices. /dev/md0: raid.present: - level: 5 - devices: - /dev/xvdd - /dev/xvde - /dev/xvdf - chunk: 256 - run: True salt.states.mdadm.absent(name) Verify that the raid is absent name The name of raid device to be destroyed /dev/md0: raid: - absent salt.states.mdadm.present(name, level, devices, **kwargs) Verify that the raid is present Changed in version 2014.7.0. name The name of raid device to be created level The RAID level to use when creating the raid. devices A list of devices used to build the array. kwargs Optional arguments to be passed to mdadm. Example: /dev/md0: raid.present: - level: 5 - devices: - /dev/xvdd - /dev/xvde - /dev/xvdf - chunk: 256 - run: True salt.states.memcached States for Management of Memcached Keys New in version 2014.1.0. salt.states.memcached.absent(name, value=None, host='127.0.0.1', port=11211, time=0) Ensure that a memcached key is not present. name The key value None If specified, only ensure that the key is absent if it matches the specified value. host The memcached server IP address port The memcached server port foo: memcached.absent bar: memcached.absent: - host: 10.0.0.1 salt.states.memcached.managed(name, value=None, host='127.0.0.1', port=11211, time=0, min_compress_len=0) Manage a memcached key. name The key to manage value The value to set for that key host The memcached server IP address port The memcached server port foo: memcached.managed: - value: bar salt.states.modjk State to control Apache modjk salt.states.modjk.worker_activated(name, workers=None, profile='default') Activate all the workers in the modjk load balancer Example: loadbalancer: modjk.worker_activated: - workers: - app1 - app2 salt.states.modjk.worker_disabled(name, workers=None, profile='default') Disable all the workers in the modjk load balancer Example: loadbalancer: modjk.worker_disabled: - workers: - app1 - app2 salt.states.modjk.worker_recover(name, workers=None, profile='default') Recover all the workers in the modjk load balancer Example: loadbalancer: modjk.worker_recover: - workers: - app1 - app2 salt.states.modjk.worker_stopped(name, workers=None, profile='default') Stop all the workers in the modjk load balancer Example: loadbalancer: modjk.worker_stopped: - workers: - app1 - app2 salt.states.modjk_worker Manage modjk workers Send commands to a modjk load balancer via the peer system. This module can be used with the prereq requisite to remove/add the worker from the load balancer before deploying/restarting service. Mandatory Settings: • The minion needs to have permission to publish the modjk.* functions (see here for information on configuring peer publishing permissions) • The modjk load balancer must be configured as stated in the modjk execution module documentation salt.states.modjk_worker.activate(name, lbn, target, profile='default', expr_form='glob') Activate the named worker from the lbn load balancers at the targeted minions Example: disable-before-deploy: modjk_worker.activate: - name: {{ grains['id'] }} - lbn: application - target: 'roles:balancer' - expr_form: grain salt.states.modjk_worker.disable(name, lbn, target, profile='default', expr_form='glob') Disable the named worker from the lbn load balancers at the targeted minions. The worker will get traffic only for current sessions and won't get new ones. Example: disable-before-deploy: modjk_worker.disable: - name: {{ grains['id'] }} - lbn: application - target: 'roles:balancer' - expr_form: grain salt.states.modjk_worker.stop(name, lbn, target, profile='default', expr_form='glob') Stop the named worker from the lbn load balancers at the targeted minions The worker won't get any traffic from the lbn Example: disable-before-deploy: modjk_worker.stop: - name: {{ grains['id'] }} - lbn: application - target: 'roles:balancer' - expr_form: grain salt.states.module Execution of Salt modules from within states These states allow individual execution module calls to be made via states. To call a single module function use a module.run state: mine.send: module.run: - name: network.interfaces Note that this example is probably unnecessary to use in practice, since the mine_functions and mine_interval config parameters can be used to schedule updates for the mine (see here for more info). It is sometimes desirable to trigger a function call after a state is executed, for this the module.wait state can be used: mine.send: module.wait: - name: network.interfaces - watch: - file: /etc/network/interfaces All arguments that the module state does not consume are passed through to the execution module function being executed: fetch_out_of_band: module.run: - name: git.fetch - cwd: /path/to/my/repo - user: myuser - opts: '--all' Due to how the state system works, if a module function accepts an argument called, name, then m_name must be used to specify that argument, to avoid a collision with the name argument. Here is a list of keywords hidden by the state system, which must be prefixed with m_: • fun • name • names • state For example: disable_nfs: module.run: - name: service.disable - m_name: nfs Note that some modules read all or some of the arguments from a list of keyword arguments. For example: mine.send: module.run: - func: network.ip_addrs - kwargs: interface: eth0 cloud.create: module.run: - func: cloud.create - provider: test-provider - m_names: - test-vlad - kwargs: { ssh_username: 'ubuntu', image: 'ami-8d6d9daa', securitygroup: 'default', size: 'c3.large', location: 'ap-northeast-1', delvol_on_destroy: 'True' } salt.states.module.mod_watch(name, **kwargs) This function is an alias of run. Run a single module function name The module function to execute returner Specify the returner to send the return of the module execution to **kwargs Pass any arguments needed to execute the function salt.states.module.run(name, **kwargs) Run a single module function name The module function to execute returner Specify the returner to send the return of the module execution to **kwargs Pass any arguments needed to execute the function salt.states.module.wait(name, **kwargs) Run a single module function only if the watch statement calls it name The module function to execute **kwargs Pass any arguments needed to execute the function NOTE: Like the cmd.run state, this state will return True but not actually execute, unless one of the following two things happens: 1. The state has a watch requisite, and the state which it is watching changes. 2. Another state has a watch_in requisite which references this state, and the state wth the watch_in changes. salt.states.mongodb_database Management of Mongodb databases Only deletion is supported, creation doesn't make sense and can be done using mongodb_user.present salt.states.mongodb_database.absent(name, user=None, password=None, host=None, port=None) Ensure that the named database is absent name The name of the database to remove user The user to connect as (must be able to create the user) password The password of the user host The host to connect to port The port to connect to salt.states.mongodb_user Management of Mongodb users NOTE: This module requires PyMongo to be installed. salt.states.mongodb_user.absent(name, user=None, password=None, host=None, port=None, database='admin') Ensure that the named user is absent name The name of the user to remove user MongoDB user with sufficient privilege to create the user password Password for the admin user specified by the user parameter host The hostname/IP address of the MongoDB server port The port on which MongoDB is listening database The database from which to remove the user specified by the name parameter salt.states.mongodb_user.present(name, passwd, database='admin', user=None, password=None, host='localhost', port=27017) Ensure that the user is present with the specified properties name The name of the user to manage passwd The password of the user to manage user MongoDB user with sufficient privilege to create the user password Password for the admin user specified with the user parameter host The hostname/IP address of the MongoDB server port The port on which MongoDB is listening database The database in which to create the user NOTE: If the database doesn't exist, it will be created. Example: mongouser-myapp: mongodb_user.present: - name: myapp - passwd: password-of-myapp # Connect as admin:sekrit - user: admin - password: sekrit salt.states.monit Monit state Manage monit states monit_enable_service_monitoring: monit.monitor: • name: service monit_disable_service_monitoring: monit.unmonitor: • name: service NOTE: Use of these states require that the monit execution module is available. salt.states.monit.monitor(name) Get the summary from module monit and try to see if service is being monitored. If not then monitor the service. salt.states.monit.unmonitor(name) Get the summary from module monit and try to see if service is being monitored. If it is then stop monitoring the service. salt.states.mount Mounting of filesystems Mount any type of mountable filesystem with the mounted function: /mnt/sdb: mount.mounted: - device: /dev/sdb1 - fstype: ext4 - mkmnt: True - opts: - defaults /srv/bigdata: mount.mounted: - device: UUID=066e0200-2867-4ebe-b9e6-f30026ca2314 - fstype: xfs - opts: nobootwait,noatime,nodiratime,nobarrier,logbufs=8 - dump: 0 - pass_num: 2 - persist: True - mkmnt: True salt.states.mount.mod_watch(name, user=None, **kwargs) The mounted watcher, called to invoke the watch command. name The name of the mount point salt.states.mount.mounted(name, device, fstype, mkmnt=False, opts='defaults', dump=0, pass_num=0, config='/etc/fstab', persist=True, mount=True, user=None, match_on='auto', hidden_opts=None) Verify that a device is mounted name The path to the location where the device is to be mounted device The device name, typically the device node, such as /dev/sdb1 or UUID=066e0200-2867-4ebe-b9e6-f30026ca2314 or LABEL=DATA fstype The filesystem type, this will be xfs, ext2/3/4 in the case of classic filesystems, and fuse in the case of fuse mounts mkmnt If the mount point is not present then the state will fail, set mkmnt: True to create the mount point if it is otherwise not present opts A list object of options or a comma delimited list dump The dump value to be passed into the fstab, Default is 0 pass_num The pass value to be passed into the fstab, Default is 0 config Set an alternative location for the fstab, Default is /etc/fstab persist Set if the mount should be saved in the fstab, Default is True mount Set if the mount should be mounted immediately, Default is True user The user to own the mount; this defaults to the user salt is running as on the minion match_on A name or list of fstab properties on which this state should be applied. Default is auto, a special value indicating to guess based on fstype. In general, auto matches on name for recognized special devices and device otherwise. hidden_opts A list of mount options that will be ignored when considering a remount as part of the state application New in version 2015.8.2. salt.states.mount.swap(name, persist=True, config='/etc/fstab') Activates a swap device /root/swapfile: mount.swap NOTE: swap does not currently support LABEL salt.states.mount.unmounted(name, device=None, config='/etc/fstab', persist=False, user=None) New in version 0.17.0. Verify that a device is not mounted name The path to the location where the device is to be unmounted from device The device to be unmounted. This is optional because the device could be mounted in multiple places. New in version 2015.5.0. config Set an alternative location for the fstab, Default is /etc/fstab persist Set if the mount should be purged from the fstab, Default is False user The user to own the mount; this defaults to the user salt is running as on the minion salt.states.mysql_database Management of MySQL databases (schemas) depends • MySQLdb Python module configuration See salt.modules.mysql for setup instructions. The mysql_database module is used to create and manage MySQL databases. Databases can be set as either absent or present. frank: mysql_database.present salt.states.mysql_database.absent(name, **connection_args) Ensure that the named database is absent name The name of the database to remove salt.states.mysql_database.present(name, **connection_args) Ensure that the named database is present with the specified properties name The name of the database to manage salt.states.mysql_grants Management of MySQL grants (user permissions) depends • MySQLdb Python module configuration See salt.modules.mysql for setup instructions. The mysql_grants module is used to grant and revoke MySQL permissions. The name you pass in purely symbolic and does not have anything to do with the grant itself. The database parameter needs to specify a 'priv_level' in the same specification as defined in the MySQL documentation: • * • *.* • db_name.* • db_name.tbl_name • etc... This state is not able to set password for the permission from the specified host. See salt.states.mysql_user for further instructions. frank_exampledb: mysql_grants.present: - grant: select,insert,update - database: exampledb.* - user: frank - host: localhost frank_otherdb: mysql_grants.present: - grant: all privileges - database: otherdb.* - user: frank restricted_singletable: mysql_grants.present: - grant: select - database: somedb.sometable - user: joe salt.states.mysql_grants.absent(name, grant=None, database=None, user=None, host='localhost', grant_option=False, escape=True, **connection_args) Ensure that the grant is absent name The name (key) of the grant to add grant The grant priv_type (i.e. select,insert,update OR all privileges) database The database priv_level (i.e. db.tbl OR db.*) user The user to apply the grant to host The network/host that the grant should apply to salt.states.mysql_grants.present(name, grant=None, database=None, user=None, host='localhost', grant_option=False, escape=True, revoke_first=False, ssl_option=False, **connection_args) Ensure that the grant is present with the specified properties name The name (key) of the grant to add grant The grant priv_type (i.e. select,insert,update OR all privileges) database The database priv_level (i.e. db.tbl OR db.*) user The user to apply the grant to host The network/host that the grant should apply to grant_option Adds the WITH GRANT OPTION to the defined grant. Default is False escape Defines if the database value gets escaped or not. Default is True revoke_first By default, MySQL will not do anything if you issue a command to grant privileges that are more restrictive than what's already in place. This effectively means that you cannot downgrade permissions without first revoking permissions applied to a db.table/user pair first. To have Salt forcibly revoke perms before applying a new grant, enable the 'revoke_first options. WARNING: This will remove permissions for a database before attempting to apply new permissions. There is no guarantee that new permissions will be applied correctly which can leave your database security in an unknown and potentially dangerous state. Use with caution! Default is False ssl_option Adds the specified ssl options for the connecting user as requirements for this grant. Value is a list of single-element dicts corresponding to the list of ssl options to use. Possible key/value pairings for the dicts in the value: - SSL: True - X509: True - SUBJECT: <subject> - ISSUER: <issuer> - CIPHER: <cipher> The non-boolean ssl options take a string as their values, which should be an appropriate value as specified by the MySQL documentation for these options. Default is False (no ssl options will be used) salt.states.mysql_query Execution of MySQL queries New in version 2014.7.0. depends • MySQLdb Python module configuration See salt.modules.mysql for setup instructions. The mysql_query module is used to execute queries on MySQL databases. Its output may be stored in a file or in a grain. query_id: mysql_query.run - database: my_database - query: "SELECT * FROM table;" - output: "/tmp/query_id.txt" salt.states.mysql_query.run(name, database, query, output=None, grain=None, key=None, overwrite=True, **connection_args) Execute an arbitrary query on the specified database name Used only as an ID database The name of the database to execute the query on query The query to execute output grain: output in a grain other: the file to store results None: output to the result comment (default) grain: grain to store the output (need output=grain) key: the specified grain will be treated as a dictionary, the result of this state will be stored under the specified key. overwrite: The file or grain will be overwritten if it already exists (default) salt.states.mysql_user Management of MySQL users depends • MySQLdb Python module configuration See salt.modules.mysql for setup instructions. frank: mysql_user.present: - host: localhost - password: bobcat New in version 0.16.2: Authentication overrides have been added. The MySQL authentication information specified in the minion config file can be overridden in states using the following arguments: connection_host, connection_port, connection_user, connection_pass, connection_db, connection_unix_socket, connection_default_file and connection_charset. frank: mysql_user.present: - host: localhost - password: "bob@cat" - connection_user: someuser - connection_pass: somepass - connection_charset: utf8 - saltenv: - LC_ALL: "en_US.utf8" This state is not able to grant permissions for the user. See salt.states.mysql_grants for further instructions. salt.states.mysql_user.absent(name, host='localhost', **connection_args) Ensure that the named user is absent name The name of the user to remove salt.states.mysql_user.present(name, host='localhost', password=None, password_hash=None, allow_passwordless=False, unix_socket=False, **connection_args) Ensure that the named user is present with the specified properties. A passwordless user can be configured by omitting password and password_hash, and setting allow_passwordless to True. name The name of the user to manage host Host for which this user/password combo applies password The password to use for this user. Will take precedence over the password_hash option if both are specified. password_hash The password in hashed form. Be sure to quote the password because YAML doesn't like the *. A password hash can be obtained from the mysql command-line client like so: mysql> SELECT PASSWORD('mypass'); +-------------------------------------------+ | PASSWORD('mypass') | +-------------------------------------------+ | *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 | +-------------------------------------------+ 1 row in set (0.00 sec) allow_passwordless If True, then password and password_hash can be omitted to permit a passwordless login. New in version 0.16.2. unix_socket If True and allow_passwordless is True, the unix_socket auth plugin will be used. salt.states.network Configuration of network interfaces The network module is used to create and manage network settings, interfaces can be set as either managed or ignored. By default all interfaces are ignored unless specified. NOTE: Prior to version 2014.1.0, only RedHat-based systems (RHEL, CentOS, Scientific Linux, etc.) are supported. Support for Debian/Ubuntu is new in 2014.1.0 and should be considered experimental. Other platforms are not yet supported. system: network.system: - enabled: True - hostname: server1.example.com - gateway: 192.168.0.1 - gatewaydev: eth0 - nozeroconf: True - nisdomain: example.com - require_reboot: True eth0: network.managed: - enabled: True - type: eth - proto: none - ipaddr: 10.1.0.1 - netmask: 255.255.255.0 - dns: - 8.8.8.8 - 8.8.4.4 eth0-range0: network.managed: - type: eth - ipaddr_start: 192.168.1.1 - ipaddr_end: 192.168.1.10 - clonenum_start: 10 - mtu: 9000 bond0-range0: network.managed: - type: eth - ipaddr_start: 192.168.1.1 - ipaddr_end: 192.168.1.10 - clonenum_start: 10 - mtu: 9000 eth1.0-range0: network.managed: - type: eth - ipaddr_start: 192.168.1.1 - ipaddr_end: 192.168.1.10 - clonenum_start: 10 - vlan: True - mtu: 9000 bond0.1-range0: network.managed: - type: eth - ipaddr_start: 192.168.1.1 - ipaddr_end: 192.168.1.10 - clonenum_start: 10 - vlan: True - mtu: 9000 .. note:: add support of ranged interfaces (vlan, bond and eth) for redhat system, Important:type must be eth. routes: network.routes: - name: eth0 - routes: - name: secure_network ipaddr: 10.2.0.0 netmask: 255.255.255.0 gateway: 10.1.0.3 - name: HQ_network ipaddr: 10.100.0.0 netmask: 255.255.0.0 gateway: 10.1.0.10 eth2: network.managed: - enabled: True - type: slave - master: bond0 eth3: network.managed: - enabled: True - type: slave - master: bond0 eth4: network.managed: - enabled: True - type: eth - proto: dhcp - bridge: br0 bond0: network.managed: - type: bond - ipaddr: 10.1.0.1 - netmask: 255.255.255.0 - mode: active-backup - proto: static - dns: - 8.8.8.8 - 8.8.4.4 - ipv6: - enabled: False - slaves: eth2 eth3 - require: - network: eth2 - network: eth3 - miimon: 100 - arp_interval: 250 - downdelay: 200 - lacp_rate: fast - max_bonds: 1 - updelay: 0 - use_carrier: on - xmit_hash_policy: layer2 - mtu: 9000 - autoneg: on - speed: 1000 - duplex: full - rx: on - tx: off - sg: on - tso: off - ufo: off - gso: off - gro: off - lro: off bond0.2: network.managed: - type: vlan - ipaddr: 10.1.0.2 - use: - network: bond0 - require: - network: bond0 bond0.3: network.managed: - type: vlan - ipaddr: 10.1.0.3 - use: - network: bond0 - require: - network: bond0 bond0.10: network.managed: - type: vlan - ipaddr: 10.1.0.4 - use: - network: bond0 - require: - network: bond0 bond0.12: network.managed: - type: vlan - ipaddr: 10.1.0.5 - use: - network: bond0 - require: - network: bond0 br0: network.managed: - enabled: True - type: bridge - proto: dhcp - bridge: br0 - delay: 0 - ports: eth4 - bypassfirewall: True - use: - network: eth4 - require: - network: eth4 system: network.system: - enabled: True - hostname: server1.example.com - gateway: 192.168.0.1 - gatewaydev: eth0 - nozeroconf: True - nisdomain: example.com - require_reboot: True - apply_hostname: True lo: network.managed: - name: lo - type: eth - onboot: yes - userctl: no - ipv6_autoconf: no - enable_ipv6: true - ipaddrs: - 127.0.0.1/8 - 10.1.0.4/32 - 10.1.0.12/32 - ipv6addrs: - fc00::1/128 - fc00::100/128 .. note:: Apply changes to hostname immediately. .. versionadded:: 2015.5.0 NOTE: When managing bridged interfaces on a Debian or Ubuntu based system, the ports argument is required. Red Hat systems will ignore the argument. salt.states.network.managed(name, type, enabled=True, **kwargs) Ensure that the named interface is configured properly. name The name of the interface to manage type Type of interface and configuration. enabled Designates the state of this interface. kwargs The IP parameters for this interface. salt.states.network.routes(name, **kwargs) Manage network interface static routes. name Interface name to apply the route to. kwargs Named routes salt.states.network.system(name, **kwargs) Ensure that global network settings are configured properly. name Custom name to represent this configuration change. kwargs The global parameters for the system. salt.states.nftables Management of nftables This is an nftables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state. httpd: nftables.append: - table: filter - chain: input - jump: accept - match: state - connstate: new - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: nftables.append: - table: filter - family: ipv6 - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: nftables.insert: - position: 1 - table: filter - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: nftables.insert: - position: 1 - table: filter - family: ipv6 - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: nftables.delete: - table: filter - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: nftables.delete: - position: 1 - table: filter - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True httpd: nftables.delete: - table: filter - family: ipv6 - chain: INPUT - jump: ACCEPT - match: state - connstate: NEW - dport: 80 - proto: tcp - sport: 1025:65535 - save: True salt.states.nftables.append(name, family='ipv4', **kwargs) New in version 0.17.0. Append a rule to a chain name A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule. family Network family, ipv4 or ipv6. All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate). salt.states.nftables.chain_absent(name, table='filter', family='ipv4') New in version 2014.7.0. Verify the chain is absent. family Networking family, either ipv4 or ipv6 salt.states.nftables.chain_present(name, table='filter', table_type=None, hook=None, priority=None, family='ipv4') New in version 2014.7.0. Verify the chain is exist. name A user-defined chain name. table The table to own the chain. family Networking family, either ipv4 or ipv6 salt.states.nftables.delete(name, family='ipv4', **kwargs) New in version 2014.7.0. Delete a rule to a chain name A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule. family Networking family, either ipv4 or ipv6 All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate). salt.states.nftables.flush(name, family='ipv4', **kwargs) New in version 2014.7.0. Flush current nftables state family Networking family, either ipv4 or ipv6 salt.states.nftables.insert(name, family='ipv4', **kwargs) New in version 2014.7.0. Insert a rule into a chain name A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule. family Networking family, either ipv4 or ipv6 All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate). salt.states.npm Installation of NPM Packages These states manage the installed packages for node.js using the Node Package Manager (npm). Note that npm must be installed for these states to be available, so npm states should include a requisite to a pkg.installed state for the package which provides npm (simply npm in most cases). Example: npm: pkg.installed yaml: npm.installed: - require: - pkg: npm salt.states.npm.bootstrap(name, user=None, silent=True) Bootstraps a node.js application. Will execute 'npm install --json' on the specified directory. user The user to run NPM with New in version 0.17.0. salt.states.npm.installed(name, pkgs=None, dir=None, user=None, force_reinstall=False, registry=None, env=None) Verify that the given package is installed and is at the correct version (if specified). coffee-script: npm.installed: - user: someuser coffee-script@1.0.1: npm.installed: [] name The package to install Changed in version 2014.7.2: This parameter is no longer lowercased by salt so that case-sensitive NPM package names will work. pkgs A list of packages to install with a single npm invocation; specifying this argument will ignore the name argument New in version 2014.7.0. dir The target directory in which to install the package, or None for global installation user The user to run NPM with New in version 0.17.0. registry The NPM registry from which to install the package New in version 2014.7.0. env A list of environment variables to be set prior to execution. The format is the same as the cmd.run. state function. New in version 2014.7.0. force_reinstall Install the package even if it is already installed salt.states.npm.removed(name, dir=None, user=None) Verify that the given package is not installed. dir The target directory in which to install the package, or None for global installation user The user to run NPM with New in version 0.17.0. salt.states.ntp Management of NTP servers New in version 2014.1.0. This state is used to manage NTP servers. Currently only Windows is supported. win_ntp: ntp.managed: - servers: - pool.ntp.org - us.pool.ntp.org salt.states.ntp.managed(name, servers=None) Manage NTP servers servers A list of NTP servers salt.states.openstack_config Manage OpenStack configuration file settings. maintainer Jeffrey C. Ollie <jeff@ocjtech.us> maturity new depends platform linux salt.states.openstack_config.absent(name, filename, section, parameter=None) Ensure a value is not set in an OpenStack configuration file. filename The full path to the configuration file section The section in which the parameter will be set parameter (optional) The parameter to change. If the parameter is not supplied, the name will be used as the parameter. salt.states.openstack_config.present(name, filename, section, value, parameter=None) Ensure a value is set in an OpenStack configuration file. filename The full path to the configuration file section The section in which the parameter will be set parameter (optional) The parameter to change. If the parameter is not supplied, the name will be used as the parameter. value The value to set salt.states.pagerduty Create an Event in PagerDuty New in version 2014.1.0. This state is useful for creating events on the PagerDuty service during state runs. server-warning-message: pagerduty.create_event: - name: 'This is a server warning message' - details: 'This is a much more detailed message' - service_key: 9abcd123456789efabcde362783cdbaf - profile: my-pagerduty-account salt.states.pagerduty.create_event(name, details, service_key, profile) Create an event on the PagerDuty service server-warning-message: pagerduty.create_event: - name: 'This is a server warning message' - details: 'This is a much more detailed message' - service_key: 9abcd123456789efabcde362783cdbaf - profile: my-pagerduty-account The following parameters are required: name This is a short description of the event. details This can be a more detailed description of the event. service_key This key can be found by using pagerduty.list_services. profile This refers to the configuration profile to use to connect to the PagerDuty service. salt.states.pagerduty_escalation_policy Manage PagerDuty escalation policies. Schedules and users can be referenced by pagerduty ID, or by name, or by email address. For example: ensure test escalation policy: pagerduty_escalation_policy.present: - name: bruce test escalation policy - escalation_rules: - targets: - type: schedule id: 'bruce test schedule level1' - type: user id: 'Bruce Sherrod' escalation_delay_in_minutes: 15 - targets: - type: schedule id: 'bruce test schedule level2' escalation_delay_in_minutes: 15 - targets: - type: user id: 'Bruce TestUser1' - type: user id: 'Bruce TestUser2' - type: user id: 'Bruce TestUser3' - type: user id: 'bruce+test4@lyft.com' escalation_delay_in_minutes: 15 salt.states.pagerduty_escalation_policy.absent(profile='pagerduty', subdomain=None, api_key=None, **kwargs) Ensure that a PagerDuty escalation policy does not exist. Accepts all the arguments that pagerduty_escalation_policy.present accepts; but ignores all arguments except the name. Name can be the escalation policy id or the escalation policy name. salt.states.pagerduty_escalation_policy.present(profile='pagerduty', subdomain=None, api_key=None, **kwargs) Ensure that a pagerduty escalation policy exists. Will create or update as needed. This method accepts as args everything defined in https://developer.pagerduty.com/documentation/rest/escalation_policies/create. In additonal, user and schedule id's will be translated from name (or email address) into PagerDuty unique ids. For example: pagerduty_escalation_policy.present: • name: bruce test escalation policy • escalation_rules: • targets: • type: schedule id: 'bruce test schedule level1' • type: user id: 'Bruce Sherrod' In this example, 'Bruce Sherrod' will be looked up and replaced with the PagerDuty id (usually a 7 digit all-caps string, e.g. PX6GQL7) salt.states.pagerduty_schedule Manage PagerDuty schedules. Example: ensure test schedule: pagerduty_schedule.present: • name: 'bruce test schedule level1' • schedule: name: 'bruce test schedule level1' time_zone: 'Pacific Time (US & Canada)' schedule_layers: • name: 'Schedule Layer 1' start: '2015-01-01T00:00:00' users: • user: 'id': 'Bruce TestUser1' member_order: 1 • user: 'id': 'Bruce TestUser2' member_order: 2 • user: 'id': 'bruce+test3@lyft.com' member_order: 3 • user: 'id': 'bruce+test4@lyft.com' member_order: 4 rotation_virtual_start: '2015-01-01T00:00:00' priority: 1 rotation_turn_length_seconds: 604800 salt.states.pagerduty_schedule.absent(profile='pagerduty', subdomain=None, api_key=None, **kwargs) Ensure that a pagerduty schedule does not exist. Name can be pagerduty schedule id or pagerduty schedule name. salt.states.pagerduty_schedule.present(profile='pagerduty', subdomain=None, api_key=None, **kwargs) Ensure that a pagerduty schedule exists. This method accepts as args everything defined in https://developer.pagerduty.com/documentation/rest/schedules/create. This means that most arguments are in a dict called "schedule." User id's can be pagerduty id, or name, or email address. salt.states.pagerduty_service Manage PagerDuty services Escalation policies can be referenced by pagerduty ID or by namea. For example: ensure test service pagerduty_service.present: • name: 'my service' • escalation_policy_id: 'my escalation policy' • type: nagios [etc] salt.states.pagerduty_service.absent(profile='pagerduty', subdomain=None, api_key=None, **kwargs) Ensure a pagerduty service does not exist. Name can be the service name or pagerduty service id. salt.states.pagerduty_service.present(profile='pagerduty', subdomain=None, api_key=None, **kwargs) Ensure pagerduty service exists. This method accepts as arguments everything defined in https://developer.pagerduty.com/documentation/rest/services/create Note that many arguments are mutually exclusive, depending on the "type" argument. Examples: # create a PagerDuty email service at test-email@DOMAIN.pagerduty.com ensure generic email service exists: pagerduty_service.present: • name: my email service • service: description: "email service controlled by salt" escalation_policy_id: "my escalation policy" type: "generic_email" service_key: "test-email" # create a pagerduty service using cloudwatch integration ensure my cloudwatch service exists: pagerduty_service.present: • name: my cloudwatch service • service: escalation_policy_id: "my escalation policy" type: aws_cloudwatch description: "my cloudwatch service controlled by salt" TODO: aws_cloudwatch type should be integrated with boto_sns salt.states.pagerduty_user Manage PagerDuty users. Example: ensure bruce test user 1: pagerduty.user_present: • name: 'Bruce TestUser1' • email: bruce+test1@lyft.com • requester_id: P1GV5NT salt.states.pagerduty_user.absent(profile='pagerduty', subdomain=None, api_key=None, **kwargs) Ensure pagerduty user does not exist. Name can be pagerduty id, email address, or user name. salt.states.pagerduty_user.present(profile='pagerduty', subdomain=None, api_key=None, **kwargs) Ensure pagerduty user exists. Arguments match those supported by https://developer.pagerduty.com/documentation/rest/users/create. salt.states.pecl Installation of PHP Extensions Using pecl These states manage the installed pecl extensions. Note that php-pear must be installed for these states to be available, so pecl states should include a requisite to a pkg.installed state for the package which provides pecl (php-pear in most cases). Example: php-pear: pkg.installed mongo: pecl.installed: - require: - pkg: php-pear salt.states.pecl.installed(name, version=None, defaults=False, force=False, preferred_state='stable') New in version 0.17.0. Make sure that a pecl extension is installed. name The pecl extension name to install version The pecl extension version to install. This option may be ignored to install the latest stable version. defaults Use default answers for extensions such as pecl_http which ask questions before installation. Without this option, the pecl.installed state will hang indefinitely when trying to install these extensions. force Whether to force the installed version or not preferred_state The pecl extension state to install salt.states.pecl.removed(name) Make sure that a pecl extension is not installed. name The pecl extension name to uninstall salt.states.pip_state Installation of Python Packages Using pip These states manage system installed python packages. Note that pip must be installed for these states to be available, so pip states should include a requisite to a pkg.installed state for the package which provides pip (python-pip in most cases). Example: python-pip: pkg.installed virtualenvwrapper: pip.installed: - require: - pkg: python-pip salt.states.pip_state.installed(name, pkgs=None, pip_bin=None, requirements=None, env=None, bin_env=None, use_wheel=False, no_use_wheel=False, log=None, proxy=None, timeout=None, repo=None, editable=None, find_links=None, index_url=None, extra_index_url=None, no_index=False, mirrors=None, build=None, target=None, download=None, download_cache=None, source=None, upgrade=False, force_reinstall=False, ignore_installed=False, exists_action=None, no_deps=False, no_install=False, no_download=False, install_options=None, global_options=None, user=None, no_chown=False, cwd=None, activate=False, pre_releases=False, cert=None, allow_all_external=False, allow_external=None, allow_unverified=None, process_dependency_links=False, env_vars=None, use_vt=False, trusted_host=None) Make sure the package is installed name The name of the python package to install. You can also specify version numbers here using the standard operators ==, >=, <=. If requirements is given, this parameter will be ignored. Example: django: pip.installed: - name: django >= 1.6, <= 1.7 - require: - pkg: python-pip This will install the latest Django version greater than 1.6 but less than 1.7. requirements Path to a pip requirements file. If the path begins with salt:// the file will be transferred from the master file server. user The user under which to run pip use_wheel False Prefer wheel archives (requires pip>=1.4) no_use_wheel False Force to not use wheel archives (requires pip>=1.4) log Log file where a complete (maximum verbosity) record will be kept proxy Specify a proxy in the form user:passwd@proxy.server:port. Note that the user:password@ is optional and required only if you are behind an authenticated proxy. If you provide user@proxy.server:port then you will be prompted for a password. timeout Set the socket timeout (default 15 seconds) editable install something editable (i.e. git+https://github.com/worldcompany/djangoembed.git#egg=djangoembed) find_links URL to look for packages at index_url Base URL of Python Package Index extra_index_url Extra URLs of package indexes to use in addition to index_url no_index Ignore package index mirrors Specific mirror URL(s) to query (automatically adds --use-mirrors) build Unpack packages into build dir target Install packages into target dir download Download packages into download instead of installing them download_cache Cache downloaded packages in download_cache dir source Check out editable packages into source dir upgrade Upgrade all packages to the newest available version force_reinstall When upgrading, reinstall all packages even if they are already up-to-date. ignore_installed Ignore the installed packages (reinstalling instead) exists_action Default action when a path already exists: (s)witch, (i)gnore, (w)ipe, (b)ackup no_deps Ignore package dependencies no_install Download and unpack all packages, but don't actually install them no_chown When user is given, do not attempt to copy and chown a requirements file cwd Current working directory to run pip from activate Activates the virtual environment, if given via bin_env, before running install. Deprecated since version 2014.7.2: If bin_env is given, pip will already be sourced from that virualenv, making activate effectively a noop. pre_releases Include pre-releases in the available versions cert Provide a path to an alternate CA bundle allow_all_external Allow the installation of all externally hosted files allow_external Allow the installation of externally hosted files (comma separated list) allow_unverified Allow the installation of insecure and unverifiable files (comma separated list) process_dependency_links Enable the processing of dependency links bin_env None Absolute path to a virtual environment directory or absolute path to a pip executable. The example below assumes a virtual environment has been created at /foo/.virtualenvs/bar. env_vars Add or modify environment variables. Useful for tweaking build steps, such as specifying INCLUDE or LIBRARY paths in Makefiles, build scripts or compiler calls. This must be in the form of a dictionary or a mapping. Example: django: pip.installed: - name: django_app - env_vars: CUSTOM_PATH: /opt/django_app VERBOSE: True use_vt Use VT terminal emulation (see ouptut while installing) trusted_host Mark this host as trusted, even though it does not have valid or any HTTPS. Example: django: pip.installed: - name: django >= 1.6, <= 1.7 - bin_env: /foo/.virtualenvs/bar - require: - pkg: python-pip Or Example: django: pip.installed: - name: django >= 1.6, <= 1.7 - bin_env: /foo/.virtualenvs/bar/bin/pip - require: - pkg: python-pip Attention The following arguments are deprecated, do not use. pip_bin None Deprecated, use bin_env env None Deprecated, use bin_env Changed in version 0.17.0: use_wheel option added. install_options Extra arguments to be supplied to the setup.py install command. If you are using an option with a directory path, be sure to use absolute path. Example: django: pip.installed: - name: django - install_options: - --prefix=/blah - require: - pkg: python-pip global_options Extra global options to be supplied to the setup.py call before the install command. New in version 2014.1.3. Attention As of Salt 0.17.0 the pip state needs an importable pip module. This usually means having the system's pip package installed or running Salt from an active virtualenv. The reason for this requirement is because pip already does a pretty good job parsing its own requirements. It makes no sense for Salt to do pip requirements parsing and validation before passing them to the pip library. It's functionality duplication and it's more error prone. Attention Please set reload_modules: True to have the salt minion import this module after installation. Example: pyopenssl: pip.installed: - name: pyOpenSSL - reload_modules: True - exists_action: i salt.states.pip_state.removed(name, requirements=None, bin_env=None, log=None, proxy=None, timeout=None, user=None, cwd=None, use_vt=False) Make sure that a package is not installed. name The name of the package to uninstall user The user under which to run pip bin_env None the pip executable or virtualenenv to use use_vt Use VT terminal emulation (see ouptut while installing) salt.states.pip_state.uptodate(name, bin_env=None, user=None, cwd=None, use_vt=False) New in version 2015.5.0. Verify that the system is completely up to date. name The name has no functional value and is only used as a tracking reference user The user under which to run pip bin_env the pip executable or virtualenenv to use use_vt Use VT terminal emulation (see ouptut while installing) salt.states.pkg Installation of packages using OS package managers such as yum or apt-get Salt can manage software packages via the pkg state module, packages can be set up to be installed, latest, removed and purged. Package management declarations are typically rather simple: vim: pkg.installed A more involved example involves pulling from a custom repository. base: pkgrepo.managed: - humanname: Logstash PPA - name: ppa:wolfnet/logstash - dist: precise - file: /etc/apt/sources.list.d/logstash.list - keyid: 28B04E4A - keyserver: keyserver.ubuntu.com logstash: pkg.installed - fromrepo: ppa:wolfnet/logstash Multiple packages can also be installed with the use of the pkgs state module dotdeb.repo: pkgrepo.managed: - humanname: Dotdeb - name: deb http://packages.dotdeb.org wheezy-php55 all - dist: wheezy-php55 - file: /etc/apt/sources.list.d/dotbeb.list - keyid: 89DF5277 - keyserver: keys.gnupg.net - refresh_db: true php.packages: pkg.installed: - fromrepo: wheezy-php55 - pkgs: - php5-fpm - php5-cli - php5-curl WARNING: Package names are currently case-sensitive. If the minion is using a package manager which is not case-sensitive (such as pkgng), then this state will fail if the proper case is not used. This will be addressed in a future release of Salt. salt.states.pkg.group_installed(name, skip=None, include=None, **kwargs) New in version 2015.8.0. Ensure that an entire package group is installed. This state is currently only supported for the yum package manager. skip Packages that would normally be installed by the package group ("default" packages), which should not be installed. Load Balancer: pkg.group_installed: - skip: - piranha include Packages which are included in a group, which would not normally be installed by a yum groupinstall ("optional" packages). Note that this will not enforce group membership; if you include packages which are not members of the specified groups, they will still be installed. Load Balancer: pkg.group_installed: - include: - haproxy Changed in version Boron: This option can no longer be passed as a comma-separated list, it must now be passed as a list (as shown in the above example). NOTE: Because this is essentially a wrapper around pkg.install, any argument which can be passed to pkg.install may also be included here, and it will be passed on to the call to pkg.install. salt.states.pkg.installed(name, version=None, refresh=None, fromrepo=None, skip_verify=False, skip_suggestions=False, pkgs=None, sources=None, allow_updates=False, pkg_verify=False, normalize=True, **kwargs) Ensure that the package is installed, and that it is the correct version (if specified). Parameters • name (str) -- The name of the package to be installed. This parameter is ignored if either "pkgs" or "sources" is used. Additionally, please note that this option can only be used to install packages from a software repository. To install a package file manually, use the "sources" option detailed below. • version (str) -- Install a specific version of a package. This option is ignored if "sources" is used. Currently, this option is supported for the following pkg providers: apt, ebuild, pacman, yumpkg, and zypper. The version number includes the release designation where applicable, to allow Salt to target a specific release of a given version. When in doubt, using the pkg.latest_version function for an uninstalled package will tell you the version available. # salt myminion pkg.latest_version httpd myminion: 2.2.15-30.el6.centos Also, while this function is not yet implemented for all pkg frontends, pkg.list_repo_pkgs will show all versions available in the various repositories for a given package, irrespective of whether or not it is installed. # salt myminion pkg.list_repo_pkgs httpd myminion: ---------- base: |_ ---------- httpd: 2.2.15-29.el6.centos updates: |_ ---------- httpd: 2.2.15-30.el6.centos The version strings returned by either of these functions can be used as version specifiers in pkg states. You can install a specific version when using the pkgs argument by including the version after the package: common_packages: pkg.installed: - pkgs: - unzip - dos2unix - salt-minion: 2015.8.5-1.el6 • refresh (bool) -- Update the repo database of available packages prior to installing the requested package. • fromrepo (str) -- Specify a repository from which to install NOTE: Distros which use APT (Debian, Ubuntu, etc.) do not have a concept of repositories, in the same way as YUM-based distros do. When a source is added, it is assigned to a given release. Consider the following source configuration: deb http://ppa.launchpad.net/saltstack/salt/ubuntu precise main The packages provided by this source would be made available via the precise release, therefore fromrepo would need to be set to precise for Salt to install the package from this source. Having multiple sources in the same release may result in the default install candidate being newer than what is desired. If this is the case, the desired version must be specified using the version parameter. If the pkgs parameter is being used to install multiple packages in the same state, then instead of using version, use the method of version specification described in the Multiple Package Installation Options section below. Running the shell command apt-cache policy pkgname on a minion can help elucidate the APT configuration and aid in properly configuring states: root@saltmaster:~# salt ubuntu01 cmd.run 'apt-cache policy ffmpeg' ubuntu01: ffmpeg: Installed: (none) Candidate: 7:0.10.11-1~precise1 Version table: 7:0.10.11-1~precise1 0 500 http://ppa.launchpad.net/jon-severinsson/ffmpeg/ubuntu/ precise/main amd64 Packages 4:0.8.10-0ubuntu0.12.04.1 0 500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages 500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages 4:0.8.1-0ubuntu1 0 500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages The release is located directly after the source's URL. The actual release name is the part before the slash, so to install version 4:0.8.10-0ubuntu0.12.04.1 either precise-updates or precise-security could be used for the fromrepo value. • skip_verify (bool) -- Skip the GPG verification check for the package to be installed • skip_suggestions (bool) -- Force strict package naming. Disables lookup of package alternatives. New in version 2014.1.1. • pkgs (list) -- A list of packages to install from a software repository. All packages listed under pkgs will be installed via a single command. Example: mypkgs: pkg.installed: - pkgs: - foo - bar - baz - hold: True NOTE: For apt, ebuild, pacman, yumpkg, and zypper, version numbers can be specified in the pkgs argument. For example: mypkgs: pkg.installed: - pkgs: - foo - bar: 1.2.3-4 - baz Additionally, ebuild, pacman and zypper support the <, <=, >=, and > operators for more control over what versions will be installed. For Example: mypkgs: pkg.installed: - pkgs: - foo - bar: '>=1.2.3-4' - baz NOTE: When using comparison operators, the expression must be enclosed in quotes to avoid a YAML render error. With ebuild is also possible to specify a use flag list and/or if the given packages should be in package.accept_keywords file and/or the overlay from which you want the package to be installed. For example: mypkgs: pkg.installed: - pkgs: - foo: '~' - bar: '~>=1.2:slot::overlay[use,-otheruse]' - baz Multiple Package Installation Options: (not supported in Windows or pkgng) • sources (list) -- A list of packages to install, along with the source URI or local path from which to install each package. In the example below, foo, bar, baz, etc. refer to the name of the package, as it would appear in the output of the pkg.version or pkg.list_pkgs salt CLI commands. mypkgs: pkg.installed: - sources: - foo: salt://rpms/foo.rpm - bar: http://somesite.org/bar.rpm - baz: ftp://someothersite.org/baz.rpm - qux: /minion/path/to/qux.rpm • allow_updates (bool) -- Allow the package to be updated outside Salt's control (e.g. auto updates on Windows). This means a package on the Minion can have a newer version than the latest available in the repository without enforcing a re-installation of the package. New in version 2014.7.0. Example: httpd: pkg.installed: - fromrepo: mycustomrepo - skip_verify: True - skip_suggestions: True - version: 2.0.6~ubuntu3 - refresh: True - allow_updates: True - hold: False • pkg_verify (bool) -- New in version 2014.7.0. For requested packages that are already installed and would not be targeted for upgrade or downgrade, use pkg.verify to determine if any of the files installed by the package have been altered. If files have been altered, the reinstall option of pkg.install is used to force a reinstall. Types to ignore can be passed to pkg.verify (see example below). Currently, this option is supported for the following pkg providers: yumpkg. Examples: httpd: pkg.installed: - version: 2.2.15-30.el6.centos - pkg_verify: True mypkgs: pkg.installed: - pkgs: - foo - bar: 1.2.3-4 - baz - pkg_verify: - ignore_types: [config,doc] • normalize (bool) -- Normalize the package name by removing the architecture, if the architecture of the package is different from the architecture of the operating system. The ability to disable this behavior is useful for poorly-created packages which include the architecture as an actual part of the name, such as kernel modules which match a specific kernel version. New in version 2014.7.0. Example: gpfs.gplbin-2.6.32-279.31.1.el6.x86_64: pkg.installed: - normalize: False • kwargs -- These are specific to each OS. If it does not apply to the execution module for your OS, it is ignored. param bool hold Force the package to be held at the current installed version. Currently works with YUM & APT based systems. New in version 2014.7.0. param list names A list of packages to install from a software repository. Each package will be installed individually by the package manager. WARNING: Unlike pkgs, the names parameter cannot specify a version. In addition, it makes a separate call to the package management frontend to install each package, whereas pkgs makes just a single call. It is therefore recommended to use pkgs instead of names to install multiple packages, both for the additional features and the performance improvement that it brings. param bool install_recommends Whether to install the packages marked as recommended. Default is True. Currently only works with APT-based systems. New in version 2015.5.0. httpd: pkg.installed: - install_recommends: False param bool only_upgrade Only upgrade the packages, if they are already installed. Default is False. Currently only works with APT-based systems. New in version 2015.5.0. httpd: pkg.installed: - only_upgrade: True Returns A dictionary containing the state of the software installation Rtype dict salt.states.pkg.latest(name, refresh=None, fromrepo=None, skip_verify=False, pkgs=None, watch_flags=True, **kwargs) Ensure that the named package is installed and the latest available package. If the package can be updated, this state function will update the package. Generally it is better for the installed function to be used, as latest will update the package whenever a new package is available. name The name of the package to maintain at the latest available version. This parameter is ignored if "pkgs" is used. fromrepo Specify a repository from which to install skip_verify Skip the GPG verification check for the package to be installed refresh Update the repo database of available packages prior to installing the requested package. Multiple Package Installation Options: (Not yet supported for: Windows, FreeBSD, OpenBSD, MacOS, and Solaris pkgutil) pkgs A list of packages to maintain at the latest available version. mypkgs: pkg.latest: - pkgs: - foo - bar - baz install_recommends Whether to install the packages marked as recommended. Default is True. Currently only works with APT-based systems. New in version 2015.5.0. httpd: pkg.latest: - install_recommends: False only_upgrade Only upgrade the packages, if they are already installed. Default is False. Currently only works with APT-based systems. New in version 2015.5.0. httpd: pkg.latest: - only_upgrade: True salt.states.pkg.mod_aggregate(low, chunks, running) The mod_aggregate function which looks up all packages in the available low chunks and merges them into a single pkgs ref in the present low data salt.states.pkg.purged(name, version=None, pkgs=None, normalize=True, **kwargs) Verify that a package is not installed, calling pkg.purge if necessary to purge the package. All configuration files are also removed. name The name of the package to be purged. version The version of the package that should be removed. Don't do anything if the package is installed with an unmatching version. normalize True Normalize the package name by removing the architecture, if the architecture of the package is different from the architecture of the operating system. The ability to disable this behavior is useful for poorly-created packages which include the architecture as an actual part of the name, such as kernel modules which match a specific kernel version. New in version 2015.8.0. Multiple Package Options: pkgs A list of packages to purge. Must be passed as a python list. The name parameter will be ignored if this option is passed. It accepts version numbers as well. New in version 0.16.0. salt.states.pkg.removed(name, version=None, pkgs=None, normalize=True, **kwargs) Verify that a package is not installed, calling pkg.remove if necessary to remove the package. name The name of the package to be removed. version The version of the package that should be removed. Don't do anything if the package is installed with an unmatching version. normalize True Normalize the package name by removing the architecture, if the architecture of the package is different from the architecture of the operating system. The ability to disable this behavior is useful for poorly-created packages which include the architecture as an actual part of the name, such as kernel modules which match a specific kernel version. New in version 2015.8.0. Multiple Package Options: pkgs A list of packages to remove. Must be passed as a python list. The name parameter will be ignored if this option is passed. It accepts version numbers as well. New in version 0.16.0. salt.states.pkg.uptodate(name, refresh=False, **kwargs) New in version 2014.7.0. Verify that the system is completely up to date. name The name has no functional value and is only used as a tracking reference refresh refresh the package database before checking for new upgrades kwargs Any keyword arguments to pass through to pkg.upgrade. New in version 2015.5.0. salt.states.pkgbuild The pkgbuild state is the front of Salt package building backend. It automatically New in version 2015.8.0. salt_2015.5.2: pkgbuild.built: - runas: thatch - results: - salt-2015.5.2-2.el7.centos.noarch.rpm - salt-api-2015.5.2-2.el7.centos.noarch.rpm - salt-cloud-2015.5.2-2.el7.centos.noarch.rpm - salt-master-2015.5.2-2.el7.centos.noarch.rpm - salt-minion-2015.5.2-2.el7.centos.noarch.rpm - salt-ssh-2015.5.2-2.el7.centos.noarch.rpm - salt-syndic-2015.5.2-2.el7.centos.noarch.rpm - dest_dir: /tmp/pkg - spec: salt://pkg/salt/spec/salt.spec - template: jinja - deps: - salt://pkg/salt/sources/required_dependency.rpm - tgt: epel-7-x86_64 - sources: - salt://pkg/salt/sources/logrotate.salt - salt://pkg/salt/sources/README.fedora - salt://pkg/salt/sources/salt-2015.5.2.tar.gz - salt://pkg/salt/sources/salt-2015.5.2-tests.patch - salt://pkg/salt/sources/salt-api - salt://pkg/salt/sources/salt-api.service - salt://pkg/salt/sources/salt-master - salt://pkg/salt/sources/salt-master.service - salt://pkg/salt/sources/salt-minion - salt://pkg/salt/sources/salt-minion.service - salt://pkg/salt/sources/saltpkg.sls - salt://pkg/salt/sources/salt-syndic - salt://pkg/salt/sources/salt-syndic.service - salt://pkg/salt/sources/SaltTesting-2015.5.8.tar.gz /tmp/pkg: pkgbuild.repo salt.states.pkgbuild.built(name, runas, dest_dir, spec, sources, tgt, template=None, deps=None, env=None, results=None, force=False, always=None, saltenv='base', log_dir='/var/log/salt/pkgbuild') Ensure that the named package is built and exists in the named directory name The name to track the build, the name value is otherwise unused runas The user to run the build process as dest_dir The directory on the minion to place the built package(s) spec The location of the spec file (used for rpms) sources The list of package sources tgt The target platform to run the build on template Run the spec file through a templating engine Changed in version 2015.8.2: This argument is now optional, allowing for no templating engine to be used if none is desired. deps Packages required to ensure that the named package is built can be hosted on either the salt master server or on an HTTP or FTP server. Both HTTPS and HTTP are supported as well as downloading directly from Amazon S3 compatible URLs with both pre-configured and automatic IAM credentials env A dictionary of environment variables to be set prior to execution. Example: - env: DEB_BUILD_OPTIONS: 'nocheck' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. results The names of the expected rpms that will be built force False If True, packages will be built even if they already exist in the dest_dir. This is useful when building a package for continuous or nightly package builds. New in version 2015.8.2. always If True, packages will be built even if they already exist in the dest_dir. This is useful when building a package for continuous or nightly package builds. Deprecated since version 2015.8.2: Use force instead. saltenv The saltenv to use for files downloaded from the salt filesever log_dir /var/log/salt/rpmbuild Root directory for log files created from the build. Logs will be organized by package name, version, OS release, and CPU architecture under this directory. New in version 2015.8.2. salt.states.pkgbuild.repo(name, keyid=None, env=None) Make a package repository, the name is directoty to turn into a repo. This state is best used with onchanges linked to your package building states name The directory to find packages that will be in the repository keyid Optional Key ID to use in signing repository env A dictionary of environment variables to be utlilized in creating the repository. Example: - env: OPTIONS: 'ask-passphrase' WARNING: The above illustrates a common PyYAML pitfall, that yes, no, on, off, true, and false are all loaded as boolean True and False values, and must be enclosed in quotes to be used as strings. More info on this (and other) PyYAML idiosyncrasies can be found here. Use of OPTIONS on some platforms, for example: ask-passphrase, will require gpg-agent or similar to cache passphrases. salt.states.pkgng Manage package remote repo using FreeBSD pkgng Salt can manage the URL pkgng pulls packages from. ATM the state and module are small so use cases are typically rather simple: pkgng_clients: pkgng.update_packaging_site: - name: "http://192.168.0.2" salt.states.pkgng.update_packaging_site(name) salt.states.pkgrepo Management of APT/YUM package repos Package repositories for APT-based and YUM-based distros can be managed with these states. Here is some example SLS: base: pkgrepo.managed: - humanname: CentOS-$releasever - Base - mirrorlist: http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os - comments: - '#http://mirror.centos.org/centos/$releasever/os/$basearch/' - gpgcheck: 1 - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 base: pkgrepo.managed: - humanname: Logstash PPA - name: deb http://ppa.launchpad.net/wolfnet/logstash/ubuntu precise main - dist: precise - file: /etc/apt/sources.list.d/logstash.list - keyid: 28B04E4A - keyserver: keyserver.ubuntu.com - require_in: - pkg: logstash pkg.latest: - name: logstash - refresh: True base: pkgrepo.managed: - humanname: deb-multimedia - name: deb http://www.deb-multimedia.org stable main - file: /etc/apt/sources.list.d/deb-multimedia.list - key_url: salt://deb-multimedia/files/marillat.pub base: pkgrepo.managed: - humanname: Google Chrome - name: deb http://dl.google.com/linux/chrome/deb/ stable main - dist: stable - file: /etc/apt/sources.list.d/chrome-browser.list - require_in: - pkg: google-chrome-stable - gpgcheck: 1 - key_url: https://dl-ssl.google.com/linux/linux_signing_key.pub base: pkgrepo.managed: - ppa: wolfnet/logstash pkg.latest: - name: logstash - refresh: True NOTE: On Ubuntu systems, the python-software-properties package should be installed for better support of PPA repositories. To check if this package is installed, run dpkg -l python-software-properties. Also, some Ubuntu releases have a bug in their python-software-properties package, a missing dependency on pycurl, so python-pycurl will need to be manually installed if it is not present once python-software-properties is installed. On Ubuntu & Debian systems, the `python-apt package is required to be installed. To check if this package is installed, run dpkg -l python-software-properties. python-apt will need to be manually installed if it is not present. salt.states.pkgrepo.absent(name, **kwargs) This function deletes the specified repo on the system, if it exists. It is essentially a wrapper around pkg.del_repo. name The name of the package repo, as it would be referred to when running the regular package manager commands. UBUNTU-SPECIFIC OPTIONS ppa On Ubuntu, you can take advantage of Personal Package Archives on Launchpad simply by specifying the user and archive name. logstash-ppa: pkgrepo.absent: - ppa: wolfnet/logstash ppa_auth For Ubuntu PPAs there can be private PPAs that require authentication to access. For these PPAs the username/password can be specified. This is required for matching if the name format uses the ppa: specifier and is private (requires username/password to access, which is encoded in the URI). logstash-ppa: pkgrepo.absent: - ppa: wolfnet/logstash - ppa_auth: username:password keyid If passed, then the GPG key corresponding to the passed KeyID will also be removed. keyid_ppa False If set to True, the GPG key's ID will be looked up from ppa.launchpad.net and removed, and the keyid argument will be ignored. NOTE: This option will be disregarded unless the ppa argument is present. salt.states.pkgrepo.managed(name, **kwargs) This function manages the configuration on a system that points to the repositories for the system's package manager. name The name of the package repo, as it would be referred to when running the regular package manager commands. For yum-based systems, take note of the following configuration values: humanname On yum-based systems, this is stored as the "name" value in the .repo file in /etc/yum.repos.d/. On yum-based systems, this is required. baseurl On yum-based systems, baseurl refers to a direct URL to be used for this yum repo. One of baseurl or mirrorlist is required. mirrorlist a URL which contains a collection of baseurls to choose from. On yum-based systems. One of baseurl or mirrorlist is required. comments Sometimes you want to supply additional information, but not as enabled configuration. Anything supplied for this list will be saved in the repo configuration with a comment marker (#) in front. Additional configuration values, such as gpgkey or gpgcheck, are used verbatim to update the options for the yum repo in question. For apt-based systems, take note of the following configuration values: ppa On Ubuntu, you can take advantage of Personal Package Archives on Launchpad simply by specifying the user and archive name. The keyid will be queried from launchpad and everything else is set automatically. You can override any of the below settings by simply setting them as you would normally. For example: logstash-ppa: pkgrepo.managed: - ppa: wolfnet/logstash ppa_auth For Ubuntu PPAs there can be private PPAs that require authentication to access. For these PPAs the username/password can be passed as an HTTP Basic style username/password combination. logstash-ppa: pkgrepo.managed: - ppa: wolfnet/logstash - ppa_auth: username:password name On apt-based systems this must be the complete entry as it would be seen in the sources.list file. This can have a limited subset of components (i.e. 'main') which can be added/modified with the "comps" option. precise-repo: pkgrepo.managed: - name: deb http://us.archive.ubuntu.com/ubuntu precise main disabled Toggles whether or not the repo is used for resolving dependencies and/or installing packages. comps On apt-based systems, comps dictate the types of packages to be installed from the repository (e.g. main, nonfree, ...). For purposes of this, comps should be a comma-separated list. file The filename for the .list that the repository is configured in. It is important to include the full-path AND make sure it is in a directory that APT will look in when handling packages dist This dictates the release of the distro the packages should be built for. (e.g. unstable). This option is rarely needed. keyid The KeyID of the GPG key to install. This option also requires the keyserver option to be set. keyserver This is the name of the keyserver to retrieve gpg keys from. The keyid option must also be set for this option to work. key_url URL to retrieve a GPG key from. Allows the usage of http://, https:// as well as salt://. NOTE: Use either keyid/keyserver or key_url, but not both. consolidate If set to true, this will consolidate all sources definitions to the sources.list file, cleanup the now unused files, consolidate components (e.g. main) for the same URI, type, and architecture to a single line, and finally remove comments from the sources.list file. The consolidate will run every time the state is processed. The option only needs to be set on one repo managed by salt to take effect. clean_file If set to true, empty file before config repo, dangerous if use multiple sources in one file. New in version 2015.8.0. refresh_db If set to false this will skip refreshing the apt package database on debian based systems. require_in Set this to a list of pkg.installed or pkg.latest to trigger the running of apt-get update prior to attempting to install these packages. Setting a require in the pkg will not work for this. salt.states.portage_config Management of Portage package configuration on Gentoo A state module to manage Portage configuration on Gentoo salt: portage_config.flags: - use: - openssl salt.states.portage_config.flags(name, use=None, accept_keywords=None, env=None, license=None, properties=None, unmask=False, mask=False) Enforce the given flags on the given package or DEPEND atom. WARNING: In most cases, the affected package(s) need to be rebuilt in order to apply the changes. name The name of the package or its DEPEND atom use A list of USE flags accept_keywords A list of keywords to accept. ~ARCH means current host arch, and will be translated into a line without keywords env A list of environment files license A list of accepted licenses properties A list of additional properties unmask A boolean to unmask the package mask A boolean to mask the package salt.states.ports Manage software from FreeBSD ports New in version 2014.1.0. NOTE: It may be helpful to use a higher timeout when running a ports.installed state, since compiling the port may exceed Salt's timeout. salt -t 1200 '*' state.highstate salt.states.ports.installed(name, options=None) Verify that the desired port is installed, and that it was compiled with the desired options. options Make sure that the desired non-default options are set WARNING: Any build options not passed here assume the default values for the port, and are not just differences from the existing cached options from a previous make config. Example usage: security/nmap: ports.installed: - options: - IPV6: off salt.states.postgres_database Management of PostgreSQL databases The postgres_database module is used to create and manage Postgres databases. Databases can be set as either absent or present frank: postgres_database.present salt.states.postgres_database.absent(name, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None) Ensure that the named database is absent name The name of the database to remove db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default user System user all operations should be performed on behalf of New in version 0.17.0. salt.states.postgres_database.present(name, tablespace=None, encoding=None, lc_collate=None, lc_ctype=None, owner=None, owner_recurse=False, template=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None) Ensure that the named database is present with the specified properties. For more information about all of these options see man createdb(1) name The name of the database to manage tablespace Default tablespace for the database encoding The character encoding scheme to be used in this database lc_collate The LC_COLLATE setting to be used in this database lc_ctype The LC_CTYPE setting to be used in this database owner The username of the database owner owner_recurse Recurse owner change to all relations in the database template The template database from which to build this database user System user all operations should be performed on behalf of db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default New in version 0.17.0. salt.states.postgres_extension Management of PostgreSQL extensions (e.g.: postgis) The postgres_extensions module is used to create and manage Postgres extensions. adminpack: postgres_extension.present New in version 2014.7.0. salt.states.postgres_extension.absent(name, if_exists=None, restrict=None, cascade=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None) Ensure that the named extension is absent name Extension name of the extension to remove cascade Drop on cascade if_exists Add if exist slug restrict Add restrict slug maintenance_db Database to act on user System user all operations should be performed on behalf of db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.states.postgres_extension.present(name, if_not_exists=None, schema=None, ext_version=None, from_version=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None) Ensure that the named extension is present with the specified privileges name The name of the extension to manage if_not_exists Add a if_not_exists switch to the ddl statement schema Schema to install the extension into from_version Old extension version if already installed ext_version version to install user System user all operations should be performed on behalf of maintenance_db Database to act on db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.states.postgres_group Management of PostgreSQL groups (roles) The postgres_group module is used to create and manage Postgres groups. frank: postgres_group.present salt.states.postgres_group.absent(name, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None) Ensure that the named group is absent name The groupname of the group to remove user System user all operations should be performed on behalf of New in version 0.17.0. db_user database username if different from config or defaul db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.states.postgres_group.present(name, createdb=None, createroles=None, createuser=None, encrypted=None, superuser=None, inherit=None, login=None, replication=None, password=None, refresh_password=None, groups=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None) Ensure that the named group is present with the specified privileges Please note that the user/group notion in postgresql is just abstract, we have roles, where users can be seens as roles with the LOGIN privilege and groups the others. name The name of the group to manage createdb Is the group allowed to create databases? createroles Is the group allowed to create other roles/users createuser Alias to create roles, and history problem, in pgsql normally createuser == superuser encrypted Should the password be encrypted in the system catalog? login Should the group have login perm inherit Should the group inherit permissions superuser Should the new group be a "superuser" replication Should the new group be allowed to initiate streaming replication password The Group's password It can be either a plain string or a md5 postgresql hashed password: 'md5{MD5OF({password}{role}}' If encrypted is None or True, the password will be automatically encrypted to the previous format if it is not already done. refresh_password Password refresh flag Boolean attribute to specify whether to password comparison check should be performed. If refresh_password is True, the password will be automatically updated without extra password change check. This behaviour makes it possible to execute in environments without superuser access available, e.g. Amazon RDS for PostgreSQL groups A string of comma separated groups the group should be in user System user all operations should be performed on behalf of New in version 0.17.0. db_user database username if different from config or defaul db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.states.postgres_schema Management of PostgreSQL schemas The postgres_schemas module is used to create and manage Postgres schemas. public: postgres_schema.present 'dbname' 'name' salt.states.postgres_schema.absent(dbname, name, db_user=None, db_password=None, db_host=None, db_port=None) Ensure that the named schema is absent dbname The database's name will work on name The name of the schema to remove db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.states.postgres_schema.present(dbname, name, owner=None, db_user=None, db_password=None, db_host=None, db_port=None) Ensure that the named schema is present in the database. dbname The database's name will work on name The name of the schema to manage db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.states.postgres_tablespace Management of PostgreSQL tablespace A module used to create and manage PostgreSQL tablespaces. ssd-tablespace: postgres_tablespace.present: - name: indexes - directory: /mnt/ssd-data New in version 2015.8.0. salt.states.postgres_tablespace.absent(name, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None) Ensure that the named database is absent. name The name of the database to remove db_user database username if different from config or defaul db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default user System user all operations should be performed on behalf of salt.states.postgres_tablespace.present(name, directory, options=None, owner=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None) Ensure that the named tablespace is present with the specified properties. For more information about all of these options see man create_tablespace(1). name The name of the tablespace to create/manage. directory The directory where the tablespace will be located, must already exist. options A dictionary of options to specify for the table. Currently, the only tablespace options supported are seq_page_cost - float; default=1.0 random_page_cost - float; default=4.0 owner The database user that will be the owner of the tablespace Defaults to the user executing the command (i.e. the user option) db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default user System user all operations should be performed on behalf of salt.states.postgres_user Management of PostgreSQL users (roles) The postgres_users module is used to create and manage Postgres users. frank: postgres_user.present salt.states.postgres_user.absent(name, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None) Ensure that the named user is absent name The username of the user to remove user System user all operations should be performed on behalf of New in version 0.17.0. db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default salt.states.postgres_user.present(name, createdb=None, createroles=None, createuser=None, encrypted=None, superuser=None, replication=None, inherit=None, login=None, password=None, refresh_password=None, groups=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None) Ensure that the named user is present with the specified privileges Please note that the user/group notion in postgresql is just abstract, we have roles, where users can be seens as roles with the LOGIN privilege and groups the others. name The name of the system user to manage. createdb Is the user allowed to create databases? createroles Is the user allowed to create other users? createuser Alias to create roles encrypted Should the password be encrypted in the system catalog? login Should the group have login perm inherit Should the group inherit permissions superuser Should the new user be a "superuser" replication Should the new user be allowed to initiate streaming replication password The system user's password. It can be either a plain string or a md5 postgresql hashed password: 'md5{MD5OF({password}{role}}' If encrypted is None or True, the password will be automatically encrypted to the previous format if it is not already done. refresh_password Password refresh flag Boolean attribute to specify whether to password comparison check should be performed. If refresh_password is True, the password will be automatically updated without extra password change check. This behaviour makes it possible to execute in environments without superuser access available, e.g. Amazon RDS for PostgreSQL groups A string of comma separated groups the user should be in user System user all operations should be performed on behalf of New in version 0.17.0. db_user Postres database username, if different from config or default. db_password Postgres user's password, if any password, for a specified db_user. db_host Postgres database host, if different from config or default. db_port Postgres database port, if different from config or default. salt.states.powerpath Powerpath configuration support Allows configuration of EMC Powerpath. Currently only addition/deletion of licenses is supported. key: powerpath.license_present: [] salt.states.powerpath.license_absent(name) Ensures that the specified PowerPath license key is absent on the host. name The license key to ensure is absent salt.states.powerpath.license_present(name) Ensures that the specified PowerPath license key is present on the host. name The license key to ensure is present salt.states.process Process Management Ensure a process matching a given pattern is absent. httpd-absent: process.absent: - name: apache2 salt.states.process.absent(name, user=None, signal=None) Ensures that the named command is not running. name The pattern to match. user The user process belongs signal Signal to send to the process(es). salt.states.pushover Send a message to PushOver This state is useful for sending messages to PushOver during state runs. New in version Lithium. pushover-message: pushover.post_message: - user: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - title: Salt Returner - device: phone - priority: -1 - expire: 3600 - retry: 5 - message: 'This state was executed successfully.' The api key can be specified in the master or minion configuration like below: pushover: token: peWcBiMOS9HrZG15peWcBiMOS9HrZG15 salt.states.pushover.post_message(name, user=None, device=None, message=None, title=None, priority=None, expire=None, retry=None, sound=None, api_version=1, token=None) Send a message to a PushOver channel. pushover-message: pushover.post_message: - user: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - title: Salt Returner - device: phone - priority: -1 - expire: 3600 - retry: 5 The following parameters are required: name The unique name for this event. user The user or group of users to send the message to. Must be ID of user, not name or email address. message The message that is to be sent to the PushOver channel. The following parameters are optional: title The title to use for the message. device The device for the user to send the message to. priority The priority for the message. expire The message should expire after specified amount of seconds. retry The message should be resent this many times. token The token for PushOver to use for authentication, if not specified in the configuration options of master or minion. salt.states.pyenv Managing python installations with pyenv This module is used to install and manage python installations with pyenv. Different versions of python can be installed, and uninstalled. pyenv will be installed automatically the first time it is needed and can be updated later. This module will not automatically install packages which pyenv will need to compile the versions of python. If pyenv is run as the root user then it will be installed to /usr/local/pyenv, otherwise it will be installed to the users ~/.pyenv directory. To make pyenv available in the shell you may need to add the pyenv/shims and pyenv/bin directories to the users PATH. If you are installing as root and want other users to be able to access pyenv then you will need to add pyenv_ROOT to their environment. This is how a state configuration could look like: pyenv-deps: pkg.installed: - pkgs: - make - build-essential - libssl-dev - zlib1g-dev - libbz2-dev - libreadline-dev - libsqlite3-dev - wget - curl - llvm python-2.6: pyenv.absent: - require: - pkg: pyenv-deps python-2.7.6: pyenv.installed: - default: True - require: - pkg: pyenv-deps salt.states.pyenv.absent(name, user=None) Verify that the specified python is not installed with pyenv. pyenv is installed if necessary. name The version of python to uninstall user: None The user to run pyenv as. New in version 0.17.0. New in version 0.16.0. salt.states.pyenv.install_pyenv(name, user=None) Install pyenv if not installed. Allows you to require pyenv be installed prior to installing the plugins. Useful if you want to install pyenv plugins via the git or file modules and need them installed before installing any rubies. Use the pyenv.root configuration option to set the path for pyenv if you want a system wide install that is not in a user home dir. user: None The user to run pyenv as. salt.states.pyenv.installed(name, default=False, user=None) Verify that the specified python is installed with pyenv. pyenv is installed if necessary. name The version of python to install default False Whether to make this python the default. user: None The user to run pyenv as. New in version 0.17.0. New in version 0.16.0. salt.states.pyrax_queues Manage Rackspace Queues New in version 2015.5.0. Create and destroy Rackspace queues. Be aware that this interacts with Rackspace's services, and so may incur charges. This module uses pyrax, which can be installed via package, or pip. This module is greatly inspired by boto_* modules from SaltStack code source. myqueue: pyrax_queues.present: - provider: my-pyrax myqueue: pyrax_queues.absent: - provider: my-pyrax salt.states.pyrax_queues.absent(name, provider) Ensure the named Rackspace queue is deleted. name Name of the Rackspace queue. provider Salt Cloud provider salt.states.pyrax_queues.present(name, provider) Ensure the RackSpace queue exists. name Name of the Rackspace queue. provider Salt Cloud Provider salt.states.quota Management of POSIX Quotas The quota can be managed for the system: /: quota.mode: mode: off quotatype: user salt.states.quota.mode(name, mode, quotatype) Set the quota for the system name The filesystem to set the quota mode on mode Whether the quota system is on or off quotatype Must be user or group salt.states.rabbitmq_cluster Manage RabbitMQ Clusters Example: rabbit@rabbit.example.com: rabbitmq_cluster.join: - user: rabbit - host: rabbit.example.com salt.states.rabbitmq_cluster.join(name, host, user='rabbit', ram_node=None, runas='root') This function is an alias of joined. Ensure the current node joined to a cluster with node user@host name Irrelevant, not used (recommended: user@host) user The user of node to join to (default: rabbit) host The host of node to join to ram_node Join node as a RAM node runas The user to run the rabbitmq command as salt.states.rabbitmq_cluster.joined(name, host, user='rabbit', ram_node=None, runas='root') Ensure the current node joined to a cluster with node user@host name Irrelevant, not used (recommended: user@host) user The user of node to join to (default: rabbit) host The host of node to join to ram_node Join node as a RAM node runas The user to run the rabbitmq command as salt.states.rabbitmq_plugin Manage RabbitMQ Plugins New in version 2014.1.0. Example: some_plugin: rabbitmq_plugin.enabled: [] salt.states.rabbitmq_plugin.disabled(name, runas=None) Ensure the RabbitMQ plugin is disabled. name The name of the plugin runas The user to run the rabbitmq-plugin command as salt.states.rabbitmq_plugin.enabled(name, runas=None) Ensure the RabbitMQ plugin is enabled. name The name of the plugin runas The user to run the rabbitmq-plugin command as salt.states.rabbitmq_policy Manage RabbitMQ Policies maintainer Benn Eichhorn <benn@getlocalmeasure.com> maturity new platform all Example: rabbit_policy: rabbitmq_policy.present: - name: HA - pattern: '.*' - definition: '{"ha-mode": "all"}' salt.states.rabbitmq_policy.absent(name, vhost='/', runas=None) Ensure the named policy is absent Reference: http://www.rabbitmq.com/ha.html name The name of the policy to remove runas Name of the user to run the command as salt.states.rabbitmq_policy.present(name, pattern, definition, priority=0, vhost='/', runas=None) Ensure the RabbitMQ policy exists. Reference: http://www.rabbitmq.com/ha.html name Policy name pattern A regex of queues to apply the policy to definition A json dict describing the policy priority Priority (defaults to 0) vhost Virtual host to apply to (defaults to '/') runas Name of the user to run the command as salt.states.rabbitmq_user Manage RabbitMQ Users Example: rabbit_user: rabbitmq_user.present: - password: password - force: True - tags: - monitoring - user - perms: - '/': - '.*' - '.*' - '.*' - runas: rabbitmq salt.states.rabbitmq_user.absent(name, runas=None) Ensure the named user is absent name The name of the user to remove runas User to run the command salt.states.rabbitmq_user.present(name, password=None, force=False, tags=None, perms=(), runas=None) Ensure the RabbitMQ user exists. name User name password User's password, if one needs to be set force If user exists, forcibly change the password tags Optional list of tags for the user perms A list of dicts with vhost keys and 3-tuple values runas Name of the user to run the command salt.states.rabbitmq_vhost Manage RabbitMQ Virtual Hosts Example: virtual_host: rabbitmq_vhost.present: - user: rabbit_user - conf: .* - write: .* - read: .* salt.states.rabbitmq_vhost.absent(name) Ensure the RabbitMQ Virtual Host is absent name Name of the Virtual Host to remove runas User to run the command Deprecated since version 2015.8.0. salt.states.rabbitmq_vhost.present(name) Ensure the RabbitMQ VHost exists. name VHost name user Initial user permission to set on the VHost, if present Deprecated since version 2015.8.0. owner Initial owner permission to set on the VHost, if present Deprecated since version 2015.8.0. conf Initial conf string to apply to the VHost and user. Defaults to .* Deprecated since version 2015.8.0. write Initial write permissions to apply to the VHost and user. Defaults to .* Deprecated since version 2015.8.0. read Initial read permissions to apply to the VHost and user. Defaults to .* Deprecated since version 2015.8.0. runas Name of the user to run the command Deprecated since version 2015.8.0. salt.states.rbenv Managing Ruby installations with rbenv This module is used to install and manage ruby installations with rbenv and the ruby-build plugin. Different versions of ruby can be installed, and uninstalled. Rbenv will be installed automatically the first time it is needed and can be updated later. This module will not automatically install packages which rbenv will need to compile the versions of ruby. If your version of ruby fails to install, refer to the ruby-build documentation to verify you are not missing any dependencies: https://github.com/sstephenson/ruby-build/wiki If rbenv is run as the root user then it will be installed to /usr/local/rbenv, otherwise it will be installed to the users ~/.rbenv directory. To make rbenv available in the shell you may need to add the rbenv/shims and rbenv/bin directories to the users PATH. If you are installing as root and want other users to be able to access rbenv then you will need to add RBENV_ROOT to their environment. The following state configuration demonstrates how to install Ruby 1.9.x and 2.x using rbenv on Ubuntu/Debian: rbenv-deps: pkg.installed: - names: - bash - git - openssl - libssl-dev - make - curl - autoconf - bison - build-essential - libffi-dev - libyaml-dev - libreadline6-dev - zlib1g-dev - libncurses5-dev ruby-1.9.3-p429: rbenv.absent: - require: - pkg: rbenv-deps ruby-2.0.0-p598: rbenv.installed: - default: True - require: - pkg: rbenv-deps salt.states.rbenv.absent(name, user=None) Verify that the specified ruby is not installed with rbenv. Rbenv is installed if necessary. name The version of ruby to uninstall user: None The user to run rbenv as. New in version 0.17.0. New in version 0.16.0. salt.states.rbenv.install_rbenv(name, user=None) Install rbenv if not installed. Allows you to require rbenv be installed prior to installing the plugins. Useful if you want to install rbenv plugins via the git or file modules and need them installed before installing any rubies. Use the rbenv.root configuration option to set the path for rbenv if you want a system wide install that is not in a user home dir. user: None The user to run rbenv as. salt.states.rbenv.installed(name, default=False, user=None) Verify that the specified ruby is installed with rbenv. Rbenv is installed if necessary. name The version of ruby to install default False Whether to make this ruby the default. user: None The user to run rbenv as. New in version 0.17.0. New in version 0.16.0. salt.states.rdp Manage RDP Service on Windows servers salt.states.rdp.disabled(name) Disable the RDP service salt.states.rdp.enabled(name) Enable the RDP service and make sure access to the RDP port is allowed in the firewall configuration salt.states.redismod Management of Redis server New in version 2014.7.0. depends • redis Python module configuration See salt.modules.redis for setup instructions. key_in_redis: redis.string: - value: string data The redis server information specified in the minion config file can be overridden in states using the following arguments: host, post, db, password. key_in_redis: redis.string: - value: string data - host: localhost - port: 6379 - db: 0 - password: somuchkittycat salt.states.redismod.absent(name, keys=None, **connection_args) Ensure key absent from redis name Key to ensure absent from redis keys list of keys to ensure absent, name will be ignored if this is used salt.states.redismod.string(name, value, expire=None, expireat=None, **connection_args) Ensure that the key exists in redis with the value specified name Redis key to manage value Data to persist in key expire Sets time to live for key in seconds expireat Sets expiration time for key via UNIX timestamp, overrides expire salt.states.reg Manage the Windows registry Many python developers think of registry keys as if they were python keys in a dictionary which is not the case. The windows registry is broken down into the following components: Hives This is the top level of the registry. They all begin with HKEY. - HKEY_CLASSES_ROOT (HKCR) - HKEY_CURRENT_USER(HKCU) - HKEY_LOCAL MACHINE (HKLM) - HKEY_USER (HKU) - HKEY_CURRENT_CONFIG Keys Hives contain keys. These are basically the folders beneath the hives. They can contain any number of subkeys. Values or Entries Values or Entries are the name/data pairs beneath the keys and subkeys. All keys have a default name/data pair. It is usually "(Default)"="(value not set)". The actual value for the name and the date is Null. The registry editor will display "(Default)" and "(value not set)". Example The following example is taken from the windows startup portion of the registry: ` [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDVCPL"="\"C:\\Program Files\\Realtek\\Audio\\HDA\\RtkNGUI64.exe\" -s" "NvBackend"="\"C:\\Program Files (x86)\\NVIDIA Corporation\\Update Core\\NvBackend.exe\"" "BTMTrayAgent"="rundll32.exe \"C:\\Program Files (x86)\\Intel\\Bluetooth\\btmshellex.dll\",TrayApp" ` In this example these are the values for each: Hive: HKEY_LOCAL_MACHINE Key and subkeys: SOFTWAREMicrosoftWindowsCurrentVersionRun Value: • There are 3 value names: RTHDVCPL, NvBackend, and BTMTrayAgent • Each value name has a corresponding value salt.states.reg.absent(name, vname=None, use_32bit_registry=False) Ensure a registry value is removed. To remove a key use key_absent. Parameters name (str) -- A string value representing the full path of the key to include the HIVE, Key, and all Subkeys. For example: HKEY_LOCAL_MACHINE\SOFTWARE\Salt Valid hive values include: • HKEY_CURRENT_USER or HKCU • HKEY_LOCAL_MACHINE or HKLM • HKEY_USERS or HKU Parameters vname (str) -- The name of the value you'd like to create beneath the Key. If this parameter is not passed it will assume you want to set the (Default) value Parameters use_32bit_registry (bool) -- Use the 32bit portion of the registry. Applies only to 64bit windows. 32bit Windows will ignore this parameter. Default if False. Returns Returns a dictionary showing the results of the registry operation. Return type dict CLI Example: 'HKEY_CURRENT_USER\SOFTWARE\Salt\version': reg.absent In the above example the path is interpreted as follows: • HKEY_CURRENT_USER is the hive • SOFTWARE\Salt is the key • version is the value name So the value version will be deleted from the SOFTWARE\Salt key in the HKEY_CURRENT_USER hive. salt.states.reg.key_absent(name, force=False, use_32bit_registry=False) New in version 2015.5.4. Ensure a registry key is removed. This will remove a key and all value entries it contains. It will fail if the key contains subkeys. Parameters name (str) -- A string representing the full path to the key to be removed to include the hive and the keypath. The hive can be any of the following: • HKEY_LOCAL_MACHINE or HKLM • HKEY_CURRENT_USER or HKCU • HKEY_USER or HKU Parameters force (bool) -- A boolean value indicating that all subkeys should be deleted with the key. If force=False and subkeys exists beneath the key you want to delete, key_absent will fail. Use with caution. The default is False. Returns Returns a dictionary showing the results of the registry operation. Return type dict The following example will delete the SOFTWARE\Salt key and all subkeys under the HKEY_CURRENT_USER hive. Example: 'HKEY_CURRENT_USER\SOFTWARE\Salt': reg.key_absent: - force: True In the above example the path is interpreted as follows: • HKEY_CURRENT_USER is the hive • SOFTWARE\Salt is the key salt.states.reg.present(name, value=None, vname=None, vdata=None, vtype='REG_SZ', reflection=True, use_32bit_registry=False) Ensure a registry key or value is present. Parameters name (str) -- A string value representing the full path of the key to include the HIVE, Key, and all Subkeys. For example: HKEY_LOCAL_MACHINE\SOFTWARE\Salt Valid hive values include: - HKEY_CURRENT_USER or HKCU - HKEY_LOCAL_MACHINE or HKLM - HKEY_USERS or HKU Parameters value (str) -- Deprecated. Use vname and vdata instead. Included here for backwards compatibility. Parameters vname (str) -- The name of the value you'd like to create beneath the Key. If this parameter is not passed it will assume you want to set the (Default) value Parameters vdata (str) -- The value you'd like to set for the Key. If a value name (vname) is passed, this will be the data for that value name. If not, this will be the (Default) value for the key. The type for the (Default) value is always REG_SZ and cannot be changed. This parameter is optional. If not passed, the Key will be created with no associated item/value pairs. Parameters vtype (str) -- The value type for the data you wish to store in the registry. Valid values are: • REG_BINARY • REG_DWORD • REG_EXPAND_SZ • REG_MULTI_SZ • REG_SZ (Default) Parameters reflection (bool) -- On 64 bit machines a duplicate value will be created in the Wow6432Node for 32bit programs. This only applies to the SOFTWARE key. This option is ignored on 32bit operating systems. This value defaults to True. Set it to False to disable reflection. Deprecated since version 2015.8.2: Use use_32bit_registry instead. The parameter seems to have no effect since Windows 7 / Windows 2008R2 removed support for reflection. The parameter will be removed in Boron. Parameters use_32bit_registry (bool) -- Use the 32bit portion of the registry. Applies only to 64bit windows. 32bit Windows will ignore this parameter. Default if False. Returns Returns a dictionary showing the results of the registry operation. Return type dict The following example will set the (Default) value for the SOFTWARE\Salt key in the HKEY_CURRENT_USER hive to 0.15.3. The value will not be reflected in Wow6432Node: Example: HKEY_CURRENT_USER\SOFTWARE\Salt: reg.present: - vdata: 0.15.3 - reflection: False The following example will set the value for the version entry under the SOFTWARE\Salt key in the HKEY_CURRENT_USER hive to 0.15.3. The value will be reflected in Wow6432Node: Example: HKEY_CURRENT_USER\SOFTWARE\Salt: reg.present: - vname: version - vdata: 0.15.3 In the above example the path is interpreted as follows: - HKEY_CURRENT_USER is the hive - SOFTWARE\Salt is the key - vname is the value name ('version') that will be created under the key - vdata is the data that will be assigned to 'version' salt.states.rvm Managing Ruby installations and gemsets with Ruby Version Manager (RVM) This module is used to install and manage ruby installations and gemsets with RVM, the Ruby Version Manager. Different versions of ruby can be installed and gemsets created. RVM itself will be installed automatically if it's not present. This module will not automatically install packages that RVM depends on or ones that are needed to build ruby. If you want to run RVM as an unprivileged user (recommended) you will have to create this user yourself. This is how a state configuration could look like: rvm: group.present: [] user.present: - gid: rvm - home: /home/rvm - require: - group: rvm rvm-deps: pkg.installed: - pkgs: - bash - coreutils - gzip - bzip2 - gawk - sed - curl - git-core - subversion mri-deps: pkg.installed: - pkgs: - build-essential - openssl - libreadline6 - libreadline6-dev - curl - git-core - zlib1g - zlib1g-dev - libssl-dev - libyaml-dev - libsqlite3-0 - libsqlite3-dev - sqlite3 - libxml2-dev - libxslt1-dev - autoconf - libc6-dev - libncurses5-dev - automake - libtool - bison - subversion - ruby jruby-deps: pkg.installed: - pkgs: - curl - g++ - openjdk-6-jre-headless ruby-1.9.2: rvm.installed: - default: True - user: rvm - require: - pkg: rvm-deps - pkg: mri-deps - user: rvm jruby: rvm.installed: - user: rvm - require: - pkg: rvm-deps - pkg: jruby-deps - user: rvm jgemset: rvm.gemset_present: - ruby: jruby - user: rvm - require: - rvm: jruby mygemset: rvm.gemset_present: - ruby: ruby-1.9.2 - user: rvm - require: - rvm: ruby-1.9.2 salt.states.rvm.gemset_present(name, ruby='default', user=None) Verify that the gemset is present. name The name of the gemset. ruby: default The ruby version this gemset belongs to. user: None The user to run rvm as. New in version 0.17.0. salt.states.rvm.installed(name, default=False, user=None) Verify that the specified ruby is installed with RVM. RVM is installed when necessary. name The version of ruby to install default False Whether to make this ruby the default. user: None The user to run rvm as. New in version 0.17.0. salt.states.saltmod Control the Salt command interface This state is intended for use from the Salt Master. It provides access to sending commands down to minions as well as access to executing master-side modules. These state functions wrap Salt's Python API. SEE ALSO: More Orchestrate documentation • Full Orchestrate Tutorial • The Orchestrate runner salt.states.saltmod.function(name, tgt, ssh=False, tgt_type=None, expr_form=None, ret='', expect_minions=False, fail_minions=None, fail_function=None, arg=None, kwarg=None, timeout=None) Execute a single module function on a remote minion via salt or salt-ssh name The name of the function to run, aka cmd.run or pkg.install tgt The target specification, aka '*' for all minions tgt_type | expr_form The target type, defaults to glob arg The list of arguments to pass into the function kwarg The list of keyword arguments to pass into the function ret Optionally set a single or a list of returners to use expect_minions An optional boolean for failing if some minions do not respond fail_minions An optional list of targeted minions where failure is an option fail_function An optional string that points to a salt module that returns True or False based on the returned data dict for individual minions ssh Set to True to use the ssh client instead of the standard salt client salt.states.saltmod.runner(name, **kwargs) Execute a runner module on the master New in version 2014.7.0. name The name of the function to run kwargs Any keyword arguments to pass to the runner function run-manage-up: salt.runner: - name: manage.up salt.states.saltmod.state(name, tgt, ssh=False, tgt_type=None, expr_form=None, ret='', highstate=None, sls=None, top=None, env=None, test=False, pillar=None, expect_minions=False, fail_minions=None, allow_fail=0, concurrent=False, timeout=None, queue=False) Invoke a state run on a given target name An arbitrary name used to track the state execution tgt The target specification for the state run. tgt_type | expr_form The target type to resolve, defaults to glob ret Optionally set a single or a list of returners to use highstate Defaults to None, if set to True the target systems will ignore any sls references specified in the sls option and call state.highstate on the targeted minions top Should be the name of a top file. If set state.top is called with this top file instead of state.sls. sls A group of sls files to execute. This can be defined as a single string containing a single sls file, or a list of sls files test Pass test=true through to the state function pillar Pass the pillar kwarg through to the state function saltenv The default salt environment to pull sls files from ssh Set to True to use the ssh client instead of the standard salt client roster In the event of using salt-ssh, a roster system can be set expect_minions An optional boolean for failing if some minions do not respond fail_minions An optional list of targeted minions where failure is an option allow_fail Pass in the number of minions to allow for failure before setting the result of the execution to False concurrent Allow multiple state runs to occur at once. WARNING: This flag is potentially dangerous. It is designed for use when multiple state runs can safely be run at the same Do not use this flag for performance optimization. queue Pass queue=true through to the state function Examples: Run a list of sls files via state.sls on target minions: webservers: salt.state: - tgt: 'web*' - sls: - apache - django - core - saltenv: prod Run a full state.highstate on target mininons. databases: salt.state: - tgt: role:database - tgt_type: grain - highstate: True salt.states.saltmod.wait_for_event(name, id_list, event_id='id', timeout=300) Watch Salt's event bus and block until a condition is met New in version 2014.7.0. name An event tag to watch for; supports Reactor-style globbing. id_list A list of event identifiers to watch for -- usually the minion ID. Each time an event tag is matched the event data is inspected for event_id, if found it is removed from id_list. When id_list is empty this function returns success. event_id id The name of a key in the event data. Default is id for the minion ID, another common value is name for use with orchestrating salt-cloud events. timeout 300 The maximum time in seconds to wait before failing. The following example blocks until all the listed minions complete a restart and reconnect to the Salt master: reboot_all_minions: salt.function: - name: system.reboot - tgt: '*' wait_for_reboots: salt.wait_for_event: - name: salt/minion/*/start - id_list: - jerry - stuart - dave - phil - kevin - mike - require: - salt: reboot_all_minions salt.states.saltmod.wheel(name, **kwargs) Execute a wheel module on the master New in version 2014.7.0. name The name of the function to run kwargs Any keyword arguments to pass to the wheel function accept_minion_key: salt.wheel: - name: key.accept - match: frank salt.states.schedule Management of the Salt scheduler job3: schedule.present: - function: test.ping - seconds: 3600 - splay: 10 This will schedule the command: test.ping every 3600 seconds (every hour) splaying the time between 0 and 10 seconds job2: schedule.present: - function: test.ping - seconds: 15 - splay: - start: 10 - end: 20 This will schedule the command: test.ping every 3600 seconds (every hour) splaying the time between 10 and 20 seconds job1: schedule.present: - function: state.sls - job_args: - httpd - job_kwargs: test: True - when: - Monday 5:00pm - Tuesday 3:00pm - Wednesday 5:00pm - Thursday 3:00pm - Friday 5:00pm This will schedule the command: state.sls httpd test=True at 5pm on Monday, Wednesday and Friday, and 3pm on Tuesday and Thursday. Requires that python-dateutil is installed on the minion. job1: schedule.present: - function: state.sls - job_args: - httpd - job_kwargs: test: True - cron: '*/5 * * * *' Scheduled jobs can also be specified using the format used by cron. This will schedule the command: state.sls httpd test=True to run every 5 minutes. Requires that python-croniter is installed on the minion. job1: schedule.present: - function: state.sls - job_args: - httpd - job_kwargs: test: True - when: - Monday 5:00pm - Tuesday 3:00pm - Wednesday 5:00pm - Thursday 3:00pm - Friday 5:00pm - returner: xmpp - return_config: xmpp_state_run This will schedule the command: state.sls httpd test=True at 5pm on Monday, Wednesday and Friday, and 3pm on Tuesday and Thursday. Using the xmpp returner to return the results of the scheduled job, with the alternative configuration options found in the xmpp_state_run section. salt.states.schedule.absent(name, **kwargs) Ensure a job is absent from the schedule name The unique name that is given to the scheduled job. persist Whether the job should persist between minion restarts, defaults to True. salt.states.schedule.disabled(name, **kwargs) Ensure a job is disabled in the schedule name The unique name that is given to the scheduled job. persist Whether the job should persist between minion restarts, defaults to True. salt.states.schedule.enabled(name, **kwargs) Ensure a job is enabled in the schedule name The unique name that is given to the scheduled job. persist Whether the job should persist between minion restarts, defaults to True. salt.states.schedule.present(name, **kwargs) Ensure a job is present in the schedule name The unique name that is given to the scheduled job. seconds The scheduled job will be executed after the specified number of seconds have passed. minutes The scheduled job will be executed after the specified number of minutes have passed. hours The scheduled job will be executed after the specified number of hours have passed. days The scheduled job will be executed after the specified number of days have passed. when This will schedule the job at the specified time(s). The when parameter must be a single value or a dictionary with the date string(s) using the dateutil format. Requires python-dateutil. cron This will schedule the job at the specified time(s) using the crontab format. Requires python-croniter. function The function that should be executed by the scheduled job. job_args The arguments that will be used by the scheduled job. job_kwargs The keyword arguments that will be used by the scheduled job. maxrunning Ensure that there are no more than N copies of a particular job running. jid_include Include the job into the job cache. splay The amount of time in seconds to splay a scheduled job. Can be specified as a single value in seconds or as a dictionary range with 'start' and 'end' values. range This will schedule the command within the range specified. The range parameter must be a dictionary with the date strings using the dateutil format. Requires python-dateutil. once This will schedule a job to run once on the specified date. once_fmt The default date format is ISO 8601 but can be overridden by also specifying the once_fmt option. enabled Whether the job should be enabled or disabled. Value should be a boolean. return_job Whether to return information to the Salt master upon job completion. metadata Using the metadata parameter special values can be associated with a scheduled job. These values are not used in the execution of the job, but can be used to search for specific jobs later if combined with the return_job parameter. The metadata parameter must be specified as a dictionary, othewise it will be ignored. returner The returner to use to return the results of the scheduled job. return_config The alternative configuration to use for returner configuration options. persist Whether the job should persist between minion restarts, defaults to True. salt.states.selinux Management of SELinux rules If SELinux is available for the running system, the mode can be managed and booleans can be set. enforcing: selinux.mode samba_create_home_dirs: selinux.boolean: - value: True - persist: True NOTE: Use of these states require that the selinux execution module is available. salt.states.selinux.boolean(name, value, persist=False) Set up an SELinux boolean name The name of the boolean to set value The value to set on the boolean persist Defaults to False, set persist to true to make the boolean apply on a reboot salt.states.selinux.mode(name) Verifies the mode SELinux is running in, can be set to enforcing or permissive name The mode to run SELinux in, permissive or enforcing salt.states.serverdensity_device Monitor Server with Server Density New in version 2014.7.0. Server Density Is a hosted monitoring service. WARNING: This state module is beta. It might be changed later to include more or less automation. NOTE: This state module requires a pillar for authentication with Server Density: serverdensity: api_token: "b97da80a41c4f61bff05975ee51eb1aa" account_url: "https://your-account.serverdensity.io" NOTE: Although Server Density allows duplicate device names in its database, this module will raise an exception if you try monitoring devices with the same name. Example: 'server_name': serverdensity_device.monitored salt.states.serverdensity_device.monitored(name, group=None, salt_name=True, salt_params=True, **params) Device is monitored with Server Density. name Device name in Server Density. salt_name If True (default), takes the name from the id grain. If False, the provided name is used. group Group name under with device will appear in Server Density dashboard. Default - None. salt_params If True (default), needed config parameters will be sourced from grains and from status.all_status. params Add parameters that you want to appear in the Server Density dashboard. Will overwrite the salt_params parameters. For more info, see the API docs. Usage example: 'server_name': serverdensity_device.monitored 'server_name': serverdensity_device.monitored: - group: web-servers 'my_special_server': serverdensity_device.monitored: - salt_name: False - group: web-servers - cpuCores: 2 - os: CentOS salt.states.service Starting or restarting of services and daemons Services are defined as system daemons typically started with system init or rc scripts. Services can be defined as running or dead. NOTE: The current status of a service is determined by the return code of the init/rc script status command. A status return code of 0 it is considered running. Any other return code is considered dead. httpd: service.running: [] The service can also be set to be started at runtime via the enable option: openvpn: service.running: - enable: True By default if a service is triggered to refresh due to a watch statement the service is by default restarted. If the desired behavior is to reload the service, then set the reload value to True: redis: service.running: - enable: True - reload: True - watch: - pkg: redis NOTE: More details regarding watch can be found in the Requisites documentation. salt.states.service.dead(name, enable=None, sig=None, **kwargs) Ensure that the named service is dead by stopping the service if it is running name The name of the init or rc script used to manage the service enable Set the service to be enabled at boot time, True sets the service to be enabled, False sets the named service to be disabled. The default is None, which does not enable or disable anything. sig The string to search for when looking for the service process with ps salt.states.service.disabled(name, **kwargs) Verify that the service is disabled on boot, only use this state if you don't want to manage the running process, remember that if you want to disable a service to use the enable: False option for the running or dead function. name The name of the init or rc script used to manage the service salt.states.service.enabled(name, **kwargs) Verify that the service is enabled on boot, only use this state if you don't want to manage the running process, remember that if you want to enable a running service to use the enable: True option for the running or dead function. name The name of the init or rc script used to manage the service salt.states.service.mod_watch(name, sfun=None, sig=None, reload=False, full_restart=False, init_delay=None, force=False, **kwargs) The service watcher, called to invoke the watch command. name The name of the init or rc script used to manage the service sfun The original function which triggered the mod_watch call (service.running, for example). sig The string to search for when looking for the service process with ps salt.states.service.running(name, enable=None, sig=None, init_delay=None, **kwargs) Verify that the service is running name The name of the init or rc script used to manage the service enable Set the service to be enabled at boot time, True sets the service to be enabled, False sets the named service to be disabled. The default is None, which does not enable or disable anything. sig The string to search for when looking for the service process with ps init_delay Some services may not be truly available for a short period after their startup script indicates to the system that they are. Provide an 'init_delay' to specify that this state should wait an additional given number of seconds after a service has started before returning. Useful for requisite states wherein a dependent state might assume a service has started but is not yet fully initialized. salt.states.slack Send a message to Slack This state is useful for sending messages to Slack during state runs. New in version 2015.5.0. slack-message: slack.post_message: - channel: '#general' - from_name: SuperAdmin - message: 'This state was executed successfully.' - api_key: peWcBiMOS9HrZG15peWcBiMOS9HrZG15 The api key can be specified in the master or minion configuration like below: slack: api_key: peWcBiMOS9HrZG15peWcBiMOS9HrZG15 salt.states.slack.post_message(name, channel, from_name, message, api_key=None) Send a message to a Slack channel. slack-message: slack.post_message: - channel: '#general' - from_name: SuperAdmin - message: 'This state was executed successfully.' - api_key: peWcBiMOS9HrZG15peWcBiMOS9HrZG15 The following parameters are required: name The unique name for this event. channel The channel to send the message to. Can either be the ID or the name. from_name The name of that is to be shown in the "from" field. message The message that is to be sent to the Slack channel. The following parameters are optional: api_key The api key for Slack to use for authentication, if not specified in the configuration options of master or minion. salt.states.smtp Sending Messages via SMTP New in version 2014.7.0. This state is useful for firing messages during state runs, using the SMTP protocol server-warning-message: smtp.send_msg: - name: 'This is a server warning message' - profile: my-smtp-account - recipient: admins@example.com salt.states.smtp.send_msg(name, recipient, subject, sender, profile, use_ssl='True') Send a message via SMTP server-warning-message: smtp.send_msg: - name: 'This is a server warning message' - profile: my-smtp-account - subject: 'Message from Salt' - recipient: admin@example.com - sender: admin@example.com - use_ssl: True name The message to send via SMTP salt.states.splunk_search Splunk Search State Module New in version 2015.5.0. This state is used to ensure presence of splunk searches. server-warning-message: splunk_search.present: - name: This is the splunk search name - search: index=main sourcetype= salt.states.splunk_search.absent(name, profile='splunk') Ensure a search is absent API Error Search: splunk_search.absent The following parameters are required: name This is the name of the search in splunk salt.states.splunk_search.present(name, profile='splunk', **kwargs) Ensure a search is present API Error Search: splunk_search.present: search: index=main sourcetype=blah template: alert_5min The following parameters are required: name This is the name of the search in splunk salt.states.ssh_auth Control of entries in SSH authorized_key files The information stored in a user's SSH authorized key file can be easily controlled via the ssh_auth state. Defaults can be set by the enc, options, and comment keys. These defaults can be overridden by including them in the name. Since the YAML specification limits the length of simple keys to 1024 characters, and since SSH keys are often longer than that, you may have to use a YAML 'explicit key', as demonstrated in the second example below. AAAAB3NzaC1kc3MAAACBAL0sQ9fJ5bYTEyY==: ssh_auth.present: - user: root - enc: ssh-dss ? AAAAB3NzaC1kc3MAAACBAL0sQ9fJ5bYTEyY==... : ssh_auth.present: - user: root - enc: ssh-dss thatch: ssh_auth.present: - user: root - source: salt://ssh_keys/thatch.id_rsa.pub - config: %h/.ssh/authorized_keys sshkeys: ssh_auth.present: - user: root - enc: ssh-rsa - options: - option1="value1" - option2="value2 flag2" - comment: myuser - names: - AAAAB3NzaC1kc3MAAACBAL0sQ9fJ5bYTEyY== - ssh-dss AAAAB3NzaCL0sQ9fJ5bYTEyY== user@domain - option3="value3" ssh-dss AAAAB3NzaC1kcQ9J5bYTEyY== other@testdomain - AAAAB3NzaC1kcQ9fJFF435bYTEyY== newcomment salt.states.ssh_auth.absent(name, user, enc='ssh-rsa', comment='', source='', options=None, config='.ssh/authorized_keys') Verifies that the specified SSH key is absent name The SSH key to manage user The user who owns the SSH authorized keys file to modify enc Defines what type of key is being used; can be ed25519, ecdsa, ssh-rsa or ssh-dss comment The comment to be placed with the SSH public key options The options passed to the key, pass a list object source The source file for the key(s). Can contain any number of public keys, in standard "authorized_keys" format. If this is set, comment, enc and options will be ignored. New in version 2015.8.0. config The location of the authorized keys file relative to the user's home directory, defaults to ".ssh/authorized_keys". Token expansion %u and %h for username and home path supported. salt.states.ssh_auth.present(name, user, enc='ssh-rsa', comment='', source='', options=None, config='.ssh/authorized_keys', **kwargs) Verifies that the specified SSH key is present for the specified user name The SSH key to manage user The user who owns the SSH authorized keys file to modify enc Defines what type of key is being used; can be ed25519, ecdsa, ssh-rsa or ssh-dss comment The comment to be placed with the SSH public key source The source file for the key(s). Can contain any number of public keys, in standard "authorized_keys" format. If this is set, comment and enc will be ignored. NOTE: The source file must contain keys in the format <enc> <key> <comment>. If you have generated a keypair using PuTTYgen, then you will need to do the following to retrieve an OpenSSH-compatible public key. 1. In PuTTYgen, click Load, and select the private key file (not the public key), and click Open. 2. Copy the public key from the box labeled Public key for pasting into OpenSSH authorized_keys file. 3. Paste it into a new file. options The options passed to the key, pass a list object config The location of the authorized keys file relative to the user's home directory, defaults to ".ssh/authorized_keys". Token expansion %u and %h for username and home path supported. salt.states.ssh_known_hosts Control of SSH known_hosts entries Manage the information stored in the known_hosts files. github.com: ssh_known_hosts: - present - user: root - fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 example.com: ssh_known_hosts: - absent - user: root salt.states.ssh_known_hosts.absent(name, user=None, config=None) Verifies that the specified host is not known by the given user name The host name user The user who owns the ssh authorized keys file to modify config The location of the authorized keys file relative to the user's home directory, defaults to ".ssh/known_hosts". If no user is specified, defaults to "/etc/ssh/ssh_known_hosts". If present, must be an absolute path when a user is not specified. salt.states.ssh_known_hosts.present(name, user=None, fingerprint=None, key=None, port=None, enc=None, config=None, hash_hostname=True, hash_known_hosts=True) Verifies that the specified host is known by the specified user On many systems, specifically those running with openssh 4 or older, the enc option must be set, only openssh 5 and above can detect the key type. name The name of the remote host (e.g. "github.com") user The user who owns the ssh authorized keys file to modify fingerprint The fingerprint of the key which must be present in the known_hosts file (optional if key specified) key The public key which must be present in the known_hosts file (optional if fingerprint specified) port optional parameter, port which will be used to when requesting the public key from the remote host, defaults to port 22. enc Defines what type of key is being used, can be ed25519, ecdsa ssh-rsa or ssh-dss config The location of the authorized keys file relative to the user's home directory, defaults to ".ssh/known_hosts". If no user is specified, defaults to "/etc/ssh/ssh_known_hosts". If present, must be an absolute path when a user is not specified. hash_hostname True Hash all hostnames and addresses in the known hosts file. Deprecated since version Carbon: Please use hash_known_hosts instead. hash_known_hosts True Hash all hostnames and addresses in the known hosts file. salt.states.stateconf Stateconf System The stateconf system is intended for use only with the stateconf renderer. This State module presents the set function. This function does not execute any functionality, but is used to interact with the stateconf renderer. salt.states.stateconf.context(name, **kwargs) No-op state to support state config via the stateconf renderer. salt.states.stateconf.set(name, **kwargs) No-op state to support state config via the stateconf renderer. salt.states.status Minion status monitoring Maps to the status execution module. salt.states.status.loadavg(name, maximum=None, minimum=None) Return the current load average for the specified minion. Available values for name are 1-min, 5-min and 15-min. minimum and maximum values should be passed in as strings. salt.states.status.process(name) Return whether the specified signature is found in the process tree. This differs slightly from the services states, in that it may refer to a process that is not managed via the init system. salt.states.stormpath_account Support for Stormpath. New in version 2015.8.0. salt.states.stormpath_account.absent(name, directory_id=None) Ensure that an account associated with the given email address is absent. Will search all directories for the account, unless a directory_id is specified. name The email address of the account to delete. directory_id Optional. The ID of the directory that the account is expected to belong to. If not specified, then a list of directories will be retrieved, and each will be scanned for the account. Specifying a directory_id will therefore cut down on the number of requests to Stormpath, and increase performance of this state. salt.states.stormpath_account.present(name, **kwargs) Ensure that an account is present and properly configured name The email address associated with the Stormpath account directory_id The ID of a directory which the account belongs to. Required. password Required when creating a new account. If specified, it is advisable to reference the password in another database using an sdb:// URL. Will NOT update the password if an account already exists. givenName Required when creating a new account. surname Required when creating a new account. username Optional. Must be unique across the owning directory. If not specified, the username will default to the email field. middleName Optional. status enabled accounts are able to login to their assigned applications, disabled accounts may not login to applications, unverified accounts are disabled and have not verified their email address. customData. Optional. Must be specified as a dict. salt.states.supervisord Interaction with the Supervisor daemon wsgi_server: supervisord.running: - require: - pkg: supervisor - watch: - file: /etc/nginx/sites-enabled/wsgi_server.conf salt.states.supervisord.dead(name, user=None, conf_file=None, bin_env=None) Ensure the named service is dead (not running). name Service name as defined in the supervisor configuration file user Name of the user to run the supervisorctl command New in version 0.17.0. conf_file path to supervisorctl config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed salt.states.supervisord.mod_watch(name, restart=True, update=False, user=None, conf_file=None, bin_env=None, **kwargs) salt.states.supervisord.running(name, restart=False, update=False, user=None, conf_file=None, bin_env=None) Ensure the named service is running. name Service name as defined in the supervisor configuration file restart Whether to force a restart update Whether to update the supervisor configuration. user Name of the user to run the supervisorctl command New in version 0.17.0. conf_file path to supervisorctl config file bin_env path to supervisorctl bin or path to virtualenv with supervisor installed salt.states.svn Manage SVN repositories Manage repository checkouts via the svn vcs system. Note that subversion must be installed for these states to be available, so svn states should include a requisite to a pkg.installed state for the package which provides subversion (subversion in most cases). Example: subversion: pkg.installed http://unladen-swallow.googlecode.com/svn/trunk/: svn.latest: - target: /tmp/swallow salt.states.svn.dirty(name, target, user=None, username=None, password=None, ignore_unversioned=False) Determine if the working directory has been changed. salt.states.svn.export(name, target=None, rev=None, user=None, username=None, password=None, force=False, overwrite=False, externals=True, trust=False) Export a file or directory from an SVN repository name Address and path to the file or directory to be exported. target Name of the target directory where the checkout will put the working directory rev None The name revision number to checkout. Enable "force" if the directory already exists. user None Name of the user performing repository management operations username None The user to access the name repository with. The svn default is the current user password Connect to the Subversion server with this password New in version 0.17.0. force False Continue if conflicts are encountered overwrite False Overwrite existing target externals True Change to False to not checkout or update externals trust False Automatically trust the remote server. SVN's --trust-server-cert salt.states.svn.latest(name, target=None, rev=None, user=None, username=None, password=None, force=False, externals=True, trust=False) Checkout or update the working directory to the latest revision from the remote repository. name Address of the name repository as passed to "svn checkout" target Name of the target directory where the checkout will put the working directory rev None The name revision number to checkout. Enable "force" if the directory already exists. user None Name of the user performing repository management operations username None The user to access the name repository with. The svn default is the current user password Connect to the Subversion server with this password New in version 0.17.0. force False Continue if conflicts are encountered externals True Change to False to not checkout or update externals trust False Automatically trust the remote server. SVN's --trust-server-cert salt.states.sysctl Configuration of the Linux kernel using sysctl Control the kernel sysctl system. vm.swappiness: sysctl.present: - value: 20 salt.states.sysctl.present(name, value, config=None) Ensure that the named sysctl value is set in memory and persisted to the named configuration file. The default sysctl configuration file is /etc/sysctl.conf name The name of the sysctl value to edit value The sysctl value to apply config The location of the sysctl configuration file. If not specified, the proper location will be detected based on platform. salt.states.syslog_ng State module for syslog_ng maintainer Tibor Benke <btibi@sch.bme.hu> maturity new depends cmd, ps, syslog_ng platform all Users can generate syslog-ng configuration files from YAML format or use plain ones and reload, start, or stop their syslog-ng by using this module. Details The service module is not available on all system, so this module includes syslog_ng.reloaded, syslog_ng.stopped, and syslog_ng.started functions. If the service module is available on the computers, users should use that. Users can generate syslog-ng configuration with syslog_ng.config function. For more information see syslog-ng state usage. Syslog-ng configuration file format The syntax of a configuration snippet in syslog-ng.conf: object_type object_id {<options>}; These constructions are also called statements. There are options inside of them: option(parameter1, parameter2); option2(parameter1, parameter2); You can find more information about syslog-ng's configuration syntax in the Syslog-ng Admin guide: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.5-guides/en/syslog-ng-ose-v3.5-guide-admin/html-single/index.html#syslog-ng.conf.5 salt.states.syslog_ng.config(name, config, write=True) Builds syslog-ng configuration. name : the id of the Salt document config : the parsed YAML code write : if True, it writes the config into the configuration file, otherwise just returns it salt.states.syslog_ng.reloaded(name) Reloads syslog-ng. salt.states.syslog_ng.started(name=None, user=None, group=None, chroot=None, caps=None, no_caps=False, pidfile=None, enable_core=False, fd_limit=None, verbose=False, debug=False, trace=False, yydebug=False, persist_file=None, control=None, worker_threads=None, *args, **kwargs) Ensures, that syslog-ng is started via the given parameters. Users shouldn't use this function, if the service module is available on their system. salt.states.syslog_ng.stopped(name=None) Kills syslog-ng. salt.states.sysrc salt.states.sysrc.absent(name, **kwargs) Ensure a sysrc variable is absent. name The variable name to set file (optional) The rc file to add the variable to. jail (option) the name or JID of the jail to set the value in. salt.states.sysrc.managed(name, value, **kwargs) Ensure a sysrc variable is set to a specific value. name The variable name to set value Value to set the variable to file (optional) The rc file to add the variable to. jail (option) the name or JID of the jail to set the value in. salt.states.test Test States Provide test case states that enable easy testing of things to do with state calls, e.g. running, calling, logging, output filtering etc. always-passes-with-any-kwarg: test.nop: - name: foo - something: else - foo: bar always-passes: test.succeed_without_changes: - name: foo always-fails: test.fail_without_changes: - name: foo always-changes-and-succeeds: test.succeed_with_changes: - name: foo always-changes-and-fails: test.fail_with_changes: - name: foo my-custom-combo: test.configurable_test_state: - name: foo - changes: True - result: False - comment: bar.baz is-pillar-foo-present-and-bar-is-int: test.check_pillar: - present: - foo - integer: - bar salt.states.test.check_pillar(name, present=None, boolean=None, integer=None, string=None, listing=None, dictionary=None, verbose=False) Checks the presence and, optionally, the type of given keys in Pillar. Supported kwargs for types are: - boolean (bool) - integer (int) - string (str) - listing (list) - dictionary (dict) Checking for None type pillars is not implemented yet. is-pillar-foo-present-and-bar-is-int: test.check_pillar: - present: - foo - integer: - bar salt.states.test.configurable_test_state(name, changes=True, result=True, comment='') A configurable test state which determines its output based on the inputs. New in version 2014.7.0. name: A unique string. changes: Do we return anything in the changes field? Accepts True, False, and 'Random' Default is True result: Do we return successfully or not? Accepts True, False, and 'Random' Default is True comment: String to fill the comment field with. Default is '' salt.states.test.fail_with_changes(name) Returns failure and changes is not empty. New in version 2014.7.0. name: A unique string. salt.states.test.fail_without_changes(name) Returns failure. New in version 2014.7.0. name: A unique string. salt.states.test.mod_watch(name, sfun=None, **kwargs) ' Call this function via a watch statement New in version 2014.7.0. Any parameters in the state return dictionary can be customized by adding the keywords result, comment, and changes. this_state_will_return_changes: test.succeed_with_changes this_state_will_NOT_return_changes: test.succeed_without_changes this_state_is_watching_another_state: test.succeed_without_changes: - comment: 'This is a custom comment' - watch: - test: this_state_will_return_changes - test: this_state_will_NOT_return_changes this_state_is_also_watching_another_state: test.succeed_without_changes: - watch: - test: this_state_will_NOT_return_changes salt.states.test.nop(name, **kwargs) A no-op state that does nothing. Useful in conjunction with the use requisite, or in templates which could otherwise be empty due to jinja rendering New in version 2015.8.1. salt.states.test.show_notification(name, text=None, **kwargs) Simple notification using text argument. New in version 2015.8.0. name A unique string. text Text to return in the comment. salt.states.test.succeed_with_changes(name) Returns successful and changes is not empty New in version 2014.7.0. name: A unique string. salt.states.test.succeed_without_changes(name) Returns successful. New in version 2014.7.0. name A unique string. salt.states.timezone Management of timezones The timezone can be managed for the system: America/Denver: timezone.system The system and the hardware clock are not necessarily set to the same time. By default, the hardware clock is set to localtime, meaning it is set to the same time as the system clock. If utc is set to True, then the hardware clock will be set to UTC, and the system clock will be an offset of that. America/Denver: timezone.system: - utc: True The Ubuntu community documentation contains an explanation of this setting, as it applies to systems that dual-boot with Windows. This is explained in greater detail here. salt.states.timezone.system(name, utc=True) Set the timezone for the system. name The name of the timezone to use (e.g.: America/Denver) utc Whether or not to set the hardware clock to UTC (default is True) salt.states.tls Enforce state for SSL/TLS salt.states.tls.valid_certificate(name, weeks=0, days=0, hours=0, minutes=0, seconds=0) Verify that a TLS certificate is valid now and (optionally) will be valid for the time specified through weeks, days, hours, minutes, and seconds. salt.states.tomcat This state uses the manager webapp to manage Apache tomcat webapps This state requires the manager webapp to be enabled The following grains/pillar should be set: tomcat-manager:user: admin user name tomcat-manager:passwd: password and also configure a user in the conf/tomcat-users.xml file: <?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager-script"/> <user username="tomcat" password="tomcat" roles="manager-script"/> </tomcat-users> Notes: • Not supported multiple version on the same context path • More information about tomcat manager: http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html • if you use only this module for deployments you might want to restrict access to the manager so its only accessible via localhost for more info: http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Configuring_Manager_Application_Access • Tested on: JVM Vendor: Sun Microsystems Inc. JVM Version: 1.6.0_43-b01 OS Architecture: amd64 OS Name: Linux OS Version: 2.6.32-358.el6.x86_64 Tomcat Version: Apache Tomcat/7.0.37 salt.states.tomcat.mod_watch(name, url='http://localhost:8080/manager', timeout=180) The tomcat watcher function. When called it will reload the webapp in question salt.states.tomcat.undeployed(name, url='http://localhost:8080/manager', timeout=180) Enforce that the WAR will be un-deployed from the server name the context path to deploy url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request to the tomcat manager Example: jenkins: tomcat.undeployed: - name: /ran - require: - service: application-service salt.states.tomcat.wait(name, url='http://localhost:8080/manager', timeout=180) Wait for the tomcat manager to load Notice that if tomcat is not running we won't wait for it start and the state will fail. This state can be required in the tomcat.war_deployed state to make sure tomcat is running and that the manager is running as well and ready for deployment url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request to the tomcat manager Example: tomcat-service: service.running: - name: tomcat - enable: True wait-for-tomcatmanager: tomcat.wait: - timeout: 300 - require: - service: tomcat-service jenkins: tomcat.war_deployed: - name: /ran - war: salt://jenkins-1.2.4.war - require: - tomcat: wait-for-tomcatmanager salt.states.tomcat.war_deployed(name, war, force=False, url='http://localhost:8080/manager', timeout=180, temp_war_location=None, version='') Enforce that the WAR will be deployed and started in the context path it will make use of WAR versions for more info: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Naming name the context path to deploy war absolute path to WAR file (should be accessible by the user running tomcat) or a path supported by the salt.modules.cp.get_url function force force deploy even if version strings are the same, False by default. url http://localhost:8080/manager the URL of the server manager webapp timeout 180 timeout for HTTP request to the tomcat manager temp_war_location None use another location to temporarily copy to war file by default the system's temp directory is used version '' Specify the war version. If this argument is provided, it overrides the version encoded in the war file name, if one is present. New in version 2015.8.6. Example: jenkins: tomcat.war_deployed: - name: /ran - war: salt://jenkins-1.2.4.war - require: - service: application-service salt.states.trafficserver Control Apache Traffic Server New in version 2015.8.0. salt.states.trafficserver.bounce_cluster(name) Bounce all Traffic Server nodes in the cluster. Bouncing Traffic Server shuts down and immediately restarts Traffic Server, node-by-node. bounce_ats_cluster: trafficserver.bounce_cluster salt.states.trafficserver.bounce_local(name, drain=False) Bounce Traffic Server on the local node. Bouncing Traffic Server shuts down and immediately restarts the Traffic Server node. This option modifies the behavior of traffic_line -b and traffic_line -L such that traffic_server is not shut down until the number of active client connections drops to the number given by the proxy.config.restart.active_client_threshold configuration variable. bounce_ats_local: trafficserver.bounce_local bounce_ats_local: trafficserver.bounce_local - drain: True salt.states.trafficserver.clear_cluster(name) Clears accumulated statistics on all nodes in the cluster. clear_ats_cluster: trafficserver.clear_cluster salt.states.trafficserver.clear_node(name) Clears accumulated statistics on the local node. clear_ats_node: trafficserver.clear_node salt.states.trafficserver.offline(name, path) Mark a cache storage device as offline. The storage is identified by a path which must match exactly a path specified in storage.config. This removes the storage from the cache and redirects requests that would have used this storage to other storage. This has exactly the same effect as a disk failure for that storage. This does not persist across restarts of the traffic_server process. offline_ats_path: trafficserver.offline: - path: /path/to/cache salt.states.trafficserver.refresh(name) Initiate a Traffic Server configuration file reread. Use this command to update the running configuration after any configuration file modification. The timestamp of the last reconfiguration event (in seconds since epoch) is published in the proxy.node.config.reconfigure_time metric. refresh_ats: trafficserver.refresh salt.states.trafficserver.restart_cluster(name) Restart the traffic_manager process and the traffic_server process on all the nodes in a cluster. restart_ats_cluster: trafficserver.restart_cluster salt.states.trafficserver.restart_local(name, drain=False) Restart the traffic_manager and traffic_server processes on the local node. This option modifies the behavior of traffic_line -b and traffic_line -L such that traffic_server is not shut down until the number of active client connections drops to the number given by the proxy.config.restart.active_client_threshold configuration variable. restart_ats_local: trafficserver.restart_local restart_ats_local_drain: trafficserver.restart_local - drain: True salt.states.trafficserver.set_var(name, value) Set Traffic Server variable values proxy.config.proxy_name: trafficserver.set_var: - value: cdn.site.domain.tld OR traffic_server_setting: trafficserver.set_var: - name: proxy.config.proxy_name - value: cdn.site.domain.tld salt.states.trafficserver.shutdown(name) Shut down Traffic Server on the local node. shutdown_ats: trafficserver.shutdown salt.states.trafficserver.startup(name) Start Traffic Server on the local node. startup_ats: trafficserver.startup salt.states.trafficserver.zero_cluster(name) Reset performance statistics to zero across the cluster. zero_ats_cluster: trafficserver.zero_cluster salt.states.trafficserver.zero_node(name) Reset performance statistics to zero on the local node. zero_ats_node: trafficserver.zero_node salt.states.tuned Interface to Red Hat tuned-adm module maintainer Syed Ali <alicsyed@gmail.com> maturity new depends cmd.run platform Linux salt.states.tuned.off(name=None) Turns 'tuned' off. Example tuned.sls file for turning tuned off: tuned: tuned.off: [] To see a valid list of states call execution module: tuned.list salt.states.tuned.profile(name) This state module allows you to modify system tuned parameters Example tuned.sls file to set profile to virtual-guest tuned: tuned: • profile • name: virtual-guest name tuned profile name to set the system to To see a valid list of states call execution module: tuned.list salt.states.uptime Monitor Web Server with Uptime Uptime is an open source remote monitoring application using Node.js, MongoDB, and Twitter Bootstrap. WARNING: This state module is beta. It might be changed later to include more or less automation. NOTE: This state module requires a pillar to specify the location of your uptime install uptime: application_url: "http://uptime-url.example.org" Example: url: uptime.monitored url/sitemap.xml: uptime.monitored: - polling: 600 # every hour salt.states.uptime.monitored(name, **params) Makes sure an URL is monitored by uptime. Checks if URL is already monitored, and if not, adds it. salt.states.user Management of user accounts The user module is used to create and manage user settings, users can be set as either absent or present fred: user.present: - fullname: Fred Jones - shell: /bin/zsh - home: /home/fred - uid: 4000 - gid: 4000 - groups: - wheel - storage - games testuser: user.absent salt.states.user.absent(name, purge=False, force=False) Ensure that the named user is absent name The name of the user to remove purge Set purge to True to delete all of the user's files as well as the user, Default is False. force If the user is logged in, the absent state will fail. Set the force option to True to remove the user even if they are logged in. Not supported in FreeBSD and Solaris, Default is False. salt.states.user.present(name, uid=None, gid=None, gid_from_name=False, groups=None, optional_groups=None, remove_groups=True, home=None, createhome=True, password=None, enforce_password=True, empty_password=False, shell=None, unique=True, system=False, fullname=None, roomnumber=None, workphone=None, homephone=None, loginclass=None, date=None, mindays=None, maxdays=None, inactdays=None, warndays=None, expire=None, win_homedrive=None, win_profile=None, win_logonscript=None, win_description=None) Ensure that the named user is present with the specified properties name The name of the user to manage uid The user id to assign, if left empty then the next available user id will be assigned gid The default group id. Also accepts group name. gid_from_name If True, the default group id will be set to the id of the group with the same name as the user, Default is False. groups A list of groups to assign the user to, pass a list object. If a group specified here does not exist on the minion, the state will fail. If set to the empty list, the user will be removed from all groups except the default group. optional_groups A list of groups to assign the user to, pass a list object. If a group specified here does not exist on the minion, the state will silently ignore it. NOTE: If the same group is specified in both "groups" and "optional_groups", then it will be assumed to be required and not optional. remove_groups Remove groups that the user is a member of that weren't specified in the state, Default is True. home The custom login directory of user. Uses default value of underlying system if not set. Notice that this directory does not have to exists. This also the location of the home directory to create if createhome is set to True. createhome If False, the home directory will not be created if it doesn't exist. Please note that directories leading up to the home directory will NOT be created, Default is True. password A password hash to set for the user. This field is only supported on Linux, FreeBSD, NetBSD, OpenBSD, and Solaris. If the empty_password argument is set to True then password is ignored. For Windows this is the plain text password. Changed in version 0.16.0: BSD support added. enforce_password Set to False to keep the password from being changed if it has already been set and the password hash differs from what is specified in the "password" field. This option will be ignored if "password" is not specified, Default is True. empty_password Set to True to enable password-less login for user, Default is False. shell The login shell, defaults to the system default shell unique Require a unique UID, Default is True. system Choose UID in the range of FIRST_SYSTEM_UID and LAST_SYSTEM_UID, Default is False. loginclass The login class, defaults to empty (BSD only) User comment field (GECOS) support (currently Linux, BSD, and MacOS only): The below values should be specified as strings to avoid ambiguities when the values are loaded. (Especially the phone and room number fields which are likely to contain numeric data) fullname The user's full name roomnumber The user's room number (not supported in MacOS) workphone The user's work phone number (not supported in MacOS) homephone The user's home phone number (not supported in MacOS) Changed in version 2014.7.0: Shadow attribute support added. Shadow attributes support (currently Linux only): The below values should be specified as integers. date Date of last change of password, represented in days since epoch (January 1, 1970). mindays The minimum number of days between password changes. maxdays The maximum number of days between password changes. inactdays The number of days after a password expires before an account is locked. warndays Number of days prior to maxdays to warn users. expire Date that account expires, represented in days since epoch (January 1, 1970). The below parameters apply to windows only: win_homedrive (Windows Only) The drive letter to use for the home directory. If not specified the home directory will be a unc path. Otherwise the home directory will be mapped to the specified drive. Must be a letter followed by a colon. Because of the colon, the value must be surrounded by single quotes. ie: - win_homedrive: 'U: Changed in version 2015.8.0. win_profile (Windows Only) The custom profile directory of the user. Uses default value of underlying system if not set. Changed in version 2015.8.0. win_logonscript (Windows Only) The full path to the logon script to run when the user logs in. Changed in version 2015.8.0. win_description (Windows Only) A brief description of the purpose of the users account. Changed in version 2015.8.0. salt.states.vbox_guest VirtualBox Guest Additions installer state salt.states.vbox_guest.additions_installed(name, reboot=False, upgrade_os=False) Ensure that the VirtualBox Guest Additions are installed. Uses the CD, connected by VirtualBox. name The name has no functional value and is only used as a tracking reference. reboot False Restart OS to complete installation. upgrade_os False Upgrade OS (to ensure the latests version of kernel and developer tools installed). salt.states.vbox_guest.additions_removed(name, force=False) Ensure that the VirtualBox Guest Additions are removed. Uses the CD, connected by VirtualBox. To connect VirtualBox Guest Additions via VirtualBox graphical interface press 'Host+D' ('Host' is usually 'Right Ctrl'). name The name has no functional value and is only used as a tracking reference. force Force VirtualBox Guest Additions removing. salt.states.vbox_guest.grant_access_to_shared_folders_to(name, users=None) Grant access to auto-mounted shared folders to the users. User is specified by it's name. To grant access for several users use argument users. name Name of the user to grant access to auto-mounted shared folders to. users List of names of users to grant access to auto-mounted shared folders to. If specified, name will not be taken into account. salt.states.victorops Create an Event in VictorOps New in version 2015.8.0. This state is useful for creating events on the VictorOps service during state runs. webserver-warning-message: victorops.create_event: - message_type: 'CRITICAL' - entity_id: 'webserver/diskspace' - state_message: 'Webserver diskspace is low.' salt.states.victorops.create_event(name, message_type, routing_key='everyone', **kwargs) Create an event on the VictorOps service webserver-warning-message: victorops.create_event: - message_type: 'CRITICAL' - entity_id: 'webserver/diskspace' - state_message: 'Webserver diskspace is low.' database-server-warning-message: victorops.create_event: - message_type: 'WARNING' - entity_id: 'db_server/load' - state_message: 'Database Server load is high.' - entity_is_host: True - entity_display_name: 'dbdserver.example.com' The following parameters are required: name This is a short description of the event. message_type One of the following values: INFO, WARNING, ACKNOWLEDGEMENT, CRITICAL, RECOVERY. The following parameters are optional: routing_key The key for where messages should be routed. By default, sent to 'everyone' route. entity_id The name of alerting entity. If not provided, a random name will be assigned. timestamp Timestamp of the alert in seconds since epoch. Defaults to the time the alert is received at VictorOps. timestamp_fmt The date format for the timestamp parameter. Defaults to ''%Y-%m-%dT%H:%M:%S'. state_start_time The time this entity entered its current state (seconds since epoch). Defaults to the time alert is received. state_start_time_fmt The date format for the timestamp parameter. Defaults to '%Y-%m-%dT%H:%M:%S'. state_message Any additional status information from the alert item. entity_is_host Used within VictorOps to select the appropriate display format for the incident. entity_display_name Used within VictorOps to display a human-readable name for the entity. ack_message A user entered comment for the acknowledgment. ack_author The user that acknowledged the incident. salt.states.virtualenv Setup of Python virtualenv sandboxes. New in version 0.17.0. salt.states.virtualenv_mod.managed(name, venv_bin=None, requirements=None, system_site_packages=False, distribute=False, use_wheel=False, clear=False, python=None, extra_search_dir=None, never_download=None, prompt=None, user=None, no_chown=False, cwd=None, index_url=None, extra_index_url=None, pre_releases=False, no_deps=False, pip_download=None, pip_download_cache=None, pip_exists_action=None, proxy=None, use_vt=False, env_vars=None, pip_upgrade=False, pip_pkgs=None) Create a virtualenv and optionally manage it with pip name Path to the virtualenv. requirements Path to a pip requirements file. If the path begins with salt:// the file will be transferred from the master file server. cwd Path to the working directory where pip install is executed. user The user under which to run virtualenv and pip. no_chown: False When user is given, do not attempt to copy and chown a requirements file (needed if the requirements file refers to other files via relative paths, as the copy-and-chown procedure does not account for such files) use_wheel False Prefer wheel archives (requires pip >= 1.4). no_deps: False Pass --no-deps to pip install. pip_exists_action: None Default action of pip when a path already exists: (s)witch, (i)gnore, (w)ipe, (b)ackup proxy: None Proxy address which is passed to pip install. env_vars Set environment variables that some builds will depend on. For example, a Python C-module may have a Makefile that needs INCLUDE_PATH set to pick up a header file while compiling. pip_upgrade: False Pass --upgrade to pip install. pip_pkgs: None As an alternative to requirements, pass a list of pip packages that should be installed. Also accepts any kwargs that the virtualenv module will. However, some kwargs require - distribute: True /var/www/myvirtualenv.com: virtualenv.managed: - system_site_packages: False - requirements: salt://REQUIREMENTS.txt salt.states.win_dacl Windows Object Access Control Lists Ensure an ACL is present parameters: name - the path of the object objectType - Registry/File/Directory user - user account for the ace permission - permission for the ace (see module win_acl for available permissions for each objectType) acetype - Allow/Deny propagation - how the ACL should apply to child objects (see module win_acl for available propagation types) addAcl: win_dacl.present: - name: HKEY_LOCAL_MACHINE\SOFTWARE\mykey - objectType: Registry - user: FakeUser - permission: FulLControl - acetype: ALLOW - propagation: KEY&SUBKEYS Ensure an ACL does not exist parameters: name - the path of the object objectType - Registry/File/Directory user - user account for the ace permission - permission for the ace (see module win_acl for available permissions for each objectType) acetype - Allow/Deny propagation - how the ACL should apply to child objects (see module win_acl for available propagation types) removeAcl: win_dacl.absent: • name: HKEY_LOCAL_MACHINESOFTWAREmykey • objectType: Registry • user: FakeUser • permission: FulLControl • acetype: ALLOW • propagation: KEY&SUBKEYS Ensure an object is inheriting permissions parameters: name - the path of the object objectType - Registry/File/Directory clear_existing_acl - True/False - when inheritance is enabled, should the existing ACL be kept or cleared out eInherit: win_dacl.enableinheritance: • name: HKEY_LOCAL_MACHINESOFTWAREmykey • objectType: Registry • clear_existing_acl: True Ensure an object is not inheriting permissions parameters: name - the path of the object objectType - Registry/File/Directory copy_inherited_acl - True/False - if inheritance is enabled, should the inherited permissions be copied to the ACL when inheritance is disabled dInherit: win_dacl.disableinheritance: • name: HKEY_LOCAL_MACHINESOFTWAREmykey • objectType: Registry • copy_inherited_acl: False salt.states.win_dacl.absent(name, objectType, user, permission, acetype, propagation) Ensure a Linux ACL does not exist salt.states.win_dacl.disinherit(name, objectType, copy_inherited_acl=True) Ensure an object is not inheriting ACLs from its parent salt.states.win_dacl.inherit(name, objectType, clear_existing_acl=False) Ensure an object is inheriting ACLs from its parent salt.states.win_dacl.present(name, objectType, user, permission, acetype, propagation) Ensure an ACE is present salt.states.win_dns_client Module for configuring DNS Client on Windows systems salt.states.win_dns_client.dns_dhcp(name, interface='Local Area Connection') Configure the DNS server list from DHCP Server salt.states.win_dns_client.dns_exists(name, servers=None, interface='Local Area Connection', replace=False) Configure the DNS server list in the specified interface Example: config_dns_servers: win_dns_client.dns_exists: - replace: True #remove any servers not in the "servers" list, default is False - servers: - 8.8.8.8 - 8.8.8.9 salt.states.win_dns_client.primary_suffix(name, suffix=None, updates=False) New in version 2014.7.0. Configure the global primary DNS suffix of a DHCP client. suffix None The suffix which is advertised for this client when acquiring a DHCP lease When none is set, the explicitly configured DNS suffix will be removed. updates False Allow syncing the DNS suffix with the AD domain when the client's AD domain membership changes primary_dns_suffix: win_dns_client.primary_suffix: - suffix: sub.domain.tld - updates: True salt.states.win_firewall State for configuring Windows Firewall salt.states.win_firewall.add_rule(name, localport, protocol='tcp', action='allow', dir='in') Add a new firewall rule (Windows only) salt.states.win_firewall.disabled(name) Disable all the firewall profiles (Windows only) salt.states.win_network Configuration of network interfaces on Windows hosts New in version 2014.1.0. This module provides the network state(s) on Windows hosts. DNS servers, IP addresses and default gateways can currently be managed. Below is an example of the configuration for an interface that uses DHCP for both DNS servers and IP addresses: Local Area Connection #2: network.managed: - dns_proto: dhcp - ip_proto: dhcp NOTE: Both the dns_proto and ip_proto arguments are required. Static DNS and IP addresses can be configured like so: Local Area Connection #2: network.managed: - dns_proto: static - dns_servers: - 8.8.8.8 - 8.8.4.4 - ip_proto: static - ip_addrs: - 10.2.3.4/24 NOTE: IP addresses are specified using the format <ip-address>/<subnet-length>. Salt provides a convenience function called ip.get_subnet_length to calculate the subnet length from a netmask. Optionally, if you are setting a static IP address, you can also specify the default gateway using the gateway parameter: Local Area Connection #2: network.managed: - dns_proto: static - dns_servers: - 8.8.8.8 - 8.8.4.4 - ip_proto: static - ip_addrs: - 10.2.3.4/24 - gateway: 10.2.3.1 salt.states.win_network.managed(name, dns_proto=None, dns_servers=None, ip_proto=None, ip_addrs=None, gateway=None, enabled=True, **kwargs) Ensure that the named interface is configured properly. name The name of the interface to manage dns_proto None Set to static and use the dns_servers parameter to provide a list of DNS nameservers. set to dhcp to use DHCP to get the DNS servers. dns_servers None A list of static DNS servers. ip_proto None Set to static and use the ip_addrs and (optionally) gateway parameters to provide a list of static IP addresses and the default gateway. Set to dhcp to use DHCP. ip_addrs None A list of static IP addresses. gateway None A list of static IP addresses. enabled True Set to False to ensure that this interface is disabled. salt.states.win_path Manage the Windows System PATH salt.states.win_path.absent(name) Remove the directory from the SYSTEM path index: where the directory should be placed in the PATH (default: 0) Example: 'C:\sysinternals': win_path.absent salt.states.win_path.exists(name, index=None) Add the directory to the system PATH at index location index: where the directory should be placed in the PATH (default: None) [Note: Providing no index will append directory to PATH and will not enforce its location within the PATH.] Example: 'C:\python27': win_path.exists 'C:\sysinternals': win_path.exists: index: 0 salt.states.win_powercfg This module allows you to control the power settings of a windows minion via powercfg. New in version 2015.8.0. monitor: powercfg.set_timeout: - value: 30 - power: dc salt.states.win_powercfg.set_timeout(name, value, power='ac') Set the sleep timeouts of specific items such as disk, monitor. CLI Example: monitor: powercfg.set_timeout: - value: 30 - power: dc disk: powercfg.set_timeout: - value: 12 - power: ac name The setting to change, can be one of the following: monitor, disk, standby, hibernate timeout The amount of time in minutes before the item will timeout i.e the monitor power Should we set the value for AC or DC (battery)? Valid options ac,dc. salt.states.win_servermanager Manage Windows features via the ServerManager powershell module salt.states.win_servermanager.installed(name, recurse=False, force=False) Install the windows feature name: short name of the feature (the right column in win_servermanager.list_available) recurse: install all sub-features as well force: if the feature is installed but on of its sub-features are not installed set this to True to force the installation of the sub-features Note: Some features require reboot after un/installation. If so, until the server is restarted other features can not be installed! Example: Run salt MinionName win_servermanager.list_available to get a list of available roles and features. Use the name in the right column. Do not use the role or feature names mentioned in the PKGMGR documentation. In this example for IIS-WebServerRole the name to be used is Web-Server. ISWebserverRole: win_servermanager.installed: - force: True - recurse: True - name: Web-Server salt.states.win_servermanager.removed(name) Remove the windows feature name: short name of the feature (the right column in win_servermanager.list_available) NOTE: Some features require a reboot after uninstallation. If so the feature will not be completely uninstalled until the server is restarted. Example: Run salt MinionName win_servermanager.list_installed to get a list of all features installed. Use the top name listed for each feature, not the indented one. Do not use the role or feature names mentioned in the PKGMGR documentation. ISWebserverRole: win_servermanager.removed: - name: Web-Server salt.states.win_system Management of Windows system information New in version 2014.1.0. This state is used to manage system information such as the computer name and description. ERIK-WORKSTATION: system.computer_name: [] This is Erik's computer, don't touch!: system.computer_desc: [] salt.states.win_system.computer_desc(name) Manage the computer's description field name The desired computer description salt.states.win_system.computer_name(name) Manage the computer's name name The desired computer name salt.states.win_update Management of the windows update agent New in version 2014.7.0. Set windows updates to run by category. Default behavior is to install all updates that do not require user interaction to complete. Optionally set category to a category of your choice to only install certain updates. Default is to set to install all available updates. The following example will install all Security and Critical Updates, and download but not install standard updates. updates: win_update.installed: - categories: - 'Critical Updates' - 'Security Updates' - skips: - downloaded win_update.downloaded: - categories: - 'Updates' - skips: - downloaded You can also specify a number of features about the update to have a fine grain approach to specific types of updates. These are the following features/states of updates available for configuring: 'UI' - User interaction required, skipped by default 'downloaded' - Already downloaded, included by default 'present' - Present on computer, skipped by default 'installed' - Already installed, skipped by default 'reboot' - Reboot required, included by default 'hidden' - Skip updates that have been hidden, skipped by default 'software' - Software updates, included by default 'driver' - driver updates, included by default The following example installs all driver updates that don't require a reboot: gryffindor: win_update.installed: • skips: - driver: True - software: False - reboot: False To just update your windows machine, add this your sls: class salt.states.win_update.PyWinUpdater(categories=None, skipUI=True, skipDownloaded=False, skipInstalled=True, skipReboot=False, skipPresent=False, skipSoftwareUpdates=False, skipDriverUpdates=False, skipHidden=True) AutoSearch() Download() GetAvailableCategories() GetCategories() GetDownloadResults() GetInstallationResults() Install() Search(searchString) SetCategories(categories) SetSkip(skip, state) SetSkips(skips) salt.states.win_update.downloaded(name, categories=None, skips=None, retries=10) Cache updates for later install. name: if categories is left empty, it will be assumed that you are passing the category option through the name. These are separate because you can only have one name, but can have multiple categories. categories: the list of categories to be downloaded. These are simply strings in the update's information, so there is no enumeration of the categories available. Some known categories: Updates Windows 7 Critical Updates Security Updates Update Rollups skips: a list of features of the updates to cull by. Available features: 'UI' - User interaction required, skipped by default 'downloaded' - Already downloaded, skipped by default (downloading) 'present' - Present on computer, included by default (installing) 'installed' - Already installed, skipped by default 'reboot' - Reboot required, included by default 'hidden' - skip those updates that have been hidden. 'software' - Software updates, included by default 'driver' - driver updates, skipped by default retries Number of retries to make before giving up. This is total, not per step. salt.states.win_update.installed(name, categories=None, skips=None, retries=10) Install specified windows updates. name: if categories is left empty, it will be assumed that you are passing the category option through the name. These are separate because you can only have one name, but can have multiple categories. categories: the list of categories to be downloaded. These are simply strings in the update's information, so there is no enumeration of the categories available. Some known categories: Updates Windows 7 Critical Updates Security Updates Update Rollups skips: a list of features of the updates to cull by. Available features: 'UI' - User interaction required, skipped by default 'downloaded' - Already downloaded, skipped by default (downloading) 'present' - Present on computer, included by default (installing) 'installed' - Already installed, skipped by default 'reboot' - Reboot required, included by default 'hidden' - skip those updates that have been hidden. 'software' - Software updates, included by default 'driver' - driver updates, skipped by default retries Number of retries to make before giving up. This is total, not per step. salt.states.winrepo Manage Windows Package Repository salt.states.winrepo.genrepo(name, force=False, allow_empty=False) Refresh the winrepo.p file of the repository (salt-run winrepo.genrepo) If force is True no checks will be made and the repository will be generated if allow_empty is True then the state will not return an error if there are 0 packages, NOTE: This state only loads on minions that have the roles: salt-master grain set. Example: winrepo: winrepo.genrepo salt.states.x509 Manage X509 Certificates New in version 2015.8.0. This module can enable managing a complete PKI infrastructure including creating private keys, CA's, certificates and CRLs. It includes the ability to generate a private key on a server, and have the corresponding public key sent to a remote CA to create a CA signed certificate. This can be done in a secure manner, where private keys are always generated locally and never moved across the network. Here is a simple example scenario. In this example ca is the ca server, and www is a web server that needs a certificate signed by ca. For remote signing, peers must be permitted to remotely call the sign_remote_certificate function. /etc/salt/master.d/peer.conf peer: .*: - x509.sign_remote_certificate /srv/salt/top.sls base: '*': - cert 'ca': - ca 'www': - www This state creates the CA key, certificate and signing policy. It also publishes the certificate to the mine where it can be easily retrieved by other minions. /srv/salt/ca.sls salt-minion: service.running: - enable: True - listen: - file: /etc/salt/minion.d/signing_policies.conf /etc/salt/minion.d/signing_policies.conf: file.managed: - source: salt://signing_policies.conf /etc/pki: file.directory: [] /etc/pki/issued_certs: file.directory: [] /etc/pki/ca.key: x509.private_key_managed: - bits: 4096 - backup: True - require: - file: /etc/pki /etc/pki/ca.crt: x509.certificate_managed: - signing_private_key: /etc/pki/ca.key - CN: ca.example.com - C: US - ST: Utah - L: Salt Lake City - basicConstraints: "critical CA:true" - keyUsage: "critical cRLSign, keyCertSign" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - days_valid: 3650 - days_remaining: 0 - backup: True - require: - x509: /etc/pki/ca.key mine.send: module.run: - func: x509.get_pem_entries - kwargs: glob_path: /etc/pki/ca.crt - onchanges: - x509: /etc/pki/ca.crt The signing policy defines properties that override any property requested or included in a CRL. It also can define a restricted list of minons which are allowed to remotely invoke this signing policy. /srv/salt/signing_policies.conf x509_signing_policies: www: - minions: 'www' - signing_private_key: /etc/pki/ca.key - signing_cert: /etc/pki/ca.crt - C: US - ST: Utah - L: Salt Lake City - basicConstraints: "critical CA:false" - keyUsage: "critical cRLSign, keyCertSign" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - days_valid: 90 - copypath: /etc/pki/issued_certs/ This state will instruct all minions to trust certificates signed by our new CA. Using jinja to strip newlines from the text avoids dealing with newlines in the rendered yaml, and the sign_remote_certificate state will handle properly formatting the text before writing the output. /srv/salt/cert.sls /usr/local/share/ca-certificates: file.directory: [] /usr/local/share/ca-certificates/intca.crt: x509.pem_managed: - text: {{ salt['mine.get']('ca', 'x509.get_pem_entries')['ca']['/etc/pki/ca.crt']|replace('\n', '') }} This state creates a private key then requests a certificate signed by ca according to the www policy. /srv/salt/www.sls /etc/pki/www.key: x509.private_key_managed: - bits: 4096 /etc/pki/www.crt: x509.certificate_managed: - ca_server: ca - signing_policy: www - public_key: /etc/pki/www.key - CN: www.example.com - days_remaining: 30 - backup: True salt.states.x509.certificate_managed(name, days_remaining=90, backup=False, **kwargs) Manage a Certificate name: Path to the certificate days_remaining: The minimum number of days remaining when the certificate should be recreated. Default is 90. A value of 0 disables automatic renewal. backup: When replacing an existing file, backup the old file on the minion. Default is False. kwargs: Any arguments supported by x509.create_certificate are supported. Examples: /etc/pki/ca.crt: x509.certificate_managed: - signing_private_key: /etc/pki/ca.key - CN: ca.example.com - C: US - ST: Utah - L: Salt Lake City - basicConstraints: "critical CA:true" - keyUsage: "critical cRLSign, keyCertSign" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - days_valid: 3650 - days_remaining: 0 - backup: True /etc/ssl/www.crt: x509.certificate_managed: - ca_server: pki - signing_policy: www - public_key: /etc/ssl/www.key - CN: www.example.com - days_valid: 90 - days_remaining: 30 - backup: True salt.states.x509.crl_managed(name, signing_private_key, signing_cert=None, revoked=None, days_valid=100, days_remaining=30, include_expired=False, backup=False) Manage a Certificate Revocation List name: Path to the certificate signing_private_key: The private key that will be used to sign this crl. This is usually your CA's private key. signing_cert: The certificate of the authority that will be used to sign this crl. This is usually your CA's certificate. revoked: A list of certificates to revoke. Must include either a serial number or a the certificate itself. Can optionally include the revocation date and notAfter date from the certificate. See example below for details. days_valid: The number of days the certificate should be valid for. Default is 100. days_remaining: The crl should be automatically recreated if there are less than days_remaining days until the crl expires. Set to 0 to disable automatic renewal. Default is 30. include_expired: Include expired certificates in the CRL. Default is False. backup: When replacing an existing file, backup the old file onthe minion. Default is False. Example: /etc/pki/ca.crl: x509.crl_managed: - signing_private_key: /etc/pki/myca.key - signing_cert: /etc/pki/myca.crt - revoked: - compromized_Web_key: - certificate: /etc/pki/certs/badweb.crt - revocation_date: 2015-03-01 00:00:00 - reason: keyCompromise - terminated_vpn_user: - serial_number: D6:D2:DC:D8:4D:5C:C0:F4 - not_after: 2016-01-01 00:00:00 - revocation_date: 2015-02-25 00:00:00 - reason: cessationOfOperation salt.states.x509.csr_managed(name, backup=False, **kwargs) Manage a Certificate Signing Request name: Path to the CSR properties: The properties to be added to the certificate request, including items like subject, extensions and public key. See above for valid properties. Example: /etc/pki/mycert.csr: x509.csr_managed: - public_key: /etc/pki/mycert.key - CN: www.example.com - C: US - ST: Utah - L: Salt Lake City - keyUsage: 'critical dataEncipherment' salt.states.x509.pem_managed(name, text, backup=False) Manage the contents of a PEM file directly with the content in text, ensuring correct formatting. name: The path to the file to manage text: The PEM formatted text to write. backup: When replacing an existing file, backup the old file on the minion. Default is False. salt.states.x509.private_key_managed(name, bits=2048, new=False, backup=False) Manage a private key's existence. name: Path to the private key bits: Key length in bits. Default 2048. new: Always create a new key. Defaults to False. Combining new with prereq can allow key rotation whenever a new certificiate is generated. backup: When replacing an existing file, backup the old file onthe minion. Default is False. Example: The jinja templating in this example ensures a private key is generated if the file doesn't exist and that a new private key is generated whenever the certificate that uses it is to be renewed. /etc/pki/www.key: x509.private_key_managed: - bits: 4096 - new: True {% if salt['file.file_exists']('/etc/pki/ca.key') -%} - prereq: - x509: /etc/pki/www.crt {%- endif %} salt.states.xmpp Sending Messages over XMPP New in version 2014.1.0. This state is useful for firing messages during state runs, using the XMPP protocol server-warning-message: xmpp.send_msg: - name: 'This is a server warning message' - profile: my-xmpp-account - recipient: admins@xmpp.example.com/salt salt.states.xmpp.send_msg(name, recipient, profile) Send a message to an XMPP user server-warning-message: xmpp.send_msg: - name: 'This is a server warning message' - profile: my-xmpp-account - recipient: admins@xmpp.example.com/salt name The message to send to the XMPP user salt.states.xmpp.send_msg_multi(name, profile, recipients=None, rooms=None) Send a message to an list of recipients or rooms server-warning-message: xmpp.send_msg: - name: 'This is a server warning message' - profile: my-xmpp-account - recipients: - admins@xmpp.example.com/salt - rooms: - qa@conference.xmpp.example.com name The message to send to the XMPP user salt.states.zcbuildout Management of zc.buildout This module is inspired from minitage's buildout maker (‐ https://github.com/minitage/minitage/blob/master/src/minitage/core/makers/buildout.py) New in version Boron. NOTE: This state module is beta; the API is subject to change and no promise as to performance or functionality is yet present Available Functions • built installed1 buildout.installed: - name: /path/to/buildout installed2 buildout.installed: - name: /path/to/buildout - parts: - a - b - python: /path/to/pythonpath/bin/python - unless: /bin/test_something_installed - onlyif: /bin/test_else_installed salt.states.zcbuildout.installed(name, config='buildout.cfg', quiet=False, parts=None, user=None, env=(), buildout_ver=None, test_release=False, distribute=None, new_st=None, offline=False, newest=False, python='/usr/bin/python', debug=False, verbose=False, unless=None, onlyif=None, use_vt=False, loglevel='debug', **kwargs) Install buildout in a specific directory It is a thin wrapper to modules.buildout.buildout name directory to execute in quiet do not output console & logs config buildout config to use (default: buildout.cfg) parts specific buildout parts to run user user used to run buildout as New in version 2014.1.4. env environment variables to set when running buildout_ver force a specific buildout version (1 | 2) test_release buildout accept test release new_st Forcing use of setuptools >= 0.7 distribute use distribute over setuptools if possible offline does buildout run offline python python to use debug run buildout with -D debug flag onlyif Only execute cmd if statement on the host return 0 unless Do not execute cmd if statement on the host return 0 newest run buildout in newest mode verbose run buildout in verbose mode (-vvvvv) use_vt Use the new salt VT to stream output [experimental] loglevel loglevel for buildout commands salt.states.zk_concurrency Control concurrency of steps within state execution using zookeeper This module allows you to "wrap" a state's execution with concurrency control. This is useful to protect against all hosts executing highstate simultaneously if your services don't all HUP restart. The common way of protecting against this is to run in batch mode, but that doesn't protect from another person running the same batch command (and thereby having 2x the number of nodes deploying at once). This module will bock while acquiring a slot, meaning that however the command gets called it will coordinate with zookeeper to ensure that no more than max_concurrency steps are executing with a single path. acquire_lock: zk_concurrency.lock: - name: /trafficeserver - zk_hosts: 'zookeeper:2181' - max_concurrency: 4 - prereq: - service: trafficserver trafficserver: service.running: - watch: - file: /etc/trafficserver/records.config /etc/trafficserver/records.config: file.managed: - source: salt://records.config release_lock: zk_concurrency.unlock: - name: /trafficserver - require: - service: trafficserver This example would allow the file state to change, but would limit the concurrency of the trafficserver service restart to 4. salt.states.zk_concurrency.lock(name, zk_hosts, identifier=None, max_concurrency=1, timeout=None, ephemeral_lease=False) Block state execution until you are able to get the lock (or hit the timeout) salt.states.zk_concurrency.min_party(name, zk_hosts, min_nodes) Ensure that there are min_nodes in the party at name. salt.states.zk_concurrency.unlock(name, zk_hosts=None, identifier=None, max_concurrency=1, ephemeral_lease=False) Remove lease from semaphore. Execution Modules Salt execution modules are the functions called by the salt command. NOTE: Salt execution modules are different from state modules and cannot be called directly within state files. You must use the module state module to call execution modules within state runs. SEE ALSO: Full list of builtin modules Salt ships with many modules that cover a wide variety of tasks. Modules Are Easy to Write! Writing Salt execution modules is straightforward. A Salt execution modules is a Python or Cython module placed in a directory called _modules/ within the file_roots as specified by the master config file. By default this is /srv/salt/_modules on Linux systems. Modules placed in _modules/ will be synced to the minions when any of the following Salt functions are called: • state.highstate • saltutil.sync_modules • saltutil.sync_all Note that a module's default name is its filename (i.e. foo.py becomes module foo), but that its name can be overridden by using a __virtual__ function. If a Salt module has errors and cannot be imported, the Salt minion will continue to load without issue and the module with errors will simply be omitted. If adding a Cython module the file must be named <modulename>.pyx so that the loader knows that the module needs to be imported as a Cython module. The compilation of the Cython module is automatic and happens when the minion starts, so only the *.pyx file is required. Zip Archives as Modules Python 2.3 and higher allows developers to directly import zip archives containing Python code. By setting enable_zip_modules to True in the minion config, the Salt loader will be able to import .zip files in this fashion. This allows Salt module developers to package dependencies with their modules for ease of deployment, isolation, etc. For a user, Zip Archive modules behave just like other modules. When executing a function from a module provided as the file my_module.zip, a user would call a function within that module as my_module.<function>. Creating a Zip Archive Module A Zip Archive module is structured similarly to a simple Python package. The .zip file contains a single directory with the same name as the module. The module code traditionally in <module_name>.py goes in <module_name>/__init__.py. The dependency packages are subdirectories of <module_name>/. Here is an example directory structure for the lumberjack module, which has two library dependencies (sleep and work) to be included. modules $ ls -R lumberjack __init__.py sleep work lumberjack/sleep: __init__.py lumberjack/work: __init__.py The contents of lumberjack/__init__.py show how to import and use these included libraries. # Libraries included in lumberjack.zip from lumberjack import sleep, work def is_ok(person): ''' Checks whether a person is really a lumberjack ''' return sleep.all_night(person) and work.all_day(person) Then, create the zip: modules $ zip -r lumberjack lumberjack adding: lumberjack/ (stored 0%) adding: lumberjack/__init__.py (deflated 39%) adding: lumberjack/sleep/ (stored 0%) adding: lumberjack/sleep/__init__.py (deflated 7%) adding: lumberjack/work/ (stored 0%) adding: lumberjack/work/__init__.py (deflated 7%) modules $ unzip -l lumberjack.zip Archive: lumberjack.zip Length Date Time Name -------- ---- ---- ---- 0 08-21-15 20:08 lumberjack/ 348 08-21-15 20:08 lumberjack/__init__.py 0 08-21-15 19:53 lumberjack/sleep/ 83 08-21-15 19:53 lumberjack/sleep/__init__.py 0 08-21-15 19:53 lumberjack/work/ 81 08-21-15 19:21 lumberjack/work/__init__.py -------- ------- 512 6 files Once placed in file_roots, Salt users can distribute and use lumberjack.zip like any other module. $ sudo salt minion1 saltutil.sync_modules minion1: - modules.lumberjack $ sudo salt minion1 lumberjack.is_ok 'Michael Palin' minion1: True Cross Calling Execution Modules All of the Salt execution modules are available to each other and modules can call functions available in other execution modules. The variable __salt__ is packed into the modules after they are loaded into the Salt minion. The __salt__ variable is a Python dictionary containing all of the Salt functions. Dictionary keys are strings representing the names of the modules and the values are the functions themselves. Salt modules can be cross-called by accessing the value in the __salt__ dict: def foo(bar): return __salt__['cmd.run'](bar) This code will call the run function in the cmd module and pass the argument bar to it. Preloaded Execution Module Data When interacting with execution modules often it is nice to be able to read information dynamically about the minion or to load in configuration parameters for a module. Salt allows for different types of data to be loaded into the modules by the minion. Grains Data The values detected by the Salt Grains on the minion are available in a dict named __grains__ and can be accessed from within callable objects in the Python modules. To see the contents of the grains dictionary for a given system in your deployment run the grains.items() function: salt 'hostname' grains.items --output=pprint Any value in a grains dictionary can be accessed as any other Python dictionary. For example, the grain representing the minion ID is stored in the id key and from an execution module, the value would be stored in __grains__['id']. Module Configuration Since parameters for configuring a module may be desired, Salt allows for configuration information from the minion configuration file to be passed to execution modules. Since the minion configuration file is a YAML document, arbitrary configuration data can be passed in the minion config that is read by the modules. It is therefore strongly recommended that the values passed in the configuration file match the module name. A value intended for the test execution module should be named test.<value>. The test execution module contains usage of the module configuration and the default configuration file for the minion contains the information and format used to pass data to the modules. salt.modules.test, conf/minion. Printout Configuration Since execution module functions can return different data, and the way the data is printed can greatly change the presentation, Salt has a printout configuration. When writing a module the __outputter__ dictionary can be declared in the module. The __outputter__ dictionary contains a mapping of function name to Salt Outputter. __outputter__ = { 'run': 'txt' } This will ensure that the text outputter is used. Virtual Modules Virtual modules let you override the name of a module in order to use the same name to refer to one of several similar modules. The specific module that is loaded for a virtual name is selected based on the current platform or environment. For example, packages are managed across platforms using the pkg module. pkg is a virtual module name that is an alias for the specific package manager module that is loaded on a specific system (for example, yumpkg on RHEL/CentOS systems , and aptpkg on Ubuntu). Virtual module names are set using the __virtual__ function and the virtual name. __virtual__ Function The __virtual__ function returns either a string, True, False, or False with an error string. If a string is returned then the module is loaded using the name of the string as the virtual name. If True is returned the module is loaded using the current module name. If False is returned the module is not loaded. False lets the module perform system checks and prevent loading if dependencies are not met. Since __virtual__ is called before the module is loaded, __salt__ will be unavailable as it will not have been packed into the module at this point in time. NOTE: Modules which return a string from __virtual__ that is already used by a module that ships with Salt will _override_ the stock module. Returning Error Information from __virtual__ Optionally, Salt plugin modules, such as execution, state, returner, beacon, etc. modules may additionally return a string containing the reason that a module could not be loaded. For example, an execution module called cheese and a corresponding state module also called cheese, both depending on a utility called enzymes should have __virtual__ functions that handle the case when the dependency is unavailable. ''' Cheese execution (or returner/beacon/etc.) module ''' try: import enzymes HAS_ENZYMES = True except ImportError: HAS_ENZYMES = False def __virtual__(): ''' only load cheese if enzymes are available ''' if HAS_ENZYMES: return 'cheese' else: return (False, 'The cheese execution module cannot be loaded: enzymes unavailable.') ''' Cheese state module ''' def __virtual__(): ''' only load cheese if enzymes are available ''' # predicate loading of the cheese state on the corresponding execution module if 'cheese.slice' in __salt__: return 'cheese' else: return (False, 'The cheese state module cannot be loaded: enzymes unavailable.') Examples The package manager modules are among the best examples of using the __virtual__ function. Some examples: • pacman.py • yumpkg.py • aptpkg.py • at.py __virtualname__ __virtualname__ is a variable that is used by the documentation build system to know the virtual name of a module without calling the __virtual__ function. Modules that return a string from the __virtual__ function must also set the __virtualname__ variable. To avoid setting the virtual name string twice, you can implement __virtual__ to return the value set for __virtualname__ using a pattern similar to the following: # Define the module's virtual name __virtualname__ = 'pkg' def __virtual__(): ''' Confine this module to Mac OS with Homebrew. ''' if salt.utils.which('brew') and __grains__['os'] == 'MacOS': return __virtualname__ return False Documentation Salt execution modules are documented. The sys.doc() function will return the documentation for all available modules: salt '*' sys.doc The sys.doc function simply prints out the docstrings found in the modules; when writing Salt execution modules, please follow the formatting conventions for docstrings as they appear in the other modules. Adding Documentation to Salt Modules It is strongly suggested that all Salt modules have documentation added. To add documentation add a Python docstring to the function. def spam(eggs): ''' A function to make some spam with eggs! CLI Example:: salt '*' test.spam eggs ''' return eggs Now when the sys.doc call is executed the docstring will be cleanly returned to the calling terminal. Documentation added to execution modules in docstrings will automatically be added to the online web-based documentation. Add Execution Module Metadata When writing a Python docstring for an execution module, add information about the module using the following field lists: :maintainer: Thomas Hatch <thatch@saltstack.com, Seth House <shouse@saltstack.com> :maturity: new :depends: python-mysqldb :platform: all The maintainer field is a comma-delimited list of developers who help maintain this module. The maturity field indicates the level of quality and testing for this module. Standard labels will be determined. The depends field is a comma-delimited list of modules that this module depends on. The platform field is a comma-delimited list of platforms that this module is known to run on. Log Output You can call the logger from custom modules to write messages to the minion logs. The following code snippet demonstrates writing log messages: import logging log = logging.getLogger(__name__) log.info('Here is Some Information') log.warning('You Should Not Do That') log.error('It Is Busted') Private Functions In Salt, Python callable objects contained within an execution module are made available to the Salt minion for use. The only exception to this rule is a callable object with a name starting with an underscore _. Objects Loaded Into the Salt Minion def foo(bar): return bar class baz: def __init__(self, quo): pass Objects NOT Loaded into the Salt Minion def _foobar(baz): # Preceded with an _ return baz cheese = {} # Not a callable Python object NOTE: Some callable names also end with an underscore _, to avoid keyword clashes with Python keywords. When using execution modules, or state modules, with these in them the trailing underscore should be omitted. Useful Decorators for Modules Depends Decorator When writing execution modules there are many times where some of the module will work on all hosts but some functions have an external dependency, such as a service that needs to be installed or a binary that needs to be present on the system. Instead of trying to wrap much of the code in large try/except blocks, a decorator can be used. If the dependencies passed to the decorator don't exist, then the salt minion will remove those functions from the module on that host. If a "fallback_function" is defined, it will replace the function instead of removing it import logging from salt.utils.decorators import depends log = logging.getLogger(__name__) try: import dependency_that_sometimes_exists except ImportError as e: log.trace('Failed to import dependency_that_sometimes_exists: {0}'.format(e)) @depends('dependency_that_sometimes_exists') def foo(): ''' Function with a dependency on the "dependency_that_sometimes_exists" module, if the "dependency_that_sometimes_exists" is missing this function will not exist ''' return True def _fallback(): ''' Fallback function for the depends decorator to replace a function with ''' return '"dependency_that_sometimes_exists" needs to be installed for this function to exist' @depends('dependency_that_sometimes_exists', fallback_function=_fallback) def foo(): ''' Function with a dependency on the "dependency_that_sometimes_exists" module. If the "dependency_that_sometimes_exists" is missing this function will be replaced with "_fallback" ''' return True In addition to global dependencies the depends decorator also supports raw booleans. from salt.utils.decorators import depends HAS_DEP = False try: import dependency_that_sometimes_exists HAS_DEP = True except ImportError: pass @depends(HAS_DEP) def foo(): return True Master Tops Salt includes a number of built-in subsystems to generate top file data, they are listed listed at all-salt.tops. The source for the built-in Salt master tops can be found here: https://github.com/saltstack/salt/blob/develop/salt/tops Full list of builtin master tops modules ┌────────────────┬──────────────────────────────────┐ │cobbler │ Cobbler Tops │ ├────────────────┼──────────────────────────────────┤ │ext_nodes │ External Nodes Classifier │ ├────────────────┼──────────────────────────────────┤ │mongo │ Read tops data from a mongodb │ │ │ collection │ ├────────────────┼──────────────────────────────────┤ │reclass_adapter │ Read tops data from a reclass │ │ │ database │ └────────────────┴──────────────────────────────────┘ salt.tops.cobbler Cobbler Tops Cobbler Tops is a master tops subsystem used to look up mapping information from Cobbler via its API. The same cobbler.* parameters are used for both the Cobbler tops and Cobbler pillar modules. master_tops: cobbler: {} cobbler.url: https://example.com/cobbler_api #default is http://localhost/cobbler_api cobbler.user: username # default is no username cobbler.password: password # default is no password Module Documentation salt.tops.cobbler.top(**kwargs) Look up top data in Cobbler for a minion. salt.tops.ext_nodes External Nodes Classifier The External Nodes Classifier is a master tops subsystem that retrieves mapping information from major configuration management systems. One of the most common external nodes classifiers system is provided by Cobbler and is called cobbler-ext-nodes. The cobbler-ext-nodes command can be used with this configuration: master_tops: ext_nodes: cobbler-ext-nodes It is noteworthy that the Salt system does not directly ingest the data sent from the cobbler-ext-nodes command, but converts the data into information that is used by a Salt top file. Any command can replace the call to 'cobbler-ext-nodes' above, but currently the data must be formatted in the same way that the standard 'cobbler-ext-nodes' does. See (admittedly degenerate and probably not complete) example: classes: - basepackages - database The above essentially is the same as a top.sls containing the following: base: '*': - basepackages - database base: '*': - basepackages - database salt.tops.ext_nodes.top(**kwargs) Run the command configured salt.tops.mongo Read tops data from a mongodb collection This module will load tops data from a mongo collection. It uses the node's id for lookups. Salt Master Mongo Configuration The module shares the same base mongo connection variables as salt.returners.mongo_return. These variables go in your master config file. • mongo.db - The mongo database to connect to. Defaults to 'salt'. • mongo.host - The mongo host to connect to. Supports replica sets by specifying all hosts in the set, comma-delimited. Defaults to 'salt'. • mongo.port - The port that the mongo database is running on. Defaults to 27017. • mongo.user - The username for connecting to mongo. Only required if you are using mongo authentication. Defaults to ''. • mongo.password - The password for connecting to mongo. Only required if you are using mongo authentication. Defaults to ''. Configuring the Mongo Tops Subsystem master_tops: mongo: collection: tops id_field: _id re_replace: "" re_pattern: \.example\.com states_field: states environment_field: environment Module Documentation salt.tops.mongo.top(**kwargs) Connect to a mongo database and read per-node tops data. Parameters: • collection: The mongodb collection to read data from. Defaults to 'tops'. • id_field: The field in the collection that represents an individual minion id. Defaults to '_id'. • re_pattern: If your naming convention in the collection is shorter than the minion id, you can use this to trim the name. re_pattern will be used to match the name, and re_replace will be used to replace it. Backrefs are supported as they are in the Python standard library. If None, no mangling of the name will be performed - the collection will be searched with the entire minion id. Defaults to None. • re_replace: Use as the replacement value in node ids matched with re_pattern. Defaults to ''. Feel free to use backreferences here. • states_field: The name of the field providing a list of states. • environment_field: The name of the field providing the environment. Defaults to environment. salt.tops.reclass_adapter Read tops data from a reclass database This master_tops plugin provides access to the reclass database, such that state information (top data) are retrieved from reclass. You can find more information about reclass at http://reclass.pantsfullofunix.net. To use the plugin, add it to the master_tops list in the Salt master config and tell reclass by way of a few options how and where to find the inventory: master_tops: reclass: storage_type: yaml_fs inventory_base_uri: /srv/salt This would cause reclass to read the inventory from YAML files in /srv/salt/nodes and /srv/salt/classes. If you are also using reclass as ext_pillar plugin, and you want to avoid having to specify the same information for both, use YAML anchors (take note of the differing data types for ext_pillar and master_tops): reclass: &reclass storage_type: yaml_fs inventory_base_uri: /srv/salt reclass_source_path: ~/code/reclass ext_pillar: - reclass: *reclass master_tops: reclass: *reclass If you want to run reclass from source, rather than installing it, you can either let the master know via the PYTHONPATH environment variable, or by setting the configuration option, like in the example above. salt.tops.reclass_adapter.top(**kwargs) Query reclass for the top data (states of the minions). Full list of builtin wheel modules ┌─────────────┬──────────────────────────────────┐ │config │ Manage the master configuration │ │ │ file │ ├─────────────┼──────────────────────────────────┤ │error │ Error generator to enable │ │ │ integration testing of salt │ │ │ wheel error handling │ ├─────────────┼──────────────────────────────────┤ │file_roots │ Read in files from the file_root │ │ │ and save files to the file root │ ├─────────────┼──────────────────────────────────┤ │key │ Wheel system wrapper for key │ │ │ system │ ├─────────────┼──────────────────────────────────┤ │minions │ Wheel system wrapper for │ │ │ connected minions │ ├─────────────┼──────────────────────────────────┤ │pillar_roots │ The pillar_roots wheel module is │ │ │ used to manage files under the │ │ │ pillar roots directories on the │ │ │ master server. │ └─────────────┴──────────────────────────────────┘ salt.wheel.config Manage the master configuration file salt.wheel.config.apply(key, value) Set a single key NOTE: This will strip comments from your config file salt.wheel.config.update_config(file_name, yaml_contents) Update master config with yaml_contents. Writes yaml_contents to a file named file_name.conf under the folder specified by default_include. This folder is named master.d by default. Please look at include-configuration for more information. Example low data: data = { 'username': 'salt', 'password': 'salt', 'fun': 'config.update_config', 'file_name': 'gui', 'yaml_contents': {'id': 1}, 'client': 'wheel', 'eauth': 'pam', } salt.wheel.config.values() Return the raw values of the config file salt.wheel.error Error generator to enable integration testing of salt wheel error handling salt.wheel.error.error(name=None, message='') If name is None Then return empty dict Otherwise raise an exception with __name__ from name, message from message CLI Example: salt-wheel error salt-wheel error.error name="Exception" message="This is an error." salt.wheel.file_roots Read in files from the file_root and save files to the file root salt.wheel.file_roots.find(path, saltenv='base', env=None) Return a dict of the files located with the given path and environment salt.wheel.file_roots.list_env(saltenv='base', env=None) Return all of the file paths found in an environment salt.wheel.file_roots.list_roots() Return all of the files names in all available environments salt.wheel.file_roots.read(path, saltenv='base', env=None) Read the contents of a text file, if the file is binary then salt.wheel.file_roots.write(data, path, saltenv='base', index=0, env=None) Write the named file, by default the first file found is written, but the index of the file can be specified to write to a lower priority file root salt.wheel.key Wheel system wrapper for key system salt.wheel.key.accept(match) Accept keys based on a glob match salt.wheel.key.accept_dict(match) Accept keys based on a dict of keys Example to move a list of keys from the minions_pre (pending) directory to the minions (accepted) directory: { 'minions_pre': [ 'jerry', 'stuart', 'bob', ], } salt.wheel.key.delete(match) Delete keys based on a glob match salt.wheel.key.delete_dict(match) Delete keys based on a dict of keys salt.wheel.key.finger(match) Return the matching key fingerprints salt.wheel.key.gen(id_=None, keysize=2048) Generate a key pair. No keys are stored on the master, a keypair is returned as a dict containing pub and priv keys salt.wheel.key.gen_accept(id_, keysize=2048, force=False) Generate a key pair then accept the public key. This function returns the key pair in a dict, only the public key is preserved on the master. salt.wheel.key.key_str(match) Return the key strings salt.wheel.key.list(match) List all the keys under a named status salt.wheel.key.list_all() List all the keys salt.wheel.key.reject(match) Reject keys based on a glob match salt.wheel.key.reject_dict(match) Reject keys based on a dict of keys salt.wheel.minions Wheel system wrapper for connected minions salt.wheel.minions.connected() List all connected minions on a salt-master salt.wheel.pillar_roots The pillar_roots wheel module is used to manage files under the pillar roots directories on the master server. salt.wheel.pillar_roots.find(path, saltenv='base', env=None) Return a dict of the files located with the given path and environment salt.wheel.pillar_roots.list_env(saltenv='base', env=None) Return all of the file paths found in an environment salt.wheel.pillar_roots.list_roots() Return all of the files names in all available environments salt.wheel.pillar_roots.read(path, saltenv='base', env=None) Read the contents of a text file, if the file is binary then salt.wheel.pillar_roots.write(data, path, saltenv='base', index=0, env=None) Write the named file, by default the first file found is written, but the index of the file can be specified to write to a lower priority file root Full list of builtin beacon modules ┌───────────────┬──────────────────────────────────┐ │btmp │ Beacon to fire events at failed │ │ │ login of users │ ├───────────────┼──────────────────────────────────┤ │diskusage │ Beacon to monitor disk usage. │ ├───────────────┼──────────────────────────────────┤ │inotify │ Watch files and translate the │ │ │ changes into salt events │ ├───────────────┼──────────────────────────────────┤ │journald │ A simple beacon to watch │ │ │ journald for specific entries │ ├───────────────┼──────────────────────────────────┤ │load │ Beacon to emit system load │ │ │ averages │ ├───────────────┼──────────────────────────────────┤ │network_info │ Beacon to monitor statistics │ │ │ from ethernet adapters │ ├───────────────┼──────────────────────────────────┤ │ps │ Send events covering service │ │ │ status │ ├───────────────┼──────────────────────────────────┤ │service │ Send events covering service │ │ │ status │ ├───────────────┼──────────────────────────────────┤ │sh │ Watch the shell commands being │ │ │ executed actively. │ ├───────────────┼──────────────────────────────────┤ │twilio_txt_msg │ Beacon to emit Twilio text │ │ │ messages │ ├───────────────┼──────────────────────────────────┤ │wtmp │ Beacon to fire events at login │ │ │ of users as registered in the │ │ │ wtmp file │ └───────────────┴──────────────────────────────────┘ salt.beacons.btmp Beacon to fire events at failed login of users beacons: btmp: {} salt.beacons.btmp.beacon(config) Read the last btmp file and return information on the failed logins beacons: btmp: {} salt.beacons.btmp.validate(config) Validate the beacon configuration salt.beacons.diskusage Beacon to monitor disk usage. New in version 2015.5.0. depends python-psutil salt.beacons.diskusage.beacon(config) Monitor the disk usage of the minion Specify thresholds for each disk and only emit a beacon if any of them are exceeded. beacons: diskusage: - /: 63% - /mnt/nfs: 50% salt.beacons.diskusage.validate(config) Validate the beacon configuration salt.beacons.inotify Watch files and translate the changes into salt events depends • pyinotify Python module >= 0.9.5 Caution Using generic mask options like open, access, ignored, and closed_nowrite with reactors can easily cause the reactor to loop on itself. To mitigate this behavior, consider setting the disable_during_state_run flag to True in the beacon configuration. salt.beacons.inotify.beacon(config) Watch the configured files Example Config beacons: inotify: /path/to/file/or/dir: mask: - open - create - close_write recurse: True auto_add: True The mask list can contain the following events (the default mask is create, delete, and modify): • access File accessed • attrib File metadata changed • close_nowrite Unwritable file closed • close_write Writable file closed • create File created in watched directory • delete File deleted from watched directory • delete_self Watched file or directory deleted • modify File modified • moved_from File moved out of watched directory • moved_to File moved into watched directory • move_self Watched file moved • open File opened The mask can also contain the following options: • dont_follow Don't dereference symbolic links • excl_unlink Omit events for children after they have been unlinked • oneshot Remove watch after one event • onlydir Operate only if name is directory recurse: Recursively watch files in the directory auto_add: Automatically start watching files that are created in the watched directory salt.beacons.inotify.validate(config) Validate the beacon configuration salt.beacons.journald A simple beacon to watch journald for specific entries salt.beacons.journald.beacon(config) The journald beacon allows for the systemd journal to be parsed and linked objects to be turned into events. This beacons config will return all sshd jornal entries beacons: journald: sshd: SYSLOG_IDENTIFIER: sshd PRIORITY: 6 salt.beacons.journald.validate(config) Validate the beacon configuration salt.beacons.load Beacon to emit system load averages salt.beacons.load.beacon(config) Emit the load averages of this host. Specify thresholds for each load average and only emit a beacon if any of them are exceeded. beacons: load: 1m: - 0.0 - 2.0 5m: - 0.0 - 1.5 15m: - 0.1 - 1.0 salt.beacons.load.validate(config) Validate the beacon configuration salt.beacons.network_info Beacon to monitor statistics from ethernet adapters New in version 2015.5.0. salt.beacons.network_info.beacon(config) Emit the network statistics of this host. Specify thresholds for each network stat and only emit a beacon if any of them are exceeded. Emit beacon when any values are equal to configured values. beacons: network_info: eth0: - type: equal - bytes_sent: 100000 - bytes_recv: 100000 - packets_sent: 100000 - packets_recv: 100000 - errin: 100 - errout: 100 - dropin: 100 - dropout: 100 Emit beacon when any values are greater than to configured values. beacons: network_info: eth0: - type: greater - bytes_sent: 100000 - bytes_recv: 100000 - packets_sent: 100000 - packets_recv: 100000 - errin: 100 - errout: 100 - dropin: 100 - dropout: 100 salt.beacons.network_info.validate(config) Validate the beacon configuration salt.beacons.ps module Send events covering service status salt.beacons.ps.beacon(config) Scan for processes and fire events Example Config beacons: ps: salt-master: running mysql: stopped The config above sets up beacons to check that processes are running or stopped. salt.beacons.ps.validate(config) Validate the beacon configuration salt.beacons.service Send events covering service status salt.beacons.service.beacon(config) Scan for the configured services and fire events Example Config beacons: service: salt-master: mysql: The config above sets up beacons to check for the salt-master and mysql services. The config also supports two other parameters for each service: onchangeonly: when onchangeonly is True the beacon will fire events only when the service status changes. Otherwise, it will fire an event at each beacon interval. The default is False. uncleanshutdown: If uncleanshutdown is present it should point to the location of a pid file for the service. Most services will not clean up this pid file if they are shutdown uncleanly (e.g. via kill -9) or if they are terminated through a crash such as a segmentation fault. If the file is present, then the beacon will add uncleanshutdown: True to the event. If not present, the field will be False. The field is only added when the service is NOT running. Omitting the configuration variable altogether will turn this feature off. Please note that some init systems can remove the pid file if the service registers as crashed. One such example is nginx on CentOS 7, where the service unit removes the pid file when the service shuts down (IE: the pid file is observed as removed when kill -9 is sent to the nginx master process). The 'uncleanshutdown' option might not be of much use there, unless the unit file is modified. Here is an example that will fire an event whenever the state of nginx changes and report an uncleanshutdown. This example is for Arch, which places nginx's pid file in /run. beacons: service: nginx: onchangeonly: True uncleanshutdown: /run/nginx.pid salt.beacons.service.validate(config) Validate the beacon configuration salt.beacons.sh Watch the shell commands being executed actively. This beacon requires strace. salt.beacons.sh.beacon(config) Scan the shell execve routines. This beacon will convert all login shells beacons: sh: {} salt.beacons.sh.validate(config) Validate the beacon configuration salt.beacons.twilio_txt_msg Beacon to emit Twilio text messages salt.beacons.twilio_txt_msg.beacon(config) Emit a dict name "texts" whose value is a list of texts. beacons: twilio_txt_msg: account_sid: "<account sid>" auth_token: "<auth token>" twilio_number: "+15555555555" interval: 10 salt.beacons.twilio_txt_msg.validate(config) Validate the beacon configuration salt.beacons.wtmp Beacon to fire events at login of users as registered in the wtmp file beacons: wtmp: {} salt.beacons.wtmp.beacon(config) Read the last wtmp file and return information on the logins beacons: wtmp: {} salt.beacons.wtmp.validate(config) Validate the beacon configuration Full list of builtin engine modules ┌───────────┬──────────────────────────────────┐ │logstash │ An engine that reads messages │ │ │ from the salt event bus and │ │ │ pushes them onto a logstash │ │ │ endpoint. │ ├───────────┼──────────────────────────────────┤ │sqs_events │ An engine that continuously │ │ │ reads messages from SQS and │ │ │ fires them as events. │ ├───────────┼──────────────────────────────────┤ │test │ A simple test engine, not │ │ │ intended for real use but as an │ │ │ example │ └───────────┴──────────────────────────────────┘ salt.engines.logstash An engine that reads messages from the salt event bus and pushes them onto a logstash endpoint. configuration Example configuration engines: • logstash: host: log.my_network.com port: 5959 depends logstash salt.engines.logstash.start(host, port=5959, tag='salt/engine/logstash') Listen to salt events and forward them to logstash salt.engines.sqs_events An engine that continuously reads messages from SQS and fires them as events. Note that long polling is utilized to avoid excessive CPU usage. New in version 2015.8.0. configuration This engine can be run on the master or on a minion. Example Config: engines: • sqs_events: queue: test profile: my-sqs-profile #optional Explicit sqs credentials are accepted but this engine can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html If IAM roles are not used you need to specify them either in a pillar or in the config file of the master or minion, as appropriate: sqs.keyid: GKTADJGHEIQSXMKKRBJ08H sqs.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs A region may also be specified in the configuration: sqs.region: us-east-1 If a region is not specified, the default is us-east-1. It's also possible to specify key, keyid and region via a profile: myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 depends boto salt.engines.sqs_events.start(queue, profile=None, tag='salt/engine/sqs') Listen to events and write them to a log file salt.engines.test A simple test engine, not intended for real use but as an example salt.engines.test.start() Listen to events and write them to a log file Full list of builtin sdb modules ┌───────────┬─────────────────────────┐ │couchdb │ CouchDB sdb Module │ ├───────────┼─────────────────────────┤ │etcd_db │ etcd Database Module │ ├───────────┼─────────────────────────┤ │keyring_db │ Keyring Database Module │ ├───────────┼─────────────────────────┤ │memcached │ Memcached sdb Module │ ├───────────┼─────────────────────────┤ │sqlite3 │ SQLite sdb Module │ └───────────┴─────────────────────────┘ salt.sdb.couchdb CouchDB sdb Module maintainer SaltStack maturity New depends python2-couchdb platform all This allow interaction between Salt and a CouchDB [couchdb.apache.org] database. It uses salt's sdb system to allow for inserts and retrevals using the sdb:// prefix in salt configuration files. To use the couchbase sdb module, it must first be configured in the salt master or minion config. The following arguments are required: couchdb_sdb: driver: couchdb host: localhost port: 5984 database: salt_sdb One could then query the CouchDB instance via an sdb:// URI such as the following: password: sdb://couchdb_sdb/mykey To use this interface, you must track IDs on your own or have another source to do the map-reduce logic necessary to calculate the ID you wish to fetch. Additional contributions to build true map-reduce functionality into this module would be welcome. salt.sdb.couchdb.get(key, profile=None) Get a value from couchdb by id salt.sdb.couchdb.set(key, value, profile=None) Set a key/value pair in couchdb salt.sdb.etcd_db etcd Database Module maintainer SaltStack maturity New depends python-etcd platform all New in version 2015.5.0. This module allows access to the etcd database using an sdb:// URI. This package is located at https://pypi.python.org/pypi/python-etcd. Like all sdb modules, the etcd module requires a configuration profile to be configured in either the minion or master configuration file. This profile requires very little. In the example: myetcd: driver: etcd etcd.host: 127.0.0.1 etcd.port: 4001 The driver refers to the etcd module, etcd.host refers to the host that is hosting the etcd database and etcd.port refers to the port on that host. password: sdb://myetcd/mypassword salt.sdb.etcd_db.get(key, service=None, profile=None) Get a value from the etcd service salt.sdb.etcd_db.set(key, value, service=None, profile=None) Set a key/value pair in the etcd service salt.sdb.keyring_db Keyring Database Module maintainer SaltStack maturity New depends keyring platform all This module allows access to the keyring package using an sdb:// URI. This package is located at https://pypi.python.org/pypi/keyring. Care must be taken when using keyring. Not all keyend backends are supported on all operating systems. Also, many backends require an agent to be running in order to work. For instance, the "Secret Service" backend requires a compatible agent such as gnome-keyring-daemon or kwallet to be running. The keyczar backend does not seem to enjoy the benefits of an agent, and so using it will require either that the password is typed in manually (which is unreasonable for the salt-minion and salt-master daemons, especially in production) or an agent is written for it. Like all sdb modules, the keyring module requires a configuration profile to be configured in either the minion or master configuration file. This profile requires very little. In the example: mykeyring: driver: keyring service: system The driver refers to the keyring module, service refers to the service that will be used inside of keyring (which may be likened unto a database table) and mykeyring refers to the name that will appear in the URI: password: sdb://mykeyring/mypassword The underlying backend configuration must be configured via keyring itself. For examples and documentation, see keyring: https://pypi.python.org/pypi/keyring New in version 2014.1.4. salt.sdb.keyring_db.get(key, service=None, profile=None) Get a value from a keyring service salt.sdb.keyring_db.set(key, value, service=None, profile=None) Set a key/value pair in a keyring service salt.sdb.memcached Memcached sdb Module maintainer SaltStack maturity New depends python-memcached platform all This module allows access to memcached using an sdb:// URI. This package is located at https://pypi.python.org/pypi/python-memcached. Like all sdb modules, the memcached module requires a configuration profile to be configured in either the minion or master configuration file. This profile requires very little. In the example: mymemcache: driver: memcached host: localhost port: 11211 The driver refers to the memcached module, host and port the memcached server to connect to (defaults to localhost and 11211, and mymemcached refers to the name that will appear in the URI: password: sdb://mymemcached/mykey salt.sdb.memcached.get(key, profile=None) Get a value from memcached salt.sdb.memcached.set(key, value, profile=None) Set a key/value pair in memcached salt.sdb.sqlite3 SQLite sdb Module maintainer SaltStack maturity New platform all This module allows access to sqlite3 using an sdb:// URI Like all sdb modules, the sqlite3 module requires a configuration profile to be configured in either the minion or master configuration file. This profile requires very little. For example: mysqlite: driver: sqlite3 database: /tmp/sdb.sqlite table: sdb create_table: True The driver refers to the sqlite3 module, database refers to the sqlite3 database file. table is the table within the db that will hold keys and values (defaults to sdb). The database and table will be created if they do not exist. Advanced Usage: Instead of a table name, it is possible to provide custom SQL statements to create the table(s) and get and set values. salt.sdb.sqlite3.get(key, profile=None) Get a value from sqlite3 salt.sdb.sqlite3.set(key, value, profile=None) Set a key/value pair in sqlite3 Full list of builtin serializers ┌────────┬──────────────────────────┐ │json │ salt.serializers.json │ ├────────┼──────────────────────────┤ │msgpack │ salt.serializers.msgpack │ ├────────┼──────────────────────────┤ │yaml │ salt.serializers.yaml │ ├────────┼──────────────────────────┤ │yamlex │ salt.serializers.yamlex │ └────────┴──────────────────────────┘ salt.serializers.json salt.serializers.json Implements JSON serializer. It's just a wrapper around json (or simplejson if available). salt.serializers.json.deserialize(stream_or_string, **options) Deserialize any string of stream like object into a Python data structure. Parameters • stream_or_string -- stream or string to deserialize. • options -- options given to lower json/simplejson module. salt.serializers.json.serialize(obj, **options) Serialize Python data to JSON. Parameters • obj -- the data structure to serialize • options -- options given to lower json/simplejson module. salt.serializers.msgpack salt.serializers.msgpack Implements MsgPack serializer. salt.serializers.msgpack.deserialize(stream_or_string, **options) Deserialize any string of stream like object into a Python data structure. Parameters • stream_or_string -- stream or string to deserialize. • options -- options given to lower msgpack module. salt.serializers.msgpack.serialize(obj, **options) Serialize Python data to MsgPack. Parameters • obj -- the data structure to serialize • options -- options given to lower msgpack module. salt.serializers.yaml salt.serializers.yaml Implements YAML serializer. Underneath, it is based on pyyaml and use the safe dumper and loader. It also use C bindings if they are available. salt.serializers.yaml.deserialize(stream_or_string, **options) Deserialize any string of stream like object into a Python data structure. Parameters • stream_or_string -- stream or string to deserialize. • options -- options given to lower yaml module. salt.serializers.yaml.serialize(obj, **options) Serialize Python data to YAML. Parameters • obj -- the data structure to serialize • options -- options given to lower yaml module. salt.serializers.yamlex salt.serializers.yamlex YAMLEX is a format that allows for things like sls files to be more intuitive. It's an extension of YAML that implements all the salt magic: - it implies omap for any dict like. - it implies that string like data are str, not unicode - ... For example, the file states.sls has this contents: foo: bar: 42 baz: [1, 2, 3] The file can be parsed into Python like this from salt.serializers import yamlex with open('state.sls', 'r') as stream: obj = yamlex.deserialize(stream) Check that obj is an OrderedDict from salt.utils.odict import OrderedDict assert isinstance(obj, dict) assert isinstance(obj, OrderedDict) yamlex __repr__ and __str__ objects' methods render YAML understandable string. It means that they are template friendly. print '{0}'.format(obj) returns: {foo: {bar: 42, baz: [1, 2, 3]}} and they are still valid YAML: from salt.serializers import yaml yml_obj = yaml.deserialize(str(obj)) assert yml_obj == obj yamlex implements also custom tags: !aggregate this tag allows structures aggregation. For example: placeholder: !aggregate foo placeholder: !aggregate bar placeholder: !aggregate baz is rendered as placeholder: [foo, bar, baz] !reset this tag flushes the computing value. placeholder: {!aggregate foo: {foo: 42}} placeholder: {!aggregate foo: {bar: null}} !reset placeholder: {!aggregate foo: {baz: inga}} is roughly equivalent to placeholder: {!aggregate foo: {baz: inga}} Document is defacto an aggregate mapping. salt.serializers.yamlex.deserialize(stream_or_string, **options) Deserialize any string of stream like object into a Python data structure. Parameters • stream_or_string -- stream or string to deserialize. • options -- options given to lower yaml module. salt.serializers.yamlex.serialize(obj, **options) Serialize Python data to YAML. Parameters • obj -- the data structure to serialize • options -- options given to lower yaml module. Full list of builtin queues ┌─────────────┬──────────────────────────┐ │sqlite_queue │ New in version 2014.7.0. │ └─────────────┴──────────────────────────┘ salt.queues.sqlite_queue module New in version 2014.7.0. This is the default local master event queue built on sqlite. By default, an sqlite3 database file is created in the sqlite_queue_dir which is found at: /var/cache/salt/master/queues It's possible to store the sqlite3 database files by setting sqlite_queue_dir to another location: sqlite_queue_dir: /home/myuser/salt/master/queues salt.queues.sqlite_queue.delete(queue, items) Delete an item or items from a queue salt.queues.sqlite_queue.insert(queue, items) Add an item or items to a queue salt.queues.sqlite_queue.list_items(queue) List contents of a queue salt.queues.sqlite_queue.list_length(queue) Provide the number of items in a queue salt.queues.sqlite_queue.list_queues() Return a list of Salt Queues on the Salt Master salt.queues.sqlite_queue.pop(queue, quantity=1) Pop one or more or all items from the queue return them.
SALT BEST PRACTICES
Salt's extreme flexibility leads to many questions concerning the structure of configuration files. This document exists to clarify these points through examples and code. General rules 1. Modularity and clarity should be emphasized whenever possible. 2. Create clear relations between pillars and states. 3. Use variables when it makes sense but don't overuse them. 4. Store sensitive data in pillar. 5. Don't use grains for matching in your pillar top file for any sensitive pillars. Structuring States and Formulas When structuring Salt States and Formulas it is important to begin with the directory structure. A proper directory structure clearly defines the functionality of each state to the user via visual inspection of the state's name. Reviewing the MySQL Salt Formula it is clear to see the benefits to the end-user when reviewing a sample of the available states: /srv/salt/mysql/files/ /srv/salt/mysql/client.sls /srv/salt/mysql/map.jinja /srv/salt/mysql/python.sls /srv/salt/mysql/server.sls This directory structure would lead to these states being referenced in a top file in the following way: base: 'web*': - mysql.client - mysql.python 'db*': - mysql.server This clear definition ensures that the user is properly informed of what each state will do. Another example comes from the vim-formula: /srv/salt/vim/files/ /srv/salt/vim/absent.sls /srv/salt/vim/init.sls /srv/salt/vim/map.jinja /srv/salt/vim/nerdtree.sls /srv/salt/vim/pyflakes.sls /srv/salt/vim/salt.sls Once again viewing how this would look in a top file: /srv/salt/top.sls: base: 'web*': - vim - vim.nerdtree - vim.pyflakes - vim.salt 'db*': - vim.absent The usage of a clear top-level directory as well as properly named states reduces the overall complexity and leads a user to both understand what will be included at a glance and where it is located. In addition Formulas should be used as often as possible. NOTE: Formulas repositories on the saltstack-formulas GitHub organization should not be pointed to directly from systems that automatically fetch new updates such as GitFS or similar tooling. Instead formulas repositories should be forked on GitHub or cloned locally, where unintended, automatic changes will not take place. Structuring Pillar Files Pillars are used to store secure and insecure data pertaining to minions. When designing the structure of the /srv/pillar directory, the pillars contained within should once again be focused on clear and concise data which users can easily review, modify, and understand. The /srv/pillar/ directory is primarily controlled by top.sls. It should be noted that the pillar top.sls is not used as a location to declare variables and their values. The top.sls is used as a way to include other pillar files and organize the way they are matched based on environments or grains. An example top.sls may be as simple as the following: /srv/pillar/top.sls: base: '*': - packages Any number of matchers can be added to the base environment. For example, here is an expanded version of the Pillar top file stated above: /srv/pillar/top.sls: base: '*': - packages 'web*': - apache - vim Or an even more complicated example, using a variety of matchers in numerous environments: /srv/pillar/top.sls: base: '*': - apache dev: 'os:Debian': - match: grain - vim test: '* and not G@os: Debian': - match: compound - emacs It is clear to see through these examples how the top file provides users with power but when used incorrectly it can lead to confusing configurations. This is why it is important to understand that the top file for pillar is not used for variable definitions. Each SLS file within the /srv/pillar/ directory should correspond to the states which it matches. This would mean that the apache pillar file should contain data relevant to Apache. Structuring files in this way once again ensures modularity, and creates a consistent understanding throughout our Salt environment. Users can expect that pillar variables found in an Apache state will live inside of an Apache pillar: /srv/pillar/apache.sls: apache: lookup: name: httpd config: tmpl: /etc/httpd/httpd.conf While this pillar file is simple, it shows how a pillar file explicitly relates to the state it is associated with. Variable Flexibility Salt allows users to define variables in SLS files. When creating a state variables should provide users with as much flexibility as possible. This means that variables should be clearly defined and easy to manipulate, and that sane defaults should exist in the event a variable is not properly defined. Looking at several examples shows how these different items can lead to extensive flexibility. Although it is possible to set variables locally, this is generally not preferred: /srv/salt/apache/conf.sls: {% set name = 'httpd' %} {% set tmpl = 'salt://apache/files/httpd.conf' %} include: - apache apache_conf: file.managed: - name: {{ name }} - source: {{ tmpl }} - template: jinja - user: root - watch_in: - service: apache When generating this information it can be easily transitioned to the pillar where data can be overwritten, modified, and applied to multiple states, or locations within a single state: /srv/pillar/apache.sls: apache: lookup: name: httpd config: tmpl: salt://apache/files/httpd.conf /srv/salt/apache/conf.sls: {% from "apache/map.jinja" import apache with context %} include: - apache apache_conf: file.managed: - name: {{ salt['pillar.get']('apache:lookup:name') }} - source: {{ salt['pillar.get']('apache:lookup:config:tmpl') }} - template: jinja - user: root - watch_in: - service: apache This flexibility provides users with a centralized location to modify variables, which is extremely important as an environment grows. Modularity Within States Ensuring that states are modular is one of the key concepts to understand within Salt. When creating a state a user must consider how many times the state could be re-used, and what it relies on to operate. Below are several examples which will iteratively explain how a user can go from a state which is not very modular to one that is: /srv/salt/apache/init.sls: httpd: pkg.installed: [] service.running: - enable: True /etc/httpd/httpd.conf: file.managed: - source: salt://apache/files/httpd.conf - template: jinja - watch_in: - service: httpd The example above is probably the worst-case scenario when writing a state. There is a clear lack of focus by naming both the pkg/service, and managed file directly as the state ID. This would lead to changing multiple requires within this state, as well as others that may depend upon the state. Imagine if a require was used for the httpd package in another state, and then suddenly it's a custom package. Now changes need to be made in multiple locations which increases the complexity and leads to a more error prone configuration. There is also the issue of having the configuration file located in the init, as a user would be unable to simply install the service and use the default conf file. Our second revision begins to address the referencing by using - name, as opposed to direct ID references: /srv/salt/apache/init.sls: apache: pkg.installed: - name: httpd service.running: - name: httpd - enable: True apache_conf: file.managed: - name: /etc/httpd/httpd.conf - source: salt://apache/files/httpd.conf - template: jinja - watch_in: - service: apache The above init file is better than our original, yet it has several issues which lead to a lack of modularity. The first of these problems is the usage of static values for items such as the name of the service, the name of the managed file, and the source of the managed file. When these items are hard coded they become difficult to modify and the opportunity to make mistakes arises. It also leads to multiple edits that need to occur when changing these items (imagine if there were dozens of these occurrences throughout the state!). There is also still the concern of the configuration file data living in the same state as the service and package. In the next example steps will be taken to begin addressing these issues. Starting with the addition of a map.jinja file (as noted in the Formula documentation), and modification of static values: /srv/salt/apache/map.jinja: {% set apache = salt['grains.filter_by']({ 'Debian': { 'server': 'apache2', 'service': 'apache2', 'conf': '/etc/apache2/apache.conf', }, 'RedHat': { 'server': 'httpd', 'service': 'httpd', 'conf': '/etc/httpd/httpd.conf', }, }, merge=salt['pillar.get']('apache:lookup')) %} /srv/pillar/apache.sls: apache: lookup: config: tmpl: salt://apache/files/httpd.conf /srv/salt/apache/init.sls: {% from "apache/map.jinja" import apache with context %} apache: pkg.installed: - name: {{ apache.server }} service.running: - name: {{ apache.service }} - enable: True apache_conf: file.managed: - name: {{ apache.conf }} - source: {{ salt['pillar.get']('apache:lookup:config:tmpl') }} - template: jinja - user: root - watch_in: - service: apache The changes to this state now allow us to easily identify the location of the variables, as well as ensuring they are flexible and easy to modify. While this takes another step in the right direction, it is not yet complete. Suppose the user did not want to use the provided conf file, or even their own configuration file, but the default apache conf. With the current state setup this is not possible. To attain this level of modularity this state will need to be broken into two states. /srv/salt/apache/map.jinja: {% set apache = salt['grains.filter_by']({ 'Debian': { 'server': 'apache2', 'service': 'apache2', 'conf': '/etc/apache2/apache.conf', }, 'RedHat': { 'server': 'httpd', 'service': 'httpd', 'conf': '/etc/httpd/httpd.conf', }, }, merge=salt['pillar.get']('apache:lookup')) %} /srv/pillar/apache.sls: apache: lookup: config: tmpl: salt://apache/files/httpd.conf /srv/salt/apache/init.sls: {% from "apache/map.jinja" import apache with context %} apache: pkg.installed: - name: {{ apache.server }} service.running: - name: {{ apache.service }} - enable: True /srv/salt/apache/conf.sls: {% from "apache/map.jinja" import apache with context %} include: - apache apache_conf: file.managed: - name: {{ apache.conf }} - source: {{ salt['pillar.get']('apache:lookup:config:tmpl') }} - template: jinja - user: root - watch_in: - service: apache This new structure now allows users to choose whether they only wish to install the default Apache, or if they wish, overwrite the default package, service, configuration file location, or the configuration file itself. In addition to this the data has been broken between multiple files allowing for users to identify where they need to change the associated data. Storing Secure Data Secure data refers to any information that you would not wish to share with anyone accessing a server. This could include data such as passwords, keys, or other information. As all data within a state is accessible by EVERY server that is connected it is important to store secure data within pillar. This will ensure that only those servers which require this secure data have access to it. In this example a use can go from an insecure configuration to one which is only accessible by the appropriate hosts: /srv/salt/mysql/testerdb.sls: testdb: mysql_database.present: - name: testerdb /srv/salt/mysql/user.sls: include: - mysql.testerdb testdb_user: mysql_user.present: - name: frank - password: "test3rdb" - host: localhost - require: - sls: mysql.testerdb Many users would review this state and see that the password is there in plain text, which is quite problematic. It results in several issues which may not be immediately visible. The first of these issues is clear to most users -- the password being visible in this state. This means that any minion will have a copy of this, and therefore the password which is a major security concern as minions may not be locked down as tightly as the master server. The other issue that can be encountered is access by users on the master. If everyone has access to the states (or their repository), then they are able to review this password. Keeping your password data accessible by only a few users is critical for both security and peace of mind. There is also the issue of portability. When a state is configured this way it results in multiple changes needing to be made. This was discussed in the sections above but it is a critical idea to drive home. If states are not portable it may result in more work later! Fixing this issue is relatively simple, the content just needs to be moved to the associated pillar: /srv/pillar/mysql.sls: mysql: lookup: name: testerdb password: test3rdb user: frank host: localhost /srv/salt/mysql/testerdb.sls: testdb: mysql_database.present: - name: {{ salt['pillar.get']('mysql:lookup:name') }} /srv/salt/mysql/user.sls: include: - mysql.testerdb testdb_user: mysql_user.present: - name: {{ salt['pillar.get']('mysql:lookup:user') }} - password: {{ salt['pillar.get']('mysql:lookup:password') }} - host: {{ salt['pillar.get']('mysql:lookup:host') }} - require: - sls: mysql.testerdb Now that the database details have been moved to the associated pillar file, only machines which are targeted via pillar will have access to these details. Access to users who should not be able to review these details can also be prevented while ensuring that they are still able to write states which take advantage of this information.
HARDENING SALT
This topic contains tips you can use to secure and harden your Salt environment. How you best secure and harden your Salt environment depends heavily on how you use Salt, where you use Salt, how your team is structured, where you get data from, and what kinds of access (internal and external) you require. General hardening tips • Restrict who can directly log into your Salt master system. • Use SSH keys secured with a passphrase to gain access to the Salt master system. • Track and secure SSH keys and any other login credentials you and your team need to gain access to the Salt master system. • Use a hardened bastion server or a VPN to restrict direct access to the Salt master from the internet. • Don't expose the Salt master any more than what is required. • Harden the system as you would with any high-priority target. • Keep the system patched and up-to-date. • Use tight firewall rules. Salt hardening tips • Subscribe to salt-users or salt-announce so you know when new Salt releases are available. Keep your systems up-to-date with the latest patches. • Use Salt's Client ACL system to avoid having to give out root access in order to run Salt commands. • Use Salt's Client ACL system to restrict which users can run what commands. • Use external Pillar to pull data into Salt from external sources so that non-sysadmins (other teams, junior admins, developers, etc) can provide configuration data without needing access to the Salt master. • Make heavy use of SLS files that are version-controlled and go through a peer-review/code-review process before they're deployed and run in production. This is good advice even for "one-off" CLI commands because it helps mitigate typos and mistakes. • Use salt-api, SSL, and restrict authentication with the external auth system if you need to expose your Salt master to external services. • Make use of Salt's event system and reactor to allow minions to signal the Salt master without requiring direct access. • Run the salt-master daemon as non-root. • Disable which modules are loaded onto minions with the disable_modules setting. (for example, disable the cmd module if it makes sense in your environment.) • Look through the fully-commented sample master and minion config files. There are many options for securing an installation. • Run masterless-mode minions on particularly sensitive minions. There is also salt-ssh or the modules.sudo if you need to further restrict a minion.
TROUBLESHOOTING
The intent of the troubleshooting section is to introduce solutions to a number of common issues encountered by users and the tools that are available to aid in developing States and Salt code. Troubleshooting the Salt Master If your Salt master is having issues such as minions not returning data, slow execution times, or a variety of other issues, the following links contain details on troubleshooting the most common issues encountered: Troubleshooting the Salt Master Running in the Foreground A great deal of information is available via the debug logging system, if you are having issues with minions connecting or not starting run the master in the foreground: # salt-master -l debug Anyone wanting to run Salt daemons via a process supervisor such as monit, runit, or supervisord, should omit the -d argument to the daemons and run them in the foreground. What Ports does the Master Need Open? For the master, TCP ports 4505 and 4506 need to be open. If you've put both your Salt master and minion in debug mode and don't see an acknowledgment that your minion has connected, it could very well be a firewall interfering with the connection. See our firewall configuration page for help opening the firewall on various platforms. If you've opened the correct TCP ports and still aren't seeing connections, check that no additional access control system such as SELinux or AppArmor is blocking Salt. Too many open files The salt-master needs at least 2 sockets per host that connects to it, one for the Publisher and one for response port. Thus, large installations may, upon scaling up the number of minions accessing a given master, encounter: 12:45:29,289 [salt.master ][INFO ] Starting Salt worker process 38 Too many open files sock != -1 (tcp_listener.cpp:335) The solution to this would be to check the number of files allowed to be opened by the user running salt-master (root by default): [root@salt-master ~]# ulimit -n 1024 If this value is not equal to at least twice the number of minions, then it will need to be raised. For example, in an environment with 1800 minions, the nofile limit should be set to no less than 3600. This can be done by creating the file /etc/security/limits.d/99-salt.conf, with the following contents: root hard nofile 4096 root soft nofile 4096 Replace root with the user under which the master runs, if different. If your master does not have an /etc/security/limits.d directory, the lines can simply be appended to /etc/security/limits.conf. As with any change to resource limits, it is best to stay logged into your current shell and open another shell to run ulimit -n again and verify that the changes were applied correctly. Additionally, if your master is running upstart, it may be necessary to specify the nofile limit in /etc/default/salt-master if upstart isn't respecting your resource limits: limit nofile 4096 4096 NOTE: The above is simply an example of how to set these values, and you may wish to increase them even further if your Salt master is doing more than just running Salt. Salt Master Stops Responding There are known bugs with ZeroMQ versions less than 2.1.11 which can cause the Salt master to not respond properly. If you're running a ZeroMQ version greater than or equal to 2.1.9, you can work around the bug by setting the sysctls net.core.rmem_max and net.core.wmem_max to 16777216. Next, set the third field in net.ipv4.tcp_rmem and net.ipv4.tcp_wmem to at least 16777216. You can do it manually with something like: # echo 16777216 > /proc/sys/net/core/rmem_max # echo 16777216 > /proc/sys/net/core/wmem_max # echo "4096 87380 16777216" > /proc/sys/net/ipv4/tcp_rmem # echo "4096 87380 16777216" > /proc/sys/net/ipv4/tcp_wmem Or with the following Salt state: net.core.rmem_max: sysctl: - present - value: 16777216 net.core.wmem_max: sysctl: - present - value: 16777216 net.ipv4.tcp_rmem: sysctl: - present - value: 4096 87380 16777216 net.ipv4.tcp_wmem: sysctl: - present - value: 4096 87380 16777216 Live Python Debug Output If the master seems to be unresponsive, a SIGUSR1 can be passed to the salt-master threads to display what piece of code is executing. This debug information can be invaluable in tracking down bugs. To pass a SIGUSR1 to the master, first make sure the minion is running in the foreground. Stop the service if it is running as a daemon, and start it in the foreground like so: # salt-master -l debug Then pass the signal to the master when it seems to be unresponsive: # killall -SIGUSR1 salt-master When filing an issue or sending questions to the mailing list for a problem with an unresponsive daemon, be sure to include this information if possible. Live Salt-Master Profiling When faced with performance problems one can turn on master process profiling by sending it SIGUSR2. # killall -SIGUSR2 salt-master This will activate yappi profiler inside salt-master code, then after some time one must send SIGUSR2 again to stop profiling and save results to file. If run in foreground salt-master will report filename for the results, which are usually located under /tmp on Unix-based OSes and c:\temp on windows. Results can then be analyzed with kcachegrind or similar tool. Commands Time Out or Do Not Return Output Depending on your OS (this is most common on Ubuntu due to apt-get) you may sometimes encounter times where your highstate, or other long running commands do not return output. By default the timeout is set to 5 seconds. The timeout value can easily be increased by modifying the timeout line within your /etc/salt/master configuration file. Having keys accepted for Salt minions that no longer exist or are not reachable also increases the possibility of timeouts, since the Salt master waits for those systems to return command results. Passing the -c Option to Salt Returns a Permissions Error Using the -c option with the Salt command modifies the configuration directory. When the configuration file is read it will still base data off of the root_dir setting. This can result in unintended behavior if you are expecting files such as /etc/salt/pki to be pulled from the location specified with -c. Modify the root_dir setting to address this behavior. Salt Master Doesn't Return Anything While Running jobs When a command being run via Salt takes a very long time to return (package installations, certain scripts, etc.) the master may drop you back to the shell. In most situations the job is still running but Salt has exceeded the set timeout before returning. Querying the job queue will provide the data of the job but is inconvenient. This can be resolved by either manually using the -t option to set a longer timeout when running commands (by default it is 5 seconds) or by modifying the master configuration file: /etc/salt/master and setting the timeout value to change the default timeout for all commands, and then restarting the salt-master service. Salt Master Auth Flooding In large installations, care must be taken not to overwhealm the master with authentication requests. Several options can be set on the master which mitigate the chances of an authentication flood from causing an interuption in service. NOTE: recon_default: The average number of seconds to wait between reconnection attempts. recon_max: The maximum number of seconds to wait between reconnection attempts. recon_randomize: A flag to indicate whether the recon_default value should be randomized. acceptance_wait_time: The number of seconds to wait for a reply to each authentication request. random_reauth_delay: The range of seconds across which the minions should attempt to randomize authentication attempts. auth_timeout: The total time to wait for the authentication process to complete, regardless of the number of attempts. Running state locally To debug the states, you can use call locally. salt-call -l trace --local state.highstate The top.sls file is used to map what SLS modules get loaded onto what minions via the state system. It is located in the file defined in the file_roots variable of the salt master configuration file which is defined by found in CONFIG_DIR/master, normally /etc/salt/master The default configuration for the file_roots is: file_roots: base: - /srv/salt So the top file is defaulted to the location /srv/salt/top.sls Salt Master Umask The salt master uses a cache to track jobs as they are published and returns come back. The recommended umask for a salt-master is 022, which is the default for most users on a system. Incorrect umasks can result in permission-denied errors when the master tries to access files in its cache. Troubleshooting the Salt Minion In the event that your Salt minion is having issues, a variety of solutions and suggestions are available. Please refer to the following links for more information: Troubleshooting the Salt Minion Running in the Foreground A great deal of information is available via the debug logging system, if you are having issues with minions connecting or not starting run the minion in the foreground: # salt-minion -l debug Anyone wanting to run Salt daemons via a process supervisor such as monit, runit, or supervisord, should omit the -d argument to the daemons and run them in the foreground. What Ports does the Minion Need Open? No ports need to be opened on the minion, as it makes outbound connections to the master. If you've put both your Salt master and minion in debug mode and don't see an acknowledgment that your minion has connected, it could very well be a firewall interfering with the connection. See our firewall configuration page for help opening the firewall on various platforms. If you have netcat installed, you can check port connectivity from the minion with the nc command: $ nc -v -z salt.master.ip.addr 4505 Connection to salt.master.ip.addr 4505 port [tcp/unknown] succeeded! $ nc -v -z salt.master.ip.addr 4506 Connection to salt.master.ip.addr 4506 port [tcp/unknown] succeeded! The Nmap utility can also be used to check if these ports are open: # nmap -sS -q -p 4505-4506 salt.master.ip.addr Starting Nmap 6.40 ( http://nmap.org ) at 2013-12-29 19:44 CST Nmap scan report for salt.master.ip.addr (10.0.0.10) Host is up (0.0026s latency). PORT STATE SERVICE 4505/tcp open unknown 4506/tcp open unknown MAC Address: 00:11:22:AA:BB:CC (Intel) Nmap done: 1 IP address (1 host up) scanned in 1.64 seconds If you've opened the correct TCP ports and still aren't seeing connections, check that no additional access control system such as SELinux or AppArmor is blocking Salt. Using salt-call The salt-call command was originally developed for aiding in the development of new Salt modules. Since then, many applications have been developed for running any Salt module locally on a minion. These range from the original intent of salt-call, development assistance, to gathering more verbose output from calls like state.highstate. When initially creating your state tree, it is generally recommended to invoke state.highstate from the minion with salt-call. This displays far more information about the highstate execution than calling it remotely. For even more verbosity, increase the loglevel with the same argument as salt-minion: # salt-call -l debug state.highstate The main difference between using salt and using salt-call is that salt-call is run from the minion, and it only runs the selected function on that minion. By contrast, salt is run from the master, and requires you to specify the minions on which to run the command using salt's targeting system. Live Python Debug Output If the minion seems to be unresponsive, a SIGUSR1 can be passed to the process to display what piece of code is executing. This debug information can be invaluable in tracking down bugs. To pass a SIGUSR1 to the minion, first make sure the minion is running in the foreground. Stop the service if it is running as a daemon, and start it in the foreground like so: # salt-minion -l debug Then pass the signal to the minion when it seems to be unresponsive: # killall -SIGUSR1 salt-minion When filing an issue or sending questions to the mailing list for a problem with an unresponsive daemon, be sure to include this information if possible. Multiprocessing in Execution Modules As is outlined in github issue #6300, Salt cannot use python's multiprocessing pipes and queues from execution modules. Multiprocessing from the execution modules is perfectly viable, it is just necessary to use Salt's event system to communicate back with the process. The reason for this difficulty is that python attempts to pickle all objects in memory when communicating, and it cannot pickle function objects. Since the Salt loader system creates and manages function objects this causes the pickle operation to fail. Salt Minion Doesn't Return Anything While Running Jobs Locally When a command being run via Salt takes a very long time to return (package installations, certain scripts, etc.) the minion may drop you back to the shell. In most situations the job is still running but Salt has exceeded the set timeout before returning. Querying the job queue will provide the data of the job but is inconvenient. This can be resolved by either manually using the -t option to set a longer timeout when running commands (by default it is 5 seconds) or by modifying the minion configuration file: /etc/salt/minion and setting the timeout value to change the default timeout for all commands, and then restarting the salt-minion service. NOTE: Modifying the minion timeout value is not required when running commands from a Salt Master. It is only required when running commands locally on the minion. Running in the Foreground A great deal of information is available via the debug logging system, if you are having issues with minions connecting or not starting run the minion and/or master in the foreground: salt-master -l debug salt-minion -l debug Anyone wanting to run Salt daemons via a process supervisor such as monit, runit, or supervisord, should omit the -d argument to the daemons and run them in the foreground. What Ports do the Master and Minion Need Open? No ports need to be opened up on each minion. For the master, TCP ports 4505 and 4506 need to be open. If you've put both your Salt master and minion in debug mode and don't see an acknowledgment that your minion has connected, it could very well be a firewall. You can check port connectivity from the minion with the nc command: nc -v -z salt.master.ip 4505 nc -v -z salt.master.ip 4506 There is also a firewall configuration document that might help as well. If you've enabled the right TCP ports on your operating system or Linux distribution's firewall and still aren't seeing connections, check that no additional access control system such as SELinux or AppArmor is blocking Salt. Using salt-call The salt-call command was originally developed for aiding in the development of new Salt modules. Since then, many applications have been developed for running any Salt module locally on a minion. These range from the original intent of salt-call, development assistance, to gathering more verbose output from calls like state.highstate. When creating your state tree, it is generally recommended to invoke state.highstate with salt-call. This displays far more information about the highstate execution than calling it remotely. For even more verbosity, increase the loglevel with the same argument as salt-minion: salt-call -l debug state.highstate The main difference between using salt and using salt-call is that salt-call is run from the minion, and it only runs the selected function on that minion. By contrast, salt is run from the master, and requires you to specify the minions on which to run the command using salt's targeting system. Too many open files The salt-master needs at least 2 sockets per host that connects to it, one for the Publisher and one for response port. Thus, large installations may, upon scaling up the number of minions accessing a given master, encounter: 12:45:29,289 [salt.master ][INFO ] Starting Salt worker process 38 Too many open files sock != -1 (tcp_listener.cpp:335) The solution to this would be to check the number of files allowed to be opened by the user running salt-master (root by default): [root@salt-master ~]# ulimit -n 1024 And modify that value to be at least equal to the number of minions x 2. This setting can be changed in limits.conf as the nofile value(s), and activated upon new a login of the specified user. So, an environment with 1800 minions, would need 1800 x 2 = 3600 as a minimum. Salt Master Stops Responding There are known bugs with ZeroMQ versions less than 2.1.11 which can cause the Salt master to not respond properly. If you're running a ZeroMQ version greater than or equal to 2.1.9, you can work around the bug by setting the sysctls net.core.rmem_max and net.core.wmem_max to 16777216. Next, set the third field in net.ipv4.tcp_rmem and net.ipv4.tcp_wmem to at least 16777216. You can do it manually with something like: # echo 16777216 > /proc/sys/net/core/rmem_max # echo 16777216 > /proc/sys/net/core/wmem_max # echo "4096 87380 16777216" > /proc/sys/net/ipv4/tcp_rmem # echo "4096 87380 16777216" > /proc/sys/net/ipv4/tcp_wmem Or with the following Salt state: net.core.rmem_max: sysctl: - present - value: 16777216 net.core.wmem_max: sysctl: - present - value: 16777216 net.ipv4.tcp_rmem: sysctl: - present - value: 4096 87380 16777216 net.ipv4.tcp_wmem: sysctl: - present - value: 4096 87380 16777216 Salt and SELinux Currently there are no SELinux policies for Salt. For the most part Salt runs without issue when SELinux is running in Enforcing mode. This is because when the minion executes as a daemon the type context is changed to initrc_t. The problem with SELinux arises when using salt-call or running the minion in the foreground, since the type context stays unconfined_t. This problem is generally manifest in the rpm install scripts when using the pkg module. Until a full SELinux Policy is available for Salt the solution to this issue is to set the execution context of salt-call and salt-minion to rpm_exec_t: # CentOS 5 and RHEL 5: chcon -t system_u:system_r:rpm_exec_t:s0 /usr/bin/salt-minion chcon -t system_u:system_r:rpm_exec_t:s0 /usr/bin/salt-call # CentOS 6 and RHEL 6: chcon system_u:object_r:rpm_exec_t:s0 /usr/bin/salt-minion chcon system_u:object_r:rpm_exec_t:s0 /usr/bin/salt-call This works well, because the rpm_exec_t context has very broad control over other types. Red Hat Enterprise Linux 5 Salt requires Python 2.6 or 2.7. Red Hat Enterprise Linux 5 and its variants come with Python 2.4 installed by default. When installing on RHEL 5 from the EPEL repository this is handled for you. But, if you run Salt from git, be advised that its dependencies need to be installed from EPEL and that Salt needs to be run with the python26 executable. Common YAML Gotchas An extensive list of YAML idiosyncrasies has been compiled: YAML Idiosyncrasies One of Salt's strengths, the use of existing serialization systems for representing SLS data, can also backfire. YAML is a general purpose system and there are a number of things that would seem to make sense in an sls file that cause YAML issues. It is wise to be aware of these issues. While reports or running into them are generally rare they can still crop up at unexpected times. Spaces vs Tabs YAML uses spaces, period. Do not use tabs in your SLS files! If strange errors are coming up in rendering SLS files, make sure to check that no tabs have crept in! In Vim, after enabling search highlighting with: :set hlsearch, you can check with the following key sequence in normal mode(you can hit ESC twice to be sure): /, Ctrl-v, Tab, then hit Enter. Also, you can convert tabs to 2 spaces by these commands in Vim: :set tabstop=2 expandtab and then :retab. Indentation The suggested syntax for YAML files is to use 2 spaces for indentation, but YAML will follow whatever indentation system that the individual file uses. Indentation of two spaces works very well for SLS files given the fact that the data is uniform and not deeply nested. Nested Dictionaries When dicts are nested within other data structures (particularly lists), the indentation logic sometimes changes. Examples of where this might happen include context and default options from the file.managed state: /etc/http/conf/http.conf: file: - managed - source: salt://apache/http.conf - user: root - group: root - mode: 644 - template: jinja - context: custom_var: "override" - defaults: custom_var: "default value" other_var: 123 Notice that while the indentation is two spaces per level, for the values under the context and defaults options there is a four-space indent. If only two spaces are used to indent, then those keys will be considered part of the same dictionary that contains the context key, and so the data will not be loaded correctly. If using a double indent is not desirable, then a deeply-nested dict can be declared with curly braces: /etc/http/conf/http.conf: file: - managed - source: salt://apache/http.conf - user: root - group: root - mode: 644 - template: jinja - context: { custom_var: "override" } - defaults: { custom_var: "default value", other_var: 123 } Here is a more concrete example of how YAML actually handles these indentations, using the Python interpreter on the command line: >>> import yaml >>> yaml.safe_load('''mystate: ... file.managed: ... - context: ... some: var''') {'mystate': {'file.managed': [{'context': {'some': 'var'}}]}} >>> yaml.safe_load('''mystate: ... file.managed: ... - context: ... some: var''') {'mystate': {'file.managed': [{'some': 'var', 'context': None}]}} Note that in the second example, some is added as another key in the same dictionary, whereas in the first example, it's the start of a new dictionary. That's the distinction. context is a common example because it is a keyword arg for many functions, and should contain a dictionary. True/False, Yes/No, On/Off PyYAML will load these values as boolean True or False. Un-capitalized versions will also be loaded as booleans (true, false, yes, no, on, and off). This can be especially problematic when constructing Pillar data. Make sure that your Pillars which need to use the string versions of these values are enclosed in quotes. Integers are Parsed as Integers NOTE: This has been fixed in salt 0.10.0, as of this release passing an integer that is preceded by a 0 will be correctly parsed When passing integers into an SLS file, they are passed as integers. This means that if a state accepts a string value and an integer is passed, that an integer will be sent. The solution here is to send the integer as a string. This is best explained when setting the mode for a file: /etc/vimrc: file: - managed - source: salt://edit/vimrc - user: root - group: root - mode: 644 Salt manages this well, since the mode is passed as 644, but if the mode is zero padded as 0644, then it is read by YAML as an integer and evaluated as an octal value, 0644 becomes 420. Therefore, if the file mode is preceded by a 0 then it needs to be passed as a string: /etc/vimrc: file: - managed - source: salt://edit/vimrc - user: root - group: root - mode: '0644' YAML does not like Double Short Decs If I can find a way to make YAML accept "Double Short Decs" then I will, since I think that double short decs would be awesome. So what is a "Double Short Dec"? It is when you declare a multiple short decs in one ID. Here is a standard short dec, it works great: vim: pkg.installed The short dec means that there are no arguments to pass, so it is not required to add any arguments, and it can save space. YAML though, gets upset when declaring multiple short decs, for the record... THIS DOES NOT WORK: vim: pkg.installed user.present Similarly declaring a short dec in the same ID dec as a standard dec does not work either... ALSO DOES NOT WORK: fred: user.present ssh_auth.present: - name: AAAAB3NzaC... - user: fred - enc: ssh-dss - require: - user: fred The correct way is to define them like this: vim: pkg.installed: [] user.present: [] fred: user.present: [] ssh_auth.present: - name: AAAAB3NzaC... - user: fred - enc: ssh-dss - require: - user: fred Alternatively, they can be defined the "old way", or with multiple "full decs": vim: pkg: - installed user: - present fred: user: - present ssh_auth: - present - name: AAAAB3NzaC... - user: fred - enc: ssh-dss - require: - user: fred YAML support only plain ASCII According to YAML specification, only ASCII characters can be used. Within double-quotes, special characters may be represented with C-style escape sequences starting with a backslash ( \ ). Examples: - micro: "\u00b5" - copyright: "\u00A9" - A: "\x41" - alpha: "\u0251" - Alef: "\u05d0" List of usable Unicode characters will help you to identify correct numbers. Python can also be used to discover the Unicode number for a character: repr(u"Text with wrong characters i need to figure out") This shell command can find wrong characters in your SLS files: find . -name '*.sls' -exec grep --color='auto' -P -n '[^\x00-\x7F]' \{} \; Alternatively you can toggle the yaml_utf8 setting in your master configuration file. This is still an experimental setting but it should manage the right encoding conversion in salt after yaml states compilations. Underscores stripped in Integer Definitions If a definition only includes numbers and underscores, it is parsed by YAML as an integer and all underscores are stripped. To ensure the object becomes a string, it should be surrounded by quotes. More information here. Here's an example: >>> import yaml >>> yaml.safe_load('2013_05_10') 20130510 >>> yaml.safe_load('"2013_05_10"') '2013_05_10' Automatic datetime conversion If there is a value in a YAML file formatted 2014-01-20 14:23:23 or similar, YAML will automatically convert this to a Python datetime object. These objects are not msgpack serializable, and so may break core salt functionality. If values such as these are needed in a salt YAML file (specifically a configuration file), they should be formatted with surrounding strings to force YAML to serialize them as strings: >>> import yaml >>> yaml.safe_load('2014-01-20 14:23:23') datetime.datetime(2014, 1, 20, 14, 23, 23) >>> yaml.safe_load('"2014-01-20 14:23:23"') '2014-01-20 14:23:23' Additionally, numbers formatted like XXXX-XX-XX will also be converted (or YAML will attempt to convert them, and error out if it doesn't think the date is a real one). Thus, for example, if a minion were to have an ID of 4017-16-20 the minion would not start because YAML would complain that the date was out of range. The workaround is the same, surround the offending string with quotes: >>> import yaml >>> yaml.safe_load('4017-16-20') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/local/lib/python2.7/site-packages/yaml/__init__.py", line 93, in safe_load return load(stream, SafeLoader) File "/usr/local/lib/python2.7/site-packages/yaml/__init__.py", line 71, in load return loader.get_single_data() File "/usr/local/lib/python2.7/site-packages/yaml/constructor.py", line 39, in get_single_data return self.construct_document(node) File "/usr/local/lib/python2.7/site-packages/yaml/constructor.py", line 43, in construct_document data = self.construct_object(node) File "/usr/local/lib/python2.7/site-packages/yaml/constructor.py", line 88, in construct_object data = constructor(self, node) File "/usr/local/lib/python2.7/site-packages/yaml/constructor.py", line 312, in construct_yaml_timestamp return datetime.date(year, month, day) ValueError: month must be in 1..12 >>> yaml.safe_load('"4017-16-20"') '4017-16-20' Live Python Debug Output If the minion or master seems to be unresponsive, a SIGUSR1 can be passed to the processes to display where in the code they are running. If encountering a situation like this, this debug information can be invaluable. First make sure the master of minion are running in the foreground: salt-master -l debug salt-minion -l debug Then pass the signal to the master or minion when it seems to be unresponsive: killall -SIGUSR1 salt-master killall -SIGUSR1 salt-minion Also under BSD and Mac OS X in addition to SIGUSR1 signal, debug subroutine set up for SIGINFO which has an advantage of being sent by Ctrl+T shortcut. When filing an issue or sending questions to the mailing list for a problem with an unresponsive daemon this information can be invaluable. Salt 0.16.x minions cannot communicate with a 0.17.x master As of release 0.17.1 you can no longer run different versions of Salt on your Master and Minion servers. This is due to a protocol change for security purposes. The Salt team will continue to attempt to ensure versions are as backwards compatible as possible. Debugging the Master and Minion A list of common master and minion troubleshooting steps provide a starting point for resolving issues you may encounter.
DEVELOPING SALT
Overview In its most typical use, Salt is a software application in which clients, called "minions" can be commanded and controlled from a central command server called a "master". Commands are normally issued to the minions (via the master) by calling a client script simply called, 'salt'. Salt features a pluggable transport system to issue commands from a master to minions. The default transport is ZeroMQ. Salt Client Overview The salt client is run on the same machine as the Salt Master and communicates with the salt-master to issue commands and to receive the results and display them to the user. The primary abstraction for the salt client is called 'LocalClient'. When LocalClient wants to publish a command to minions, it connects to the master by issuing a request to the master's ReqServer (TCP: 4506) The LocalClient system listens to responses for its requests by listening to the master event bus publisher (master_event_pub.ipc). Salt Master Overview The salt-master daemon runs on the designated Salt master and performs functions such as authenticating minions, sending, and receiving requests from connected minions and sending and receiving requests and replies to the 'salt' CLI. Moving Pieces When a Salt master starts up, a number of processes are started, all of which are called 'salt-master' in a process-list but have various role categories. Among those categories are: • Publisher • EventPublisher • MWorker Publisher The Publisher process is responsible for sending commands over the designated transport to connected minions. The Publisher is bound to the following: • TCP: port 4505 • IPC: publish_pull.ipc Each salt minion establishes a connection to the master Publisher. EventPublisher The EventPublisher publishes events onto the event bus. It is bound to the following: • IPC: master_event_pull.ipc • IPC: master_event_pub.ipc MWorker Worker processes manage the back-end operations for the Salt Master. The number of workers is equivalent to the number of 'worker_threads' specified in the master configuration and is always at least one. Workers are bound to the following: • IPC: workers.ipc ReqServer The Salt request server takes requests and distributes them to available MWorker processes for processing. It also receives replies back from minions. The ReqServer is bound to the following: • TCP: 4506 • IPC: workers.ipc Each salt minion establishes a connection to the master ReqServer. Job Flow The Salt master works by always publishing commands to all connected minions and the minions decide if the command is meant for them by checking themselves against the command target. The typical lifecycle of a salt job from the perspective of the master might be as follows: 1. A command is issued on the CLI. For example, 'salt my_minion test.ping'. 2) The 'salt' command uses LocalClient to generate a request to the salt master by connecting to the ReqServer on TCP:4506 and issuing the job. 3) The salt-master ReqServer sees the request and passes it to an available MWorker over workers.ipc. 4) A worker picks up the request and handles it. First, it checks to ensure that the requested user has permissions to issue the command. Then, it sends the publish command to all connected minions. For the curious, this happens in ClearFuncs.publish(). 5) The worker announces on the master event bus that it is about to publish a job to connected minions. This happens by placing the event on the master event bus (master_event_pull.ipc) where the EventPublisher picks it up and distributes it to all connected event listeners on master_event_pub.ipc. 6) The message to the minions is encrypted and sent to the Publisher via IPC on publish_pull.ipc. 7) Connected minions have a TCP session established with the Publisher on TCP port 4505 where they await commands. When the Publisher receives the job over publish_pull, it sends the jobs across the wire to the minions for processing. 8) After the minions receive the request, they decrypt it and perform any requested work, if they determine that they are targeted to do so. 9) When the minion is ready to respond, it publishes the result of its job back to the master by sending the encrypted result back to the master on TCP 4506 where it is again picked up by the ReqServer and forwarded to an available MWorker for processing. (Again, this happens by passing this message across workers.ipc to an available worker.) 10) When the MWorker receives the job it decrypts it and fires an event onto the master event bus (master_event_pull.ipc). (Again for the curious, this happens in AESFuncs._return(). 11) The EventPublisher sees this event and re-publishes it on the bus to all connected listeners of the master event bus (on master_event_pub.ipc). This is where the LocalClient has been waiting, listening to the event bus for minion replies. It gathers the job and stores the result. 12) When all targeted minions have replied or the timeout has been exceeded, the salt client displays the results of the job to the user on the CLI. Salt Minion Overview The salt-minion is a single process that sits on machines to be managed by Salt. It can either operate as a stand-alone daemon which accepts commands locally via 'salt-call' or it can connect back to a master and receive commands remotely. When starting up, salt minions connect _back_ to a master defined in the minion config file. The connect to two ports on the master: • TCP: 4505 This is the connection to the master Publisher. It is on this port that the minion receives jobs from the master. • TCP: 4506 This is the connection to the master ReqServer. It is on this port that the minion sends job results back to the master. Event System Similar to the master, a salt-minion has its own event system that operates over IPC by default. The minion event system operates on a push/pull system with IPC files at minion_event_<unique_id>_pub.ipc and minion_event_<unique_id>_pull.ipc. The astute reader might ask why have an event bus at all with a single-process daemon. The answer is that the salt-minion may fork other processes as required to do the work without blocking the main salt-minion process and this necessitates a mechanism by which those processes can communicate with each other. Secondarily, this provides a bus by which any user with sufficient permissions can read or write to the bus as a common interface with the salt minion. Job Flow When a salt minion starts up, it attempts to connect to the Publisher and the ReqServer on the salt master. It then attempts to authenticate and once the minion has successfully authenticated, it simply listens for jobs. Jobs normally come either come from the 'salt-call' script run by a local user on the salt minion or they can come directly from a master. Master Job Flow 1) A master publishes a job that is received by a minion as outlined by the master's job flow above. 2) The minion is polling its receive socket that's connected to the master Publisher (TCP 4505 on master). When it detects an incoming message, it picks it up from the socket and decrypts it. 3) A new minion process or thread is created and provided with the contents of the decrypted message. The _thread_return() method is provided with the contents of the received message. 4) The new minion thread is created. The _thread_return() function starts up and actually calls out to the requested function contained in the job. 5. The requested function runs and returns a result. [Still in thread.] 6) The result of the function that's run is encrypted and returned to the master's ReqServer (TCP 4506 on master). [Still in thread.] 7) Thread exits. Because the main thread was only blocked for the time that it took to initialize the worker thread, many other requests could have been received and processed during this time. A Note on ClearFuncs vs. AESFuncs A common source of confusion is determining when messages are passed in the clear and when they are passed using encryption. There are two rules governing this behaviour: 1) ClearFuncs is used for intra-master communication and during the initial authentication handshake between a minion and master during the key exhange. 2. AESFuncs is used everywhere else. Contributing There is a great need for contributions to Salt and patches are welcome! The goal here is to make contributions clear, make sure there is a trail for where the code has come from, and most importantly, to give credit where credit is due! There are a number of ways to contribute to Salt development. For details on how to contribute documentation improvements please review Writing Salt Documentation. Salt Coding Style SaltStack has its own coding style guide that informs contributors on various coding approaches. Please review the :ref:`Salt Coding Style<coding-style>`_ documentation for information about Salt's particular coding patterns. Within the :ref:`Salt Coding Style<coding-style>`_ documentation, there is a section about running Salt's .pylintrc file. SaltStack recommends running the .pylintrc file on any files you are changing with your code contribution before submitting a pull request to Salt's repository. Please see the :ref:`Linting<pylint-instructions>`_ documentation for more information. Sending a GitHub pull request Sending pull requests on GitHub is the preferred method for receiving contributions. The workflow advice below mirrors GitHub's own guide and is well worth reading. 1. Fork saltstack/salt on GitHub. 2. Make a local clone of your fork. git clone git@github.com:my-account/salt.git cd salt 3. Add saltstack/salt as a git remote. git remote add upstream https://github.com/saltstack/salt.git 4. Create a new branch in your clone. NOTE: A branch should have one purpose. For example, "Fix bug X," or "Add feature Y". Multiple unrelated fixes and/or features should be isolated into separate branches. If you're working on a bug or documentation fix, create your branch from the oldest release branch that contains the bug or requires the documentation update. See Which Salt Branch?. git fetch upstream git checkout -b fix-broken-thing upstream/2015.5 If you're working on a feature, create your branch from the develop branch. git fetch upstream git checkout -b add-cool-feature upstream/develop 5. Edit and commit changes to your branch. vim path/to/file1 path/to/file2 git diff git add path/to/file1 path/to/file2 git commit Write a short, descriptive commit title and a longer commit message if necessary. NOTE: If your change fixes a bug or implements a feature already filed in the issue tracker, be sure to reference the issue number in the commit message body. fix broken things in file1 and file2 Fixes #31337. The issue is now eradicated from file1 and file2. # Please enter the commit message for your changes. Lines starting # with '#' will be ignored, and an empty message aborts the commit. # On branch fix-broken-thing # Changes to be committed: # modified: path/to/file1 # modified: path/to/file2 If you get stuck, there are many introductory Git resources on http://help.github.com. 6. Push your locally-committed changes to your GitHub fork, NOTE: You may want to rebase before pushing to work out any potential conflicts. git fetch upstream git rebase upstream/2015.5 fix-broken-thing git push --set-upstream origin fix-broken-thing or, git fetch upstream git rebase upstream/develop add-cool-feature git push --set-upstream origin add-cool-feature 7. Find the branch on your GitHub salt fork. https://github.com/my-account/salt/branches/fix-broken-thing 8. Open a new pull request. Click on Pull Request on the right near the top of the page, https://github.com/my-account/salt/pull/new/fix-broken-thing 1. If your branch is a fix for a release branch, choose that as the base branch (e.g. 2015.5), https://github.com/my-account/salt/compare/saltstack:2015.5...fix-broken-thing If your branch is a feature, choose develop as the base branch, https://github.com/my-account/salt/compare/saltstack:develop...add-cool-feature 2. Review that the proposed changes are what you expect. 3. Write a descriptive comment. Include links to related issues (e.g. 'Fixes #31337.') in the comment field. 4. Click Create pull request. 9. Salt project members will review your pull request and automated tests will run on it. If you recognize any test failures as being related to your proposed changes or if a reviewer asks for modifications: 1. Make the new changes in your local clone on the same local branch. 2. Push the branch to GitHub again using the same commands as before. 3. New and updated commits will be added to the pull request automatically. 4. Feel free to add a comment to the discussion. NOTE: Jenkins Pull request against saltstack/salt are automatically tested on a variety of operating systems and configurations. On average these tests take 30 minutes. Depending on your GitHub notification settings you may also receive an email message about the test results. Test progress and results can be found at http://jenkins.saltstack.com/. Which Salt branch? GitHub will open pull requests against Salt's main branch, develop, by default. Ideally, features should go into develop and bug fixes and documentation changes should go into the oldest supported release branch affected by the bug or documentation update. See Sending a GitHub pull request. If you have a bug fix or doc change and have already forked your working branch from develop and do not know how to rebase your commits against another branch, then submit it to develop anyway and we'll be sure to back-port it to the correct place. The current release branch The current release branch is the most recent stable release. Pull requests containing bug fixes should be made against the release branch. The branch name will be a date-based name such as 2015.5. Bug fixes are made on this branch so that minor releases can be cut from this branch without introducing surprises and new features. This approach maximizes stability. The Salt development team will "merge-forward" any fixes made on the release branch to the develop branch once the pull request has been accepted. This keeps the fix in isolation on the release branch and also keeps the develop branch up-to-date. NOTE: Closing GitHub issues from commits This "merge-forward" strategy requires that the magic keywords to close a GitHub issue appear in the commit message text directly. Only including the text in a pull request will not close the issue. GitHub will close the referenced issue once the commit containing the magic text is merged into the default branch (develop). Any magic text input only into the pull request description will not be seen at the Git-level when those commits are merged-forward. In other words, only the commits are merged-forward and not the pull request. The develop branch The develop branch is unstable and bleeding-edge. Pull requests containing feature additions or non-bug-fix changes should be made against the develop branch. The Salt development team will back-port bug fixes made to develop to the current release branch if the contributor cannot create the pull request against that branch. Keeping Salt Forks in Sync Salt is advancing quickly. It is therefore critical to pull upstream changes from upstream into your fork on a regular basis. Nothing is worse than putting hard work into a pull request only to see bunches of merge conflicts because it has diverged too far from upstream. SEE ALSO: GitHub Fork a Repo Guide The following assumes origin is the name of your fork and upstream is the name of the main saltstack/salt repository. 1. View existing remotes. git remote -v 2. Add the upstream remote. # For ssh github git remote add upstream git@github.com:saltstack/salt.git # For https github git remote add upstream https://github.com/saltstack/salt.git 3. Pull upstream changes into your clone. git fetch upstream 4. Update your copy of the develop branch. git checkout develop git merge --ff-only upstream/develop If Git complains that a fast-forward merge is not possible, you have local commits. • Run git pull --rebase origin develop to rebase your changes on top of the upstream changes. • Or, run git branch <branch-name> to create a new branch with your commits. You will then need to reset your develop branch before updating it with the changes from upstream. If Git complains that local files will be overwritten, you have changes to files in your working directory. Run git status to see the files in question. 5. Update your fork. git push origin develop 6. Repeat the previous two steps for any other branches you work with, such as the current release branch. Posting patches to the mailing list Patches will also be accepted by email. Format patches using git format-patch and send them to the salt-users mailing list. The contributor will then get credit for the patch, and the Salt community will have an archive of the patch and a place for discussion. Backporting Pull Requests If a bug is fixed on develop and the bug is also present on a currently-supported release branch it will need to be back-ported to all applicable branches. NOTE: Most Salt contributors can skip these instructions These instructions do not need to be read in order to contribute to the Salt project! The SaltStack team will back-port fixes on behalf of contributors in order to keep the contribution process easy. These instructions are intended for frequent Salt contributors, advanced Git users, SaltStack employees, or independent souls who wish to back-port changes themselves. It is often easiest to fix a bug on the oldest supported release branch and then merge that branch forward into develop (as described earlier in this document). When that is not possible the fix must be back-ported, or copied, into any other affected branches. These steps assume a pull request #1234 has been merged into develop. And upstream is the name of the remote pointing to the main Salt repo. 1. Identify the oldest supported release branch that is affected by the bug. 2. Create a new branch for the back-port by reusing the same branch from the original pull request. Name the branch bp-<NNNN> and use the number of the original pull request. git fetch upstream refs/pull/1234/head:bp-1234 git checkout bp-1234 3. Find the parent commit of the original pull request. The parent commit of the original pull request must be known in order to rebase onto a release branch. The easiest way to find this is on GitHub. Open the original pull request on GitHub and find the first commit in the list of commits. Select and copy the SHA for that commit. The parent of that commit can be specified by appending ~1 to the end. 4. Rebase the new branch on top of the release branch. • <release-branch> is the branch identified in step #1. • <orig-base> is the SHA identified in step #3 -- don't forget to add ~1 to the end! git rebase --onto <release-branch> <orig-base> bp-1234 Note, release branches prior to 2015.5 will not be able to make use of rebase and must use cherry-picking instead. 5. Push the back-port branch to GitHub and open a new pull request. Opening a pull request for the back-port allows for the test suite and normal code-review process. git push -u origin bp-1234 Issue and Pull Request Labeling System SaltStack uses several labeling schemes to help facilitate code contributions and bug resolution. See the Labels and Milestones documentation for more information. Deprecating Code Salt should remain backwards compatible, though sometimes, this backwards compatibility needs to be broken because a specific feature and/or solution is no longer necessary or required. At first one might think, let me change this code, it seems that it's not used anywhere else so it should be safe to remove. Then, once there's a new release, users complain about functionality which was removed and they where using it, etc. This should, at all costs, be avoided, and, in these cases, that specific code should be deprecated. In order to give users enough time to migrate from the old code behavior to the new behavior, the deprecation time frame should be carefully determined based on the significance and complexity of the changes required by the user. Salt feature releases are based on the Periodic Table. Any new features going into the develop branch will be named after the next element in the Periodic Table. For example, Beryllium was the feature release name of the develop branch before the 2015.8 branch was tagged. At that point in time, any new features going into the develop branch after 2015.8 was branched were part of the Boron feature release. A deprecation warning should be in place for at least two major releases before the deprecated code and its accompanying deprecation warning are removed. More time should be given for more complex changes. For example, if the current release under development is Sodium, the deprecated code and associated warnings should remain in place and warn for at least Aluminum. To help in this deprecation task, salt provides salt.utils.warn_until. The idea behind this helper function is to show the deprecation warning to the user until salt reaches the provided version. Once that provided version is equaled salt.utils.warn_until will raise a RuntimeError making salt stop its execution. This stoppage is unpleasant and will remind the developer that the deprecation limit has been reached and that the code can then be safely removed. Consider the following example: def some_function(bar=False, foo=None): if foo is not None: salt.utils.warn_until( 'Aluminum', 'The \'foo\' argument has been deprecated and its ' 'functionality removed, as such, its usage is no longer ' 'required.' ) Development begins on the Aluminum release when the Magnesium branch is forked from the develop branch. Once this occurs, all uses of the warn_until function targeting Aluminum, along with the code they are warning about should be removed from the code. Dunder Dictionaries Salt provides several special "dunder" dictionaries as a convenience for Salt development. These include __opts__, __context__, __salt__, and others. This document will describe each dictionary and detail where they exist and what information and/or functionality they provide. __opts__ Available in • All loader modules The __opts__ dictionary contains all of the options passed in the configuration file for the master or minion. NOTE: In many places in salt, instead of pulling raw data from the __opts__ dict, configuration data should be pulled from the salt get functions such as config.get, aka - __salt__['config.get']('foo:bar') The get functions also allow for dict traversal via the : delimiter. Consider using get functions whenever using __opts__ or __pillar__ and __grains__ (when using grains for configuration data) The configuration file data made available in the __opts__ dictionary is the configuration data relative to the running daemon. If the modules are loaded and executed by the master, then the master configuration data is available, if the modules are executed by the minion, then the minion configuration is available. Any additional information passed into the respective configuration files is made available __salt__ Available in • Execution Modules • State Modules • Returners __salt__ contains the execution module functions. This allows for all functions to be called as they have been set up by the salt loader. __salt__['cmd.run']('fdisk -l') __salt__['network.ip_addrs']() __grains__ Available in • Execution Modules • State Modules • Returners • External Pillar The __grains__ dictionary contains the grains data generated by the minion that is currently being worked with. In execution modules, state modules and returners this is the grains of the minion running the calls, when generating the external pillar the __grains__ is the grains data from the minion that the pillar is being generated for. __pillar__ Available in • Execution Modules • State Modules • Returners The __pillar__ dictionary contains the pillar for the respective minion. __context__ __context__ exists in state modules and execution modules. During a state run the __context__ dictionary persists across all states that are run and then is destroyed when the state ends. When running an execution module __context__ persists across all module executions until the modules are refreshed; such as when saltutils.sync_all or state.highstate are executed. A great place to see how to use __context__ is in the cp.py module in salt/modules/cp.py. The fileclient authenticates with the master when it is instantiated and then is used to copy files to the minion. Rather than create a new fileclient for each file that is to be copied down, one instance of the fileclient is instantiated in the __context__ dictionary and is reused for each file. Here is an example from salt/modules/cp.py: if not 'cp.fileclient' in __context__: __context__['cp.fileclient'] = salt.fileclient.get_file_client(__opts__) NOTE: Because __context__ may or may not have been destroyed, always be sure to check for the existence of the key in __context__ and generate the key before using it. External Pillars Salt provides a mechanism for generating pillar data by calling external pillar interfaces. This document will describe an outline of an ext_pillar module. Location Salt expects to find your ext_pillar module in the same location where it looks for other python modules. If the extension_modules option in your Salt master configuration is set, Salt will look for a pillar directory under there and load all the modules it finds. Otherwise, it will look in your Python site-packages salt/pillar directory. Configuration The external pillars that are called when a minion refreshes its pillars is controlled by the ext_pillar option in the Salt master configuration. You can pass a single argument, a list of arguments or a dictionary of arguments to your pillar: ext_pillar: - example_a: some argument - example_b: - argumentA - argumentB - example_c: keyA: valueA keyB: valueB The Module Imports and Logging Import modules your external pillar module needs. You should first include generic modules that come with stock Python: import logging And then start logging. This is an idiomatic way of setting up logging in Salt: log = logging.getLogger(__name__) Finally, load modules that are specific to what you are doing. You should catch import errors and set a flag that the __virtual__ function can use later. try: import weird_thing EXAMPLE_A_LOADED = True except ImportError: EXAMPLE_A_LOADED = False Options If you define an __opts__ dictionary, it will be merged into the __opts__ dictionary handed to the ext_pillar function later. This is a good place to put default configuration items. The convention is to name things modulename.option. __opts__ = { 'example_a.someconfig': 137 } Initialization If you define an __init__ function, it will be called with the following signature: def __init__( __opts__ ): # Do init work here Note: The __init__ function is ran every time a particular minion causes the external pillar to be called, so don't put heavy initialization code here. The __init__ functionality is a side-effect of the Salt loader, so it may not be as useful in pillars as it is in other Salt items. __virtual__ If you define a __virtual__ function, you can control whether or not this module is visible. If it returns False then Salt ignores this module. If it returns a string, then that string will be how Salt identifies this external pillar in its ext_pillar configuration. If you're not renaming the module, simply return True in the __virtual__ function, which is the same as if this function did not exist, then, the name Salt's ext_pillar will use to identify this module is its conventional name in Python. This is useful to write modules that can be installed on all Salt masters, but will only be visible if a particular piece of software your module requires is installed. # This external pillar will be known as `example_a` def __virtual__(): if EXAMPLE_A_LOADED: return True return False # This external pillar will be known as `something_else` __virtualname__ = 'something_else' def __virtual__(): if EXAMPLE_A_LOADED: return __virtualname__ return False ext_pillar This is where the real work of an external pillar is done. If this module is active and has a function called ext_pillar, whenever a minion updates its pillar this function is called. How it is called depends on how it is configured in the Salt master configuration. The first argument is always the current pillar dictionary, this contains pillar items that have already been added, starting with the data from pillar_roots, and then from any already-ran external pillars. Using our example above: ext_pillar( id, pillar, 'some argument' ) # example_a ext_pillar( id, pillar, 'argumentA', 'argumentB' ) # example_b ext_pillar( id, pillar, keyA='valueA', keyB='valueB' } ) # example_c In the example_a case, pillar will contain the items from the pillar_roots, in example_b pillar will contain that plus the items added by example_a, and in example_c pillar will contain that plus the items added by example_b. In all three cases, id will contain the ID of the minion making the pillar request. This function should return a dictionary, the contents of which are merged in with all of the other pillars and returned to the minion. Note: this function is called once for each minion that fetches its pillar data. def ext_pillar( minion_id, pillar, *args, **kwargs ): my_pillar = {} # Do stuff return my_pillar You shouldn't just add items to pillar and return that, since that will cause Salt to merge data that already exists. Rather, just return the items you are adding or changing. You could, however, use pillar in your module to make some decision based on pillar data that already exists. This function has access to some useful globals: __opts__ A dictionary of mostly Salt configuration options. If you had an __opts__ dictionary defined in your module, those values will be included. __salt__ A dictionary of Salt module functions, useful so you don't have to duplicate functions that already exist. E.g. __salt__['cmd.run']( 'ls -l' ) Note, runs on the master __grains__ A dictionary of the grains of the minion making this pillar call. Example configuration As an example, if you wanted to add external pillar via the cmd_json external pillar, add something like this to your master config: ext_pillar: - cmd_json: 'echo {\"arg\":\"value\"}' Reminder Just as with traditional pillars, external pillars must be refreshed in order for minions to see any fresh data: salt '*' saltutil.refresh_pillar Installing Salt for development Clone the repository using: git clone https://github.com/saltstack/salt NOTE: tags Just cloning the repository is enough to work with Salt and make contributions. However, fetching additional tags from git is required to have Salt report the correct version for itself. To do this, first add the git repository as an upstream source: git remote add upstream https://github.com/saltstack/salt Fetching tags is done with the git 'fetch' utility: git fetch --tags upstream Create a new virtualenv: virtualenv /path/to/your/virtualenv Avoid making your virtualenv path too long. On Arch Linux, where Python 3 is the default installation of Python, use the virtualenv2 command instead of virtualenv. NOTE: Using system Python modules in the virtualenv To use already-installed python modules in virtualenv (instead of having pip download and compile new ones), run virtualenv --system-site-packages Using this method eliminates the requirement to install the salt dependencies again, although it does assume that the listed modules are all installed in the system PYTHONPATH at the time of virtualenv creation. Activate the virtualenv: source /path/to/your/virtualenv/bin/activate Install Salt (and dependencies) into the virtualenv: pip install M2Crypto # Don't install on Debian/Ubuntu (see below) pip install pyzmq PyYAML pycrypto msgpack-python jinja2 psutil pip install -e ./salt # the path to the salt git clone from above NOTE: Installing M2Crypto swig and libssl-dev are required to build M2Crypto. To fix the error command 'swig' failed with exit status 1 while installing M2Crypto, try installing it with the following command: env SWIG_FEATURES="-cpperraswarn -includeall -D__`uname -m`__ -I/usr/include/openssl" pip install M2Crypto Debian and Ubuntu systems have modified openssl libraries and mandate that a patched version of M2Crypto be installed. This means that M2Crypto needs to be installed via apt: apt-get install python-m2crypto This also means that pulling in the M2Crypto installed using apt requires using --system-site-packages when creating the virtualenv. If you're using a platform other than Debian or Ubuntu, and you are installing M2Crypto via pip instead of a system package, then you will also need the gcc compiler. NOTE: Installing psutil Python header files are required to build this module, otherwise the pip install will fail. If your distribution separates binaries and headers into separate packages, make sure that you have the headers installed. In most Linux distributions which split the headers into their own package, this can be done by installing the python-dev or python-devel package. For other platforms, the package will likely be similarly named. NOTE: Installing dependencies on OS X. You can install needed dependencies on OS X using homebrew or macports. See OS X Installation WARNING: Installing on RedHat-based Distros If installing from pip (or from source using setup.py install), be advised that the yum-utils package is needed for Salt to manage packages on RedHat-based systems. Running a self-contained development version During development it is easiest to be able to run the Salt master and minion that are installed in the virtualenv you created above, and also to have all the configuration, log, and cache files contained in the virtualenv as well. Copy the master and minion config files into your virtualenv: mkdir -p /path/to/your/virtualenv/etc/salt cp ./salt/conf/master ./salt/conf/minion /path/to/your/virtualenv/etc/salt/ Edit the master config file: 1. Uncomment and change the user: root value to your own user. 2. Uncomment and change the root_dir: / value to point to /path/to/your/virtualenv. 3. If you are running version 0.11.1 or older, uncomment, and change the pidfile: /var/run/salt-master.pid value to point to /path/to/your/virtualenv/salt-master.pid. 4. If you are also running a non-development version of Salt you will have to change the publish_port and ret_port values as well. Edit the minion config file: 1. Repeat the edits you made in the master config for the user and root_dir values as well as any port changes. 2. If you are running version 0.11.1 or older, uncomment, and change the pidfile: /var/run/salt-minion.pid value to point to /path/to/your/virtualenv/salt-minion.pid. 3. Uncomment and change the master: salt value to point at localhost. 4. Uncomment and change the id: value to something descriptive like "saltdev". This isn't strictly necessary but it will serve as a reminder of which Salt installation you are working with. 5. If you changed the ret_port value in the master config because you are also running a non-development version of Salt, then you will have to change the master_port value in the minion config to match. NOTE: Using salt-call with a Standalone Minion If you plan to run salt-call with this self-contained development environment in a masterless setup, you should invoke salt-call with -c /path/to/your/virtualenv/etc/salt so that salt can find the minion config file. Without the -c option, Salt finds its config files in /etc/salt. Start the master and minion, accept the minion's key, and verify your local Salt installation is working: cd /path/to/your/virtualenv salt-master -c ./etc/salt -d salt-minion -c ./etc/salt -d salt-key -c ./etc/salt -L salt-key -c ./etc/salt -A salt -c ./etc/salt '*' test.ping Running the master and minion in debug mode can be helpful when developing. To do this, add -l debug to the calls to salt-master and salt-minion. If you would like to log to the console instead of to the log file, remove the -d. NOTE: Too long socket path? Once the minion starts, you may see an error like the following: zmq.core.error.ZMQError: ipc path "/path/to/your/virtualenv/ var/run/salt/minion/minion_event_7824dcbcfd7a8f6755939af70b96249f_pub.ipc" is longer than 107 characters (sizeof(sockaddr_un.sun_path)). This means that the path to the socket the minion is using is too long. This is a system limitation, so the only workaround is to reduce the length of this path. This can be done in a couple different ways: 1. Create your virtualenv in a path that is short enough. 2. Edit the sock_dir minion config variable and reduce its length. Remember that this path is relative to the value you set in root_dir. NOTE: The socket path is limited to 107 characters on Solaris and Linux, and 103 characters on BSD-based systems. NOTE: File descriptor limits Ensure that the system open file limit is raised to at least 2047: # check your current limit ulimit -n # raise the limit. persists only until reboot # use 'limit descriptors 2047' for c-shell ulimit -n 2047 To set file descriptors on OSX, refer to the OS X Installation instructions. Changing Default Paths Instead of updating your configuration files to point to the new root directory and having to pass the new configuration directory path to all of Salt's CLI tools, you can explicitly tweak the default system paths that Salt expects: GENERATE_SALT_SYSPATHS=1 pip install --global-option='--salt-root-dir=/path/to/your/virtualenv/' \ -e ./salt # the path to the salt git clone from above You can now call all of Salt's CLI tools without explicitly passing the configuration directory. Additional Options In case you want to distribute your virtualenv, you probably don't want to include Salt's clone .git/ directory, and, without it, Salt won't report the accurate version. You can tell setup.py to generate the hardcoded version information which is distributable: GENERATE_SALT_SYSPATHS=1 WRITE_SALT_VERSION=1 pip install --global-option='--salt-root-dir=/path/to/your/virtualenv/' \ -e ./salt # the path to the salt git clone from above Instead of passing those two environmental variables, you can just pass a single one which will trigger the other two: MIMIC_SALT_INSTALL=1 pip install --global-option='--salt-root-dir=/path/to/your/virtualenv/' \ -e ./salt # the path to the salt git clone from above This last one will grant you an editable salt installation with hardcoded system paths and version information. Installing Salt from the Python Package Index If you are installing using easy_install, you will need to define a USE_SETUPTOOLS environment variable, otherwise dependencies will not be installed: USE_SETUPTOOLS=1 easy_install salt Editing and previewing the documentation You need sphinx-build command to build the docs. In Debian/Ubuntu this is provided in the python-sphinx package. Sphinx can also be installed to a virtualenv using pip: pip install Sphinx==1.3b2 Change to salt documentation directory, then: cd doc; make html • This will build the HTML docs. Run make without any arguments to see the available make targets, which include html, man, and text. • The docs then are built within the docs/_build/ folder. To update the docs after making changes, run make again. • The docs use reStructuredText for markup. See a live demo at http://rst.ninjs.org/. • The help information on each module or state is culled from the python code that runs for that piece. Find them in salt/modules/ or salt/states/. • To build the docs on Arch Linux, the python2-sphinx package is required. Additionally, it is necessary to tell make where to find the proper sphinx-build binary, like so: make SPHINXBUILD=sphinx-build2 html • To build the docs on RHEL/CentOS 6, the python-sphinx10 package must be installed from EPEL, and the following make command must be used: make SPHINXBUILD=sphinx-1.0-build html Once you've updated the documentation, you can run the following command to launch a simple Python HTTP server to see your changes: cd _build/html; python -m SimpleHTTPServer Running unit and integration tests Run the test suite with following command: ./setup.py test See here for more information regarding the test suite. Issue and Pull Request Labeling System SaltStack uses several labeling schemes to help facilitate code contributions and bug resolution. See the Labels and Milestones documentation for more information. GitHub Labels and Milestones SaltStack uses several label categories, as well as milestones, to triage incoming issues and pull requests in the GitHub issue tracker. Labels are used to sort issues by type, priority, severity, status, functional area, functional group, and targeted release and pull requests by status, functional area, functional group, type of change, and test status. Milestones are used to indicate whether an issue is fully triaged or is scheduled to be fixed by SaltStack in an upcoming sprint. Milestones All issues are assigned to a milestone, whereas pull requests are almost never assigned to a milestone as the mean lifetime of pull requests is short enough that there is no need to track them temporally. SaltStack uses milestones to indicate which issues are blocked on submitter or upstream actions, are approved, or are scheduled to be fixed or implemented in an upcoming sprint. If an issue is not attached to a sprint milestone, you are welcome to work on it at your own desire and convenience. If it is attached to a sprint milestone and you have already begun working on it or have a solution in mind or have other ideas related to the issue, you are encouraged to coordinate with the assignee via the GitHub issue tracker to create the best possible solution or implementation. Approved The issue has been validated and has all necessary information. Blocked The issue is waiting on actions by parties outside of SaltStack, such as receiving more information from the submitter or resolution of an upstream issue. This milestone is usually applied in conjunction with the labels Info Needed, Question, Expected Behavior, Won't Fix For Now, or Upstream Bug. Under Review The issue is having further validation done by a SaltStack engineer. <Sprint> The issue is being actively worked on by a SaltStack engineer. Sprint milestones names are constructed from the chemical symbol of the next release's codename and the number of sprints until that release is made. For example, if the next release codename is Neon and there are five sprints until that release, the corresponding sprint milestone will be called Ne 5. See <topics/releases/version_numbers> for a discussion of Salt's release codenames. Labels Labels are used to sort and describe issues and pull requests. Some labels are usually reserved for one or the other, though most labels may be applied to both. New issues will receive at least one label and a milestone, and new pull requests will receive at least one label. Except for the functional area and functional group label categories, issues will generally receive only up to one label per category. Type Issues are categorized into one of several types. Type labels are almost never used for pull requests. GitHub treats pull requests like issues in many ways, so a pull request could be considered an issue with an implicit Pull Request type label applied. Feature The issue is a request for new functionality including changes, enhancements, refactors, etc. Bug The issue documents broken, incorrect, or confusing behavior. This label is always accompanied by a severity label. Duplicate The issue is a duplicate of another feature request or bug report. Upstream Bug The issue is a result of an upstream issue. Question The issue is more of a question than a request for new features or a report of broken features, but can sometimes lead to further discussion or changes of confusing or incongruous behavior or documentation. Expected Behavior The issue is a bug report of intended functionality. Priority An issue's priority is relative to its functional area. If a bug report, for example, about gitfs indicates that all users of gitfs will encounter this bug, then a P1 label will be applied, even though users who are not using gitfs will not encounter the bug. If a feature is requested by many users, it may be given a high priority. P1 The issue will be seen by all users. P2 The issue will be seen by most users. P3 The issue will be seen by about half of users. P4 The issue will not be seen by most users. Usually the issue is a very specific use case or corner case. Severity Severity labels are almost always only applied to issues labeled Bug. Blocker The issue is blocking an impending release. Critical The issue causes data loss, crashes or hangs salt processes, makes the system unresponsive, etc. High Severity The issue reports incorrect functionality, bad functionality, a confusing user experience, etc. Medium Severity The issue reports cosmetic items, formatting, spelling, colors, etc. Functional Area Many major components of Salt have corresponding GitHub labels. These labels are applied to all issues and pull requests as is reasonably appropriate. They are useful in organizing issues and pull requests according to the source code relevant to issues or the source code changed by pull requests. • Execution Module • File Servers • Grains • Multi-Master • Packaging Related to packaging of Salt, not Salt's support for package management. • Pillar • RAET • Returners • Runners • SPM • Salt-API • Salt-Cloud • Salt-SSH • Salt-Syndic • State Module • Tests • Transport • Windows • ZMQ Functional Group These labels sort issues and pull requests according to the internal SaltStack engineering teams. Core The issue or pull request relates to code that is central or existential to Salt itself. Platform The issue or pull request relates to support and integration with various platforms like traditional operating systems as well as containers, platform-based utilities like filesystems, command schedulers, etc., and system-based applications like webservers, databases, etc. RIoT The issue or pull request relates to support and integration with various abstract systems like cloud providers, hypervisors, API-based services, etc. Console The issue or pull request relates to the SaltStack enterprise console. Documentation The issue or pull request relates to documentation. Status Status labels are used to define and track the state of issues and pull requests. Not all potential statuses correspond to a label, but some statuses are common enough that labels have been created for them. If an issue has not been moved beyond the Blocked milestone, it is very likely that it will only have a status label. Bugfix - back-port The pull request needs to be back-ported to an older release branch. This is done by recreating the pull request against that branch. Once the back-port is completed, this label is replaced with a Bugfix - [Done] back-ported label. Normally, new features should go into the develop and bug fixes into the oldest supported release branch, see <which-salt-branch>. Bugfix - [Done] back-ported The pull request has been back-ported to an older branch. Cannot Reproduce The issue is a bug and has been reviewed by a SaltStack engineer, but it cannot be replicated with the provided information and context. Those involved with the bug will need to work through additional ideas until the bug can be isolated and verified. Confirmed The issue is a bug and has been confirmed by a SaltStack engineer, who often documents a minimal working example that reproduces the bug. Fixed Pending Verification The issue is a bug and has been fixed by one or more pull requests, which should link to the issue. Closure of the issue is contingent upon confirmation of resolution from the submitter. If the submitter reports a negative confirmation, this label is removed. If no response is given after a few weeks, then the issue will be assumed fixed and closed. Info Needed The issue needs more information before it can be verified and resolved. For a feature request this may include a description of the use cases. Almost all bug reports need to include at least the versions of salt and its dependencies, the system type and version, commands used, debug logs, error messages, and relevant configs. Pending Changes The pull request needs additional changes before it can be merged. Pending Discussion The issue or pull request needs more discussion before it can be closed or merged. The status of the issue or pull request is not clear or apparent enough for definite action to be taken, or additional input from SaltStack, the submitter, or another party has been requested. If the issue is not a pull request, once the discussion has arrived at a cogent conclusion, this label will be removed and the issue will be accepted. If it is a pull request, the results of the discussion may require additional changes and thus, a Pending Changes label. Won't Fix for Now The issue is legitimate, but it is not something the SaltStack team is currently able or willing to fix or implement. Issues having this label may be revisited in the future. Type of Change Every pull request should receive a change label. These labels measure the quantity of change as well as the significance of the change. The amount of change and the importance of the code area changed are considered, but often the depth of secondary code review required and the potential repercussions of the change may also advise the label choice. Core code areas include: state compiler, crypto engine, master and minion and syndic daemons, transport, pillar rendering, loader, transport layer, event system, salt.utils, client, cli, logging, netapi, runner engine, templating engine, top file compilation, file client, file server, mine, salt-ssh, test runner, etc. Non-core code usually constitutes the specific set of plugins for each of the several plugin layers of Salt: execution modules, states, runners, returners, clouds, etc. Minor Change • Less than 64 lines changed, or • Less than 8 core lines changed Medium Change • Less than 256 lines changed, or • Less than 64 core lines changed Master Change • More than 256 lines changed, or • More than 64 core lines changed Expert Change • Needs specialized, in-depth review Test Status These labels relate to the status of the automated tests that run on pull requests. If the tests on a pull request fail and are not overridden by one of these labels, the pull request submitter needs to update the code and/or tests so that the tests pass and the pull request can be merged. Lint The pull request has passed all tests except for the code lint checker. Tests Passed The pull request has passed all tests even though some test results are negative. Sometimes the automated testing infrastructure will encounter internal errors unrelated to the code change in the pull request that cause test runs to fail. These errors can be caused by cloud host and network issues and also Jenkins issues like erroneously accumulating workspace artifacts, resource exhaustion, and bugs that arise from long running Jenkins processes. Other These labels indicate miscellaneous issue types or statuses that are common or important enough to be tracked and sorted with labels. Awesome The pull request implements an especially well crafted solution, or a very difficult but necessary change. Low Hanging Fruit The issue is trivial or almost trivial to implement or fix. Issues having this label should be a good starting place for new contributors to Salt. Needs Testcase The issue or pull request relates to a feature that needs test coverage. The pull request containing the tests should reference the issue or pull request having this label, whereupon the label should be removed. Regression The issue is a bug that breaks functionality known to work in previous releases. Story The issue is used by a SaltStack engineer to track progress on multiple related issues in a single place. Stretch The issue is an optional goal for the current sprint but may not be delivered. ZD The issue is related to a Zendesk customer support ticket. <Release> The issue is scheduled to be implemented by <Release>. See <topics/releases/version_numbers> for a discussion of Salt's release codenames. Logging Internals TODO Modular Systems When first working with Salt, it is not always clear where all of the modular components are and what they do. Salt comes loaded with more modular systems than many users are aware of, making Salt very easy to extend in many places. The most commonly used modular systems are execution modules and states. But the modular systems extend well beyond the more easily exposed components and are often added to Salt to make the complete system more flexible. Execution Modules Execution modules make up the core of the functionality used by Salt to interact with client systems. The execution modules create the core system management library used by all Salt systems, including states, which interact with minion systems. Execution modules are completely open ended in their execution. They can be used to do anything required on a minion, from installing packages to detecting information about the system. The only restraint in execution modules is that the defined functions always return a JSON serializable object. For a list of all built in execution modules, click here For information on writing execution modules, see this page. Interactive Debugging Sometimes debugging with print() and extra logs sprinkled everywhere is not the best strategy. IPython is a helpful debug tool that has an interactive python environment which can be embedded in python programs. First the system will require IPython to be installed. # Debian apt-get install ipython # Arch Linux pacman -Syu ipython2 # RHEL/CentOS (via EPEL) yum install python-ipython Now, in the troubling python module, add the following line at a location where the debugger should be started: test = 'test123' import IPython; IPython.embed_kernel() After running a Salt command that hits that line, the following will show up in the log file: [CRITICAL] To connect another client to this kernel, use: [IPKernelApp] --existing kernel-31271.json Now on the system that invoked embed_kernel, run the following command from a shell: # NOTE: use ipython2 instead of ipython for Arch Linux ipython console --existing This provides a console that has access to all the vars and functions, and even supports tab-completion. print(test) test123 To exit IPython and continue running Salt, press Ctrl-d to logout. State Modules State modules are used to define the state interfaces used by Salt States. These modules are restrictive in that they must follow a number of rules to function properly. NOTE: State modules define the available routines in sls files. If calling an execution module directly is desired, take a look at the module state. Auth The auth module system allows for external authentication routines to be easily added into Salt. The auth function needs to be implemented to satisfy the requirements of an auth module. Use the pam module as an example. Fileserver The fileserver module system is used to create fileserver backends used by the Salt Master. These modules need to implement the functions used in the fileserver subsystem. Use the gitfs module as an example. Grains Grain modules define extra routines to populate grains data. All defined public functions will be executed and MUST return a Python dict object. The dict keys will be added to the grains made available to the minion. Output The output modules supply the outputter system with routines to display data in the terminal. These modules are very simple and only require the output function to execute. The default system outputter is the nested module. Pillar Used to define optional external pillar systems. The pillar generated via the filesystem pillar is passed into external pillars. This is commonly used as a bridge to database data for pillar, but is also the backend to the libvirt state used to generate and sign libvirt certificates on the fly. Renderers Renderers are the system used to render sls files into salt highdata for the state compiler. They can be as simple as the py renderer and as complex as stateconf and pydsl. Returners Returners are used to send data from minions to external sources, commonly databases. A full returner will implement all routines to be supported as an external job cache. Use the redis returner as an example. Runners Runners are purely master-side execution sequences. Tops Tops modules are used to convert external data sources into top file data for the state system. Wheel The wheel system is used to manage master side management routines. These routines are primarily intended for the API to enable master configuration. Package Providers This page contains guidelines for writing package providers. Package Functions One of the most important features of Salt is package management. There is no shortage of package managers, so in the interest of providing a consistent experience in pkg states, there are certain functions that should be present in a package provider. Note that these are subject to change as new features are added or existing features are enhanced. list_pkgs This function should declare an empty dict, and then add packages to it by calling pkg_resource.add_pkg, like so: __salt__['pkg_resource.add_pkg'](ret, name, version) The last thing that should be done before returning is to execute pkg_resource.sort_pkglist. This function does not presently do anything to the return dict, but will be used in future versions of Salt. __salt__['pkg_resource.sort_pkglist'](ret) list_pkgs returns a dictionary of installed packages, with the keys being the package names and the values being the version installed. Example return data: {'foo': '1.2.3-4', 'bar': '5.6.7-8'} latest_version Accepts an arbitrary number of arguments. Each argument is a package name. The return value for a package will be an empty string if the package is not found or if the package is up-to-date. The only case in which a non-empty string is returned is if the package is available for new installation (i.e. not already installed) or if there is an upgrade available. If only one argument was passed, this function return a string, otherwise a dict of name/version pairs is returned. This function must also accept **kwargs, in order to receive the fromrepo and repo keyword arguments from pkg states. Where supported, these arguments should be used to find the install/upgrade candidate in the specified repository. The fromrepo kwarg takes precedence over repo, so if both of those kwargs are present, the repository specified in fromrepo should be used. However, if repo is used instead of fromrepo, it should still work, to preserve backwards compatibility with older versions of Salt. version Like latest_version, accepts an arbitrary number of arguments and returns a string if a single package name was passed, or a dict of name/value pairs if more than one was passed. The only difference is that the return values are the currently-installed versions of whatever packages are passed. If the package is not installed, an empty string is returned for that package. upgrade_available Deprecated and destined to be removed. For now, should just do the following: return __salt__['pkg.latest_version'](name) != '' install The following arguments are required and should default to None: 1. name (for single-package pkg states) 2. pkgs (for multiple-package pkg states) 3. sources (for binary package file installation) The first thing that this function should do is call pkg_resource.parse_targets (see below). This function will convert the SLS input into a more easily parsed data structure. pkg_resource.parse_targets may need to be modified to support your new package provider, as it does things like parsing package metadata which cannot be done for every package management system. pkg_params, pkg_type = __salt__['pkg_resource.parse_targets'](name, pkgs, sources) Two values will be returned to the install function. The first of them will be a dictionary. The keys of this dictionary will be package names, though the values will differ depending on what kind of installation is being done: • If name was provided (and pkgs was not), then there will be a single key in the dictionary, and its value will be None. Once the data has been returned, if the version keyword argument was provided, then it should replace the None value in the dictionary. • If pkgs was provided, then name is ignored, and the dictionary will contain one entry for each package in the pkgs list. The values in the dictionary will be None if a version was not specified for the package, and the desired version if specified. See the Multiple Package Installation Options section of the pkg.installed state for more info. • If sources was provided, then name is ignored, and the dictionary values will be the path/URI for the package. The second return value will be a string with two possible values: repository or file. The install function can use this value (if necessary) to build the proper command to install the targeted package(s). Both before and after the installing the target(s), you should run list_pkgs to obtain a list of the installed packages. You should then return the output of salt.utils.compare_dicts() return salt.utils.compare_dicts(old, new) remove Removes the passed package and return a list of the packages removed. Package Repo Functions There are some functions provided by pkg which are specific to package repositories, and not to packages themselves. When writing modules for new package managers, these functions should be made available as stated below, in order to provide compatibility with the pkgrepo state. All repo functions should accept a basedir option, which defines which directory repository configuration should be found in. The default for this is dictated by the repo manager that is being used, and rarely needs to be changed. basedir = '/etc/yum.repos.d' __salt__['pkg.list_repos'](basedir) list_repos Lists the repositories that are currently configured on this system. __salt__['pkg.list_repos']() Returns a dictionary, in the following format: {'reponame': 'config_key_1': 'config value 1', 'config_key_2': 'config value 2', 'config_key_3': ['list item 1 (when appropriate)', 'list item 2 (when appropriate)]} get_repo Displays all local configuration for a specific repository. __salt__['pkg.get_repo'](repo='myrepo') The information is formatted in much the same way as list_repos, but is specific to only one repo. {'config_key_1': 'config value 1', 'config_key_2': 'config value 2', 'config_key_3': ['list item 1 (when appropriate)', 'list item 2 (when appropriate)]} del_repo Removes the local configuration for a specific repository. Requires a repo argument, which must match the locally configured name. This function returns a string, which informs the user as to whether or not the operation was a success. __salt__['pkg.del_repo'](repo='myrepo') mod_repo Modify the local configuration for one or more option for a configured repo. This is also the way to create new repository configuration on the local system; if a repo is specified which does not yet exist, it will be created. The options specified for this function are specific to the system; please refer to the documentation for your specific repo manager for specifics. __salt__['pkg.mod_repo'](repo='myrepo', url='http://myurl.com/repo') Low-Package Functions In general, the standard package functions as describes above will meet your needs. These functions use the system's native repo manager (for instance, yum or the apt tools). In most cases, the repo manager is actually separate from the package manager. For instance, yum is usually a front-end for rpm, and apt is usually a front-end for dpkg. When possible, the package functions that use those package managers directly should do so through the low package functions. It is normal and sane for pkg to make calls to lowpkgs, but lowpkg must never make calls to pkg. This is affects functions which are required by both pkg and lowpkg, but the technique in pkg is more performant than what is available to lowpkg. When this is the case, the lowpkg function that requires that technique must still use the lowpkg version. list_pkgs Returns a dict of packages installed, including the package name and version. Can accept a list of packages; if none are specified, then all installed packages will be listed. installed = __salt__['lowpkg.list_pkgs']('foo', 'bar') Example output: {'foo': '1.2.3-4', 'bar': '5.6.7-8'} verify Many (but not all) package management systems provide a way to verify that the files installed by the package manager have or have not changed. This function accepts a list of packages; if none are specified, all packages will be included. installed = __salt__['lowpkg.verify']('httpd') Example output: {'/etc/httpd/conf/httpd.conf': {'mismatch': ['size', 'md5sum', 'mtime'], 'type': 'config'}} file_list Lists all of the files installed by all packages specified. If not packages are specified, then all files for all known packages are returned. installed = __salt__['lowpkg.file_list']('httpd', 'apache') This function does not return which files belong to which packages; all files are returned as one giant list (hence the file_list function name. However, This information is still returned inside of a dict, so that it can provide any errors to the user in a sane manner. {'errors': ['package apache is not installed'], 'files': ['/etc/httpd', '/etc/httpd/conf', '/etc/httpd/conf.d', '...SNIP...']} file_dict Lists all of the files installed by all packages specified. If not packages are specified, then all files for all known packages are returned. installed = __salt__['lowpkg.file_dict']('httpd', 'apache', 'kernel') Unlike file_list, this function will break down which files belong to which packages. It will also return errors in the same manner as file_list. {'errors': ['package apache is not installed'], 'packages': {'httpd': ['/etc/httpd', '/etc/httpd/conf', '...SNIP...'], 'kernel': ['/boot/.vmlinuz-2.6.32-279.el6.x86_64.hmac', '/boot/System.map-2.6.32-279.el6.x86_64', '...SNIP...']}} Reporting Bugs Salt uses GitHub to track open issues and feature requests. To file a bug, please navigate to the new issue page for the Salt project. In an issue report, please include the following information: • The output of salt --versions-report from the relevant machines. This can also be gathered remotely by using salt <my_tgt> test.versions_report. • A description of the problem including steps taken to cause the issue to occur and the expected behaviour. • Any steps taken to attempt to remediate the problem. • Any configuration options set in a configuration file that may be relevant. • A reproduceable test case. This may be as simple as an SLS file that illustrates a problem or it may be a link to a repository that contains a number of SLS files that can be used together to re-produce a problem. If the problem is transitory, any information that can be used to try and reproduce the problem is helpful. • [Optional] The output of each salt component (master/minion/CLI) running with the -ldebug flag set. NOTE: Please be certain to scrub any logs or SLS files for sensitive data! Community Projects That Use Salt Below is a list of repositories that show real world Salt applications that you can use to get started. Please note that these projects do not adhere to any standards and express a wide variety of ideas and opinions on how an action can be completed with Salt. https://github.com/terminalmage/djangocon2013-sls https://github.com/jesusaurus/hpcs-salt-state https://github.com/gravyboat/hungryadmin-sls https://github.com/wunki/django-salted Salt Topology Salt is based on a powerful, asynchronous, network topology using ZeroMQ. Many ZeroMQ systems are in place to enable communication. The central idea is to have the fastest communication possible. Servers The Salt Master runs 2 network services. First is the ZeroMQ PUB system. This service by default runs on port 4505 and can be configured via the publish_port option in the master configuration. Second is the ZeroMQ REP system. This is a separate interface used for all bi-directional communication with minions. By default this system binds to port 4506 and can be configured via the ret_port option in the master. PUB/SUB The commands sent out via the salt client are broadcast out to the minions via ZeroMQ PUB/SUB. This is done by allowing the minions to maintain a connection back to the Salt Master and then all connections are informed to download the command data at once. The command data is kept extremely small (usually less than 1K) so it is not a burden on the network. Return The PUB/SUB system is a one way communication, so once a publish is sent out the PUB interface on the master has no further communication with the minion. The minion, after running the command, then sends the command's return data back to the master via the ret_port. Translating Documentation If you wish to help translate the Salt documentation to your language, please head over to the Transifex website and signup for an account. Once registered, head over to the Salt Translation Project, and either click on Request Language if you can't find yours, or, select the language for which you wish to contribute and click Join Team. Transifex provides some useful reading resources on their support domain, namely, some useful articles directed to translators. Building A Localized Version of the Documentation While you're working on your translation on Transifex, you might want to have a look at how it's rendering. Install The Transifex Client To interact with the Transifex web service you will need to install the transifex-client: pip install transifex-client Configure The Transifex Client Once installed, you will need to set it up on your computer. We created a script to help you with that: .scripts/setup-transifex-config Download Remote Translations There's a little script which simplifies the download process of the translations(which isn't that complicated in the first place). So, let's assume you're translating pt_PT, Portuguese(Portugal). To download the translations, execute from the doc/ directory of your Salt checkout: make download-translations SPHINXLANG=pt_PT To download pt_PT, Portuguese(Portugal), and nl, Dutch, you can use the helper script directly: .scripts/download-translation-catalog pt_PT nl Build Localized Documentation After the download process finishes, which might take a while, the next step is to build a localized version of the documentation. Following the pt_PT example above: make html SPHINXLANG=pt_PT View Localized Documentation Open your browser, point it to the local documentation path and check the localized output you've just build. Developing Salt Tutorial This tutorial assumes you have: * a web browser * a GitHub account (<my_account>) * a command line (CLI) * git * a text editor Fork In your browser, navigate to the saltstack/salt GitHub repository. Click on Fork (https://github.com/saltstack/salt/#fork-destination-box). NOTE: If you have more than one GitHub presence, for example if you are a member of a team, GitHub will ask you into which area to clone Salt. If you don't know where, then select your personal GitHub account. Clone In your CLI, navigate to the directory into which you want clone the Salt codebase and submit the following command: $ git clone https://github.com/<my_account>/salt.git where <my_account> is the name of your GitHub account. After the clone has completed, add SaltStack as a second remote and fetch any changes from upstream. $ cd salt $ git remote add upstream https://github.com/saltstack/salt.git $ git fetch upstream For this tutorial, we will be working off from the develop branch, which is the default branch for the SaltStack GitHub project. This branch needs to track upstream/develop so that we will get all upstream changes when they happen. $ git checkout develop $ git branch --set-upstream-to upstream/develop Fetch Fetch any upstream changes on the develop branch and sync them to your local copy of the branch with a single command: $ git pull --rebase NOTE: For an explanation on pull vs pull --rebase and other excellent points, see this article by Mislav Marohnić. Branch Now we are ready to get to work. Consult the sprint beginner bug list and select an execution module whose __virtual__ function needs to be updated. I'll select the alternatives module. Create a new branch off from develop. Be sure to name it something short and descriptive. $ git checkout -b virt_ret Edit Edit the file you have selected, and verify that the changes are correct. $ vim salt/modules/alternatives.py $ git diff diff --git a/salt/modules/alternatives.py b/salt/modules/alternatives.py index 1653e5f..30c0a59 100644 --- a/salt/modules/alternatives.py +++ b/salt/modules/alternatives.py @@ -30,7 +30,7 @@ def __virtual__(): ''' if os.path.isdir('/etc/alternatives'): return True - return False + return (False, 'Cannot load alternatives module: /etc/alternatives dir not found') def _get_cmd(): Commit Stage and commit the changes. Write a descriptive commit summary, but try to keep it less than 50 characters. Review your commit. $ git add salt/modules/alternatives.py $ git commit -m 'modules.alternatives: __virtual__ return err msg' $ git show NOTE: If you need more room to describe the changes in your commit, run git commit (without the -m, message, option) and you will be presented with an editor. The first line is the commit summary and should still be 50 characters or less. The following paragraphs you create are free form and will be preserved as part of the commit. Push Push your branch to your GitHub account. You will likely need to enter your GitHub username and password. $ git push origin virt_ret Username for 'https://github.com': <my_account> Password for 'https://<my_account>@github.com': NOTE: If authentication over https does not work, you can alternatively setup ssh keys. Once you have done this, you may need add the keys to your git repository configuration $ git config ssh.key ~/.ssh/<key_name> where <key_name> is the file name of the private key you created. Merge In your browser, navigate to the new pull request page on the saltstack/salt GitHub repository and click on compare across forks. Select <my_account> from the list of head forks and the branch you are wanting to merge into develop (virt_ret in this case). When you have finished reviewing the changes, click Create pull request. If your pull request contains only a single commit, the title and comment will be taken from that commit's summary and message, otherwise the branch name is used for the title. Edit these fields as necessary and click Create pull request. NOTE: Although these instructions seem to be the official pull request proceedure on github's website, here are two alternative methods that are simpler. • If you navigate to your clone of salt, https://github.com/<my_account>/salt, depending on how old your branch is or how recently you pushed updates on it, you may be presented with a button to create a pull request with your branch. • I find it easiest to edit the following URL: https://github.com/saltstack/salt/compare/develop...<my_account>:virt_ret Resources GitHub offers many great tutorials on various aspects of the git- and GitHub-centric development workflow: https://help.github.com/ There are many topics covered by the Salt Developer documentation: https://docs.saltstack.com/en/latest/topics/development/index.html The contributing documentation presents more details on specific contributing topics: https://docs.saltstack.com/en/latest/topics/development/contributing.html Salt's Test Suite Salt comes with a powerful integration and unit test suite allowing for the fully automated run of integration and/or unit tests from a single interface. To learn the basics of how Salt's test suite works, be sure to check out the Salt's Test Suite: An Introduction tutorial. Test Directory Structure Salt's test suite is located in the tests directory in the root of Salt's codebase. The test suite is divided into two main groups: • Integration Tests • Unit Tests Within each of these groups, the directory structure roughly mirrors the structure of Salt's own codebase. Notice that there are directories for states, modules, runners, output, and more in each testing group. The files that are housed in the modules directory of either the unit or the integration testing factions contain respective integration or unit test files for Salt execution modules. Integration Tests The Integration section of Salt's test suite start up a number of Salt daemons to test functionality in a live environment. These daemons include two Salt Masters, one Syndic, and two Minions. This allows the Syndic interface to be tested and Master/Minion communication to be verified. All of the integration tests are executed as live Salt commands sent through the started daemons. Integration tests are particularly good at testing modules, states, and shell commands, among other segments of Salt's ecosystem. By utilizing the integration test daemons, integration tests are easy to write. They are also SaltStack's gerneally preferred method of adding new tests. The discussion in the Integration vs. Unit section of the testing tutorial is beneficial in learning why you might want to write integration tests vs. unit tests. Both testing arenas add value to Salt's test suite and you should consider adding both types of tests if possible and appropriate when contributing to Salt. • Integration Test Documentation Unit Tests Unit tests do not spin up any Salt daemons, but instead find their value in testing singular implementations of individual functions. Instead of testing against specific interactions, unit tests should be used to test a function's logic as well as any return or raises statements. Unit tests also rely heavily on mocking external resources. The discussion in the Integration vs. Unit section of the testing tutorial is useful in determining when you should consider writing unit tests instead of, or in addition to, integration tests when contributing to Salt. • Unit Test Documentation Running The Tests There are requirements, in addition to Salt's requirements, which need to be installed in order to run the test suite. Install one of the lines below, depending on the relevant Python version: pip install -r requirements/dev_python26.txt pip install -r requirements/dev_python27.txt NOTE: In Salt 0.17, testing libraries were migrated into their own repo. To install them: pip install git+https://github.com/saltstack/salt-testing.git#egg=SaltTesting Failure to install SaltTesting will result in import errors similar to the following: ImportError: No module named salttesting Once all requirements are installed, use tests/runtests.py to run all of the tests included in Salt's test suite: python tests/runtests.py For more information about options you can pass the test runner, see the --help option: python tests/runtests.py --help An alternative way of invoking the test suite is available in setup.py: ./setup.py test Running Test Subsections Instead of running the entire test suite all at once, which can take a long time, there are several ways to run only specific groups of tests or individual tests: • Run unit tests only: ./tests/runtests.py --unit-tests • Run unit and integration tests for states: ./tests/runtests.py --state • Run integration tests for an individual module: ./tests/runtests.py -n integration.modules.virt • Run unit tests for an individual module: ./tests/runtests.py -n unit.modules.virt_test • Run an individual test by using the class and test name (this example is for the test_default_kvm_profile test in the integration.module.virt): ./tests/runtests.py -n integration.module.virt.VirtTest.test_default_kvm_profile For more specific examples of how to run various test subsections or individual tests, please see the Test Selection Options documentation or the Running Specific Tests section of the Salt's Test Suite: An Introduction tutorial. Running Unit Tests Without Integration Test Daemons Since the unit tests do not require a master or minion to execute, it is often useful to be able to run unit tests individually, or as a whole group, without having to start up the integration testing daemons. Starting up the master, minion, and syndic daemons takes a lot of time before the tests can even start running and is unnecessary to run unit tests. To run unit tests without invoking the integration test daemons, simple remove the /tests portion of the runtests.py command: ./runtests.py --unit All of the other options to run individual tests, entire classes of tests, or entire test modules still apply. Running Destructive Integration Tests Salt is used to change the settings and behavior of systems. In order to effectively test Salt's functionality, some integration tests are written to make actual changes to the underlying system. These tests are referred to as "destructive tests". Some examples of destructive tests are changes may be testing the addition of a user or installing packages. By default, destructive tests are disabled and will be skipped. Generally, destructive tests should clean up after themselves by attempting to restore the system to its original state. For instance, if a new user is created during a test, the user should be deleted after the related test(s) have completed. However, no guarantees are made that test clean-up will complete successfully. Therefore, running destructive tests should be done with caution. NOTE: Running destructive tests will change the underlying system. Use caution when running destructive tests. To run tests marked as destructive, set the --run-destructive flag: ./tests/runtests.py --run-destructive Running Cloud Provider Tests Salt's testing suite also includes integration tests to assess the successful creation and deletion of cloud instances using Salt-Cloud for providers supported by Salt-Cloud. The cloud provider tests are off by default and run on sample configuration files provided in tests/integration/files/conf/cloud.providers.d/. In order to run the cloud provider tests, valid credentials, which differ per provider, must be supplied. Each credential item that must be supplied is indicated by an empty string value and should be edited by the user before running the tests. For example, DigitalOcean requires a client key and an api key to operate. Therefore, the default cloud provider configuration file for DigitalOcean looks like this: digitalocean-config: driver: digital_ocean client_key: '' api_key: '' location: New York 1 As indicated by the empty string values, the client_key and the api_key must be provided: digitalocean-config: driver: digital_ocean client_key: wFGEwgregeqw3435gDger api_key: GDE43t43REGTrkilg43934t34qT43t4dgegerGEgg location: New York 1 NOTE: When providing credential information in cloud provider configuration files, do not include the single quotes. Once all of the valid credentials for the cloud provider have been supplied, the cloud provider tests can be run by setting the --cloud-provider-tests flag: ./tests/runtests.py --cloud-provider-tests Running The Tests In A Docker Container The test suite can be executed under a docker container using the --docked option flag. The docker container must be properly configured on the system invoking the tests and the container must have access to the internet. Here's a simple usage example: tests/runtests.py --docked=ubuntu-12.04 -v The full docker container repository can also be provided: tests/runtests.py --docked=salttest/ubuntu-12.04 -v The SaltStack team is creating some containers which will have the necessary dependencies pre-installed. Running the test suite on a container allows destructive tests to run without making changes to the main system. It also enables the test suite to run under a different distribution than the one the main system is currently using. The current list of test suite images is on Salt's docker repository. Custom docker containers can be provided by submitting a pull request against Salt's docker Salt test containers repository. Automated Test Runs SaltStack maintains a Jenkins server to allow for the execution of tests across supported platforms. The tests executed from Salt's Jenkins server create fresh virtual machines for each test run, then execute destructive tests on the new, clean virtual machine. SaltStack's Jenkins server continuously runs the entire test suite, including destructive tests, on an array of various supported operating systems throughout the day. Each actively supported branch of Salt's repository runs the tests located in the respective branch's code. Each set of branch tests also includes a pylint run. These branch tests help ensure the viability of Salt code at any given point in time as pull requests are merged into branches throughout the day. In addition to branch tests, SaltStack's Jenkins server also runs tests on pull requests. These pull request tests include a smaller set of virtual machines that run on the branch tests. The pull request tests, like the branch tests, include a pylint test as well. When a pull request is submitted to Salt's repository on GitHub, the suite of pull request tests are started by Jenkins. These tests are used to gauge the pull request's viability to merge into Salt's codebase. If these initial tests pass, the pull request can then merged into the Salt branch by one of Salt's core developers, pending their discretion. If the initial tests fail, core developers may request changes to the pull request. If the failure is unrelated to the changes in question, core developers may merge the pull request despite the initial failure. As soon as the pull request is merged, the changes will be added to the next branch test run on Jenkins. For a full list of currently running test environments, go to http://jenkins.saltstack.com. Using Salt-Cloud on Jenkins For testing Salt on Jenkins, SaltStack uses Salt-Cloud to spin up virtual machines. The script using Salt-Cloud to accomplish this is open source and can be found here: https://github.com/saltstack/salt/blob/develop/tests/jenkins.py Writing Tests The salt testing infrastructure is divided into two classes of tests, integration tests and unit tests. These terms may be defined differently in other contexts, but for Salt they are defined this way: • Unit Test: Tests which validate isolated code blocks and do not require external interfaces such as salt-call or any of the salt daemons. • Integration Test: Tests which validate externally accessible features. Salt testing uses unittest2 from the python standard library and MagicMock. • Writing integration tests • Writing unit tests Naming Conventions Any function in either integration test files or unit test files that is doing the actual testing, such as functions containing assertions, must start with test_: def test_user_present(self): When functions in test files are not prepended with test_, the function acts as a normal, helper function and is not run as a test by the test suite. Submitting New Tests Which branch of the Salt codebase should new tests be written against? The location of where new tests should be submitted depends largely on the reason you're writing the tests. Tests for New Features If you are adding new functionality to Salt, please write the tests for this new feature in the same pull request as the new feature. New features should always be submitted to the develop branch. If you have already submitted the new feature, but did not write tests in the original pull request that has already been merged, please feel free to submit a new pull request containing tests. If the feature was recently added to Salt's develop branch, then the tests should be added there as well. However, if the feature was added to develop some time ago and is already present in one or more release branches, please refer to the Tests for Entire Files or Functions section below for more details about where to submit tests for functions or files that do not already have tests. Tests to Accompany a Bugfix If you are writing tests for code that fixes a bug in Salt, please write the test in the same pull request as the bugfix. If you're unsure of where to submit your bugfix and accompanying test, please review the Which Salt Branch? documentation in Salt's Contributing guide. Tests for Entire Files or Functions Sometimes entire files in Salt are completely untested. If you are writing tests for a file that doesn't have any tests written for it, write your test against the earliest supported release branch that contains the file or function you're testing. Once your tests are submitted in a pull request and is merged into the branch in question, the tests you wrote will be merged-forward by SaltStack core engineers and the new tests will propagate to the newer release branches. That way the tests you wrote will apply to all current and relevant release branches, and not just the develop branch, for example. This methodology will help protect against regressions on older files in Salt's codebase. There may be times when the tests you write against an older branch fail in the merge-forward process because functionality has changed in newer release branches. In these cases, a Salt core developer may reach out to you for advice on the tests in question if the path forward is unclear. NOTE: If tests are written against a file in an older release branch and then merged forward, there may be new functionality in the file that is present in the new release branch that is untested.It would be wise to see if new functionality could use additional testing once the test file has propagated to newer release branches. raet # RAET # Reliable Asynchronous Event Transport Protocol SEE ALSO: RAET Overview Protocol Layering: OSI Layers 7: Application: Format: Data (Stack to Application interface buffering etc) 6: Presentation: Format: Data (Encrypt-Decrypt convert to machine independent format) 5: Session: Format: Data (Interhost communications. Authentication. Groups) 4: Transport: Format: Segments (Reliable delivery of Message, Transactions, Segmentation, Error checking) 3: Network: Format: Packets/Datagrams (Addressing Routing) 2: Link: Format: Frames ( Reliable per frame communications connection, Media access controller ) 1: Physical: Bits (Transceiver communication connection not reliable) Link is hidden from Raet Network is IP host address and Udp Port Transport is Raet transactions, service kind, tail error checking, Could include header signing as part of transport reliable delivery serialization of header Session is session id key exchange for signing. Grouping is Road (like 852 channel) Presentation is Encrypt Decrypt body Serialize Deserialize Body Application is body data dictionary Header signing spans both the Transport and Session layers. Header JSON Header (Tradeoff some processing speed for extensibility, ease of use, readability) Body initially JSON but support for "packed" binary body Packet Header ASCII Safe JSON Header termination: Empty line given by double pair of carriage return linefeed /r/n/r/n 10 13 10 13 ADAD 1010 1101 1010 1101 In json carriage return and newline characters cannot appear in a json encoded string unless they are escaped with backslash, so the 4 byte combination is illegal in valid json that does not have multi-byte unicode characters. These means the header must be ascii safe so no multibyte utf-8 strings allowed in header. Following Header Terminator is variable length signature block. This is binary and the length is provided in the header. Following the signature block is the packet body or data. This may either be JSON or packed binary. The format is given in the json header Finally is an optional tail block for error checking or encryption details Header Fields In UDP header sh = source host sp = source port dh = destination host dp = destination port In RAET Header hk = header kind hl = header length vn = version number sd = Source Device ID dd = Destination Device ID cf = Corresponder Flag mf = Multicast Flag si = Session ID ti = Transaction ID sk = Service Kind pk = Packet Kind bf = Burst Flag (Send all Segments or Ordered packets without interleaved acks) oi = Order Index dt = DateTime Stamp sn = Segment Number sc = Segment Count pf = Pending Segment Flag af = All Flag (Resent all Segments not just one) nk = Auth header kind nl = Auth header length bk = body kind bl = body length tk = tail kind tl = tail length fg = flags packed (Flags) Default '00' hex string 2 byte Hex string with bits (0, 0, af, pf, 0, bf, mf, cf) Zeros are TBD flags Session Bootstrap Minion sends packet with SID of Zero with public key of minions Public Private Key pair Master acks packet with SID of Zero to let minion know it received the request Some time later Master sends packet with SID of zero that accepts the Minion Minion Session Session is important for security. Want one session opened and then multiple transactions within session. Session ID SID sid GUID hash to guarantee uniqueness since no guarantee of nonvolatile storage or require file storage to keep last session ID used. Service Types or Modular Services Four Service Types A. One or more maybe (unacknowledged repeat) maybe means no guarantee B. Exactly one at most (ack with retries) (duplicate detection idempotent) at most means fixed number of retries has finite probability of failing B1) finite retries B2) infinite retries with exponential back-off up to a maximum delay C. Exactly one of sequence at most (sequence numbered) Receiver requests retry of missing packet with same B1 or B2 retry type D. End to End (Application layer Request Response) This is two B sub transactions Initially unicast messaging Eventually support for Multicast The use case for C) is to fragment large packets as once a UDP packet exceeds the frame size its reliability goes way down So its more reliable to fragment large packets. Better approach might be to have more modularity. Services Levels 1. Maybe one or more A. Fire and forget no transaction either side B. Repeat, no ack, no dupdet repeat counter send side, no transaction on receive side C. Repeat, no Ack, dupdet repeat counter send side, dup detection transaction receive side 2. More or Less Once A. retry finite, ack no dupdet retry timer send side, finite number of retires ack receive side no dupdet 3. At most Once A. retry finite, ack, dupdet retry timer send side, finite number of retires ack receive side dupdet 4. Exactly once A. ack retry retry timer send side, ack and duplicate detection receive side Infinite retries with exponential backoff 5. Sequential sequence number A. reorder escrow B. Segmented packets 6. request response to application layer Service Features 1. repeats 2. ack retry transaction id 3. sequence number duplicate detection out of order detection sequencing 4. rep-req Always include transaction id since multiple transactions on same port So get duplicate detection for free if keep transaction alive but if use A) Maybe one or more B1) At Least One B2) Exactly One C) One of sequence D) End to End A) Sender creates transaction id for number of repeats but receiver does not keep transaction alive B1) Sender creates transaction id keeps it for retries. Receiver keeps it to send ack then kills so retry could be duplicate not detected B2) Sender creates transaction id keeps for retries Receiver keeps tid for acks on any retires so no duplicates. C) Sender creates TID and Sequence Number. Receiver checks for out of order sequence and can request retry. D) Application layer sends response. So question is do we keep transaction open or have response be new transaction. No because then we need a rep-req ID so might as well use the same transaction id. Just keep alive until get response. Little advantage to B1 vs B2 not having duplicates. So 4 service types A. Maybe one or more (unacknowledged repeat) B. Exactly One (At most one) (ack with retry) (duplicate detection idempotent) C. One of Sequence (sequence numbered) D. End to End Also multicast or unicast Modular Transaction Table Sender Side: Transaction ID plus transaction source sender or receiver generated transaction id Repeat Counter Retry Timer Retry Counter (finite retries) Redo Timer (infinite redos with exponential backoff) Sequence number without acks (look for resend requests) Sequence with ack (wait for ack before sending next in sequence) Segmentation Receiver Side: Nothing just accept packet Acknowledge (can delete transaction after acknowledge) No duplicate detection Transaction timeout (keep transaction until timeout) Duplicate detection save transaction id duplicate detection timeout Request resend of missing packet in sequence Sequence reordering with escrow timeout wait escrow before requesting resend Unsegmentation (request resends of missing segment) SaltStack Git Policy The SaltStack team follows a git policy to maintain stability and consistency with the repository. The git policy has been developed to encourage contributions and make contributing to Salt as easy as possible. Code contributors to SaltStack projects DO NOT NEED TO READ THIS DOCUMENT, because all contributions come into SaltStack via a single gateway to make it as easy as possible for contributors to give us code. The primary rule of git management in SaltStack is to make life easy on contributors and developers to send in code. Simplicity is always a goal! New Code Entry All new SaltStack code is posted to the develop branch, which is the single point of entry. The only exception is when a bugfix to develop cannot be cleanly merged into a release branch and the bugfix needs to be rewritten for the release branch. Release Branching SaltStack maintains two types of releases, Feature Releases and Point Releases. A feature release is managed by incrementing the first or second release point number, so 0.10.5 -> 0.11.0 signifies a feature release and 0.11.0 -> 0.11.1 signifies a point release, also a hypothetical 0.42.7 -> 1.0.0 would also signify a feature release. Feature Release Branching Each feature release is maintained in a dedicated git branch derived from the last applicable release commit on develop. All file changes relevant to the feature release will be completed in the develop branch prior to the creation of the feature release branch. The feature release branch will be named after the relevant numbers to the feature release, which constitute the first two numbers. This means that the release branch for the 0.11.0 series is named 0.11. A feature release branch is created with the following command: # git checkout -b 0.11 # From the develop branch # git push origin 0.11 Point Releases Each point release is derived from its parent release branch. Constructing point releases is a critical aspect of Salt development and is managed by members of the core development team. Point releases comprise bug and security fixes which are cherry picked from develop onto the aforementioned release branch. At the time when a core developer accepts a pull request a determination needs to be made if the commits in the pull request need to be backported to the release branch. Some simple criteria are used to make this determination: • Is this commit fixing a bug? Backport • Does this commit change or add new features in any way? Don't backport • Is this a PEP8 or code cleanup commit? Don't backport • Does this commit fix a security issue? Backport Determining when a point release is going to be made is up to the project leader (Thomas Hatch). Generally point releases are made every 1-2 weeks or if there is a security fix they can be made sooner. The point release is only designated by tagging the commit on the release branch with release number using the existing convention (version 0.11.1 is tagged with v0.11.1). From the tag point a new source tarball is generated and published to PyPI, and a release announcement is made. Salt Conventions Writing Salt Documentation Salt's documentation is built using the Sphinx documentation system. It can be built in a large variety of output formats including HTML, PDF, ePub, and manpage. All the documentation is contained in the main Salt repository. Speaking broadly, most of the narrative documentation is contained within the https://github.com/saltstack/salt/blob/develop/doc subdirectory and most of the reference and API documentation is written inline with Salt's Python code and extracted using a Sphinx extension. Style The Salt project recommends the IEEE style guide as a general reference for writing guidelines. Those guidelines are not strictly enforced but rather serve as an excellent resource for technical writing questions. The NCBI style guide is another very approachable resource. Point-of-view Use third-person perspective and avoid "I", "we", "you" forms of address. Identify the addressee specifically e.g., "users should", "the compiler does", etc. Active voice Use active voice and present-tense. Avoid filler words. Title capitalization Document titles and section titles within a page should follow normal sentence capitalization rules. Words that are capitalized as part of a regular sentence should be capitalized in a title and otherwise left as lowercase. Punctuation can be omitted unless it aids the intent of the title (e.g., exclamation points or question marks). For example: This is a main heading ====================== Paragraph. This is an exciting sub-heading! -------------------------------- Paragraph. Serial Commas According to Wikipedia: In English punctuation, a serial comma or series comma (also called Oxford comma and Harvard comma) is a comma placed immediately before the coordinating conjunction (usually "and", "or", or "nor") in a series of three or more terms. For example, a list of three countries might be punctuated either as "France, Italy, and Spain" (with the serial comma), or as "France, Italy and Spain" (without the serial comma)." When writing a list that includes three or more items, the serial comma should always be used. Documenting modules Documentation for Salt's various module types is inline in the code. During the documentation build process it is extracted and formatted into the final HTML, PDF, etc format. Inline documentation Python has special multi-line strings called docstrings as the first element in a function or class. These strings allow documentation to live alongside the code and can contain special formatting. For example: def my_function(value): ''' Upper-case the given value Usage: .. code-block:: python val = 'a string' new_val = myfunction(val) print(new_val) # 'A STRING' :param value: a string :return: a copy of ``value`` that has been upper-cased ''' return value.upper() Specify a release for additions or changes New functions or changes to existing functions should include a marker that denotes what Salt release will be affected. For example: def my_function(value): ''' Upper-case the given value .. versionadded:: 2014.7.0 <...snip...> ''' return value.upper() For changes to a function: def my_function(value, strip=False): ''' Upper-case the given value .. versionchanged:: Boron Added a flag to also strip whitespace from the string. <...snip...> ''' if strip: return value.upper().strip() return value.upper() Adding module documentation to the index Each module type has an index listing all modules of that type. For example: all-salt.modules, all-salt.states, all-salt.renderers. New modules must be added to the index manually. 1. Edit the file for the module type: execution modules, state modules, renderer modules, etc. 2. Add the new module to the alphebetized list. 3. Build the documentation which will generate an .rst file for the new module in the same directory as the index.rst. 4. Commit the changes to index.rst and the new .rst file and send a pull request. Cross-references The Sphinx documentation system contains a wide variety of cross-referencing capabilities. Glossary entries Link to glossary entries using the term role. A cross-reference should be added the first time a Salt-specific term is used in a document. A common way to encapsulate master-side functionality is by writing a custom :term:`Runner Function`. Custom Runner Functions are easy to write. Index entries Sphinx automatically generates many kinds of index entries, but it is occasionally useful to manually add items to the index. One method is to use the index directive above the document or section that should appear in the index. .. index:: ! Event, event bus, event system see: Reactor; Event Another method is to use the index role inline with the text that should appear in the index. The index entry is created and the target text is left otherwise intact. Information about the :index:`Salt Reactor` ------------------------------------------- Paragraph. Documents and sections Each document should contain a unique top-level label of the form: .. _my-page: My page ======= Paragraph. Unique labels can be linked using the ref role. This allows cross-references to survive document renames or movement. For more information see :ref:`my-page`. Note, the :doc: role should not be used to link documents together. Modules Cross-references to Salt modules can be added using Sphinx's Python domain roles. For example, to create a link to the test.ping function: A useful execution module to test active communication with a minion is the :py:func:`test.ping <salt.modules.test.ping>` function. Salt modules can be referenced as well: The :py:mod:`test module <salt.modules.test>` contains many useful functions for inspecting an active Salt connection. The same syntax works for all modules types: One of the workhorse state module functions in Salt is the :py:func:`file.managed <salt.states.file.managed>` function. Settings Individual settings in the Salt Master or Salt Minion configuration files are cross-referenced using two custom roles, conf_master, and conf_minion. The :conf_minion:`minion ID <id>` setting is a unique identifier for a single minion. Documentation Changes and Fixes Documentation changes and fixes should be made against the earliest supported release branch that the update applies to. The practice of updating a release branch instead of making all documentation changes against Salt's main, default branch, develop, is necessary in order for the docs to be as up-to-date as possible when the docs are built. The workflow mentioned above is also in line with the recommendations outlined in Salt's contributing page. You can read more about how to choose where to submit documentation fixes by reading the which-salt-branch section. For an explanation of how to submit changes against various branches, see the github-pull-request section. Specifically, see the section describing how to Create a new branch and the steps that follow. Building the documentation 1. Install Sphinx using a system package manager or pip. The package name is often of the form python-sphinx. There are no other dependencies. 2. Build the documentation using the provided Makefile or .bat file on Windows. cd /path/to/salt/doc make html 3. The generated documentation will be written to the doc/_build/<format> directory. 4. A useful method of viewing the HTML documentation locally is to start Python's built-in HTTP server: cd /path/to/salt/doc/_build/html python -m SimpleHTTPServer Then pull up the documentation in a web browser at http://localhost:8000/. Salt Formulas Formulas are pre-written Salt States. They are as open-ended as Salt States themselves and can be used for tasks such as installing a package, configuring, and starting a service, setting up users or permissions, and many other common tasks. All official Salt Formulas are found as separate Git repositories in the "saltstack-formulas" organization on GitHub: https://github.com/saltstack-formulas As a simple example, to install the popular Apache web server (using the normal defaults for the underlying distro) simply include the apache-formula from a top file: base: 'web*': - apache Installation Each Salt Formula is an individual Git repository designed as a drop-in addition to an existing Salt State tree. Formulas can be installed in the following ways. Adding a Formula as a GitFS remote One design goal of Salt's GitFS fileserver backend was to facilitate reusable States. GitFS is a quick and natural way to use Formulas. 1. Install and configure GitFS. 2. Add one or more Formula repository URLs as remotes in the gitfs_remotes list in the Salt Master configuration file: gitfs_remotes: - https://github.com/saltstack-formulas/apache-formula - https://github.com/saltstack-formulas/memcached-formula We strongly recommend forking a formula repository into your own GitHub account to avoid unexpected changes to your infrastructure. Many Salt Formulas are highly active repositories so pull new changes with care. Plus any additions you make to your fork can be easily sent back upstream with a quick pull request! 3. Restart the Salt master. Adding a Formula directory manually Formulas are simply directories that can be copied onto the local file system by using Git to clone the repository or by downloading and expanding a tarball or zip file of the repository. The directory structure is designed to work with file_roots in the Salt master configuration. 1. Clone or download the repository into a directory: mkdir -p /srv/formulas cd /srv/formulas git clone https://github.com/saltstack-formulas/apache-formula.git # or mkdir -p /srv/formulas cd /srv/formulas wget https://github.com/saltstack-formulas/apache-formula/archive/master.tar.gz tar xf apache-formula-master.tar.gz 2. Add the new directory to file_roots: file_roots: base: - /srv/salt - /srv/formulas/apache-formula 3. Restart the Salt Master. Usage Each Formula is intended to be immediately usable with sane defaults without any additional configuration. Many formulas are also configurable by including data in Pillar; see the pillar.example file in each Formula repository for available options. Including a Formula in an existing State tree Formula may be included in an existing sls file. This is often useful when a state you are writing needs to require or extend a state defined in the formula. Here is an example of a state that uses the epel-formula in a require declaration which directs Salt to not install the python26 package until after the EPEL repository has also been installed: include: - epel python26: pkg.installed: - require: - pkg: epel Including a Formula from a Top File Some Formula perform completely standalone installations that are not referenced from other state files. It is usually cleanest to include these Formula directly from a Top File. For example the easiest way to set up an OpenStack deployment on a single machine is to include the openstack-standalone-formula directly from a top.sls file: base: 'myopenstackmaster': - openstack Quickly deploying OpenStack across several dedicated machines could also be done directly from a Top File and may look something like this: base: 'controller': - openstack.horizon - openstack.keystone 'hyper-*': - openstack.nova - openstack.glance 'storage-*': - openstack.swift Configuring Formula using Pillar Salt Formulas are designed to work out of the box with no additional configuration. However, many Formula support additional configuration and customization through Pillar. Examples of available options can be found in a file named pillar.example in the root directory of each Formula repository. Using Formula with your own states Remember that Formula are regular Salt States and can be used with all Salt's normal state mechanisms. Formula can be required from other States with requisites-require declarations, they can be modified using extend, they can made to watch other states with requisites-watch-in. The following example uses the stock apache-formula alongside a custom state to create a vhost on a Debian/Ubuntu system and to reload the Apache service whenever the vhost is changed. # Include the stock, upstream apache formula. include: - apache # Use the watch_in requisite to cause the apache service state to reload # apache whenever the my-example-com-vhost state changes. my-example-com-vhost: file: - managed - name: /etc/apache2/sites-available/my-example-com - watch_in: - service: apache Don't be shy to read through the source for each Formula! Reporting problems & making additions Each Formula is a separate repository on GitHub. If you encounter a bug with a Formula please file an issue in the respective repository! Send fixes and additions as a pull request. Add tips and tricks to the repository wiki. Writing Formulas Each Formula is a separate repository in the saltstack-formulas organization on GitHub. NOTE: Get involved creating new Formulas The best way to create new Formula repositories for now is to create a repository in your own account on GitHub and notify a SaltStack employee when it is ready. We will add you to the contributors team on the saltstack-formulas organization and help you transfer the repository over. Ping a SaltStack employee on IRC (#salt on Freenode) or send an email to the salt-users mailing list. There are a lot of repositories in that organization! Team members can manage which repositories they are subscribed to on GitHub's watching page: https://github.com/watching. Style Maintainability, readability, and reusability are all marks of a good Salt sls file. This section contains several suggestions and examples. # Deploy the stable master branch unless version overridden by passing # Pillar at the CLI or via the Reactor. deploy_myapp: git.latest: - name: git@github.com/myco/myapp.git - version: {{ salt.pillar.get('myapp:version', 'master') }} Use a descriptive State ID The ID of a state is used as a unique identifier that may be referenced via other states in requisites. It must be unique across the whole state tree (it is a key in a dictionary, after all). In addition a state ID should be descriptive and serve as a high-level hint of what it will do, or manage, or change. For example, deploy_webapp, or apache, or reload_firewall. Use module.function notation So-called "short-declaration" notation is preferred for referencing state modules and state functions. It provides a consistent pattern of module.function shared between Salt States, the Reactor, Salt Mine, the Scheduler, as well as with the CLI. # Do apache: pkg.installed: - name: httpd # Don't apache: pkg: - installed - name: httpd Salt's state compiler will transform "short-decs" into the longer format when compiling the human-friendly highstate structure into the machine-friendly lowstate structure. Specify the name parameter Use a unique and permanent identifier for the state ID and reserve name for data with variability. The name declaration is a required parameter for all state functions. The state ID will implicitly be used as name if it is not explicitly set in the state. In many state functions the name parameter is used for data that varies such as OS-specific package names, OS-specific file system paths, repository addresses, etc. Any time the ID of a state changes all references to that ID must also be changed. Use a permanent ID when writing a state the first time to future-proof that state and allow for easier refactors down the road. Comment state files YAML allows comments at varying indentation levels. It is a good practice to comment state files. Use vertical whitespace to visually separate different concepts or actions. # Start with a high-level description of the current sls file. # Explain the scope of what it will do or manage. # Comment individual states as necessary. update_a_config_file: # Provide details on why an unusual choice was made. For example: # # This template is fetched from a third-party and does not fit our # company norm of using Jinja. This must be processed using Mako. file.managed: - name: /path/to/file.cfg - source: salt://path/to/file.cfg.template - template: mako # Provide a description or explanation that did not fit within the state # ID. For example: # # Update the application's last-deployed timestamp. # This is a workaround until Bob configures Jenkins to automate RPM # builds of the app. cmd.run: # FIXME: Joe needs this to run on Windows by next quarter. Switch these # from shell commands to Salt's file.managed and file.replace state # modules. - name: | touch /path/to/file_last_updated sed -e 's/foo/bar/g' /path/to/file_environment - onchanges: - file: a_config_file Be careful to use Jinja comments for commenting Jinja code and YAML comments for commenting YAML code. # BAD EXAMPLE # The Jinja in this YAML comment is still executed! # {% set apache_is_installed = 'apache' in salt.pkg.list_pkgs() %} # GOOD EXAMPLE # The Jinja in this Jinja comment will not be executed. {# {% set apache_is_installed = 'apache' in salt.pkg.list_pkgs() %} #} Easy on the Jinja! Jinja templating provides vast flexibility and power when building Salt sls files. It can also create an unmaintainable tangle of logic and data. Speaking broadly, Jinja is best used when kept apart from the states (as much as is possible). Below are guidelines and examples of how Jinja can be used effectively. Know the evaluation and execution order High-level knowledge of how Salt states are compiled and run is useful when writing states. The default renderer setting in Salt is Jinja piped to YAML. Each is a separate step. Each step is not aware of the previous or following step. Jinja is not YAML aware, YAML is not Jinja aware; they cannot share variables or interact. • Whatever the Jinja step produces must be valid YAML. • Whatever the YAML step produces must be a valid highstate data structure. (This is also true of the final step for any of the alternate renderers in Salt.) • Highstate can be thought of as a human-friendly data structure; easy to write and easy to read. • Salt's state compiler validates the highstate and compiles it to low state. • Low state can be thought of as a machine-friendly data structure. It is a list of dictionaries that each map directly to a function call. • Salt's state system finally starts and executes on each "chunk" in the low state. Remember that requisites are evaluated at runtime. • The return for each function call is added to the "running" dictionary which is the final output at the end of the state run. The full evaluation and execution order: Jinja -> YAML -> Highstate -> low state -> execution Avoid changing the underlying system with Jinja Avoid calling commands from Jinja that change the underlying system. Commands run via Jinja do not respect Salt's dry-run mode (test=True)! This is usually in conflict with the idempotent nature of Salt states unless the command being run is also idempotent. Inspect the local system A common use for Jinja in Salt states is to gather information about the underlying system. The grains dictionary available in the Jinja context is a great example of common data points that Salt itself has already gathered. Less common values are often found by running commands. For example: {% set is_selinux_enabled = salt.cmd.run('sestatus') == '1' %} This is usually best done with a variable assignment in order to separate the data from the state that will make use of the data. Gather external data One of the most common uses for Jinja is to pull external data into the state file. External data can come from anywhere like API calls or database queries, but it most commonly comes from flat files on the file system or Pillar data from the Salt Master. For example: {% set some_data = salt.pillar.get('some_data', {'sane default': True}) %} {# or #} {% import_yaml 'path/to/file.yaml' as some_data %} {# or #} {% import_json 'path/to/file.json' as some_data %} {# or #} {% import_text 'path/to/ssh_key.pub' as ssh_pub_key %} {# or #} {% from 'path/to/other_file.jinja' import some_data with context %} This is usually best done with a variable assignment in order to separate the data from the state that will make use of the data. Light conditionals and looping Jinja is extremely powerful for programatically generating Salt states. It is also easy to overuse. As a rule of thumb, if it is hard to read it will be hard to maintain! Separate Jinja control-flow statements from the states as much as is possible to create readable states. Limit Jinja within states to simple variable lookups. Below is a simple example of a readable loop: {% for user in salt.pillar.get('list_of_users', []) %} {# Ensure unique state IDs when looping. #} {{ user.name }}-{{ loop.index }}: user.present: - name: {{ user.name }} - shell: {{ user.shell }} {% endfor %} Avoid putting a Jinja conditionals within Salt states where possible. Readability suffers and the correct YAML indentation is difficult to see in the surrounding visual noise. Parameterization (discussed below) and variables are both useful techniques to avoid this. For example: {# ---- Bad example ---- #} apache: pkg.installed: {% if grains.os_family == 'RedHat' %} - name: httpd {% elif grains.os_family == 'Debian' %} - name: apache2 {% endif %} {# ---- Better example ---- #} {% if grains.os_family == 'RedHat' %} {% set name = 'httpd' %} {% elif grains.os_family == 'Debian' %} {% set name = 'apache2' %} {% endif %} apache: pkg.installed: - name: {{ name }} {# ---- Good example ---- #} {% set name = { 'RedHat': 'httpd', 'Debian': 'apache2', }.get(grains.os_family) %} apache: pkg.installed: - name: {{ name }} Dictionaries are useful to effectively "namespace" a collection of variables. This is useful with parameterization (discussed below). Dictionaries are also easily combined and merged. And they can be directly serialized into YAML which is often easier than trying to create valid YAML through templating. For example: {# ---- Bad example ---- #} haproxy_conf: file.managed: - name: /etc/haproxy/haproxy.cfg - template: jinja {% if 'external_loadbalancer' in grains.roles %} - source: salt://haproxy/external_haproxy.cfg {% elif 'internal_loadbalancer' in grains.roles %} - source: salt://haproxy/internal_haproxy.cfg {% endif %} - context: {% if 'external_loadbalancer' in grains.roles %} ssl_termination: True {% elif 'internal_loadbalancer' in grains.roles %} ssl_termination: False {% endif %} {# ---- Better example ---- #} {% load_yaml as haproxy_defaults %} common_settings: bind_port: 80 internal_loadbalancer: source: salt://haproxy/internal_haproxy.cfg settings: bind_port: 8080 ssl_termination: False external_loadbalancer: source: salt://haproxy/external_haproxy.cfg settings: ssl_termination: True {% endload %} {% if 'external_loadbalancer' in grains.roles %} {% set haproxy = haproxy_defaults['external_loadbalancer'] %} {% elif 'internal_loadbalancer' in grains.roles %} {% set haproxy = haproxy_defaults['internal_loadbalancer'] %} {% endif %} {% do haproxy.settings.update(haproxy_defaults.common_settings) %} haproxy_conf: file.managed: - name: /etc/haproxy/haproxy.cfg - template: jinja - source: {{ haproxy.source }} - context: {{ haproxy.settings | yaml() }} There is still room for improvement in the above example. For example, extracting into an external file or replacing the if-elif conditional with a function call to filter the correct data more succinctly. However, the state itself is simple and legible, the data is separate and also simple and legible. And those suggested improvements can be made at some future date without altering the state at all! Avoid heavy logic and programming Jinja is not Python. It was made by Python programmers and shares many semantics and some syntax but it does not allow for abitrary Python function calls or Python imports. Jinja is a fast and efficient templating language but the syntax can be verbose and visually noisy. Once Jinja use within an sls file becomes slightly complicated -- long chains of if-elif-elif-else statements, nested conditionals, complicated dictionary merges, wanting to use sets -- instead consider using a different Salt renderer, such as the Python renderer. As a rule of thumb, if it is hard to read it will be hard to maintain -- switch to a format that is easier to read. Using alternate renderers is very simple to do using Salt's "she-bang" syntax at the top of the file. The Python renderer must simply return the correct highstate data structure. The following example is a state tree of two sls files, one simple and one complicated. /srv/salt/top.sls: base: '*': - common_configuration - roles_configuration /srv/salt/common_configuration.sls: common_users: user.present: - names: [larry, curly, moe] /srv/salt/roles_configuration: #!py def run(): list_of_roles = set() # This example has the minion id in the form 'web-03-dev'. # Easily access the grains dictionary: try: app, instance_number, environment = __grains__['id'].split('-') instance_number = int(instance_number) except ValueError: app, instance_number, environment = ['Unknown', 0, 'dev'] list_of_roles.add(app) if app == 'web' and environment == 'dev': list_of_roles.add('primary') list_of_roles.add('secondary') elif app == 'web' and environment == 'staging': if instance_number == 0: list_of_roles.add('primary') else: list_of_roles.add('secondary') # Easily cross-call Salt execution modules: if __salt__['myutils.query_valid_ec2_instance'](): list_of_roles.add('is_ec2_instance') return { 'set_roles_grains': { 'grains.present': [ {'name': 'roles'}, {'value': list(list_of_roles)}, ], }, } Jinja Macros In Salt sls files Jinja macros are useful for one thing and one thing only: creating mini templates that can be reused and rendered on demand. Do not fall into the trap of thinking of macros as functions; Jinja is not Python (see above). Macros are useful for creating reusable, parameterized states. For example: {% macro user_state(state_id, user_name, shell='/bin/bash', groups=[]) %} {{ state_id }}: user.present: - name: {{ user_name }} - shell: {{ shell }} - groups: {{ groups | json() }} {% endmacro %} {% for user_info in salt.pillar.get('my_users', []) %} {{ user_state('user_number_' ~ loop.index, **user_info) }} {% endfor %} Macros are also useful for creating one-off "serializers" that can accept a data structure and write that out as a domain-specific configuration file. For example, the following macro could be used to write a php.ini config file: /srv/salt/php.sls: php_ini: file.managed: - name: /etc/php.ini - source: salt://php.ini.tmpl - template: jinja - context: php_ini_settings: {{ salt.pillar.get('php_ini', {}) | json() }} /srv/pillar/php.sls: php_ini: PHP: engine: 'On' short_open_tag: 'Off' error_reporting: 'E_ALL & ~E_DEPRECATED & ~E_STRICT' /srv/salt/php.ini.tmpl: {% macro php_ini_serializer(data) %} {% for section_name, name_val_pairs in data.items() %} [{{ section_name }}] {% for name, val in name_val_pairs.items() -%} {{ name }} = "{{ val }}" {% endfor %} {% endfor %} {% endmacro %} ; File managed by Salt at <{{ source }}>. ; Your changes will be overwritten. {{ php_ini_serializer(php_ini_settings) }} Abstracting static defaults into a lookup table Separate data that a state uses from the state itself to increases the flexibility and reusability of a state. An obvious and common example of this is platform-specific package names and file system paths. Another example is sane defaults for an application, or common settings within a company or organization. Organizing such data as a dictionary (aka hash map, lookup table, associative array) often provides a lightweight namespacing and allows for quick and easy lookups. In addition, using a dictionary allows for easily merging and overriding static values within a lookup table with dynamic values fetched from Pillar. A strong convention in Salt Formulas is to place platform-specific data, such as package names and file system paths, into a file named map.jinja that is placed alongside the state files. The following is an example from the MySQL Formula. The grains.filter_by function performs a lookup on that table using the os_family grain (by default). The result is that the mysql variable is assigned to a subset of the lookup table for the current platform. This allows states to reference, for example, the name of a package without worrying about the underlying OS. The syntax for referencing a value is a normal dictionary lookup in Jinja, such as {{ mysql['service'] }} or the shorthand {{ mysql.service }}. map.jinja: {% set mysql = salt['grains.filter_by']({ 'Debian': { 'server': 'mysql-server', 'client': 'mysql-client', 'service': 'mysql', 'config': '/etc/mysql/my.cnf', 'python': 'python-mysqldb', }, 'RedHat': { 'server': 'mysql-server', 'client': 'mysql', 'service': 'mysqld', 'config': '/etc/my.cnf', 'python': 'MySQL-python', }, 'Gentoo': { 'server': 'dev-db/mysql', 'client': 'dev-db/mysql', 'service': 'mysql', 'config': '/etc/mysql/my.cnf', 'python': 'dev-python/mysql-python', }, }, merge=salt['pillar.get']('mysql:lookup')) %} Values defined in the map file can be fetched for the current platform in any state file using the following syntax: {% from "mysql/map.jinja" import mysql with context %} mysql-server: pkg.installed: - name: {{ mysql.server }} service.running: - name: {{ mysql.service }} Collecting common values Common values can be collected into a base dictionary. This minimizes repetition of identical values in each of the lookup_dict sub-dictionaries. Now only the values that are different from the base must be specified of the alternates: map.jinja: {% set mysql = salt['grains.filter_by']({ 'default': { 'server': 'mysql-server', 'client': 'mysql-client', 'service': 'mysql', 'config': '/etc/mysql/my.cnf', 'python': 'python-mysqldb', }, 'Debian': { }, 'RedHat': { 'client': 'mysql', 'service': 'mysqld', 'config': '/etc/my.cnf', 'python': 'MySQL-python', }, 'Gentoo': { 'server': 'dev-db/mysql', 'client': 'dev-db/mysql', 'python': 'dev-python/mysql-python', }, }, merge=salt['pillar.get']('mysql:lookup', default='default') %} Overriding values in the lookup table Allow static values within lookup tables to be overridden. This is a simple pattern which once again increases flexibility and reusability for state files. The merge argument in filter_by specifies the location of a dictionary in Pillar that can be used to override values returned from the lookup table. If the value exists in Pillar it will take precedence. This is useful when software or configuration files is installed to non-standard locations or on unsupported platforms. For example, the following Pillar would replace the config value from the call above. mysql: lookup: config: /usr/local/etc/mysql/my.cnf NOTE: Protecting Expansion of Content with Special Characters When templating keep in mind that YAML does have special characters for quoting, flows, and other special structure and content. When a Jinja substitution may have special characters that will be incorrectly parsed by YAML care must be taken. It is a good policy to use the yaml_encode or the yaml_dquote Jinja filters: {%- set foo = 7.7 %} {%- set bar = none %} {%- set baz = true %} {%- set zap = 'The word of the day is "salty".' %} {%- set zip = '"The quick brown fox . . ."' %} foo: {{ foo|yaml_encode }} bar: {{ bar|yaml_encode }} baz: {{ baz|yaml_encode }} zap: {{ zap|yaml_encode }} zip: {{ zip|yaml_dquote }} The above will be rendered as below: foo: 7.7 bar: null baz: true zap: "The word of the day is \"salty\"." zip: "\"The quick brown fox . . .\"" The filter_by function performs a simple dictionary lookup but also allows for fetching data from Pillar and overriding data stored in the lookup table. That same workflow can be easily performed without using filter_by; other dictionaries besides data from Pillar can also be used. {% set lookup_table = {...} %} {% do lookup_table.update(salt.pillar.get('my:custom:data')) %} When to use lookup tables The map.jinja file is only a convention within Salt Formulas. This greater pattern is useful for a wide variety of data in a wide variety of workflows. This pattern is not limited to pulling data from a single file or data source. This pattern is useful in States, Pillar and the Reactor, for example. Working with a data structure instead of, say, a config file allows the data to be cobbled together from multiple sources (local files, remote Pillar, database queries, etc), combined, overridden, and searched. Below are a few examples of what lookup tables may be useful for and how they may be used and represented. Platform-specific information An obvious pattern and one used heavily in Salt Formulas is extracting platform-specific information such as package names and file system paths in a file named map.jinja. The pattern is explained in detail above. Sane defaults Application settings can be a good fit for this pattern. Store default settings along with the states themselves and keep overrides and sensitive settings in Pillar. Combine both into a single dictionary and then write the application config or settings file. The example below stores most of the Apache Tomcat server.xml file alongside the Tomcat states and then allows values to be updated or augmented via Pillar. (This example uses the BadgerFish format for transforming JSON to XML.) /srv/salt/tomcat/defaults.yaml: Server: '@port': '8005' '@shutdown': SHUTDOWN GlobalNamingResources: Resource: '@auth': Container '@description': User database that can be updated and saved '@factory': org.apache.catalina.users.MemoryUserDatabaseFactory '@name': UserDatabase '@pathname': conf/tomcat-users.xml '@type': org.apache.catalina.UserDatabase # <...snip...> /srv/pillar/tomcat.sls: appX: server_xml_overrides: Server: Service: '@name': Catalina Connector: '@port': '8009' '@protocol': AJP/1.3 '@redirectPort': '8443' # <...snip...> /srv/salt/tomcat/server_xml.sls: {% import_yaml 'tomcat/defaults.yaml' as server_xml_defaults %} {% set server_xml_final_values = salt.pillar.get( 'appX:server_xml_overrides', default=server_xml_defaults, merge=True) %} appX_server_xml: file.serialize: - name: /etc/tomcat/server.xml - dataset: {{ server_xml_final_values | json() }} - formatter: xml_badgerfish The file.serialize state can provide a shorthand for creating some files from data structures. There are also many examples within Salt Formulas of creating one-off "serializers" (often as Jinja macros) that reformat a data structure to a specific config file format. For example, `Nginx vhosts`__ or the `php.ini`__ __: https://github.com/saltstack-formulas/nginx-formula/blob/5cad4512/nginx/ng/vhosts_config.sls __: https://github.com/saltstack-formulas/php-formula/blob/82e2cd3a/php/ng/files/php.ini Environment specific information A single state can be reused when it is parameterized as described in the section below, by separating the data the state will use from the state that performs the work. This can be the difference between deploying Application X and Application Y, or the difference between production and development. For example: /srv/salt/app/deploy.sls: {# Load the map file. #} {% import_yaml 'app/defaults.yaml' as app_defaults %} {# Extract the relevant subset for the app configured on the current machine (configured via a grain in this example). #} {% app = app_defaults.get(salt.grains.get('role') %} {# Allow values from Pillar to (optionally) update values from the lookup table. #} {% do app_defaults.update(salt.pillar.get('myapp', {}) %} deploy_application: git.latest: - name: {{ app.repo_url }} - version: {{ app.version }} - target: {{ app.deploy_dir }} myco/myapp/deployed: event.send: - data: version: {{ app.version }} - onchanges: - git: deploy_application /srv/salt/app/defaults.yaml: appX: repo_url: git@github.com/myco/appX.git target: /var/www/appX version: master appY: repo_url: git@github.com/myco/appY.git target: /var/www/appY version: v1.2.3.4 Single-purpose SLS files Each sls file in a Formula should strive to do a single thing. This increases the reusability of this file by keeping unrelated tasks from getting coupled together. As an example, the base Apache formula should only install the Apache httpd server and start the httpd service. This is the basic, expected behavior when installing Apache. It should not perform additional changes such as set the Apache configuration file or create vhosts. If a formula is single-purpose as in the example above, other formulas, and also other states can include and use that formula with requisites without also including undesirable or unintended side-effects. The following is a best-practice example for a reusable Apache formula. (This skips platform-specific options for brevity. See the full apache-formula for more.) # apache/init.sls apache: pkg.installed: [...] service.running: [...] # apache/mod_wsgi.sls include: - apache mod_wsgi: pkg.installed: [...] - require: - pkg: apache # apache/conf.sls include: - apache apache_conf: file.managed: [...] - watch_in: - service: apache To illustrate a bad example, say the above Apache formula installed Apache and also created a default vhost. The mod_wsgi state would not be able to include the Apache formula to create that dependency tree without also installing the unneeded default vhost. Formulas should be reusable. Avoid coupling unrelated actions together. Parameterization Parameterization is a key feature of Salt Formulas and also for Salt States. Parameterization allows a single Formula to be reused across many operating systems; to be reused across production, development, or staging environments; and to be reused by many people all with varying goals. Writing states, specifying ordering and dependencies is the part that takes the longest to write and to test. Filling those states out with data such as users or package names or file locations is the easy part. How many users, what those users are named, or where the files live are all implementation details that should be parameterized. This separation between a state and the data that populates a state creates a reusable formula. In the example below the data that populates the state can come from anywhere -- it can be hard-coded at the top of the state, it can come from an external file, it can come from Pillar, it can come from an execution function call, or it can come from a database query. The state itself doesn't change regardless of where the data comes from. Production data will vary from development data will vary from data from one company to another, however the state itself stays the same. {% set user_list = [ {'name': 'larry', 'shell': 'bash'}, {'name': 'curly', 'shell': 'bash'}, {'name': 'moe', 'shell': 'zsh'}, ] %} {# or #} {% set user_list = salt['pillar.get']('user_list') %} {# or #} {% load_json "default_users.json" as user_list %} {# or #} {% set user_list = salt['acme_utils.get_user_list']() %} {% for user in list_list %} {{ user.name }}: user.present: - name: {{ user.name }} - shell: {{ user.shell }} {% endfor %} Configuration Formulas should strive to use the defaults of the underlying platform, followed by defaults from the upstream project, followed by sane defaults for the formula itself. As an example, a formula to install Apache should not change the default Apache configuration file installed by the OS package. However, the Apache formula should include a state to change or override the default configuration file. Pillar overrides Pillar lookups must use the safe get() and must provide a default value. Create local variables using the Jinja set construct to increase redability and to avoid potentially hundreds or thousands of function calls across a large state tree. {% from "apache/map.jinja" import apache with context %} {% set settings = salt['pillar.get']('apache', {}) %} mod_status: file.managed: - name: {{ apache.conf_dir }} - source: {{ settings.get('mod_status_conf', 'salt://apache/mod_status.conf') }} - template: {{ settings.get('template_engine', 'jinja') }} Any default values used in the Formula must also be documented in the pillar.example file in the root of the repository. Comments should be used liberally to explain the intent of each configuration value. In addition, users should be able copy-and-paste the contents of this file into their own Pillar to make any desired changes. Scripting Remember that both State files and Pillar files can easily call out to Salt execution modules and have access to all the system grains as well. {% if '/storage' in salt['mount.active']() %} /usr/local/etc/myfile.conf: file: - symlink - target: /storage/myfile.conf {% endif %} Jinja macros to encapsulate logic or conditionals are discouraged in favor of writing custom execution modules in Python. Repository structure A basic Formula repository should have the following layout: foo-formula |-- foo/ | |-- map.jinja | |-- init.sls | `-- bar.sls |-- CHANGELOG.rst |-- LICENSE |-- pillar.example |-- README.rst `-- VERSION SEE ALSO: template-formula The template-formula repository has a pre-built layout that serves as the basic structure for a new formula repository. Just copy the files from there and edit them. README.rst The README should detail each available .sls file by explaining what it does, whether it has any dependencies on other formulas, whether it has a target platform, and any other installation or usage instructions or tips. A sample skeleton for the README.rst file: === foo === Install and configure the FOO service. .. note:: See the full `Salt Formulas installation and usage instructions <http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_. Available states ================ .. contents:: :local: ``foo`` ------- Install the ``foo`` package and enable the service. ``foo.bar`` ----------- Install the ``bar`` package. CHANGELOG.rst The CHANGELOG.rst file should detail the individual versions, their release date and a set of bullet points for each version highlighting the overall changes in a given version of the formula. A sample skeleton for the CHANGELOG.rst file: CHANGELOG.rst: foo formula =========== 0.0.2 (2013-01-01) - Re-organized formula file layout - Fixed filename used for upstart logger template - Allow for pillar message to have default if none specified Versioning Formula are versioned according to Semantic Versioning, http://semver.org/. NOTE: Given a version number MAJOR.MINOR.PATCH, increment the: 1. MAJOR version when you make incompatible API changes, 2. MINOR version when you add functionality in a backwards-compatible manner, and 3. PATCH version when you make backwards-compatible bug fixes. Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format. Formula versions are tracked using Git tags as well as the VERSION file in the formula repository. The VERSION file should contain the currently released version of the particular formula. Testing Formulas A smoke-test for invalid Jinja, invalid YAML, or an invalid Salt state structure can be performed by with the state.show_sls function: salt '*' state.show_sls apache Salt Formulas can then be tested by running each .sls file via state.sls and checking the output for the success or failure of each state in the Formula. This should be done for each supported platform. SaltStack Packaging Guide Since Salt provides a powerful toolkit for system management and automation, the package can be spit into a number of sub-tools. While packaging Salt as a single package containing all components is perfectly acceptable, the split packages should follow this convention. Patching Salt For Distributions The occasion may arise where Salt source and default configurations may need to be patched. It is preferable if Salt is only patched to include platform specific additions or to fix release time bugs. It is preferable that configuration settings and operations remain in the default state, as changes here lowers the user experience for users moving across distributions. In the event where a packager finds a need to change the default configuration it is advised to add the files to the master.d or minion.d directories. Source Files Release packages should always be built from the source tarball distributed via pypi. Release packages should NEVER use a git checkout as the source for distribution. Single Package Shipping Salt as a single package, where the minion, master, and all tools are together is perfectly acceptable and practiced by distributions such as FreeBSD. Split Package Salt Should always be split in a standard way, with standard dependencies, this lowers cross distribution confusion about what components are going to be shipped with specific packages. These packages can be defined from the Salt Source as of Salt 2014.1.0: Salt Common The salt-common or salt package should contain the files provided by the salt python package, or all files distributed from the salt/ directory in the source distribution packages. The documentation contained under the doc/ directory can be a part of this package but splitting out a doc package is preferred. Since salt-call is the entry point to utilize the libs and is useful for all salt packages it is included in the salt-common package. Name • salt OR salt-common Files • salt/* • man/salt.7 • scripts/salt-call • tests/* • man/salt-call.1 Depends • Python 2.6-2.7 • PyYAML • Jinja2 Salt Master The salt-master package contains the applicable scripts, related man pages and init information for the given platform. Name • salt-master Files • scripts/salt-master • scripts/salt • scripts/salt-run • scripts/salt-key • scripts/salt-cp • pkg/<master init data> • man/salt.1 • man/salt-master.1 • man/salt-run.1 • man/salt-key.1 • man/salt-cp.1 • conf/master Depends • Salt Common • ZeroMQ >= 3.2 • PyZMQ >= 2.10 • PyCrypto • M2Crypto • Python MessagePack (Messagepack C lib, or msgpack-pure) Salt Syndic The Salt Syndic package can be rolled completely into the Salt Master package. Platforms which start services as part of the package deployment need to maintain a separate salt-syndic package (primarily Debian based platforms). The Syndic may optionally not depend on the anything more than the Salt Master since the master will bring in all needed dependencies, but fall back to the platform specific packaging guidelines. Name • salt-syndic Files • scripts/salt-syndic • pkg/<syndic init data> • man/salt-syndic.1 Depends • Salt Common • Salt Master • ZeroMQ >= 3.2 • PyZMQ >= 2.10 • PyCrypto • M2Crypto • Python MessagePack (Messagepack C lib, or msgpack-pure) Salt Minion The Minion is a standalone package and should not be split beyond the salt-minion and salt-common packages. Name • salt-minion Files • scripts/salt-minion • pkg/<minion init data> • man/salt-minion.1 • conf/minion Depends • Salt Common • ZeroMQ >= 3.2 • PyZMQ >= 2.10 • PyCrypto • M2Crypto • Python MessagePack (Messagepack C lib, or msgpack-pure) Salt SSH Since Salt SSH does not require the same dependencies as the minion and master, it should be split out. Name • salt-ssh Files • scripts/salt-ssh • man/salt-ssh.1 • conf/cloud* Depends • Salt Common • Python MessagePack (Messagepack C lib, or msgpack-pure) Salt Cloud As of Salt 2014.1.0 Salt Cloud is included in the same repo as Salt. This can be split out into a separate package or it can be included in the salt-master package. Name • salt-cloud Files • scripts/salt-cloud • man/salt-cloud.1 Depends • Salt Common • apache libcloud >= 0.14.0 Salt Doc The documentation package is very distribution optional. A completely split package will split out the documentation, but some platform conventions do not prefer this. If the documentation is not split out, it should be included with the Salt Common package. Name • salt-doc Files • doc/* Optional Depends • Salt Common • Python Sphinx • Make Salt Release Process The goal for Salt projects is to cut a new feature release every four to six weeks. This document outlines the process for these releases, and the subsequent bug fix releases which follow. Feature Release Process When a new release is ready to be cut, the person responsible for cutting the release will follow the following steps (written using the 0.16 release as an example): 1. All open issues on the release milestone should be moved to the next release milestone. (e.g. from the 0.16 milestone to the 0.17 milestone) 2. Release notes should be created documenting the major new features and bugfixes in the release. 3. Create an annotated tag with only the major and minor version numbers, preceded by the letter v. (e.g. v0.16) This tag will reside on the develop branch. 4. Create a branch for the new release, using only the major and minor version numbers. (e.g. 0.16) 5. On this new branch, create an annotated tag for the first revision release, which is generally a release candidate. It should be preceded by the letter v. (e.g. v0.16.0RC) 6. The release should be packaged from this annotated tag and uploaded to PyPI as well as the GitHub releases page for this tag. 7. The packagers should be notified on the salt-packagers mailing list so they can create packages for all the major operating systems. (note that release candidates should go in the testing repositories) 8. After the packagers have been given a few days to compile the packages, the release is announced on the salt-users mailing list. 9. Log into RTD and add the new release there. (Have to do it manually) Maintenance and Bugfix Releases Once a release has been cut, regular cherry-picking sessions should begin to cherry-pick any bugfixes from the develop branch to the release branch (e.g. 0.16). Once major bugs have been fixes and cherry-picked, a bugfix release can be cut: 1. On the release branch (i.e. 0.16), create an annotated tag for the revision release. It should be preceded by the letter v. (e.g. v0.16.2) Release candidates are unnecessary for bugfix releases. 2. The release should be packaged from this annotated tag and uploaded to PyPI. 3. The packagers should be notified on the salt-packagers mailing list so they can create packages for all the major operating systems. 4. After the packagers have been given a few days to compile the packages, the release is announced on the salt-users mailing list. Cherry-Picking Process for Bugfixes Bugfixes should be made on the develop branch. If the bug also applies to the current release branch, then on the pull request against develop, the user should mention @basepi and ask for the pull request to be cherry-picked. If it is verified that the fix is a bugfix, then the Bugfix -- Cherry-Pick label will be applied to the pull request. When those commits are cherry-picked, the label will be switched to the Bugfix -- [Done] Cherry-Pick label. This allows easy recognition of which pull requests have been cherry-picked, and which are still pending to be cherry-picked. All cherry-picked commits will be present in the next release. Features will not be cherry-picked, and will be present in the next feature release. Salt Coding Style Salt is developed with a certain coding style, while the style is dominantly PEP 8 it is not completely PEP 8. It is also noteworthy that a few development techniques are also employed which should be adhered to. In the end, the code is made to be "Salty". Most importantly though, we will accept code that violates the coding style and KINDLY ask the contributor to fix it, or go ahead and fix the code on behalf of the contributor. Coding style is NEVER grounds to reject code contributions, and is never grounds to talk down to another member of the community (There are no grounds to treat others without respect, especially people working to improve Salt)!! Linting Most Salt style conventions are codified in Salt's .pylintrc file. Salt's pylint file has two dependencies: pylint and saltpylint. You can install these dependencies with pip: pip install pylint pip install saltpylint The .pylintrc file is found in the root of the Salt project and can be passed as an argument to the pylint program as follows: pylint --rcfile=/path/to/salt/.pylintrc salt/dir/to/lint Variables Variables should be a minimum of three characters and should provide an easy-to-understand name of the object being represented. When keys and values are iterated over, descriptive names should be used to represent the temporary variables. Multi-word variables should be separated by an underscore. Variables which are two-letter words should have an underscore appended to them to pad them to three characters. Strings Salt follows a few rules when formatting strings: Single Quotes In Salt, all strings use single quotes unless there is a good reason not to. This means that docstrings use single quotes, standard strings use single quotes etc.: def foo(): ''' A function that does things ''' name = 'A name' return name Formatting Strings All strings which require formatting should use the .format string method: data = 'some text' more = '{0} and then some'.format(data) Make sure to use indices or identifiers in the format brackets, since empty brackets are not supported by python 2.6. Please do NOT use printf formatting. Docstring Conventions Docstrings should always add a newline, docutils takes care of the new line and it makes the code cleaner and more vertical: GOOD: def bar(): ''' Here lies a docstring with a newline after the quotes and is the salty way to handle it! Vertical code is the way to go! ''' return BAD: def baz(): '''This is not ok!''' return When adding a new function or state, where possible try to use a versionadded directive to denote when the function or state was added. def new_func(msg=''): ''' .. versionadded:: 0.16.0 Prints what was passed to the function. msg : None The string to be printed. ''' print msg If you are uncertain what version should be used, either consult a core developer in IRC or bring this up when opening your pull request and a core developer will add the proper version once your pull request has been merged. Bugfixes will be available in a bugfix release (i.e. 0.17.1, the first bugfix release for 0.17.0), while new features are held for feature releases, and this will affect what version number should be used in the versionadded directive. Similar to the above, when an existing function or state is modified (for example, when an argument is added), then under the explanation of that new argument a versionadded directive should be used to note the version in which the new argument was added. If an argument's function changes significantly, the versionchanged directive can be used to clarify this: def new_func(msg='', signature=''): ''' .. versionadded:: 0.16.0 Prints what was passed to the function. msg : None The string to be printed. Will be prepended with 'Greetings! '. .. versionchanged:: 0.17.1 signature : None An optional signature. .. versionadded 0.17.0 ''' print 'Greetings! {0}\n\n{1}'.format(msg, signature) Dictionaries Dictionaries should be initialized using {} instead of dict(). See here for an in-depth discussion of this topic. Imports Salt code prefers importing modules and not explicit functions. This is both a style and functional preference. The functional preference originates around the fact that the module import system used by pluggable modules will include callable objects (functions) that exist in the direct module namespace. This is not only messy, but may unintentionally expose code python libs to the Salt interface and pose a security problem. To say this more directly with an example, this is GOOD: import os def minion_path(): path = os.path.join(self.opts['cachedir'], 'minions') return path This on the other hand is DISCOURAGED: from os.path import join def minion_path(): path = join(self.opts['cachedir'], 'minions') return path The time when this is changed is for importing exceptions, generally directly importing exceptions is preferred: This is a good way to import exceptions: from salt.exceptions import CommandExecutionError Absolute Imports Although absolute imports seems like an awesome idea, please do not use it. Extra care would be necessary all over salt's code in order for absolute imports to work as supposed. Believe it, it has been tried before and, as a tried example, by renaming salt.modules.sysmod to salt.modules.sys, all other salt modules which needed to import sys would have to also import absolute_import, which should be avoided. Vertical is Better When writing Salt code, vertical code is generally preferred. This is not a hard rule but more of a guideline. As PEP 8 specifies, Salt code should not exceed 79 characters on a line, but it is preferred to separate code out into more newlines in some cases for better readability: import os os.chmod( os.path.join(self.opts['sock_dir'], 'minion_event_pub.ipc'), 448 ) Where there are more line breaks, this is also apparent when constructing a function with many arguments, something very common in state functions for instance: def managed(name, source=None, source_hash='', user=None, group=None, mode=None, template=None, makedirs=False, context=None, replace=True, defaults=None, env=None, backup='', **kwargs): NOTE: Making function and class definitions vertical is only required if the arguments are longer then 80 characters. Otherwise, the formatting is optional and both are acceptable. Line Length For function definitions and function calls, Salt adheres to the PEP-8 specification of at most 80 characters per line. Non function definitions or function calls, please adopt a soft limit of 120 characters per line. If breaking the line reduces the code readability, don't break it. Still, try to avoid passing that 120 characters limit and remember, vertical is better... unless it isn't Indenting Some confusion exists in the python world about indenting things like function calls, the above examples use 8 spaces when indenting comma-delimited constructs. The confusion arises because the pep8 program INCORRECTLY flags this as wrong, where PEP 8, the document, cites only using 4 spaces here as wrong, as it doesn't differentiate from a new indent level. Right: def managed(name, source=None, source_hash='', user=None) WRONG: def managed(name, source=None, source_hash='', user=None) Lining up the indent is also correct: def managed(name, source=None, source_hash='', user=None) This also applies to function calls and other hanging indents. pep8 and Flake8 (and, by extension, the vim plugin Syntastic) will complain about the double indent for hanging indents. This is a known conflict between pep8 (the script) and the actual PEP 8 standard. It is recommended that this particular warning be ignored with the following lines in ~/.config/flake8: [flake8] ignore = E226,E241,E242,E126 Make sure your Flake8/pep8 are up to date. The first three errors are ignored by default and are present here to keep the behavior the same. This will also work for pep8 without the Flake8 wrapper -- just replace all instances of 'flake8' with 'pep8', including the filename. Code Churn Many pull requests have been submitted that only churn code in the name of PEP 8. Code churn is a leading source of bugs and is strongly discouraged. While style fixes are encouraged they should be isolated to a single file per commit, and the changes should be legitimate, if there are any questions about whether a style change is legitimate please reference this document and the official PEP 8 (‐ http://legacy.python.org/dev/peps/pep-0008/) document before changing code. Many claims that a change is PEP 8 have been invalid, please double check before committing fixes.
RELEASE NOTES
See the version numbers page for more information about the version numbering scheme. Latest Branch Release /topics/releases/2015.8.7 Previous Releases Salt 2015.8.0 Release Notes - Codename Beryllium 2015.8.0 Detailed Change List Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs) Generated at: 2015-09-09T18:15:43Z This list includes all pull requests merged into the 2015.8 branch between the forking of the branch from develop and the release of 2015.8.0. Statistics: • Total Merges: 682 • Total Issue references: 342 • Total PR references: 866 Pull Requests: • #26993: (whiteinge) Backport #26975 • #26970: (cachedout) Revert "better path query parsing in fileserver" • #26980: (terminalmage) Use human-readable cachedirs for gitfs-backed winrepo • #26969: (TheBigBear) URL of salt windows downloads has changed • #26968: (TheBigBear) URL of salt windows downloads has changed • #26958: (s0undt3ch) Bradthurber bootstrap command line help doc update • #26949: (rallytime) Back-port #25148 to 2015.8 • #26914: (cro) Add salt-proxy script and manpage to setup.py so they will get installed. • #26909: (terminalmage) Don't try to git clone from /tmp on Windows • #26910: (s0undt3ch) Sometimes the event system is just too fast • #26905: (s0undt3ch) Exit the loop if run_once is true • #26897: (msteed) spm file hash part deux • #26900: (s0undt3ch) If no tag is passed, don't actually subscribe to anything. • #26880: (s0undt3ch) Restore backwards compatibility to salt.utils.event • #26896: (msteed) spm remove: use pkgfiles to calculate file hashes • #26891: (jtand) Fixed an unboundlocalerror • #26892: (cachedout) Make the testing ioloop the current one • #26886: (jtand) Gets the azure version correctly on python-azure 1.0.0 • #26870: (rallytime) Back-port #26834 to 2015.8 • #26865: (dmurphy18) Fix apt preferences for apts, repos for pbuilder building for Debian • #26873: (terminalmage) Properly handle getting local config values in older git versions • #26869: (rallytime) Fix provider --> driver change for salt-cloud lxc • #26858: (terminalmage) Fix a couple version checks for git state and execution module • #26853: (UtahDave) Fix salt-cloud on windows • #26852: (basepi) [2015.8] Only reference msgpack if it imported successfully • #26835: (terminalmage) Backport #26572 to 2015.8 • #26836: (jacobhammons) Added rst source for salt-proxy man page, added build and copy lines … • #26818: (terminalmage) Support empty repositories in git.latest • #26819: (rallytime) Make sure we're calling _validate_name in the correct place in 2015.8 Linode driver • #26841: (l2ol33rt) Fix reference before assignment in sqs engine • #26822: (terminalmage) Add some missing imports for masterless winrepo • #26831: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26826: (techhat) Pass a package name to unregister_file() • #26757: (cachedout) Fix various filehandle leaks • #26816: (gtmanfred) rev defaults to HEAD • #26801: (jacobhammons) Added doc for dockerng minion configuration options • #26808: (anlutro) Fix git init argument formatting • #26807: (terminalmage) Move salt.utils.itersplit() to salt.utils.itertools.split() • #26796: (jacobhammons) Add doc for __states__ • #26764: (sjorge) salt.utils.is_proxy() is no longer always true on SunOS/Illumos/SmartOS • #26772: (sjorge) pull in smartos 'virt' module from develop • #26726: (terminalmage) Redact HTTPS Basic Auth in states/funcs which deal with git remotes • #26769: (terminalmage) Use --track to set tracking branch on older git versions • #26765: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26761: (sjorge) fix SPM paths on smartos/illumos esky • #26751: (terminalmage) Fixes for masterless winrepo • #26745: (rallytime) Make sure pyrax configs are in place before checking for deps • #26746: (rallytime) Make sure nova configs are set before checking for dependencies • #26750: (basepi) [2015.8] Add __utils__ to state modules • #26752: (cro) Fix typo in some diagram labels • #26747: (basepi) [2015.8] Add __states__ to state modules, for cross-calling states • #26744: (basepi) [2015.8] Fix issue from #26717 • #26737: (dmurphy18) Fix to allow for package naming other than just salt • #26742: (rallytime) Only warn about vsphere deprecation if vsphere is configured • #26733: (sjorge) Refactor of smartos_vmadm module • #26735: (s0undt3ch) Add .hg and .cvs to spm_build_exclude • #26720: (UtahDave) Updates for winrepo in 2015.8 to support jinja, while maintaining backwards compat • #26719: (jodv) Backport 26532 to 2015.8 • #26721: (rallytime) Linode Driver Cleanup • #26707: (techhat) Add top_level_dir to FORMULAs • #26723: (s0undt3ch) Handle SPM paths in the setup script • #26717: (basepi) [2015.8] Revert loader changes from #26645 • #26712: (techhat) Move SPM paths around • #26680: (TheBigBear) add more python libs info in '--versions-report' • #26716: (terminalmage) Allow git identity to be a list • #26691: (garethgreenaway) Fixes to ipset module for 2015.8 • #26701: (kev009) Ignore the first element of kern.disks split, which is the sysctl name (new disks grain) • #26678: (terminalmage) Restructure git.latest rewrite to work better when following HEAD • #26679: (rallytime) Back-port #26661 to 2015.8 • #26684: (techhat) Add reactor formulas to spm • #26682: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26671: (rallytime) Warn users if cloud driver dependencies are missing. • #26674: (rallytime) Back-port #26583 to 2015.8 • #26670: (techhat) Set up SPM to install -conf packages • #26657: (jfindlay) top file compilation fixes • #26659: (TheBigBear) minor doc edits - spelling • #26654: (jfindlay) merge `#26650`_ • #26567: (jtand) Added git version check to git module • #26649: (twangboy) Fixed Lint for real in win_repo.py • #26608: (jacobhammons) 2015.8.0 release notes and doc/conf.py updates • #26646: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26645: (rallytime) Back-port #26390 to 2015.8 • #26642: (twangboy) Added function to render winrepo Jinja • #26625: (twangboy) Correctly detect packages with no version, docs • #26575: (msteed) Update spm for integration into raas • #26635: (cro) Don't report windows as a proxy. • #26622: (rallytime) [2015.8] Also add -Z to script args for cloud tests • #26619: (rallytime) Apply cloud test fixes from 2015.5 to 2015.8 • #26603: (terminalmage) Fixes for git.latest, git module integration tests, etc. • #26577: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26534: (cachedout) Bump required Tornado version to 4.2.1 • #26566: (cachedout) Don't stacktrace trying to publish without a master • #26541: (terminalmage) Make winrepo execution module use the same code as the runner • #26530: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26570: (cachedout) Fix haproxy docs to be valid • #26562: (cachedout) Fix suprious error message with systemd-detect • #26557: (jfindlay) add docs to #26550 • #26544: (nmadhok) Do not raise KeyError when calling avail_images if VM/template is in disconnected state • #26501: (terminalmage) Update git_pillar docs, add git.list_worktrees function • #26521: (terminalmage) Work around upstream git bug when cloning repo as root • #26518: (krak3n) Fix for `#25492`_ • #26514: (evverx) Unmask a runtime masked services too • #26529: (mnalt) bugfix: fix service.enable for missing rc.conf • #26516: (techhat) Move more path operations into SPM loader • #26533: (cachedout) Fix too aggressive even init check • #26522: (cro) Do not load package provider if its not a proxy • #26531: (cachedout) Fix failing event tests and modify event init • #26433: (cro) Add support for default proxy config options, change default location of proxy config and log to /etc/salt/proxy and /var/log/proxy • #26504: (nmadhok) [Backport] Adding ability to specify the virtual hardware version when creating VM • #26517: (cachedout) Better fix for opensuse tornado httpclient • #26479: (rallytime) Don't allow VMs with duplicate names to be created in EC2/AWS • #26488: (cachedout) Don't pass unsupported kwarg to tornado • #26451: (terminalmage) Use 'rpm -qa' instead of repoquery to list installed packages • #26491: (jacobhammons) doc site css fix for tiny fonts that appeared in code or pre tags in … • #26442: (rallytime) Hide API Key from debug logs for Linode Driver • #26441: (rallytime) Refactor a few linode functions to be useful with salt-cloud command • #26485: (s0undt3ch) One more missed typo • #26495: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26492: (cachedout) Fix schedule test error on py26 • #26489: (cachedout) Fixing more tarfile tests on py2.6 • #26475: (cachedout) Better object checking on asyncreq cleanup • #26477: (cachedout) Fix integration.modules.git.GitModuleTest.test_archive on py26 • #26469: (jtand) --annotate and --message aren't valid options in older versions of git. • #26439: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26464: (rallytime) Back-port #26456 to 2015.8 • #26463: (rallytime) Back-port #26455 to 2015.8 • #26449: (s0undt3ch) The CLI options are not meant to include underscores. • #26270: (sjorge) salt.modules.network now supports SmartOS and SunOS < Solaris 11 • #26436: (TheBigBear) minor edits • #26410: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26427: (anlutro) git.latest with no rev: fix concatenation error (NoneType and str) • #26307: (cachedout) Fix bug in top file ordering • #26428: (cro) Update docs to reflect new pillar structure • #26429: (cachedout) Add release note regarding tcp transport on freebsd • #26418: (driskell) Fix forward-merged caching from 2015.5 into 2015.8 to be compatible with the new match_func • #26252: (DmitryKuzmenko) Issues/24048 http client 2015.8 • #26413: (evverx) Fix service.{start,restart,reload,force-reload} for masked services • #26393: (dmurphy18) Added option parameters to make_repo to allow for configuration settings • #26422: (TheBigBear) no dots in SLS filename __AND__ any directories (incl git repos) • #26323: (0xf10e) Fix Credentials used in glance Exec Module • #26341: (terminalmage) Rewrite git state and execution modules • #26419: (terminalmage) Only use pygit2.errors if it exists • #26423: (eliasp) doc - Correct function name for peer configuration • #26401: (cachedout) Adapt proxy minion to tornado (w/lint) • #26400: (rallytime) Back-port #26318 to 2015.8 • #26397: (s0undt3ch) A single isinstance() check for all types is enough • #26385: (gtmanfred) don't require volume endpoint in nova driver • #26287: (techhat) Break out SPM components into loaders • #26384: (TheBigBear) Fix shell quoting for cmd.run • #26391: (rallytime) Back-port #26367 to 2015.8 • #26383: (rallytime) Allow the creation of a VM without a profile • #26375: (s0undt3ch) [2015.8] Schema DictItem required attribute fixes • #26363: (garethgreenaway) Fixes to mount state 2015.8 • #26347: (0xf10e) Load 'pkgng' as 'pkg' on FreeBSD 9 when providers:pkg == 'pkgng' • #26361: (TronPaul) sign security token • #26346: (TronPaul) Fix s3 using IAM credentials • #26331: (mnalt) fix bug in sysrc to allow for empty rc variables • #26334: (rallytime) Call salt.utils.cloud.bootstrap in GCE Driver provisioning • #26308: (dmurphy18) Support for environment overrides building packages • #26279: (TheScriptSage) Merge changes for pull`#26083`_ and pull`#25632`_ into 2015.8 • #26224: (cachedout) Cleanup of a few cases to move to salt.utils.fopen • #26260: (nmadhok) Correct spelling of integration in docs • #26226: (rallytime) Fix `#25463`_ • #26248: (nmadhok) Initial commit of unit tests for vmware cloud driver • #26228: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26244: (nmadhok) Backport additions to VMware cloud driver from develop to 2015.8 branch • #26235: (sjorge) salt.utils.is_smartos_zone, inverse of is_smartos_globalzone • #26221: (sjorge) SmartOS grain fixes • #26218: (terminalmage) Add warning about file.recurse unicode errors with vim swap files. • #26214: (rallytime) Back-port #24878 to 2015.8 • #26211: (techhat) Move SPM to its own directory • #26197: (TronPaul) Fix GitFS when whitelisting base • #26200: (anlutro) Make it possible to run salt-cloud as current user • #26201: (kev009) Avoid VBOX storage emulation bugs in FreeBSD disks grain • #26188: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26194: (basepi) Allow virtual grains to be generated even if virt-what is not available • #26176: (rallytime) Back-port #26165 to 2015.8 • #26169: (terminalmage) Fix attribute error in gitfs' find_file functions • #26170: (nmadhok) [Backport] Make sure variable is a dictionary before popping something from it. • #26143: (nmadhok) VMware cloud driver fixes [forward port from 2015.5 into 2015.8] • #26173: (jacobhammons) Updates to cloud docs for the provider > driver change • #26125: (evverx) Use timedatectl set-timezone to tzsetting if available • #26145: (sjorge) smartos_imgadm cleanup • #26148: (terminalmage) Refactor winrepo support • #26128: (sjorge) imgadm.avail should return multiple results • #26109: (jfindlay) fix quote indent • #26089: (anlutro) User state/module: fix coercing of None into string "None" in GECOS • #26081: (cachedout) Move invocation routine up • #26086: (rallytime) Back-port #26019 to 2015.8 • #26087: (rallytime) Back-port #26059 to 2015.8 • #26052: (jtand) Rh_ip fix • #26078: (cachedout) Fix missing key in error return • #26074: (basepi) [2015.8] Re-apply #25358 in 2015.8 • #26069: (jfindlay) fix win_firewall.delete_rule • #26066: (s0undt3ch) [2015.8] Update to latest bootstrap stable release v2015.06.08 • #26049: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #26026: (anlutro) Fix httpasswd result false positive in test mode • #26037: (rallytime) Back-port #25489 to 2015.8 • #26004: (techhat) Allow updating a single SPM repo at a time • #26012: (cachedout) Merge kwargs into opts for tcp client • #26007: (anlutro) file.managed: wrap os.remove in if isfile, don't remove on success • #26009: (terminalmage) Add winrepo and dockerng information to 2015.8.0 release notes • #26006: (basepi) Revert #25727 in favor of #25645 • #26001: (cachedout) Fix failing tests • #25978: (anlutro) Correct service state changes in test mode • #25982: (sjorge) salt.modules.smartos_* limit to global zone only • #25989: (rallytime) Back-port #25832 to 2015.8 • #25988: (cachedout) Move #25642 to 2015.8 • #25999: (s0undt3ch) Include subschema defaults • #25997: (s0undt3ch) Allow getting a defaults dictionary from schema defaults • #25979: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #25902: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #25956: (anlutro) Fix user argument to cron functions • #25946: (sjorge) Fix for salt.utils.decorators under esky • #25957: (anlutro) Remove temporary file after file.managed with checkcmd • #25874: (rallytime) Back-port #25668 to 2015.8 • #25929: (sjorge) salt.module.pkgin's __virtual__() should not return None if pkg_info is not present • #25952: (garethgreenaway) Log when event.fire and event.fire_master fail 2015.8 • #25944: (sjorge) Smartos libcrypto nonesky fix • #25906: (dmurphy18) Cherry-pick of pkgbuild changes from develop branch • #25925: (sjorge) Create default log location in smartos esky buildscript • #25928: (cachedout) Fix stacktrace for non-existant states • #25922: (jacksontj) Correct max_wait -> max_auth_wait in MultiMinion • #25907: (rallytime) Back-port #25892 to 2015.8 • #25910: (terminalmage) Pass osarch to check_32() • #25849: (basepi) Repress template error for GPG renderer (can't seek an OrderedDict) • #25868: (rallytime) Back-port #25404 to 2015.8 • #25896: (cachedout) Lint • #25876: (jacksontj) Fixes for 2015.8 • #25867: (rallytime) Back-port #25370 to 2015.8 • #25845: (jacobhammons) updated versionadded • #25836: (jacksontj) Keep track of SyncWrapper's IOLoop usage • #25859: (0xf10e) warn_until(Carbon,...) instead of Boron • #25505: (0xf10e) Glance state module for 2015.8 "Beryllium" • #25843: (jtand) Fixed a lint error in parsers.py • #25835: (techhat) spm update_repo doesn't always require arguments • #25837: (jacobhammons) regenerated man pages • #25830: (sjorge) Loading of libcrypto on smartos esky fixed • #25808: (jfindlay) add highstate opts to config/__init__.py, update docs • #25820: (sjorge) Prerequisite to fix the smartos libcrypto loading • #25781: (anlutro) Fix iptables.build_rule • #25764: (gtmanfred) allow use of cloudnetworks in ssh_interface • #25736: (jfindlay) insert explicit formatter number • #25742: (rallytime) Back-port #25731 to 2015.8 • #25741: (rallytime) Back-port #25727 to 2015.8 • #25712: (cachedout) Fix outputter for state.apply • #25698: (rallytime) Back-port #25659 to 2015.8 • #25690: (anlutro) Fix highstate duration alignment (again) • #25684: (davidjb) Fix doc around Include/Exclude for states • #25549: (techhat) Switch Scaleway to salt.utils.cloud.bootstrap() • #25667: (jfindlay) add 2015.8.0rc2 autogenerated changelog • #25653: (anlutro) Properly align highstate duration sum • #25663: (rallytime) Back-port #25638 to 2015.8 • #25639: (terminalmage) Don't do pre-flight check on git_pillar if it is not configured • #25587: (cachedout) Fix prereq in salt.state • #25628: (anlutro) Highstate output: show duration in seconds instead of milliseconds when appropriate • #25631: (basepi) Remove trailing whitespace • #25627: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #25626: (basepi) Fix the highstate outputter if 'duration' is not present • #25601: (terminalmage) Fix error message when local bin pkg path is not absolute • #25595: (terminalmage) Bring git_pillar up to feature parity with gitfs • #25619: (cachedout) Lint stateconf changes • #25578: (davidjb) Allow parent relative includes in state files • #25610: (s0undt3ch) [2015.8] Update the bootstrap script to latest release v2015.07.22 • #25599: (jfindlay) fix transport settings in #25596 • #25596: (jfindlay) Tcp test • #25591: (garethgreenaway) Return data for scheduled jobs in 2015.8 default to True. • #25588: (basepi) Fix some of the retcode work from #23105 • #25583: (jtand) Fixed lint error where pprint wasn't imported. • #25572: (rallytime) Back-port #25570 to 2015.8 • #25575: (rallytime) Make Sure Scaleway driver works with deprecation paths • #25564: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #25566: (techhat) Fix download process for SPM repo updates • #25553: (techhat) Switch SoftLayer to salt.utils.cloud.bootstrap() • #25552: (techhat) Update pricing for SoftlayerHW • #25547: (techhat) Switch Parallels to salt.utils.cloud.bootstrap() • #25548: (techhat) Switch Proxmox to salt.utils.cloud.bootstrap() • #25543: (techhat) Switch GCE to salt.utils.cloud.bootstrap() • #25546: (techhat) Switch CloudStack to salt.utils.cloud.bootstrap() • #25558: (cachedout) Lint config_test • #25515: (s0undt3ch) salt.utils.schema fixes • #25514: (garethgreenaway) fixes to schedule.add documentation in 2015.8 • #25508: (s0undt3ch) [2015.8] Update bootstrap script to latest stable release, v2015.07.17 • #25501: (basepi) Add optional job end time to the local_cache returner • #25491: (s0undt3ch) Let's call it for what it is! • #25462: (rallytime) Wrap is_profile_configrured calls in try/except block • #25439: (rallytime) Reduce digital_ocean API call frequency • #25451: (s0undt3ch) Salt-SSH Scan roster bugfixes (And Py3 support) • #25449: (ruzarowski) Exclude dotfiles and directories from minion key lists (Fixes `#25448`_ ) • #25421: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #25412: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #25415: (bechtoldt) [docs] declare YAML as code block • #25407: (rallytime) Back-port #23236 to 2015.8 • #25409: (rallytime) Back-port #24422 to 2015.8 • #25394: (rallytime) Back-port #25355 to 2015.8 • #25393: (rallytime) Back-port #25289 to 2015.8 • #25387: (cachedout) Lint #25319 • #25319: (ruzarowski) [cloud:EC2] Move SourceDest logic to _update_enis and add alias for delete_interface_on_terminate • #25310: (anlutro) Add an "is list" test to the jinja environment • #25264: (ruzarowski) Fix AttributeError in fileserver update_opts • #25372: (rallytime) Don't stacktrace when provisioning instances with softlayer* drivers • #25315: (ruzarowski) [cloud:EC2] Move handling of AssociatePublicIpAddress to associate_eip/allocate_new_eip logic depending on value type • #25312: (ruzarowski) [cloud:EC2] Introduce eni Name property to set name tag value after its creation • #25311: (ruzarowski) [cloud:EC2] Add ability to attach an existing eni • #25280: (rallytime) Remove deprecation warnings for Beryllium • #25329: (twangboy) Fixed some documentation errors • #25300: (s0undt3ch) Fix ordering issue & Added requirements support • #25283: (jfindlay) ensure ret is always defined • #25252: (jfindlay) make args optional with default values in win_firewall.delete_rule • #25257: (notpeter) Document SourceDestCheck added in #25242. • #25298: (twangboy) Continue if profile not found • #25296: (twangboy) Fixed file.comment for windows • #25254: (rallytime) Change versionadded/changed references from Beryllium to 2015.8.0 • #25285: (thusoy) Remove error logging of missing victorops keys • #25266: (ruzarowski) cloud: EC2 eni property SourceDestCheck is a AttributeBooleanValue • #25216: (jfindlay) replace shell code with native python code • #25278: (rallytime) Don't require size for all cloud drivers when checking profile configs • #25271: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #25263: (techhat) Allow non-standard HTTP requests on tornado • #25253: (s0undt3ch) Remove the deprecation warning. The driver has been renamed. • #25248: (techhat) Do not resize while iterating • #25244: (rallytime) Remove parted deprecations and fix failing tests • #25242: (ruzarowski) Make SourceDestCheck flag available to network interface definition • #25226: (nmadhok) Backporting fix for issue `#25223`_ on 2015.8 branch • #25234: (krak3n) Fix: Bug in boto_asg state argument passing to boto_asg module • #25222: (rallytime) Back-port #25219 to 2015.8 • #25188: (rallytime) Use linode status descriptions instead of ints when logging status to CLI • #25203: (s0undt3ch) Added DictConfig with tests & More tests • #25189: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • #25184: (rallytime) Back-port #25126 to 2015.8 • #25172: (s0undt3ch) Comment out imports while the YAML and RST rendering is not in-place. • #25158: (s0undt3ch) Comment out not implemented code • #25145: (s0undt3ch) Implement oneOf, anyOf, allOf and not with unit tests • #25140: (s0undt3ch) Make the detection code work under Python 3.4 • #25131: (s0undt3ch) Array support in salt.utils.config • #25130: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 The 2015.8.0 feature release of Salt contains several major new features. As usual the release notes are not exhaustive and primarily include the most notable additions and improvements. Hundreds of bugs have been fixed and many modules have been substantially updated and added. New SaltStack Installation Repositories SaltStack now provides installation repositories for several platforms, with more to come. See the following links for instructions: • Red Hat / CentOS 5, 6, 7 • Debian 8 • Windows • FreeBSD Send Event on State Completion A fire_event global state keyword argument was added that allows any state to send an event upon completion. Useful for custom progress bars and checking in on long state runs. See fire_event. ZeroMQ socket monitoring If zmq_monitor is enabled, log all ZMQ events for socket monitoring purposes. Verbose, but useful. SPM (Salt Package Manager) Allows Salt formulas to be packaged for ease of deployment. See spm. NOTE: The spm executable was not included in the Debian or Ubuntu packages for the 2015.8.0 or the 2015.8.1 releases. This executable will be included in an upcoming release. As a workaround, copy the SPM script from the salt library installation into /usr/local/bin or your local equivalent. Specify a Single Environment for Top Files A new default_top option was added to load the state top file from a single, specific environment, rather than merging top data across all environments. Additionally, new top_file_merge_strategy and env_order options were added for more control over top file merging. See The Top File. Tornado TCP Transport Implemented a pure-TCP transport, in addition to ZeroMQ and RAET. The new transport uses Tornado, which allows Salt to use a standardized set of libraries for asynchronous behavior, which should greatly improve reliability and performance. NOTE: Tornado is considered expiremental in this release. The following known issues were being investigated at the time of release: • TCP tests show performance degredation over time (issue 26051) • TCP transport stacktrace on windows minion: Future exception was never retrieved (issue 25718) • [freebsd] TCP transport not working in 2015.8.0rc3 (issue 26364) Proxy Minion Enhancements Proxy Minions have undergone a significant overhaul in 2015.8, see Proxy Minion Enhancements. Engines Salt engines are long-running, external processes that leverage Salt. See Salt Engines. Core Changes • Add system version info to versions_report, which appears in both salt --versions-report and salt '*' test.versions_report. Also added is an alias test.versions to test.versions_report. (issue 21906) • Add colorized console logging support. This is activated by using %(colorlevel)s, %(colorname)s, %(colorprocess)s, %(colormsg)s in log_fmt_console in the config file for any of salt-master, salt-minion, and salt-cloud. Git Pillar The git external pillar has been rewritten to bring it up to feature parity with gitfs. Support for pygit2_ has been added, bringing with it the ability to access authenticated repositories. Using the new features will require updates to the git ext_pillar configuration, further details can be found in the pillar.git_pillar docs. Salt Cloud Improvements • Pricing data from several cloud providers (GCE, DigitalOcean, SoftLayer_HW, EC2) • All cloud providers now use standardized bootstrapping code. • Modified the Linode Salt Cloud driver to use Linode's native API instead of depending on apache-libcloud or linode-python. Salt Cloud Changes • Changed the default behavior of rename_on_destroy to be set to True in the EC2 and AWS drivers. • Changed the default behavior of the EC2 and AWS drivers to always check for duplicate names of VMs before trying to create a new VM. Will now throw an error similarly to other salt-cloud drivers when trying to create a VM of the same name, even if the VM is in the terminated state. • When querying for VMs in digital_ocean.py, the number of VMs to include in a page was changed from 20 (default) to 200 to reduce the number of API calls to Digital Ocean.Ocean. State and Execution Module Improvements • New and improved Docker state and execution modules (state and execution module). Git State and Execution Modules Rewritten The git state and execution modules have gone through an extensive overhaul. Changes in the git.latest State • The branch argument has been added, allowing for a custom branch name to be used in the local checkout maintained by the git.latest state. This can be helpful in avoiding ambiguous refs in the local checkout when a tag is used as the rev argument. If no branch is specified, then the state uses the value of rev as the branch name. • The always_fetch argument no longer has any effect, and will be removed in a future release. The state now detects whether or not a fetch is needed based on comparisons made between the local and remote repositories. • The force_fetch argument has been added to force a fetch if the fetch is not a fast-forward (for instance, if someone has done a reset and force-pushed to the remote repository). • The remote_name argument has been deprecated and renamed to remote. • The force argument has been deprecated and renamed to force_clone to reduce ambiguity with the other "force" arguments. • Using SHA1 hashes (full or shortened) in the rev argument is now properly supported. • Non-fast-forward merges are now detected before the repository is updated, and the state will not update the repository if the change is not a fast-forward. Non-fast-forward updates must be overridden with the force_reset argument. If force_reset is set to True, the state will only reset the repository if it cannot be fast-forwarded. This is in contrast to the earlier behavior, in which a hard-reset would be performed every time the state was run if force_reset was set to True. • A git pull is no longer performed by this state, dropped in favor of a fetch-and-merge (or fetch-and-reset) workflow. git.config_unset state added This state allows for configuration values (or entire keys) to be unset. See here for more information and example SLS. git.config State Renamed to git.config_set To reduce confusion after the addition of git.config_unset, the git.config state has been renamed to git.config_set. The old config.get name will still work for a couple releases, allowing time for SLS files to be updated. In addition, this state now supports managing multivar git configuration values. See here for more information and example SLS. Initial Support for Git Worktrees in Execution Module Several functions have been added to the execution module to manage worktrees (a feature new to Git 2.5.0). State support does not exist yet, but will follow soon. New Functions in Git Execution Module • git.config_get_regexp • git.config_unset • git.is_worktree • git.list_branches • git.list_tags • git.list_worktrees • git.merge_base • git.merge_tree • git.rev_parse • git.version • git.worktree_rm • git.worktree_add • git.worktree_prune Changes to Functions in Git Execution Module git.add • --verbose is now implied when running the git add command, to provide a list of the files added in the return data. git.archive • Now returns True when the git archive command was successful, and otherwise raises an error. • The overwrite argument has been added to prevent an existing archive from being overwritten by this function. • The fmt argument has been deprecated and renamed to format. • Trailing slash no longer implied in prefix argument, must be included if this argument is passed. git.checkout • The rev argument is now optional when using -b or -B in opts, allowing for a branch to be created (or reset) using HEAD as the starting point. git.clone • The name argument has been added to specify the name of the directory in which to clone the repository. If this option is specified, then the clone will be made within the directory specified by the cwd, instead of at that location. • The repository argument has been deprecated and renamed to url. git.config_get • The setting_name argument has been deprecated and renamed to key. • The global argument has been added, to query the global git configuration • The all argument has been added to return a list of all values for the specified key, allowing for all values in a multivar to be returned. • The cwd argument is now optional if global is set to True git.config_set • The value(s) of the key being set are now returned • The setting_name argument has been deprecated and renamed to key. • The setting_value argument has been deprecated and renamed to value. • The is_global argument has been deprecated and renamed to global. • The multivar argument has been added to specify a list of values to set for the specified key. The value argument is not compatible with multivar. • The add argument has been added to add a value to a key (this essentially just adds an --add to the git config command that is run to set the value). git.fetch • The force argument has been added to force the fetch when it is not a fast-forward. This could have been achieved in previous Salt versions by including --force in the opts argument, this argument is just for convenience and to match the usage of other functions with force arguments. • The refspecs argument has been added to allow for one or more refspecs to be provided which override the one(s) specified by the remote.remote_name.fetch git configuration option. git.ls_remote • The repository argument has been deprecated and renamed to remote. • The branch argument has been deprecated and renamed to ref. • The opts argument has been added to allow for additional CLI options to be passed to the git ls-remote command. git.merge • The branch argument has been deprecated and renamed to rev. git.status • Return data has been changed from a list of lists to a dictionary containing lists of files in the modified, added, deleted, and untracked states. git.submodule • Added the command argument to allow for operations other than update to be run on submodules, and deprecated the init argument. To do a submodule update with init=True moving forward, use command=update opts='--init'. • OpenStack Glance API V2 execution module • Amazon VPC state module • RallyDev execution module • BambooHR execution module • Stormpath execution, state modules • Remove unused argument timeout in jboss7.status. • Deprecate enabled argument in pkgrepo.managed in favor of disabled. • Archive module changes: In the archive.tar and archive.cmd_unzip module functions, remove the arbitrary prefixing of the options string with -. An options string beginning with a --long-option, would have uncharacteristically needed its first - removed under the former scheme. Also, tar will parse its options differently if short options are used with or without a preceding -, so it is better to not confuse the user into thinking they're using the non- - format, when really they are using the with- - format. • Added __states__ to state modules, for cross-calling states. This enables using existing states when writing custom states. See cross calling states. Windows Improvements • Enhanced the windows minion silent installation with command line parameters to configure the salt master and minion name. See Silent Installer Options. • Improved user management with additional capabilities in the user module for Windows. • Improved patch management with a new module for managing windows updates (win_wua). • Turned on multi-processing by default for windows in minion configuration. Windows Software Repo Changes A next-generation (ng) windows software repo is available for 2015.8.0 and later minions. When using this new repository, the repo cache is compiled on the Salt Minion, which enables pillar, grains and other things to be available during compilation time. See the Windows Software Repository documentation for more information. Changes to legacy Windows repository If you have pre 2015.8 Windows minions connecting to your 2015.8 Salt master, you can continue to use the legacy Windows repository for these Salt minions. If you were previously using this repository and have customized settings, be aware that several config options have been renamed to make their naming more consistent. See the Windows Software Repository documentation for more information. Win System Module The unit of the timeout parameter in the system.halt, system.poweroff, system.reboot, and system.shutdown functions has been changed from seconds to minutes in order to be consistent with the linux timeout setting. (issue 24411) Optionally, the unit can be reverted to seconds by specifying in_seconds=True. Other Improvements • Sanitize sensitive fields in http.query • Allow authorization to be read from Django and eauth • Add templating to SMTP returner • New REST module for SDB • Added rest_timeout config option and timeout argument to jobs api call • Provide config options for Raet lane and road buffer count. (Useful for BSD kernels) • Implemented ZeroMQ socket monitor for master and minion • Add end time to master job cache for jobs (optional, off by default) • Tornado is now the default backend for http.request • Support pillarenv selection as it's done for saltenv • salt was updated to use python-crypto version 2.6.1, which removes the dependency on python-m2crypto. Deprecations • The digital_ocean.py Salt Cloud driver was removed in favor of the digital_ocean_v2.py driver as DigitalOcean has removed support for APIv1. The digital_ocean_v2.py was renamed to digital_ocean.py and supports DigitalOcean's APIv2. • The vsphere.py Salt Cloud driver has been deprecated in favor of the vmware.py driver. • The openstack.py Salt Cloud driver has been deprecated in favor of the nova.py driver. • The use of provider in Salt Cloud provider files to define cloud drivers has been deprecated in favor of using driver. Both terms will work until the Nitrogen release of Salt. Example provider file: my-ec2-cloud-config: id: 'HJGRYCILJLKJYG' key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn' private_key: /etc/salt/my_test_key.pem keyname: my_test_key securitygroup: default driver: ec2 • The use of lock has been deprecated and from salt.utils.fopen. salt.utils.flopen should be used instead. • The following args have been deprecated from the rabbitmq_vhost.present state: user, owner, conf, write, read, and runas. • The use of runas has been deprecated from the rabbitmq_vhost.absent state. • Support for output in mine.get was removed. --out should be used instead. • The use of delim was removed from the following functions in the match execution module: pillar_pcre, pillar, grain_pcre, Security Fixes CVE-2015-6918 - Git modules leaking HTTPS auth credentials to debug log Updated the Git state and execution modules to no longer display HTTPS basic authentication credentials in loglevel debug output on the Salt master. These credentials are now replaced with REDACTED in the debug output. Thanks to Andreas Stieger <‐ asteiger@suse.com> for bringing this to our attention. Major Bug Fixes • Fixed minion failover to next master on DNS errors (issue 21082) • Fixed memory consumption in SaltEvents (issue 25557) • Don't lookup outside system path in which() util (issue 24085) • Fixed broken jobs rest api call (issue 23408) • Fixed stale grains data using in modules (issue 24073) • Added ssh_identities_only config flag for ssh-agent configured environments (issue 24096) • Fixed "object has no attribute" errors for Raet transport (issue 21640) • Flush event returners before master exit (issue 22814) • Fix CommandExecutionError in grains generation with lspci missing (issue 23342) • Fix salt-ssh against CentOS 7 when python-zmq not installed (issue 23503) • Fix salt-ssh issues related to out-of-date six module (issue 20949) • Fix salt-ssh thin generation after previous run was interrupted (issue 24376) • Use proper line endings on Windows with "file.managed" w/contents (issue 25675) • Fixed broken comment/uncomment functions in file.py (issue 24620) • Fixed problem with unicode when changing computer description (issue 12255) • Fixed problem with chocolatey module not loading (issue 25717) • Fixed problem adding users to groups with spaces in the name (issue 25144) • Fixed problem adding full name to user account (issue 25206) • Fixed gem module stack trace (issue 21041) • Fixed problem with file.managed when test=True (issue 20441) • Fixed problem with powershell hanging while waiting for user input (issue 13943) • Fixed problem where the salt-minion service would not consistently start (issue 25272) • Fixed problem where pkg.refresh_db would return True even when winrepo.p was not found (issue 18919) • Could someone please provide end to end example for Proxy Minion with REST (issue 25500) • Proxy minions stopped working between 2014.7 and 2015.5 (issue 25053) • Proxy minion documentation includes outdated code sample (issue 24018) • Proxy Minion documentation missing grains example (issue 18273) • Improve process management in proxy minion (issue 12024) • Proxy minion never comes up with message ' I am XXX and I am not supposed to start any proxies.' (issue 25908) • Fixed an issue that caused an exception when using Salt mine from pillar. (issue 11509) Salt 2015.8.1 Release Notes Version 2015.8.1 is a bugfix release for 2015.8.0. Security Fixes CVE-2015-6941 - win_useradd module and salt-cloud display passwords in debug log Updated the win_useradd module return data to no longer include the password of the newly created user. The password is now replaced with the string XXX-REDACTED-XXX. Updated the Salt Cloud debug output to no longer display win_password and sudo_password authentication credentials. Also updated the Linode driver to no longer display authentication credentials in debug logs. These credentials are now replaced with REDACTED in the debug output. CVE-2015-6918 - Git modules leaking HTTPS auth credentials to debug log Updated the Git state and execution modules to no longer display HTTPS basic authentication credentials in loglevel debug output on the Salt master. These credentials are now replaced with REDACTED in the debug output. Thanks to Andreas Stieger <‐ asteiger@suse.com> for bringing this to our attention. Major Bug Fixes • Add support for spm.d/*.conf configuration of SPM (issue 27010) • Fix proxy grains breakage for non-proxy minions (issue 27039) • Fix global key management for git state • Fix passing http auth to util.http from state.file (issue 21917) • Fix multiprocessing: True in windows (on by default`) • Add pkg.info to pkg modules • Fix name of serial grain (this was accidentally renamed in 2015.8.0`) • Merge config values from master.d/minion.d conf files (rather than flat update`) • Clean grains cache on grains sync (issue 19853) • Remove streamed response for fileclient to avoid HTTP redirection problems (issue 27093) • Fixed incorrect warning about osrelease grain (issue 27065) • Fix authentication via Salt-API with tokens (issue 27270) • Fix winrepo downloads from https locations (issue 27081) • Fix potential error with salt-call as non-root user (issue 26889) • Fix global minion provider overrides (issue 27209) • Fix backward compatibility issues for pecl modules • Fix Windows uninstaller to only remove ./bin, salt*, nssm.exe, uninst.exe (issue 27383) • Fix misc issues with mongo returner. • Add sudo option to cloud config files (issue 27398) • Fix regression in RunnerClient argument handling (issue 25107) • Fix dockerng.running replacing creation hostconfig with runtime hostconfig (issue 27265) • Fix dockerng.running replacing creation hostconfig with runtime hostconfig (issue 27265) • Increased performance on boto asg/elb states due to __states__ integration • Windows minion no longer requires powershell to restart (issue 26629) • Fix x509 module to support recent versions of OpenSSL (issue 27326) • Some issues with proxy minions were corrected. Known Issues: • Proxy minions currently cannot execute a highstate because of the way the proxymodule is being loaded internally. This will be fixed in a future release. Changes for v2015.8.0..v2015.8.1 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2015-10-01T04:45:02Z Total Merges: 200 Changes: • PR #27584: (jacobhammons) added changes list to 2015.8.1 release notes • PR #27575: (rallytime) Don't report existing instances as running only if they're actually terminated in EC2 • PR #27573: (basepi) [2015.8] Use the custom yaml serializer for minion_opts for salt-ssh • PR #27514: (clinta) Recent Versions of OpenSSL don't allow importing incomplete PEMs • PR #27564: (jacobhammons) Man pages • PR #27522: (twangboy) Removed dependency on powershell to restart salt-minion • PR #27550: (rallytime) [2015.8] Clean up salt-cloud logging and make it more useful • PR #27517: (jacobhammons) Updated install docs • PR #27526: (eliasp) Add missing newlines before param listing to fix doc rendering • PR #27525: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #27513: (terminalmage) Fix integration tests for worktree addition in git >= 2.6 • PR #27510: (rallytime) Merge #27475 with test fixes • PR #27451: (ticosax) [dockerng] Enforce usage of host_config and require docker-py>=1.4.0 • PR #27461: (cachedout) Only clean context if it exists • PR #27473: (terminalmage) salt.utils.gitfs: Don't use close_fds=True on Windows • PR #27496: (blueyed) Fix version reporting of gitpython • PR #27502: (ticosax) Add test to check we don't call inspect_image on absent images. • PR #27497: (blueyed) dockerng: fix image_present for forced, non-existent image • PR #27411: (terminalmage) Fix invocation of git.config_get and git.config_set • PR #27477: (terminalmage) Don't append role to hash_cachedir • PR #27474: (whiteinge) Add fake pymongo version attribute for the docs • PR #27466: (blueyed) Fix version reporting of python-gnupg and mysql-python • PR #27465: (ticosax) Fix usage of dockerng "cmd" was #27459 • PR #27417: (whiteinge) Backport #25243 into 2015.8 • PR #27423: (dmurphy18) Changes to support configurable repository for Debian / Ubuntu • PR #27428: (rallytime) Back-port #27398 to 2015.8 • PR #27429: (rallytime) Back-port #27344 to 2015.8 • PR #27450: (ticosax) [dockerng] Fix typo in docstring • PR #27430: (jacksontj) Fix bug introduced in eee0291ff8b65ff1e22f4dc2447a74aa28a3ce7f • PR #27418: (terminalmage) Don't always remove dest path in salt.utils.files.rename() • PR #27383: (twangboy) Uninstaller only removes specific files and dirs • PR #27416: (rallytime) Back-port #27399 to 2015.8 • PR #27394: (jacksontj) Remove streamed response for fileclient to avoid HTTP redirection problems • PR #27415: (ryan-lane) Backwards compat fixes for pecl module • PR #27407: (meggiebot) Adding stretch label definition • PR #27388: (basepi) [2015.8] Fix global provider overrides • PR #27386: (rallytime) Document tty: True usage in salt-ssh roster file • PR #27380: (jtand) Skipping Async tests • PR #27382: (terminalmage) Revert "fixes `#27217`_ clear_old_remotes clears wrong directory (gitfs)" • PR #27361: (cro) Correct some issues with proxy minions • PR #27364: (ruzarowski) SaltCloud[EC2] Fix missing credentials in modify_eni_properties api call • PR #27349: (jfindlay) add freebsd install docs to release notes • PR #27343: (cachedout) Close io loop before deleting attribute • PR #27337: (rallytime) [2015.8] Fixup salt-cloud logging • PR #27332: (terminalmage) Adjust dockerng/dockerio docstrings • PR #27353: (cachedout) Fix case where var not set in config • PR #27350: (rallytime) Allow IP-forwarding in GCE driver • PR #27305: (cachedout) Re-init logging system on Windows when using multiprocessing • PR #27331: (terminalmage) dockerng: Allow both cmd and command to be used to specify command • PR #27327: (isbm) Fix a typo in the RPM output • PR #27312: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #27303: (jacobhammons) Updated module doc index using https://github.com/saltstack/salt/pull… • PR #27301: (twangboy) Pass ca_bundle for windows (fixes SSL Error) • PR #27300: (rallytime) Back-port #27287 to 2015.8 • PR #27288: (rallytime) Filter on 'name', not 'id', when listing images • PR #27283: (jtand) __grains__['osrelease'] returns a string • PR #27276: (rallytime) Back-port #27218 to 2015.8 • PR #27275: (rallytime) Back-port #27213 to 2015.8 • PR #27274: (rallytime) Back-port #27272 to 2015.8 • PR #27271: (isbm) Bugfix: crash on token authentication via API • PR #27251: (rallytime) Add support for post_uri in SoftLayer cloud drivers • PR #27260: (bechtoldt) add missing module doc references • PR #27254: (jfindlay) 2015.2,2015.8,Beryllium -> 2015.8.0 • PR #27245: (rallytime) If two ssh keynames are found in DigitalOcean, abort and warn the user. • PR #27241: (jfindlay) osrelease is only an integer for fedora • PR #27234: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #27240: (isbm) Backport of the fix of 'pkg.info*' for Beryllium • PR #27223: (pprkut) Support firewalld per interface zone config on rh7 systems • PR #27238: (bechtoldt) salt.modules.disk.percent() throws KeyError when partition doesn't exist • PR #27232: (basepi) [2015.8] Add stub release notes for 2015.8.1 • PR #27199: (rallytime) Avoid RunTimeError (dictionary changed size during iteration) with keys() • PR #27206: (rallytime) Don't repeat GCE setup instructions, and make the use of .json files clearer • PR #27210: (rallytime) Refactor some digital ocean functions • PR #27197: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #27195: (jacobhammons) Fixed sphinx / latex build warnings and errors • PR #27182: (bernieke) fix restart_on_error • PR #27163: (terminalmage) Workaround upstream tornado bug affecting redirects • PR #27177: (rallytime) Remove note - incorrect info • PR #27173: (rallytime) Add the ability to specify multiple disks on the SoftLayer driver • PR #27164: (rallytime) Make sure changes from #26824 to digital_ocean_v2.py driver make it to digital_ocean.py in 2015.8 • PR #27143: (cachedout) Clean grains cache on grains sync • PR #27150: (cachedout) Merge config values from master.d/minion.d conf files • PR #27137: (jfindlay) revert serial grain regression • PR #27144: (rallytime) Don't stacktrace on softlayer_hw.show_all_prices if a code isn't supplied • PR #27139: (jacobhammons) Updated key instruction on rhel7 • PR #27134: (isbm) Backport to 2015.8: "pkg.info" • PR #27119: (l2ol33rt) Boto dynamodb module should be using layer 2 abstractions • PR #27092: (perfinion) salt/master: chdir to root not homedir • PR #27131: (jacobhammons) Install docs • PR #27124: (jfindlay) Backport #27123 • PR #27111: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #27122: (terminalmage) Fix broken link to git-config(1) docs • PR #27115: (jacobhammons) Release docs • PR #27110: (rallytime) Make sure -Q output is consistent across salt-cloud drivers • PR #27050: (twangboy) Turned multiprocessing on • PR #27086: (techhat) Document development of SPM loader modules • PR #26941: (msteed) Make elasticsearch work as master job cache • PR #27080: (bechtoldt) [Proposal] Add Github SPM label for issues • PR #27064: (twangboy) Fixed user docs • PR #27072: (rallytime) Back-port #26840 to 2015.8 • PR #27060: (cro) Fix grains breakage when hosts are not Linux, Windows, or SunOS • PR #27051: (rallytime) Back-port #26953 to 2015.8 • PR #26864: (terminalmage) Only do git_pillar preflight checks on new-style git_pillar configs • PR #26967: (TheBigBear) new URL for windows salt downloads • PR #26921: (terminalmage) Get rid of error in legacy git pillar when using branch mapping notation • PR #26923: (rallytime) Code clean up of cloud drivers and files • PR #27010: (rallytime) Back-port #26988 to 2015.8 • PR #26985: (rallytime) Fix versionadded tag Salt 2015.8.2 Release Notes NOTE: A significant orchestrate issue #29110 was discovered during the release process of 2015.8.2, so it has not been officially released. Please use 2015.8.3 instead. Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2015-11-13T17:24:04Z Total Merges: 378 Changes: • PR #28730: (garethgreenaway) Fixes to how return_job is handled in the scheduler for the salt master. • PR #28848: (cro) Lint • PR #28842: (cachedout) Add transport setting to shell test • PR #28837: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28827: (jacksontj) Cleanup virtual_timer in loader • PR #28836: (cachedout) Cast to dict to fix wheel tests in tcp • PR #28834: (cachedout) Fix breakage in tcp server • PR #28804: (cachedout) TCP test fixes • PR #28826: (basepi) [2015.8] Add new tornado deps to salt-ssh thin • PR #28759: (jfindlay) simplify stdin use of stdin in at.present state • PR #28824: (rallytime) Back-port #28778 and #28820 to 2015.8 • PR #28803: (jfindlay) decode strings to utf-8 • PR #28782: (rallytime) Fixes to rabbitmq user state • PR #28789: (nmadhok) Provide ability to enable/disable customization for newly create VMs using VMware salt-cloud driver • PR #28768: (mrosedale) 2015.8 • PR #28772: (rallytime) rabbitmq.list_user_permissions returns a dict, not a list. Don't expect a list. • PR #28774: (rallytime) Back-port #28725 to 2015.8 • PR #28775: (rallytime) Back-port #28740 to 2015.8 • PR #28755: (rallytime) Move most vmware driver list_* functions to use salt.utils.vmware functions • PR #28744: (jfindlay) import gate elementtree • PR #28758: (jfindlay) remove redundant logic in useradd execution module • PR #28757: (mbarrien) Bug fix: pip command to not quote spaces in cmd line args • PR #28764: (multani) Various documentation fixes • PR #28752: (aboe76) Update openSUSE grain for tumbleweed • PR #28713: (hexedpackets) Rename consul.list to consul.list_keys. • PR #28719: (jacobhammons) removed dependencies info from docs • PR #28709: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28710: (rallytime) Pass kwargs correctly to _get_group from get_group_id • PR #28698: (rallytime) Back-port #28530 to 2015.8 • PR #28700: (rallytime) Back-port #28679 to 2015.8 • PR #28695: (s0undt3ch) [2015.8] Update to latest bootstrap script v2015.11.09 • PR #28656: (clarkperkins) `#28526`_ fixed yumpkg module issue with pkg.installed • PR #28672: (jfindlay) add OS grain support for SuSE Leap • PR #28673: (jfindlay) add hidden_opts to mount.mounted • PR #28667: (cro) saltutil.sync_all should sync proxymodules as well as the rest. • PR #28665: (jfindlay) fixes to windows execution and state modules • PR #28660: (techhat) Don't sign empty regions • PR #28632: (terminalmage) Fixes/improvements to pkgbuild state/modules • PR #28658: (techhat) Remove _pkgdb_fun() references • PR #28653: (rallytime) Provide possible parameters for boto_rds.present engine values • PR #28649: (bdrung) Fix OS related grains on Debian • PR #28646: (rallytime) Back-port #28614 to 2015.8 • PR #28647: (rallytime) Back-port #28624 to 2015.8 • PR #28648: (rallytime) Merge branch '2015.5' into '2015.8' • PR #28638: (anlutro) Salt-SSH: Return more concise error when SSH command fails • PR #28644: (pass-by-value) Make sure versionchanged is correct • PR #28615: (The-Loeki) Fixes to FreeBSD pkg • PR #28613: (cachedout) Add facility to deepcopy bound methods in Py2.6 and apply to grains • PR #28612: (rallytime) Remove unsupported storage_type argument for parity with boto_rds module • PR #28611: (rallytime) [2015.8] Be explicit about salt.utils.vmware function calls • PR #28610: (pass-by-value) Lxc config additions • PR #28602: (nasenbaer13) Allow setting of custom dimensions in asg alarm specification • PR #28596: (rallytime) Merge branch '2015.5' into '2015.8' • PR #28593: (blueyed) doc: fix typo with salt.states.file: s/preseve/preserve/ • PR #28578: (twangboy) Fixed the script... something got broke... • PR #28579: (jfindlay) fix __virtual__ returns: tls,uptime mods • PR #28584: (rallytime) If AssociatePublicIpAddress is set to True, don't auto-assign eip. • PR #28576: (jacksontj) Only encode the zmq message once • PR #28587: (cachedout) Reset yaml rendering hooks to avoid leaks • PR #28581: (basepi) Revert b4875e585a165482c4c1ddc8987d76b0a71ef1b0 • PR #28573: (jacksontj) Add body to salt.utils.http.query returns • PR #28564: (s0undt3ch) [2015.8] Update to latest bootstrap script v2015.11.04 • PR #28561: (Oro) Issue `#28527`_ boto_rds.create does not work • PR #28560: (bdrung) Fix various typos • PR #28550: (jfindlay) check timedatectl errno and return stdout on failure • PR #28545: (jfindlay) pass on concurrent create of jid_dir in local_cache • PR #28544: (rallytime) Start moving some vmware.py cloud funcs to utils/vmware.py • PR #28543: (gtmanfred) clean up changes for pkg.uptodate and supervisord.dead • PR #28538: (jfindlay) decode path and url to utf-8 in url.create • PR #28533: (jfindlay) decode highstate error messages to utf-8 • PR #28547: (nmadhok) [Backport] [2015.8] Tasks can be in queued state instead of running • PR #28535: (techhat) Fail gracefully if 169.254* isn't available • PR #28536: (cro) Default configuration file for proxy minions. • PR #28534: (rallytime) Add versionadded directive for vpc_name arg in boto_secgroup.present • PR #28516: (rallytime) Back-port #28489 to 2015.8 • PR #28506: (basepi) [2015.8] Log minion list for all rosters, at debug level • PR #28514: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28502: (cachedout) Lint #28427 • PR #28464: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28486: (rallytime) Back-port #26945 to 2015.8 • PR #28472: (gtmanfred) overwrite more than one value with names • PR #28493: (rallytime) Back-port #28492 to 2015.8 • PR #28494: (whiteinge) Fix filter_by passing incorrect parameters to match functions • PR #28491: (rallytime) Back-port #28388 to 2015.8 • PR #28465: (twangboy) Fix `#12363`_ : Password Expiration in Windows • PR #28485: (nasenbaer13) Fix invalid usage of _get_conn causing `#28484`_ • PR #28454: (sdm24) Fixed nodegroup doc formatting to correctly link to pillar_opts in the master config • PR #28487: (cachedout) Lint 28456 • PR #28457: (sdm24) Clarified comments for grains/core.py for ip_interfaces, ip4_interfac… • PR #28473: (anlutro) Show check_cmd output on failure • PR #28460: (jtand) Skipped wipefs test if wipefs does not exist on OS • PR #28426: (terminalmage) pkgbuild.built: make template engine optional • PR #28422: (cachedout) Handle windows logging on thread_multi [WIP] • PR #28425: (twangboy) Fix `#13513`_ - Reflection • PR #28417: (rallytime) Add note about azure sdk version to getting started docs • PR #28410: (jacksontj) Add retries to the zeromq.AsyncReqMessageClient • PR #28404: (rallytime) Back-port #28395 to 2015.8 • PR #28405: (opdude) Detect legacy versions of chocolatey correctly • PR #28187: (sjansen) fix at.present • PR #28375: (merll) Merge pillar includes correctly • PR #28376: (ryan-lane) Support update of route53 records with multiple values • PR #28377: (terminalmage) Deprecate 'always' in favor of 'force' in pkgbuild.built • PR #28380: (cro) Add missing call for service provider • PR #28348: (jfindlay) salt.utils.alias informs user they are using a renamed function • PR #28364: (jtand) In CentOS 5 the .split() causes a stacktrace. • PR #28361: (rallytime) Back-port #28087 to 2015.8 • PR #28360: (multani) Various documentation fixes • PR #28370: (rallytime) Back-port #28276 to 2015.8 • PR #28353: (merll) Consider each pillar match only once. • PR #28334: (anlutro) iptables needs -m comment for --comment to work • PR #28340: (jfindlay) sdecode file and dir lists in fileclient • PR #28344: (ryan-lane) Fix iptables state for non-filter tables • PR #28343: (rallytime) Back-port #28342 to 2015.8 • PR #28330: (rallytime) Back-port #28305 to 2015.8 • PR #28270: (rallytime) Refactor RabbitMQ Plugin State to correctly use test=true and format errors • PR #28269: (rallytime) Refactor rabbitmq_user state to use test=True correctly • PR #28299: (rallytime) Add test for availability_zone check to boto_vpc_tests • PR #28306: (sdm24) Updated the Nodegroup docs to include how to target nodegroups in SLS Jinja • PR #28308: (rallytime) Firewalld state services should use --add-service, not --new-service • PR #28302: (DmitryKuzmenko) Always close socket even if there is no stream. • PR #28282: (keesbos) Fix for __env__ in legacy git_pillar • PR #28258: (pass-by-value) Add service module for ssh proxy example • PR #28294: (bechtoldt) correct a bad default value in http utility • PR #28185: (jtand) Added single package return for latest_version, fixed other bug. • PR #28297: (cachedout) Lint fix proxy junos • PR #28210: (terminalmage) Fix for ext_pillar being compiled twice in legacy git_pillar code • PR #28265: (jfindlay) fix blockdev execution and state modules • PR #28266: (rallytime) Back-port #28260 to 2015.8 • PR #28253: (rallytime) Back-port #28063 to 2015.8 • PR #28231: (rallytime) Make sure we're compairing strings when getting images in the DO driver • PR #28224: (techhat) Optimize create_repo for large packages • PR #28214: (rallytime) Don't stacktrace if invalid credentials are passed to boto_route53 state • PR #28228: (rallytime) Back-port #27562 to 2015.8 • PR #28232: (rallytime) Add documentation to supply the ssh_username: freebsd config to DO docs • PR #28198: (jacobhammons) Added note regarding missing spm exe on Debian/Ubuntu • PR #28182: (erchn) Some fixes for nova driver for Rackspace • PR #28181: (rallytime) Revamp firewalld state to be more stateful. • PR #28176: (cro) Add ping function • PR #28167: (The-Loeki) file.serialize needs to add a final newline to serialized files • PR #28168: (rallytime) Make sure availability zone gets passed in boto_vpc module when creating subnet • PR #28148: (basepi) [2015.8] Only expand nodegroups to lists if there is a nested nodegroup • PR #28155: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28149: (pass-by-value) Add clarification to cloud profile doc about host • PR #28146: (cachedout) Lint dracr.py • PR #28141: (rallytime) Don't use RAM for root disk size in linode.py • PR #28143: (jtand) Removed blank line at end of chassis.py • PR #28021: (blueyed) Handle includes in include_config recursively • PR #28095: (rallytime) Back-port #28001 to 2015.8 • PR #28096: (rallytime) Back-port #28061 to 2015.8 • PR #28139: (rallytime) Back-port #28103 to 2015.8 • PR #28098: (jacksontj) For all multi-part messages, check the headers. If the header is not … • PR #28134: (bernieke) fix unicode pillar values `#3436`_ • PR #28076: (redmcg) Replace option 'i' with an explicit queryformat • PR #28119: (jacksontj) Check if the remote exists before casting to a string. • PR #28105: (jfindlay) add reason for not loading localemod • PR #28108: (cachedout) Set logfile permsissions correctly • PR #27922: (cro) WIP States/Modules for managing Dell FX2 chassis via salt-proxy • PR #28104: (pass-by-value) Add documentation for proxy minion ssh • PR #28020: (DmitryKuzmenko) LazyLoader deepcopy fix. • PR #27933: (eliasp) Provide all git pillar dirs in opts[pillar_roots] • PR #28013: (rallytime) Back-port #27891 to 2015.8 • PR #28018: (rallytime) Add example to Writing Grains of how grains can be loaded twice • PR #28084: (cachedout) #28069 with lint • PR #28079: (The-Loeki) Fix for trace dump on failing imports for win32com & pythoncom 4 win_task • PR #28081: (The-Loeki) fix for glance state trace error on import failure • PR #28066: (jacksontj) Use the generic text attribute, not .body of the handler • PR #28019: (rallytime) Clean up version added and deprecated msgs to be accurate • PR #28058: (rallytime) Back-port #28041 to 2015.8 • PR #28055: (rallytime) Back-port #28043 to 2015.8 • PR #28046: (pass-by-value) Add pkg install and remove functions • PR #28050: (ryan-lane) Use a better method for checking dynamodb table existence • PR #28042: (jfindlay) fix repo path in ubuntu installation documentation • PR #28033: (twangboy) Fixed win_useradd.py • PR #28027: (cro) Make ssh conn persistent. • PR #28029: (jacobhammons) Updated release notes with additional CVE information • PR #28022: (jacobhammons) Updated Debian and Ubuntu repo paths with new structure for 2015.8.1 • PR #27983: (rallytime) Pip state run result should be False, not None, if installation error occurs. • PR #27991: (twangboy) Fix for `#20678`_ • PR #27997: (rallytime) Remove note about pip bug with pip v1 vs pip v2 return codes • PR #27994: (jtand) Fix schedule_test failure • PR #27992: (cachedout) Make load beacon config into list • PR #28003: (twangboy) Fix `#26336`_ • PR #27984: (rallytime) Versionadded for clean_file option for pkgrepo • PR #27989: (ryan-lane) Do not try to remove the main route table association • PR #27982: (pass-by-value) Add example for salt-proxy over SSH • PR #27985: (jacobhammons) Changed current release to 8.1 and added CVEs to release notes • PR #27979: (cachedout) Fix regression with key whitespace • PR #27977: (cachedout) Decode unicode names in fileclient/server • PR #27981: (jtand) Fixed trailing whitespace lint • PR #27969: (jeffreyctang) fix parse of { on next line • PR #27978: (terminalmage) Add note about dockerng.inspect_image usage • PR #27955: (pass-by-value) Bp 27868 • PR #27953: (The-Loeki) Fix CloudStack cloud for new 'driver' syntax • PR #27965: (ryan-lane) Fail in boto_asg.present if alarms fail • PR #27958: (twangboy) Added new functionality to win_task.py • PR #27959: (techhat) Change __opts__ to self.opts • PR #27943: (rallytime) Back-port #27910 to 2015.8 • PR #27944: (rallytime) Back-port #27909 to 2015.8 • PR #27946: (jtand) Changed grain to look at osmajorrelease instead of osrelease • PR #27914: (rallytime) Use eipalloc instead of eni in EC2 interface properties example • PR #27926: (rallytime) Back-port #27905 to 2015.8 • PR #27927: (ryan-lane) Do not manage ingress or egress rules if set to None • PR #27928: (rallytime) Back-port #27908 to 2015.8 • PR #27676: (ticosax) [dockerng] WIP No more runtime args passed to docker.start() • PR #27885: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #27882: (twangboy) Created win_task.py module • PR #27802: (terminalmage) Correct warning logging when update lock is present for git_pillar/winrepo, add runner function for clearing git_pillar/winrepo locks • PR #27886: (rallytime) Handle group lists as well as comma-separated group strings. • PR #27746: (anlutro) timezone module: handle timedatectl errors • PR #27816: (anlutro) Make system.reboot use shutdown -r when available • PR #27874: (rallytime) Add mention of Periodic Table naming scheme to deprecation docs • PR #27883: (terminalmage) Work around --is-ancestor not being present in git-merge-base before git 1.8.0 • PR #27877: (rallytime) Back-port #27774 to 2015.8 • PR #27878: (rallytime) Use apache2ctl binary on SUSE in apache module • PR #27879: (cro) Add docs for 2015.8.2+ changes to proxies • PR #27731: (cro) Add __proxy__ to replace opts['proxymodule'] • PR #27745: (anlutro) Add pip_upgrade arg to virtualenv.managed state • PR #27809: (ticosax) [dockerng] Remove dockerng.ps caching • PR #27859: (ticosax) [dockerng] Clarify doc port bindings • PR #27748: (multani) Fix `#8646`_ • PR #27850: (rallytime) Back-port #27722 to 2015.8 • PR #27851: (rallytime) Back-port #27771 to 2015.8 • PR #27833: (jfindlay) decode path before string ops in fileclient • PR #27837: (jfindlay) reverse truth in python_shell documentation • PR #27860: (flavio) Fix OS related grains on openSUSE and SUSE Linux Enterprise • PR #27768: (rallytime) Clean up bootstrap function to be slightly cleaner • PR #27797: (isbm) Zypper module clusterfix • PR #27849: (rallytime) Don't require a size parameter for proxmox profiles • PR #27827: (techhat) Add additional error checking to SPM • PR #27826: (martinhoefling) Fixes `#27825`_ • PR #27824: (techhat) Update Azure errors • PR #27795: (eguven) better change reporting for postgres_user groups • PR #27799: (terminalmage) Fix usage of identity file in git.latest • PR #27717: (pass-by-value) Proxy beacon example • PR #27793: (anlutro) update code that changes log level of salt-ssh shim command • PR #27761: (terminalmage) Merge git pillar data instead of using dict.update() • PR #27741: (ticosax) [dockerng] pass filters argument to dockerng.ps • PR #27760: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #27757: (jfindlay) fix virtual fcn return doc indentation • PR #27754: (rallytime) Change test.nop version directive to 2015.8.1 • PR #27734: (jacobhammons) Updated saltstack2 theme to add SaltConf16 banner • PR #27727: (rallytime) Merge #27719 w/pylint fix • PR #27724: (jfindlay) update __virtual__ return documentation • PR #27725: (basepi) Fix global injection for state cross calls • PR #27628: (ticosax) [dockerng] Add support of labels parameter for dockerng • PR #27704: (jacobhammons) Update compound matcher docs to clarify the usage of alternate delimi… • PR #27705: (rallytime) Merge #27602 with final pylint fix • PR #27691: (notpeter) Faster timeout (3s vs 2min) for instance metadata lookups. `#13850`_ . • PR #27696: (blueyed) loader.proxy: call _modules_dirs only once • PR #27630: (ticosax) Expose container_id in mine.get_docker • PR #27600: (blueyed) dockerng: use docker.version=auto by default • PR #27689: (rallytime) Merge #27448 with test fixes • PR #27693: (jacobhammons) initial engines topic, updates to windows repo docs • PR #27601: (blueyed) dockerng: handle None in container.Names • PR #27596: (blueyed) gitfs: fix UnboundLocalError for 'msg' • PR #27651: (eliasp) Check for existence of 'subnetId' key in subnet dict • PR #27639: (rallytime) Docement version added for new artifactory options • PR #27677: (rallytime) Back-port #27675 to 2015.8 • PR #27637: (rallytime) Back-port #27604 to 2015.8 • PR #27657: (garethgreenaway) Fix to pkg state module • PR #27632: (rallytime) Back-port #27539 to 2015.8 • PR #27633: (rallytime) Back-port #27559 to 2015.8 • PR #27579: (rallytime) Change boto_route53 region default to 'universal' to avoid problems with boto library • PR #27581: (tkwilliams) Add support for 'vpc_name' tag in boto_secgroup module and state • PR #27624: (nasenbaer13) Wait for sync is not passed to boto_route53 state • PR #27614: (blueyed) doc: minor fixes to doc and comments • PR #27627: (eyj) Fix crash in boto_asg.get_instances if the requested attribute is None • PR #27616: (jacobhammons) Updated windows software repository docs • PR #27569: (lomeroe) boto_vpc.get_subnet_association now returns a dict w/key of vpc_id, a… • PR #27567: (whiteinge) Use getattr to fetch psutil.version_info • PR #27583: (tkwilliams) Fixup zypper module • PR #27597: (blueyed) gitfs: remove unused variable "bad_per_remote_conf" • PR #27585: (ryan-lane) Fix undefined variable in cron state module Salt 2015.8.3 Release Notes Security Fix CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions This affects users of the state.sls function. The state run cache on the minion was being created with incorrect permissions. This file could potentially contain sensitive data that was inserted via jinja into the state SLS files. The permissions for this file are now being set correctly. Thanks to @zmalone for bringing this issue to our attention. Changes Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2015-11-25T00:03:40Z Merges: 452 Changes: • PR #29172: (basepi) [2015.8] Backport new philips_hue proxy features from develop • PR #29167: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29141: (optix2000) Add test case for require: sls with only import statements • PR #29072: (terminalmage) Several gitfs/git_pillar fixes • PR #29118: (ticosax) [dockerng] Add networking capabilities • PR #29145: (anlutro) Remove duplicate import of salt.utils.s3 • PR #29148: (lomeroe) correcting parameter calls to boto get_zone/create_zone functions in … • PR #29108: (lorengordon) Enforce length as an int, fixes `#29107`_ • PR #29125: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29126: (fcrozat) Fix deployment when umask is non-standard • PR #29124: (rallytime) Back-port #28130 to 2015.8 • PR #29076: (RealKelsar) We can't query installed use flags for a non installed pkg • PR #29097: (rallytime) Back-port #29070 to 2015.8 • PR #29090: (gtmanfred) clean up novaclient module • PR #29095: (terminalmage) Add warning about pygit2 API instability • PR #28919: (cro) Update Philips Hue proxy minion to support __proxy__ instead of proxymodule stored in __opts__ • PR #29065: (cachedout) Handle failures inside python's inspect if a module is reloaded • PR #29057: (paulnivin) Add local file support for file.managed source list • PR #29017: (jfindlay) pagerduty runner: add missing salt.utils import • PR #29039: (anlutro) Allow passing list of pip packages to virtualenv.managed • PR #29047: (schwing) Fix salt.modules.gpg.import_key exception: 'GPG_1_3_1 referenced before assignment' • PR #29050: (terminalmage) Make git_pillar global config option docs more prominent • PR #29048: (nmadhok) Fix incorrect debug log statement • PR #29024: (jfindlay) cache runner test: add new unit tests • PR #28967: (cro) Fix some issues with password changes • PR #29020: (basepi) [2015.8] Add special list-only nodegroup support to salt-ssh • PR #28970: (terminalmage) Properly handle non-string saltenvs • PR #28959: (rallytime) Add blade password example and make note of timeout • PR #29000: (kiorky) [Mergeable] Fix up LXC • PR #29014: (jfindlay) systemd module: remove unneeded col command • PR #28983: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28969: (rallytime) Back-port #28825 to 2015.8 • PR #28787: (chrigl) closes `#28784`_ • PR #28944: (rallytime) The ret result must contain 'name', not 'chassis_name' for the state compiler. • PR #28957: (terminalmage) Fix version number for new state option • PR #28950: (DmitryKuzmenko) PR 28812 which test fix • PR #28812: (isbm) Enhance 'which' decorator reliability • PR #28934: (terminalmage) git.latest: Add update_head option to prevent local HEAD from being updated • PR #28937: (rallytime) Update dellchassis state example to use correct jinja syntax • PR #28889: (jfindlay) state compiler: relax aggregate conditional check • PR #28921: (rallytime) Back-port #25470 to 2015.8 • PR #28922: (rallytime) Change 2015.8.2 release note title to reflect proper version • PR #28891: (jfindlay) rh_service module: fix logic in _chkconfig_is_enabled • PR #28892: (jfindlay) grains.core: correctly identify SLES 11 distrib_id • PR #28910: (lorengordon) Fix winrepo command in windows pkg mgmt doc • PR #28896: (rallytime) Back-port #28855 to 2015.8 • PR #28895: (rallytime) Back-port #28823 to 2015.8 • PR #28885: (kt97679) fix for: service.enabled fails on xen server `#28754`_ • PR #28880: (terminalmage) Add "profile" loglevel • PR #28882: (basepi) [2015.8] salt-ssh: Check return type to make sure it's an error • PR #28867: (rallytime) [fx2 grains] Grains functions should return dictionaries • PR #28863: (mhoogendoorn) Fix ebuild.install causing extra refresh_db calls. • PR #28865: (jfindlay) add 2015.8.2 release notes • PR #28730: (garethgreenaway) Fixes to how return_job is handled in the scheduler for the salt master. • PR #28848: (cro) Lint • PR #28842: (cachedout) Add transport setting to shell test • PR #28837: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28827: (jacksontj) Cleanup virtual_timer in loader • PR #28836: (cachedout) Cast to dict to fix wheel tests in tcp • PR #28834: (cachedout) Fix breakage in tcp server • PR #28804: (cachedout) TCP test fixes • PR #28826: (basepi) [2015.8] Add new tornado deps to salt-ssh thin • PR #28759: (jfindlay) simplify stdin use of stdin in at.present state • PR #28824: (rallytime) Back-port #28778 and #28820 to 2015.8 • PR #28803: (jfindlay) decode strings to utf-8 • PR #28782: (rallytime) Fixes to rabbitmq user state • PR #28789: (nmadhok) Provide ability to enable/disable customization for newly create VMs using VMware salt-cloud driver • PR #28768: (mrosedale) 2015.8 • PR #28772: (rallytime) rabbitmq.list_user_permissions returns a dict, not a list. Don't expect a list. • PR #28774: (rallytime) Back-port #28725 to 2015.8 • PR #28775: (rallytime) Back-port #28740 to 2015.8 • PR #28755: (rallytime) Move most vmware driver list_* functions to use salt.utils.vmware functions • PR #28744: (jfindlay) import gate elementtree • PR #28758: (jfindlay) remove redundant logic in useradd execution module • PR #28757: (mbarrien) Bug fix: pip command to not quote spaces in cmd line args • PR #28764: (multani) Various documentation fixes • PR #28752: (aboe76) Update openSUSE grain for tumbleweed • PR #28713: (hexedpackets) Rename consul.list to consul.list_keys. • PR #28719: (jacobhammons) removed dependencies info from docs • PR #28709: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28710: (rallytime) Pass kwargs correctly to _get_group from get_group_id • PR #28698: (rallytime) Back-port #28530 to 2015.8 • PR #28700: (rallytime) Back-port #28679 to 2015.8 • PR #28695: (s0undt3ch) [2015.8] Update to latest bootstrap script v2015.11.09 • PR #28656: (clarkperkins) `#28526`_ fixed yumpkg module issue with pkg.installed • PR #28672: (jfindlay) add OS grain support for SuSE Leap • PR #28673: (jfindlay) add hidden_opts to mount.mounted • PR #28667: (cro) saltutil.sync_all should sync proxymodules as well as the rest. • PR #28665: (jfindlay) fixes to windows execution and state modules • PR #28660: (techhat) Don't sign empty regions • PR #28632: (terminalmage) Fixes/improvements to pkgbuild state/modules • PR #28658: (techhat) Remove _pkgdb_fun() references • PR #28653: (rallytime) Provide possible parameters for boto_rds.present engine values • PR #28649: (bdrung) Fix OS related grains on Debian • PR #28646: (rallytime) Back-port #28614 to 2015.8 • PR #28647: (rallytime) Back-port #28624 to 2015.8 • PR #28648: (rallytime) Merge branch '2015.5' into '2015.8' • PR #28638: (anlutro) Salt-SSH: Return more concise error when SSH command fails • PR #28644: (pass-by-value) Make sure versionchanged is correct • PR #28615: (The-Loeki) Fixes to FreeBSD pkg • PR #28613: (cachedout) Add facility to deepcopy bound methods in Py2.6 and apply to grains • PR #28612: (rallytime) Remove unsupported storage_type argument for parity with boto_rds module • PR #28611: (rallytime) [2015.8] Be explicit about salt.utils.vmware function calls • PR #28610: (pass-by-value) Lxc config additions • PR #28602: (nasenbaer13) Allow setting of custom dimensions in asg alarm specification • PR #28596: (rallytime) Merge branch '2015.5' into '2015.8' • PR #28593: (blueyed) doc: fix typo with salt.states.file: s/preseve/preserve/ • PR #28578: (twangboy) Fixed the script... something got broke... • PR #28579: (jfindlay) fix __virtual__ returns: tls,uptime mods • PR #28584: (rallytime) If AssociatePublicIpAddress is set to True, don't auto-assign eip. • PR #28576: (jacksontj) Only encode the zmq message once • PR #28587: (cachedout) Reset yaml rendering hooks to avoid leaks • PR #28581: (basepi) Revert b4875e585a165482c4c1ddc8987d76b0a71ef1b0 • PR #28573: (jacksontj) Add body to salt.utils.http.query returns • PR #28564: (s0undt3ch) [2015.8] Update to latest bootstrap script v2015.11.04 • PR #28561: (Oro) Issue `#28527`_ boto_rds.create does not work • PR #28560: (bdrung) Fix various typos • PR #28550: (jfindlay) check timedatectl errno and return stdout on failure • PR #28545: (jfindlay) pass on concurrent create of jid_dir in local_cache • PR #28544: (rallytime) Start moving some vmware.py cloud funcs to utils/vmware.py • PR #28543: (gtmanfred) clean up changes for pkg.uptodate and supervisord.dead • PR #28538: (jfindlay) decode path and url to utf-8 in url.create • PR #28533: (jfindlay) decode highstate error messages to utf-8 • PR #28547: (nmadhok) [Backport] [2015.8] Tasks can be in queued state instead of running • PR #28535: (techhat) Fail gracefully if 169.254* isn't available • PR #28536: (cro) Default configuration file for proxy minions. • PR #28534: (rallytime) Add versionadded directive for vpc_name arg in boto_secgroup.present • PR #28516: (rallytime) Back-port #28489 to 2015.8 • PR #28506: (basepi) [2015.8] Log minion list for all rosters, at debug level • PR #28514: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28502: (cachedout) Lint #28427 • PR #28464: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28486: (rallytime) Back-port #26945 to 2015.8 • PR #28472: (gtmanfred) overwrite more than one value with names • PR #28493: (rallytime) Back-port #28492 to 2015.8 • PR #28494: (whiteinge) Fix filter_by passing incorrect parameters to match functions • PR #28491: (rallytime) Back-port #28388 to 2015.8 • PR #28465: (twangboy) Fix `#12363`_ : Password Expiration in Windows • PR #28485: (nasenbaer13) Fix invalid usage of _get_conn causing `#28484`_ • PR #28454: (sdm24) Fixed nodegroup doc formatting to correctly link to pillar_opts in the master config • PR #28487: (cachedout) Lint 28456 • PR #28457: (sdm24) Clarified comments for grains/core.py for ip_interfaces, ip4_interfac… • PR #28473: (anlutro) Show check_cmd output on failure • PR #28460: (jtand) Skipped wipefs test if wipefs does not exist on OS • PR #28426: (terminalmage) pkgbuild.built: make template engine optional • PR #28422: (cachedout) Handle windows logging on thread_multi [WIP] • PR #28425: (twangboy) Fix `#13513`_ - Reflection • PR #28417: (rallytime) Add note about azure sdk version to getting started docs • PR #28410: (jacksontj) Add retries to the zeromq.AsyncReqMessageClient • PR #28404: (rallytime) Back-port #28395 to 2015.8 • PR #28405: (opdude) Detect legacy versions of chocolatey correctly • PR #28187: (sjansen) fix at.present • PR #28375: (merll) Merge pillar includes correctly • PR #28376: (ryan-lane) Support update of route53 records with multiple values • PR #28377: (terminalmage) Deprecate 'always' in favor of 'force' in pkgbuild.built • PR #28380: (cro) Add missing call for service provider • PR #28348: (jfindlay) salt.utils.alias informs user they are using a renamed function • PR #28364: (jtand) In CentOS 5 the .split() causes a stacktrace. • PR #28361: (rallytime) Back-port #28087 to 2015.8 • PR #28360: (multani) Various documentation fixes • PR #28370: (rallytime) Back-port #28276 to 2015.8 • PR #28353: (merll) Consider each pillar match only once. • PR #28334: (anlutro) iptables needs -m comment for --comment to work • PR #28340: (jfindlay) sdecode file and dir lists in fileclient • PR #28344: (ryan-lane) Fix iptables state for non-filter tables • PR #28343: (rallytime) Back-port #28342 to 2015.8 • PR #28330: (rallytime) Back-port #28305 to 2015.8 • PR #28270: (rallytime) Refactor RabbitMQ Plugin State to correctly use test=true and format errors • PR #28269: (rallytime) Refactor rabbitmq_user state to use test=True correctly • PR #28299: (rallytime) Add test for availability_zone check to boto_vpc_tests • PR #28306: (sdm24) Updated the Nodegroup docs to include how to target nodegroups in SLS Jinja • PR #28308: (rallytime) Firewalld state services should use --add-service, not --new-service • PR #28302: (DmitryKuzmenko) Always close socket even if there is no stream. • PR #28282: (keesbos) Fix for __env__ in legacy git_pillar • PR #28258: (pass-by-value) Add service module for ssh proxy example • PR #28294: (bechtoldt) correct a bad default value in http utility • PR #28185: (jtand) Added single package return for latest_version, fixed other bug. • PR #28297: (cachedout) Lint fix proxy junos • PR #28210: (terminalmage) Fix for ext_pillar being compiled twice in legacy git_pillar code • PR #28265: (jfindlay) fix blockdev execution and state modules • PR #28266: (rallytime) Back-port #28260 to 2015.8 • PR #28253: (rallytime) Back-port #28063 to 2015.8 • PR #28231: (rallytime) Make sure we're compairing strings when getting images in the DO driver • PR #28224: (techhat) Optimize create_repo for large packages • PR #28214: (rallytime) Don't stacktrace if invalid credentials are passed to boto_route53 state • PR #28228: (rallytime) Back-port #27562 to 2015.8 • PR #28232: (rallytime) Add documentation to supply the ssh_username: freebsd config to DO docs • PR #28198: (jacobhammons) Added note regarding missing spm exe on Debian/Ubuntu • PR #28182: (erchn) Some fixes for nova driver for Rackspace • PR #28181: (rallytime) Revamp firewalld state to be more stateful. • PR #28176: (cro) Add ping function • PR #28167: (The-Loeki) file.serialize needs to add a final newline to serialized files • PR #28168: (rallytime) Make sure availability zone gets passed in boto_vpc module when creating subnet • PR #28148: (basepi) [2015.8] Only expand nodegroups to lists if there is a nested nodegroup • PR #28155: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #28149: (pass-by-value) Add clarification to cloud profile doc about host • PR #28146: (cachedout) Lint dracr.py • PR #28141: (rallytime) Don't use RAM for root disk size in linode.py • PR #28143: (jtand) Removed blank line at end of chassis.py • PR #28021: (blueyed) Handle includes in include_config recursively • PR #28095: (rallytime) Back-port #28001 to 2015.8 • PR #28096: (rallytime) Back-port #28061 to 2015.8 • PR #28139: (rallytime) Back-port #28103 to 2015.8 • PR #28098: (jacksontj) For all multi-part messages, check the headers. If the header is not … • PR #28134: (bernieke) fix unicode pillar values `#3436`_ • PR #28076: (redmcg) Replace option 'i' with an explicit queryformat • PR #28119: (jacksontj) Check if the remote exists before casting to a string. • PR #28105: (jfindlay) add reason for not loading localemod • PR #28108: (cachedout) Set logfile permsissions correctly • PR #27922: (cro) WIP States/Modules for managing Dell FX2 chassis via salt-proxy • PR #28104: (pass-by-value) Add documentation for proxy minion ssh • PR #28020: (DmitryKuzmenko) LazyLoader deepcopy fix. • PR #27933: (eliasp) Provide all git pillar dirs in opts[pillar_roots] • PR #28013: (rallytime) Back-port #27891 to 2015.8 • PR #28018: (rallytime) Add example to Writing Grains of how grains can be loaded twice • PR #28084: (cachedout) #28069 with lint • PR #28079: (The-Loeki) Fix for trace dump on failing imports for win32com & pythoncom 4 win_task • PR #28081: (The-Loeki) fix for glance state trace error on import failure • PR #28066: (jacksontj) Use the generic text attribute, not .body of the handler • PR #28019: (rallytime) Clean up version added and deprecated msgs to be accurate • PR #28058: (rallytime) Back-port #28041 to 2015.8 • PR #28055: (rallytime) Back-port #28043 to 2015.8 • PR #28046: (pass-by-value) Add pkg install and remove functions • PR #28050: (ryan-lane) Use a better method for checking dynamodb table existence • PR #28042: (jfindlay) fix repo path in ubuntu installation documentation • PR #28033: (twangboy) Fixed win_useradd.py • PR #28027: (cro) Make ssh conn persistent. • PR #28029: (jacobhammons) Updated release notes with additional CVE information • PR #28022: (jacobhammons) Updated Debian and Ubuntu repo paths with new structure for 2015.8.1 • PR #27983: (rallytime) Pip state run result should be False, not None, if installation error occurs. • PR #27991: (twangboy) Fix for `#20678`_ • PR #27997: (rallytime) Remove note about pip bug with pip v1 vs pip v2 return codes • PR #27994: (jtand) Fix schedule_test failure • PR #27992: (cachedout) Make load beacon config into list • PR #28003: (twangboy) Fix `#26336`_ • PR #27984: (rallytime) Versionadded for clean_file option for pkgrepo • PR #27989: (ryan-lane) Do not try to remove the main route table association • PR #27982: (pass-by-value) Add example for salt-proxy over SSH • PR #27985: (jacobhammons) Changed current release to 8.1 and added CVEs to release notes • PR #27979: (cachedout) Fix regression with key whitespace • PR #27977: (cachedout) Decode unicode names in fileclient/server • PR #27981: (jtand) Fixed trailing whitespace lint • PR #27969: (jeffreyctang) fix parse of { on next line • PR #27978: (terminalmage) Add note about dockerng.inspect_image usage • PR #27955: (pass-by-value) Bp 27868 • PR #27953: (The-Loeki) Fix CloudStack cloud for new 'driver' syntax • PR #27965: (ryan-lane) Fail in boto_asg.present if alarms fail • PR #27958: (twangboy) Added new functionality to win_task.py • PR #27959: (techhat) Change __opts__ to self.opts • PR #27943: (rallytime) Back-port #27910 to 2015.8 • PR #27944: (rallytime) Back-port #27909 to 2015.8 • PR #27946: (jtand) Changed grain to look at osmajorrelease instead of osrelease • PR #27914: (rallytime) Use eipalloc instead of eni in EC2 interface properties example • PR #27926: (rallytime) Back-port #27905 to 2015.8 • PR #27927: (ryan-lane) Do not manage ingress or egress rules if set to None • PR #27928: (rallytime) Back-port #27908 to 2015.8 • PR #27676: (ticosax) [dockerng] WIP No more runtime args passed to docker.start() • PR #27885: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #27882: (twangboy) Created win_task.py module • PR #27802: (terminalmage) Correct warning logging when update lock is present for git_pillar/winrepo, add runner function for clearing git_pillar/winrepo locks • PR #27886: (rallytime) Handle group lists as well as comma-separated group strings. • PR #27746: (anlutro) timezone module: handle timedatectl errors • PR #27816: (anlutro) Make system.reboot use shutdown -r when available • PR #27874: (rallytime) Add mention of Periodic Table naming scheme to deprecation docs • PR #27883: (terminalmage) Work around --is-ancestor not being present in git-merge-base before git 1.8.0 • PR #27877: (rallytime) Back-port #27774 to 2015.8 • PR #27878: (rallytime) Use apache2ctl binary on SUSE in apache module • PR #27879: (cro) Add docs for 2015.8.2+ changes to proxies • PR #27731: (cro) Add __proxy__ to replace opts['proxymodule'] • PR #27745: (anlutro) Add pip_upgrade arg to virtualenv.managed state • PR #27809: (ticosax) [dockerng] Remove dockerng.ps caching • PR #27859: (ticosax) [dockerng] Clarify doc port bindings • PR #27748: (multani) Fix `#8646`_ • PR #27850: (rallytime) Back-port #27722 to 2015.8 • PR #27851: (rallytime) Back-port #27771 to 2015.8 • PR #27833: (jfindlay) decode path before string ops in fileclient • PR #27837: (jfindlay) reverse truth in python_shell documentation • PR #27860: (flavio) Fix OS related grains on openSUSE and SUSE Linux Enterprise • PR #27768: (rallytime) Clean up bootstrap function to be slightly cleaner • PR #27797: (isbm) Zypper module clusterfix • PR #27849: (rallytime) Don't require a size parameter for proxmox profiles • PR #27827: (techhat) Add additional error checking to SPM • PR #27826: (martinhoefling) Fixes `#27825`_ • PR #27824: (techhat) Update Azure errors • PR #27795: (eguven) better change reporting for postgres_user groups • PR #27799: (terminalmage) Fix usage of identity file in git.latest • PR #27717: (pass-by-value) Proxy beacon example • PR #27793: (anlutro) update code that changes log level of salt-ssh shim command • PR #27761: (terminalmage) Merge git pillar data instead of using dict.update() • PR #27741: (ticosax) [dockerng] pass filters argument to dockerng.ps • PR #27760: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #27757: (jfindlay) fix virtual fcn return doc indentation • PR #27754: (rallytime) Change test.nop version directive to 2015.8.1 • PR #27734: (jacobhammons) Updated saltstack2 theme to add SaltConf16 banner • PR #27727: (rallytime) Merge #27719 w/pylint fix • PR #27724: (jfindlay) update __virtual__ return documentation • PR #27725: (basepi) Fix global injection for state cross calls • PR #27628: (ticosax) [dockerng] Add support of labels parameter for dockerng • PR #27704: (jacobhammons) Update compound matcher docs to clarify the usage of alternate delimi… • PR #27705: (rallytime) Merge #27602 with final pylint fix • PR #27691: (notpeter) Faster timeout (3s vs 2min) for instance metadata lookups. `#13850`_ . • PR #27696: (blueyed) loader.proxy: call _modules_dirs only once • PR #27630: (ticosax) Expose container_id in mine.get_docker • PR #27600: (blueyed) dockerng: use docker.version=auto by default • PR #27689: (rallytime) Merge #27448 with test fixes • PR #27693: (jacobhammons) initial engines topic, updates to windows repo docs • PR #27601: (blueyed) dockerng: handle None in container.Names • PR #27596: (blueyed) gitfs: fix UnboundLocalError for 'msg' • PR #27651: (eliasp) Check for existence of 'subnetId' key in subnet dict • PR #27639: (rallytime) Docement version added for new artifactory options • PR #27677: (rallytime) Back-port #27675 to 2015.8 • PR #27637: (rallytime) Back-port #27604 to 2015.8 • PR #27657: (garethgreenaway) Fix to pkg state module • PR #27632: (rallytime) Back-port #27539 to 2015.8 • PR #27633: (rallytime) Back-port #27559 to 2015.8 • PR #27579: (rallytime) Change boto_route53 region default to 'universal' to avoid problems with boto library • PR #27581: (tkwilliams) Add support for 'vpc_name' tag in boto_secgroup module and state • PR #27624: (nasenbaer13) Wait for sync is not passed to boto_route53 state • PR #27614: (blueyed) doc: minor fixes to doc and comments • PR #27627: (eyj) Fix crash in boto_asg.get_instances if the requested attribute is None • PR #27616: (jacobhammons) Updated windows software repository docs • PR #27569: (lomeroe) boto_vpc.get_subnet_association now returns a dict w/key of vpc_id, a… • PR #27567: (whiteinge) Use getattr to fetch psutil.version_info • PR #27583: (tkwilliams) Fixup zypper module • PR #27597: (blueyed) gitfs: remove unused variable "bad_per_remote_conf" • PR #27585: (ryan-lane) Fix undefined variable in cron state module Salt 2015.8.4 Release Notes Known Issues in_ requisites (issue 30820) This issue affects all users targeting an explicit - name: <name> with a _in requisite (such as watch_in or require_in). If you are not using explicit - name: <name> arguments, are targeting with the state ID instead of the name, or are not using _in requisites, then you should be safe to upgrade to 2015.8.4. This issue is resolved in the 2015.8.5 release. Security Fix CVE-2016-1866: Improper handling of clear messages on the minion, which could result in executing commands not sent by the master. This issue affects only the 2015.8.x releases of Salt. In order for an attacker to use this attack vector, they would have to execute a successful attack on an existing TCP connection between minion and master on the pub port. It does not allow an external attacker to obtain the shared secret or decrypt any encrypted traffic between minion and master. Thank you to Sebastian Krahmer <krahmer@suse.com> for bringing this issue to our attention. We recommend everyone upgrade to 2015.8.4 as soon as possible. Core Changes • PR #28994: timcharper Salt S3 module has learned how to assume IAM roles • Added option mock=True for state.sls and state.highstate. This allows the salt state compiler to process sls data in a state run without actually calling the state functions, thus providing feedback on the validity of the arguments used for the functions beyond the preprocessing validation provided by state.show_sls (issue 30118 and issue 30189). salt '*' state.sls core,edit.vim mock=True salt '*' state.highstate mock=True salt '*' state.apply edit.vim mock=True Changes for v2015.8.3..v2015.8.4 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2016-01-25T17:48:35Z Total Merges: 320 Changes: • PR #30613: (basepi) Fix minion/syndic clearfuncs • PR #30609: (seanjnkns) Fix documentation for pillar_merge_lists which default is False, not … • PR #30584: (julianbrost) file.line state: add missing colon in docstring • PR #30589: (terminalmage) Merge 2015.5 into 2015.8 • PR #30599: (multani) Documentation formatting fixes • PR #30554: (rallytime) Make the salt-cloud actions output more verbose and helpful • PR #30549: (techhat) Salt Virt cleanup • PR #30553: (techhat) AWS: Support 17-character IDs • PR #30532: (whiteinge) Add execution module for working in sls files • PR #30529: (terminalmage) Merge 2015.5 into 2015.8 • PR #30526: (twangboy) Added FlushKey to make sure it's changes are saved to disk • PR #30521: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #30485: (jtand) Updated pip_state to work with pip 8.0 on 2015.8 • PR #30494: (isbm) Zypper: info_installed — 'errors' flag change to type 'boolean' • PR #30506: (jacksontj) Properly remove newlines after reading the file • PR #30508: (rallytime) Fix Linode driver cloning functionality • PR #30522: (terminalmage) Update git.list_worktree tests to reflect new return data • PR #30483: (borgstrom) Pyobjects recursive import support (for 2015.8) • PR #30491: (jacksontj) Add multi-IP support to network state • PR #30496: (anlutro) Fix KeyError when adding ignored pillars • PR #30359: (kingsquirrel152) Removes suspected copy/paste error for zmq_filtering functionailty • PR #30448: (cournape) Fix osx scripts location • PR #30457: (rallytime) Remove fsutils references from modules list • PR #30453: (rallytime) Make sure private AND public IPs are listed for Linode driver • PR #30458: (rallytime) Back-port #30062 to 2015.8 • PR #30468: (timcharper) make note of s3 role assumption in upcoming changelog • PR #30470: (whiteinge) Add example of the match_dict format to accept_dict wheel function • PR #30450: (gtmanfred) fix extension loading in novaclient • PR #30212: (abednarik) Fix incorrect file permissions in file.line • PR #29947: (jfindlay) fileclient: decode file list from master • PR #30363: (terminalmage) Use native "list" subcommand to list git worktrees • PR #30445: (jtand) Boto uses False for is_default instead of None • PR #30406: (frioux) Add an example of how to use file.managed/check_cmd • PR #30424: (isbm) Check if byte strings are properly encoded in UTF-8 • PR #30405: (jtand) Updated glusterfs.py for python2.6 compatibility. • PR #30396: (pass-by-value) Remove hardcoded val • PR #30391: (jtand) Added else statements • PR #30375: (rallytime) Wrap formatted log statements with six.u() in cloud/__init__.py • PR #30384: (isbm) Bugfix: info_available does not work correctly on SLE 11 series • PR #30376: (pritambaral) Fix FLO_DIR path in 2015.8 • PR #30389: (jtand) Older versions of ipset don't support comments • PR #30373: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #30372: (jacobhammons) Updated man pages for 2015.8.4, updated copyright to 2016 • PR #30370: (rallytime) Remove incomplete function • PR #30366: (rallytime) Back-port #28702 to 2015.8 • PR #30361: (cro) Flip the sense of the test for proxymodule imports, add more fns for esxi proxy • PR #30267: (isbm) Fix RPM issues with the date/time and add package attributes filtering • PR #30360: (jfindlay) file.remove, file.absent: mention recursive dir removal • PR #30221: (mbarrien) No rolcatupdate for user_exist in Postgres>=9.5 `#26845`_ • PR #30358: (terminalmage) Add libgit2 version to versions-report • PR #30346: (pass-by-value) Prevent orphaned volumes • PR #30349: (rallytime) Back-port #30347 to 2015.8 • PR #30354: (anlutro) Make sure all ignore_missing SLSes are caught • PR #30356: (nmadhok) Adding code author • PR #30340: (jtand) Updated seed_test.py for changes made to seed module • PR #30339: (jfindlay) Backport #26511 • PR #30343: (rallytime) Fix 2015.8 from incomplete back-port • PR #30342: (eliasp) Correct whitespace placement in error message • PR #30308: (rallytime) Back-port #30257 to 2015.8 • PR #30187: (rallytime) Back-port #27606 to 2015.8 • PR #30223: (serge-p) adding support for DragonFly BSD • PR #30238: (rallytime) Reinit crypto before calling RSA.generate when generating keys. • PR #30246: (dmacvicar) Add missing return data to scheduled jobs ( `#24237`_ ) • PR #30292: (thegoodduke) ipset: fix test=true & add comment for every entry • PR #30275: (abednarik) Add permanent argument in firewalld. • PR #30328: (cachedout) Fix file test • PR #30310: (pass-by-value) Empty bucket fix • PR #30211: (techhat) Execute choot on the correct path • PR #30309: (rallytime) Back-port #30304 to 2015.8 • PR #30278: (nmadhok) If datacenter is specified in the config, then look for managed objects under it • PR #30305: (jacobhammons) Changed examples to use the "example.com" domain instead of "mycompan… • PR #30249: (mpreziuso) Fixes performance and timeout issues on win_pkg.install • PR #30217: (pass-by-value) Make sure cloud actions can be called via salt run • PR #30268: (terminalmage) Optimize file_tree ext_pillar and update file.managed to allow for binary contents • PR #30245: (rallytime) Boto secgroup/iam_role: Add note stating us-east-1 is default region • PR #30299: (rallytime) ESXi Proxy minions states are located at salt.states.esxi, not vsphere. • PR #30202: (opdude) Fixed the periodic call to beacons • PR #30303: (jacobhammons) Changed notes to indicate that functions are matched using regular ex… • PR #30284: (terminalmage) salt.utils.gitfs: Fix Dulwich env detection and submodule handling • PR #30280: (jfindlay) add state mocking to release notes • PR #30273: (rallytime) Back-port #30121 to 2015.8 • PR #30301: (cachedout) Accept whatever comes into hightstate mock for state tests • PR #30282: (cachedout) Fix file.append logic • PR #30289: (cro) Fix problems with targeting proxies by grains • PR #30293: (cro) Ensure we don't log stuff we shouldn't • PR #30279: (cachedout) Allow modules to be packed into boto utils • PR #30186: (rallytime) Update CLI Examples in boto_ec2 module to reflect correct arg/kwarg positioning • PR #30156: (abednarik) Add option in file.append to ignore_whitespace. • PR #30189: (rallytime) Back-port #30185 to 2015.8 • PR #30215: (jacobhammons) Assorted doc bug fixes • PR #30206: (cachedout) Revert "Fix incorrect file permissions in file.line" • PR #30190: (jacobhammons) Updated doc site banners • PR #30180: (jfindlay) modules.x509._dec2hex: add fmt index for 2.6 compat • PR #30179: (terminalmage) Backport #26962 to 2015.8 branch • PR #29693: (abednarik) Handle missing source file in ssh_auth. • PR #30155: (rallytime) Update boto_secgroup and boto_iam_role docs to only use region OR profile • PR #30158: (rallytime) Move _option(value) calls to __salt__['config.option'] in boto utils • PR #30160: (dmurphy18) Fix parsing disk usage for line with no number and AIX values in Kilos • PR #30162: (rallytime) Update list_present and append grains state function docs to be more clear. • PR #30163: (rallytime) Add warning about using "=" in file.line function • PR #30164: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #30168: (abednarik) Fix incorrect file permissions in file.line • PR #30154: (Oro) Fix file serialize on windows • PR #30144: (rallytime) Added generic ESXCLI command ability to ESXi Proxy Minion • PR #30142: (terminalmage) Fix dockerng.push, and allow for multiple images • PR #30075: (joejulian) Convert glusterfs module to use xml • PR #30129: (optix2000) Clean up _uptodate() in git state • PR #30139: (rallytime) Back-port #29589 to 2015.8 • PR #30124: (abednarik) Update regex to detect ip alias in OpenBSD. • PR #30133: (stanislavb) Fix typo in gpgkey URL • PR #30126: (stanislavb) Log S3 API error message • PR #30128: (oeuftete) Log retryable transport errors as warnings • PR #30096: (cachedout) Add rm_special to crontab module • PR #30106: (techhat) Ensure last dir • PR #30101: (gtmanfred) fix bug where nova driver exits with no adminPass • PR #30090: (techhat) Add argument to isdir() • PR #30094: (rallytime) Fix doc formatting for cloud.create example in module.py state • PR #30095: (rallytime) Add the list_nodes_select function to linode driver • PR #30082: (abednarik) Fixed saltversioninfo grain return • PR #30084: (rallytime) Back-port #29987 to 2015.8 • PR #30071: (rallytime) Merge branch '2015.5' into '2015.8' • PR #30067: (ryan-lane) Pass in kwargs to boto_secgroup.convert_to_group_ids explicitly • PR #30069: (techhat) Ensure that pki_dir exists • PR #30064: (rallytime) Add Syndic documentation to miscellaneous Salt Cloud config options • PR #30049: (rallytime) Add some more unit tests for the vsphere execution module • PR #30060: (rallytime) Back-port #27104 to 2015.8 • PR #30048: (jacobhammons) Remove internal APIs from rest_cherrypy docs. • PR #30043: (rallytime) Be explicit about importing from salt.utils.jinja to avoid circular imports • PR #30038: (rallytime) Back-port #30017 to 2015.8 • PR #30036: (rallytime) Back-port #29995 to 2015.8 • PR #30035: (rallytime) Back-port #29895 to 2015.8 • PR #30034: (rallytime) Back-port #29893 to 2015.8 • PR #30033: (rallytime) Back-port #29876 to 2015.8 • PR #30029: (terminalmage) git.latest: Fix handling of nonexistent branches • PR #30016: (anlutro) Properly normalize locales in locale.gen_locale • PR #30015: (anlutro) locale module: don't escape the slash in \n • PR #30022: (gqgunhed) Two minor typos fixed • PR #30026: (anlutro) states.at: fix wrong variable being used • PR #29966: (multani) Fix bigip state/module documentation + serializers documentation • PR #29904: (twangboy) Improvements to osx packaging scripts • PR #29950: (multani) boto_iam: fix deletion of IAM users when using delete_keys=true • PR #29937: (multani) Fix states.boto_iam group users • PR #29934: (multani) Fix state.boto_iam virtual name • PR #29943: (cachedout) Check args correctly in boto_rds • PR #29924: (gqgunhed) fixed: uptime now working on non-US Windows • PR #29883: (serge-p) fix for nfs mounts in _active_mounts_openbsd() • PR #29894: (techhat) Support Saltfile in SPM • PR #29856: (rallytime) Added some initial unit tests for the salt.modules.vsphere.py file • PR #29855: (rallytime) Back-port #29740 to 2015.8 • PR #29890: (multani) Various documentation fixes • PR #29850: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29811: (anlutro) influxdb: add retention policy module functions • PR #29814: (basepi) [2015.8][Windows] Fix multi-master on windows • PR #29819: (rallytime) Add esxi module and state to docs build • PR #29832: (jleimbach) Fixed typo in order to use the keyboard module for RHEL without systemd • PR #29803: (rallytime) Add vSphere module to doc ref module tree • PR #29767: (abednarik) Hosts file update in mod_hostname. • PR #29772: (terminalmage) pygit2: skip submodules when traversing tree • PR #29765: (gtmanfred) allow nova driver to be boot from volume • PR #29773: (l2ol33rt) Append missing wget in debian installation guide • PR #29800: (rallytime) Back-port #29769 to 2015.8 • PR #29775: (paulnivin) Change listen requisite resolution from name to ID declaration • PR #29754: (rallytime) Back-port #29719 to 2015.8 • PR #29713: (The-Loeki) Pillar-based cloud providers still forcing use of deprecated 'provider' • PR #29729: (rallytime) Further clarifications on "unless" and "onlyif" requisites. • PR #29737: (akissa) fix pillar sqlite3 documentation examples • PR #29743: (akissa) fix pillar sqlite not honouring config options • PR #29723: (rallytime) Clarify db_user and db_password kwargs for postgres_user.present state function • PR #29722: (rallytime) Link "stateful" kwargs to definition of what "stateful" means for cmd state. • PR #29724: (rallytime) Add examples of using multiple matching levels to Pillar docs • PR #29726: (cachedout) Disable some boto tests per resolution of moto issue • PR #29708: (lagesag) Fix test=True for file.directory with recurse ignore_files/ignore_dirs. • PR #29642: (cachedout) Correctly restart deamonized minions on failure • PR #29599: (cachedout) Clean up minion shutdown • PR #29675: (clinta) allow returning all refs • PR #29683: (rallytime) Catch more specific error to pass the error message through elegantly. • PR #29687: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29681: (clinta) fix bare/mirror in git.latest • PR #29644: (rallytime) Fixed a couple more ESXi proxy minion bugs • PR #29645: (rallytime) Back-port #29558 to 2015.8 • PR #29632: (jfindlay) reduce severity of tls module __virtual__ logging • PR #29606: (abednarik) Fixed duplicate mtu entry in RedHat 7 network configuration. • PR #29613: (rallytime) Various ESXi Proxy Minion Bug Fixes • PR #29628: (DmitryKuzmenko) Don't create io_loop before fork • PR #29609: (basepi) [2015.8][salt-ssh] Add ability to set salt-ssh command umask in roster • PR #29603: (basepi) Fix orchestration failure-checking • PR #29597: (terminalmage) dockerng: Prevent exception when API response contains empty dictionary • PR #29596: (rallytime) Back-port #29587 to 2015.8 • PR #29588: (rallytime) Added ESXi Proxy Minion Tutorial • PR #29572: (gtmanfred) [nova] use old discover_extensions if available • PR #29545: (terminalmage) git.latest: init submodules if not yet initialized • PR #29548: (rallytime) Back-port #29449 to 2015.8 • PR #29547: (rallytime) Refactored ESXCLI-based functions to accept a list of esxi_hosts • PR #29563: (anlutro) Fix a call to deprecated method in python-influxdb • PR #29565: (bdrung) Fix typos and missing release note • PR #29540: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29499: (rallytime) Initial commit of ESXi Proxy Minion • PR #29526: (jfindlay) 2015.8.2 notes: add note about not being released • PR #29531: (jfindlay) grains.core: handle undefined variable • PR #29538: (basepi) [2015.8] [salt-ssh] Remove umask around actual execution for salt-ssh • PR #29505: (rallytime) Update boto_rds state docs to include funky yaml syntax for "tags" option. • PR #29513: (bdrung) Drop obsolete syslog.target from systemd services • PR #29500: (rallytime) Back-port #29467 to 2015.8 • PR #29463: (abednarik) Add ** kwargs to debconf.set. • PR #29399: (jfindlay) modules.status: add human_readable option to uptime • PR #29433: (cro) Files for building .pkg files for MacOS X • PR #29455: (jfindlay) modules.nova.__init__: do not return None • PR #29454: (jfindlay) rh_service module __virtual__ return error messages • PR #29476: (tbaker57) Doc fix - route_table_present needs subnet_names (not subnets) as a key • PR #29487: (rallytime) Back-port #29450 to 2015.8 • PR #29441: (rallytime) Make sure docs line up with blade_idrac function specs • PR #29440: (rallytime) Back-port #28925 to 2015.8 • PR #29435: (galet) Grains return wrong OS version and other OS related values for Oracle Linux • PR #29430: (rall0r) Fix host.present state limitation • PR #29417: (jacobhammons) Repo install updates • PR #29402: (techhat) Add rate limiting to linode • PR #29400: (twangboy) Fix #19332 • PR #29398: (cachedout) Lint 29288 • PR #29331: (DmitryKuzmenko) Bugfix - #29116 raet dns error • PR #29390: (jacobhammons) updated version numbers in documentation • PR #29381: (nmadhok) No need to deepcopy since six.iterkeys() creates a copy • PR #29349: (cro) Fix mis-setting chassis names • PR #29334: (rallytime) Back-port #29237 to 2015.8 • PR #29300: (ticosax) [dockerng] Add support for volume management in dockerng • PR #29218: (clan) check service enable state in test mode • PR #29315: (jfindlay) dev tutorial doc: fix markup errors • PR #29317: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29240: (clan) handle acl_type [[d]efault:][user|group|mask|other] • PR #29305: (lorengordon) Add 'file' as a source_hash proto • PR #29272: (jfindlay) win_status module: handle 12 hour time in uptime • PR #29289: (terminalmage) file.managed: Allow local file sources to use source_hash • PR #29264: (anlutro) Prevent ssh_auth.absent from running when test=True • PR #29277: (terminalmage) Update git_pillar runner to support new git ext_pillar config schema • PR #29283: (cachedout) Single-quotes and use format • PR #29139: (thomaso-mirodin) [salt-ssh] Add a range roster and range targeting options for the flat roster • PR #29282: (cachedout) dev docs: add development tutorial • PR #28994: (timcharper) add support to s3 for aws role assumption • PR #29278: (techhat) Add verify_log to SPM • PR #29067: (jacksontj) Fix infinite recursion in state compiler for prereq of SLSs • PR #29207: (jfindlay) do not shadow ret function argument • PR #29215: (rallytime) Back-port #29192 to 2015.8 • PR #29217: (clan) show duration only if state_output_profile is False • PR #29221: (ticosax) [dokcerng] Docu network mode • PR #29269: (jfindlay) win_status module: fix function names in docs • PR #29213: (rallytime) Move _wait_for_task func from vmware cloud to vmware utils • PR #29271: (techhat) Pass full path for digest (SPM) • PR #29244: (isbm) List products consistently across all SLES systems • PR #29255: (garethgreenaway) fixes to consul module • PR #29208: (whytewolf) Glance more profile errors • PR #29200: (jfindlay) mount state: unmount by device is optional • PR #29205: (trevor-h) Fixes #29187 - using winrm on EC2 • PR #29170: (cachedout) Migrate pydsl tests to integration test suite • PR #29198: (jfindlay) rh_ip module: only set the mtu once • PR #29135: (jfindlay) ssh_known_hosts.present state: catch not found exc • PR #29196: (s0undt3ch) We need novaclient imported to compare versions • PR #29059: (terminalmage) Work around upstream pygit2 bug • PR #29112: (eliasp) Prevent backtrace (KeyError) in ssh_known_hosts.present state • PR #29178: (whytewolf) Profile not being passed to keystone.endpoint_get in _auth. so if a p… Salt 2015.8.5 Release Notes About this Release Salt 2015.8.5 is identical to the 2015.8.4 release with the addition of a fix for issue 30820, fixed by PR #30833. For convenience, the content from the 2015.8.4 release notes is included below. Known Issue in boto_* execution modules This release contains an issue that causes the boto_* execution modules to display a __salt__ not defined error (issue 30300). This issue will be fixed in an upcoming release, but can be manually resolved by completing the following: 1. Download the boto_* execution modules that you would like to update from the 2015.8 branch of Salt. A complete list of affected modules with the specific changes is available in PR #30867. A simple way to get the updated modules is to download a zip file of the 2015.8 branch from GitHub. The updated modules are in the salt\modules directory. 2. Copy the boto_* modules to the \srv\salt\_modules directory on your Salt master. 3. Run the following command to sync these modules to all Salt minions: salt '*' saltutil.sync_modules ---- 2015.8.4 Release Notes Security Fix CVE-2016-1866: Improper handling of clear messages on the minion, which could result in executing commands not sent by the master. This issue affects only the 2015.8.x releases of Salt. In order for an attacker to use this attack vector, they would have to execute a successful attack on an existing TCP connection between minion and master on the pub port. It does not allow an external attacker to obtain the shared secret or decrypt any encrypted traffic between minion and master. Thank you to Sebastian Krahmer <krahmer@suse.com> for bringing this issue to our attention. We recommend everyone upgrade to 2015.8.4 as soon as possible. Core Changes • PR #28994: timcharper Salt S3 module has learned how to assume IAM roles • Added option mock=True for state.sls and state.highstate. This allows the salt state compiler to process sls data in a state run without actually calling the state functions, thus providing feedback on the validity of the arguments used for the functions beyond the preprocessing validation provided by state.show_sls (issue 30118 and issue 30189). salt '*' state.sls core,edit.vim mock=True salt '*' state.highstate mock=True salt '*' state.apply edit.vim mock=True Changes for v2015.8.3..v2015.8.4 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2016-01-25T17:48:35Z Total Merges: 320 Changes: • PR #30613: (basepi) Fix minion/syndic clearfuncs • PR #30609: (seanjnkns) Fix documentation for pillar_merge_lists which default is False, not … • PR #30584: (julianbrost) file.line state: add missing colon in docstring • PR #30589: (terminalmage) Merge 2015.5 into 2015.8 • PR #30599: (multani) Documentation formatting fixes • PR #30554: (rallytime) Make the salt-cloud actions output more verbose and helpful • PR #30549: (techhat) Salt Virt cleanup • PR #30553: (techhat) AWS: Support 17-character IDs • PR #30532: (whiteinge) Add execution module for working in sls files • PR #30529: (terminalmage) Merge 2015.5 into 2015.8 • PR #30526: (twangboy) Added FlushKey to make sure it's changes are saved to disk • PR #30521: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #30485: (jtand) Updated pip_state to work with pip 8.0 on 2015.8 • PR #30494: (isbm) Zypper: info_installed — 'errors' flag change to type 'boolean' • PR #30506: (jacksontj) Properly remove newlines after reading the file • PR #30508: (rallytime) Fix Linode driver cloning functionality • PR #30522: (terminalmage) Update git.list_worktree tests to reflect new return data • PR #30483: (borgstrom) Pyobjects recursive import support (for 2015.8) • PR #30491: (jacksontj) Add multi-IP support to network state • PR #30496: (anlutro) Fix KeyError when adding ignored pillars • PR #30359: (kingsquirrel152) Removes suspected copy/paste error for zmq_filtering functionailty • PR #30448: (cournape) Fix osx scripts location • PR #30457: (rallytime) Remove fsutils references from modules list • PR #30453: (rallytime) Make sure private AND public IPs are listed for Linode driver • PR #30458: (rallytime) Back-port #30062 to 2015.8 • PR #30468: (timcharper) make note of s3 role assumption in upcoming changelog • PR #30470: (whiteinge) Add example of the match_dict format to accept_dict wheel function • PR #30450: (gtmanfred) fix extension loading in novaclient • PR #30212: (abednarik) Fix incorrect file permissions in file.line • PR #29947: (jfindlay) fileclient: decode file list from master • PR #30363: (terminalmage) Use native "list" subcommand to list git worktrees • PR #30445: (jtand) Boto uses False for is_default instead of None • PR #30406: (frioux) Add an example of how to use file.managed/check_cmd • PR #30424: (isbm) Check if byte strings are properly encoded in UTF-8 • PR #30405: (jtand) Updated glusterfs.py for python2.6 compatibility. • PR #30396: (pass-by-value) Remove hardcoded val • PR #30391: (jtand) Added else statements • PR #30375: (rallytime) Wrap formatted log statements with six.u() in cloud/__init__.py • PR #30384: (isbm) Bugfix: info_available does not work correctly on SLE 11 series • PR #30376: (pritambaral) Fix FLO_DIR path in 2015.8 • PR #30389: (jtand) Older versions of ipset don't support comments • PR #30373: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #30372: (jacobhammons) Updated man pages for 2015.8.4, updated copyright to 2016 • PR #30370: (rallytime) Remove incomplete function • PR #30366: (rallytime) Back-port #28702 to 2015.8 • PR #30361: (cro) Flip the sense of the test for proxymodule imports, add more fns for esxi proxy • PR #30267: (isbm) Fix RPM issues with the date/time and add package attributes filtering • PR #30360: (jfindlay) file.remove, file.absent: mention recursive dir removal • PR #30221: (mbarrien) No rolcatupdate for user_exist in Postgres>=9.5 `#26845`_ • PR #30358: (terminalmage) Add libgit2 version to versions-report • PR #30346: (pass-by-value) Prevent orphaned volumes • PR #30349: (rallytime) Back-port #30347 to 2015.8 • PR #30354: (anlutro) Make sure all ignore_missing SLSes are caught • PR #30356: (nmadhok) Adding code author • PR #30340: (jtand) Updated seed_test.py for changes made to seed module • PR #30339: (jfindlay) Backport #26511 • PR #30343: (rallytime) Fix 2015.8 from incomplete back-port • PR #30342: (eliasp) Correct whitespace placement in error message • PR #30308: (rallytime) Back-port #30257 to 2015.8 • PR #30187: (rallytime) Back-port #27606 to 2015.8 • PR #30223: (serge-p) adding support for DragonFly BSD • PR #30238: (rallytime) Reinit crypto before calling RSA.generate when generating keys. • PR #30246: (dmacvicar) Add missing return data to scheduled jobs ( `#24237`_ ) • PR #30292: (thegoodduke) ipset: fix test=true & add comment for every entry • PR #30275: (abednarik) Add permanent argument in firewalld. • PR #30328: (cachedout) Fix file test • PR #30310: (pass-by-value) Empty bucket fix • PR #30211: (techhat) Execute choot on the correct path • PR #30309: (rallytime) Back-port #30304 to 2015.8 • PR #30278: (nmadhok) If datacenter is specified in the config, then look for managed objects under it • PR #30305: (jacobhammons) Changed examples to use the "example.com" domain instead of "mycompan… • PR #30249: (mpreziuso) Fixes performance and timeout issues on win_pkg.install • PR #30217: (pass-by-value) Make sure cloud actions can be called via salt run • PR #30268: (terminalmage) Optimize file_tree ext_pillar and update file.managed to allow for binary contents • PR #30245: (rallytime) Boto secgroup/iam_role: Add note stating us-east-1 is default region • PR #30299: (rallytime) ESXi Proxy minions states are located at salt.states.esxi, not vsphere. • PR #30202: (opdude) Fixed the periodic call to beacons • PR #30303: (jacobhammons) Changed notes to indicate that functions are matched using regular ex… • PR #30284: (terminalmage) salt.utils.gitfs: Fix Dulwich env detection and submodule handling • PR #30280: (jfindlay) add state mocking to release notes • PR #30273: (rallytime) Back-port #30121 to 2015.8 • PR #30301: (cachedout) Accept whatever comes into hightstate mock for state tests • PR #30282: (cachedout) Fix file.append logic • PR #30289: (cro) Fix problems with targeting proxies by grains • PR #30293: (cro) Ensure we don't log stuff we shouldn't • PR #30279: (cachedout) Allow modules to be packed into boto utils • PR #30186: (rallytime) Update CLI Examples in boto_ec2 module to reflect correct arg/kwarg positioning • PR #30156: (abednarik) Add option in file.append to ignore_whitespace. • PR #30189: (rallytime) Back-port #30185 to 2015.8 • PR #30215: (jacobhammons) Assorted doc bug fixes • PR #30206: (cachedout) Revert "Fix incorrect file permissions in file.line" • PR #30190: (jacobhammons) Updated doc site banners • PR #30180: (jfindlay) modules.x509._dec2hex: add fmt index for 2.6 compat • PR #30179: (terminalmage) Backport #26962 to 2015.8 branch • PR #29693: (abednarik) Handle missing source file in ssh_auth. • PR #30155: (rallytime) Update boto_secgroup and boto_iam_role docs to only use region OR profile • PR #30158: (rallytime) Move _option(value) calls to __salt__['config.option'] in boto utils • PR #30160: (dmurphy18) Fix parsing disk usage for line with no number and AIX values in Kilos • PR #30162: (rallytime) Update list_present and append grains state function docs to be more clear. • PR #30163: (rallytime) Add warning about using "=" in file.line function • PR #30164: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #30168: (abednarik) Fix incorrect file permissions in file.line • PR #30154: (Oro) Fix file serialize on windows • PR #30144: (rallytime) Added generic ESXCLI command ability to ESXi Proxy Minion • PR #30142: (terminalmage) Fix dockerng.push, and allow for multiple images • PR #30075: (joejulian) Convert glusterfs module to use xml • PR #30129: (optix2000) Clean up _uptodate() in git state • PR #30139: (rallytime) Back-port #29589 to 2015.8 • PR #30124: (abednarik) Update regex to detect ip alias in OpenBSD. • PR #30133: (stanislavb) Fix typo in gpgkey URL • PR #30126: (stanislavb) Log S3 API error message • PR #30128: (oeuftete) Log retryable transport errors as warnings • PR #30096: (cachedout) Add rm_special to crontab module • PR #30106: (techhat) Ensure last dir • PR #30101: (gtmanfred) fix bug where nova driver exits with no adminPass • PR #30090: (techhat) Add argument to isdir() • PR #30094: (rallytime) Fix doc formatting for cloud.create example in module.py state • PR #30095: (rallytime) Add the list_nodes_select function to linode driver • PR #30082: (abednarik) Fixed saltversioninfo grain return • PR #30084: (rallytime) Back-port #29987 to 2015.8 • PR #30071: (rallytime) Merge branch '2015.5' into '2015.8' • PR #30067: (ryan-lane) Pass in kwargs to boto_secgroup.convert_to_group_ids explicitly • PR #30069: (techhat) Ensure that pki_dir exists • PR #30064: (rallytime) Add Syndic documentation to miscellaneous Salt Cloud config options • PR #30049: (rallytime) Add some more unit tests for the vsphere execution module • PR #30060: (rallytime) Back-port #27104 to 2015.8 • PR #30048: (jacobhammons) Remove internal APIs from rest_cherrypy docs. • PR #30043: (rallytime) Be explicit about importing from salt.utils.jinja to avoid circular imports • PR #30038: (rallytime) Back-port #30017 to 2015.8 • PR #30036: (rallytime) Back-port #29995 to 2015.8 • PR #30035: (rallytime) Back-port #29895 to 2015.8 • PR #30034: (rallytime) Back-port #29893 to 2015.8 • PR #30033: (rallytime) Back-port #29876 to 2015.8 • PR #30029: (terminalmage) git.latest: Fix handling of nonexistent branches • PR #30016: (anlutro) Properly normalize locales in locale.gen_locale • PR #30015: (anlutro) locale module: don't escape the slash in \n • PR #30022: (gqgunhed) Two minor typos fixed • PR #30026: (anlutro) states.at: fix wrong variable being used • PR #29966: (multani) Fix bigip state/module documentation + serializers documentation • PR #29904: (twangboy) Improvements to osx packaging scripts • PR #29950: (multani) boto_iam: fix deletion of IAM users when using delete_keys=true • PR #29937: (multani) Fix states.boto_iam group users • PR #29934: (multani) Fix state.boto_iam virtual name • PR #29943: (cachedout) Check args correctly in boto_rds • PR #29924: (gqgunhed) fixed: uptime now working on non-US Windows • PR #29883: (serge-p) fix for nfs mounts in _active_mounts_openbsd() • PR #29894: (techhat) Support Saltfile in SPM • PR #29856: (rallytime) Added some initial unit tests for the salt.modules.vsphere.py file • PR #29855: (rallytime) Back-port #29740 to 2015.8 • PR #29890: (multani) Various documentation fixes • PR #29850: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29811: (anlutro) influxdb: add retention policy module functions • PR #29814: (basepi) [2015.8][Windows] Fix multi-master on windows • PR #29819: (rallytime) Add esxi module and state to docs build • PR #29832: (jleimbach) Fixed typo in order to use the keyboard module for RHEL without systemd • PR #29803: (rallytime) Add vSphere module to doc ref module tree • PR #29767: (abednarik) Hosts file update in mod_hostname. • PR #29772: (terminalmage) pygit2: skip submodules when traversing tree • PR #29765: (gtmanfred) allow nova driver to be boot from volume • PR #29773: (l2ol33rt) Append missing wget in debian installation guide • PR #29800: (rallytime) Back-port #29769 to 2015.8 • PR #29775: (paulnivin) Change listen requisite resolution from name to ID declaration • PR #29754: (rallytime) Back-port #29719 to 2015.8 • PR #29713: (The-Loeki) Pillar-based cloud providers still forcing use of deprecated 'provider' • PR #29729: (rallytime) Further clarifications on "unless" and "onlyif" requisites. • PR #29737: (akissa) fix pillar sqlite3 documentation examples • PR #29743: (akissa) fix pillar sqlite not honouring config options • PR #29723: (rallytime) Clarify db_user and db_password kwargs for postgres_user.present state function • PR #29722: (rallytime) Link "stateful" kwargs to definition of what "stateful" means for cmd state. • PR #29724: (rallytime) Add examples of using multiple matching levels to Pillar docs • PR #29726: (cachedout) Disable some boto tests per resolution of moto issue • PR #29708: (lagesag) Fix test=True for file.directory with recurse ignore_files/ignore_dirs. • PR #29642: (cachedout) Correctly restart deamonized minions on failure • PR #29599: (cachedout) Clean up minion shutdown • PR #29675: (clinta) allow returning all refs • PR #29683: (rallytime) Catch more specific error to pass the error message through elegantly. • PR #29687: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29681: (clinta) fix bare/mirror in git.latest • PR #29644: (rallytime) Fixed a couple more ESXi proxy minion bugs • PR #29645: (rallytime) Back-port #29558 to 2015.8 • PR #29632: (jfindlay) reduce severity of tls module __virtual__ logging • PR #29606: (abednarik) Fixed duplicate mtu entry in RedHat 7 network configuration. • PR #29613: (rallytime) Various ESXi Proxy Minion Bug Fixes • PR #29628: (DmitryKuzmenko) Don't create io_loop before fork • PR #29609: (basepi) [2015.8][salt-ssh] Add ability to set salt-ssh command umask in roster • PR #29603: (basepi) Fix orchestration failure-checking • PR #29597: (terminalmage) dockerng: Prevent exception when API response contains empty dictionary • PR #29596: (rallytime) Back-port #29587 to 2015.8 • PR #29588: (rallytime) Added ESXi Proxy Minion Tutorial • PR #29572: (gtmanfred) [nova] use old discover_extensions if available • PR #29545: (terminalmage) git.latest: init submodules if not yet initialized • PR #29548: (rallytime) Back-port #29449 to 2015.8 • PR #29547: (rallytime) Refactored ESXCLI-based functions to accept a list of esxi_hosts • PR #29563: (anlutro) Fix a call to deprecated method in python-influxdb • PR #29565: (bdrung) Fix typos and missing release note • PR #29540: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29499: (rallytime) Initial commit of ESXi Proxy Minion • PR #29526: (jfindlay) 2015.8.2 notes: add note about not being released • PR #29531: (jfindlay) grains.core: handle undefined variable • PR #29538: (basepi) [2015.8] [salt-ssh] Remove umask around actual execution for salt-ssh • PR #29505: (rallytime) Update boto_rds state docs to include funky yaml syntax for "tags" option. • PR #29513: (bdrung) Drop obsolete syslog.target from systemd services • PR #29500: (rallytime) Back-port #29467 to 2015.8 • PR #29463: (abednarik) Add ** kwargs to debconf.set. • PR #29399: (jfindlay) modules.status: add human_readable option to uptime • PR #29433: (cro) Files for building .pkg files for MacOS X • PR #29455: (jfindlay) modules.nova.__init__: do not return None • PR #29454: (jfindlay) rh_service module __virtual__ return error messages • PR #29476: (tbaker57) Doc fix - route_table_present needs subnet_names (not subnets) as a key • PR #29487: (rallytime) Back-port #29450 to 2015.8 • PR #29441: (rallytime) Make sure docs line up with blade_idrac function specs • PR #29440: (rallytime) Back-port #28925 to 2015.8 • PR #29435: (galet) Grains return wrong OS version and other OS related values for Oracle Linux • PR #29430: (rall0r) Fix host.present state limitation • PR #29417: (jacobhammons) Repo install updates • PR #29402: (techhat) Add rate limiting to linode • PR #29400: (twangboy) Fix #19332 • PR #29398: (cachedout) Lint 29288 • PR #29331: (DmitryKuzmenko) Bugfix - #29116 raet dns error • PR #29390: (jacobhammons) updated version numbers in documentation • PR #29381: (nmadhok) No need to deepcopy since six.iterkeys() creates a copy • PR #29349: (cro) Fix mis-setting chassis names • PR #29334: (rallytime) Back-port #29237 to 2015.8 • PR #29300: (ticosax) [dockerng] Add support for volume management in dockerng • PR #29218: (clan) check service enable state in test mode • PR #29315: (jfindlay) dev tutorial doc: fix markup errors • PR #29317: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29240: (clan) handle acl_type [[d]efault:][user|group|mask|other] • PR #29305: (lorengordon) Add 'file' as a source_hash proto • PR #29272: (jfindlay) win_status module: handle 12 hour time in uptime • PR #29289: (terminalmage) file.managed: Allow local file sources to use source_hash • PR #29264: (anlutro) Prevent ssh_auth.absent from running when test=True • PR #29277: (terminalmage) Update git_pillar runner to support new git ext_pillar config schema • PR #29283: (cachedout) Single-quotes and use format • PR #29139: (thomaso-mirodin) [salt-ssh] Add a range roster and range targeting options for the flat roster • PR #29282: (cachedout) dev docs: add development tutorial • PR #28994: (timcharper) add support to s3 for aws role assumption • PR #29278: (techhat) Add verify_log to SPM • PR #29067: (jacksontj) Fix infinite recursion in state compiler for prereq of SLSs • PR #29207: (jfindlay) do not shadow ret function argument • PR #29215: (rallytime) Back-port #29192 to 2015.8 • PR #29217: (clan) show duration only if state_output_profile is False • PR #29221: (ticosax) [dokcerng] Docu network mode • PR #29269: (jfindlay) win_status module: fix function names in docs • PR #29213: (rallytime) Move _wait_for_task func from vmware cloud to vmware utils • PR #29271: (techhat) Pass full path for digest (SPM) • PR #29244: (isbm) List products consistently across all SLES systems • PR #29255: (garethgreenaway) fixes to consul module • PR #29208: (whytewolf) Glance more profile errors • PR #29200: (jfindlay) mount state: unmount by device is optional • PR #29205: (trevor-h) Fixes #29187 - using winrm on EC2 • PR #29170: (cachedout) Migrate pydsl tests to integration test suite • PR #29198: (jfindlay) rh_ip module: only set the mtu once • PR #29135: (jfindlay) ssh_known_hosts.present state: catch not found exc • PR #29196: (s0undt3ch) We need novaclient imported to compare versions • PR #29059: (terminalmage) Work around upstream pygit2 bug • PR #29112: (eliasp) Prevent backtrace (KeyError) in ssh_known_hosts.present state • PR #29178: (whytewolf) Profile not being passed to keystone.endpoint_get in _auth. so if a p… Salt 2015.8.7 Release Notes NOTE: Salt 2015.8.4, 2015.8.5, and 2015.8.7 were all released within a short period due to regressions found soon after the releases of 2015.8.4 and 2015.8.5. These release notes contain all of the changes since 2015.8.3 to make it easier to see everything that has changed recently. Changes for v2015.8.4..v2015.8.7 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2016-02-11T22:13:51Z Statistics: • Total Merges: 2 • Total Issue references: 0 • Total PR references: 3 Changes: • PR #31111: (jtand) Fixes failing npm test on arch. @ 2016-02-10T21:51:47Z • 8d84c63 Merge pull request #31111 from jtand/8_4_npm_fix • b0a48e5 Fixes failing npm test on arch. • 733c6ab Some 3rd-party modules (e.g. gnupg) define custom log levels that emit at INFO level and above. This patch sets the color data lookups to default to TextFormat('reset') rather than producing a stack trace every time a log message is generated from an affected module. • 3f71fd0 Revert #30217 • PR #30217: (pass-by-value) Make sure cloud actions can be called via salt run • PR #31092: (terminalmage) Apply PR #31031 to 2015.8.4.follow_up @ 2016-02-10T20:54:37Z • 5a6a93e Merge pull request #31092 from terminalmage/issue31014-2015.8.4.follow_up * 2767a4e Don't handle epoch specially for dnf • e5dfcc0 More efficient way to add the epoch before version number • ed74627 include possible epoch in version for rpm • 6c6b66a Comment multiprocessing line in minion config • 1f7dfef Set multiprocessing to true in config.py • 433c645 Fix remove placeholder files • 7103756 Remove placeholder files • 20b381f Set overwrite to off • ca50f56 Fix boto_secgroup • fd571d2 Fix boto test failures • cfb6588 Fix regression when contents_pillar/contents_grains is a list. • 881d866 utils.aws: use time lib to conver to epoch seconds • 3141292 The call to cp.get_url needs the saltenv, if you're using environments other than base, it will fail. • a869401 Fix regression in git_pillar when multiple remotes are configured • 2243f25 Properly set the default value for pillar_merge_lists • c7472ff Lint • d868711 Fix failing boto_vpc module unit tests • ed09516 Fix failing state module tests • fd0e940 Pylint fix • bc780a7 Don't use pack=pack. Just pass in pack=__salt__ always. • 1ae022d Pass in 'pack' variable to utils.boto.assign_funcs function from ALL boto modules. • 1efaff1 Remove bad symlinks in osx pkg dirs • c7db435 Fix regression in scanning for state with 'name' param ---- Security Fix CVE-2016-1866: Improper handling of clear messages on the minion, which could result in executing commands not sent by the master. This issue affects only the 2015.8.x releases of Salt. In order for an attacker to use this attack vector, they would have to execute a successful attack on an existing TCP connection between minion and master on the pub port. It does not allow an external attacker to obtain the shared secret or decrypt any encrypted traffic between minion and master. Thank you to Sebastian Krahmer <krahmer@suse.com> for bringing this issue to our attention. We recommend everyone upgrade to 2015.8.4 as soon as possible. Core Changes • PR #28994: timcharper Salt S3 module has learned how to assume IAM roles • Added option mock=True for state.sls and state.highstate. This allows the salt state compiler to process sls data in a state run without actually calling the state functions, thus providing feedback on the validity of the arguments used for the functions beyond the preprocessing validation provided by state.show_sls (issue 30118 and issue 30189). salt '*' state.sls core,edit.vim mock=True salt '*' state.highstate mock=True salt '*' state.apply edit.vim mock=True Changes for v2015.8.3..v2015.8.4 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2016-01-25T17:48:35Z Total Merges: 320 Changes: • PR #30613: (basepi) Fix minion/syndic clearfuncs • PR #30609: (seanjnkns) Fix documentation for pillar_merge_lists which default is False, not … • PR #30584: (julianbrost) file.line state: add missing colon in docstring • PR #30589: (terminalmage) Merge 2015.5 into 2015.8 • PR #30599: (multani) Documentation formatting fixes • PR #30554: (rallytime) Make the salt-cloud actions output more verbose and helpful • PR #30549: (techhat) Salt Virt cleanup • PR #30553: (techhat) AWS: Support 17-character IDs • PR #30532: (whiteinge) Add execution module for working in sls files • PR #30529: (terminalmage) Merge 2015.5 into 2015.8 • PR #30526: (twangboy) Added FlushKey to make sure it's changes are saved to disk • PR #30521: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #30485: (jtand) Updated pip_state to work with pip 8.0 on 2015.8 • PR #30494: (isbm) Zypper: info_installed — 'errors' flag change to type 'boolean' • PR #30506: (jacksontj) Properly remove newlines after reading the file • PR #30508: (rallytime) Fix Linode driver cloning functionality • PR #30522: (terminalmage) Update git.list_worktree tests to reflect new return data • PR #30483: (borgstrom) Pyobjects recursive import support (for 2015.8) • PR #30491: (jacksontj) Add multi-IP support to network state • PR #30496: (anlutro) Fix KeyError when adding ignored pillars • PR #30359: (kingsquirrel152) Removes suspected copy/paste error for zmq_filtering functionailty • PR #30448: (cournape) Fix osx scripts location • PR #30457: (rallytime) Remove fsutils references from modules list • PR #30453: (rallytime) Make sure private AND public IPs are listed for Linode driver • PR #30458: (rallytime) Back-port #30062 to 2015.8 • PR #30468: (timcharper) make note of s3 role assumption in upcoming changelog • PR #30470: (whiteinge) Add example of the match_dict format to accept_dict wheel function • PR #30450: (gtmanfred) fix extension loading in novaclient • PR #30212: (abednarik) Fix incorrect file permissions in file.line • PR #29947: (jfindlay) fileclient: decode file list from master • PR #30363: (terminalmage) Use native "list" subcommand to list git worktrees • PR #30445: (jtand) Boto uses False for is_default instead of None • PR #30406: (frioux) Add an example of how to use file.managed/check_cmd • PR #30424: (isbm) Check if byte strings are properly encoded in UTF-8 • PR #30405: (jtand) Updated glusterfs.py for python2.6 compatibility. • PR #30396: (pass-by-value) Remove hardcoded val • PR #30391: (jtand) Added else statements • PR #30375: (rallytime) Wrap formatted log statements with six.u() in cloud/__init__.py • PR #30384: (isbm) Bugfix: info_available does not work correctly on SLE 11 series • PR #30376: (pritambaral) Fix FLO_DIR path in 2015.8 • PR #30389: (jtand) Older versions of ipset don't support comments • PR #30373: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #30372: (jacobhammons) Updated man pages for 2015.8.4, updated copyright to 2016 • PR #30370: (rallytime) Remove incomplete function • PR #30366: (rallytime) Back-port #28702 to 2015.8 • PR #30361: (cro) Flip the sense of the test for proxymodule imports, add more fns for esxi proxy • PR #30267: (isbm) Fix RPM issues with the date/time and add package attributes filtering • PR #30360: (jfindlay) file.remove, file.absent: mention recursive dir removal • PR #30221: (mbarrien) No rolcatupdate for user_exist in Postgres>=9.5 `#26845`_ • PR #30358: (terminalmage) Add libgit2 version to versions-report • PR #30346: (pass-by-value) Prevent orphaned volumes • PR #30349: (rallytime) Back-port #30347 to 2015.8 • PR #30354: (anlutro) Make sure all ignore_missing SLSes are caught • PR #30356: (nmadhok) Adding code author • PR #30340: (jtand) Updated seed_test.py for changes made to seed module • PR #30339: (jfindlay) Backport #26511 • PR #30343: (rallytime) Fix 2015.8 from incomplete back-port • PR #30342: (eliasp) Correct whitespace placement in error message • PR #30308: (rallytime) Back-port #30257 to 2015.8 • PR #30187: (rallytime) Back-port #27606 to 2015.8 • PR #30223: (serge-p) adding support for DragonFly BSD • PR #30238: (rallytime) Reinit crypto before calling RSA.generate when generating keys. • PR #30246: (dmacvicar) Add missing return data to scheduled jobs ( `#24237`_ ) • PR #30292: (thegoodduke) ipset: fix test=true & add comment for every entry • PR #30275: (abednarik) Add permanent argument in firewalld. • PR #30328: (cachedout) Fix file test • PR #30310: (pass-by-value) Empty bucket fix • PR #30211: (techhat) Execute choot on the correct path • PR #30309: (rallytime) Back-port #30304 to 2015.8 • PR #30278: (nmadhok) If datacenter is specified in the config, then look for managed objects under it • PR #30305: (jacobhammons) Changed examples to use the "example.com" domain instead of "mycompan… • PR #30249: (mpreziuso) Fixes performance and timeout issues on win_pkg.install • PR #30217: (pass-by-value) Make sure cloud actions can be called via salt run • PR #30268: (terminalmage) Optimize file_tree ext_pillar and update file.managed to allow for binary contents • PR #30245: (rallytime) Boto secgroup/iam_role: Add note stating us-east-1 is default region • PR #30299: (rallytime) ESXi Proxy minions states are located at salt.states.esxi, not vsphere. • PR #30202: (opdude) Fixed the periodic call to beacons • PR #30303: (jacobhammons) Changed notes to indicate that functions are matched using regular ex… • PR #30284: (terminalmage) salt.utils.gitfs: Fix Dulwich env detection and submodule handling • PR #30280: (jfindlay) add state mocking to release notes • PR #30273: (rallytime) Back-port #30121 to 2015.8 • PR #30301: (cachedout) Accept whatever comes into hightstate mock for state tests • PR #30282: (cachedout) Fix file.append logic • PR #30289: (cro) Fix problems with targeting proxies by grains • PR #30293: (cro) Ensure we don't log stuff we shouldn't • PR #30279: (cachedout) Allow modules to be packed into boto utils • PR #30186: (rallytime) Update CLI Examples in boto_ec2 module to reflect correct arg/kwarg positioning • PR #30156: (abednarik) Add option in file.append to ignore_whitespace. • PR #30189: (rallytime) Back-port #30185 to 2015.8 • PR #30215: (jacobhammons) Assorted doc bug fixes • PR #30206: (cachedout) Revert "Fix incorrect file permissions in file.line" • PR #30190: (jacobhammons) Updated doc site banners • PR #30180: (jfindlay) modules.x509._dec2hex: add fmt index for 2.6 compat • PR #30179: (terminalmage) Backport #26962 to 2015.8 branch • PR #29693: (abednarik) Handle missing source file in ssh_auth. • PR #30155: (rallytime) Update boto_secgroup and boto_iam_role docs to only use region OR profile • PR #30158: (rallytime) Move _option(value) calls to __salt__['config.option'] in boto utils • PR #30160: (dmurphy18) Fix parsing disk usage for line with no number and AIX values in Kilos • PR #30162: (rallytime) Update list_present and append grains state function docs to be more clear. • PR #30163: (rallytime) Add warning about using "=" in file.line function • PR #30164: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #30168: (abednarik) Fix incorrect file permissions in file.line • PR #30154: (Oro) Fix file serialize on windows • PR #30144: (rallytime) Added generic ESXCLI command ability to ESXi Proxy Minion • PR #30142: (terminalmage) Fix dockerng.push, and allow for multiple images • PR #30075: (joejulian) Convert glusterfs module to use xml • PR #30129: (optix2000) Clean up _uptodate() in git state • PR #30139: (rallytime) Back-port #29589 to 2015.8 • PR #30124: (abednarik) Update regex to detect ip alias in OpenBSD. • PR #30133: (stanislavb) Fix typo in gpgkey URL • PR #30126: (stanislavb) Log S3 API error message • PR #30128: (oeuftete) Log retryable transport errors as warnings • PR #30096: (cachedout) Add rm_special to crontab module • PR #30106: (techhat) Ensure last dir • PR #30101: (gtmanfred) fix bug where nova driver exits with no adminPass • PR #30090: (techhat) Add argument to isdir() • PR #30094: (rallytime) Fix doc formatting for cloud.create example in module.py state • PR #30095: (rallytime) Add the list_nodes_select function to linode driver • PR #30082: (abednarik) Fixed saltversioninfo grain return • PR #30084: (rallytime) Back-port #29987 to 2015.8 • PR #30071: (rallytime) Merge branch '2015.5' into '2015.8' • PR #30067: (ryan-lane) Pass in kwargs to boto_secgroup.convert_to_group_ids explicitly • PR #30069: (techhat) Ensure that pki_dir exists • PR #30064: (rallytime) Add Syndic documentation to miscellaneous Salt Cloud config options • PR #30049: (rallytime) Add some more unit tests for the vsphere execution module • PR #30060: (rallytime) Back-port #27104 to 2015.8 • PR #30048: (jacobhammons) Remove internal APIs from rest_cherrypy docs. • PR #30043: (rallytime) Be explicit about importing from salt.utils.jinja to avoid circular imports • PR #30038: (rallytime) Back-port #30017 to 2015.8 • PR #30036: (rallytime) Back-port #29995 to 2015.8 • PR #30035: (rallytime) Back-port #29895 to 2015.8 • PR #30034: (rallytime) Back-port #29893 to 2015.8 • PR #30033: (rallytime) Back-port #29876 to 2015.8 • PR #30029: (terminalmage) git.latest: Fix handling of nonexistent branches • PR #30016: (anlutro) Properly normalize locales in locale.gen_locale • PR #30015: (anlutro) locale module: don't escape the slash in \n • PR #30022: (gqgunhed) Two minor typos fixed • PR #30026: (anlutro) states.at: fix wrong variable being used • PR #29966: (multani) Fix bigip state/module documentation + serializers documentation • PR #29904: (twangboy) Improvements to osx packaging scripts • PR #29950: (multani) boto_iam: fix deletion of IAM users when using delete_keys=true • PR #29937: (multani) Fix states.boto_iam group users • PR #29934: (multani) Fix state.boto_iam virtual name • PR #29943: (cachedout) Check args correctly in boto_rds • PR #29924: (gqgunhed) fixed: uptime now working on non-US Windows • PR #29883: (serge-p) fix for nfs mounts in _active_mounts_openbsd() • PR #29894: (techhat) Support Saltfile in SPM • PR #29856: (rallytime) Added some initial unit tests for the salt.modules.vsphere.py file • PR #29855: (rallytime) Back-port #29740 to 2015.8 • PR #29890: (multani) Various documentation fixes • PR #29850: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29811: (anlutro) influxdb: add retention policy module functions • PR #29814: (basepi) [2015.8][Windows] Fix multi-master on windows • PR #29819: (rallytime) Add esxi module and state to docs build • PR #29832: (jleimbach) Fixed typo in order to use the keyboard module for RHEL without systemd • PR #29803: (rallytime) Add vSphere module to doc ref module tree • PR #29767: (abednarik) Hosts file update in mod_hostname. • PR #29772: (terminalmage) pygit2: skip submodules when traversing tree • PR #29765: (gtmanfred) allow nova driver to be boot from volume • PR #29773: (l2ol33rt) Append missing wget in debian installation guide • PR #29800: (rallytime) Back-port #29769 to 2015.8 • PR #29775: (paulnivin) Change listen requisite resolution from name to ID declaration • PR #29754: (rallytime) Back-port #29719 to 2015.8 • PR #29713: (The-Loeki) Pillar-based cloud providers still forcing use of deprecated 'provider' • PR #29729: (rallytime) Further clarifications on "unless" and "onlyif" requisites. • PR #29737: (akissa) fix pillar sqlite3 documentation examples • PR #29743: (akissa) fix pillar sqlite not honouring config options • PR #29723: (rallytime) Clarify db_user and db_password kwargs for postgres_user.present state function • PR #29722: (rallytime) Link "stateful" kwargs to definition of what "stateful" means for cmd state. • PR #29724: (rallytime) Add examples of using multiple matching levels to Pillar docs • PR #29726: (cachedout) Disable some boto tests per resolution of moto issue • PR #29708: (lagesag) Fix test=True for file.directory with recurse ignore_files/ignore_dirs. • PR #29642: (cachedout) Correctly restart deamonized minions on failure • PR #29599: (cachedout) Clean up minion shutdown • PR #29675: (clinta) allow returning all refs • PR #29683: (rallytime) Catch more specific error to pass the error message through elegantly. • PR #29687: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29681: (clinta) fix bare/mirror in git.latest • PR #29644: (rallytime) Fixed a couple more ESXi proxy minion bugs • PR #29645: (rallytime) Back-port #29558 to 2015.8 • PR #29632: (jfindlay) reduce severity of tls module __virtual__ logging • PR #29606: (abednarik) Fixed duplicate mtu entry in RedHat 7 network configuration. • PR #29613: (rallytime) Various ESXi Proxy Minion Bug Fixes • PR #29628: (DmitryKuzmenko) Don't create io_loop before fork • PR #29609: (basepi) [2015.8][salt-ssh] Add ability to set salt-ssh command umask in roster • PR #29603: (basepi) Fix orchestration failure-checking • PR #29597: (terminalmage) dockerng: Prevent exception when API response contains empty dictionary • PR #29596: (rallytime) Back-port #29587 to 2015.8 • PR #29588: (rallytime) Added ESXi Proxy Minion Tutorial • PR #29572: (gtmanfred) [nova] use old discover_extensions if available • PR #29545: (terminalmage) git.latest: init submodules if not yet initialized • PR #29548: (rallytime) Back-port #29449 to 2015.8 • PR #29547: (rallytime) Refactored ESXCLI-based functions to accept a list of esxi_hosts • PR #29563: (anlutro) Fix a call to deprecated method in python-influxdb • PR #29565: (bdrung) Fix typos and missing release note • PR #29540: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29499: (rallytime) Initial commit of ESXi Proxy Minion • PR #29526: (jfindlay) 2015.8.2 notes: add note about not being released • PR #29531: (jfindlay) grains.core: handle undefined variable • PR #29538: (basepi) [2015.8] [salt-ssh] Remove umask around actual execution for salt-ssh • PR #29505: (rallytime) Update boto_rds state docs to include funky yaml syntax for "tags" option. • PR #29513: (bdrung) Drop obsolete syslog.target from systemd services • PR #29500: (rallytime) Back-port #29467 to 2015.8 • PR #29463: (abednarik) Add ** kwargs to debconf.set. • PR #29399: (jfindlay) modules.status: add human_readable option to uptime • PR #29433: (cro) Files for building .pkg files for MacOS X • PR #29455: (jfindlay) modules.nova.__init__: do not return None • PR #29454: (jfindlay) rh_service module __virtual__ return error messages • PR #29476: (tbaker57) Doc fix - route_table_present needs subnet_names (not subnets) as a key • PR #29487: (rallytime) Back-port #29450 to 2015.8 • PR #29441: (rallytime) Make sure docs line up with blade_idrac function specs • PR #29440: (rallytime) Back-port #28925 to 2015.8 • PR #29435: (galet) Grains return wrong OS version and other OS related values for Oracle Linux • PR #29430: (rall0r) Fix host.present state limitation • PR #29417: (jacobhammons) Repo install updates • PR #29402: (techhat) Add rate limiting to linode • PR #29400: (twangboy) Fix #19332 • PR #29398: (cachedout) Lint 29288 • PR #29331: (DmitryKuzmenko) Bugfix - #29116 raet dns error • PR #29390: (jacobhammons) updated version numbers in documentation • PR #29381: (nmadhok) No need to deepcopy since six.iterkeys() creates a copy • PR #29349: (cro) Fix mis-setting chassis names • PR #29334: (rallytime) Back-port #29237 to 2015.8 • PR #29300: (ticosax) [dockerng] Add support for volume management in dockerng • PR #29218: (clan) check service enable state in test mode • PR #29315: (jfindlay) dev tutorial doc: fix markup errors • PR #29317: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #29240: (clan) handle acl_type [[d]efault:][user|group|mask|other] • PR #29305: (lorengordon) Add 'file' as a source_hash proto • PR #29272: (jfindlay) win_status module: handle 12 hour time in uptime • PR #29289: (terminalmage) file.managed: Allow local file sources to use source_hash • PR #29264: (anlutro) Prevent ssh_auth.absent from running when test=True • PR #29277: (terminalmage) Update git_pillar runner to support new git ext_pillar config schema • PR #29283: (cachedout) Single-quotes and use format • PR #29139: (thomaso-mirodin) [salt-ssh] Add a range roster and range targeting options for the flat roster • PR #29282: (cachedout) dev docs: add development tutorial • PR #28994: (timcharper) add support to s3 for aws role assumption • PR #29278: (techhat) Add verify_log to SPM • PR #29067: (jacksontj) Fix infinite recursion in state compiler for prereq of SLSs • PR #29207: (jfindlay) do not shadow ret function argument • PR #29215: (rallytime) Back-port #29192 to 2015.8 • PR #29217: (clan) show duration only if state_output_profile is False • PR #29221: (ticosax) [dokcerng] Docu network mode • PR #29269: (jfindlay) win_status module: fix function names in docs • PR #29213: (rallytime) Move _wait_for_task func from vmware cloud to vmware utils • PR #29271: (techhat) Pass full path for digest (SPM) • PR #29244: (isbm) List products consistently across all SLES systems • PR #29255: (garethgreenaway) fixes to consul module • PR #29208: (whytewolf) Glance more profile errors • PR #29200: (jfindlay) mount state: unmount by device is optional • PR #29205: (trevor-h) Fixes #29187 - using winrm on EC2 • PR #29170: (cachedout) Migrate pydsl tests to integration test suite • PR #29198: (jfindlay) rh_ip module: only set the mtu once • PR #29135: (jfindlay) ssh_known_hosts.present state: catch not found exc • PR #29196: (s0undt3ch) We need novaclient imported to compare versions • PR #29059: (terminalmage) Work around upstream pygit2 bug • PR #29112: (eliasp) Prevent backtrace (KeyError) in ssh_known_hosts.present state • PR #29178: (whytewolf) Profile not being passed to keystone.endpoint_get in _auth. so if a p… Salt 2015.8.8 Release Notes Changes for v2015.8.7..v2015.8.8 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2016-03-17T21:03:44Z Total Merges: 312 Changes: • PR #31947: (cro) Move proxymodule assignment earlier in proxy minion init • PR #31948: (rallytime) Revert "not not" deletion and add comment as to why that is there • PR #31952: (rallytime) Fix lint for 2015.8 branch • PR #31933: (rallytime) Fix linking syntax in testing docs • PR #31930: (cro) Backport changes from 2016.3 • PR #31924: (jfindlay) update 2015.8.8 release notes • PR #31922: (cachedout) For 2015.8 head • PR #31904: (rallytime) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #31906: (sbreidba) Win_dacl module: fix FULLCONTROL / FILE_ALL_ACCESS definition • PR #31745: (isbm) Fix the always-false behavior on checking state • PR #31911: (rallytime) Merge #31903 with pylint fix • PR #31883: (paiou) Fix scaleway cloud provider and manage x86 servers • PR #31903: (terminalmage) Use remote_ref instead of local_ref to see if checkout is necessary • PR #31845: (sakateka) Now a check_file_meta deletes temporary files when test=True • PR #31901: (rallytime) Back-port #31846 to 2015.8 • PR #31905: (terminalmage) Update versionadded directive • PR #31902: (rallytime) Update versionadded tag for new funcs • PR #31888: (terminalmage) Fix salt.utils.decorators.Depends • PR #31857: (sjorge) gen_password and del_password missing from solaris_shadow • PR #31879: (cro) Clarify some comments • PR #31815: (dr4Ke) Fix template on contents 2015.8 • PR #31818: (anlutro) Prevent event logs from writing huge amounts of data • PR #31836: (terminalmage) Fix git_pillar race condition • PR #31824: (rallytime) Back-port #31819 to 2015.8 • PR #31856: (szeestraten) Adds missing docs for Virtual Network and Subnet options in salt-cloud Azure cloud profile • PR #31839: (jfindlay) add 2015.8.8 release notes • PR #31828: (gtmanfred) Remove ability of authenticating user to specify pam service • PR #31787: (anlutro) Fix user_create and db_create for new versions of influxdb • PR #31800: (rallytime) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #31797: (Ch3LL) Change pkg name to less for suse pkg.info_installed test • PR #31793: (xopher-mc) fixing init system detection on sles 11, refs `#31617`_ • PR #31786: (isbm) Bugfix: zypper doesn't detect base product on SLE11 series • PR #31780: (gtmanfred) use already created vsphere connection • PR #31779: (sbreidba) win_dacl state & module: return comment field as strings, not lists. • PR #31723: (sjorge) file_ignore_regex is a list, not bool • PR #31747: (techhat) Use get_local_client with MASTER opts, not MINION • PR #31688: (whiteinge) Various SMTP returner fixes • PR #31752: (rallytime) Back-port #31686 to 2015.8 • PR #31733: (jacobhammons) docs to clarify cloud configuration • PR #31775: (techhat) Show correct provider/driver name • PR #31754: (techhat) Check all providers, not just the current one • PR #31735: (rallytime) Add reboot, start, and stop actions to digital ocean driver • PR #31770: (anlutro) Fix influxdb user functionality for version 0.9+ • PR #31743: (Talkless) Fix parentheses missmatch in documentation • PR #31162: (isbm) Remove MD5 digest from everywhere and default to SHA256 • PR #31670: (terminalmage) Write lists of minions targeted by syndic masters to job cache • PR #31711: (ticosax) [dockerng] Port and Volume comparison should consider Dockerfile • PR #31719: (techhat) Don't worry about KeyErrors if the node is already removed • PR #31713: (ticosax) [dockerng] Fix dockerng.network_present when container is given by name • PR #31705: (peripatetic-sojourner) Foreman pillar • PR #31702: (rallytime) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #31700: (s0undt3ch) It's a function! • PR #31679: (cro) Fix bad link to the sample REST endpoint in salt-contrib. • PR #31668: (rallytime) Some more testing documentation improvements • PR #31653: (DmitryKuzmenko) Don't attempt to verify token if it wasn't sent to master. • PR #31629: (darix) Fix services on sles • PR #31641: (rallytime) Improve Salt Testing tutorial to be a more comprehensive intro • PR #31651: (dr4Ke) test case: test_list_present_nested_already • PR #31643: (opdude) Make sure we are really updating the mercurial repository • PR #31598: (terminalmage) Remove limitations on validation types for eauth targets • PR #31627: (jakehilton) Handling error from using gevent 1.1. • PR #31630: (rallytime) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #31594: (rallytime) Back-port #31589 to 2015.8 • PR #31604: (joejulian) Workaround for non-xml output from gluster cli when not tty • PR #31583: (vutny) Remove trailing white spaces • PR #31592: (rallytime) Back-port #31546 to 2015.8 • PR #31593: (rallytime) Back-port #31570 to 2015.8 • PR #31567: (cachedout) Restore FIPS compliance when using master_finger • PR #31568: (twangboy) Grant permissions using SID instead of name • PR #31561: (jtand) Skipped test • PR #31550: (rallytime) Correct versionadded tag for win_service.config • PR #31549: (rallytime) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #31544: (DmitryKuzmenko) Protect getattr from recursion • PR #31525: (DmitryKuzmenko) Issues/30643 merge forward fixes • PR #31536: (virtualguy) Remove debian repo from raspbian installation • PR #31528: (vutny) Correct Salt Cloud documentation about updating Salt Bootstrap script • PR #31539: (DmitryKuzmenko) Added temporary workaround for CentOS 7 os-release id bug. • PR #31508: (mcalmer) Zypper correct exit code checking • PR #31510: (vutny) Add installation guide for Raspbian (Debian on Raspberry Pi) • PR #31498: (Ch3LL) rename methods in pkg states test • PR #31471: (cachedout) Correct issue where duplicate items in grains list during state run will result in duplicate grains • PR #31455: (ticosax) [dockerng] Disable notset check • PR #31488: (isbm) Unit Test for Zypper's "remove" and "purge" • PR #31485: (jacobhammons) Fixed transport description in minion / master config • PR #31411: (jtand) Added some beacons execution module integration tests • PR #31475: (jacobhammons) Assorted doc issues • PR #31477: (vutny) Correct installation documentation for Ubuntu • PR #31479: (isbm) Zypper unit tests & fixes • PR #31445: (rallytime) Only use LONGSIZE in rpm.info if available. Otherwise, use SIZE. • PR #31464: (Ch3LL) integartion test: ensure decorator only runs on one method and not class • PR #31458: (vutny) Correct installation documentation for Debian • PR #31457: (rallytime) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #31439: (rallytime) Fix lowpkg.info function for Ubuntu 12 - make sure we have a pkg name • PR #31456: (RabidCicada) Clarified the form of requisite targets/requisite-references • PR #31453: (DmitryKuzmenko) Backport cp_geturl fix for large files into 2015.8 • PR #31444: (jacobhammons) Documentation updates - ddns state, file.line state/exe function, installation dependencies • PR #31341: (twangboy) Clarification on Windows Package Manager docs • PR #31380: (kiorky) Bring up ext_pillar rendering errors as well • PR #31418: (terminalmage) Fix core grains when Debian OS detected as 'Debian GNU/Linux' • PR #31429: (mcalmer) fix argument handling for pkg.download • PR #31432: (ticosax) [dockerng] Hotfix docker 1.10.2 • PR #31420: (twangboy) Handle Unversioned Packages • PR #31417: (jacobhammons) ddns state docs updated with notes regarding the name, zone, and keyfile. • PR #31391: (redmcg) Added sanity check: is 'pillar' in self.opts • PR #31376: (cro) Some distros don't have a /lib/systemd • PR #31352: (ticosax) [dockerng] Pull missing images when calling dockerng.running • PR #31378: (mcalmer) Zypper refresh handling • PR #31373: (terminalmage) Use --set-upstream instead of --track to set upstream on older git • PR #31390: (abednarik) Fix Logrotate module. • PR #31354: (ticosax) [dockerng] Dont require auth for all registries • PR #31368: (whiteinge) Update list of netapi clients for autoclass • PR #31367: (techhat) Add docs on how to actually use SDB • PR #31357: (ticosax) [dockerng] Support docker inconsistencies • PR #31353: (ticosax) [dockerng] Fix when ports are integers • PR #31346: (ticosax) Backport #31130 to 2015.8 • PR #31332: (terminalmage) Clarify documentation for gitfs/hgfs/svnfs mountpoint and root options • PR #31305: (mcalmer) call zypper with option --non-interactive everywhere • PR #31337: (jacobhammons) Release notes and versioning for 2015.8.7 • PR #31326: (ticosax) [dockerng ] Detect settings removal • PR #31292: (twangboy) Fix dunder virtual to check for Remote Administration Tools • PR #31287: (joejulian) Rework tests and fix reverse peering with gluster 3.7 • PR #31196: (sakateka) Here are a few fixes utils.network • PR #31299: (rallytime) Allow state-output and state-verbose default settings to be set from CLI • PR #31317: (terminalmage) Fix versonadded directive • PR #31301: (terminalmage) Corrected fix for `#30999`_ • PR #31302: (terminalmage) Audit CLI opts used in git states • PR #31312: (terminalmage) Merge 2015.5 into 2015.8 • PR #31225: (pprince) Fix in file_tree pillar (Fixes `#31223`_ .) • PR #31233: (mcalmer) implement version_cmp for zypper • PR #31273: (rallytime) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #31253: (gtmanfred) allow for nova servers to be built with premade volumes • PR #31271: (rallytime) Back-port #30689 to 2015.8 • PR #31255: (jacobhammons) Fixes `#30461`_ • PR #31189: (dmacvicar) Fix crash with scheduler and runners ( `#31106`_ ) • PR #31201: (The-Loeki) Utilize prepared grains var in master-side ipcidr matching • PR #31239: (terminalmage) Improve logging when master cannot decode a payload • PR #31190: (twangboy) Clear minion cache before caching from master • PR #31226: (pprince) Minor docs fix: file_tree pillar (Fixes #31124) • PR #31234: (mcalmer) improve doc for list_pkgs • PR #31237: (mcalmer) add handling for OEM products • PR #31182: (rallytime) Back-port #31172 to 2015.8 • PR #31191: (rallytime) Make sure doc example matches kwarg • PR #31171: (Ch3LL) added logic to check for installed package • PR #31177: (Ch3LL) add integration test for issue `#30934`_ • PR #31181: (cachedout) Lint 2015.8 branch • PR #31169: (rallytime) Back-port #29718 to 2015.8 • PR #31170: (rallytime) Back-port #31157 to 2015.8 • PR #31147: (cro) Documentation clarifications. • PR #31153: (edencrane) Fixed invalid host causing 'reference to variable before assignment' • PR #31152: (garethgreenaway) fixes to beacon module, state module and friends • PR #31149: (jfindlay) add 2015.8.7 release notes • PR #31134: (isbm) Fix types in the output data and return just a list of products • PR #31120: (gtmanfred) Clean up some bugs in the nova driver • PR #31132: (rallytime) Make sure required profile configurations passed in a map file work • PR #31131: (Ch3LL) integration test for issue `#31014`_ • PR #31133: (cachedout) Fixup 31121 • PR #31125: (isbm) Force-kill websocket's child processes faster than default two minutes. • PR #31119: (sakateka) fixes for ipv6-only multi-master faliover • PR #31107: (techhat) Don't try to add a non-existent IP address • PR #31108: (jtand) Changed npm integration test to install request. • PR #31105: (cachedout) Lint 30975 • PR #31100: (jfindlay) states.x509: docs: peer.sls -> peer.conf • PR #31103: (twangboy) Point to reg.delete_key_recursive • PR #31093: (techhat) Ensure double directories don't get created • PR #31095: (jfindlay) modules.file, states.file: explain symbolic links • PR #31061: (rallytime) Revert #30217 - was causing salt-cloud -a breakage • PR #31090: (rallytime) Back-port #30542 to 2015.8 • PR #31085: (jacksontj) Correctly remove path we added after loader is completed • PR #31037: (vutny) Update RHEL installation guide to reflect latest repo changes • PR #31050: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #31053: (cachedout) Fix boto test failures • PR #31029: (twangboy) Windows defaults to multiprocessing true • PR #30998: (dmacvicar) add_key/reject_key: do not crash w/Permission denied: '/var/cache/salt/master/.dfn' ( `#27796`_ ) • PR #31049: (twangboy) Fix versionadded in win_service.config • PR #30987: (youngnick) Changed glusterfs.peer() module so state can handle localhost peering attempts. • PR #31042: (moltob) Allow using Windows path in archive.extracted name attribute • PR #31012: (terminalmage) Fix gitfs/git_pillar/winrepo provider to allow lowercase values • PR #31024: (jfindlay) modules.aptpkg.upgrade: clarify dist-upgrade usage • PR #31028: (twangboy) Fix config overwrite by windows installer • PR #31031: (terminalmage) More complete fix for `#31014`_ • PR #31026: (terminalmage) Fix regression when contents_pillar/contents_grains is a list. • PR #30978: (garethgreenaway) fixes to state.py in 2015.8 • PR #30893: (bdrung) Make build reproducible • PR #30945: (cachedout) Note that pillar cli args are sent via pub • PR #31002: (rmtmckenzie) Fix lxc cloud provided minion reporting present • PR #31007: (jtand) Fixed rabbitmq_vhost test failure. • PR #31004: (rallytime) Remove overstate docs and a few references. • PR #30965: (anlutro) Fix rabbitmq_vhost.present result when test=True • PR #30955: (Ch3LL) docs: add clarification when source is not defined • PR #30941: (rallytime) Back-port #30879 to 2015.8 • PR #30940: (twangboy) Fix Build Process for OSX • PR #30944: (jacobhammons) 2015.8.5 release notes linking and clean up • PR #30905: (joejulian) Add realpath to lvm.pvdisplay and use it in vg_present • PR #30924: (youngnick) Fix small bug with starting volumes after creation. • PR #30910: (cro) fix iDRAC state • PR #30919: (garethgreenaway) Fixes to ssh_auth state module • PR #30920: (jacobhammons) Versioned to 2015.8.5, added known issue `#30300`_ to release notes • PR #30894: (terminalmage) git module/state: Handle identity files more gracefully • PR #30750: (jfindlay) extract whole war version • PR #30884: (rallytime) Move checks for private_key file existence and permissions to create function • PR #30888: (ticosax) Backport #30797 to 2015.8 • PR #30895: (bdrung) Fix various typos • PR #30889: (anlutro) Make msgpack an optional dependency in salt.utils.cache • PR #30896: (vutny) Update nodegroups parameter examples in master config example and docs • PR #30898: (abednarik) Fix pkg install with version. • PR #30867: (rallytime) Pass in 'pack' variable to utils.boto.assign_funcs function from ALL boto modules • PR #30849: (jfindlay) utils.aws: use time lib to conver to epoch seconds • PR #30874: (terminalmage) Fix regression in git_pillar when multiple remotes are configured • PR #30850: (jfindlay) modules.dpkg._get_pkg_info: allow for ubuntu 12.04 • PR #30852: (replicant0wnz) Added more descriptive error message • PR #30847: (terminalmage) Backport #30844 to 2015.8 branch • PR #30860: (vutny) Correct installation documentation for RHEL-based distributions • PR #30841: (jacobhammons) Release notes for 2015.8.5 • PR #30835: (terminalmage) Integration test for `#30820`_ • PR #30837: (jacobhammons) Added known issue `#30820`_ to release notes • PR #30832: (rallytime) Add grains modules to salt modindex • PR #30822: (rallytime) Make sure setting list_user_permissions to ['', '', ''] doesn't stacktrace • PR #30833: (terminalmage) Fix regression in scanning for state with 'name' param • PR #30823: (yannis666) Fix for mine to merge configuration on update. • PR #30827: (jacobhammons) Version to 2015.8.4, added CVE 2016-1866 to release notes • PR #30813: (anlutro) Properly set the default value for pillar_merge_lists • PR #30826: (cachedout) Fix 30682 • PR #30818: (rallytime) Back-port #30790 to 2015.8 • PR #30815: (vutny) Pick right user argument for updating reactor function's low data • PR #30747: (jfindlay) modules.lxc.running_systemd: use command -v not which • PR #30800: (twangboy) Ability to handle special case installations • PR #30794: (rallytime) A spelling fix and some spacing fixes for the boto_ec2 module docs • PR #30756: (basepi) [2015.8] Fix two error conditions in the highstate outputter • PR #30788: (rallytime) Fix incorrect doc example for dellchassis blade_idrac state • PR #30791: (Ch3LL) do not shadow ret function argument for salt.function • PR #30726: (sjmh) Fix improper use of yield in generator • PR #30752: (terminalmage) Backport systemd and yum/dnf optimizations from develop into 2015.8 • PR #30759: (thusoy) Allow managing empty files • PR #30758: (thusoy) Support mounting labelled volumes with multiple drives • PR #30686: (cachedout) Master-side pillar caching • PR #30675: (jfindlay) handle non-ascii minion IDs • PR #30691: (rallytime) Make sure we use the "instance" kwarg in cloud.action. • PR #30713: (rallytime) Fix-up autodoc proxy modules for consistency • PR #30741: (jfindlay) states.locale.__virtual__: return exec mod load err • PR #30751: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8 • PR #30720: (clinta) x509.pem_managed does not return changes dict • PR #30687: (clarkperkins) Setting 'del_root_vol_on_destroy' changes the root volume type to 'standard' • PR #30673: (terminalmage) Properly derive the git_pillar cachedir from the id instead of the URL • PR #30666: (cachedout) Fix grains cache • PR #30623: (twangboy) Added service.config function • PR #30678: (rallytime) Back-port #30668 to 2015.8 • PR #30677: (clarkperkins) Fix EC2 volume creation logic • PR #30680: (cro) Merge forward from 2015.5, primarily for #30671 • PR #30663: (isbm) Zypper: latest version bugfix and epoch support feature • PR #30652: (mew1033) Fix sh beacon • PR #30657: (jfindlay) [2015.8] Backport #30378 and #29650 • PR #30656: (rallytime) [2015.8] Merge 2015.5 into 2015.8 • PR #30644: (tbaker57) Another go at fixing 30573 • PR #30611: (isbm) Bugfix: Zypper pkg.latest crash fix • PR #30631: (rallytime) Refactor rabbitmq_cluster states to use test=true functionality correctly • PR #30628: (rallytime) Refactor rabbitmq_policy states to use test=true functionality correctly • PR #30624: (cro) Remove bad symlinks from osx pkg dir • PR #30622: (rallytime) Add glance state to list of state modules • PR #30618: (rallytime) Back-port #30591 to 2015.8 • PR #30625: (jfindlay) doc.topics.eauth: clarify client_acl vs eauth Salt 2015.5.0 Release Notes - Codename Lithium The 2015.5.0 feature release of Salt is focused on hardening Salt and mostly on improving existing systems. A few major additions are present, primarily the new Beacon system. Most enhancements have been focused around improving existing features and interfaces. As usual the release notes are not exhaustive and primarily include the most notable additions and improvements. Hundreds of bugs have been fixed and many modules have been substantially updated and added. WARNING: In order to fix potential shell injection vulnerabilities in salt modules, a change has been made to the various cmd module functions. These functions now default to python_shell=False, which means that the commands will not be sent to an actual shell. The largest side effect of this change is that "shellisms", such as pipes, will not work by default. The modules shipped with salt have been audited to fix any issues that might have arisen from this change. Additionally, the cmd state module has been unaffected, and use of cmd.run in jinja is also unaffected. cmd.run calls on the CLI will also allow shellisms. However, custom execution modules which use shellisms in cmd calls will break, unless you pass python_shell=True to these calls. As a temporary workaround, you can set cmd_safe: False in your minion and master configs. This will revert the default, but is also less secure, as it will allow shell injection vulnerabilities to be written in custom code. We recommend you only set this setting for as long as it takes to resolve these issues in your custom code, then remove the override. NOTE: Starting in this version of salt, pillar_opts defaults to False instead of True. This means that master opts will not be present in minion pillar, and as a result, config.get calls will not include master opts. We recommend pillar is used for configuration options which need to make it to the minion. Beacons The beacon system allows the minion to hook into system processes and continually translate external events into the salt event bus. The primary example of this is the inotify beacon. This beacon uses inotify to watch configured files or directories on the minion for changes, creation, deletion etc. This allows for the changes to be sent up to the master where the reactor can respond to changes. Sudo Minion Settings It is now possible to run the minion as a non-root user and for the minion to execute commands via sudo. Simply add sudo_user: root to the minion config, run the minion as a non-root user and grant that user sudo rights to execute salt-call. Lazy Loader The Lazy Loader is a significant overhaul of Salt's module loader system. The Lazy Loader will lazily load modules on access instead of all on start. In addition to a major performance improvement, this "sandboxes" modules so a bad/broken import of a single module will only affect jobs that require accessing the broken module. (:issue: 20274) Enhanced Active Directory Support The eauth system for LDAP has been extended to support Microsoft Active Directory out of the box. This includes Active Directory and LDAP group support for eauth. Salt LXC Enhancements The LXC systems have been overhauled to be more consistent and to fix many bugs. This overhaul makes using LXC with Salt much easier and substantially improves the underlying capabilities of Salt's LXC integration. Salt SSH • Additional configuration options and command line flags have been added to configure the scan roster on the fly • Added support for state.single in salt-ssh • Added support for publish.publish, publish.full_data, and publish.runner in salt-ssh • Added support for mine.get in salt-ssh New Windows Installer The new Windows installer changes how Salt is installed on Windows. The old installer used bbfreeze to create an isolated python environment to execute in. This made adding modules and python libraries difficult. The new installer sets up a more flexible python environment making it easy to manage the python install and add python modules. Instead of frozen packages, a full python implementation resides in the bin directory (C:\salt\bin). By executing pip or easy_install from within the Scripts directory (C:\salt\bin\Scripts) you can install any additional python modules you may need for your custom environment. The .exe's that once resided at the root of the salt directory (C:\salt) have been replaced by .bat files and should function the same way as the .exe's in previous versions. The new Windows Installer will not replace the minion config file and key if they already exist on the target system. Only the salt program files will be replaced. C:\salt\conf and C:\salt\var will remain unchanged. Removed Requests Dependency The hard dependency on the requests library has been removed. Requests is still required by a number of cloud modules but is no longer required for normal Salt operations. This removal fixes issues that were introduced with requests and salt-ssh, as well as issues users experienced from the many different packaging methods used by requests package maintainers. Python 3 Updates While Salt does not YET run on Python 3 it has been updated to INSTALL on Python 3, taking us one step closer. What remains is getting the test suite to the point where it can run on Python 3 so that we can verify compatibility. RAET Additions The RAET support continues to improve. RAET now supports multi-master and many bugs and performance issues have been fixed. RAET is much closer to being a first class citizen. Modified File Detection A number of functions have been added to the RPM-based package managers to detect and diff files that are modified from the original package installs. This can be found in the new pkg.modified functions. Reactor Update Fix an infinite recursion problem for runner/wheel reactor jobs by passing a "user" (Reactor) to all jobs that the reactor starts. The reactor skips all events created by that username -- thereby only reacting to events not caused by itself. Because of this, runner and wheel executions from the runner will have user "Reactor" in the job cache. Misc Fixes/Additions • SDB driver for etcd. (:issue: 22043) • Add only_upgrade argument to apt-based pkg.install to only install a package version if the package is already installed. (Great for security updates!) • Joyent now requires a keyname to be specified in the provider configuration. This change was necessitated upstream by the 7.0+ API. • Add args argument to cmd.script_retcode to match cmd.script in the cmd module. (:issue: 21122) • Fixed bug where TCP keepalive was not being sent on the defined interval on the return port (4506) from minion to master. (:issue: 21465) • LocalClient may now optionally raise SaltClientError exceptions. If using this class directly, checking for and handling this exception is recommended. (:issue: 21501) • The SAuth object is now a singleton, meaning authentication state is global (per master) on each minion. This reduces sign-ins of minions from 3->1 per startup. • Nested outputter has been optimized, it is now much faster. • Extensive fileserver backend updates. Deprecations • Removed parameter keyword argument from eselect.exec_action execution module. • Removed runas parameter from the following pip` execution module functions: install, uninstall, freeze, list_, list_upgrades, upgrade_available, upgrade. Please migrate to user. • Removed runas parameter from the following pip state module functions: installed, removed, uptodate . Please migrate to user. • Removed quiet option from all functions in cmdmod execution module. Please use output_loglevel=quiet instead. • Removed parameter argument from eselect.set_ state. Please migrate to module_parameter or action_parameter. • The salt_events table schema has changed to include an additional field called master_id to distinguish between events flowing into a database from multiple masters. If event_return is enabled in the master config, the database schema must first be updated to add the master_id field. This alteration can be accomplished as follows: ALTER TABLE salt_events ADD master_id VARCHAR(255) NOT NULL; Known Issues • In multi-master mode, a minion may become temporarily unresponsive if modules or pillars are refreshed at the same time that one or more masters are down. This can be worked around by setting 'auth_timeout' and 'auth_tries' down to shorter periods. Salt 2015.5.1 Release Notes release 2015-05-20 Version 2015.5.1 is a bugfix release for 2015.5.0. Changes: • salt.runners.cloud.action() has changed the fun keyword argument to func. Please update any calls to this function in the cloud runner. Extended Changelog Courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): PR #23989: (rallytime) Backport #23980 to 2015.5 @ 2015-05-20T19:33:41Z • PR #23980: (iggy) template: jinja2 -> jinja | refs: #23989 • 117ecb1 Merge pull request #23989 from rallytime/bp-23980 • 8f8557c template: jinja2 -> jinja PR #23988: (rallytime) Backport #23977 to 2015.5 @ 2015-05-20T19:13:36Z • PR #23977: (ionutbalutoiu) Fixed glance image_create | refs: #23988 • d4f1ba0 Merge pull request #23988 from rallytime/bp-23977 • 46fc7c6 Fixed glance image_create PR #23986: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-20T18:41:33Z • PR #23965: (hvnsweeting) handle all exceptions gitpython can raise • 9566e7d Merge pull request #23986 from basepi/merge-forward-2015.5 • 0b78156 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 314e4db Merge pull request #23965 from hvnsweeting/20147-fix-gitfs-gitpython-exception • 2576301 handle all exception gitpython can raise PR #23985: (UtahDave) Add 2014.7.5-2 and 2015.5.0-2 Windows installer download links @ 2015-05-20T18:32:44Z • 9d1130e Merge pull request #23985 from UtahDave/2015.5local • 10338d0 Add links to Windows 2015.5.0-2 install downloads • b84f975 updated Windows 2014.7.5-2 installer download link PR #23983: (rallytime) Versionadded tags for https_user and https_pass args new in 2015.5.0 @ 2015-05-20T18:05:27Z • ca7729d Merge pull request #23983 from rallytime/versionadded_git_options • 14eae22 Versionadded tags for https_user and https_pass args new in 2015.5.0 PR #23970: (jayeshka) adding system unit test case @ 2015-05-20T17:12:57Z • b06df57 Merge pull request #23970 from jayeshka/system-unit-test • 89eb008 adding system unit test case PR #23967: (jayeshka) adding states/memcached unit test case @ 2015-05-20T17:12:26Z • 38d5f75 Merge pull request #23967 from jayeshka/memcached-states-unit-test • 8ef9240 adding states/memcached unit test case PR #23966: (jayeshka) adding states/modjk unit test case @ 2015-05-20T17:11:48Z • 868e807 Merge pull request #23966 from jayeshka/modjk-states-unit-test • 422a964 adding states/modjk unit test case PR #23942: (jacobhammons) Updates to sphinx saltstack2 doc theme @ 2015-05-20T15:43:54Z • 6316490 Merge pull request #23942 from jacobhammons/2015.5 • 31023c8 Updates to sphinx saltstack2 doc theme PR #23874: (joejulian) Validate keyword arguments to be valid @ 2015-05-20T04:53:40Z • ISSUE #23872: (joejulian) create_ca_signed_cert can error if dereferenced dict is used for args | refs: #23874 • 587957b Merge pull request #23874 from joejulian/2015.5_tls_validate_kwargs • 30102ac Fix py3 and ordering inconsistency problems. • 493f7ad Validate keyword arguments to be valid PR #23960: (rallytime) Backport #22114 to 2015.5 @ 2015-05-20T04:37:09Z • PR #22114: (dmyerscough) Fixing KeyError when there are no additional pages | refs: #23960 • 00c5c22 Merge pull request #23960 from rallytime/bp-22114 • f3e1d63 Catch KeyError • 306b1ea Fixing KeyError • 6b2cda2 Fix PEP8 complaint • 239e50f Fixing KeyError when there are no additional pages PR #23961: (rallytime) Backport #23944 to 2015.5 @ 2015-05-20T04:35:41Z • PR #23944: (ryan-lane) Add missing loginclass argument to _changes call | refs: #23961 • 4648b46 Merge pull request #23961 from rallytime/bp-23944 • 970d19a Add missing loginclass argument to _changes call PR #23948: (jfindlay) augeas.change state now returns changes as a dict @ 2015-05-20T04:00:10Z • 0cb5cd3 Merge pull request #23948 from jfindlay/augeas_changes • f09b80a augeas.change state now returns changes as a dict PR #23957: (rallytime) Backport #23951 to 2015.5 @ 2015-05-20T03:04:24Z • PR #23951: (ryan-lane) Do not check perms in file.copy if preserve | refs: #23957 • 2d185f7 Merge pull request #23957 from rallytime/bp-23951 • 996b431 Update file.py • 85d461f Do not check perms in file.copy if preserve • PR #23956: (rallytime) Backport #23906 to 2015.5 @ 2015-05-20T03:04:14Z • ISSUE #23839: (gladiatr72) wonky loader syndrome | refs: #23906 • ISSUE #23373: (tnypex) reactor/orchestrate race condition on salt['pillar.get'] | refs: #23906 • PR #23906: (gladiatr72) Added exception handler to trap the RuntimeError raised when | refs: #23956 • ebff1ff Merge pull request #23956 from rallytime/bp-23906 • 9d87fd3 add proper marker for format argument • 197688e Added exception handler to trap the RuntimeError raised when Depends.enforce_dependency() class method fires unsuccessfully. There appears to be no synchronization within the Depends decorator class wrt the class global dependency_dict which results in incomplete population of any loader instantiation occurring at the time of one of these exceptions. • PR #23955: (rallytime) Backport #19305 to 2015.5 @ 2015-05-20T03:03:55Z • ISSUE #19852: (TaiSHiNet) DigitalOcean APIv2 can't delete machines when there is only 1 page | refs: #23955 • ISSUE #19304: (TaiSHiNet) DigitalOcean API v2 cannot delete VMs on 2nd page | refs: #19305 • PR #19305: (TaiSHiNet) Fixes droplet listing past page 1 | refs: #23955 • da3f919 Merge pull request #23955 from rallytime/bp-19305 • bbf2429 Fixes droplet listing past page 1 • PR #23940: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-19T22:37:58Z • ISSUE #23820: (UtahDave) 2014.7.5 schedule error | refs: #23881 • ISSUE #22131: (quixoten) "unexpected keyword argument 'merge'" on 2014.7.2 (salt-ssh) | refs: #23887 • PR #23939: (basepi) Add extended changelog to 2014.7.6 release notes • PR #23887: (basepi) [2014.7] Bring salt-ssh pillar.get in line with mainline pillar.get • PR #23881: (garethgreenaway) Fixes to schedule module in 2014.7 • 02a78fc Merge pull request #23940 from basepi/merge-forward-2015.5 • 36f0065 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 9133912 Merge pull request #23939 from basepi/v2014.7.6release • 32b65dc Add extended changelog to 2014.7.6 release notes • 0031ca2 Merge pull request #23881 from garethgreenaway/23820_2014_7_schedule_list_issue • b207f2a Missing continue in the list function when deleting unused attributes. • 63bd21e Merge pull request #23887 from basepi/salt-ssh.pillar.get.22131 • bc84502 Bring salt-ssh pillar.get in line with mainline pillar.get • PR #23932: (rallytime) Backport #23908 to 2015.5 @ 2015-05-19T21:41:28Z • PR #23908: (nleib) fix connection function to mongo | refs: #23932 • ee4c01b Merge pull request #23932 from rallytime/bp-23908 • 5d520c9 fix connection function to mongo • PR #23931: (rallytime) Backport #23880 to 2015.5 @ 2015-05-19T21:41:18Z • PR #23880: (bastiaanb) if setting client_config_dir to '~', expand path | refs: #23931 • 70bd407 Merge pull request #23931 from rallytime/bp-23880 • 8ce59a2 if setting client_config_dir to '~', expand path • PR #23898: (kiorky) Lxc profiles | refs: #23897 @ 2015-05-19T21:08:28Z • ISSUE #23847: (kiorky) lxc: systemd containers cant be seeded | refs: #23806 #23898 #23897 #23808 • ISSUE #23833: (kiorky) lxc.set_dns fails intermittently | refs: #23898 #23807 #23897 #23808 • ISSUE #23772: (cheuschober) lxc.init fails to bootstrap container | refs: #23806 #23898 #23807 #23897 #23808 • ISSUE #23658: (arthurlogilab) [salt-cloud lxc] too verbose, shows host: True multiple times when starting | refs: #23898 #23897 • ISSUE #23657: (arthurlogilab) [salt-cloud lxc] NameError: global name '__salt__' is not defined | refs: #23727 #23898 #23897 • PR #23897: (kiorky) Lxc seed and prof ports | refs: #23898 • PR #23808: (kiorky) Lxc seed and prof ports | refs: #23807 #23897 • PR #23807: (kiorky) Lxc profiles | refs: #23898 • PR #23806: (kiorky) Lxc seeding | refs: #23807 • 5bdbf0a Merge pull request #23898 from makinacorpus/lxc_profiles • d9051a0 lxc: systemd support • e8d674f lxc: chroot fallback toggle • e2887a0 lxc: sync func name with develop • e96e345 lxc more fixes (lxc.set_dns) • fdb6424 lxc: Fix salt config (no more a kwarg) • 63e63fa repair salt cloud lxc api on develop • 80eabe2 lxc salt cloud doc • 73f229d lxc: unificate saltconfig/master/master_port • 0bc1f08 lxc: refactor a bit saltcloud/lxc interface • 7a80370 lxc: get networkprofile from saltcloud • 47acb2e lxc: default net profile has now correct options • 7eadf48 lxc: select the appropriate default bridge • PR #23922: (garethgreenaway) Fixes to debian_ip.py @ 2015-05-19T18:50:53Z • ISSUE #23900: (hashi825) salt ubuntu network building issue 2015.5.0 | refs: #23922 • b818f72 Merge pull request #23922 from garethgreenaway/23900_2015_5_bonding_interface_fixes • 0bba536 Fixing issue reported when using bonded interfaces on Ubuntu. Attributes should be bond-, but the code was attempting to split just on bond_ . Fix accounts for both, but the debian_ip.py module will write out bond attributes with bond- • PR #23925: (jpic) Fixed wrong path in LXC cloud documentation @ 2015-05-19T18:23:56Z • PR #23924: (jpic) Fixed wrong path in LXC cloud documentation | refs: #23925 • b1c98a3 Merge pull request #23925 from jpic/fix/wrong_lxc_path • a4bcd75 Fixed wrong path in LXC cloud documentation • PR #23894: (whiteinge) Add __all__ attribute to Mock class for docs @ 2015-05-19T17:17:35Z • 7f6a716 Merge pull request #23894 from whiteinge/doc-mock__all__ • 6eeca46 Add __all__ attribute to Mock class for docs • PR #23884: (jfindlay) Fix locale.set_locale on debian @ 2015-05-19T15:51:22Z • ISSUE #23767: (chrimi) Salt system.locale fails on non existent default locale | refs: #23884 • 8108a9b Merge pull request #23884 from jfindlay/fix_locale • 91c2d51 use append_if_not_found in locale.set_locale • e632603 (re)generate /etc/default/locale • PR #23866: (jfindlay) backport #23834, change portage.dep.strip_empty to list comprehension @ 2015-05-19T15:50:43Z • PR #23834: (Arabus) Avoid deprecation warning from portage.dep.strip_empty() | refs: #23866 • 6bae12f Merge pull request #23866 from jfindlay/flag_strip • aa032cc replace portage.dep.strip_empty() with list comprehension • 7576872 Proper replacement for portage.dep.strip_empty() with list comprehension, pep8fix • 2851a5c Switch portage.dep.strip_empty(...) to filter(None,...) to avoid deprecation warning and do essentially the same • PR #23917: (corywright) Split debian bonding options on dash instead of underscore @ 2015-05-19T15:44:35Z • ISSUE #23904: (mbrgm) Network config bonding section cannot be parsed when attribute names use dashes | refs: #23917 • a67a008 Merge pull request #23917 from corywright/issue23904 • c06f8cf Split debian bonding options on dash instead of underscore • PR #23909: (jayeshka) 'str' object has no attribute 'capitalized' @ 2015-05-19T15:41:53Z • e8fcd09 Merge pull request #23909 from jayeshka/file-exe-module • e422d9d 'str' object has no attribute 'capitalized' • PR #23903: (garethgreenaway) Adding docs for missing schedule state module parameters. @ 2015-05-19T06:29:34Z • c73bf38 Merge pull request #23903 from garethgreenaway/missing_docs_schedule_state • acd8ab9 Adding docs for missing schedule state module parameters. • f7eb70c changed previous release to 2014.7.6 • 608059f Merge branch '2015.5' of https://github.com/jacobhammons/salt into 2015.5 • a56697b Merge branch '2015.5' of https://github.com/saltstack/salt into 2015.5 • 1c2af5c Merge branch '2015.5' of https://github.com/saltstack/salt into 2015.5 • ef58128 Merge branch '2015.5' of https://github.com/saltstack/salt into 2015.5 • 8664e8b Merge branch '2015.5' of https://github.com/saltstack/salt into 2015.5-2 • 46eb265 saltstack2 sphinx theme updates • e7442d3 Merge branch '2015.5' of https://github.com/saltstack/salt into 2015.5 • ee3c1bd missed one • 3872921 More updates to sphinx2 theme • fcd4865 Merge branch '2015.5' of https://github.com/saltstack/salt into 2015.5 • 8c32152 removed TOC numbering, additional tweaks to layout.html • 73dfaef Merge branch '2015.5' of https://github.com/saltstack/salt into 2015.5 • 16d8a75 saltstack2 sphinx theme and build settings • PR #23806: (kiorky) Lxc seeding | refs: #23807 @ 2015-05-18T23:18:33Z • ISSUE #23847: (kiorky) lxc: systemd containers cant be seeded | refs: #23806 #23898 #23897 #23808 • ISSUE #23772: (cheuschober) lxc.init fails to bootstrap container | refs: #23806 #23898 #23807 #23897 #23808 • ff3cc7d Merge pull request #23806 from makinacorpus/lxc_seeding • 61b7aad runners/lxc: optim • PR #23892: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-18T23:07:57Z • PR #23891: (basepi) Update the release notes index page • PR #23888: (basepi) Update the 2014.7.6 release notes with CVE details • PR #23871: (rallytime) Backport #23848 to 2014.7 • PR #23848: (dumol) Updated installation docs for SLES 12. | refs: #23871 • 5f1a93d Merge pull request #23892 from basepi/merge-forward-2015.5 • c2eed77 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 17c5810 Merge pull request #23891 from basepi/releasenotes • dec153b Update the release notes index page • a93e58f Merge pull request #23888 from basepi/v2014.7.6release • 49921b6 Update the 2014.7.6 release notes with CVE details • 5073028 Merge pull request #23871 from rallytime/bp-23848 • 379c09c Updated for SLES 12. • PR #23875: (rallytime) Backport #23838 to 2015.5 @ 2015-05-18T22:28:55Z • PR #23838: (gtmanfred) add refresh_beacons and sync_beacons | refs: #23875 • 66d1335 Merge pull request #23875 from rallytime/bp-23838 • 3174227 Add versionadded directives to new beacon saltutil functions • 4a94b2c add refresh_beacons and sync_beacons • PR #23876: (rallytime) Switch digital ocean tests to v2 driver @ 2015-05-18T22:17:13Z • d294cf2 Merge pull request #23876 from rallytime/switch_digital_ocean_tests_v2 • dce9b54 Remove extra line • 4acf58e Switch digital ocean tests to v2 driver • PR #23882: (garethgreenaway) Fixes to scheduler in 2015.5 @ 2015-05-18T22:09:24Z • ISSUE #23792: (neogenix) Salt Scheduler Incorrect Response (True, should be False) | refs: #23882 • b97a48c Merge pull request #23882 from garethgreenaway/23792_2015_5_wrong_return_code • 37dbde6 Job already exists in schedule, should return False. • PR #23868: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-18T18:35:54Z • ISSUE #20198: (jcftang) virt.get_graphics, virt.get_nics are broken, in turn breaking other things | refs: #23809 • PR #23823: (gtmanfred) add link local for ipv6 • PR #23810: (rallytime) Backport #23757 to 2014.7 • PR #23809: (rallytime) Fix virtualport section of virt.get_nics loop • PR #23802: (gtmanfred) if it is ipv6 ip_to_int will fail • PR #23757: (clan) use abspath, do not eliminating symlinks | refs: #23810 • PR #23573: (techhat) Scan all available networks for public and private IPs | refs: #23802 • PR #21487: (rallytime) Backport #21469 to 2014.7 | refs: #23809 • PR #21469: (vdesjardins) fixes #20198: virt.get_graphics and virt.get_nics calls in module virt | refs: #21487 • 61c922e Merge pull request #23868 from basepi/merge-forward-2015.5 • c9ed233 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • aee00c8 Merge pull request #23810 from rallytime/bp-23757 • fb32c32 use abspath, do not eliminating symlinks • 6b3352b Merge pull request #23809 from rallytime/virt_get_nics_fix • 0616fb7 Fix virtualport section of virt.get_nics loop • 188f03f Merge pull request #23823 from gtmanfred/2014.7 • 5ef006d add link local for ipv6 • f3ca682 Merge pull request #23802 from gtmanfred/2014.7 • 2da98b5 if it is ipv6 ip_to_int will fail • PR #23863: (rahulhan) Adding states/timezone.py unit test @ 2015-05-18T17:02:19Z • 433f873 Merge pull request #23863 from rahulhan/states_timezone_unit_test • 72fcabc Adding states/timezone.py unit test • PR #23862: (rahulhan) Adding states/tomcat.py unit tests @ 2015-05-18T17:02:10Z • 37b3ee5 Merge pull request #23862 from rahulhan/states_tomcat_unit_test • 65d7752 Adding states/tomcat.py unit tests • PR #23860: (rahulhan) Adding states/test.py unit tests @ 2015-05-18T17:01:49Z • dde7207 Merge pull request #23860 from rahulhan/states_test_unit_test • 1f4cf86 Adding states/test.py unit tests • PR #23859: (rahulhan) Adding states/sysrc.py unit tests @ 2015-05-18T17:01:46Z • 3c9b813 Merge pull request #23859 from rahulhan/states_sysrc_unit_test • 6a903b0 Adding states/sysrc.py unit tests • PR #23812: (rallytime) Backport #23790 to 2015.5 @ 2015-05-18T15:30:34Z • PR #23790: (aboe76) updated suse spec file to version 2015.5.0 | refs: #23812 • 4cf30a7 Merge pull request #23812 from rallytime/bp-23790 • 3f65631 updated suse spec file to version 2015.5.0 • PR #23811: (rallytime) Backport #23786 to 2015.5 @ 2015-05-18T15:30:27Z • PR #23786: (kaithar) Log the error generated that causes returns.mysql.returner to except. | refs: #23811 • c6f939a Merge pull request #23811 from rallytime/bp-23786 • 346f30b Log the error generated that causes returns.mysql.returner to except. • PR #23850: (jayeshka) adding sysbench unit test case @ 2015-05-18T15:28:04Z • ce60582 Merge pull request #23850 from jayeshka/sysbench-unit-test • 280abde adding sysbench unit test case • PR #23843: (The-Loeki) Fix erroneous virtual:physical core grain detection @ 2015-05-18T15:24:22Z • 060902f Merge pull request #23843 from The-Loeki/patch-1 • 9e2cf60 Fix erroneous virtual:physical core grain detection • PR #23816: (Snergster) Doc for #23685 Added prereq, caution, and additional mask information @ 2015-05-18T15:18:03Z • ISSUE #23815: (Snergster) [beacons] inotify errors on subdir creation | refs: #23816 • 3257a9b Merge pull request #23816 from Snergster/23685-doc-fix • 0fca49d Added prereq, caution, and additional mask information • PR #23832: (ahus1) make saltify provider use standard boostrap procedure @ 2015-05-18T02:18:29Z • PR #23829: (ahus1) make saltify provider use standard boostrap procedure | refs: #23832 • 3df3b85 Merge pull request #23832 from ahus1/ahus1_saltify_bootstrap_2015.5 • f5b1734 fixing problem in unit test • cba47f6 make saltify to use standard boostrap procedure, therefore providing all options like master_sign_pub_file • PR #23791: (optix2000) Psutil compat @ 2015-05-16T04:05:54Z • 8ec4fb2 Merge pull request #23791 from optix2000/psutil_compat • 5470cf5 Fix pylint errors and sloppy inline comments • 64634b6 Update psutil.pid_list to use psutil.pids • 5dd6d69 Fix imports that aren't in __all__ • 8a1da33 Fix test cases by mocking psutil_compat • 558798d Fix net_io_counters deprecation issue • 8140f92 Override unnecessary pylint errors • 7d02ad4 Fix some of the mock names for the new API • 9b3023e Fix overloaded getters/setters. Fix line lengths • 180eb87 Fix whitespace • f8edf72 Use new psutil API in ps module • e48982f Fix version checking in psutil_compat • 93ee411 Create compatibility psutil. psutil 3.0 drops 1.0 API, but we still support old psutil versions. • PR #23782: (terminalmage) Replace "command -v" with "which" and get rid of spurious log messages @ 2015-05-16T04:03:10Z • 405517b Merge pull request #23782 from terminalmage/issue23772 • 0f6f239 More ignore_retcode to suppress spurious log msgs • b4c48e6 Ignore return code in lxc.attachable • 08658c0 Replace "command -v" with "which" • PR #23783: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-15T21:38:51Z • ISSUE #22959: (highlyunavailable) Windows Salt hangs if file.directory is trying to write to a drive that doesn't exist • ISSUE #22332: (rallytime) [salt-ssh] Add a check for host in /etc/salt/roster | refs: #23748 • ISSUE #16424: (stanvit) salt-run cloud.create fails with saltify • PR #23748: (basepi) [2014.7] Log salt-ssh roster render errors more assertively and verbosely • PR #23731: (twangboy) Fixes #22959: Trying to add a directory to an unmapped drive in windows • PR #23730: (rallytime) Backport #23729 to 2014.7 • PR #23729: (rallytime) Partially merge #23437 (grains fix) | refs: #23730 • PR #23688: (twangboy) Added inet_pton to utils/validate/net.py for ip.set_static_ip in windows • PR #23488: (cellscape) LXC cloud fixes • PR #23437: (cedwards) Grains item patch | refs: #23729 • cb2eb40 Merge pull request #23783 from basepi/merge-forward-2015.5 • 9df51ca __opts__.get • 51d23ed Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • d9af0c3 Merge pull request #23488 from cellscape/lxc-cloud-fixes • 64250a6 Remove profile from opts after creating LXC container • c4047d2 Set destroy=True in opts when destroying cloud instance • 9e1311a Store instance names in opts when performing cloud action • 934bc57 Correctly pass custom env to lxc-attach • 7fb85f7 Preserve test=True option in cloud states • 9771b5a Fix detection of absent LXC container in cloud state • fb24f0c Report failure when failed to create/clone LXC container • 2d9aa2b Avoid shadowing variables in lxc module • 792e102 Allow overriding profile options in lxc.cloud_init_interface • 42bd64b Return changes on successful lxc.create from salt-cloud • 4409eab Return correct result when creating cloud LXC container • 377015c Issue #16424: List all providers when creating salt-cloud instance without profile • 808bbe1 Merge pull request #23748 from basepi/salt-ssh.roster.host.check • bc53e04 Log entire exception for render errors in roster • 753de6a Log render errors in roster to error level • e01a7a9 Always let the real YAML error through • 72cf360 Merge pull request #23731 from twangboy/fix_22959 • 88e5495 Fixes #22959: Trying to add a directory to an unmapped drive in windows • 2610195 Merge pull request #23730 from rallytime/bp-23729 • 1877cae adding support for nested grains to grains.item • 3e9df88 Merge pull request #23688 from twangboy/fix_23415 • 6a91169 Fixed unused-import pylint error • 5e25b3f fixed pylint errors • 1a96766 Added inet_pton to utils/validate/net.py for ip.set_static_ip in windows • PR #23781: (jfindlay) fix unit test mock errors on arch @ 2015-05-15T19:40:07Z • 982f873 Merge pull request #23781 from jfindlay/fix_locale_tests • 14c711e fix unit test mock errors on arch • PR #23740: (jfindlay) Binary write @ 2015-05-15T18:10:44Z • ISSUE #23566: (rks2286) Salt-cp corrupting the file after transfer to minion | refs: #23740 • 916b1c4 Merge pull request #23740 from jfindlay/binary_write • 626930a update incorrect comment wording • a978f5c always use binary file write mode on windows • PR #23736: (jfindlay) always load pip execution module @ 2015-05-15T18:10:16Z • ISSUE #23682: (chrish42) Pip module requires system pip, even when not used (with env_bin) | refs: #23736 • 348645e Merge pull request #23736 from jfindlay/fix_pip • b8867a8 update pip tests • 040bbc4 only check pip version in one place • 6c453a5 check for executable status of bin_env • 3337257 always load the pip module as pip could be anywhere • PR #23770: (cellscape) Fix cloud LXC container destruction @ 2015-05-15T17:38:59Z • 10cedfb Merge pull request #23770 from cellscape/fix-cloud-lxc-destruction • 4f6021c Fix cloud LXC container destruction • PR #23759: (lisa2lisa) fixed the problem for not beable to revoke ., for more detail https… @ 2015-05-15T17:38:38Z • ddea822 Merge pull request #23759 from lisa2lisa/iss23664 • a29f161 fixed the problem for not beable to revoke ., for more detail https://github.com/saltstack/salt/issues/23201, fixed mysql cannot create user with pure digit password, for more info https://github.com/saltstack/salt/issues/23664 • PR #23769: (cellscape) Fix file_roots CA lookup in salt.utils.http.get_ca_bundle @ 2015-05-15T16:21:49Z • 10615ff Merge pull request #23769 from cellscape/utils-http-ca-file-roots • 8e90f32 Fix file_roots CA lookup in salt.utils.http.get_ca_bundle • PR #23765: (jayeshka) adding states/makeconf unit test case @ 2015-05-15T14:29:43Z • fd8a1b7 Merge pull request #23765 from jayeshka/makeconf_states-unit-test • 26e31af adding states/makeconf unit test case • PR #23760: (ticosax) [doc] document refresh argument @ 2015-05-15T14:23:47Z • ee13b08 Merge pull request #23760 from ticosax/2015.5 • e3ca859 document refresh argument • PR #23766: (jayeshka) adding svn unit test case @ 2015-05-15T14:23:18Z • a017f72 Merge pull request #23766 from jayeshka/svn-unit-test • 19939cf adding svn unit test case • PR #23751: (rallytime) Backport #23737 to 2015.5 @ 2015-05-15T03:58:37Z • ISSUE #23734: (bradthurber) 2015.5.0 modules/archive.py ZipFile instance has no attribute '__exit__' - only python 2.6? | refs: #23737 • PR #23737: (bradthurber) fix for 2015.5.0 modules/archive.py ZipFile instance has no attribute… | refs: #23751 • 0ed9d45 Merge pull request #23751 from rallytime/bp-23737 • 8d1eb32 fix for 2015.5.0 modules/archive.py ZipFile instance has no attribute '__exit__' - only python 2.6? #23734 • PR #23710: (kiorky) Get more useful output from stateful commands @ 2015-05-14T21:58:10Z • ISSUE #23709: (kiorky) cmdmod: enhancement is really needed for stateful commands | refs: #23710 • d73984e Merge pull request #23710 from makinacorpus/i23709 • c706909 Get more useful output from stateful commands • PR #23724: (rallytime) Backport #23609 to 2015.5 @ 2015-05-14T19:34:22Z • PR #23609: (kaidokert) file_map: chown created directories if not root #23608 | refs: #23724 • cdf421b Merge pull request #23724 from rallytime/bp-23609 • fe3a762 file_map: chmod created directories if not root • PR #23723: (rallytime) Backport #23568 to 2015.5 @ 2015-05-14T19:34:11Z • PR #23568: (techhat) Allow Salt Cloud to use either SCP or SFTP, as configured | refs: #23723 • 94f9099 Merge pull request #23723 from rallytime/bp-23568 • bbec34a Allow Salt Cloud to use either SCP or SFTP, as configured • PR #23725: (rallytime) Backport #23691 to 2015.5 @ 2015-05-14T19:32:30Z • PR #23691: (dennisjac) add initial configuration documentation for varstack pillar | refs: #23725 • 137e5ee Merge pull request #23725 from rallytime/bp-23691 • 28a846e add initial configuration documentation for varstack pillar • PR #23722: (rallytime) Backport #23472 to 2015.5 @ 2015-05-14T19:31:52Z • PR #23472: (techhat) Allow neutron network list to be used as pillar data | refs: #23722 • 0c00995 Merge pull request #23722 from rallytime/bp-23472 • c3d0f39 Change versionadded tag for backport • 023e88f Allow neutron network list to be used as pillar data • PR #23727: (jfindlay) fix npm execution module stacktrace @ 2015-05-14T18:14:12Z • ISSUE #23657: (arthurlogilab) [salt-cloud lxc] NameError: global name '__salt__' is not defined | refs: #23727 #23898 #23897 • cbf4ca8 Merge pull request #23727 from jfindlay/npm_salt • 05392f2 fix npm execution module stacktrace • PR #23718: (rahulhan) Adding states/user.py unit tests @ 2015-05-14T17:15:38Z • ef536d5 Merge pull request #23718 from rahulhan/states_user_unit_tests • aad27db Adding states/user.py unit tests • PR #23720: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-14T17:13:02Z • ISSUE #23604: (Azidburn) service.dead on systemd Minion create an Error Message | refs: #23607 • ISSUE #23548: (kkaig) grains.list_present produces incorrect (?) output | refs: #23674 • ISSUE #23403: (iamfil) salt.runners.cloud.action fun parameter is replaced | refs: #23680 • PR #23680: (cachedout) Rename kwarg in cloud runner • PR #23674: (cachedout) Handle lists correctly in grains.list_prsesent • PR #23672: (twangboy) Fix user present • PR #23670: (rallytime) Backport #23607 to 2014.7 • PR #23607: (Azidburn) Fix for #23604. No error reporting. Exitcode !=0 are ok | refs: #23670 • a529d74 Merge pull request #23720 from basepi/merge-forward-2015.5 • 06a3ebd Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 1b86460 Merge pull request #23680 from cachedout/issue_23403 • d5986c2 Rename kwarg in cloud runner • cd64af0 Merge pull request #23674 from cachedout/issue_23548 • da8a2f5 Handle lists correctly in grains.list_prsesent • d322a19 Merge pull request #23672 from twangboy/fix_user_present • 731e7af Merge branch '2014.7' of https://github.com/saltstack/salt into fix_user_present • d6f70a4 Fixed user.present to create password in windows • 43f7025 Merge pull request #23670 from rallytime/bp-23607 • ed30dc4 Fix for #23604. No error reporting. Exitcode !=0 are ok • PR #23704: (jayeshka) adding states/lvs_server unit test case @ 2015-05-14T14:22:10Z • 13facbf Merge pull request #23704 from jayeshka/lvs_server_states-unit-test • da323da adding states/lvs_server unit test case • PR #23703: (jayeshka) adding states/lvs_service unit test case @ 2015-05-14T14:21:23Z • f95ca31 Merge pull request #23703 from jayeshka/lvs_service_states-unit-test • 66717c8 adding states/lvs_service unit test case • PR #23702: (jayeshka) Remove superfluous return statement. @ 2015-05-14T14:20:42Z • 07e987e Merge pull request #23702 from jayeshka/fix_lvs_service • ecff218 fix lvs_service • PR #23686: (jfindlay) remove superfluous return statement @ 2015-05-14T14:20:18Z • 39973d4 Merge pull request #23686 from jfindlay/fix_lvs_server • 5aaeb73 remove superfluous return statement • PR #23690: (rallytime) Backport #23424 to 2015.5 @ 2015-05-13T23:04:36Z • PR #23424: (jtand) Added python_shell=True for refresh_db in pacman.py | refs: #23690 • be7c7ef Merge pull request #23690 from rallytime/bp-23424 • 94574b7 Added python_shell=True for refresh_db in pacman.py • PR #23681: (cachedout) Start on 2015.5.1 release notes @ 2015-05-13T19:44:22Z • 1a0db43 Merge pull request #23681 from cachedout/2015_5_1_release_notes • bdbbfa6 Start on 2015.5.1 release notes • PR #23679: (jfindlay) Merge #23616 @ 2015-05-13T19:03:53Z • PR #23616: (Snergster) virtual returning none warning fixed in dev but missed in 2015.5 | refs: #23679 • b54075a Merge pull request #23679 from jfindlay/merge_23616 • 6e15e19 appease pylint's blank line strictures • 8750680 virtual returning none warning fixed in dev but missed in 2015.5 • PR #23675: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-13T18:35:54Z • ISSUE #23611: (hubez) master_type set to 'failover' but 'master' is not of type list but of type <type 'str'> | refs: #23637 • ISSUE #23479: (danielmorlock) Typo in pkg.removed for Gentoo? | refs: #23558 • ISSUE #23452: (michaelforge) minion crashed with empty grain | refs: #23639 • ISSUE #23411: (dr4Ke) grains.append should work at any level of a grain | refs: #23440 • ISSUE #23355: (dr4Ke) salt-ssh: 'sources: salt://' files from 'pkg' state are not included in salt_state.tgz | refs: #23530 • ISSUE #23110: (martinhoefling) Copying files from gitfs in file.recurse state fails • ISSUE #23004: (b18) 2014.7.5 - Windows - pkg.list_pkgs - "nxlog" never shows up in output. | refs: #23433 • ISSUE #22908: (karanjad) Add failhard option to salt orchestration | refs: #23389 • ISSUE #22141: (Deshke) grains.get_or_set_hash render error if hash begins with "%" | refs: #23640 • PR #23661: (rallytime) Merge #23640 with whitespace fix • PR #23640: (cachedout) Add warning to get_or_set_hash about reserved chars | refs: #23661 • PR #23639: (cachedout) Handle exceptions raised by __virtual__ • PR #23637: (cachedout) Convert str master to list • PR #23606: (twangboy) Fixed checkbox for starting service and actually starting it • PR #23595: (rallytime) Backport #23549 to 2014.7 • PR #23594: (rallytime) Backport #23496 to 2014.7 • PR #23593: (rallytime) Backport #23442 to 2014.7 • PR #23592: (rallytime) Backport #23389 to 2014.7 • PR #23573: (techhat) Scan all available networks for public and private IPs | refs: #23802 • PR #23558: (jfindlay) reorder emerge command line • PR #23554: (jleroy) Debian: Hostname always updated • PR #23551: (dr4Ke) grains.append unit tests, related to #23474 • PR #23549: (vr-jack) Update __init__.py | refs: #23595 • PR #23537: (t0rrant) Update changelog • PR #23530: (dr4Ke) salt-ssh state: fix including all salt:// references • PR #23496: (martinhoefling) Fix for issue #23110 | refs: #23594 • PR #23474: (dr4Ke) Fix grains.append in nested dictionary grains #23411 • PR #23442: (clan) add directory itself to keep list | refs: #23593 • PR #23440: (dr4Ke) fix grains.append in nested dictionary grains #23411 | refs: #23474 • PR #23433: (twangboy) Obtain all software from the registry • PR #23389: (cachedout) Correct fail_hard typo | refs: #23592 • e480f13 Merge pull request #23675 from basepi/merge-forward-2015.5 • bd63548 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 0f006ac Merge pull request #23661 from rallytime/merge-23640 • 4427f42 Whitespace fix • dd91154 Add warning to get_or_set_hash about reserved chars • 84e2ef8 Merge pull request #23639 from cachedout/issue_23452 • d418b49 Syntax error! • 45b4015 Handle exceptions raised by __virtual__ • bd9b94b Merge pull request #23637 from cachedout/issue_23611 • 56cb1f5 Fix typo • f6fcf19 Convert str master to list • f20c0e4 Merge pull request #23595 from rallytime/bp-23549 • 6efcac0 Update __init__.py • 1acaf86 Merge pull request #23594 from rallytime/bp-23496 • d5ae1d2 Fix for issue #23110 This resolves issues when the freshly created directory is removed by fileserver.update. • 2c221c7 Merge pull request #23593 from rallytime/bp-23442 • 39869a1 check w/ low['name'] only • 304cc49 another fix for file defined w/ id, but require name • 8814d41 add directory itself to keep list • fadd1ef Merge pull request #23606 from twangboy/fix_installer • 038331e Fixed checkbox for starting service and actually starting it • acdd3fc Fix lint • 680e88f Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 10b3f0f Merge pull request #23592 from rallytime/bp-23389 • 734cc43 Correct fail_hard typo • cd34b9b Merge pull request #23573 from techhat/novaquery • f92db5e Linting • 26e00d3 Scan all available networks for public and private IPs • 2a72cd7 Merge pull request #23558 from jfindlay/fix_ebuild • 45404fb reorder emerge command line • a664a3c Merge pull request #23530 from dr4Ke/fix_salt-ssh_to_include_pkg_sources • 5df6a80 fix pylint warning • d0549e5 salt-ssh state: fix including all salt:// references • 55c3869 Merge pull request #23433 from twangboy/list_pkgs_fix • 8ab5b1b Fix pylint error • 2d11d65 Obtain all software from the registry • 755bed0 Merge pull request #23554 from jleroy/debian-hostname-fix • 5ff749e Debian: Hostname always updated • 6ec87ce Merge pull request #23551 from dr4Ke/grains.append_unit_tests • ebff9df fix pylint errors • c495404 unit tests for grains.append module function • 0c9a323 use MagickMock • c838a22 unit tests for grains.append module function • e96c5c5 Merge pull request #23474 from dr4Ke/fix_grains.append_nested • a01a5bb grains.get, parameter delimititer, versionadded: 2014.7.6 • b39f504 remove debugging output • b6e15e2 fix grains.append in nested dictionary grains #23411 • ab7e1ae Merge pull request #23537 from t0rrant/patch-1 • 8e03cc9 Update changelog • PR #23669: (rallytime) Backport #23586 to 2015.5 @ 2015-05-13T18:27:11Z • PR #23586: (Lothiraldan) Fix salt.state.file._unify_sources_and_hashes when sources is used without sources_hashes | refs: #23669 • 0dad6be Merge pull request #23669 from rallytime/bp-23586 • ef4c6ad Remove another unused import • 73cfda7 Remove unused import • 52b68d6 Use the zip_longest from six module for python 3 compatibility • 18d5ff9 Fix salt.state.file._unify_sources_and_hashes when sources is used without sources_hashes • PR #23662: (rallytime) Merge #23642 with pylint fix @ 2015-05-13T15:46:51Z • PR #23642: (cachedout) Let saltmod handle lower-level exceptions gracefully | refs: #23662 • fabef75 Merge pull request #23662 from rallytime/merge-23642 • aa7bbd8 Remove unused import • 9e66d4c Let saltmod handle lower-level exceptions gracefully • PR #23622: (jfindlay) merge #23508 @ 2015-05-13T15:36:49Z • PR #23508: (cro) Port mysql returner to postgres using jsonb datatype | refs: #23622 • 072b927 Merge pull request #23622 from jfindlay/pgjsonb • 454322c appease pylint's proscription on blank line excess • 57c6171 Get time with timezone correct also in job return. • e109d0f Get time with timezone correct. • 21e06b9 Fix SQL, remove unneeded imports. • 653f360 Stop making changes in 2 places. • d6daaa0 Typo. • 7d748bf SSL is handled differently by Pg, so don't set it here. • cc7c377 Fill alter_time field in salt_events with current time with timezone. • 43defe9 Port mysql module to Postgres using jsonb datatypes • PR #23651: (jayeshka) adding solr unit test case @ 2015-05-13T15:26:15Z • c1bdd4d Merge pull request #23651 from jayeshka/solr-unit-test • 6e05148 adding solr unit test case • PR #23649: (jayeshka) adding states/libvirt unit test case @ 2015-05-13T15:24:48Z • ee43411 Merge pull request #23649 from jayeshka/libvirt_states-unit-test • 0fb923a adding states/libvirt unit test case • PR #23648: (jayeshka) adding states/linux_acl unit test case @ 2015-05-13T15:24:11Z • c7fc466 Merge pull request #23648 from jayeshka/linux_acl_states-unit-test • 3f0ab29 removed error. • 11081c1 adding states/linux_acl unit test case • PR #23650: (jayeshka) adding states/kmod unit test case @ 2015-05-13T15:09:18Z • 4cba7ba Merge pull request #23650 from jayeshka/kmod_states-unit-test • 1987015 adding states/kmod unit test case • PR #23633: (jayeshka) made changes to test_interfaces function. @ 2015-05-13T06:51:07Z • bc8faf1 Merge pull request #23633 from jayeshka/win_network-2015.5-unit-test • 0936e1d made changes to test_interfaces function. • PR #23619: (jfindlay) fix kmod.present processing of module loading @ 2015-05-13T01:16:56Z • 7df3579 Merge pull request #23619 from jfindlay/fix_kmod_state • 73facbf fix kmod.present processing of module loading • PR #23598: (rahulhan) Adding states/win_dns_client.py unit tests @ 2015-05-12T21:47:36Z • d4f3095 Merge pull request #23598 from rahulhan/states_win_dns_client_unit_test • d08d885 Adding states/win_dns_client.py unit tests • PR #23597: (rahulhan) Adding states/vbox_guest.py unit tests @ 2015-05-12T21:46:30Z • 811c6a1 Merge pull request #23597 from rahulhan/states_vbox_guest_unit_test • 6a2909e Removed errors • 4cde78a Adding states/vbox_guest.py unit tests • PR #23615: (rallytime) Backport #23577 to 2015.5 @ 2015-05-12T21:19:11Z • PR #23577: (msciciel) Fix find and remove functions to pass database param | refs: #23615 • 029ff11 Merge pull request #23615 from rallytime/bp-23577 • 6f74477 Fix find and remove functions to pass database param • PR #23603: (rahulhan) Adding states/winrepo.py unit tests @ 2015-05-12T18:40:12Z • b858953 Merge pull request #23603 from rahulhan/states_winrepo_unit_test • a66e7e7 Adding states/winrepo.py unit tests • PR #23602: (rahulhan) Adding states/win_path.py unit tests @ 2015-05-12T18:39:37Z • 3cbbd6d Merge pull request #23602 from rahulhan/states_win_path_unit_test • 122c29f Adding states/win_path.py unit tests • PR #23600: (rahulhan) Adding states/win_network.py unit tests @ 2015-05-12T18:39:01Z • 3c904e8 Merge pull request #23600 from rahulhan/states_win_network_unit_test • b418404 removed lint error • 1be8023 Adding states/win_network.py unit tests • PR #23599: (rahulhan) Adding win_firewall.py unit tests @ 2015-05-12T18:37:49Z • 10243a7 Merge pull request #23599 from rahulhan/states_win_firewall_unit_test • 6cda890 Adding win_firewall.py unit tests • PR #23601: (basepi) Add versionadded for jboss module/state @ 2015-05-12T17:22:59Z • e73071d Merge pull request #23601 from basepi/jboss.version.added • 0174c8f Add versionadded for jboss module/state • PR #23469: (s0undt3ch) Call the windows specific function not the general one @ 2015-05-12T16:47:22Z • 9beb7bc Merge pull request #23469 from s0undt3ch/hotfix/call-the-win-func • 83e88a3 Call the windows specific function not the general one • PR #23583: (jayeshka) adding states/ipset unit test case @ 2015-05-12T16:31:55Z • d2f0975 Merge pull request #23583 from jayeshka/ipset_states-unit-test • 4330cf4 adding states/ipset unit test case • PR #23582: (jayeshka) adding states/keyboard unit test case @ 2015-05-12T16:31:17Z • 82a47e8 Merge pull request #23582 from jayeshka/keyboard_states-unit-test • fa94d7a adding states/keyboard unit test case • PR #23581: (jayeshka) adding states/layman unit test case @ 2015-05-12T16:30:36Z • 77e5b28 Merge pull request #23581 from jayeshka/layman_states-unit-test • 297b055 adding states/layman unit test case • PR #23580: (jayeshka) adding smf unit test case @ 2015-05-12T16:29:58Z • cbe3282 Merge pull request #23580 from jayeshka/smf-unit-test • 4f97191 adding smf unit test case • PR #23572: (The-Loeki) Fix regression of #21355 introduced by #21603 @ 2015-05-12T16:28:05Z • ISSUE #21603: (ipmb) ssh_auth.present fails on key without comment | refs: #23572 #23572 • PR #21355: (The-Loeki) Fix for comments containing whitespaces • 16a3338 Merge pull request #23572 from The-Loeki/ssh_auth_fix • d8248dd Fix regression of #21355 introduced by #21603 • PR #23565: (garethgreenaway) fix to aptpkg module @ 2015-05-12T16:25:46Z • ISSUE #23490: (lichtamberg) salt.modules.aptpkg.upgrade should have default "dist_upgrade=False" | refs: #23565 • f843f89 Merge pull request #23565 from garethgreenaway/2015_2_aptpkg_upgrade_default_to_upgrade • 97ae514 aptpkg.upgrade should default to upgrade instead of dist_upgrade. • PR #23550: (jfindlay) additional mock for rh_ip_test test_build_bond @ 2015-05-12T15:17:16Z • ISSUE #23473: (terminalmage) unit.modules.rh_ip_test.RhipTestCase.test_build_bond is not properly mocked | refs: #23550 • c1157cd Merge pull request #23550 from jfindlay/fix_rh_ip_test • e9b94d3 additional mock for rh_ip_test test_build_bond • PR #23552: (garethgreenaway) Fix for an issue caused by a previous pull request @ 2015-05-11T21:54:59Z • b593328 Merge pull request #23552 from garethgreenaway/2015_5_returner_fix_broken_previous_pr • 7d70e2b Passed argumentes in the call _fetch_profile_opts to were in the wrong order • PR #23547: (slinu3d) Added AWS v4 signature support for 2015.5 @ 2015-05-11T21:52:24Z • d0f9682 Merge pull request #23547 from slinu3d/2015.5 • f3bfdb5 Fixed urlparse and urlencode calls • 802dbdb Added AWS v4 signature support for 2015.5 • PR #23544: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-11T18:02:06Z • ISSUE #23159: (aneeshusa) Unused validator • ISSUE #20518: (ekle) module s3.get does not support eu-central-1 | refs: #23467 • ISSUE #563: (chutz) pidfile support for minion and master daemons | refs: #23460 #23461 • PR #23538: (cro) Update date in LICENSE file • PR #23505: (aneeshusa) Remove unused ssh config validator. Fixes #23159. • PR #23467: (slinu3d) Added AWS v4 signature support • PR #23460: (s0undt3ch) [2014.7] Update to latest stable bootstrap script v2015.05.07 • PR #23444: (techhat) Add create_attach_volume to nova driver • PR #23439: (techhat) Add wait_for_passwd_maxtries variable • 06c6a1f Merge pull request #23544 from basepi/merge-forward-2015.5 • f8a36bc Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • b79fed3 Merge pull request #23538 from cro/licupdate • 345efe2 Update date in LICENSE file • a123a36 Merge pull request #23505 from aneeshusa/remove-unused-ssh-config-validator • 90af167 Remove unused ssh config validator. Fixes #23159. • ca2c21a Merge pull request #23467 from slinu3d/2014.7 • 0b4081d Fixed pylint error at line 363 • 5be5eb5 Fixed pylink errors • e64f374 Fixed lint errors • b9d1ac4 Added AWS v4 signature support • e6f9eec Merge pull request #23444 from techhat/novacreateattach • ebdb7ea Add create_attach_volume to nova driver • e331463 Merge pull request #23460 from s0undt3ch/hotfix/bootstrap-script-2014.7 • edcd0c4 Update to latest stable bootstrap script v2015.05.07 • 7a8ce1a Merge pull request #23439 from techhat/maxtries • 0ad3ff2 Add wait_for_passwd_maxtries variable • PR #23470: (twangboy) Fixed service.restart for salt-minion @ 2015-05-11T17:54:47Z • ISSUE #23426: (twangboy) Can't restart salt-minion on 64 bit windows (2015.5.0) | refs: #23470 • aa5b896 Merge pull request #23470 from twangboy/fix_svc_restart • b3f284c Fixed tests • ad44d79 Fixed service.restart for salt-minion • PR #23539: (rahulhan) Adding states/virtualenv_mod.py unit tests @ 2015-05-11T17:02:31Z • 67988b2 Merge pull request #23539 from rahulhan/states_virtualenv_mod_unit_test • 750bb07 Adding states/virtualenv_mod.py unit tests • 6f0cf2e Merge remote-tracking branch 'upstream/2015.2' into 2015.5 • ISSUE #23244: (freimer) Caller not available in reactors | refs: #23245 • PR #23509: (keesbos) Catch the unset (empty/None) environment case • PR #23423: (cachedout) Remove jid_event from state.orch • PR #23245: (freimer) Add Caller functionality to reactors. • c966196 Merge pull request #23423 from cachedout/remove_jid_event_from_orch • f81aab7 Remove jid_event from state.orch • 2bb09b7 Merge pull request #23509 from keesbos/Catch_empty_environment • 6dedeac Catch the unset (empty/None) environment case • 6d42f30 Merge pull request #23245 from freimer/issue_23244 • 24cf6eb Add Caller functionality to reactors. • PR #23513: (gladiatr72) short-circuit auto-failure of iptables.delete state @ 2015-05-11T15:18:33Z • c3f03d8 Merge pull request #23513 from gladiatr72/RFC_stop_iptables.check_from_short-circuiting_position-only_delete_rule • c71714c short-circuit auto-failure of iptables.delete state if position argument is set without the other accoutrements that check_rule requires. • PR #23534: (jayeshka) adding states/ini_manage unit test case @ 2015-05-11T14:32:06Z • 4e77f6f Merge pull request #23534 from jayeshka/ini_manage_states-unit-test • 831223c adding states/ini_manage unit test case • PR #23533: (jayeshka) adding states/hipchat unit test case @ 2015-05-11T14:30:22Z • 11ba9ed Merge pull request #23533 from jayeshka/hipchat-states-unit-test • 41d14b3 adding states/hipchat unit test case • PR #23532: (jayeshka) adding states/ipmi unit test case @ 2015-05-11T14:28:15Z • e542113 Merge pull request #23532 from jayeshka/ipmi-states-unit-test • fc3e64a adding states/ipmi unit test case • PR #23531: (jayeshka) adding service unit test case @ 2015-05-11T14:27:12Z • 9ba85fd Merge pull request #23531 from jayeshka/service-unit-test • 3ad5314 adding service unit test case • PR #23517: (garethgreenaway) fix to returners @ 2015-05-11T14:20:51Z • ISSUE #23512: (Code-Vortex) hipchat_returner / slack_returner not work correctly | refs: #23517 • 32838cd Merge pull request #23517 from garethgreenaway/23512_2015_5_returners_with_profiles • 81e31e2 fix for returners that utilize profile attributes. code in the if else statement was backwards. #23512 • PR #23502: (rahulhan) Adding states/win_servermanager.py unit tests @ 2015-05-08T19:47:18Z • 6be7d8d Merge pull request #23502 from rahulhan/states_win_servermanager_unit_test • 2490074 Adding states/win_servermanager.py unit tests • PR #23495: (jayeshka) adding seed unit test case @ 2015-05-08T17:30:38Z • 6048578 Merge pull request #23495 from jayeshka/seed-unit-test • 3f134bc adding seed unit test case • PR #23494: (jayeshka) adding sensors unit test case @ 2015-05-08T17:30:18Z • 70bc3c1 Merge pull request #23494 from jayeshka/sensors-unit-test • 1fb48a3 adding sensors unit test case • PR #23493: (jayeshka) adding states/incron unit test case @ 2015-05-08T17:29:59Z • b981b20 Merge pull request #23493 from jayeshka/incron-states-unit-test • cc7bc17 adding states/incron unit test case • PR #23492: (jayeshka) adding states/influxdb_database unit test case @ 2015-05-08T17:29:51Z • 4019c49 Merge pull request #23492 from jayeshka/influxdb_database-states-unit-test • e1fcac8 adding states/influxdb_database unit test case • PR #23491: (jayeshka) adding states/influxdb_user unit test case @ 2015-05-08T16:24:07Z • d317a77 Merge pull request #23491 from jayeshka/influxdb_user-states-unit-test • 9d4043f adding states/influxdb_user unit test case • PR #23477: (galet) LDAP auth: Escape filter value for group membership search @ 2015-05-07T22:04:48Z • e0b2a73 Merge pull request #23477 from galet/ldap-filter-escaping • 33038b9 LDAP auth: Escape filter value for group membership search • PR #23476: (cachedout) Lint becaon @ 2015-05-07T19:55:36Z • PR #23431: (UtahDave) Beacon fixes | refs: #23476 • e1719fe Merge pull request #23476 from cachedout/lint_23431 • 8d1ff20 Lint becaon • PR #23431: (UtahDave) Beacon fixes | refs: #23476 @ 2015-05-07T19:53:47Z • 1e299ed Merge pull request #23431 from UtahDave/beacon_fixes • 152f223 remove unused import • 81198f9 fix interval logic and example • 5504778 update to proper examples • 6890439 fix list for mask • ee7b579 remove custom interval code. • PR #23468: (rahulhan) Adding states/win_system.py unit tests @ 2015-05-07T19:20:50Z • ea55c44 Merge pull request #23468 from rahulhan/states_win_system_unit_test • 33f8c12 Adding states/win_system.py unit tests • PR #23466: (UtahDave) minor spelling fix @ 2015-05-07T19:19:06Z • e6e1114 Merge pull request #23466 from UtahDave/2015.5local • b2c399a minor spelling fix • PR #23461: (s0undt3ch) [2015.5] Update to latest stable bootstrap script v2015.05.07 @ 2015-05-07T19:16:18Z • ISSUE #563: (chutz) pidfile support for minion and master daemons | refs: #23460 #23461 • 4eeb1e6 Merge pull request #23461 from s0undt3ch/hotfix/bootstrap-script • 638c63d Update to latest stable bootstrap script v2015.05.07 • PR #23450: (jayeshka) adding scsi unit test case @ 2015-05-07T19:00:28Z • 8651278 Merge pull request #23450 from jayeshka/scsi-unit-test • e7269ff adding scsi unit test case • PR #23449: (jayeshka) adding s3 unit test case @ 2015-05-07T18:59:45Z • 8b374ae Merge pull request #23449 from jayeshka/s3-unit-test • 85786bf adding s3 unit test case • PR #23448: (jayeshka) adding states/keystone unit test case @ 2015-05-07T18:58:59Z • 49b431c Merge pull request #23448 from jayeshka/keystone-states-unit-test • a3050eb adding states/keystone unit test case • PR #23447: (jayeshka) adding states/grafana unit test case @ 2015-05-07T18:58:20Z • 23d7e7e Merge pull request #23447 from jayeshka/grafana-states-unit-test • 7e90a4a adding states/grafana unit test case • PR #23438: (techhat) Gate requests import @ 2015-05-07T07:22:58Z • 1fd0bc2 Merge pull request #23438 from techhat/gaterequests • d5b15fc Gate requests import • PR #23429: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-07T05:35:13Z • ISSUE #17245: (tomashavlas) localemod does not generate locale for Arch | refs: #23307 #23397 • PR #23425: (basepi) [2014.7] Fix typo in FunctionWrapper • PR #23422: (cro) $HOME should not be used, some shells don't set it. • PR #23414: (jfindlay) 2015.2 -> 2015.5 • PR #23409: (terminalmage) Update Lithium docstrings in 2014.7 branch | refs: #23410 • PR #23404: (hvnsweeting) saltapi cherrypy: initialize var when POST body is empty • PR #23397: (jfindlay) add more flexible whitespace to locale_gen search • PR #23385: (rallytime) Backport #23346 to 2014.7 • PR #23346: (ericfode) Allow file_map in salt-cloud to handle folders. | refs: #23385 • 3c4f734 Merge pull request #23429 from basepi/merge-forward-2015.5 • 7729834 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 644eb75 Merge pull request #23422 from cro/gce_sh_home • 4ef9e6b Don't use $HOME to find user's directory, some shells don't set it • ef17ab4 Merge pull request #23425 from basepi/functionwrapper_typo • c390737 Fix typo in FunctionWrapper • 1b13ec0 Merge pull request #23385 from rallytime/bp-23346 • 9efc13c more linting fixes • cf131c9 cleaned up some pylint errors • f981699 added logic to sftp_file and file_map to allow folder uploads using file_map • f8c7a62 Merge pull request #23414 from jfindlay/update_branch • 8074d16 2015.2 -> 2015.5 • 54b3bd4 Merge pull request #23404 from hvnsweeting/cherrypy-post-emptybody-fix • f85f8f9 initialize var when POST body is empty • 160f703 Merge pull request #23409 from terminalmage/update-lithium-docstrings-2014.7 • bc97d01 Fix sphinx typo • 20006b0 Update Lithium docstrings in 2014.7 branch • aa5fb0a Merge pull request #23397 from jfindlay/fix_locale_gen • 0941fef add more flexible whitespace to locale_gen search • PR #23396: (basepi) [2015.2] Merge forward from 2014.7 to 2015.2 @ 2015-05-06T21:42:35Z • ISSUE #23294: (variia) file.replace fails to append if repl string partially available | refs: #23350 • ISSUE #23026: (adelcast) Incorrect salt-syndic logfile and pidfile locations | refs: #23341 • ISSUE #22742: (hvnsweeting) salt-master says: "This master address: 'salt' was previously resolvable but now fails to resolve!" | refs: #23344 • ISSUE #19114: (pykler) salt-ssh and gpg pillar renderer | refs: #23272 #23347 #23188 • ISSUE #17245: (tomashavlas) localemod does not generate locale for Arch | refs: #23307 #23397 • ISSUE #580: (thatch45) recursive watch not being caught | refs: #23324 • ISSUE #552: (jhutchins) Support require and watch under the same state dec | refs: #23324 • PR #23368: (kaithar) Backport #23367 to 2014.7 • PR #23367: (kaithar) Put the sed insert statement back in to the output. | refs: #23368 • PR #23350: (lorengordon) Append/prepend: search for full line • PR #23347: (basepi) [2014.7] Salt-SSH Backport FunctionWrapper.__contains__ • PR #23344: (cachedout) Explicitly set file_client on master • PR #23341: (cachedout) Fix syndic pid and logfile path • PR #23324: (s0undt3ch) [2014.7] Update to the latest stable release of the bootstrap script v2015.05.04 • PR #23318: (cellscape) Honor seed argument in LXC container initializaton • PR #23311: (cellscape) Fix new container initialization in LXC runner | refs: #23318 • PR #23307: (jfindlay) check for /etc/locale.gen • PR #23272: (basepi) [2014.7] Allow salt-ssh minion config overrides via master config and roster | refs: #23347 • PR #23188: (basepi) [2014.7] Work around bug in salt-ssh in config.get for gpg renderer | refs: #23272 • PR #18368: (basepi) Merge forward from 2014.7 to develop | refs: #23367 #23368 • PR #589: (epoelke) add --quiet and --outfile options to saltkey | refs: #23324 • PR #567: (bastichelaar) Added upstart module | refs: #23324 • PR #560: (UtahDave) The runas feature that was added in 93423aa2e5e4b7de6452090b0039560d2b13... | refs: #23324 • PR #504: (SEJeff) File state goodies | refs: #23324 • 1fb8445 Merge pull request #23396 from basepi/merge-forward-2015.2 • 2766c8c Fix typo in FunctionWrapper • fd09cda Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.2 • 0c76dd4 Merge pull request #23368 from kaithar/bp-23367 • 577f419 Pylint fix • 8d9acd1 Put the sed insert statement back in to the output. • 3493cc1 Merge pull request #23350 from lorengordon/file.replace_assume_line • b60e224 Append/prepend: search for full line • 7be5c48 Merge pull request #23341 from cachedout/issue_23026 • e98e65e Fix tests • 6011b43 Fix syndic pid and logfile path • ea61abf Merge pull request #23272 from basepi/salt-ssh.minion.config.19114 • c223309 Add versionadded • be7407f Lint • c2c3375 Missing comma • 8e3e8e0 Pass the minion_opts through the FunctionWrapper • cb69cd0 Match the master config template in the master config reference • 87fc316 Add Salt-SSH section to master config template • 91dd9dc Add ssh_minion_opts to master config ref • c273ea1 Add minion config to salt-ssh doc • a0b6b76 Add minion_opts to roster docs • 5212c35 Accept minion_opts from the target information • e2099b6 Process ssh_minion_opts from master config • 3b64214 Revert "Work around bug in salt-ssh in config.get for gpg renderer" • 494953a Remove the strip (embracing multi-line YAML dump) • fe87f0f Dump multi-line yaml into the SHIM • b751a72 Inject local minion config into shim if available • 4f760dd Merge pull request #23347 from basepi/salt-ssh.functionwrapper.contains.19114 • 30595e3 Backport FunctionWrapper.__contains__ • 02658b1 Merge pull request #23344 from cachedout/issue_22742 • 5adc96c Explicitly set file_client on master • ba7605d Merge pull request #23318 from cellscape/honor-seed-argument • 228b1be Honor seed argument in LXC container initializaton • 4ac4509 Merge pull request #23307 from jfindlay/fix_locale_gen • 101199a check for /etc/locale.gen • f790f42 Merge pull request #23324 from s0undt3ch/hotfix/bootstrap-script-2014.7 • 6643e47 Update to the latest stable release of the bootstrap script v2015.05.04 • 23d4feb Merge remote-tracking branch 'upstream/2015.2' into 2015.5 • PR #23412: (rahulhan) Adding states/win_update.py unit tests @ 2015-05-06T18:31:09Z • b3c1672 Merge pull request #23412 from rahulhan/states_win_update_unit_test • 9bc1519 Removed unwanted imports • f12bfcf Adding states/win_update.py unit tests • PR #23413: (terminalmage) Update manpages for 2015.2 -> 2015.5 @ 2015-05-06T17:12:57Z • f2d7646 Merge pull request #23413 from terminalmage/update-manpages • 23fa440 Update manpages to reflect 2015.2 rename to 2015.5 • 0fdaa73 Fix missed docstring updates from 2015.2 -> 2015.5 • 4fea5ba Add missing RST file • PR #23410: (terminalmage) Update Lithium docstrings in 2015.2 branch @ 2015-05-06T15:53:52Z • PR #23409: (terminalmage) Update Lithium docstrings in 2014.7 branch | refs: #23410 • bafbea7 Merge pull request #23410 from terminalmage/update-lithium-docstrings-2015.2 • d395565 Update Lithium docstrings in 2015.2 branch • PR #23407: (jayeshka) adding rsync unit test case @ 2015-05-06T15:52:23Z • 02ef41a Merge pull request #23407 from jayeshka/rsync-unit-test • a4dd836 adding rsync unit test case • PR #23406: (jayeshka) adding states/lxc unit test case @ 2015-05-06T15:51:50Z • 58ec2a2 Merge pull request #23406 from jayeshka/lxc-states-unit-test • 32a0d03 adding states/lxc unit test case • PR #23395: (basepi) [2015.2] Add note to 2015.2.0 release notes about master opts in pillar @ 2015-05-05T22:15:20Z • 8837d00 Merge pull request #23395 from basepi/2015.2.0masteropts • b261c95 Add note to 2015.2.0 release notes about master opts in pillar • PR #23393: (basepi) [2015.2] Add warning about python_shell changes to 2015.2.0 release notes @ 2015-05-05T22:12:46Z • f79aed5 Merge pull request #23393 from basepi/2015.2.0python_shell • b2f033f Add CLI note • 48e7b3e Add warning about python_shell changes to 2015.2.0 release notes • PR #23380: (gladiatr72) Fix for double output with static salt cli/v2015.2 @ 2015-05-05T21:44:28Z • a977776 Merge pull request #23380 from gladiatr72/fix_for_double_output_with_static__salt_CLI/v2015.2 • c47fdd7 Actually removed the static bits from below the else: fold this time. • 4ee3679 Fix for incorrect output with salt CLI --static option • PR #23379: (rahulhan) Adding states/rabbitmq_cluster.py @ 2015-05-05T21:44:06Z • 5c9543c Merge pull request #23379 from rahulhan/states_rabbitmq_cluster_test • 04c22d1 Adding states/rabbitmq_cluster.py • PR #23377: (rahulhan) Adding states/xmpp.py unit tests @ 2015-05-05T21:43:35Z • 430f080 Merge pull request #23377 from rahulhan/states_xmpp_test • 32923b5 Adding states/xmpp.py unit tests • PR #23335: (steverweber) 2015.2: include doc in master config for module_dirs @ 2015-05-05T21:28:58Z • 8c057e6 Merge pull request #23335 from steverweber/2015.2 • 5e3bae9 help installing python pysphere lib • 97513b0 include module_dirs • 36b1c87 include module_dirs • PR #23362: (jayeshka) adding states/zk_concurrency unit test case @ 2015-05-05T15:50:06Z • 1648253 Merge pull request #23362 from jayeshka/zk_concurrency-states-unit-test • f60dda4 adding states/zk_concurrency unit test case • PR #23363: (jayeshka) adding riak unit test case @ 2015-05-05T14:23:05Z • 1cdaeed Merge pull request #23363 from jayeshka/riak-unit-test • f9da6db adding riak unit test case Salt 2015.5.10 Release Notes (In Progress) In progress, not yet released. Salt 2015.5.2 Release Notes release 2015-06-10 Version 2015.5.2 is a bugfix release for 2015.5.0. Extended Changelog Courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): PR #24346: (rallytime) Backport #24271 to 2015.5 @ 2015-06-03T18:44:31Z PR #24271: (randybias) Fixed the setup instructions refs: #24346 • 76927c9 Merge pull request #24346 from rallytime/bp-24271 • 04067b6 Fixed the setup instructions PR #24345: (rallytime) Backport #24013 to 2015.5 @ 2015-06-03T18:39:41Z ISSUE #24012: (jbq) Enabling a service does not create the appropriate rc.d symlinks on Ubuntu refs: #24013 PR #24013: (jbq) Fix enabling a service on Ubuntu #24012 refs: #24345 • 4afa03d Merge pull request #24345 from rallytime/bp-24013 • 16e0732 Fix enabling a service on Ubuntu #24012 PR #24365: (jacobhammons) Fixes for PDF build errors @ 2015-06-03T17:50:02Z • c3392c2 Merge pull request #24365 from jacobhammons/DocFixes • 0fc1902 Fixes for PDF build errors PR #24313: (nicholascapo) Fix #22991 Correctly set result when test=True @ 2015-06-03T14:49:18Z ISSUE #22991: (nicholascapo) npm.installed ignores test=True * ae681a4 Merge pull request #24313 from nicholascapo/fix-22991-npm.installed-test-true * ac9644c Fix #22991 npm.installed correctly set result on test=True PR #24312: (nicholascapo) Fix #18966: file.serialize supports test=True @ 2015-06-03T14:49:06Z ISSUE #18966: (bechtoldt) file.serialize ignores test=True * d57a9a2 Merge pull request #24312 from nicholascapo/fix-18966-file.serialize-test-true * e7328e7 Fix #18966 file.serialize correctly set result on test=True PR #24302: (jfindlay) fix pkg hold/unhold integration test @ 2015-06-03T03:27:43Z • 6b694e3 Merge pull request #24302 from jfindlay/pkg_tests • c2db0b1 fix pkg hold/unhold integration test PR #24349: (rallytime) Remove references to mount_points in ec2 docs @ 2015-06-03T01:54:09Z ISSUE #14021: (mathrawka) EC2 doc mentions mount_point, but unable to use properly refs: #24349 • aca8447 Merge pull request #24349 from rallytime/fix-14021 • a235b11 Remove references to mount_points in ec2 docs PR #24328: (dr4Ke) Fix state grains silently fails 2015.5 @ 2015-06-02T15:18:46Z ISSUE #24319: (dr4Ke) grains state shouldn't fail silently * 88a997e Merge pull request #24328 from dr4Ke/fix_state_grains_silently_fails_2015.5 * 8a63d1e fix state grains silently fails #24319 • ca1af20 grains state: add some tests PR #24310: (techhat) Add warning about destroying maps @ 2015-06-02T03:01:28Z ISSUE #24036: (arthurlogilab) [salt-cloud] Protect against passing command line arguments as names for the --destroy command in map files refs: #24310 ISSUE #9772: (s0undt3ch) Delete VM's in a map does not delete them all refs: #24310 • 7dcd9bb Merge pull request #24310 from techhat/mapwarning • ca535a6 Add warning about destroying maps PR #24281: (steverweber) Ipmi docfix @ 2015-06-01T17:45:36Z • 02bfb25 Merge pull request #24281 from steverweber/ipmi_docfix • dd36f2c yaml formatting • f6deef3 include api_kg kwarg in ipmi state • a7d4e97 doc cleanup • 0ded2fd save more cleanup to doc • 08872f2 fix name api_key to api_kg • 165a387 doc fix add api_kg kwargs • 1ec7888 cleanup docs PR #24287: (jfindlay) fix pkg test on ubuntu 12.04 for realz @ 2015-06-01T14:16:37Z • 73cd2cb Merge pull request #24287 from jfindlay/pkg_test • 98944d8 fix pkg test on ubuntu 12.04 for realz PR #24279: (rallytime) Backport #24263 to 2015.5 @ 2015-06-01T04:29:34Z PR #24263: (cdarwin) Correct usage of import_yaml in formula documentation refs: #24279 • 02017a0 Merge pull request #24279 from rallytime/bp-24263 • beff7c7 Correct usage of import_yaml in formula documentation PR #24277: (rallytime) Put a space between after_jump commands @ 2015-06-01T04:28:26Z ISSUE #24226: (c4urself) iptables state needs to keep ordering of flags refs: #24277 • 2ba696d Merge pull request #24277 from rallytime/fix_iptables_jump • e2d1606 Move after_jump split out of loop • d14f130 Remove extra loop • 42ed532 Put a space between after_jump commands PR #24262: (basepi) More dictupdate after #24142 @ 2015-05-31T04:09:37Z PR #24142: (basepi) Optimize dictupdate.update and add #24097 functionality refs: #24262 PR #24097: (kiorky) Optimize dictupdate refs: #24142 #24142 • 113eba3 Merge pull request #24262 from basepi/dictupdatefix • 0c4832c Raise a typeerror if non-dict types • be21aaa Pylint • bb8a6c6 More optimization • c933249 py3 compat • ff6b2a7 Further optimize dictupdate.update() • c73f5ba Remove unused valtype PR #24269: (kiorky) zfs: Fix spurious retcode hijacking in virtual @ 2015-05-30T17:47:49Z • 785d5a1 Merge pull request #24269 from makinacorpus/zfs • 0bf23ce zfs: Fix spurious retcode hijacking in virtual PR #24257: (jfindlay) fix pkg mod integration test on ubuntu 12.04 @ 2015-05-29T23:09:00Z • 3d885c0 Merge pull request #24257 from jfindlay/pkg_tests • 9508924 fix pkg mod integration test on ubuntu 12.04 PR #24260: (basepi) Fix some typos from #24080 @ 2015-05-29T22:54:58Z ISSUE #23657: (arthurlogilab) [salt-cloud lxc] NameError: global name '__salt__' is not defined refs: #24080 #23982 PR #24080: (kiorky) Lxc consistency2 refs: #24260 #23982 #24066 PR #24066: (kiorky) Merge forward 2015.5 -> develop refs: #23982 PR #24065: (kiorky) continue to fix #23883 refs: #24080 #24066 PR #23982: (kiorky) lxc: path support refs: #24080 • 08a1075 Merge pull request #24260 from basepi/lxctypos24080 • 0fa1ad3 Fix another lxc typo • 669938f s/you ll/you'll/ PR #24080: (kiorky) Lxc consistency2 refs: #24260 #23982 #24066 @ 2015-05-29T22:51:54Z ISSUE #23657: (arthurlogilab) [salt-cloud lxc] NameError: global name '__salt__' is not defined refs: #24080 #23982 PR #24066: (kiorky) Merge forward 2015.5 -> develop refs: #23982 PR #24065: (kiorky) continue to fix #23883 refs: #24080 #24066 PR #23982: (kiorky) lxc: path support refs: #24080 • 75590cf Merge pull request #24080 from makinacorpus/lxc_consistency2 • 81f8067 lxc: fix old lxc test • 458f506 seed: lint • 96b8d55 Fix seed.mkconfig yamldump • 76ddb68 lxc/applynet: conservative • ce7096f variable collision • 8a8b28d lxc: lint • 458b18b more lxc docs • ef1f952 lxc docs: typos • d67a43d more lxc docs • 608da5e modules/lxc: merge resolution • 27c4689 modules/lxc: more consistent comparison • 07c365a lxc: merge conflict spotted • 9993915 modules/lxc: rework settings for consistency • ce11d83 lxc: Global doc refresh • 61ed2f5 clouds/lxc: profile key is conflicting PR #24247: (rallytime) Backport #24220 to 2015.5 @ 2015-05-29T21:40:01Z ISSUE #24210: (damonnk) salt-cloud vsphere.py should allow key_filename param refs: #24220 PR #24220: (djcrabhat) adding key_filename param to vsphere provider refs: #24247 • da14f3b Merge pull request #24247 from rallytime/bp-24220 • 0b1041d adding key_filename param to vsphere provider PR #24254: (rallytime) Add deprecation warning to Digital Ocean v1 Driver @ 2015-05-29T21:39:25Z PR #22731: (dmyerscough) Decommission DigitalOcean APIv1 and have users use the new DigitalOcean APIv2 refs: #24254 • 21d6126 Merge pull request #24254 from rallytime/add_deprecation_warning_digitalocean • cafe37b Add note to docs about deprecation • ea0f1e0 Add deprecation warning to digital ocean driver to move to digital_ocean_v2 PR #24252: (aboe76) Updated suse spec to 2015.5.1 @ 2015-05-29T21:38:45Z • dac055d Merge pull request #24252 from aboe76/opensuse_package • 0ad617d Updated suse spec to 2015.5.1 PR #24251: (garethgreenaway) Returners broken in 2015.5 @ 2015-05-29T21:37:52Z • 49e7fe8 Merge pull request #24251 from garethgreenaway/2015_5_returner_brokenness • 5df6b52 The code calling cfg as a function vs treating it as a dictionary and using get is currently backwards causing returners to fail when used from the CLI and in scheduled jobs. PR #24255: (rallytime) Clarify digital ocean documentation and mention v1 driver deprecation @ 2015-05-29T21:37:07Z ISSUE #21498: (rallytime) Clarify Digital Ocean Documentation refs: #24255 • bfb9461 Merge pull request #24255 from rallytime/clarify_digital_ocean_driver_docs • 8d51f75 Clarify digital ocean documentation and mention v1 driver deprecation PR #24232: (rallytime) Backport #23308 to 2015.5 @ 2015-05-29T21:36:46Z PR #23308: (thusoy) Don't merge: Add missing jump arguments to iptables module refs: #24232 • 41f5756 Merge pull request #24232 from rallytime/bp-23308 • 2733f66 Import string • 9097cca Add missing jump arguments to iptables module PR #24245: (Sacro) Unset PYTHONHOME when starting the service @ 2015-05-29T20:00:31Z • a95982c Merge pull request #24245 from Sacro/patch-2 • 6632d06 Unset PYTHONHOME when starting the service PR #24121: (hvnsweeting) deprecate setting user permission in rabbitmq_vhost.present @ 2015-05-29T15:55:40Z • 1504c76 Merge pull request #24121 from hvnsweeting/rabbitmq-host-deprecate-set-permission • 2223158 deprecate setting user permission in rabbitmq_host.present PR #24179: (merll) Changing user and group only possible for existing ids. @ 2015-05-29T15:52:43Z PR #24169: (merll) Changing user and group only possible for existing ids. refs: #24179 • ba02f65 Merge pull request #24179 from Precis/fix-file-uid-gid-2015.0 • ee4c9d5 Use ids if user or group is not present. PR #24229: (msteed) Fix auth failure on syndic with external_auth @ 2015-05-29T15:04:06Z ISSUE #24147: (paclat) Syndication issues when using authentication on master of masters. refs: #24229 • 9bfb066 Merge pull request #24229 from msteed/issue-24147 • 482d1cf Fix auth failure on syndic with external_auth PR #24234: (jayeshka) adding states/quota unit test case. @ 2015-05-29T14:14:27Z • 19fa43c Merge pull request #24234 from jayeshka/quota-states-unit-test • c233565 adding states/quota unit test case. PR #24217: (jfindlay) disable intermittently failing tests @ 2015-05-29T03:08:39Z ISSUE #40: (thatch45) Clean up timeouts refs: #22857 PR #23623: (jfindlay) Fix /jobs endpoint's return refs: #24217 PR #22857: (jacksontj) Fix /jobs endpoint's return refs: #23623 • e15142c Merge pull request #24217 from jfindlay/disable_bad_tests • 6b62804 disable intermittently failing tests PR #24199: (ryan-lane) Various fixes for boto_route53 and boto_elb @ 2015-05-29T03:02:41Z • ce8e43b Merge pull request #24199 from lyft/route53-fix-elb • d8dc9a7 Better unit tests for boto_elb state • 62f214b Remove cnames_present test • 7b9ae82 Lint fix • b74b0d1 Various fixes for boto_route53 and boto_elb PR #24142: (basepi) Optimize dictupdate.update and add #24097 functionality refs: #24262 @ 2015-05-29T03:00:56Z PR #24097: (kiorky) Optimize dictupdate refs: #24142 #24142 PR #21968: (ryanwohara) Verifying the key has a value before using it. * a43465d Merge pull request #24142 from basepi/dictupdate24097 * 5c6e210 Deepcopy on merge_recurse • a13c84a Fix None check from #21968 • 9ef2c64 Add docstring • 8579429 Add in recursive_update from #24097 • 8599143 if key not in dest, don't recurse • d8a84b3 Rename klass to valtype PR #24208: (jayeshka) adding states/ports unit test case. @ 2015-05-28T23:06:33Z • 526698b Merge pull request #24208 from jayeshka/ports-states-unit-test • 657b709 adding states/ports unit test case. PR #24219: (jfindlay) find zfs without modinfo @ 2015-05-28T21:07:26Z ISSUE #20635: (dennisjac) 2015.2.0rc1: zfs errors in log after update refs: #24219 • d00945f Merge pull request #24219 from jfindlay/zfs_check • 15d4019 use the salt loader in the zfs mod • 5599b67 try to search for zfs if modinfo is unavailable PR #24190: (msteed) Fix issue 23815 @ 2015-05-28T20:10:34Z ISSUE #23815: (Snergster) [beacons] inotify errors on subdir creation * 3dc4b85 Merge pull request #24190 from msteed/issue-23815 * 086a1a9 lint • 65de62f fix #23815 • d04e916 spelling • db9f682 add inotify beacon unit tests PR #24211: (rallytime) Backport #24205 to 2015.5 @ 2015-05-28T18:28:15Z PR #24205: (hazelesque) Docstring fix in salt.modules.yumpkg.hold refs: #24211 • 436634b Merge pull request #24211 from rallytime/bp-24205 • 23284b5 Docstring fix in salt.modules.yumpkg.hold PR #24212: (terminalmage) Clarify error in rendering template for top file @ 2015-05-28T18:26:20Z • cc58624 Merge pull request #24212 from terminalmage/clarify-error-msg • ca807fb Clarify error in rendering template for top file PR #24213: (The-Loeki) ShouldFix _- troubles in debian_ip @ 2015-05-28T18:24:39Z ISSUE #23904: (mbrgm) Network config bonding section cannot be parsed when attribute names use dashes refs: #23917 ISSUE #23900: (hashi825) salt ubuntu network building issue 2015.5.0 refs: #23922 PR #23922: (garethgreenaway) Fixes to debian_ip.py refs: #24213 PR #23917: (corywright) Split debian bonding options on dash instead of underscore refs: #24213 • 9825160 Merge pull request #24213 from The-Loeki/patch-3 • a68d515 ShouldFix _- troubles in debian_ip PR #24214: (basepi) 2015.5.1release @ 2015-05-28T16:23:57Z • 071751d Merge pull request #24214 from basepi/2015.5.1release • e5ba31b 2015.5.1 release date • 768494c Update latest release in docs PR #24202: (rallytime) Backport #24186 to 2015.5 @ 2015-05-28T05:16:48Z PR #24186: (thcipriani) Update salt vagrant provisioner info refs: #24202 • c2f1fdb Merge pull request #24202 from rallytime/bp-24186 • db793dd Update salt vagrant provisioner info PR #24192: (rallytime) Backport #20474 to 2015.5 @ 2015-05-28T05:16:18Z PR #20474: (djcrabhat) add sudo, sudo_password params to vsphere deploy to allow for non-root deploys refs: #24192 • 8a085a2 Merge pull request #24192 from rallytime/bp-20474 • fd3c783 add sudo, sudo_password params to deploy to allow for non-root deploys PR #24184: (rallytime) Backport #24129 to 2015.5 @ 2015-05-28T05:15:08Z PR #24129: (pengyao) Wheel client doc refs: #24184 • 7cc535b Merge pull request #24184 from rallytime/bp-24129 • 722a662 fixed a typo • 565eb46 Add cmd doc for WheelClient PR #24183: (rallytime) Backport #19320 to 2015.5 @ 2015-05-28T05:14:36Z PR #19320: (clan) add 'state_output_profile' option for profile output refs: #24183 • eb0af70 Merge pull request #24183 from rallytime/bp-19320 • 55db1bf sate_output_profile default to True • 9919227 fix type: statei -> state • 0549ca6 add 'state_output_profile' option for profile output PR #24201: (whiteinge) Add list of client libraries for the rest_cherrypy module to the top-level documentation @ 2015-05-28T02:12:09Z • 1b5bf23 Merge pull request #24201 from whiteinge/rest_cherrypy-client-libs • 5f71802 Add list of client libraries for the rest_cherrypy module • 28fc77f Fix rest_cherrypy config example indentation PR #24195: (rallytime) Merge #24185 with a couple of fixes @ 2015-05-27T22:18:37Z PR #24185: (jacobhammons) Fixes for doc build errors refs: #24195 • 3307ec2 Merge pull request #24195 from rallytime/merge-24185 • d8daa9d Merge #24185 with a couple of fixes • 634d56b Fixed pylon error • 0689815 Fixes for doc build errors PR #24166: (jayeshka) adding states/pkgng unit test case. @ 2015-05-27T20:27:49Z • 7e400bc Merge pull request #24166 from jayeshka/pkgng-states-unit-test • 2234bb0 adding states/pkgng unit test case. PR #24189: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-27T20:26:31Z PR #24178: (rallytime) Backport #24118 to 2014.7, too. PR #24159: (rallytime) Fill out modules/keystone.py CLI Examples PR #24158: (rallytime) Fix test_valid_docs test for tls module PR #24118: (trevor-h) removed deprecated pymongo usage refs: #24139 #24178 • 9fcda79 Merge pull request #24189 from basepi/merge-forward-2015.5 • 8839e9c Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 9d7331c Merge pull request #24178 from rallytime/bp-24118 • e2217a0 removed deprecated pymongo usage as no longer functional with pymongo > 3.x • 4e8c503 Merge pull request #24159 from rallytime/keystone_doc_examples • dadac8d Fill out modules/keystone.py CLI Examples • fc10ee8 Merge pull request #24158 from rallytime/fix_doc_error • 49a517e Fix test_valid_docs test for tls module PR #24181: (jtand) Fixed error where file was evaluated as a symlink in test_absent @ 2015-05-27T18:26:28Z • 2303dec Merge pull request #24181 from jtand/file_test • 5f0e601 Fixed error where file was evaluated as a symlink in test_absent PR #24180: (terminalmage) Skip libvirt tests if not running as root @ 2015-05-27T18:18:47Z • a162768 Merge pull request #24180 from terminalmage/fix-libvirt-test • 72e7416 Skip libvirt tests if not running as root PR #24165: (jayeshka) adding states/portage_config unit test case. @ 2015-05-27T17:15:08Z • 1fbc5b2 Merge pull request #24165 from jayeshka/portage_config-states-unit-test • 8cf1505 adding states/portage_config unit test case. PR #24164: (jayeshka) adding states/pecl unit test case. @ 2015-05-27T17:14:26Z • 4747856 Merge pull request #24164 from jayeshka/pecl-states-unit-test • 563a5b3 adding states/pecl unit test case. PR #24160: (The-Loeki) small enhancement to data module; pop() @ 2015-05-27T17:03:10Z • cdaaa19 Merge pull request #24160 from The-Loeki/patch-1 • 2175ff3 doc & merge fix • eba382c small enhancement to data module; pop() PR #24153: (techhat) Batch mode sometimes improperly builds lists of minions to process @ 2015-05-27T16:21:53Z • 4a8dbc7 Merge pull request #24153 from techhat/batchlist • 467ba64 Make sure that minion IDs are strings PR #24167: (jayeshka) adding states/pagerduty unit test case. @ 2015-05-27T16:14:01Z • ed8ccf5 Merge pull request #24167 from jayeshka/pagerduty-states-unit-test • 1af8c83 adding states/pagerduty unit test case. PR #24156: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-05-27T15:05:01Z ISSUE #23464: (tibold) cmd_iter_no_block() blocks refs: #24093 PR #24125: (hvnsweeting) Fix rabbitmq test mode PR #24093: (msteed) Make LocalClient.cmd_iter_no_block() not block PR #24008: (davidjb) Correct reST formatting for states.cmd documentation PR #23933: (jacobhammons) sphinx saltstack2 doc theme * b9507d1 Merge pull request #24156 from basepi/merge-forward-2015.5 * e52b5ab Remove stray >>>>> • 7dfbd92 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • c0d32e0 Merge pull request #24125 from hvnsweeting/fix-rabbitmq-test-mode • 71862c6 enhance log • 28e2594 change according to new output of rabbitmq module functions • cd0212e processes and returns better output for rabbitmq module • 39a8f30 Merge pull request #24093 from msteed/issue-23464 • fd35903 Fix failing test • 41b344c Make LocalClient.cmd_iter_no_block() not block • 5bffd30 Merge pull request #24008 from davidjb/2014.7 • 8b8d029 Correct reST formatting for documentation • 1aa0420 Merge pull request #23933 from jacobhammons/2014.7 • a3613e6 removed numbering from doc TOC • 78b737c removed 2015.* release from release notes, updated index page to remove PDF/epub links • e867f7d Changed build settings to use saltstack2 theme and update release versions. • 81ed9c9 sphinx saltstack2 doc theme PR #24145: (jfindlay) attempt to decode win update package @ 2015-05-26T23:20:20Z ISSUE #24102: (bormotov) win_update encondig problems refs: #24145 • 05745fa Merge pull request #24145 from jfindlay/win_update_encoding • cc5e17e attempt to decode win update package PR #24123: (kiorky) fix service enable/disable change @ 2015-05-26T21:24:19Z ISSUE #24122: (kiorky) service.dead is no more stateful: services does not handle correctly enable/disable change state refs: #24123 • 7024789 Merge pull request #24123 from makinacorpus/ss • 2e2e1d2 fix service enable/disable change PR #24146: (rallytime) Fixes the boto_vpc_test failure on CentOS 5 tests @ 2015-05-26T20:15:19Z • 51c3cec Merge pull request #24146 from rallytime/fix_centos_boto_failure • ac0f97d Fixes the boto_vpc_test failure on CentOS 5 tests PR #24144: (twangboy) Compare Keys ignores all newlines and carriage returns @ 2015-05-26T19:25:48Z ISSUE #24052: (twangboy) v2015.5.1 Changes the way it interprets the minion_master.pub file refs: #24089 #24144 ISSUE #23566: (rks2286) Salt-cp corrupting the file after transfer to minion refs: #24144 #23740 PR #23740: (jfindlay) Binary write refs: #24144 • 1c91a21 Merge pull request #24144 from twangboy/fix_24052 • c197b41 Compare Keys removing all newlines and carriage returns PR #24139: (rallytime) Backport #24118 to 2015.5 @ 2015-05-26T18:24:27Z PR #24118: (trevor-h) removed deprecated pymongo usage refs: #24139 #24178 • 0841667 Merge pull request #24139 from rallytime/bp-24118 • 4bb519b removed deprecated pymongo usage as no longer functional with pymongo > 3.x PR #24138: (rallytime) Backport #24116 to 2015.5 @ 2015-05-26T18:23:51Z PR #24116: (awdrius) Fixed typo in chown username (ending dot) that fails the command. refs: #24138 • 742eca2 Merge pull request #24138 from rallytime/bp-24116 • 7f08641 Fixed typo in chown username (ending dot) that fails the command. PR #24137: (rallytime) Backport #24105 to 2015.5 @ 2015-05-26T18:23:40Z PR #24105: (cedwards) Updated some beacon-specific documentation formatting refs: #24137 • e01536d Merge pull request #24137 from rallytime/bp-24105 • f0778a0 Updated some beacon-specific documentation formatting PR #24136: (rallytime) Backport #24104 to 2015.5 @ 2015-05-26T15:58:47Z ISSUE #23364: (pruiz) Unable to destroy host using proxmox cloud: There was an error destroying machines: 501 Server Error: Method 'DELETE /nodes/pmx1/openvz/openvz/100' not implemented PR #24104: (pruiz) Only try to stop a VM if it's not already stopped. (fixes #23364) refs: #24136 • 89cdf97 Merge pull request #24136 from rallytime/bp-24104 • c538884 Only try to stop a VM if it's not already stopped. (fixes #23364) PR #24135: (rallytime) Backport #24083 to 2015.5 @ 2015-05-26T15:58:27Z PR #24083: (swdream) fix code block syntax refs: #24135 • 67c4373 Merge pull request #24135 from rallytime/bp-24083 • e1d06f9 fix code block syntax PR #24131: (jayeshka) adding states/mysql_user unit test case @ 2015-05-26T15:58:10Z • a83371e Merge pull request #24131 from jayeshka/mysql_user-states-unit-test • ed1ef69 adding states/mysql_user unit test case PR #24130: (jayeshka) adding states/ntp unit test case @ 2015-05-26T15:57:29Z • 1dc1d2a Merge pull request #24130 from jayeshka/ntp-states-unit-test • ede4a9f adding states/ntp unit test case PR #24128: (jayeshka) adding states/openstack_config unit test case @ 2015-05-26T15:56:08Z • 3943417 Merge pull request #24128 from jayeshka/openstack_config-states-unit-test • ca09e0f adding states/openstack_config unit test case PR #24127: (jayeshka) adding states/npm unit test case @ 2015-05-26T15:55:18Z • 23f25c4 Merge pull request #24127 from jayeshka/npm-states-unit-test • c3ecabb adding states/npm unit test case PR #24077: (anlutro) Change how state_verbose output is filtered @ 2015-05-26T15:41:11Z ISSUE #24009: (hvnsweeting) state_verbose False summary is wrong refs: #24077 • 07488a4 Merge pull request #24077 from alprs/fix-outputter_highstate_nonverbose_count • 7790408 Change how state_verbose output is filtered PR #24119: (jfindlay) Update contrib docs @ 2015-05-26T15:37:01Z • 224820f Merge pull request #24119 from jfindlay/update_contrib_docs • fa2d411 update example release branch in contrib docs • a0b76b5 clarify git rebase instructions • 3517e00 fix contribution docs link typos • 651629c backport dev contrib doc updates to 2015.5 PR #23928: (joejulian) Add the ability to replace existing certificates @ 2015-05-25T19:47:26Z • 5488c4a Merge pull request #23928 from joejulian/2015.5_tls_module_replace_existing • 4a4cbdd Add the ability to replace existing certificates PR #24078: (jfindlay) if a charmap is not supplied, set it to the codeset @ 2015-05-25T19:39:19Z ISSUE #23221: (Reiner030) Debian Jessie: locale.present not working again refs: #24078 • dd90ef0 Merge pull request #24078 from jfindlay/locale_charmap • 5eb97f0 if a charmap is not supplied, set it to the codeset PR #24088: (jfindlay) pkg module integration tests @ 2015-05-25T19:39:02Z • 9cec5d3 Merge pull request #24088 from jfindlay/pkg_tests • f1bd5ec adding pkg module integration tests • 739b2ef rework yumpkg refresh_db so args are not mandatory PR #24089: (jfindlay) allow override of binary file mode on windows @ 2015-05-25T19:38:44Z ISSUE #24052: (twangboy) v2015.5.1 Changes the way it interprets the minion_master.pub file refs: #24089 #24144 • 517552c Merge pull request #24089 from jfindlay/binary_write • b2259a6 allow override of binary file mode on windows PR #24092: (jfindlay) collect scattered contents edits, ensure it's a str @ 2015-05-25T19:38:10Z ISSUE #23973: (mschiff) state file.managed: setting contents_pillar to a pillar which is a list throws exception instead giving descriptive error message refs: #24092 • 121ab9f Merge pull request #24092 from jfindlay/file_state • cfa0f13 collect scattered contents edits, ensure it's a str PR #24112: (The-Loeki) thin_gen breaks when thinver doesn't exist @ 2015-05-25T19:37:47Z • 84e65de Merge pull request #24112 from The-Loeki/patch-1 • 34646ea thin_gen breaks when thinver doesn't exist PR #24108: (jayeshka) adding states/mysql_query unit test case @ 2015-05-25T12:30:48Z • ec509ed Merge pull request #24108 from jayeshka/mysql_query-states-unit-test • ec50450 adding states/mysql_query unit test case PR #24110: (jayeshka) adding varnish unit test case @ 2015-05-25T12:30:21Z • f2e5d6c Merge pull request #24110 from jayeshka/varnish-unit-test • e119889 adding varnish unit test case PR #24109: (jayeshka) adding states/mysql_grants unit test case @ 2015-05-25T12:29:53Z • 4fca2b4 Merge pull request #24109 from jayeshka/mysql_grants-states-unit-test • 11a93cb adding states/mysql_grants unit test case PR #24028: (nleib) send a disable message to disable puppet @ 2015-05-25T04:02:11Z • 6b43c9a Merge pull request #24028 from nleib/2015.5 • 15f24b4 update format of string in disabled msg • 7690e5b remove trailing whitespaces • 56a9720 Update puppet.py • 9686391 Update puppet.py • 33f3d68 send a disable message to disable puppet PR #24100: (jfindlay) adding states/file unit test case @ 2015-05-24T05:17:54Z PR #23963: (jayeshka) adding states/file unit test case refs: #24100 • 52c9aca Merge pull request #24100 from jfindlay/merge_23963 • 7d59deb adding states/file unit test case PR #24098: (galet) Systemd not recognized properly on Oracle Linux 7 @ 2015-05-24T04:07:31Z ISSUE #21446: (dpheasant) check for systemd on Oracle Linux refs: #24098 • 0eb9f15 Merge pull request #24098 from galet/2015.5 • 4d6ab21 Systemd not recognized properly on Oracle Linux 7 PR #24090: (jfindlay) adding states/mount unit test case @ 2015-05-22T23:02:57Z PR #24062: (jayeshka) adding states/mount unit test case refs: #24090 • 8e04db7 Merge pull request #24090 from jfindlay/merge_24062 • a81a922 adding states/mount unit test case PR #24086: (rallytime) Backport #22806 to 2015.5 @ 2015-05-22T21:18:20Z ISSUE #22574: (unicolet) error when which is not available refs: #22806 PR #22806: (jfindlay) use cmd.run_all instead of cmd.run_stdout refs: #24086 • c0079f5 Merge pull request #24086 from rallytime/bp-22806 • f728f55 use cmd.run_all instead of cmd.run_stdout PR #24024: (jayeshka) adding states/mongodb_user unit test case @ 2015-05-22T20:53:19Z • 09de253 Merge pull request #24024 from jayeshka/mongodb_user-states-unit-test • f31dc92 resolved errors • d038b1f adding states/mongodb_user unit test case PR #24065: (kiorky) continue to fix #23883 refs: #24080 #24066 @ 2015-05-22T18:59:21Z ISSUE #23883: (kaithar) max_event_size seems broken * bfd812c Merge pull request #24065 from makinacorpus/real23883 * 028282e continue to fix #23883 PR #24029: (kiorky) Fix providers handling @ 2015-05-22T16:56:06Z ISSUE #24017: (arthurlogilab) [salt-cloud openstack] TypeError: unhashable type: 'dict' on map creation refs: #24029 • 429adfe Merge pull request #24029 from makinacorpus/fixproviders • 412b39b Fix providers handling PR #23936: (jfindlay) remove unreachable returns in file state @ 2015-05-22T16:26:49Z • a42cccc Merge pull request #23936 from jfindlay/file_state • ac29c0c also validate file.recurse source parameter • 57f7388 remove unreachable returns in file state PR #24063: (jayeshka) removed tuple index error @ 2015-05-22T14:58:20Z • 8b69b41 Merge pull request #24063 from jayeshka/mount-states-module • b9745d5 removed tuple index error PR #24057: (rallytime) Backport #22572 to 2015.5 @ 2015-05-22T05:36:25Z PR #22572: (The-Loeki) Small docfix for GitPillar refs: #24057 • 02ac4aa Merge pull request #24057 from rallytime/bp-22572 • 49aad84 Small docfix for GitPillar PR #24040: (rallytime) Backport #24027 to 2015.5 @ 2015-05-21T23:43:54Z ISSUE #23088: (wfhg) Segfault when adding a Zypper repo on SLES 11.3 refs: #24027 PR #24027: (wfhg) Add baseurl to salt.modules.zypper.mod_repo refs: #24040 • 82de059 Merge pull request #24040 from rallytime/bp-24027 • 37d25d8 Added baseurl as alias for url and mirrorlist in salt.modules.zypper.mod_repo. PR #24039: (rallytime) Backport #24015 to 2015.5 @ 2015-05-21T23:43:25Z PR #24015: (YanChii) minor improvement of solarisips docs & fix typos refs: #24039 • d909781 Merge pull request #24039 from rallytime/bp-24015 • 6bfaa94 minor improvement of solarisips docs & fix typos PR #24038: (rallytime) Backport #19599 to 2015.5 @ 2015-05-21T23:43:10Z ISSUE #19598: (fayetted) ssh_auth.present test=true incorectly reports changes will be made refs: #19599 PR #19599: (fayetted) Fix ssh_auth test mode, compare lines not just key refs: #24038 • 4a0f254 Merge pull request #24038 from rallytime/bp-19599 • ea00d3e Fix ssh_auth test mode, compare lines not just key PR #24046: (rallytime) Remove key management test from digital ocean cloud tests @ 2015-05-21T22:32:04Z • 42b87f1 Merge pull request #24046 from rallytime/remove_key_test • 1d031ca Remove key management test from digital ocean cloud tests PR #24044: (cro) Remove spurious log message, fix typo in doc @ 2015-05-21T22:31:49Z • eff54b1 Merge pull request #24044 from cro/pgjsonb • de06633 Remove spurious log message, fix typo in doc PR #24001: (msteed) issue #23883 @ 2015-05-21T20:32:30Z ISSUE #23883: (kaithar) max_event_size seems broken * ac32000 Merge pull request #24001 from msteed/issue-23883 * bea97a8 issue #23883 PR #23995: (kiorky) Lxc path pre @ 2015-05-21T17:26:03Z • f7fae26 Merge pull request #23995 from makinacorpus/lxc_path_pre • 319282a lint • 1dc67e5 lxc: versionadded • fcad7cb lxc: states improvements • 644bd72 lxc: more consistence for profiles • 139372c lxc: remove merge cruft • 725b046 lxc: Repair merge PR #24032: (kartiksubbarao) Update augeas_cfg.py @ 2015-05-21T17:03:42Z ISSUE #16383: (interjection) salt.states.augeas.change example from docs fails with exception refs: #24032 • 26d6851 Merge pull request #24032 from kartiksubbarao/augeas_insert_16383 • 3686dcd Update augeas_cfg.py PR #24025: (jayeshka) adding timezone unit test case @ 2015-05-21T16:50:53Z • 55c9245 Merge pull request #24025 from jayeshka/timezone-unit-test • 1ec33e2 removed assertion error • 16ecb28 adding timezone unit test case PR #24023: (jayeshka) adding states/mongodb_database unit test case @ 2015-05-21T16:49:17Z • e243617 Merge pull request #24023 from jayeshka/mongodb_database-states-unit-test • 5a9ac7e adding states/mongodb_database unit test case PR #24022: (jayeshka) adding states/modjk_worker unit test case @ 2015-05-21T16:48:29Z • b377bd9 Merge pull request #24022 from jayeshka/modjk_worker-states-unit-test • 05c0a98 adding states/modjk_worker unit test case PR #24005: (msteed) issue #23776 @ 2015-05-21T01:55:34Z ISSUE #23776: (enblde) Presence change events constantly reporting all minions as new in 2015.5 * 701c51b Merge pull request #24005 from msteed/issue-23776 * 62e67d8 issue #23776 PR #23996: (neogenix) iptables state generates a 0 position which is invalid in iptables cli #23950 @ 2015-05-20T22:44:27Z ISSUE #23950: (neogenix) iptables state generates a 0 position which is invalid in iptables cli refs: #23996 • 17b7c0b Merge pull request #23996 from neogenix/2015.5-23950 • ad417a5 fix for #23950 PR #23994: (rallytime) Skip the gpodder pkgrepo test for Ubuntu 15 - they don't have vivid ppa up yet @ 2015-05-20T21:18:21Z • 4cb8773 Merge pull request #23994 from rallytime/skip_test_ubuntu_15 • 9e0ec07 Skip the gpodder pkgrepo test - they don't have vivid ppa up yet Salt 2015.5.3 Release Notes Extended Changelog Courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2015-07-01T19:40:52Z Statistics: • Total Merges: 177 • Total Issue references: 81 • Total PR references: 231 Changes: • PR #25096: (jfindlay) Postgres group test @ 2015-07-01T18:48:26Z • PR #24330: (jayeshka) adding states/postgres_group unit test case. | refs: #25096 • 21709aa Merge pull request #25096 from jfindlay/postgres_group_test • 3c379dc declobber postgres state unit test mocking • a162ffa adding states/postgres_group unit test case. • PR #25085: (jfindlay) accept all sources in the file state @ 2015-07-01T18:23:45Z • ISSUE #25041: (wt) REGRESSION: pillar.get of integer fails to render in sls | refs: #25085 • 0a84640 Merge pull request #25085 from jfindlay/fix_file • 937a252 remove unnecessary file state tests • 6f238e9 integration test file.managed sources • a5978d3 iterate an iterable source othwerise list+str it • PR #25095: (jfindlay) Win groupadd unit tests @ 2015-07-01T18:18:53Z • PR #24207: (jayeshka) adding win_groupadd unit test case. | refs: #25095 • a983942 Merge pull request #25095 from jfindlay/win_groupadd_test • 564dffd depend on win libs rather than mocking them • 9b9aeb8 resolved all erors. • aaf8935 adding win_groupadd unit test case. • PR #25089: (jfindlay) fix minion sudo @ 2015-07-01T15:53:16Z • ISSUE #21520: (jfindlay) sudo.salt_call is broken | refs: #25089 • PR #20226: (thatch45) Allow sudo priv escalation | refs: #25089 • 7c8d2a8 Merge pull request #25089 from jfindlay/fix_sudo • d8f91d4 add some apprehension to the sudo exec module • a9269c0 adding sudo exec module docs • e4a40b7 comment whitespace in minion config • 44cb167 adding sudo_user minion config docs • d461060 adding sudo_user minion config to default • PR #25099: (driskell) Fix broken batch results @ 2015-07-01T15:51:29Z • ISSUE #24875: (ahammond) ValueError: list.remove(x): x not in list in File "/usr/lib/python2.6/site-packages/salt/cli/batch.py", line 179, in run active.remove(minion) | refs: #25099 • 4d6078e Merge pull request #25099 from driskell/patch-1 • 59b23e5 Fix broken batch results • PR #25083: (steverweber) ipmi: get_sensor_data would always fail @ 2015-06-30T20:57:21Z • 4635079 Merge pull request #25083 from steverweber/fix_ipmi_stat • 836f48c include _ in IpmiCommand • 817e434 get_sensor_data would always fail • PR #25067: (The-Loeki) Fix for maxdepth=0 in find @ 2015-06-30T20:54:06Z • 15f2a40 Merge pull request #25067 from The-Loeki/patch-1 • 61edad3 Fix for maxdepth=0 in find • PR #25078: (terminalmage) Use smaller number for upper limit of mac_user's _first_avail_uid helper function @ 2015-06-30T20:53:24Z • 58d933c Merge pull request #25078 from terminalmage/fix-mac-uid • df2ab7e Use smaller number for upper limit of mac_user's _first_avail_uid helper function • PR #25045: (garethgreenaway) Fixes to debian_ip.py in 2015.5 @ 2015-06-30T17:36:43Z • ISSUE #24521: (multani) State network.managed fails on Debian (Jessie) | refs: #25045 • ebd6cdc Merge pull request #25045 from garethgreenaway/24521_debian_networking • 6f2a6c9 having proto default to static since it's needed to build the template. • PR #25065: (lorengordon) Add download links for 2015.5.1-3 and 2015.5.2 Windows installers @ 2015-06-30T15:29:31Z • ISSUE #25057: (TheBigBear) why is there still no newer salt-minion for windows than ver. 2015.5.0-2? no 2015.5.1 or 2015.5.2? • ae31b27 Merge pull request #25065 from lorengordon/update-windows-installer-links • 40a0c13 Add download links for 2015.5.1-3 and 2015.5.2, Fixes #25057 • PR #25052: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-06-30T01:05:00Z • ISSUE #15209: (hubez) file.manage: source_hash not working with s3:// (2014.7.0rc1) | refs: #25011 • PR #25011: (notpeter) Add s3 to protocols for remote source_hash (2014.7 backport) • ddaeb0f Merge pull request #25052 from basepi/merge-forward-2015.5 • 2c5e664 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • a7154e7 Merge pull request #25011 from notpeter/s3_2014.7_backport • 8b8af64 Add s3 to protocols for remote source_hash • PR #25038: (jfindlay) versionadded @ 2015-06-29T19:49:27Z • PR #24747: (msciciel) add get_route function to network module | refs: #25038 • c7003d4 Merge pull request #25038 from jfindlay/versionadded • d6dc6f9 versionadded • PR #24747: (msciciel) add get_route function to network module | refs: #25038 @ 2015-06-29T16:51:43Z • 28c87ca Merge pull request #24747 from msciciel/2015.5 • 79b4ec2 network module lint fix • 0b6ef78 network module: fix for ipv6 • f3d184c add get_route function to network module • PR #24975: (ryan-lane) Fix update of undefined env var in npm module @ 2015-06-29T16:45:05Z • 46a9677 Merge pull request #24975 from lyft/npm-module-fix • 6fde581 Try byte literals rather than unicode strings in the env • c8514de Fix update of undefined env var in npm module • PR #24986: (heewa) Don't modify empty change @ 2015-06-29T16:44:17Z • 9cf8550 Merge pull request #24986 from heewa/fix-pkg-hold-when-errored • d47a448 Don't modify empty change • PR #24999: (rallytime) Provide a less confusing error when cloud provider is misconfigured @ 2015-06-29T16:43:31Z • ISSUE #24969: (bradthurber) salt-cloud 2015.5.0: missing azure dependency results in misleading error | refs: #24999 • ece897d Merge pull request #24999 from rallytime/cloud_error_help • 1e81a88 Clean up • be19a67 Provide a less confusing error when cloud provider is misconfigured • PR #24987: (heewa) Don't try to cache a template when it's not a file @ 2015-06-29T14:02:59Z • 4af15cf Merge pull request #24987 from heewa/fix-trying-to-cache-no-file • 9ae0c78 Don't try to cache a template when it's not a file • PR #25022: (jfindlay) revise label and milestone documentation @ 2015-06-29T13:51:24Z • 8eeaddb Merge pull request #25022 from jfindlay/label_docs • 8575192 revise label and milestone documentation • PR #25029: (jayeshka) adding redismod unit test case. @ 2015-06-29T13:50:33Z • 89c2e01 Merge pull request #25029 from jayeshka/redismod-unit-test • e3045be adding redismod unit test case. • PR #24995: (rallytime) Fix deprecated pymongo usage causing errors in latest pymongo @ 2015-06-27T22:28:56Z • PR #24175: (trevor-h) fix deprecated pymongo usage causing errors in latest pymongo | refs: #24995 • 6425252 Merge pull request #24995 from rallytime/tops_mongo • a3c1063 fix deprecated pymongo usage causing errors in latest pymongo • PR #24994: (garethgreenaway) Another Fix to gpg.py in 2015.5 @ 2015-06-27T22:28:15Z • ISSUE #24862: (dkatsanikakis) gpg.import_key returns error after successfully completed | refs: #24966 #24994 • e9aaa11 Merge pull request #24994 from garethgreenaway/2015_5_24862_gpg_import_key • d2f0d8f variable was referenced before assignment. Just removing the variable and checking the return from distutils.version.LooseVersion directly. • PR #24988: (jayeshka) adding states/supervisord unit test case. @ 2015-06-27T22:24:42Z • ebd666e Merge pull request #24988 from jayeshka/supervisord-states-unit-test • bb0a6d5 adding states/supervisord unit test case. • PR #25007: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-06-26T21:28:57Z • ISSUE #24915: (jtand) Salt-cloud not working in 2014.7.6 | refs: #24944 • PR #24944: (techhat) Double-check main_cloud_config • PR #24936: (jtand) Fixed ps module to not use depreciated psutil commands • 0487c3c Merge pull request #25007 from basepi/merge-forward-2015.5 • 4980fd5 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • a11e4c6 Merge pull request #24944 from techhat/issue24915 • 59c3081 Double-check main_cloud_config • d26a544 Merge pull request #24936 from jtand/psutil • bdb7a19 Fixed ps module to not use depreciated psutil commands • PR #25003: (jacobhammons) Updated man pages @ 2015-06-26T19:13:41Z • 91a60e1 Merge pull request #25003 from jacobhammons/man-pages • cf97a4a Updated man pages • PR #25002: (jacobhammons) sphinx html theme updates @ 2015-06-26T18:39:14Z • a60a2c4 Merge pull request #25002 from jacobhammons/doc-announcements • f88f344 sphinx html theme updates • PR #24977: (rallytime) Only warn about digital ocean deprecation if digital ocean is configured @ 2015-06-25T23:54:46Z • a791b23 Merge pull request #24977 from rallytime/do_move_warning • 6b54422 Only warn about digital ocean deprecation if digital ocean is configured • PR #24966: (garethgreenaway) Fixes to gpg.py in 2015.5 @ 2015-06-25T19:58:49Z • ISSUE #24862: (dkatsanikakis) gpg.import_key returns error after successfully completed | refs: #24966 #24994 • a71c1b7 Merge pull request #24966 from garethgreenaway/2015_5_24862_gpg_import_key • 55eb73b fixing unit tests. • 80c24be Fixing an issue with the import_key method. Different results depending on which gnupg python module is installed. • PR #24965: (jacksontj) Fix memory leak in saltnado @ 2015-06-25T18:48:03Z • ISSUE #24846: (mavenAtHouzz) Memory leak issue in rest_tornado EventListener | refs: #24965 • 8622184 Merge pull request #24965 from jacksontj/2015.5 • 48b5e16 pylint • 87adca4 Fix memory leak in saltnado • PR #24948: (jfindlay) fix some malformed doc links and anchors @ 2015-06-25T15:51:38Z • 773c4cf Merge pull request #24948 from jfindlay/doc_links • 152a9b2 fix some malformed doc links and anchors • PR #24886: (anlutro) Be more careful about stripping away root_dir from directory options @ 2015-06-25T15:50:11Z • ISSUE #24885: (anlutro) Master config - Directories starting with a dot have the dot stripped when root_dir is . | refs: #24886 • 4ebc01e Merge pull request #24886 from alprs/fix-root_dir_bug • 52ccafd os.sep is the correct directory separator constant • 0ecbf26 Be more careful about stripping away root_dir from directory options • PR #24930: (jacksontj) Don't refetch file templates 100% of the time-- Performance optimization for templated files @ 2015-06-24T21:22:47Z • f52f7e1 Merge pull request #24930 from jacksontj/2015.5 • 5fb7534 Only parse the source if we have one • c03a6fa Add support for sources of managed files to be local • 4cf78a0 pylint • d70914e Don't refetch the template 100% of the time-- Performance optimization for templated files • PR #24935: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-06-24T18:17:54Z • PR #24918: (BretFisher) SmartOS SMF minion startup fix • PR #473: (whiteinge) Added a couple functions to work with the minion file cache | refs: #24918 • 925a4d9 Merge pull request #24935 from basepi/merge-forward-2015.5 • 8d8bf34 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • eeb05a1 Merge pull request #24918 from BretFisher/minion-start-smartos-smf-fix • d7bfb0c Smartos smf minion fix • PR #24873: (jfindlay) convert osrelease grain to str before str op @ 2015-06-24T16:43:08Z • ISSUE #24826: (rakai93) rh_service.py: 'int' object has no attribute 'startswith' | refs: #24873 • 4e8ed0d Merge pull request #24873 from jfindlay/rh_service • febe6ef convert osrelease grain to str before str op • PR #24923: (jayeshka) adding states/status unit test case. @ 2015-06-24T15:50:07Z • 90819f9 Merge pull request #24923 from jayeshka/status-states-unit-test • baec650 adding states/status unit test case. • PR #24902: (cro) Fix minion failover, document same @ 2015-06-24T15:20:43Z • 2dd24ec Merge pull request #24902 from cro/fixfo2 • 90c73ff References to documentation. • f0c9204 Add references to failover parameters in conf • 9da96a8 Docs • e2314f0 Move comment. • b9a756f Fix master failover and add documentation for same. Factor in syndics. Syndics will not failover (yet). • PR #24926: (rallytime) Back-port #22263 to 2015.5 @ 2015-06-24T15:09:40Z • PR #22263: (cachedout) Prevent a load from being written if one already exists | refs: #24926 • 087ee09 Merge pull request #24926 from rallytime/bp-22263 • 8c92d9c Prevent a load from being written if one already exists • PR #24900: (rallytime) Back-port #24848 to 2015.5 @ 2015-06-24T15:09:18Z • PR #24848: (nmadhok) Correcting bash code blocks | refs: #24900 • b34a74f Merge pull request #24900 from rallytime/bp-24848 • d2b5456 Correcting bash code blocks • PR #24899: (rallytime) Back-port #24847 to 2015.5 @ 2015-06-24T15:09:01Z • PR #24847: (borutmrak) unset size parameter for lxc.create when backing=zfs | refs: #24899 • a546e8e Merge pull request #24899 from rallytime/bp-24847 • 1e4ec7a unset size parameter for lxc.create when backing=zfs • PR #24898: (rallytime) Back-port #24845 to 2015.5 @ 2015-06-24T15:06:09Z • PR #24845: (porterjamesj) fix bug in docker.loaded | refs: #24898 • d4dd8d2 Merge pull request #24898 from rallytime/bp-24845 • 071049a fix bug in docker.loaded • PR #24897: (rallytime) Back-port #24839 to 2015.5 @ 2015-06-24T15:05:35Z • ISSUE #24799: (infestdead) Forced remount because options changed when no options changed (glusterfs) • PR #24839: (infestdead) fix for issue #24799 | refs: #24897 • 6930855 Merge pull request #24897 from rallytime/bp-24839 • f3b20d5 fix for issue #24799 • PR #24891: (jayeshka) adding states/ssh_known_hosts unit test case. @ 2015-06-23T16:46:58Z • 1650233 Merge pull request #24891 from jayeshka/ssh_known_hosts-states-unit-test • ef1347f adding states/ssh_known_hosts unit test case. • PR #24874: (dkiser) Fix for salt-cloud when ssh key used to auth and using sudo. @ 2015-06-22T23:46:08Z • ISSUE #24870: (dkiser) salt-cloud fails on sudo password prompt when using ssh key to auth | refs: #24874 • c32aae9 Merge pull request #24874 from dkiser/salt-cloud-24870 • 6c31143 Fix key error for the PR to fix #24870. • bdcf7d8 Fix pylint for #24874. • 8f66d19 Fix for salt-cloud when ssh key used to auth and using sudo. • PR #24880: (dkiser) Fix to allow password for salt-cloud to be set outside of a vm specif… @ 2015-06-22T23:44:59Z • ISSUE #24871: (dkiser) salt-cloud fails to honor 'password' in cloud options before raising an exception | refs: #24880 • ddaa21c Merge pull request #24880 from dkiser/salt-cloud-24871 • 4f6c035 Fix to allow password for salt-cloud to be set outside of a vm specific context. • PR #24852: (pruiz) Fix issue 24851: regular expression so it now matches packages with '.' or '-' at pkg name @ 2015-06-22T20:37:13Z • 3902b16 Merge pull request #24852 from pruiz/issue-24851 • 73adb1d Fix regular expression so it now matches packages with '.' or '-' at pkg name. • PR #24861: (jayeshka) adding states/ssh_auth unit test case. @ 2015-06-22T16:20:01Z • 6c5b788 Merge pull request #24861 from jayeshka/ssh_auth-states-unit-test • e5d7b0d adding states/ssh_auth unit test case. • PR #24824: (kev009) Detect bhyve virtual type for FreeBSD guests @ 2015-06-22T15:24:35Z • ISSUE #23478: (calvinhp) grains.get virtual reports "physical" on bhyve FreeBSD VM | refs: #24824 • 9e3321c Merge pull request #24824 from kev009/grains-bhyve-bsd • a226209 Detect bhyve virtual type for freebsd guests • PR #24795: (anlutro) Fix state.apply for salt-ssh @ 2015-06-22T15:23:57Z • ISSUE #24746: (anlutro) state.apply doesn't seem to work | refs: #24795 • 7b07ef9 Merge pull request #24795 from alprs/fix-salt_ssh_state_apply • 905840b Fix state.apply for salt-ssh • PR #24832: (jacksontj) Don't incur a "_load_all" of the lazy_loader while looking for mod_init. @ 2015-06-22T15:17:10Z • PR #20540: (jacksontj) Loader nomerge: Don't allow modules to "merge" | refs: #24832 • PR #20481: (jacksontj) Add submodule support to LazyLoader | refs: #20540 • PR #20473: (jacksontj) Add "disabled" support | refs: #20481 • PR #20274: (jacksontj) Loader overhaul to LazyLoader | refs: #20473 • PR #12327: (jacksontj) Add a LazyLoader class which will lazily load modules (with the given lo... | refs: #20274 • 31d4c13 Merge pull request #24832 from jacksontj/2015.5 • cfa7c0a pylint • be18439 Don't incur a "_load_all" of the lazy_loader while looking for mod_init. • PR #24834: (rallytime) Back-port #24811 to 2015.5 @ 2015-06-19T18:43:49Z • ISSUE #14666: (luciddr34m3r) salt-cloud GoGrid exception when using map file | refs: #24811 • PR #24811: (rallytime) Add notes to map and gogrid docs -- don't use -P with map files | refs: #24834 • 2d8148f Merge pull request #24834 from rallytime/bp-24811 • e2684ec Add notes to map and gogrid docs -- don't use -P with map files • PR #24790: (rallytime) Back-port #24741 to 2015.5 @ 2015-06-19T17:25:58Z • PR #24741: (CameronNemo) Improve Upstart enable/disable handling | refs: #24790 • d2edb63 Merge pull request #24790 from rallytime/bp-24741 • a54245f Add missing import • 4ce6370 salt.modules.upstart: fix lint errors • aec53ec Improve Upstart enable/disable handling • PR #24789: (rallytime) Back-port #24717 to 2015.5 @ 2015-06-19T17:17:00Z • PR #24717: (gthb) virtualenv.managed: document user and no_chown | refs: #24789 • 645e62a Merge pull request #24789 from rallytime/bp-24717 • 95ac4eb virtualenv.managed: document user and no_chown • PR #24823: (jayeshka) adding states/splunk_search unit test case. @ 2015-06-19T17:14:12Z • 0a6c70f Merge pull request #24823 from jayeshka/splunk_search-states-unit-test • 98831a8 adding states/splunk_search unit test case. • PR #24809: (jodv) Correctly create single item list for failover master type with string value for master opt @ 2015-06-19T15:22:20Z • 4c5a708 Merge pull request #24809 from jodv/single_item_master_list • 18ceebc single item list vs. list of characters • PR #24802: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-06-18T20:11:58Z • ISSUE #24776: (nmadhok) --static option in salt raises ValueError and has been broken for a very long time | refs: #24777 • ISSUE #21318: (thanatos) get_full_returns raises KeyError | refs: #24769 • ISSUE #18994: (njhartwell) salt.client.get_cli_returns errors when called immediately after run_job | refs: #24769 • ISSUE #17041: (xenophonf) Confusing Salt error messages due to limited/incomplete PowerShell command error handling | refs: #24690 • ISSUE #19: (thatch45) Sending a faulty command kills all the minions! • PR #24780: (nmadhok) Backporting PR #24777 to 2014.7 branch • PR #24779: (nmadhok) Backporting Changes to 2014.7 branch | refs: #24777 • PR #24778: (nmadhok) Backporting PR #24777 to 2015.2 branch | refs: #24777 • PR #24777: (nmadhok) Fixing issue where --static option fails with ValueError Fixes #24776 | refs: #24778 #24780 • PR #24769: (msteed) Fix stacktrace in get_cli_returns() • PR #24690: (twangboy) Report powershell output instead of error • ae05e70 Merge pull request #24802 from basepi/merge-forward-2015.5 • 5b7a65d Merge pull request #19 from twangboy/merge-forward-fixes • 98e7e90 Fixed test failures for Colton • b949856 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 4281dff Merge pull request #24780 from nmadhok/backport-2014.7-24777 • c53b0d9 Backporting PR #24777 to 2014.7 branch • f3c5cb2 Merge pull request #24769 from msteed/issue-21318 • f40a9d5 Fix stacktrace in get_cli_returns() • 59db246 Merge pull request #24690 from twangboy/fix_17041 • 7a01538 Added additional reporting • d84ad5d Fixed capitalization... Failed and Already • e955245 Merge branch '2014.7' of https://github.com/saltstack/salt into fix_17041 • 144bff2 Report powershell output instead of error • PR #24798: (jtand) Revert "adding states/postgres_database unit test case." @ 2015-06-18T17:56:17Z • PR #24329: (jayeshka) adding states/postgres_database unit test case. | refs: #24798 • daa76c3 Merge pull request #24798 from saltstack/revert-24329-postgres_database-states-unit-test • 179ce03 Revert "adding states/postgres_database unit test case." • PR #24791: (rallytime) Back-port #24749 to 2015.5 @ 2015-06-18T17:43:15Z • PR #24749: (obestwalter) add windows specific default for multiprocessing | refs: #24791 • 7073a9f Merge pull request #24791 from rallytime/bp-24749 • be43b2b add windows specific default for multiprocessing • PR #24792: (rallytime) Back-port #24757 to 2015.5 @ 2015-06-18T15:58:35Z • PR #24757: (cachedout) Fix loader call in pyobjects | refs: #24792 • PR #24668: (grischa) enable virtual package names in pyobjects renderer | refs: #24721 #24757 • 1a158e8 Merge pull request #24792 from rallytime/bp-24757 • 6c804f0 Fix loader call in pyobjects • PR #24768: (jfindlay) fix yum versionlock on RHEL/CentOS 5, disable corresponding test @ 2015-06-18T15:13:12Z • 0f92982 Merge pull request #24768 from jfindlay/pkg_mod • 7a26c2b disable pkg.hold test for RHEL/CentOS 5 • 4cacd93 use correct yum versionlock pkg name on centos 5 • PR #24778: (nmadhok) Backporting PR #24777 to 2015.2 branch | refs: #24777 @ 2015-06-18T14:53:04Z • ISSUE #24776: (nmadhok) --static option in salt raises ValueError and has been broken for a very long time | refs: #24777 • PR #24779: (nmadhok) Backporting Changes to 2014.7 branch | refs: #24777 • PR #24777: (nmadhok) Fixing issue where --static option fails with ValueError Fixes #24776 | refs: #24778 #24780 • 39f088a Merge pull request #24778 from nmadhok/backport-2015.2-24777 • ae3701f Backporting PR #24777 to 2015.2 branch • PR #24774: (zefrog) Fix lxc lvname parameter command @ 2015-06-18T14:49:06Z • 2a4f65f Merge pull request #24774 from zefrog/fix-lxc-lvname-param • 21e0cd4 Fixed typo in lxc module: lvname parameter typo • 283d86e Fixed bug in lxc module: lvname using wrong parameter in cmd • PR #24782: (jayeshka) adding states/slack unit test case. @ 2015-06-18T14:33:55Z • fd73390 Merge pull request #24782 from jayeshka/slack-states-unit-test • e2b6214 adding states/slack unit test case. • PR #24771: (jacksontj) Always extend requisites, instead of replacing them @ 2015-06-18T14:29:09Z • ISSUE #24770: (jacksontj) Requisite and Requisite_in don't play nice together | refs: #24771 • c9c90af Merge pull request #24771 from jacksontj/2015.5 • b1211c5 Re-enable tests for complex prereq and prereq_in • 378f6bf Only merge when the merge is of requisites • PR #24766: (msteed) Remove doc references to obsolete minion opt @ 2015-06-17T21:36:55Z • 5fe4de8 Merge pull request #24766 from msteed/undoc-dns_check • f92a769 Remove doc references to obsolete minion opt • PR #24329: (jayeshka) adding states/postgres_database unit test case. | refs: #24798 @ 2015-06-17T19:11:02Z • a407ab7 Merge pull request #24329 from jayeshka/postgres_database-states-unit-test • ee06f1a adding states/postgres_database unit test case. • PR #24632: (jacobhammons) Doc bug fixes @ 2015-06-17T18:40:02Z • ISSUE #24560: (hydrosine) Documentation missing on parameter | refs: #24632 • ISSUE #24547: (dragonpaw) Artifactory docs say module is 'jboss7'. | refs: #24632 • ISSUE #24375: (companykitchen-dev) Custom grain won't sync under any circumstances | refs: #24632 • ISSUE #24275: (kartiksubbarao) augeas issue with apache and recognizing changes that have been already made | refs: #24632 • ISSUE #24163: (tbaker57) enable_gpu_grains default value confusion | refs: #24632 • 3ff6eff Merge pull request #24632 from jacobhammons/bug-fixes • 7c52012 Fixed typos • c7cdd41 Doc bug fixes Refs #24547 Refs #24275 Refs #24375 Refs #24560 Refs #24163 • PR #24607: (garethgreenaway) fixes to minion.py @ 2015-06-17T18:16:42Z • ISSUE #24198: (ahammond) salt-call event.send doesn't send events from minion | refs: #24607 • 9995f64 Merge pull request #24607 from garethgreenaway/2015_5_sending_events_multi_master • 8abd3f0 A fix if you have multiple masters configured and try to fire events to the minion. Currently they fail silently. Might be the cause of #24198. • PR #24755: (rallytime) Remove SALT_CLOUD_REQS from setup.py @ 2015-06-17T17:42:25Z • bf2dd94 Merge pull request #24755 from rallytime/fix_setup_15 • 48769a5 Remove SALT_CLOUD_REQS from setup.py • PR #24740: (rallytime) Backport #24720 to 2015.5 @ 2015-06-17T16:43:37Z • PR #24720: (TheScriptSage) Issue 24621 - AD/LDAP Group Auth Issue | refs: #24740 • 3d53d79 Merge pull request #24740 from rallytime/bp-24720 • a9bcdb5 Updating master.py to properly check against groups when user is only authed against group. Tested against unit.auth_test. • PR #24723: (rallytime) Back-port #20124 to 2015.5 @ 2015-06-17T16:43:20Z • PR #20124: (cgtx) add init system to default grains | refs: #24723 • ac2851b Merge pull request #24723 from rallytime/bp-20124 • 4d0061b fix infinite loop introduced by #20124 when the init system is not in the supported_inits list • 0c7fa0f Optimizations for #20124 • f353454 add init system to default grains (resolve #20124) • PR #24754: (anlutro) salt-cloud documentation - Add information about linode location @ 2015-06-17T16:04:48Z • 78cd09b Merge pull request #24754 from alprs/docs-add_linode_location_option • d88e071 add information about linode location • PR #24748: (jayeshka) adding states/serverdensity_device unit test case. @ 2015-06-17T15:39:07Z • d5554f7 Merge pull request #24748 from jayeshka/serverdensity_device-states-unit-test • 1a4c241 adding states/serverdensity_device unit test case. • PR #24739: (rallytime) Back-port #24735 to 2015.5 @ 2015-06-17T15:16:47Z • PR #24735: (notpeter) Add 2015.5 codename to version numbers docs | refs: #24739 • 0b7e7ef Merge pull request #24739 from rallytime/bp-24735 • 64c565d Add .0 to version number • 5ed801b Add codenames for 2015.5 and future versions. Trailing newline. • PR #24732: (msteed) Fix stacktrace when --summary is used @ 2015-06-17T03:27:57Z • ISSUE #24111: (yermulnik) cli option '--summary' got broken after upgrade to 2015.5.1 | refs: #24732 • c8713f2 Merge pull request #24732 from msteed/issue-24111 • 54b33dd Fix stacktrace when --summary is used • PR #24721: (rallytime) Back-port #24668 to 2015.5 @ 2015-06-17T03:23:47Z • PR #24668: (grischa) enable virtual package names in pyobjects renderer | refs: #24721 #24757 • 70d3781 Merge pull request #24721 from rallytime/bp-24668 • 68fb5af fixing other test • ba4f262 fixing text for virtual support in pyobjects • b349d91 enable virtual package names in pyobjects renderer • PR #24718: (rallytime) Added some missing config documentation to the vsphere driver @ 2015-06-17T03:19:35Z • ISSUE #21923: (Fluro) Salt cloud not running provisioning script as root | refs: #24718 • ISSUE #17241: (hasues) Salt-Cloud for vSphere needs additional documentation | refs: #24718 • 1b9d689 Merge pull request #24718 from rallytime/update_vsphere_docs • bfdebb6 Added some missing config documentation to the vsphere driver • PR #24714: (rallytime) Remove cloud-requirements.txt @ 2015-06-17T03:17:04Z • 64857c7 Merge pull request #24714 from rallytime/remove_cloud_reqs_15 • 67b796d Remove cloud-requirements.txt • PR #24733: (msteed) Include Tornado in versions report @ 2015-06-17T03:13:53Z • ISSUE #24439: (bechtoldt) Add tornado version to versions report | refs: #24733 • f96b1d6 Merge pull request #24733 from msteed/issue-24439 • 76cfef0 Include Tornado in versions report • PR #24737: (jacksontj) Move AES command logging to trace @ 2015-06-17T01:48:11Z • a861fe0 Merge pull request #24737 from jacksontj/2015.5 • a4ed41a Move AES command logging to trace • PR #24724: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-06-16T22:46:27Z • ISSUE #24196: (johnccfm) Exception when using user.present with Windows | refs: #24646 • PR #24646: (twangboy) Fixed user.present on existing user • 0d2dc46 Merge pull request #24724 from basepi/merge-forward-2015.5 • 4641028 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • a18dada Merge pull request #24646 from twangboy/fix_24196 • a208e1d Fixed user.present on existing user • PR #24701: (jayeshka) adding states/selinux unit test case. @ 2015-06-16T15:27:29Z • 3d33fe7 Merge pull request #24701 from jayeshka/selinux-states-unit-test • 0c136fd adding states/selinux unit test case. • PR #24687: (cachedout) Note about minimum worker_threads @ 2015-06-15T20:46:23Z • 2e287a9 Merge pull request #24687 from cachedout/min_worker_threads • b7bb7ea Note about minimum worker_threads • PR #24688: (cachedout) Update AUTHORS @ 2015-06-15T20:46:03Z • 432478c Merge pull request #24688 from cachedout/update_authors • 3f6880e Better email • 6c7b773 Update AUTHORS • PR #24649: (cachedout) Improved error reporting for failed states @ 2015-06-15T16:04:20Z • ISSUE #22385: (cachedout) States which require unavailable modules should display the reason | refs: #24649 • 9a2b50d Merge pull request #24649 from cachedout/issue_22385 • b9fe792 States will now return the reason behind failure if a module could not be loaded • PR #24673: (jayeshka) adding states/schedule unit test case. @ 2015-06-15T15:24:52Z • 66e9e16 Merge pull request #24673 from jayeshka/schedule-states-unit-test • 54aaaa5 adding states/schedule unit test case. • PR #24663: (kartiksubbarao) Update augeas_cfg.py @ 2015-06-15T15:18:48Z • ISSUE #24661: (kartiksubbarao) augeas.change doesn't support setting empty values | refs: #24663 • 5eb19c4 Merge pull request #24663 from kartiksubbarao/patch-2 • e18db50 Update augeas_cfg.py • PR #24667: (dkiser) fix for #24583 clouds/openstack.py kerying first time succeeds @ 2015-06-14T21:58:58Z • ISSUE #24583: (dkiser) salt-cloud keyring password referenced before assignment | refs: #24667 • 4450432 Merge pull request #24667 from dkiser/fix-cloud-keyring • c92c05f fix for #24583 clouds/openstack.py kerying first time succeeds • PR #24659: (kartiksubbarao) Update aliases.py @ 2015-06-13T17:31:42Z • ISSUE #24537: (kartiksubbarao) alias.present doesn't update alias values that are substrings of the existing value | refs: #24659 • 4c64ee9 Merge pull request #24659 from kartiksubbarao/patch-1 • d683474 Update aliases.py • PR #24644: (cro) Merge forward 2014.7->2015.5 @ 2015-06-12T21:31:41Z • PR #24643: (cro) Add reference to salt-announce mailing list • PR #24620: (twangboy) Fixed comment and uncomment functions in file.py • 89eb616 Merge pull request #24644 from cro/2014.7-2015.5-20150612 • 4136dc3 Merge forward from 2014.7 to 2015.5 • b99484f Merge pull request #24643 from cro/saltannounce • ecb0623 Add salt-announce mailing list. • 635121e Merge pull request #24620 from twangboy/fix_24215 • d7a9999 Fixed comment and uncomment functions in file.py • PR #24642: (basepi) Revert "fix target rule, remove unneeded quotation mark" @ 2015-06-12T20:14:26Z • PR #24595: (tankywoo) fix target rule, remove unneeded quotation mark | refs: #24642 • b896a0d Merge pull request #24642 from saltstack/revert-24595-fix-iptables-target • 5ff3224 Revert "fix target rule, remove unneeded quotation mark" • PR #24628: (jayeshka) adding states/reg unit test case. @ 2015-06-12T17:29:11Z • 01092c2 Merge pull request #24628 from jayeshka/reg_states-unit-test • af1bd8f adding states/reg unit test case. • PR #24631: (rallytime) Back-port #24591 to 2015.5 @ 2015-06-12T16:54:32Z • ISSUE #24494: (arnoutpierre) Computed comments in jinja states | refs: #24591 • ISSUE #24073: (primechuck) State.highstate uses stale grain data. | refs: #24492 • ISSUE #23359: (BalintSzigeti) init.sls parsing issue | refs: #24591 • ISSUE #21217: (Colstuwjx) Maybe a bug for jinja render? | refs: #24591 • PR #24591: (tbaker57) Add some documentation surrounding Jinja vs yaml comments - | refs: #24631 • PR #24492: (DmitryKuzmenko) Don't remove grains from opts • 5f491f9 Merge pull request #24631 from rallytime/bp-24591 • f13cd41 Add extra clarification why jinja comments are needed. • 2374971 Fix typo • 6a91747 Add some documentation surrounding Jinja comments - refs #24492, #21217, #23359 • PR #24616: (garethgreenaway) additional logging in state.py module @ 2015-06-12T16:25:39Z • f23f99e Merge pull request #24616 from garethgreenaway/2015_5_logging_disabled_states • 4dbf0ef Adding some logging statement to give feedback when states, including highstate, are disabled. Useful when running from scheduler. • PR #24595: (tankywoo) fix target rule, remove unneeded quotation mark | refs: #24642 @ 2015-06-12T16:23:22Z • 6dccbb0 Merge pull request #24595 from tankywoo/fix-iptables-target • 10a5160 fix target rule, remove unneeded quotation mark • PR #24604: (jfindlay) fix pkg module integration tests @ 2015-06-12T16:04:26Z • 8ac3d94 Merge pull request #24604 from jfindlay/pkg_tests • d88fb22 fix pkg module integration tests on CentOS 5 • fb91b40 fix pkg module integration tests on ubuntu 12 • PR #24600: (basepi) [2015.5] Remove __kwarg__ from salt-ssh keyword args @ 2015-06-12T04:21:29Z • 0ff545c Merge pull request #24600 from basepi/salt-ssh.orchestrate.20615 • 9b55683 Remove __kwarg__ from salt-ssh keyword args • PR #24608: (basepi) [2015.5] Normalize salt-ssh flat roster minion IDs to strings @ 2015-06-11T21:35:07Z • ISSUE #22843: (Xiol) salt-ssh roster doesn't support integers as host keys | refs: #24608 • 832916f Merge pull request #24608 from basepi/salt-ssh.flat.roster.integers.22843 • 381820f Normalize salt-ssh flat roster minion IDs to strings • PR #24605: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-06-11T19:15:21Z • PR #24589: (BretFisher) Fixed Mine example for jinja code block • 4eb5bb2 Merge pull request #24605 from basepi/merge-forward-2015.5 • f96c502 Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • d83928a Merge pull request #24589 from BretFisher/patch-1 • 65a1133 Fixed Mine example for jinja code block • PR #24598: (jacobhammons) 2015.5.2 release changes @ 2015-06-11T17:24:11Z • ISSUE #24457: (ryan-lane) When selecting the version of docs on the docs site, it brings you to the homepage | refs: #24598 • ISSUE #24250: (jfindlay) have version links on docs page link to that version of the current page | refs: #24598 • e0bb177 Merge pull request #24598 from jacobhammons/doc-fixes • f3f34dd 2015.5.2 release changes Refs #24250 Refs #24457 • PR #24588: (basepi) Fixes for saltmod.function for salt-ssh @ 2015-06-11T16:15:21Z • ISSUE #20615: (aurynn) 2014.7.1: salt/states/saltmod using incorrect return dict for orchestrate | refs: #24588 • 26930b4 Merge pull request #24588 from basepi/salt-ssh.orchestrate.20615 • 826936c Move documentation into docstring instead of comments • de052e7 Assign 'return' to 'ret' if necessary in saltmod.function • 34ff989 Convert keyword args to key=value strings in salt-ssh • PR #24593: (jayeshka) adding states/redismod unit test case. @ 2015-06-11T15:55:27Z • 5a21ad1 Merge pull request #24593 from jayeshka/redismod_states-unit-test • 3b95744 adding states/redismod unit test case. • PR #24581: (rallytime) Disabled some flaky tests until we can figure out how to make them more reliable @ 2015-06-11T15:51:41Z • ISSUE #40: (thatch45) Clean up timeouts | refs: #22857 • PR #24217: (jfindlay) disable intermittently failing tests | refs: #24581 • PR #23623: (jfindlay) Fix /jobs endpoint's return | refs: #24217 • PR #22857: (jacksontj) Fix /jobs endpoint's return | refs: #23623 • 8ffb86e Merge pull request #24581 from rallytime/disable_some_flaky_tests • c82f135 Disabled some flaky tests until we can figure out how to make them more reliable • PR #24566: (jayeshka) adding states/rdp unit test case. @ 2015-06-11T02:14:39Z • a570d7f Merge pull request #24566 from jayeshka/rdp_states-unit-test • 273b994 adding states/rdp unit test case. • PR #24551: (joejulian) 2015.5 don't pollute environment @ 2015-06-11T02:13:06Z • ISSUE #24480: (kiorky) [CRITICAL] [2015.5] tls breaks tzinfo | refs: #24551 • 20ada1f Merge pull request #24551 from joejulian/2015.5_dont_pollute_environment • cfc3b43 Don't pollute the TZ environment variable • cba8d3f pep8 • 9cb7015 Mark keyword version adds • 76e2583 Merge tls changes from develop • PR #24574: (jacobhammons) Refs #19901 @ 2015-06-10T20:09:23Z • ISSUE #19901: (clinta) State cache is not documented | refs: #24468 • bb2fd6a Merge pull request #24574 from jacobhammons/19901 • e2a2946 Refs #19901 • PR #24577: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-06-10T19:46:22Z • ISSUE #24427: (fayetted) 2015.5.1-3 Windows 64Bit Minion fails to start after install | refs: #24530 • PR #24530: (twangboy) Start Minion Service on Silent Install • b03166c Merge pull request #24577 from basepi/merge-forward-2015.5 • e1d45cc Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • d376390 Merge pull request #24530 from twangboy/fix_24427 • 673e1d8 Added missing panel.bmp for installer • cc50218 Start Minion Service on Silent Install • PR #24571: (jacobhammons) Refs #24235 @ 2015-06-10T17:02:18Z • ISSUE #24235: (tomasfejfar) Difference between running from minion and from master | refs: #24468 • 3ec457b Merge pull request #24571 from jacobhammons/24235 • 8df5d53 Refs #24235 • PR #24565: (pille) fix backtrace, when listing plugins @ 2015-06-10T16:33:11Z • fe07eb5 Merge pull request #24565 from pille/munin-ignore-broken-symlinks • 8511a6c fix backtrace, when listing plugins • PR #24554: (ryan-lane) Fix yes usage for pecl defaults @ 2015-06-09T23:59:49Z • 251c8f9 Merge pull request #24554 from lyft/pecl-module-fix • 56a9cfc Fix yes usage for pecl defaults • PR #24535: (rallytime) Back-port #24518 to 2015.5 @ 2015-06-09T20:06:18Z • PR #24518: (rallytime) Merge #24448 with Pylint Fixes | refs: #24535 • PR #24448: (codertux) Update modules path for operating systems using systemd | refs: #24518 • dbd49b4 Merge pull request #24535 from rallytime/bp-24518 • fc75197 Pylint fix • 3e08840 Update modules path for operating systems using systemd • PR #24538: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-06-09T17:27:20Z • PR #24513: (jquast) bugfix use of 'iteritem' in 2014.7 branch • PR #24511: (jquast) bugfix: trailing "...done" in rabbitmq output | refs: #24513 • 485ed3c Merge pull request #24538 from basepi/merge-forward-2015.5 • 6a8039d Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 6ebc476 Merge pull request #24513 from jquast/2014.7-bugfix-iteritem • 2be0180 bugfix use of 'iteritem' in 2014.7 branch • PR #24495: (jayeshka) adding states/rabbitmq_vhost unit test case. @ 2015-06-09T15:33:23Z • 73e6388 Merge pull request #24495 from jayeshka/rabbitmq_vhost_states-unit-test • 31889e3 cosmetic change. • cf501cf resolved error. • 4bb6087 Merge branch '2015.5' of https://github.com/saltstack/salt into rabbitmq_vhost_states-unit-test • 3ad7714 adding states/rabbitmq_vhost unit test case. • PR #24445: (jayeshka) adding states/pyrax_queues unit test case. @ 2015-06-09T15:28:45Z • bf1abcc Merge pull request #24445 from jayeshka/pyrax_queues_states-unit-test • ea27cef adding states/pyrax_queues unit test case. • PR #24490: (aneeshusa) Fix pacman.list_upgrades for new python_shell default. @ 2015-06-09T15:13:16Z • 0247e8d Merge pull request #24490 from aneeshusa/fix-pacman-list-upgrades • 980e1cb Lint fix. • dca33f1 Fix pacman.list_upgrades for new python_shell default. • PR #24517: (steverweber) small fixes to the ipmi docs @ 2015-06-09T15:10:14Z • 6268ddb Merge pull request #24517 from steverweber/ipmi_doc • 6413712 lint • e78aea9 more small fixes to the ipmi docs • PR #24524: (jayeshka) any() takes list oy tuple. @ 2015-06-09T13:49:42Z • 3728b3f Merge pull request #24524 from jayeshka/rabbitmq_vhost_states-module • 01c99ad any() takes list oy tuple. • PR #24482: (eliasp) 'docker.running' needs now the 'image' param. @ 2015-06-09T04:43:04Z • dd23de8 Merge pull request #24482 from eliasp/2015.5-states.dockerio-docker.running-doc • 5de741d 'docker.running' needs now the 'image' param. • PR #24515: (basepi) [2015.5] Add xml library to the salt-thin @ 2015-06-09T04:10:06Z • ISSUE #23503: (jfindlay) salt-ssh fails on CentOS 7 when python-zmq is not installed | refs: #24515 • 2a727c3 Merge pull request #24515 from basepi/susexml23503 • 078b33e Add xml library to the thin • PR #24497: (jayeshka) adding states/rbenv unit test case. @ 2015-06-09T03:56:10Z • fce998a Merge pull request #24497 from jayeshka/rbenv_states-unit-test • 79d343a adding states/rbenv unit test case. • PR #24496: (jayeshka) adding states/rabbitmq_user unit test case. @ 2015-06-09T03:55:23Z • 2bcb4b1 Merge pull request #24496 from jayeshka/rabbitmq_user_states-unit-test • 7d96f27 adding states/rabbitmq_user unit test case. • PR #24481: (eliasp) Fix typo (licnese → license). @ 2015-06-09T03:30:25Z • 02a597b Merge pull request #24481 from eliasp/2015.5-salt.states.powerpath-license_typo • 1280054 Fix typo (licnese â license). • PR #24467: (thenewwazoo) Fix dockerio bound volumes @ 2015-06-09T01:40:23Z • 5ad3db5 Merge pull request #24467 from thenewwazoo/fix-dockerio-bound-volumes • db4e3dc Let's raise an exception if create fails • d1d85dd Add logging • ddc63f0 Fix volume handling when creating containers • PR #24504: (rallytime) Move vsphere deprecation to 2015.5 @ 2015-06-08T22:43:05Z • PR #24487: (nmadhok) Deprecating vsphere cloud driver in favor of vmware cloud driver | refs: #24504 • d236fbd Merge pull request #24504 from rallytime/move_vsphere_deprecation_2015.5 • d876535 Add Getting Started with VSphere doc to 2015.5 • b685ebc Add vSphere deprecation warnings to 2015.5 • PR #24506: (rallytime) Backport #24450 to 2015.5 @ 2015-06-08T22:42:14Z • PR #24450: (ruzarowski) Fix salt cli runs with batch-size set | refs: #24506 • cb55460 Merge pull request #24506 from rallytime/bp-24450 • 1c0fca2 Backport #24450 to 2015.5 • PR #24498: (rallytime) Added "CLI Example" to make failing test happy on 2015.5 @ 2015-06-08T15:48:40Z • 3173fd1 Merge pull request #24498 from rallytime/fix_doc_failure_fifteen • d992ef4 Added "CLI Example" to make failing test happy on 2015.5 • PR #24471: (anlutro) Set up salt-ssh file logging @ 2015-06-08T15:26:49Z • 3639e41 Merge pull request #24471 from alprs/fix-salt_ssh_logging • 6a11ec8 set up salt-ssh file logging • PR #24469: (jfindlay) correctly handle user environment info for npm @ 2015-06-08T15:26:02Z • ISSUE #24231: (tarwich) npm.bootstrap | refs: #24469 • 551e70f Merge pull request #24469 from jfindlay/npm_env • 8140c96 update npm's user info envs • cb572f8 add env parameter to npm.uninstall • PR #24468: (jacobhammons) Bug fixes and build errors @ 2015-06-08T15:25:40Z • ISSUE #24268: (tkent-xetus) Ability to specify revision for win_gitrepos undocumented | refs: #24468 • ISSUE #24235: (tomasfejfar) Difference between running from minion and from master | refs: #24468 • ISSUE #24193: (abng88) Update ext_pillar docs to mention that this feature is supported masterless as well | refs: #24468 • ISSUE #24172: (zhujinhe) Can lists be passed in the pillar on the command line on version 2015.5.0? | refs: #24468 • ISSUE #23211: (lloesche) Document that salt://| escapes special characters in filenames | refs: #24468 • ISSUE #19901: (clinta) State cache is not documented | refs: #24468 • ISSUE #19801: (ksalman) How are grains static? | refs: #24468 • 0d9e0c2 Merge pull request #24468 from jacobhammons/doc-fixes • 1035959 Appended .0 to version added • d45c4ed Bug fixes and build errors Refs #23211 Refs #24268 Refs #24235 Refs #24193 Refs #24172 Refs #19901 Refs #19801 • PR #24465: (jfindlay) catch exception from softwarerepositories @ 2015-06-08T15:25:19Z • ISSUE #24318: (favadi) uncaught exception for pkgrepo.absent for invalid PPA | refs: #24465 • be6905a Merge pull request #24465 from jfindlay/unknown_ppa • 19c9128 catch exception from softwarerepositories • PR #24464: (jfindlay) fix typo in modules/mount.py @ 2015-06-08T15:25:07Z • ISSUE #24296: (objectx) mount.mount calls file.mkdir with incorrect named argument | refs: #24464 • 58d1ea8 Merge pull request #24464 from jfindlay/file_mkdir • 6e8cd44 fix typo in modules/mount.py • PR #24461: (dkiser) fix for #24434 @ 2015-06-08T15:24:53Z • ISSUE #24434: (dkiser) multimaster failover fails due to logic from issue #23611 • 4f332a7 Merge pull request #24461 from dkiser/multimaster_minion_fix • 1944a74 fix for #24434 • PR #24479: (ahus1) change "path" to "name" for "file" operations @ 2015-06-07T17:56:11Z • 8917416 Merge pull request #24479 from ahus1/patch-1 • 7d6b60c change "path" to "name" for "file" operations • PR #24475: (rallytime) Back-port #24454 to 2015.5 @ 2015-06-07T01:29:32Z • PR #24454: (rhertzog) Strip extraneous newline character added in last environment variable | refs: #24475 • 8618d5b Merge pull request #24475 from rallytime/bp-24454 • a793c19 Avoid extraneous newline character added in last environment variable • PR #24474: (rallytime) Back-port #24420 to 2015.5 @ 2015-06-07T01:29:11Z • ISSUE #24407: (aboe76) Please expand salt module random | refs: #24420 • PR #24420: (aboe76) added random integer module to mod_random.py | refs: #24474 • 61658ff Merge pull request #24474 from rallytime/bp-24420 • 4219b40 Fix lint error and update versionadded to 2015.5.3 • 3613cc9 added random integer module to mod_random.py • PR #24472: (variia) ensure {} output is not treated as change in module.py state, fixes #… @ 2015-06-06T14:45:44Z • ISSUE #24233: (variia) yumpkg.group_install keeps returning state change • 508d7dd Merge pull request #24472 from variia/Fix-yumpkg_group_install-return-change-‐ #24233 • 37e8827 ensure {} output is not treated as change in module.py state, fixes #24233 • PR #24466: (basepi) [2015.5] Fix for # in inner strings in yaml arguments @ 2015-06-06T14:35:56Z • ISSUE #18045: (dstokes) Pillar kwargs parse error with # | refs: #24466 • ISSUE #8585: (UtahDave) '#' in single quoted option on cli not making it into the execution module | refs: #24466 • 0292e67 Merge pull request #24466 from basepi/fixhashinargs18045 • 2e0609f Fix for # in inner strings in yaml arguments • PR #24456: (rallytime) Back-port #24441 to 2015.5 @ 2015-06-05T22:32:25Z • PR #24441: (arthurlogilab) [doc] Alignement fix on external_auth documentation | refs: #24456 • ced558a Merge pull request #24456 from rallytime/bp-24441 • 7002855 yaml indentations should be 2 spaces • 21b51ab [doc] Alignement fix on external_auth documentation • PR #24398: (kiorky) VirtualName for states.apt | refs: #24399 @ 2015-06-05T17:40:04Z • ISSUE #24397: (kiorky) on debian: states.apt should use virtualname as it shadows system apt module | refs: #24398 #24398 #24399 #24399 #24400 • PR #24399: (kiorky) Versionvirtual | refs: #24398 • c0ff411 Merge pull request #24398 from makinacorpus/aptv • 785d277 VirtualName for states.apt • PR #24447: (jayeshka) adding states/rabbitmq_policy unit test case. @ 2015-06-05T15:26:11Z • 3626340 Merge pull request #24447 from jayeshka/rabbitmq_policy_states-unit-test • 9b038ab adding states/rabbitmq_policy unit test case. • PR #24446: (jayeshka) adding states/rabbitmq_plugin unit test case. @ 2015-06-05T15:25:33Z • 8445a3f Merge pull request #24446 from jayeshka/rabbitmq_plugin_states-unit-test • cb0c99a adding states/rabbitmq_plugin unit test case. • PR #24426: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-06-05T03:59:11Z • ISSUE #24276: (markuskramerIgitt) Live salt-master Profiling with SIGUSR2 fails • PR #24405: (jacksontj) Fix for #24276 • PR #24395: (hvnsweeting) handle exceptions when received data is not in good shape • PR #24305: (twangboy) Added documentation, fixed formatting • 9cc3808 Merge pull request #24426 from basepi/merge-forward-2015.5 • eafa20c Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5 • 83f853b Merge pull request #24405 from jacksontj/2014.7 • 2c7afae Fix for #24276 • cef919c Merge pull request #24395 from hvnsweeting/handle-exception-get-file • bb798a0 handle exceptions when received data is not in good shape • efba1a9 Merge pull request #24305 from twangboy/win_path_docs • 36804253 Fixed pylint error caused by \P... added r • bc42a4b triple double quotes to triple single quotes • 77cd930 Added documentation, fixed formatting • PR #24429: (jacobhammons) Salt cloud doc updates, build errors and bug fixes @ 2015-06-05T00:27:38Z • ISSUE #24309: (steverweber) missing docs | refs: #24429 • 5d738b8 Merge pull request #24429 from jacobhammons/cloud-doc-updates • 1f7a13d Salt cloud doc updates, build errors and bug fixes Refs #24309 • PR #24408: (rallytime) Backport #24392 to 2015.5 @ 2015-06-04T20:22:09Z • PR #24392: (quixoten) Fix "No such file or directory" in grains/core.py | refs: #24408 • cdffc02 Merge pull request #24408 from rallytime/bp-24392 • ff7461b Use path found by salt.utils.which • PR #24380: (rallytime) Backport #24357 to 2015.5 @ 2015-06-04T20:13:51Z • PR #24357: (zhujinhe) fix invoke issues of Jinja Macros example | refs: #24380 • a6a1f87 Merge pull request #24380 from rallytime/bp-24357 • f08c875 fix invoke issues of Jinja Macros example • PR #24388: (pengyao) fixes #24358 @ 2015-06-04T20:07:40Z • ISSUE #24358: (pengyao) Netapi SSH client don't support ssh_user and ssh_passwd arguments | refs: #24388 • 86ce9db Merge pull request #24388 from pengyao/sshclient-kwargs • 5c08ca4 fixes #24358 • PR #24367: (terminalmage) Improve error message when module does not exist @ 2015-06-04T20:07:12Z • ISSUE #22958: (highlyunavailable) Weird error when typoing a command | refs: #24367 • 72d2eae Merge pull request #24367 from terminalmage/issue22958 • d0d7a54 Improve error message when module does not exist • PR #24412: (jfindlay) backport #23387 @ 2015-06-04T20:06:03Z • ISSUE #23101: (gravyboat) Create a docs page for labels | refs: #23387 • PR #23387: (rallytime) Add some "What are all these labels for?" documentation | refs: #24412 • a628778 Merge pull request #24412 from jfindlay/bp-23387 • bf85772 Make sure the parameters are in the correct order • 9f53809 Add "* Change" label parameters • b27a15e Remove "workaround" wording • 9fff35a Some small fixes • 54a7089 Link the new labels doc in contributing and hacking docs • 375695e Add pull request label definitions • de94563 Add Feature Request label definition • 684f291 Add issue definition and augment functional areas section • 2da13dd Start a "what are all of these labels for?" doc • PR #24336: (twangboy) Added line to give more descriptive error @ 2015-06-04T19:56:00Z • ISSUE #24154: (ssgward) Exception when running cp.get_url | refs: #24336 • 485116c Merge pull request #24336 from twangboy/fix_cp_get_url • 37b11f9 Added line to give more descriptive error • PR #24413: (techhat) Add more namespaced functions to GoGrid driver @ 2015-06-04T19:51:22Z • b3d39cc Merge pull request #24413 from techhat/gogridnamespace • 1b397cb Adding blank line • da08cc9 Add more namespaced functions to GoGrid driver • PR #24399: (kiorky) Versionvirtual | refs: #24398 @ 2015-06-04T18:02:22Z • ISSUE #24397: (kiorky) on debian: states.apt should use virtualname as it shadows system apt module | refs: #24398 #24398 #24399 #24399 #24400 • PR #24398: (kiorky) VirtualName for states.apt | refs: #24399 • 27f109b Merge pull request #24399 from makinacorpus/versionvirtual • 235c78d Use apt_pkg.version_compare if available • 1c0cd45 reindent block to isolate conflict on merge forward • 699ecea use var to isolate conflict on merge forward • PR #24371: (joejulian) 2015.5 tls module tests @ 2015-06-04T15:20:16Z • deaee68 Merge pull request #24371 from joejulian/2015.5_tls_module_tests • 4c5dee1 Add @destructiveTest decorator to destructive tests • 274bbd4 Accept results from older pyOpenSSL • 161f913 All cert info should be in UTC always • 9affcca See the whole diff if dict compare fails • 94f6208 Ignore extensions for now. Resolve this as part of fixing issue 24338. • 84904d3 Mask lint warning for unused imported module • 5675b78 Do not test if PyOpenSSL is not installed • 563cc66 Add tls tests • PR #24403: (jayeshka) adding states/process unit test case. @ 2015-06-04T15:19:01Z • 84686ee Merge pull request #24403 from jayeshka/process_states-unit-test • fcb71fb adding states/process unit test case. • PR #24402: (jayeshka) adding states/pyenv unit test case. @ 2015-06-04T15:18:11Z • 35de8d7 Merge pull request #24402 from jayeshka/pyenv_states-unit-test • 5f263ab adding states/pyenc unit test case. • PR #24401: (jayeshka) adding states/powerpath unit test case. @ 2015-06-04T15:17:46Z • 632f838 Merge pull request #24401 from jayeshka/powerpath-states-unit-test • 49ff927 adding states/powerpath unit test case. • PR #24400: (kiorky) Aptversion @ 2015-06-04T15:17:19Z • ISSUE #24397: (kiorky) on debian: states.apt should use virtualname as it shadows system apt module | refs: #24398 #24398 #24399 #24399 #24400 • 0a6e5e0 Merge pull request #24400 from makinacorpus/aptversion • e15cb93 Use apt_pkg.version_compare if available • 953725a Fix too much quoting in apt.version_cmp • PR #24385: (jeanpralo) Fix salt.modules.dockerio.start method @ 2015-06-04T15:00:22Z • a904055 Merge pull request #24385 from jeanpralo/Fix-binds-dockerio.start • a0fed31 binds dict if not specified should remain to none otherwise docker-py will try to create a new host config and all volume and ports binds are lost. config should be done at the creation of the container not when we start it • PR #24381: (jtand) Disabled flaky test to review later @ 2015-06-04T14:57:43Z • 9890bc4 Merge pull request #24381 from jtand/seed_test • 7570ae9 Disabled flaky test to review later • PR #24382: (basepi) [2015.5] Handle CommandExecutionError in grains commands, Fixes #23342 @ 2015-06-04T12:44:04Z • ISSUE #23342: (philipsd6) salt-ssh 2015.2.0rc2 fails when target doesn't have lspci available | refs: #24382 • b3fa8fe Merge pull request #24382 from basepi/grainscommandnotfound23342 • 85b91d6 Handle CommandExecutionError in grains commands • PR #24379: (Starblade42) Fixes an issue where Pagerduty states/modules couldn't find their profile in the Pillar @ 2015-06-04T12:41:13Z • 52587a4 Merge pull request #24379 from Starblade42/2015.5 • b93dc5e Linting! • 2dd5904 Fixes an issue where Pagerduty states/modules couldn't find it's profile in the Pillar • PR #24366: (terminalmage) Use yes $'\n' instead of printf '\n' for pecl commands @ 2015-06-03T21:28:58Z • 3ca35d1 Merge pull request #24366 from terminalmage/pecl-yes • dcd9ad8 Use yes $'\n' instead of printf '\n' for pecl commands • PR #24348: (kiorky) Try to close input pipes before calling lxc-start @ 2015-06-03T19:38:07Z • ISSUE #24284: (kiorky) systemd lxc containers need use_vt=True at lxc-start stage | refs: #24348 • PR #548: (Lanzaa) Salt is now platform dependent. Use get_python_lib(1) | refs: #24348 • 86a3b31 Merge pull request #24348 from makinacorpus/lxcpre • 0cb11a2 lxc: typo • d71efa6 Try to close input pipes before calling lxc-start Salt 2015.5.4 Release Notes Version 2015.5.4 is a bugfix release for 2015.5.0. Changes: • The cron.present state now correctly defaults to state ID as identifier. • When querying for VMs in ditigal_ocean_v2.py, the number of VMs to include in a page was changed from 20 (default) to 200 to reduce the number of API calls to Digital Ocean. • The vmware Salt-Cloud driver was back-ported from the develop branch in order for installations of Salt that are older than 2015.8.0 to be able to use the vmware driver without stack-tracing on various deprecation paths that were implemented in the 2015.8.0 release. Changes for v2015.5.3..v2015.5.4 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2015-08-13T20:23:30Z Statistics: • Total Merges: 247 • Total Issue references: 140 • Total PR references: 330 Changes: • PR #26292: (jquast) Rabbitmq 3.2.4 on Ubuntu has "...done.", not "...done" @ 2015-08-13T19:53:29Z • PR #26296: (jquast) bugfix missing ` runas=None' for rabbitmqctl cmds (backport to 2015.5) @ 2015-08-13T19:52:40Z • PR #26293: (jfindlay) Fix #26268 @ 2015-08-13T19:48:06Z • ISSUE #25618: (twangboy) Fix reg.py to work with the registry properly | refs: #26268 • PR #26268: (twangboy) Multiple improvements to reg executionmod and state mod | refs: #26293 • PR #26290: (rallytime) Only call convert_to_arn when action name is provided @ 2015-08-13T18:48:58Z • ISSUE #25192: (deuscapturus) 2015.5.2 boto_cloudwatch_alarm.present not working. | refs: #26290 • PR #26288: (bbinet) allow deleting grains which value is False @ 2015-08-13T18:24:36Z • PR #26263: (rallytime) Don't make changes when test=True for openstack present/absent funcs @ 2015-08-13T16:30:31Z • ISSUE #24882: (nmadhok) salt.states.openstack_config.present and salt.states.openstack_config.absent make changes when test=True | refs: #26263 • PR #26265: (rallytime) Don't stacktrace on query return in ec2.create_snapshot @ 2015-08-13T16:28:48Z • ISSUE #24484: (codehotter) clouds/ec2.py: create_snapshot throws exception | refs: #26265 • PR #26285: (stanislavb) Remove explicit version from instance identity URL @ 2015-08-13T16:25:32Z • PR #26275: (cachedout) Re-init modules on multi-master reconnect @ 2015-08-13T15:52:50Z • PR #26273: (garethgreenaway) Fixes to schedule module in 2015.5 @ 2015-08-13T15:34:43Z • PR #26271: (rallytime) Fix del_root_vol_on_destroy and del_all_vols_on_destroy functionality on ec2 @ 2015-08-12T23:22:47Z • ISSUE #24483: (codehotter) clouds/ec2.py: del_root_vol_on_destroy and del_all_vols_on_destroy not working | refs: #26271 • PR #26219: (anlutro) cron: make identifier default to state ID @ 2015-08-12T18:42:33Z • ISSUE #25958: (anlutro) Cron identifier does not default to state ID as documented | refs: #26219 • PR #26257: (rallytime) Back-port #26237 to 2015.5 @ 2015-08-12T18:40:35Z • ISSUE #26207: (fullermd) group members setting fails with obscure error message on FreeBSD | refs: #26237 • PR #26237: (silenius) fix issue #26207 | refs: #26257 • PR #26258: (nmadhok) Fix permission on tests/runtests.py on 2015.5 branch @ 2015-08-12T18:40:04Z • PR #26261: (nmadhok) Correct spelling of integration in docs @ 2015-08-12T18:14:48Z • PR #2015: (thekuffs) Esky / bbfreeze support • PR #26247: (nmadhok) Initial commit of unit tests for vmware cloud driver @ 2015-08-12T16:58:24Z • PR #26246: (nmadhok) Backport additions to VMware cloud driver from develop to 2015.5 branch @ 2015-08-12T15:11:26Z • PR #26239: (opdude) Fixed documentation to match function name @ 2015-08-12T14:48:52Z • PR #26232: (garethgreenaway) Fix to trust_key in gpg module for 2015.5. @ 2015-08-12T04:48:27Z • PR #26084: (twangboy) Added python_shell=True, quoted user input @ 2015-08-10T21:29:35Z • ISSUE #25802: (jefftucker) Running module "npm.list" fails on Windows for masterless minion | refs: #26084 • PR #26183: (cro) Fix LDAP configuration issue. @ 2015-08-10T19:09:41Z • PR #26186: (jacobhammons) regenerated man pages @ 2015-08-10T19:07:44Z • PR #26182: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-08-10T19:00:10Z • ISSUE #25961: (getabc) [2015.5.3-2] salt-winrepo.git/salt-minion.sls fails certificate ' * .wpengine.com' or 'wpengine.com' | refs: #26047 • ISSUE #25751: (basepi) Document master_finger more prominently | refs: #26088 • PR #26116: (corux) file.replace fails if repl string is an invalid regex and append/prepend is used • PR #26088: (jacobhammons) Master finger • PR #26047: (jacobhammons) Updated windows download links in the docs to https://repo.saltstack.com • PR #26000: (driskell) Implement full event caching for subscribed tags @ 2015-08-10T18:57:17Z • ISSUE #25998: (driskell) Event subsystem discarding required events during --batch breaking it for slow running commands | refs: #26000 • PR #26175: (rallytime) Back-port #26153 to 2015.5 @ 2015-08-10T18:22:32Z • PR #26153: (loa) Fix dockerio state documentation typo | refs: #26175 • PR #26177: (rallytime) Back-port #26147 to 2015.5 @ 2015-08-10T18:22:01Z • ISSUE #26024: (jpic) lxc_conf_unset in cloud.profile is ignored • PR #26147: (martinhoefling) Fixes #26024 | refs: #26177 • PR #26179: (rallytime) Back-port #25404 to 2015.5 @ 2015-08-10T18:21:50Z • ISSUE #21082: (clinta) master_type failover does not failover on DNS errors | refs: #25404 • PR #25404: (DmitryKuzmenko) Fixed minion failover to next master on DNS errors. | refs: #26179 • PR #26180: (jfindlay) fix processing of state.template @ 2015-08-10T18:21:38Z • ISSUE #26112: (wt) state.template fails with unclear error with template with only an include | refs: #26180 • PR #26172: (nmadhok) [Backport] Make sure variable is a dictionary before popping something from it. @ 2015-08-10T16:42:50Z • ISSUE #26162: (nmadhok) VMware cloud driver create function failing with traceback on latest develop | refs: #26163 #26172 • PR #26163: (nmadhok) Make sure variable is a dictionary before popping something from it. • PR #26168: (cachedout) Fix slack docs @ 2015-08-10T14:57:18Z • ISSUE #26098: (rdinoff) SALT.STATES.SLACK Doc update | refs: #26168 • PR #26127: (garethgreenaway) Fixes to salt.utils.http related to cp.get_file_str bug. @ 2015-08-10T14:38:25Z • ISSUE #24106: (nvx) fileclient.py#get_url ignores HTTP Auth again (2015.5 regression) | refs: #26127 • PR #26140: (nmadhok) VMware cloud driver fixes @ 2015-08-10T13:15:58Z • ISSUE #26141: (nmadhok) salt-cloud VMware driver fails with error in parsing configuration file | refs: #26140 • ISSUE #25809: (o-sleep) vmware cloud module error message | refs: #26140 • ISSUE #25625: (steverweber) cloud vmware driver does not provide mac_address unless vmware tools is running | refs: #26137 #26140 • PR #26137: (steverweber) use device mac address if vmtools not active @ 2015-08-09T03:05:36Z • ISSUE #25625: (steverweber) cloud vmware driver does not provide mac_address unless vmware tools is running | refs: #26137 #26140 • PR #26119: (jodv) Backport eauth bugfix to 2015.5 @ 2015-08-09T02:19:52Z • PR #26135: (cro) Fix proxy minions in 2015.5 and significantly update documentation. @ 2015-08-09T02:19:21Z • PR #26132: (TheBigBear) minor edit @ 2015-08-08T21:05:34Z • PR #26133: (amontalban) Fixed #25915 in salt/modules/pkgng.py and salt/states/pkg.py @ 2015-08-08T21:05:05Z • ISSUE #25915: (ari) FreeBSD pkg install fails • PR #26111: (anlutro) Better error messages when virtualenv creation fails @ 2015-08-07T21:42:09Z • PR #26110: (jfindlay) check for sources before adding them to cmd str @ 2015-08-07T21:33:23Z • ISSUE #26093: (freedba) archive.tar bug | refs: #26110 • PR #26106: (vr-jack) Update __init__.py @ 2015-08-07T21:15:55Z • PR #26101: (rallytime) Back-port #25984 to 2015.5 @ 2015-08-07T18:56:26Z • ISSUE #25983: (jmdcal) Trying to get md5 of local zip | refs: #25984 • PR #25984: (jmdcal) Support local files without md5sum | refs: #26101 • PR #26080: (techhat) Fix string checking in s3fs @ 2015-08-06T23:36:09Z • PR #26079: (cachedout) Update docs to remove state.over @ 2015-08-06T23:35:26Z • ISSUE #26039: (basepi) Update scheduler docs to use orchestrate instead of overstate | refs: #26079 • PR #26058: (opdude) Fix choco version on chocolatey versions below 0.9.9 @ 2015-08-06T18:50:10Z • PR #26068: (jfindlay) fix autoruns.list looking in wrong directory @ 2015-08-06T18:49:48Z • PR #26065: (s0undt3ch) [2015.5] Update to latest bootstrap stable release v2015.06.08 @ 2015-08-06T17:09:35Z • ISSUE #634: (loupgaroublond) /srv/salt/_grains/ not documented | refs: #26065 • ISSUE #631: (fatbox) Can't extend the same item multiple times | refs: #26065 • ISSUE #625: (whiteinge) cmd.run state user flag is not working | refs: #25506 #632 • PR #640: (terminalmage) fix syntax errors introduced in 0f776c13 | refs: #26065 • PR #638: (blast-hardcheese) Tightened up configuration documentation | refs: #26065 • PR #633: (epoelke) Bug fix to salt-key | refs: #26065 • PR #632: (whiteinge) Change the cmd.run state to use the new runas arg | refs: #26065 • PR #26061: (gmcwhistler) Patch for issue #25994 @ 2015-08-06T17:07:34Z • ISSUE #25994: (gmcwhistler) module.ilo tempfile creation in __execute_cmd results in TypeError: cannot concatenate 'str' and 'int' objects • PR #26064: (s0undt3ch) Don't stacktrace when trying to get the default locale. @ 2015-08-06T16:11:05Z • ISSUE #26063: (saltstack-bot) not working with salt-cloud shows unknown locale error | refs: #26064 • PR #26048: (jacobhammons) Updated windows download links in the docs to https://repo.saltstack.com @ 2015-08-05T22:59:50Z • PR #26044: (rallytime) Make sure the key we're comparing is also lowercase @ 2015-08-05T19:23:54Z • ISSUE #25616: (rallytime) [2015.5] Provisioning Linodes Stacktraces | refs: #26044 • PR #26042: (jfindlay) fix test mode logic in state docs @ 2015-08-05T19:23:07Z • PR #26036: (nicholascapo) survey.hash: Remove manually printed text @ 2015-08-05T19:21:59Z • ISSUE #24460: (nicholascapo) Survey runner does not follow --out flag | refs: #26036 • PR #26030: (opdude) Fix a bug in choco version that returned odd data @ 2015-08-05T16:30:25Z • PR #26032: (jfindlay) add test logic to state reult doc @ 2015-08-05T16:28:32Z • PR #26031: (alekti) Revert "Add file as supported protocol for file source_hash. Fixes #23764" @ 2015-08-05T15:32:01Z • ISSUE #23764: (es1o) source_hash from local file is not supported. | refs: #25750 • PR #26021: (anlutro) Documentation: Specify versionadded for git.present shared argument @ 2015-08-05T14:17:38Z • PR #26020: (alekti) Correctly resolve conflict merging pull 25750 to 2015.5 @ 2015-08-05T14:16:58Z • ISSUE #23764: (es1o) source_hash from local file is not supported. | refs: #25750 • PR #25750: (alekti) Add file as supported protocol for file source_hash. Fixes #25701. | refs: #26020 • PR #26016: (basepi) Revert "Deep merge of pillar lists" @ 2015-08-05T04:59:52Z • ISSUE #22241: (masterkorp) Salt master not properly generating the map | refs: #25358 • PR #25358: (dkiser) Deep merge of pillar lists | refs: #26016 • PR #25992: (twangboy) Refactor win_system.py @ 2015-08-05T04:54:18Z • ISSUE #12255: (eliasp) 'system.set_computer_desc' fails with non-ASCII chars | refs: #25992 • ISSUE #3: (thatch45) libvirt module • PR #26002: (twangboy) Fixed regex to account for comment character followed by whitespace @ 2015-08-04T22:28:11Z • ISSUE #25948: (twangboy) Fix uncomment function to handle spaces | refs: #26002 • PR #25970: (jfindlay) accept addition of layman overlay @ 2015-08-04T15:42:28Z • ISSUE #25949: (godlike64) layman.add does not work with unofficial overlays | refs: #25970 • PR #25971: (basepi) [2015.5] salt.modules.reg Add spaces for strings split across multiple lines @ 2015-08-04T15:39:48Z • PR #25990: (rallytime) Back-port #25976 to 2015.5 @ 2015-08-04T14:36:53Z • PR #25976: (fleaflicker) Typo in help output | refs: #25990 • PR #25996: (attiasr) fix msiexec package remove @ 2015-08-04T14:36:31Z • PR #25966: (rallytime) Back-port #25864 to 2015.5 @ 2015-08-03T18:48:26Z • ISSUE #25863: (peterdemin) pkg.installed fails on already installed package if it is in versionlock.list | refs: #25864 • PR #25864: (peterdemin) #25863 state.pkg.installed fix | refs: #25966 • PR #25967: (rallytime) Back-port #25917 to 2015.5 @ 2015-08-03T18:48:02Z • PR #25917: (jmdcal) adding missing format string | refs: #25967 • PR #25895: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-08-03T17:12:37Z • ISSUE #23764: (es1o) source_hash from local file is not supported. | refs: #25750 • PR #25750: (alekti) Add file as supported protocol for file source_hash. Fixes #25701. | refs: #26020 • PR #25704: (cachedout) Ensure prior alignment with master_type in 2014.7 • PR #25657: (MrCitron) Add the ability to specify a base pattern for carbon returner • PR #25633: (AkhterAli) Update loader.py • PR #25941: (jfindlay) add timelib to dependency versions @ 2015-08-03T12:23:42Z • ISSUE #25850: (ssgward) Need to add packages to --versions-report | refs: #25941 • PR #25951: (garethgreenaway) Log when event.fire and event.fire_master fail. @ 2015-08-03T00:19:45Z • PR #25942: (jfindlay) typo in minion doc @ 2015-07-31T23:34:55Z • ISSUE #25838: (grep4linux) docs disable_modules documentation typo | refs: #25942 • PR #25938: (jacobhammons) Doc on using syndic with multimaster @ 2015-07-31T23:05:05Z • PR #14690: (jacksontj) Multi syndic | refs: #25938 • PR #25848: (twangboy) Added allusers="1" when installing msi @ 2015-07-31T20:33:17Z • ISSUE #25839: (twangboy) ALLUSERS="1" should be a default when installing MSI's | refs: #25848 • PR #25898: (jfindlay) clarify and expand syndic docs @ 2015-07-31T20:01:23Z • PR #25927: (jacksontj) Pass actual renderers to the Reactor's Compiler @ 2015-07-31T20:00:17Z • ISSUE #25852: (UtahDave) Salt loader is not loading Salt vars in reactor python renderer | refs: #25927 • PR #25921: (cachedout) Handle non-ascii in state log @ 2015-07-31T17:41:30Z • ISSUE #25810: (nvx) winpkg highstate fails when a new package name contains a unicide character | refs: #25921 • PR #25919: (TheBigBear) Minor update to msi un-installer info @ 2015-07-31T17:39:48Z • PR #25905: (rallytime) Back-port #25982 to 2015.5 @ 2015-07-30T23:24:19Z • PR #25892: (TheBigBear) Update 7-zip msi un-installer instructions | refs: #25905 • PR #25890: (rallytime) Back-port #25698 to 2015.5 @ 2015-07-30T23:12:09Z • ISSUE #25577: (yellow1912) Wrong indentation in document | refs: #25696 • PR #25698: (rallytime) Back-port #25659 to 2015.8 | refs: #25890 • PR #25696: (AkhterAli) Update schedule.py • PR #25659: (isbm) Bugfix: crash at getting non-existing repo | refs: #25698 • PR #25894: (jacobhammons) Minor doc bug fixes @ 2015-07-30T23:02:34Z • ISSUE #25650: (jacksontj) state.running documentation is incorrect | refs: #25894 • ISSUE #24042: (whiteinge) The state_events setting is not documented | refs: #25894 • ISSUE #23788: (k5jj) functions in drac.py module do not match documentation | refs: #25894 • ISSUE #21296: (Lothiraldan) Possible minion enumeration using saltutil.find_job and eauth | refs: #25894 • PR #25877: (rallytime) Protect against passing a map file in addition to VM names with --destroy @ 2015-07-30T21:55:45Z • ISSUE #24036: (arthurlogilab) [salt-cloud] Protect against passing command line arguments as names for the --destroy command in map files | refs: #25877 • PR #25870: (rallytime) Back-port #25824 to 2015.5 @ 2015-07-30T21:54:35Z • PR #25824: (klyr) Fix get_managed() in file.py module for local files | refs: #25870 • PR #25885: (t0rrant) Update Debian changelog @ 2015-07-30T20:05:59Z • PR #25875: (rallytime) Back-port #25862 to 2015.5 @ 2015-07-30T17:34:02Z • ISSUE #25478: (zyio) salt-ssh - Unable to locate current thin version | refs: #25862 • ISSUE #25026: (sylvia-wang) salt-ssh "Failure deploying thin" when using salt module functions | refs: #25862 • PR #25862: (zyio) Adding SCP_NOT_FOUND exit code | refs: #25875 • PR #25873: (rallytime) Back-port #25855 to 2015.5 @ 2015-07-30T17:33:55Z • PR #25855: (puneetk) Patch 3 | refs: #25873 • PR #25871: (rallytime) Back-port #25829 to 2015.5 @ 2015-07-30T17:33:43Z • PR #25829: (peterdemin) Fixed typo in salt.states.saltmod.function doc string | refs: #25871 • PR #25869: (rallytime) Back-port #25788 to 2015.5 @ 2015-07-30T17:33:33Z • ISSUE #24002: (csakoda) File lock contention on windows minions causing highstate crash | refs: #25788 • PR #25788: (opdude) Catch a hard crash when running highstate on windows | refs: #25869 • PR #25853: (davidjb) Make ssh-id-wrapper accessible to non-root users @ 2015-07-30T16:49:47Z • ISSUE #19532: (stolendog) salt-ssh running git clone with not root user | refs: #25853 • PR #25856: (jfindlay) expand minion reauth scalability documentation @ 2015-07-30T15:33:17Z • ISSUE #25447: (spo0nman) SaltMaster is crippled with Minion Re-Authentication | refs: #25856 • PR #25840: (jfindlay) add note to winrepo state docs about required grain @ 2015-07-30T14:38:27Z • ISSUE #25801: (themalkolm) Update docs that salt.states.winrepo requires roles:salt-master in grains. | refs: #25840 • PR #25846: (jfindlay) rework deprecation documentation for release names @ 2015-07-30T13:26:21Z • ISSUE #25827: (0xf10e) "Deprecating Code" doesn't mention Usage of warn_until() w/ Release Names | refs: #25846 • PR #25833: (jahamn) Allows cp.push to recreate empty files @ 2015-07-29T16:14:48Z • ISSUE #23288: (UtahDave) cp.push fails to recreate empty files. | refs: #25833 • PR #25831: (rallytime) Add salt:// to key_url options to docs for pkgrepo.managed @ 2015-07-29T15:38:43Z • ISSUE #11474: (JensRantil) pkgrepo.managed key_url: salt:// always use base env | refs: #25831 • PR #25807: (rallytime) Provide helpful error when using actions with a mapfile @ 2015-07-29T15:30:15Z • ISSUE #22699: (arthurlogilab) salt-cloud fails on KeyError when given a nonexistent action | refs: #25807 • PR #25818: (jfindlay) fix autoruns list @ 2015-07-29T15:29:20Z • PR #25826: (anlutro) Check that "onchanges" is a list @ 2015-07-29T15:00:28Z • PR #25798: (twangboy) Fixed stacktrace on package name not found @ 2015-07-28T22:40:14Z • ISSUE #25258: (nickw8) windows minion repo not updating | refs: #25798 • PR #25797: (twangboy) Changed repocache back to cached_repo @ 2015-07-28T22:39:32Z • ISSUE #25437: (lorengordon) Stacktrace on Windows when running pkg.list_pkgs | refs: #25598 #25763 • PR #25763: (twangboy) Fix 25437 | refs: #25797 • PR #25793: (rallytime) Back-port #25730 to 2015.5 @ 2015-07-28T19:37:34Z • PR #25730: (sjorge) patchelf lives in pkgsrc | refs: #25793 • PR #25792: (rallytime) Back-port #25688 to 2015.5 @ 2015-07-28T19:37:17Z • PR #25688: (bclermont) Don't acquire lock if there is no formatter | refs: #25792 • PR #25796: (cachedout) Remove debug from docs @ 2015-07-28T17:35:59Z • PR #25749: (jahamn) Allow zpool.create on character devices @ 2015-07-28T16:01:40Z • ISSUE #24920: (voileux) module.zpool.create on character device is not possible by salt | refs: #25749 • PR #25685: (twangboy) Fixed regex issues with comment and uncomment @ 2015-07-28T15:29:49Z • PR #25763: (twangboy) Fix 25437 | refs: #25797 @ 2015-07-28T15:29:27Z • ISSUE #25437: (lorengordon) Stacktrace on Windows when running pkg.list_pkgs | refs: #25598 #25763 • PR #25752: (thatch45) State top saltenv @ 2015-07-28T01:02:10Z • PR #25755: (twangboy) Fixed problem with dunder functions not being passed @ 2015-07-27T19:31:22Z • ISSUE #25717: (twangboy) Problem with chocolatey module not loading | refs: #25755 • PR #25648: (twangboy) Clarified functionality of reg module, fixed state to work with new module @ 2015-07-27T19:30:33Z • ISSUE #25352: (m03) reg.absent reporting incorrect results | refs: #25648 • ISSUE #1: (thatch45) Enable regex on the salt cli • PR #25740: (rallytime) Back-port #25722 to 2015.5 @ 2015-07-27T16:08:40Z • ISSUE #25154: (uvsmtid) All data mixed on STDOUT together should generate valid JSON output | refs: #25722 • ISSUE #25153: (uvsmtid) Multiple results should generate valid JSON output | refs: #25722 • PR #25722: (uvsmtid) Minor docs changes to emphasize JSON output problems without --static option | refs: #25740 • PR #25739: (rallytime) Back-port #25709 to 2015.5 @ 2015-07-27T16:08:27Z • PR #25709: (colekowalski) add direct-io-mode to mount_invisible_options | refs: #25739 • PR #25699: (rallytime) Back-port #25660 to 2015.5 | refs: #25709 • PR #25660: (colekowalski) add glusterfs' direct-io-mode to mount_invisible_keys | refs: #25699 #25709 • PR #25738: (rallytime) Back-port #25671 to 2015.5 @ 2015-07-27T16:08:23Z • PR #25671: (niq000) added a parameter so verifying SSL is now optional instead of hard-coded | refs: #25738 • PR #25737: (rallytime) Back-port #25608 to 2015.5 @ 2015-07-27T16:08:18Z • ISSUE #25229: (rall0r) Module git.latest kills target directory when test=True | refs: #25608 • PR #25608: (rall0r) Fix: prevent git.latest from removing target | refs: #25737 • PR #25733: (davidjb) Avoid IndexError when listing mounts if mount output ends in newline @ 2015-07-27T16:08:05Z • PR #25705: (blackduckx) Support for setm augeas command. @ 2015-07-27T16:07:10Z • ISSUE #22460: (onmeac) Command setm is not supported (yet) | refs: #25705 • PR #25703: (cachedout) Return to str for master_type for 2015.5 @ 2015-07-27T16:06:22Z • PR #25702: (twangboy) Fixed win_user module for groups with spaces in the name @ 2015-07-27T15:06:33Z • ISSUE #25144: (johnccfm) user.present on Windows fails to add user to groups if group name contains a space | refs: #25702 • PR #25711: (twangboy) Fixed problem with win_servermanager.list_installed @ 2015-07-27T15:05:48Z • ISSUE #25351: (m03) win_servermanager.list_installed failing with "IndexError: list index out of range" | refs: #25711 • PR #25714: (cachedout) Display warning when progressbar can't be loaded @ 2015-07-25T00:10:13Z • ISSUE #25435: (yee379) progressbar dependency missing | refs: #25714 • PR #25699: (rallytime) Back-port #25660 to 2015.5 | refs: #25709 @ 2015-07-24T22:11:40Z • PR #25660: (colekowalski) add glusterfs' direct-io-mode to mount_invisible_keys | refs: #25699 #25709 • PR #25694: (s0undt3ch) Salt-SSH fix for #25689 @ 2015-07-24T21:41:57Z • ISSUE #25689: (anlutro) Minion log in salt-ssh | refs: #25694 • PR #25710: (jahamn) Integration Testcase for Issue 25250 @ 2015-07-24T20:57:33Z • ISSUE #25250: (wipfs) 'force' option in copy state deletes target file | refs: #25461 #25710 • PR #25680: (basepi) [2015.5] Move cmd.run jinja aliasing to a wrapper class to prevent side effects @ 2015-07-24T19:52:10Z • PR #25049: (terminalmage) Fix cmd.run when cross-called in a state/execution module | refs: #25680 • PR #25682: (basepi) [2015.5] Fix parsing args with just a hash (#) @ 2015-07-24T19:52:01Z • PR #25695: (stanislavb) Configurable AWS region & region from IAM metadata @ 2015-07-24T19:36:40Z • PR #25645: (kev009) Fix pkgng provider to work with a sources list and the underlying pkg… @ 2015-07-24T16:33:18Z • PR #25677: (aneeshusa) Fix pacman.list_upgrades when refresh=True. @ 2015-07-24T16:30:06Z • PR #25675: (UtahDave) Use OS line endings with contents on file.managed @ 2015-07-24T16:29:50Z • ISSUE #25674: (UtahDave) file.managed with contents parameter uses wrong line endings on Windows | refs: #25675 • PR #25676: (basepi) Update release candidate docs to 2015.8.0rc2 @ 2015-07-23T20:29:37Z • PR #25666: (nmadhok) Check if the properties exist before looping over them causing KeyError @ 2015-07-23T17:55:40Z • ISSUE #25665: (nmadhok) salt-cloud VMware driver fails with KeyErrors if there's any existing machine in the VMware infrastructure in (invalid state) | refs: #25666 • PR #25656: (anlutro) Fix locale detection in debian/gentoo @ 2015-07-23T16:46:40Z • PR #25661: (rallytime) Back-port #25624 to 2015.5 @ 2015-07-23T16:26:48Z • PR #25624: (bobrik) Fix typo in get_routes example for debian_ip | refs: #25661 • PR #25662: (rallytime) Back-port #25638 to 2015.5 @ 2015-07-23T16:26:40Z • ISSUE #15209: (hubez) file.manage: source_hash not working with s3:// (2014.7.0rc1) | refs: #25638 • PR #25638: (TronPaul) fix bad merge in 99fc7ec | refs: #25662 • PR #25644: (cachedout) pillar doc fix @ 2015-07-22T22:57:23Z • ISSUE #25413: (zizkebab) pillar_opts default behavior is not reflected in the docs | refs: #25644 • PR #25642: (cachedout) Warn on pillar schedule delete @ 2015-07-22T22:04:12Z • ISSUE #25540: (dennisjac) salt highstate schedule cannot be removed | refs: #25642 • PR #25598: (twangboy) Fixed problem trying to load file with name of boolean type @ 2015-07-22T17:07:49Z • ISSUE #25437: (lorengordon) Stacktrace on Windows when running pkg.list_pkgs | refs: #25598 #25763 • 7b79e433 Merge pull request #25598 from twangboy/fix_25437 • PR #25604: (terminalmage) Move patching of mock_open to within test @ 2015-07-22T16:53:55Z • ISSUE #25323: (terminalmage) unit.modules.tls_test fails with older mock | refs: #25604 • PR #25609: (s0undt3ch) [2015.5] Update the bootstrap script to latest release v2015.07.22 @ 2015-07-22T16:28:52Z • ISSUE #630: (syphernl) Allow for an include statement in config files | refs: #25609 • PR #627: (chjohnst) add saltversion grain | refs: #25609 • PR #25603: (terminalmage) Add version_cmp function to yumpkg.py @ 2015-07-22T15:42:29Z • ISSUE #21912: (rvora) pkg.latest not updating the package on CentOS though yum reports an update available | refs: #25603 • PR #25590: (garethgreenaway) 2015.5 scheduled jobs return data @ 2015-07-21T21:57:42Z • ISSUE #25560: (dennisjac) scheduled highstate runs don't return results to the job cache | refs: #25590 • PR #25584: (rallytime) Back-port #24054 and #25576 to 2015.5 @ 2015-07-21T21:16:38Z • PR #25576: (pcn) s3fs breaks when fetching files from s3 | refs: #25584 • PR #24054: (mgwilliams) s3.head: return useful data | refs: #25584 • PR #25589: (jahamn) Fixes ssh_known_host not taking port into account @ 2015-07-21T21:15:06Z • ISSUE #23626: (mirko) salt state 'ssh_known_hosts' doesn't take 'port' into account | refs: #25589 • PR #25573: (EvaSDK) Do not execute bootstrap script twice @ 2015-07-21T18:20:04Z • PR #25465: (EvaSDK) 2015.5.3 LXC module fixes | refs: #25573 • PR #25580: (attiasr) use explicit utf-8 decoding (#25532) @ 2015-07-21T15:40:49Z • ISSUE #25532: (attiasr) salt/modules/win_pkg.py list_pkgs is broken (encoding issues) | refs: #25556 #25580 • PR #25568: (twangboy) Fixed win_useradd module to add fullname @ 2015-07-21T14:30:25Z • ISSUE #25206: (jfindlay) fullname issues with user.add state on windows | refs: #25568 • PR #25561: (twangboy) Fixed the gem module to work on windows... without injection @ 2015-07-20T21:12:15Z • ISSUE #21041: (deuscapturus) state module gem.installed not working on Windows. | refs: #25430 #25561 #25428 • PR #25428: (twangboy) Fixed the gem module to work on windows | refs: #25561 • PR #25521: (cachedout) Fix outputter for state.orch @ 2015-07-20T19:30:14Z • PR #25563: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-07-20T19:27:36Z • PR #25416: (cachedout) Fix broken keyword • PR #25559: (cachedout) Lint win_pkg @ 2015-07-20T17:46:29Z • PR #25556: (attiasr) fix for #25532 @ 2015-07-20T17:45:11Z • ISSUE #25532: (attiasr) salt/modules/win_pkg.py list_pkgs is broken (encoding issues) | refs: #25556 #25580 • PR #25554: (jfindlay) verify_ssl=True for s3 ext pillar @ 2015-07-20T17:43:38Z • ISSUE #25538: (stanislavb) S3 ext_pillar configuration requires verify_ssl | refs: #25554 • PR #25551: (rallytime) Backport #25530 to 2015.5 @ 2015-07-20T17:43:00Z • PR #25530: (andre-luiz-dos-santos) The variable name must be last | refs: #25551 • PR #25533: (attiasr) port 445 for windows bootstraping @ 2015-07-20T15:13:06Z • PR #25525: (gtmanfred) add make _prepare an alias for postinitio @ 2015-07-20T15:12:38Z • ISSUE #25432: (gtmanfred) [2015.5.3][raet] raet error with SaltRaetRoadStackJoiner | refs: #25525 • PR #25519: (rallytime) Backport vmware driver to 2015.5 branch @ 2015-07-20T15:11:26Z • ISSUE #25511: (rallytime) Make provider --> driver change backward compatible | refs: #25519 #25519 • ISSUE #23574: (CedNantes) Failed to Deploy Salt-Minion on a Win 2012 R2 using wmware Cloud Driver from Develop branch | refs: #25519 • PR #25542: (Oro) Fix hipchat.send_message when using API v2 @ 2015-07-20T15:09:13Z • PR #25531: (rallytime) Back-port #25529 to 2015.5 @ 2015-07-18T19:16:10Z • PR #25529: (davidjb) Fix minor typo in best practice example | refs: #25531 • PR #25528: (davidjb) Fix typo in extend declaration doco @ 2015-07-18T14:22:06Z • PR #25517: (rallytime) Back-port #25486 to 2015.5 @ 2015-07-17T21:49:26Z • ISSUE #25486: (whiteinge) Highstate outputter not used for state.apply | refs: #25517 • PR #25485: (attiasr) fix file downloads on windows • PR #25516: (rallytime) Back-port #25483 to 2015.5 @ 2015-07-17T21:49:05Z • ISSUE #25479: (alexandrsushko) multiple mount.mounted of one device | refs: #25483 • PR #25483: (alexandrsushko) Added 'none' to the set of specialFSes | refs: #25516 • PR #25513: (garethgreenaway) fixes to schedule.add documentation in 2015.5 @ 2015-07-17T17:03:24Z • ISSUE #25493: (blackduckx) Issue with job_args on schedule.add command | refs: #25513 • PR #25465: (EvaSDK) 2015.5.3 LXC module fixes | refs: #25573 @ 2015-07-17T15:57:54Z • PR #25506: (s0undt3ch) [2015.5] Update bootstrap script to latest stable release, v2015.07.17 @ 2015-07-17T15:40:38Z • ISSUE #25456: (julienlavergne) [2015.8.0rc1] salt-bootstrap fails to install salt master | refs: #25506 • ISSUE #25270: (iggy) [2015.8.0rc1] salt-bootstrap fails to properly install a minion | refs: #25506 • ISSUE #625: (whiteinge) cmd.run state user flag is not working | refs: #25506 #632 • ISSUE #611: (fatbox) Peer interface fails to return data occasionally | refs: #25506 • ISSUE #607: (thatch45) next level -X support | refs: #25506 • ISSUE #598: (syphernl) Explanation on how to execute interactive installs | refs: #25506 • ISSUE #455: (whiteinge) Document common troubleshooting tips | refs: #25506 • PR #624: (chjohnst) Docs are not correct with network.ping as args are not supported | refs: #25506 • PR #621: (akoumjian) Adding ec2 cloud-init bootstrap docs | refs: #25506 • PR #606: (terminalmage) need empty line before code blocks. added ones that were missing. | refs: #25506 • PR #602: (terminalmage) State-related documentation changes | refs: #25506 • PR #25498: (jfindlay) only read /proc/1/cmdline if it exists @ 2015-07-17T15:35:33Z • ISSUE #25454: (mschiff) Regression: salt 2015.5 not working in secure chroot anymore. | refs: #25498 • PR #25487: (rallytime) Back-port #25464 to 2015.5 @ 2015-07-16T16:58:36Z • PR #25464: (jquast) docfix: "cache_jobs: False" => grains_cache: False" | refs: #25487 • PR #25482: (oeuftete) Fix docker.running detection of running container @ 2015-07-16T16:58:29Z • PR #2015: (thekuffs) Esky / bbfreeze support • PR #25468: (joejulian) Add support for pyOpenSSL > 0.10 @ 2015-07-16T15:10:30Z • ISSUE #25384: (rickh563) pyopenssl 0.14 requirement in 2015.5.3 does not work in RHEL6 : ZD-364 | refs: #25468 • PR #25467: (rallytime) Add lxml dependency to opennebula docs @ 2015-07-16T15:09:57Z • PR #25461: (jahamn) Update file, if force option and content not same @ 2015-07-15T20:15:07Z • ISSUE #25250: (wipfs) 'force' option in copy state deletes target file | refs: #25461 #25710 • ISSUE #24647: (nmadhok) salt.states.file.copy does not copy the file if it already exists with force=True | refs: #25461 • PR #25438: (rallytime) Reduce digital_ocean_v2 API call frequency @ 2015-07-15T19:40:18Z • ISSUE #25431: (namcois) Digital Ocean v2 reducing API calls by adding per_page | refs: #25438 • PR #25457: (jacksontj) Saltnado @ 2015-07-15T17:50:12Z • PR #25427: (tony-cocco) Saltnado runner client results in blocking call despite being set-up as Runner.async | refs: #25457 • PR #25459: (jahamn) Fixed 'defulats' typo in verify.py @ 2015-07-15T16:53:06Z • PR #25426: (jquast) bugfix: trailing "...done" in rabbitmq output (backport from 'develop' to 2015.5) @ 2015-07-15T14:48:05Z • PR #25433: (jleroy) Support for IPv6 addresses scopes in network.interfaces (ifconfig) @ 2015-07-15T14:44:09Z • PR #25151: (jleroy) Support for IPv6 addresses scopes in network.interfaces | refs: #25274 #25433 • PR #25430: (twangboy) Disabled rbenv execution module for Windows @ 2015-07-15T14:41:18Z • ISSUE #21041: (deuscapturus) state module gem.installed not working on Windows. | refs: #25430 #25561 #25428 • c4b1584 Additional test case for question raised in #1846 • ISSUE #1846: (seanchannel) development dependencies • PR #25420: (techhat) Move S3 to use AWS Signature Version 4 @ 2015-07-14T22:03:09Z • PR #25418: (twangboy) Fixed problem with file.managed test=True @ 2015-07-14T21:26:59Z • ISSUE #20441: (deuscapturus) State module file.managed returns an error on Windows and test=Test | refs: #25418 • PR #25417: (ahus1) extended documentation about dependencies for dig module @ 2015-07-14T20:49:51Z • PR #25411: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-07-14T17:55:26Z • PR #25375: (cachedout) Fix error in config.py for master_type • PR #25324: (jacobhammons) Latest help theme updates • PR #25406: (anlutro) Force arguments to aptpkg.version_cmp into strings @ 2015-07-14T16:15:41Z • PR #25408: (rallytime) Back-port #25399 to 2015.5 @ 2015-07-14T16:09:06Z • PR #25399: (jarpy) Demonstrate per-minion client_acl. | refs: #25408 • PR #25240: (tankywoo) file make os.walk only be called one @ 2015-07-14T16:04:49Z • PR #25395: (rallytime) Back-port #25389 to 2015.5 @ 2015-07-14T03:26:34Z • PR #25389: (l2ol33rt) Adding entropy note for gpg renderer | refs: #25395 • PR #25392: (rallytime) Back-port #25256 to 2015.5 @ 2015-07-14T03:25:13Z • PR #25256: (yanatan16) Don't assume source_hash exists | refs: #25392 • PR #25398: (twangboy) Fix date @ 2015-07-14T03:21:17Z • PR #25397: (GideonRed) Introduce standard error output when cli exits with non-zero status @ 2015-07-14T03:20:24Z • PR #25386: (cachedout) Lint #25383 @ 2015-07-13T21:01:10Z • ISSUE #24444: (michaelkrupp) file.managed does not handle dead symlinks | refs: #25383 • PR #25383: (jahamn) Fix manage_file function in salt/modules/file.py to handle broken sym… • PR #25383: (jahamn) Fix manage_file function in salt/modules/file.py to handle broken sym… @ 2015-07-13T20:58:23Z • ISSUE #24444: (michaelkrupp) file.managed does not handle dead symlinks | refs: #25383 • PR #25369: (anlutro) Fix aptpkg.version_cmp @ 2015-07-13T20:18:45Z • PR #25379: (jfindlay) check for cwd before getting it @ 2015-07-13T19:50:27Z • ISSUE #25337: (eliasp) salt-call from non-existend cwd backtraces | refs: #25379 • PR #25334: (jfindlay) return all cmd info back to zypper fcn @ 2015-07-13T17:03:29Z • ISSUE #25320: (podloucky-init) zypper module list_upgrades broken (2015.5.2) | refs: #25334 • PR #25339: (jfindlay) update orchestration docs @ 2015-07-13T16:04:26Z • PR #25358: (dkiser) Deep merge of pillar lists | refs: #26016 @ 2015-07-13T15:51:01Z • ISSUE #22241: (masterkorp) Salt master not properly generating the map | refs: #25358 • PR #25346: (bechtoldt) set correct indention in states/requisites.rst (docs), fixes #25281 @ 2015-07-13T15:34:45Z • ISSUE #25281: (shinshenjs) Unless usage in Official Doc syntax error? • PR #25336: (terminalmage) Don't try to read init binary if it wasn't found @ 2015-07-13T09:45:30Z • PR #25350: (davidjb) Fix documentation for file.blockreplace @ 2015-07-13T03:41:20Z • PR #25326: (rallytime) Back-port #20972 to 2015.5 @ 2015-07-10T18:49:44Z • ISSUE #19288: (oba11) AssociatePublicIpAddress doesn't work with salt-cloud 2014.7.0 | refs: #20972 #25326 • PR #20972: (JohannesEbke) Fix interface cleanup when using AssociatePublicIpAddress in #19288 | refs: #25326 • PR #25327: (rallytime) Back-port #25290 to 2015.5 @ 2015-07-10T18:49:37Z • ISSUE #24433: (chrimi) Salt locale state fails, if locale has not been generated | refs: #25290 • PR #25290: (pcdummy) Simple fix for locale.present on Ubuntu. | refs: #25327 • PR #25328: (rallytime) Back-port #25309 to 2015.5 @ 2015-07-10T17:22:59Z • ISSUE #24827: (yermulnik) locale.present doesn't generate locales | refs: #25309 • PR #25309: (davidjb) Format /etc/locale.gen correctly in salt.modules.localemod.gen_locale | refs: #25328 • PR #25322: (jacobhammons) version change to 2015.5.3 @ 2015-07-10T16:11:24Z • PR #25308: (jacksontj) Make clear commands trace level logging @ 2015-07-10T14:20:06Z • PR #24737: (jacksontj) Move AES command logging to trace | refs: #25308 • PR #25269: (jfindlay) Extract tomcat war version @ 2015-07-10T01:28:21Z • ISSUE #24520: (nvx) Tomcat module fails to extract version number from snapshot builds (2015.5 regression) | refs: #24927 • PR #24927: (egarbi) Tomcat module fails to extract version number from snapshot builds #2… | refs: #25269 • PR #25238: (DmitryKuzmenko) Pillarenv backport 2015.5 @ 2015-07-10T01:25:07Z • ISSUE #18808: (amendlik) Add command line argument to select pillar environment | refs: #25238 • PR #23719: (DmitryKuzmenko) Support pillarenv cmdline in state.sls • PR #25299: (twangboy) Added -NonInteractive so powershell doesn't hang waiting for input @ 2015-07-09T21:00:16Z • ISSUE #13943: (Supermathie) Powershell commands that expect input hang forever | refs: #25299 • PR #25301: (jacobhammons) bug fix for module function display in help @ 2015-07-09T20:46:34Z • PR #25279: (jacobhammons) Additional docs on external and master job cache, assorted doc fixes @ 2015-07-09T16:46:26Z • ISSUE #25277: (jacobhammons) CherryPy recommended versions | refs: #25279 • PR #25274: (jleroy) Fix for issue #25268 @ 2015-07-09T13:36:26Z • ISSUE #25268: (lichtamberg) Salt not working anymore in 2015.8/develop: ValueError: 'scope' is not in list | refs: #25274 • PR #25151: (jleroy) Support for IPv6 addresses scopes in network.interfaces | refs: #25274 #25433 • PR #25272: (twangboy) Fixed problem with service not starting @ 2015-07-08T23:29:48Z • PR #25225: (nmadhok) Backporting fix for issue #25223 on 2015.5 branch @ 2015-07-08T15:16:18Z • ISSUE #25223: (nmadhok) Runner occasionally fails with a RuntimeError when fired by a reactor | refs: #25225 • PR #25214: (rallytime) A couple of doc fixes for the http tutorial @ 2015-07-07T22:23:07Z • PR #25194: (rallytime) Update moto version check in boto_vpc_test and update min version @ 2015-07-07T18:27:32Z • ISSUE #24272: (rallytime) Fix boto_vpc_test moto version check | refs: #25194 • PR #25205: (basepi) Update releasecandidate docs @ 2015-07-07T15:25:24Z • PR #25187: (UtahDave) Doc fixes: Fix misspelling and remove extraneous double spaces @ 2015-07-07T01:07:04Z • PR #25182: (cachedout) Try to re-pack long floats as strs @ 2015-07-07T01:06:43Z • PR #25185: (rallytime) Back-port #25128 to 2015.5 @ 2015-07-07T00:58:00Z • ISSUE #23822: (sidcarter) Zip file extracted permissions are incorrect | refs: #25128 • PR #25128: (stanislavb) Use cmd_unzip to preserve permissions | refs: #25185 • PR #25181: (rallytime) Back-port #25102 to 2015.5 @ 2015-07-07T00:57:13Z • PR #25102: (derBroBro) Update win_network.py | refs: #25181 • PR #25179: (rallytime) Back-port #25059 to 2015.5 @ 2015-07-07T00:56:44Z • ISSUE #24301: (iggy) influxdb_user and influxdb_database states need virtual functions | refs: #25059 • PR #25059: (babilen) Add virtual functions to influxdb state modules | refs: #25179 • PR #25196: (twangboy) Fixed #18919 false-positive on pkg.refresh @ 2015-07-07T00:24:13Z • ISSUE #18919: (giner) Windows: pkg.refresh_db returns false-positive success | refs: #25196 • PR #25180: (rallytime) Back-port #25088 to 2015.5 @ 2015-07-06T20:33:45Z • PR #25088: (supertom) Update | refs: #25180 • PR #25191: (basepi) Add extrndest back to fileclient.is_cached in 2015.5 @ 2015-07-06T19:35:24Z • PR #25117: (basepi) Fix fileclient.is_cached | refs: #25191 • PR #25175: (rallytime) Back-port #25020 to 2015.5 @ 2015-07-06T18:53:19Z • ISSUE #25016: (martinhoefling) salt-run doc.execution fails with AttributeError • PR #25020: (martinhoefling) Fix for issue #25016 | refs: #25175 • PR #25173: (rallytime) Partial back-port of #25019 @ 2015-07-06T18:52:59Z • ISSUE #21879: (bechtoldt) Reference pages in documentation are outdated again | refs: #25019 • ISSUE #19262: (bechtoldt) salt.pillar.file_tree doesn't appear in the documentation | refs: #25019 • PR #25019: (bechtoldt) add missing module documentation to references | refs: #25173 • PR #24421: (bechtoldt) add missing module documentation | refs: #25019 • PR #21880: (bechtoldt) update references, fixes #21879 | refs: #25019 • PR #20039: (bechtoldt) completing some doc references | refs: #25019 • PR #25171: (rallytime) Back-port #25001 to 2015.5 @ 2015-07-06T18:51:53Z • PR #25001: (jasonkeene) Add docs for key arg in ssh_known_hosts.present | refs: #25171 • PR #25170: (rallytime) Back-port #24982 to 2015.5 @ 2015-07-06T16:34:43Z • PR #24982: (asyncsrc) ec2 network_interfaces fix | refs: #25170 • PR #25161: (aneeshusa) Allow checking for non-normalized systemd units. @ 2015-07-06T15:15:31Z • PR #25151: (jleroy) Support for IPv6 addresses scopes in network.interfaces | refs: #25274 #25433 @ 2015-07-06T14:43:03Z • PR #25166: (cachedout) Lint #25149 @ 2015-07-06T14:40:29Z • ISSUE #24979: (mavenAtHouzz) [Discussion] Support for more than 1 netapi.rest_tornado server process | refs: #25149 • PR #25149: (jacksontj) Saltnado multiprocess support | refs: #25166 • PR #25149: (jacksontj) Saltnado multiprocess support | refs: #25166 @ 2015-07-06T14:38:43Z • ISSUE #24979: (mavenAtHouzz) [Discussion] Support for more than 1 netapi.rest_tornado server process | refs: #25149 • PR #25120: (d--j) add missing continue for exception case @ 2015-07-02T19:38:45Z • PR #25117: (basepi) Fix fileclient.is_cached | refs: #25191 @ 2015-07-02T19:38:26Z • PR #25087: (0xf10e) Fix execution module for glance - now based on 2015.5! @ 2015-07-02T19:36:27Z • PR #25129: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-07-02T17:37:40Z • ISSUE #18447: (ryan-lane) Can't install salt with raet using pip -e git • PR #25093: (jaybocc2) quick fix for issue #18447 • PR #25069: (puneetk) Add a helper module function called list_enabled • PR #25114: (jfindlay) Revert "Revert "adding states/postgres_database unit test case."" @ 2015-07-02T01:01:29Z • PR #24798: (jtand) Revert "adding states/postgres_database unit test case." | refs: #25114 • PR #24329: (jayeshka) adding states/postgres_database unit test case. | refs: #24798 • PR #24362: (jayeshka) adding states/postgres_user unit test case. @ 2015-07-01T21:45:31Z • PR #24361: (jayeshka) adding states/postgres_schema unit test case. @ 2015-07-01T21:44:56Z • PR #24331: (jayeshka) adding states/postgres_extension unit test case. @ 2015-07-01T21:43:58Z Salt 2015.5.5 Release Notes Version 2015.5.5 is a bugfix release for 2015.5.0. Changes: • The cron.present state now correctly defaults to state ID as identifier. • When querying for VMs in ditigal_ocean_v2.py, the number of VMs to include in a page was changed from 20 (default) to 200 to reduce the number of API calls to Digital Ocean. • The vmware Salt-Cloud driver was back-ported from the develop branch in order for installations of Salt that are older than 2015.8.0 to be able to use the vmware driver without stack-tracing on various deprecation paths that were implemented in the 2015.8.0 release. Changes for v2015.5.3..v2015.5.5 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2015-08-20T17:02:37Z Statistics: • Total Merges: 280 • Total Issue references: 168 • Total PR references: 371 Changes: • PR #26292: (jquast) Rabbitmq 3.2.4 on Ubuntu has "...done.", not "...done" @ 2015-08-13T19:53:29Z • PR #26296: (jquast) bugfix missing ` runas=None' for rabbitmqctl cmds (backport to 2015.5) @ 2015-08-13T19:52:40Z • PR #26293: (jfindlay) Fix #26268 @ 2015-08-13T19:48:06Z • ISSUE #25618: (twangboy) Fix reg.py to work with the registry properly | refs: #26268 • PR #26268: (twangboy) Multiple improvements to reg executionmod and state mod | refs: #26293 • PR #26290: (rallytime) Only call convert_to_arn when action name is provided @ 2015-08-13T18:48:58Z • ISSUE #25192: (deuscapturus) 2015.5.2 boto_cloudwatch_alarm.present not working. | refs: #26290 • PR #26288: (bbinet) allow deleting grains which value is False @ 2015-08-13T18:24:36Z • PR #26263: (rallytime) Don't make changes when test=True for openstack present/absent funcs @ 2015-08-13T16:30:31Z • ISSUE #24882: (nmadhok) salt.states.openstack_config.present and salt.states.openstack_config.absent make changes when test=True | refs: #26263 • PR #26265: (rallytime) Don't stacktrace on query return in ec2.create_snapshot @ 2015-08-13T16:28:48Z • ISSUE #24484: (codehotter) clouds/ec2.py: create_snapshot throws exception | refs: #26265 • PR #26285: (stanislavb) Remove explicit version from instance identity URL @ 2015-08-13T16:25:32Z • PR #26275: (cachedout) Re-init modules on multi-master reconnect @ 2015-08-13T15:52:50Z • PR #26273: (garethgreenaway) Fixes to schedule module in 2015.5 @ 2015-08-13T15:34:43Z • PR #26271: (rallytime) Fix del_root_vol_on_destroy and del_all_vols_on_destroy functionality on ec2 @ 2015-08-12T23:22:47Z • ISSUE #24483: (codehotter) clouds/ec2.py: del_root_vol_on_destroy and del_all_vols_on_destroy not working | refs: #26271 • PR #26219: (anlutro) cron: make identifier default to state ID @ 2015-08-12T18:42:33Z • ISSUE #25958: (anlutro) Cron identifier does not default to state ID as documented | refs: #26219 • PR #26257: (rallytime) Back-port #26237 to 2015.5 @ 2015-08-12T18:40:35Z • ISSUE #26207: (fullermd) group members setting fails with obscure error message on FreeBSD | refs: #26237 • PR #26237: (silenius) fix issue #26207 | refs: #26257 • PR #26258: (nmadhok) Fix permission on tests/runtests.py on 2015.5 branch @ 2015-08-12T18:40:04Z • PR #26261: (nmadhok) Correct spelling of integration in docs @ 2015-08-12T18:14:48Z • PR #2015: (thekuffs) Esky / bbfreeze support • PR #26247: (nmadhok) Initial commit of unit tests for vmware cloud driver @ 2015-08-12T16:58:24Z • PR #26246: (nmadhok) Backport additions to VMware cloud driver from develop to 2015.5 branch @ 2015-08-12T15:11:26Z • PR #26239: (opdude) Fixed documentation to match function name @ 2015-08-12T14:48:52Z • PR #26232: (garethgreenaway) Fix to trust_key in gpg module for 2015.5. @ 2015-08-12T04:48:27Z • PR #26084: (twangboy) Added python_shell=True, quoted user input @ 2015-08-10T21:29:35Z • ISSUE #25802: (jefftucker) Running module "npm.list" fails on Windows for masterless minion | refs: #26084 • PR #26183: (cro) Fix LDAP configuration issue. @ 2015-08-10T19:09:41Z • PR #26186: (jacobhammons) regenerated man pages @ 2015-08-10T19:07:44Z • PR #26182: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-08-10T19:00:10Z • ISSUE #25961: (getabc) [2015.5.3-2] salt-winrepo.git/salt-minion.sls fails certificate ' * .wpengine.com' or 'wpengine.com' | refs: #26047 • ISSUE #25751: (basepi) Document master_finger more prominently | refs: #26088 • PR #26116: (corux) file.replace fails if repl string is an invalid regex and append/prepend is used • PR #26088: (jacobhammons) Master finger • PR #26047: (jacobhammons) Updated windows download links in the docs to https://repo.saltstack.com • PR #26000: (driskell) Implement full event caching for subscribed tags @ 2015-08-10T18:57:17Z • ISSUE #25998: (driskell) Event subsystem discarding required events during --batch breaking it for slow running commands | refs: #26000 • PR #26175: (rallytime) Back-port #26153 to 2015.5 @ 2015-08-10T18:22:32Z • PR #26153: (loa) Fix dockerio state documentation typo | refs: #26175 • PR #26177: (rallytime) Back-port #26147 to 2015.5 @ 2015-08-10T18:22:01Z • ISSUE #26024: (jpic) lxc_conf_unset in cloud.profile is ignored • PR #26147: (martinhoefling) Fixes #26024 | refs: #26177 • PR #26179: (rallytime) Back-port #25404 to 2015.5 @ 2015-08-10T18:21:50Z • ISSUE #21082: (clinta) master_type failover does not failover on DNS errors | refs: #25404 • PR #25404: (DmitryKuzmenko) Fixed minion failover to next master on DNS errors. | refs: #26179 • PR #26180: (jfindlay) fix processing of state.template @ 2015-08-10T18:21:38Z • ISSUE #26112: (wt) state.template fails with unclear error with template with only an include | refs: #26180 • PR #26172: (nmadhok) [Backport] Make sure variable is a dictionary before popping something from it. @ 2015-08-10T16:42:50Z • ISSUE #26162: (nmadhok) VMware cloud driver create function failing with traceback on latest develop | refs: #26163 #26172 • PR #26163: (nmadhok) Make sure variable is a dictionary before popping something from it. • PR #26168: (cachedout) Fix slack docs @ 2015-08-10T14:57:18Z • ISSUE #26098: (rdinoff) SALT.STATES.SLACK Doc update | refs: #26168 • PR #26127: (garethgreenaway) Fixes to salt.utils.http related to cp.get_file_str bug. @ 2015-08-10T14:38:25Z • ISSUE #24106: (nvx) fileclient.py#get_url ignores HTTP Auth again (2015.5 regression) | refs: #26127 • PR #26140: (nmadhok) VMware cloud driver fixes @ 2015-08-10T13:15:58Z • ISSUE #26141: (nmadhok) salt-cloud VMware driver fails with error in parsing configuration file | refs: #26140 • ISSUE #25809: (o-sleep) vmware cloud module error message | refs: #26140 • ISSUE #25625: (steverweber) cloud vmware driver does not provide mac_address unless vmware tools is running | refs: #26137 #26140 • PR #26137: (steverweber) use device mac address if vmtools not active @ 2015-08-09T03:05:36Z • ISSUE #25625: (steverweber) cloud vmware driver does not provide mac_address unless vmware tools is running | refs: #26137 #26140 • PR #26119: (jodv) Backport eauth bugfix to 2015.5 @ 2015-08-09T02:19:52Z • PR #26135: (cro) Fix proxy minions in 2015.5 and significantly update documentation. @ 2015-08-09T02:19:21Z • PR #26132: (TheBigBear) minor edit @ 2015-08-08T21:05:34Z • PR #26133: (amontalban) Fixed #25915 in salt/modules/pkgng.py and salt/states/pkg.py @ 2015-08-08T21:05:05Z • ISSUE #25915: (ari) FreeBSD pkg install fails • PR #26111: (anlutro) Better error messages when virtualenv creation fails @ 2015-08-07T21:42:09Z • PR #26110: (jfindlay) check for sources before adding them to cmd str @ 2015-08-07T21:33:23Z • ISSUE #26093: (freedba) archive.tar bug | refs: #26110 • PR #26106: (vr-jack) Update __init__.py @ 2015-08-07T21:15:55Z • PR #26101: (rallytime) Back-port #25984 to 2015.5 @ 2015-08-07T18:56:26Z • ISSUE #25983: (jmdcal) Trying to get md5 of local zip | refs: #25984 • PR #25984: (jmdcal) Support local files without md5sum | refs: #26101 • PR #26080: (techhat) Fix string checking in s3fs @ 2015-08-06T23:36:09Z • PR #26079: (cachedout) Update docs to remove state.over @ 2015-08-06T23:35:26Z • ISSUE #26039: (basepi) Update scheduler docs to use orchestrate instead of overstate | refs: #26079 • PR #26058: (opdude) Fix choco version on chocolatey versions below 0.9.9 @ 2015-08-06T18:50:10Z • PR #26068: (jfindlay) fix autoruns.list looking in wrong directory @ 2015-08-06T18:49:48Z • PR #26065: (s0undt3ch) [2015.5] Update to latest bootstrap stable release v2015.06.08 @ 2015-08-06T17:09:35Z • ISSUE #634: (loupgaroublond) /srv/salt/_grains/ not documented | refs: #26065 • ISSUE #631: (fatbox) Can't extend the same item multiple times | refs: #26065 • ISSUE #625: (whiteinge) cmd.run state user flag is not working | refs: #25506 #632 • PR #640: (terminalmage) fix syntax errors introduced in 0f776c13 | refs: #26065 • PR #638: (blast-hardcheese) Tightened up configuration documentation | refs: #26065 • PR #633: (epoelke) Bug fix to salt-key | refs: #26065 • PR #632: (whiteinge) Change the cmd.run state to use the new runas arg | refs: #26065 • PR #26061: (gmcwhistler) Patch for issue #25994 @ 2015-08-06T17:07:34Z • ISSUE #25994: (gmcwhistler) module.ilo tempfile creation in __execute_cmd results in TypeError: cannot concatenate 'str' and 'int' objects • PR #26064: (s0undt3ch) Don't stacktrace when trying to get the default locale. @ 2015-08-06T16:11:05Z • ISSUE #26063: (saltstack-bot) not working with salt-cloud shows unknown locale error | refs: #26064 • PR #26048: (jacobhammons) Updated windows download links in the docs to https://repo.saltstack.com @ 2015-08-05T22:59:50Z • PR #26044: (rallytime) Make sure the key we're comparing is also lowercase @ 2015-08-05T19:23:54Z • ISSUE #25616: (rallytime) [2015.5] Provisioning Linodes Stacktraces | refs: #26044 • PR #26042: (jfindlay) fix test mode logic in state docs @ 2015-08-05T19:23:07Z • PR #26036: (nicholascapo) survey.hash: Remove manually printed text @ 2015-08-05T19:21:59Z • ISSUE #24460: (nicholascapo) Survey runner does not follow --out flag | refs: #26036 • PR #26030: (opdude) Fix a bug in choco version that returned odd data @ 2015-08-05T16:30:25Z • PR #26032: (jfindlay) add test logic to state reult doc @ 2015-08-05T16:28:32Z • PR #26031: (alekti) Revert "Add file as supported protocol for file source_hash. Fixes #23764" @ 2015-08-05T15:32:01Z • ISSUE #23764: (es1o) source_hash from local file is not supported. | refs: #25750 • PR #26021: (anlutro) Documentation: Specify versionadded for git.present shared argument @ 2015-08-05T14:17:38Z • PR #26020: (alekti) Correctly resolve conflict merging pull 25750 to 2015.5 @ 2015-08-05T14:16:58Z • ISSUE #23764: (es1o) source_hash from local file is not supported. | refs: #25750 • PR #25750: (alekti) Add file as supported protocol for file source_hash. Fixes #25701. | refs: #26020 • PR #26016: (basepi) Revert "Deep merge of pillar lists" @ 2015-08-05T04:59:52Z • ISSUE #22241: (masterkorp) Salt master not properly generating the map | refs: #25358 • PR #25358: (dkiser) Deep merge of pillar lists | refs: #26016 • PR #25992: (twangboy) Refactor win_system.py @ 2015-08-05T04:54:18Z • ISSUE #12255: (eliasp) 'system.set_computer_desc' fails with non-ASCII chars | refs: #25992 • ISSUE #3: (thatch45) libvirt module • PR #26002: (twangboy) Fixed regex to account for comment character followed by whitespace @ 2015-08-04T22:28:11Z • ISSUE #25948: (twangboy) Fix uncomment function to handle spaces | refs: #26002 • PR #25970: (jfindlay) accept addition of layman overlay @ 2015-08-04T15:42:28Z • ISSUE #25949: (godlike64) layman.add does not work with unofficial overlays | refs: #25970 • PR #25971: (basepi) [2015.5] salt.modules.reg Add spaces for strings split across multiple lines @ 2015-08-04T15:39:48Z • PR #25990: (rallytime) Back-port #25976 to 2015.5 @ 2015-08-04T14:36:53Z • PR #25976: (fleaflicker) Typo in help output | refs: #25990 • PR #25996: (attiasr) fix msiexec package remove @ 2015-08-04T14:36:31Z • PR #25966: (rallytime) Back-port #25864 to 2015.5 @ 2015-08-03T18:48:26Z • ISSUE #25863: (peterdemin) pkg.installed fails on already installed package if it is in versionlock.list | refs: #25864 • PR #25864: (peterdemin) #25863 state.pkg.installed fix | refs: #25966 • PR #25967: (rallytime) Back-port #25917 to 2015.5 @ 2015-08-03T18:48:02Z • PR #25917: (jmdcal) adding missing format string | refs: #25967 • PR #25895: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-08-03T17:12:37Z • ISSUE #23764: (es1o) source_hash from local file is not supported. | refs: #25750 • PR #25750: (alekti) Add file as supported protocol for file source_hash. Fixes #25701. | refs: #26020 • PR #25704: (cachedout) Ensure prior alignment with master_type in 2014.7 • PR #25657: (MrCitron) Add the ability to specify a base pattern for carbon returner • PR #25633: (AkhterAli) Update loader.py • PR #25941: (jfindlay) add timelib to dependency versions @ 2015-08-03T12:23:42Z • ISSUE #25850: (ssgward) Need to add packages to --versions-report | refs: #25941 • PR #25951: (garethgreenaway) Log when event.fire and event.fire_master fail. @ 2015-08-03T00:19:45Z • PR #25942: (jfindlay) typo in minion doc @ 2015-07-31T23:34:55Z • ISSUE #25838: (grep4linux) docs disable_modules documentation typo | refs: #25942 • PR #25938: (jacobhammons) Doc on using syndic with multimaster @ 2015-07-31T23:05:05Z • PR #14690: (jacksontj) Multi syndic | refs: #25938 • PR #25848: (twangboy) Added allusers="1" when installing msi @ 2015-07-31T20:33:17Z • ISSUE #25839: (twangboy) ALLUSERS="1" should be a default when installing MSI's | refs: #25848 • PR #25898: (jfindlay) clarify and expand syndic docs @ 2015-07-31T20:01:23Z • PR #25927: (jacksontj) Pass actual renderers to the Reactor's Compiler @ 2015-07-31T20:00:17Z • ISSUE #25852: (UtahDave) Salt loader is not loading Salt vars in reactor python renderer | refs: #25927 • PR #25921: (cachedout) Handle non-ascii in state log @ 2015-07-31T17:41:30Z • ISSUE #25810: (nvx) winpkg highstate fails when a new package name contains a unicide character | refs: #25921 • PR #25919: (TheBigBear) Minor update to msi un-installer info @ 2015-07-31T17:39:48Z • PR #25905: (rallytime) Back-port #25982 to 2015.5 @ 2015-07-30T23:24:19Z • PR #25892: (TheBigBear) Update 7-zip msi un-installer instructions | refs: #25905 • PR #25890: (rallytime) Back-port #25698 to 2015.5 @ 2015-07-30T23:12:09Z • ISSUE #25577: (yellow1912) Wrong indentation in document | refs: #25696 • PR #25698: (rallytime) Back-port #25659 to 2015.8 | refs: #25890 • PR #25696: (AkhterAli) Update schedule.py • PR #25659: (isbm) Bugfix: crash at getting non-existing repo | refs: #25698 • PR #25894: (jacobhammons) Minor doc bug fixes @ 2015-07-30T23:02:34Z • ISSUE #25650: (jacksontj) state.running documentation is incorrect | refs: #25894 • ISSUE #24042: (whiteinge) The state_events setting is not documented | refs: #25894 • ISSUE #23788: (k5jj) functions in drac.py module do not match documentation | refs: #25894 • ISSUE #21296: (Lothiraldan) Possible minion enumeration using saltutil.find_job and eauth | refs: #25894 • PR #25877: (rallytime) Protect against passing a map file in addition to VM names with --destroy @ 2015-07-30T21:55:45Z • ISSUE #24036: (arthurlogilab) [salt-cloud] Protect against passing command line arguments as names for the --destroy command in map files | refs: #25877 • PR #25870: (rallytime) Back-port #25824 to 2015.5 @ 2015-07-30T21:54:35Z • PR #25824: (klyr) Fix get_managed() in file.py module for local files | refs: #25870 • PR #25885: (t0rrant) Update Debian changelog @ 2015-07-30T20:05:59Z • PR #25875: (rallytime) Back-port #25862 to 2015.5 @ 2015-07-30T17:34:02Z • ISSUE #25478: (zyio) salt-ssh - Unable to locate current thin version | refs: #25862 • ISSUE #25026: (sylvia-wang) salt-ssh "Failure deploying thin" when using salt module functions | refs: #25862 • PR #25862: (zyio) Adding SCP_NOT_FOUND exit code | refs: #25875 • PR #25873: (rallytime) Back-port #25855 to 2015.5 @ 2015-07-30T17:33:55Z • PR #25855: (puneetk) Patch 3 | refs: #25873 • PR #25871: (rallytime) Back-port #25829 to 2015.5 @ 2015-07-30T17:33:43Z • PR #25829: (peterdemin) Fixed typo in salt.states.saltmod.function doc string | refs: #25871 • PR #25869: (rallytime) Back-port #25788 to 2015.5 @ 2015-07-30T17:33:33Z • ISSUE #24002: (csakoda) File lock contention on windows minions causing highstate crash | refs: #25788 • PR #25788: (opdude) Catch a hard crash when running highstate on windows | refs: #25869 • PR #25853: (davidjb) Make ssh-id-wrapper accessible to non-root users @ 2015-07-30T16:49:47Z • ISSUE #19532: (stolendog) salt-ssh running git clone with not root user | refs: #25853 • PR #25856: (jfindlay) expand minion reauth scalability documentation @ 2015-07-30T15:33:17Z • ISSUE #25447: (spo0nman) SaltMaster is crippled with Minion Re-Authentication | refs: #25856 • PR #25840: (jfindlay) add note to winrepo state docs about required grain @ 2015-07-30T14:38:27Z • ISSUE #25801: (themalkolm) Update docs that salt.states.winrepo requires roles:salt-master in grains. | refs: #25840 • PR #25846: (jfindlay) rework deprecation documentation for release names @ 2015-07-30T13:26:21Z • ISSUE #25827: (0xf10e) "Deprecating Code" doesn't mention Usage of warn_until() w/ Release Names | refs: #25846 • PR #25833: (jahamn) Allows cp.push to recreate empty files @ 2015-07-29T16:14:48Z • ISSUE #23288: (UtahDave) cp.push fails to recreate empty files. | refs: #25833 • PR #25831: (rallytime) Add salt:// to key_url options to docs for pkgrepo.managed @ 2015-07-29T15:38:43Z • ISSUE #11474: (JensRantil) pkgrepo.managed key_url: salt:// always use base env | refs: #25831 • PR #25807: (rallytime) Provide helpful error when using actions with a mapfile @ 2015-07-29T15:30:15Z • ISSUE #22699: (arthurlogilab) salt-cloud fails on KeyError when given a nonexistent action | refs: #25807 • PR #25818: (jfindlay) fix autoruns list @ 2015-07-29T15:29:20Z • PR #25826: (anlutro) Check that "onchanges" is a list @ 2015-07-29T15:00:28Z • PR #25798: (twangboy) Fixed stacktrace on package name not found @ 2015-07-28T22:40:14Z • ISSUE #25258: (nickw8) windows minion repo not updating | refs: #25798 • PR #25797: (twangboy) Changed repocache back to cached_repo @ 2015-07-28T22:39:32Z • ISSUE #25437: (lorengordon) Stacktrace on Windows when running pkg.list_pkgs | refs: #25598 #25763 • PR #25763: (twangboy) Fix 25437 | refs: #25797 • PR #25793: (rallytime) Back-port #25730 to 2015.5 @ 2015-07-28T19:37:34Z • PR #25730: (sjorge) patchelf lives in pkgsrc | refs: #25793 • PR #25792: (rallytime) Back-port #25688 to 2015.5 @ 2015-07-28T19:37:17Z • PR #25688: (bclermont) Don't acquire lock if there is no formatter | refs: #25792 • PR #25796: (cachedout) Remove debug from docs @ 2015-07-28T17:35:59Z • PR #25749: (jahamn) Allow zpool.create on character devices @ 2015-07-28T16:01:40Z • ISSUE #24920: (voileux) module.zpool.create on character device is not possible by salt | refs: #25749 • PR #25685: (twangboy) Fixed regex issues with comment and uncomment @ 2015-07-28T15:29:49Z • PR #25763: (twangboy) Fix 25437 | refs: #25797 @ 2015-07-28T15:29:27Z • ISSUE #25437: (lorengordon) Stacktrace on Windows when running pkg.list_pkgs | refs: #25598 #25763 • PR #25752: (thatch45) State top saltenv @ 2015-07-28T01:02:10Z • PR #25755: (twangboy) Fixed problem with dunder functions not being passed @ 2015-07-27T19:31:22Z • ISSUE #25717: (twangboy) Problem with chocolatey module not loading | refs: #25755 • PR #25648: (twangboy) Clarified functionality of reg module, fixed state to work with new module @ 2015-07-27T19:30:33Z • ISSUE #25352: (m03) reg.absent reporting incorrect results | refs: #25648 • ISSUE #1: (thatch45) Enable regex on the salt cli • PR #25740: (rallytime) Back-port #25722 to 2015.5 @ 2015-07-27T16:08:40Z • ISSUE #25154: (uvsmtid) All data mixed on STDOUT together should generate valid JSON output | refs: #25722 • ISSUE #25153: (uvsmtid) Multiple results should generate valid JSON output | refs: #25722 • PR #25722: (uvsmtid) Minor docs changes to emphasize JSON output problems without --static option | refs: #25740 • PR #25739: (rallytime) Back-port #25709 to 2015.5 @ 2015-07-27T16:08:27Z • PR #25709: (colekowalski) add direct-io-mode to mount_invisible_options | refs: #25739 • PR #25699: (rallytime) Back-port #25660 to 2015.5 | refs: #25709 • PR #25660: (colekowalski) add glusterfs' direct-io-mode to mount_invisible_keys | refs: #25699 #25709 • PR #25738: (rallytime) Back-port #25671 to 2015.5 @ 2015-07-27T16:08:23Z • PR #25671: (niq000) added a parameter so verifying SSL is now optional instead of hard-coded | refs: #25738 • PR #25737: (rallytime) Back-port #25608 to 2015.5 @ 2015-07-27T16:08:18Z • ISSUE #25229: (rall0r) Module git.latest kills target directory when test=True | refs: #25608 • PR #25608: (rall0r) Fix: prevent git.latest from removing target | refs: #25737 • PR #25733: (davidjb) Avoid IndexError when listing mounts if mount output ends in newline @ 2015-07-27T16:08:05Z • PR #25705: (blackduckx) Support for setm augeas command. @ 2015-07-27T16:07:10Z • ISSUE #22460: (onmeac) Command setm is not supported (yet) | refs: #25705 • PR #25703: (cachedout) Return to str for master_type for 2015.5 @ 2015-07-27T16:06:22Z • PR #25702: (twangboy) Fixed win_user module for groups with spaces in the name @ 2015-07-27T15:06:33Z • ISSUE #25144: (johnccfm) user.present on Windows fails to add user to groups if group name contains a space | refs: #25702 • PR #25711: (twangboy) Fixed problem with win_servermanager.list_installed @ 2015-07-27T15:05:48Z • ISSUE #25351: (m03) win_servermanager.list_installed failing with "IndexError: list index out of range" | refs: #25711 • PR #25714: (cachedout) Display warning when progressbar can't be loaded @ 2015-07-25T00:10:13Z • ISSUE #25435: (yee379) progressbar dependency missing | refs: #25714 • PR #25699: (rallytime) Back-port #25660 to 2015.5 | refs: #25709 @ 2015-07-24T22:11:40Z • PR #25660: (colekowalski) add glusterfs' direct-io-mode to mount_invisible_keys | refs: #25699 #25709 • PR #25694: (s0undt3ch) Salt-SSH fix for #25689 @ 2015-07-24T21:41:57Z • ISSUE #25689: (anlutro) Minion log in salt-ssh | refs: #25694 • PR #25710: (jahamn) Integration Testcase for Issue 25250 @ 2015-07-24T20:57:33Z • ISSUE #25250: (wipfs) 'force' option in copy state deletes target file | refs: #25461 #25710 • PR #25680: (basepi) [2015.5] Move cmd.run jinja aliasing to a wrapper class to prevent side effects @ 2015-07-24T19:52:10Z • PR #25049: (terminalmage) Fix cmd.run when cross-called in a state/execution module | refs: #25680 • PR #25682: (basepi) [2015.5] Fix parsing args with just a hash (#) @ 2015-07-24T19:52:01Z • PR #25695: (stanislavb) Configurable AWS region & region from IAM metadata @ 2015-07-24T19:36:40Z • PR #25645: (kev009) Fix pkgng provider to work with a sources list and the underlying pkg… @ 2015-07-24T16:33:18Z • PR #25677: (aneeshusa) Fix pacman.list_upgrades when refresh=True. @ 2015-07-24T16:30:06Z • PR #25675: (UtahDave) Use OS line endings with contents on file.managed @ 2015-07-24T16:29:50Z • ISSUE #25674: (UtahDave) file.managed with contents parameter uses wrong line endings on Windows | refs: #25675 • PR #25676: (basepi) Update release candidate docs to 2015.8.0rc2 @ 2015-07-23T20:29:37Z • PR #25666: (nmadhok) Check if the properties exist before looping over them causing KeyError @ 2015-07-23T17:55:40Z • ISSUE #25665: (nmadhok) salt-cloud VMware driver fails with KeyErrors if there's any existing machine in the VMware infrastructure in (invalid state) | refs: #25666 • PR #25656: (anlutro) Fix locale detection in debian/gentoo @ 2015-07-23T16:46:40Z • PR #25661: (rallytime) Back-port #25624 to 2015.5 @ 2015-07-23T16:26:48Z • PR #25624: (bobrik) Fix typo in get_routes example for debian_ip | refs: #25661 • PR #25662: (rallytime) Back-port #25638 to 2015.5 @ 2015-07-23T16:26:40Z • ISSUE #15209: (hubez) file.manage: source_hash not working with s3:// (2014.7.0rc1) | refs: #25638 • PR #25638: (TronPaul) fix bad merge in 99fc7ec | refs: #25662 • PR #25644: (cachedout) pillar doc fix @ 2015-07-22T22:57:23Z • ISSUE #25413: (zizkebab) pillar_opts default behavior is not reflected in the docs | refs: #25644 • PR #25642: (cachedout) Warn on pillar schedule delete @ 2015-07-22T22:04:12Z • ISSUE #25540: (dennisjac) salt highstate schedule cannot be removed | refs: #25642 • PR #25598: (twangboy) Fixed problem trying to load file with name of boolean type @ 2015-07-22T17:07:49Z • ISSUE #25437: (lorengordon) Stacktrace on Windows when running pkg.list_pkgs | refs: #25598 #25763 • 7b79e433 Merge pull request #25598 from twangboy/fix_25437 • PR #25604: (terminalmage) Move patching of mock_open to within test @ 2015-07-22T16:53:55Z • ISSUE #25323: (terminalmage) unit.modules.tls_test fails with older mock | refs: #25604 • PR #25609: (s0undt3ch) [2015.5] Update the bootstrap script to latest release v2015.07.22 @ 2015-07-22T16:28:52Z • ISSUE #630: (syphernl) Allow for an include statement in config files | refs: #25609 • PR #627: (chjohnst) add saltversion grain | refs: #25609 • PR #25603: (terminalmage) Add version_cmp function to yumpkg.py @ 2015-07-22T15:42:29Z • ISSUE #21912: (rvora) pkg.latest not updating the package on CentOS though yum reports an update available | refs: #25603 • PR #25590: (garethgreenaway) 2015.5 scheduled jobs return data @ 2015-07-21T21:57:42Z • ISSUE #25560: (dennisjac) scheduled highstate runs don't return results to the job cache | refs: #25590 • PR #25584: (rallytime) Back-port #24054 and #25576 to 2015.5 @ 2015-07-21T21:16:38Z • PR #25576: (pcn) s3fs breaks when fetching files from s3 | refs: #25584 • PR #24054: (mgwilliams) s3.head: return useful data | refs: #25584 • PR #25589: (jahamn) Fixes ssh_known_host not taking port into account @ 2015-07-21T21:15:06Z • ISSUE #23626: (mirko) salt state 'ssh_known_hosts' doesn't take 'port' into account | refs: #25589 • PR #25573: (EvaSDK) Do not execute bootstrap script twice @ 2015-07-21T18:20:04Z • PR #25465: (EvaSDK) 2015.5.3 LXC module fixes | refs: #25573 • PR #25580: (attiasr) use explicit utf-8 decoding (#25532) @ 2015-07-21T15:40:49Z • ISSUE #25532: (attiasr) salt/modules/win_pkg.py list_pkgs is broken (encoding issues) | refs: #25556 #25580 • PR #25568: (twangboy) Fixed win_useradd module to add fullname @ 2015-07-21T14:30:25Z • ISSUE #25206: (jfindlay) fullname issues with user.add state on windows | refs: #25568 • PR #25561: (twangboy) Fixed the gem module to work on windows... without injection @ 2015-07-20T21:12:15Z • ISSUE #21041: (deuscapturus) state module gem.installed not working on Windows. | refs: #25430 #25561 #25428 • PR #25428: (twangboy) Fixed the gem module to work on windows | refs: #25561 • PR #25521: (cachedout) Fix outputter for state.orch @ 2015-07-20T19:30:14Z • PR #25563: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-07-20T19:27:36Z • PR #25416: (cachedout) Fix broken keyword • PR #25559: (cachedout) Lint win_pkg @ 2015-07-20T17:46:29Z • PR #25556: (attiasr) fix for #25532 @ 2015-07-20T17:45:11Z • ISSUE #25532: (attiasr) salt/modules/win_pkg.py list_pkgs is broken (encoding issues) | refs: #25556 #25580 • PR #25554: (jfindlay) verify_ssl=True for s3 ext pillar @ 2015-07-20T17:43:38Z • ISSUE #25538: (stanislavb) S3 ext_pillar configuration requires verify_ssl | refs: #25554 • PR #25551: (rallytime) Backport #25530 to 2015.5 @ 2015-07-20T17:43:00Z • PR #25530: (andre-luiz-dos-santos) The variable name must be last | refs: #25551 • PR #25533: (attiasr) port 445 for windows bootstraping @ 2015-07-20T15:13:06Z • PR #25525: (gtmanfred) add make _prepare an alias for postinitio @ 2015-07-20T15:12:38Z • ISSUE #25432: (gtmanfred) [2015.5.3][raet] raet error with SaltRaetRoadStackJoiner | refs: #25525 • PR #25519: (rallytime) Backport vmware driver to 2015.5 branch @ 2015-07-20T15:11:26Z • ISSUE #25511: (rallytime) Make provider --> driver change backward compatible | refs: #25519 #25519 • ISSUE #23574: (CedNantes) Failed to Deploy Salt-Minion on a Win 2012 R2 using wmware Cloud Driver from Develop branch | refs: #25519 • PR #25542: (Oro) Fix hipchat.send_message when using API v2 @ 2015-07-20T15:09:13Z • PR #25531: (rallytime) Back-port #25529 to 2015.5 @ 2015-07-18T19:16:10Z • PR #25529: (davidjb) Fix minor typo in best practice example | refs: #25531 • PR #25528: (davidjb) Fix typo in extend declaration doco @ 2015-07-18T14:22:06Z • PR #25517: (rallytime) Back-port #25486 to 2015.5 @ 2015-07-17T21:49:26Z • ISSUE #25486: (whiteinge) Highstate outputter not used for state.apply | refs: #25517 • PR #25485: (attiasr) fix file downloads on windows • PR #25516: (rallytime) Back-port #25483 to 2015.5 @ 2015-07-17T21:49:05Z • ISSUE #25479: (alexandrsushko) multiple mount.mounted of one device | refs: #25483 • PR #25483: (alexandrsushko) Added 'none' to the set of specialFSes | refs: #25516 • PR #25513: (garethgreenaway) fixes to schedule.add documentation in 2015.5 @ 2015-07-17T17:03:24Z • ISSUE #25493: (blackduckx) Issue with job_args on schedule.add command | refs: #25513 • PR #25465: (EvaSDK) 2015.5.3 LXC module fixes | refs: #25573 @ 2015-07-17T15:57:54Z • PR #25506: (s0undt3ch) [2015.5] Update bootstrap script to latest stable release, v2015.07.17 @ 2015-07-17T15:40:38Z • ISSUE #25456: (julienlavergne) [2015.8.0rc1] salt-bootstrap fails to install salt master | refs: #25506 • ISSUE #25270: (iggy) [2015.8.0rc1] salt-bootstrap fails to properly install a minion | refs: #25506 • ISSUE #625: (whiteinge) cmd.run state user flag is not working | refs: #25506 #632 • ISSUE #611: (fatbox) Peer interface fails to return data occasionally | refs: #25506 • ISSUE #607: (thatch45) next level -X support | refs: #25506 • ISSUE #598: (syphernl) Explanation on how to execute interactive installs | refs: #25506 • ISSUE #455: (whiteinge) Document common troubleshooting tips | refs: #25506 • PR #624: (chjohnst) Docs are not correct with network.ping as args are not supported | refs: #25506 • PR #621: (akoumjian) Adding ec2 cloud-init bootstrap docs | refs: #25506 • PR #606: (terminalmage) need empty line before code blocks. added ones that were missing. | refs: #25506 • PR #602: (terminalmage) State-related documentation changes | refs: #25506 • PR #25498: (jfindlay) only read /proc/1/cmdline if it exists @ 2015-07-17T15:35:33Z • ISSUE #25454: (mschiff) Regression: salt 2015.5 not working in secure chroot anymore. | refs: #25498 • PR #25487: (rallytime) Back-port #25464 to 2015.5 @ 2015-07-16T16:58:36Z • PR #25464: (jquast) docfix: "cache_jobs: False" => grains_cache: False" | refs: #25487 • PR #25482: (oeuftete) Fix docker.running detection of running container @ 2015-07-16T16:58:29Z • PR #2015: (thekuffs) Esky / bbfreeze support • PR #25468: (joejulian) Add support for pyOpenSSL > 0.10 @ 2015-07-16T15:10:30Z • ISSUE #25384: (rickh563) pyopenssl 0.14 requirement in 2015.5.3 does not work in RHEL6 : ZD-364 | refs: #25468 • PR #25467: (rallytime) Add lxml dependency to opennebula docs @ 2015-07-16T15:09:57Z • PR #25461: (jahamn) Update file, if force option and content not same @ 2015-07-15T20:15:07Z • ISSUE #25250: (wipfs) 'force' option in copy state deletes target file | refs: #25461 #25710 • ISSUE #24647: (nmadhok) salt.states.file.copy does not copy the file if it already exists with force=True | refs: #25461 • PR #25438: (rallytime) Reduce digital_ocean_v2 API call frequency @ 2015-07-15T19:40:18Z • ISSUE #25431: (namcois) Digital Ocean v2 reducing API calls by adding per_page | refs: #25438 • PR #25457: (jacksontj) Saltnado @ 2015-07-15T17:50:12Z • PR #25427: (tony-cocco) Saltnado runner client results in blocking call despite being set-up as Runner.async | refs: #25457 • PR #25459: (jahamn) Fixed 'defulats' typo in verify.py @ 2015-07-15T16:53:06Z • PR #25426: (jquast) bugfix: trailing "...done" in rabbitmq output (backport from 'develop' to 2015.5) @ 2015-07-15T14:48:05Z • PR #25433: (jleroy) Support for IPv6 addresses scopes in network.interfaces (ifconfig) @ 2015-07-15T14:44:09Z • PR #25151: (jleroy) Support for IPv6 addresses scopes in network.interfaces | refs: #25274 #25433 • PR #25430: (twangboy) Disabled rbenv execution module for Windows @ 2015-07-15T14:41:18Z • ISSUE #21041: (deuscapturus) state module gem.installed not working on Windows. | refs: #25430 #25561 #25428 • ISSUE #1846: (seanchannel) development dependencies • PR #25420: (techhat) Move S3 to use AWS Signature Version 4 @ 2015-07-14T22:03:09Z • PR #25418: (twangboy) Fixed problem with file.managed test=True @ 2015-07-14T21:26:59Z • ISSUE #20441: (deuscapturus) State module file.managed returns an error on Windows and test=Test | refs: #25418 • PR #25417: (ahus1) extended documentation about dependencies for dig module @ 2015-07-14T20:49:51Z • PR #25411: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-07-14T17:55:26Z • PR #25375: (cachedout) Fix error in config.py for master_type • PR #25324: (jacobhammons) Latest help theme updates • PR #25406: (anlutro) Force arguments to aptpkg.version_cmp into strings @ 2015-07-14T16:15:41Z • PR #25408: (rallytime) Back-port #25399 to 2015.5 @ 2015-07-14T16:09:06Z • PR #25399: (jarpy) Demonstrate per-minion client_acl. | refs: #25408 • PR #25240: (tankywoo) file make os.walk only be called one @ 2015-07-14T16:04:49Z • PR #25395: (rallytime) Back-port #25389 to 2015.5 @ 2015-07-14T03:26:34Z • PR #25389: (l2ol33rt) Adding entropy note for gpg renderer | refs: #25395 • PR #25392: (rallytime) Back-port #25256 to 2015.5 @ 2015-07-14T03:25:13Z • PR #25256: (yanatan16) Don't assume source_hash exists | refs: #25392 • PR #25398: (twangboy) Fix date @ 2015-07-14T03:21:17Z • PR #25397: (GideonRed) Introduce standard error output when cli exits with non-zero status @ 2015-07-14T03:20:24Z • PR #25386: (cachedout) Lint #25383 @ 2015-07-13T21:01:10Z • ISSUE #24444: (michaelkrupp) file.managed does not handle dead symlinks | refs: #25383 • PR #25383: (jahamn) Fix manage_file function in salt/modules/file.py to handle broken sym… • PR #25383: (jahamn) Fix manage_file function in salt/modules/file.py to handle broken sym… @ 2015-07-13T20:58:23Z • ISSUE #24444: (michaelkrupp) file.managed does not handle dead symlinks | refs: #25383 • PR #25369: (anlutro) Fix aptpkg.version_cmp @ 2015-07-13T20:18:45Z • PR #25379: (jfindlay) check for cwd before getting it @ 2015-07-13T19:50:27Z • ISSUE #25337: (eliasp) salt-call from non-existend cwd backtraces | refs: #25379 • PR #25334: (jfindlay) return all cmd info back to zypper fcn @ 2015-07-13T17:03:29Z • ISSUE #25320: (podloucky-init) zypper module list_upgrades broken (2015.5.2) | refs: #25334 • PR #25339: (jfindlay) update orchestration docs @ 2015-07-13T16:04:26Z • PR #25358: (dkiser) Deep merge of pillar lists | refs: #26016 @ 2015-07-13T15:51:01Z • ISSUE #22241: (masterkorp) Salt master not properly generating the map | refs: #25358 • PR #25346: (bechtoldt) set correct indention in states/requisites.rst (docs), fixes #25281 @ 2015-07-13T15:34:45Z • ISSUE #25281: (shinshenjs) Unless usage in Official Doc syntax error? • PR #25336: (terminalmage) Don't try to read init binary if it wasn't found @ 2015-07-13T09:45:30Z • PR #25350: (davidjb) Fix documentation for file.blockreplace @ 2015-07-13T03:41:20Z • PR #25326: (rallytime) Back-port #20972 to 2015.5 @ 2015-07-10T18:49:44Z • ISSUE #19288: (oba11) AssociatePublicIpAddress doesn't work with salt-cloud 2014.7.0 | refs: #20972 #25326 • PR #20972: (JohannesEbke) Fix interface cleanup when using AssociatePublicIpAddress in #19288 | refs: #25326 • PR #25327: (rallytime) Back-port #25290 to 2015.5 @ 2015-07-10T18:49:37Z • ISSUE #24433: (chrimi) Salt locale state fails, if locale has not been generated | refs: #25290 • PR #25290: (pcdummy) Simple fix for locale.present on Ubuntu. | refs: #25327 • PR #25328: (rallytime) Back-port #25309 to 2015.5 @ 2015-07-10T17:22:59Z • ISSUE #24827: (yermulnik) locale.present doesn't generate locales | refs: #25309 • PR #25309: (davidjb) Format /etc/locale.gen correctly in salt.modules.localemod.gen_locale | refs: #25328 • PR #25322: (jacobhammons) version change to 2015.5.3 @ 2015-07-10T16:11:24Z • PR #25308: (jacksontj) Make clear commands trace level logging @ 2015-07-10T14:20:06Z • PR #24737: (jacksontj) Move AES command logging to trace | refs: #25308 • PR #25269: (jfindlay) Extract tomcat war version @ 2015-07-10T01:28:21Z • ISSUE #24520: (nvx) Tomcat module fails to extract version number from snapshot builds (2015.5 regression) | refs: #24927 • PR #24927: (egarbi) Tomcat module fails to extract version number from snapshot builds #2… | refs: #25269 • PR #25238: (DmitryKuzmenko) Pillarenv backport 2015.5 @ 2015-07-10T01:25:07Z • ISSUE #18808: (amendlik) Add command line argument to select pillar environment | refs: #25238 • PR #23719: (DmitryKuzmenko) Support pillarenv cmdline in state.sls • PR #25299: (twangboy) Added -NonInteractive so powershell doesn't hang waiting for input @ 2015-07-09T21:00:16Z • ISSUE #13943: (Supermathie) Powershell commands that expect input hang forever | refs: #25299 • PR #25301: (jacobhammons) bug fix for module function display in help @ 2015-07-09T20:46:34Z • PR #25279: (jacobhammons) Additional docs on external and master job cache, assorted doc fixes @ 2015-07-09T16:46:26Z • ISSUE #25277: (jacobhammons) CherryPy recommended versions | refs: #25279 • PR #25274: (jleroy) Fix for issue #25268 @ 2015-07-09T13:36:26Z • ISSUE #25268: (lichtamberg) Salt not working anymore in 2015.8/develop: ValueError: 'scope' is not in list | refs: #25274 • PR #25151: (jleroy) Support for IPv6 addresses scopes in network.interfaces | refs: #25274 #25433 • PR #25272: (twangboy) Fixed problem with service not starting @ 2015-07-08T23:29:48Z • PR #25225: (nmadhok) Backporting fix for issue #25223 on 2015.5 branch @ 2015-07-08T15:16:18Z • ISSUE #25223: (nmadhok) Runner occasionally fails with a RuntimeError when fired by a reactor | refs: #25225 • PR #25214: (rallytime) A couple of doc fixes for the http tutorial @ 2015-07-07T22:23:07Z • PR #25194: (rallytime) Update moto version check in boto_vpc_test and update min version @ 2015-07-07T18:27:32Z • ISSUE #24272: (rallytime) Fix boto_vpc_test moto version check | refs: #25194 • PR #25205: (basepi) Update releasecandidate docs @ 2015-07-07T15:25:24Z • PR #25187: (UtahDave) Doc fixes: Fix misspelling and remove extraneous double spaces @ 2015-07-07T01:07:04Z • PR #25182: (cachedout) Try to re-pack long floats as strs @ 2015-07-07T01:06:43Z • PR #25185: (rallytime) Back-port #25128 to 2015.5 @ 2015-07-07T00:58:00Z • ISSUE #23822: (sidcarter) Zip file extracted permissions are incorrect | refs: #25128 • PR #25128: (stanislavb) Use cmd_unzip to preserve permissions | refs: #25185 • PR #25181: (rallytime) Back-port #25102 to 2015.5 @ 2015-07-07T00:57:13Z • PR #25102: (derBroBro) Update win_network.py | refs: #25181 • PR #25179: (rallytime) Back-port #25059 to 2015.5 @ 2015-07-07T00:56:44Z • ISSUE #24301: (iggy) influxdb_user and influxdb_database states need virtual functions | refs: #25059 • PR #25059: (babilen) Add virtual functions to influxdb state modules | refs: #25179 • PR #25196: (twangboy) Fixed #18919 false-positive on pkg.refresh @ 2015-07-07T00:24:13Z • ISSUE #18919: (giner) Windows: pkg.refresh_db returns false-positive success | refs: #25196 • PR #25180: (rallytime) Back-port #25088 to 2015.5 @ 2015-07-06T20:33:45Z • PR #25088: (supertom) Update | refs: #25180 • PR #25191: (basepi) Add extrndest back to fileclient.is_cached in 2015.5 @ 2015-07-06T19:35:24Z • PR #25117: (basepi) Fix fileclient.is_cached | refs: #25191 • PR #25175: (rallytime) Back-port #25020 to 2015.5 @ 2015-07-06T18:53:19Z • ISSUE #25016: (martinhoefling) salt-run doc.execution fails with AttributeError • PR #25020: (martinhoefling) Fix for issue #25016 | refs: #25175 • PR #25173: (rallytime) Partial back-port of #25019 @ 2015-07-06T18:52:59Z • ISSUE #21879: (bechtoldt) Reference pages in documentation are outdated again | refs: #25019 • ISSUE #19262: (bechtoldt) salt.pillar.file_tree doesn't appear in the documentation | refs: #25019 • PR #25019: (bechtoldt) add missing module documentation to references | refs: #25173 • PR #24421: (bechtoldt) add missing module documentation | refs: #25019 • PR #21880: (bechtoldt) update references, fixes #21879 | refs: #25019 • PR #20039: (bechtoldt) completing some doc references | refs: #25019 • PR #25171: (rallytime) Back-port #25001 to 2015.5 @ 2015-07-06T18:51:53Z • PR #25001: (jasonkeene) Add docs for key arg in ssh_known_hosts.present | refs: #25171 • PR #25170: (rallytime) Back-port #24982 to 2015.5 @ 2015-07-06T16:34:43Z • PR #24982: (asyncsrc) ec2 network_interfaces fix | refs: #25170 • PR #25161: (aneeshusa) Allow checking for non-normalized systemd units. @ 2015-07-06T15:15:31Z • PR #25151: (jleroy) Support for IPv6 addresses scopes in network.interfaces | refs: #25274 #25433 @ 2015-07-06T14:43:03Z • PR #25166: (cachedout) Lint #25149 @ 2015-07-06T14:40:29Z • ISSUE #24979: (mavenAtHouzz) [Discussion] Support for more than 1 netapi.rest_tornado server process | refs: #25149 • PR #25149: (jacksontj) Saltnado multiprocess support | refs: #25166 • PR #25149: (jacksontj) Saltnado multiprocess support | refs: #25166 @ 2015-07-06T14:38:43Z • ISSUE #24979: (mavenAtHouzz) [Discussion] Support for more than 1 netapi.rest_tornado server process | refs: #25149 • PR #25120: (d--j) add missing continue for exception case @ 2015-07-02T19:38:45Z • PR #25117: (basepi) Fix fileclient.is_cached | refs: #25191 @ 2015-07-02T19:38:26Z • PR #25087: (0xf10e) Fix execution module for glance - now based on 2015.5! @ 2015-07-02T19:36:27Z • PR #25129: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-07-02T17:37:40Z • ISSUE #18447: (ryan-lane) Can't install salt with raet using pip -e git • PR #25093: (jaybocc2) quick fix for issue #18447 • PR #25069: (puneetk) Add a helper module function called list_enabled • PR #25114: (jfindlay) Revert "Revert "adding states/postgres_database unit test case."" @ 2015-07-02T01:01:29Z • PR #24798: (jtand) Revert "adding states/postgres_database unit test case." | refs: #25114 • PR #24329: (jayeshka) adding states/postgres_database unit test case. | refs: #24798 • PR #24362: (jayeshka) adding states/postgres_user unit test case. @ 2015-07-01T21:45:31Z • PR #24361: (jayeshka) adding states/postgres_schema unit test case. @ 2015-07-01T21:44:56Z • PR #24331: (jayeshka) adding states/postgres_extension unit test case. @ 2015-07-01T21:43:58Z • PR #26486: (thusoy) Git: Don't leak https user/pw to log @ 2015-08-20T16:04:52Z • ISSUE #26484: (thusoy) Git state leaks HTTPS user/pw to log | refs: #26486 • ISSUE #26482: (thusoy) Git states doesn't allow user-only auth | refs: #26483 • PR #26483: (thusoy) Handle user-only http auth in git module | refs: #26486 • PR #26476: (jacobhammons) Minor doc bug fixes @ 2015-08-19T22:52:35Z • ISSUE #26432: (centromere) Documentation incorrectly references salt-key on the minion | refs: #26476 • ISSUE #26403: (adelcast) Grains documentation incorrectly states they are static | refs: #26476 • ISSUE #26329: (cro) Add note to eauth docs indicating default PAM service. | refs: #26476 • ISSUE #26264: (grep4linux) state trees cannot have 'dots' in the name | refs: #26476 • ISSUE #26233: (dove-young) pip install salt, then start master failed on Fedora 22 | refs: #26476 • PR #26443: (cachedout) Fix connect issue in event init @ 2015-08-19T22:50:22Z • ISSUE #26366: (GreatSnoopy) The development tree produces hanging, 100%cpu salt-master processes | refs: #26443 • ISSUE #26301: (waynew) CPU pegged out running salt-master (after running command) | refs: #26443 • ISSUE #25998: (driskell) Event subsystem discarding required events during --batch breaking it for slow running commands | refs: #26000 • PR #26000: (driskell) Implement full event caching for subscribed tags | refs: #26443 • PR #26445: (cachedout) Raise clean error when no minions targeted in batch mode @ 2015-08-19T22:50:07Z • ISSUE #26343: (jfindlay) batch error when no minions match target | refs: #26445 • PR #26483: (thusoy) Handle user-only http auth in git module | refs: #26486 @ 2015-08-19T22:47:41Z • ISSUE #26482: (thusoy) Git states doesn't allow user-only auth | refs: #26483 • PR #26496: (jfindlay) add dateutil dependency reporting @ 2015-08-19T22:46:31Z • PR #26494: (cachedout) Remove unnecessary debug statements @ 2015-08-19T20:46:00Z • PR #26465: (rallytime) Back-port #26457 to 2015.5 @ 2015-08-19T16:08:16Z • PR #26457: (arthurlogilab) docstring improvement for network.ping module execution | refs: #26465 • PR #26434: (s0undt3ch) Fix missed typo @ 2015-08-18T18:14:29Z • PR #26430: (rallytime) List public and private ips under the correct label @ 2015-08-18T16:20:32Z • ISSUE #26426: (alxbse) Private/public IPs are interchanged when listing nova driver cloud nodes | refs: #26430 • PR #26431: (rallytime) Back-port #26417 to 2015.5 @ 2015-08-18T15:41:58Z • PR #26417: (scottjpack) Changed t1 -> t2 micro | refs: #26431 • PR #26378: (stanislavb) Fix EC2 credentials from IAM roles for s3fs and s3 ext_pillar in 2015.5 @ 2015-08-18T14:01:53Z • PR #26420: (terminalmage) Only use pygit2.errors if it exists (2015.5 branch) @ 2015-08-18T14:00:01Z • ISSUE #26245: (bradthurber) salt v2015.5.3 gitfs.py using newer pygit2 feature than required minimum | refs: #26420 • PR #26409: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 @ 2015-08-17T23:19:56Z • PR #26242: (cro) Remove dead code • PR #26216: (cro) Fix LDAP configuration issue. • PR #26406: (jfindlay) fix syntax error in lvm exec module @ 2015-08-17T21:18:25Z • ISSUE #26404: (ssgward) Syntax error in lvm.vg_absent state causing failure | refs: #26406 • PR #26405: (TheBigBear) dependency zip files moved to new site @ 2015-08-17T21:17:24Z • PR #26298: (vr-jack) Keep $HOME from being interpretted by Master shell @ 2015-08-17T21:15:11Z • PR #26324: (s0undt3ch) Salt is now pip install'able in windows @ 2015-08-17T20:41:34Z • PR #26371: (bastiaanb) fix issue #26161: on RedHat family systems touch /var/lock/subsys/$SE… @ 2015-08-17T20:39:28Z • ISSUE #26161: (bastiaanb) salt initscripts do not set lock file in /var/lock/subsys as required on RedHat family OSes • PR #26402: (twangboy) Removed documentation no longer required @ 2015-08-17T20:35:37Z • ISSUE #25801: (themalkolm) Update docs that salt.states.winrepo requires roles:salt-master in grains. | refs: #26328 • ISSUE #25562: (jefftucker) winrepo state does not run on masterless minion | refs: #26328 • PR #26328: (twangboy) Removed salt-master role requirement | refs: #26402 • PR #26392: (rallytime) Back-port #26376 to 2015.5 @ 2015-08-17T19:39:51Z • PR #26376: (TheBigBear) minor edit spelling | refs: #26392 • PR #26342: (rallytime) Don't call boto_elb._attributes_present if no attributes were provided @ 2015-08-17T19:19:08Z • ISSUE #16049: (ryan-lane) boto_elb.present state requires attributes argument | refs: #26342 • PR #26389: (rallytime) Back-port #26160 to 2015.5 @ 2015-08-17T19:09:16Z • ISSUE #26155: (silenius) pip availability in states/pip_state | refs: #26160 • PR #26160: (silenius) proposed fix for #26155 | refs: #26389 • PR #26300: (jfindlay) mock pwd function calls in pw_user exec module @ 2015-08-17T18:56:41Z • ISSUE #26266: (o-sleep) limit pw_user.getent() from returning entire corporate list | refs: #26300 • PR #26386: (jahamn) Fixes autosign_timeout usage in check_autosign_dir @ 2015-08-17T18:34:40Z • ISSUE #24334: (afletch) autosign_timeout not honoured | refs: #26386 • PR #26328: (twangboy) Removed salt-master role requirement | refs: #26402 @ 2015-08-17T18:30:17Z • ISSUE #25801: (themalkolm) Update docs that salt.states.winrepo requires roles:salt-master in grains. | refs: #26328 • ISSUE #25562: (jefftucker) winrepo state does not run on masterless minion | refs: #26328 • PR #26362: (garethgreenaway) Fixes to mount state. @ 2015-08-17T17:44:55Z • ISSUE #26327: (bradthurber) mount.mounted opts incorrect "forced unmount and mount because options (tcp) changed" | refs: #26362 • PR #26379: (s0undt3ch) [2015.5] Backport #26353 @ 2015-08-17T17:19:29Z • PR #26353: (sixninetynine) fixed a typo in setup.py | refs: #26379 • PR #26277: (rallytime) Handle exception when user is not found in keystone.user_get @ 2015-08-14T19:41:59Z • ISSUE #26240: (0xf10e) keystone.user_get raises exception when user is not found | refs: #26277 • PR #26326: (rallytime) Make ec2.create_snapshot return less unweildly and more relevant @ 2015-08-14T19:40:47Z • ISSUE #24484: (codehotter) clouds/ec2.py: create_snapshot throws exception | refs: #26326 • PR #26306: (rallytime) Move VM creation details dict to log.trace @ 2015-08-14T17:39:52Z • ISSUE #16179: (UtahDave) Salt Cloud -l debug includes the entire bootstrap script twice in its output | refs: #26306 Salt 2015.5.6 Release Notes Version 2015.5.6 is a bugfix release for 2015.5.0. Security Fixes CVE-2015-6941 - win_useradd module and salt-cloud display passwords in debug log Updated the win_useradd module return data to no longer include the password of the newly created user. The password is now replaced with the string XXX-REDACTED-XXX. Updated the Salt Cloud debug output to no longer display win_password and sudo_password authentication credentials. CVE-2015-6918 - Git modules leaking HTTPS auth credentials to debug log Updated the Git state and execution modules to no longer display HTTPS basic authentication credentials in loglevel debug output on the Salt master. These credentials are now replaced with REDACTED in the debug output. Thanks to Andreas Stieger <‐ asteiger@suse.com> for bringing this to our attention. Changes for v2015.5.5..v2015.5.6 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2015-09-30T22:22:43Z Total Merges: 144 Changes: • PR #27557: (jfindlay) add doc motivating mine vs grains • PR #27515: (jfindlay) save iptables rules on SuSE • PR #27509: (jfindlay) tell the user why the gluster module does not work • PR #27379: (jfindlay) document and check dict type for pip env_vars • PR #27516: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #27472: (cachedout) Change recommeded schema for data field in mysql event table • PR #27468: (cachedout) Fix 27351 • PR #27479: (aboe76) fix locale on opensuse and suse `#27438`_ • PR #27483: (rallytime) Outputters should sync to output, not outputters, on the minion. • PR #27484: (rallytime) Back-port #27434 and #27470 to 2015.5 • PR #27469: (twangboy) Added quotes to version numbers example • PR #27467: (cachedout) file.managed: check contents_{pillar|grain} result • PR #27419: (rallytime) Amend error log to include multiple tips for troubleshooting. • PR #27426: (rallytime) Don't stacktrace if there are conflicting id errors in highstate • PR #27408: (rallytime) Fix avail_locations function for the softlayer_hw driver in 2015.5 • PR #27410: (jacobhammons) Fix css layout Refs `#27389`_ • PR #27336: (rallytime) [2015.5] Fixup salt-cloud logging • PR #27358: (lorengordon) Escape search replacement text, fixes `#27356`_ • PR #27345: (rallytime) Allow use of rst header links by separating options out from yaml example • PR #26903: (bersace) Review defaults.get • PR #27317: (efficks) State unzip should use unzip command instead of unzip_cmd. • PR #27309: (rallytime) Change a value list to a comma-separated string in boto_route53.present • PR #27311: (jfindlay) discuss replacement occurrences in file doc • PR #27310: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #27308: (terminalmage) Fix refresh_db regression in yumpkg.py • PR #27286: (terminalmage) Add a configurable timer for minion return retries • PR #27278: (rallytime) Back-port #27256 to 2015.5 • PR #27277: (rallytime) Back-port #27230 to 2015.5 • PR #27253: (jfindlay) 2015.5 -> 2015.5.0 • PR #27244: (garethgreenaway) Exception in cloud.ec2.create_snapshot • PR #27231: (jfindlay) only write cron file if it is changed • PR #27233: (basepi) [2015.5] Add stub release notes for 2015.5.6 • PR #27208: (basepi) [2015.5] Add test.nop state • PR #27201: (jfindlay) rename hash_hostname to hash_known_hosts • PR #27214: (jacksontj) Correctly support https, port 443 is not a requirement • PR #27172: (rallytime) Back-port #27150 to 2015.5 • PR #27194: (rallytime) Back-port #27180 to 2015.5 • PR #27176: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #27170: (rallytime) Update Getting Started with GCE docs to use cloud.profiles or cloud.profiles.d examples • PR #27167: (rallytime) Back-port #27148 to 2015.5 • PR #27168: (techhat) Add further gating of impacket library • PR #27166: (rallytime) Allow a full-query for EC2, even if there are no profiles defined • PR #27162: (rallytime) Be explicit in using "SoftLayer" for service queries in SoftLayer drivers • PR #27149: (twangboy) Fixed problem with add/remove path • PR #27147: (rallytime) Enforce bounds in the GCE Regex • PR #27128: (eguven) don't show diff for test run if show_diff=False • PR #27116: (jacobhammons) Update latest to 2015.8, 2015.5 is now previous • PR #27033: (jfindlay) Merge #27019 • PR #26942: (Arabus) Fix docker.run • PR #26977: (abh) Add support for PEERNTP network interface configuration • PR #27023: (jfindlay) add test support for htpasswd state mod • PR #27074: (twangboy) Replaced password with redacted when displayed • PR #27073: (rallytime) Remove "use develop branch" warning from LXC tutorial • PR #27054: (rallytime) Back-port #27029 to 2015.5 • PR #27053: (rallytime) Back-port #26992 to 2015.5 • PR #27052: (rallytime) Back-port #26930 to 2015.5 • PR #27049: (johanek) Run repoquery less • PR #27070: (stanislavb) Deprecate salt.utils.iam in Carbon • PR #27030: (jfindlay) Backport #26938 • PR #27025: (cachedout) Better try and error handling for prep_jid • PR #27035: (terminalmage) useradd.py: Use contextmanager to prevent leaked filehandles • PR #27034: (rallytime) Update softlayer docs for where to find apikey • PR #27024: (rallytime) Back-port #27004 to 2015.5 • PR #27027: (rallytime) Back-port #27013 to 2015.5 • PR #27026: (rallytime) Back-port #27011 to 2015.5 • PR #26972: (twangboy) Catch the 404 error from fileclient • PR #26951: (terminalmage) Fix timezone module for CentOS • PR #26875: (marccardinal) LXC gateway provisioned only when IP is provided • PR #26997: (twangboy) Fixed symlinks for windows (don't use user root) • PR #27001: (twangboy) Added CLI Example for reg.delete_key_recursive • PR #26996: (jacobhammons) Beacon doc updates • PR #26868: (joejulian) Use the actual device name when checking vgdisplay • PR #26955: (dsumsky) S3 ext_pillar module has broken caching mechanism (backport to 2015.5) • PR #26987: (rallytime) Back-port #26966 to 2015.5 • PR #26915: (rallytime) Update Joyent Cloud Tests • PR #26971: (rallytime) Fix a couple of typos in reactor docs • PR #26976: (thatch45) Revert "file.symlink gets windows account instead of root" • PR #26975: (whiteinge) Remove mocks from rest_cherrypy integration tests; fix groups check bug • PR #26899: (twangboy) file.symlink gets windows account instead of root • PR #26960: (rallytime) Fix bash code block formatting in CherryPy netapi docs • PR #26940: (rallytime) Fix minor doc typo in client api • PR #26871: (rallytime) Back-port #26852 to 2015.5 • PR #26851: (jacobhammons) states/pkgrepo examples, suse installation updates • PR #26817: (jfindlay) modify groupadd for rhel 5 • PR #26824: (pravka) [salt-cloud] Fix creating droplet from snapshot in digital_ocean provider • PR #26823: (joejulian) use dbus instead of localectl • PR #26820: (jfindlay) add default param in _parse_localectl in locale mod • PR #26821: (twangboy) Fixed user.rename function in windows • PR #26803: (twangboy) Added check for PyMySQL if MySQLdb import fails • PR #26815: (jfindlay) stringify linode id before performing str actions • PR #26800: (jacobhammons) Doc bug fixes • PR #26793: (rallytime) Don't stacktrace if "name" is specified as a minion id in a map file • PR #26790: (rallytime) Update Saltify docs to be more accurate and helpful • PR #26787: (jfindlay) merge #26775 • PR #26759: (terminalmage) Backport PR #26726 to 2015.5 branch • PR #26768: (garethgreenaway) Fixes to ipset in 2015.5 for `#26628`_ • PR #26753: (jfindlay) import elementree from _compat in ilo exec mod • PR #26736: (twangboy) Changed import from smbconnection to smb3 • PR #26714: (jfindlay) add exception placeholder for older msgpacks • PR #26710: (rallytime) Update GCE driver to return True, False or a new name in __virtual__() • PR #26709: (rallytime) Ensure VM name is valid before trying to create Linode VM • PR #26617: (terminalmage) Fix Windows failures in pip module due to raw string formatting • PR #26700: (kev009) Ignore the first element of kern.disks split, which is the sysctl name • PR #26695: (terminalmage) Better HTTPS basic auth redaction for 2015.5 branch • PR #26694: (terminalmage) Backport #26693 to 2015.5 • PR #26681: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #26676: (rallytime) Back-port #26648 to 2015.5 • PR #26677: (rallytime) Back-port #26653 to 2015.5 • PR #26675: (rallytime) Back-port #26631 to 2015.5 • PR #26655: (cheng0919) Update win_dns_client.py • PR #26662: (jacobhammons) update version to 2015.5 • PR #26651: (jfindlay) add 2015.5.4 notes to 2015.5.5 notes • PR #26525: (jfindlay) document check_file_meta args, remove unused arg • PR #26561: (stanislavb) Leave salt.utils.s3 location fallback to salt.utils.aws • PR #26573: (rallytime) Don't stacktrace if using private_ips and delete_sshkeys together • PR #26563: (rallytime) Fix error detection when salt-cloud config is missing a master's address • PR #26641: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #26620: (rallytime) Also add -Z to script args for cloud tests • PR #26618: (rallytime) Add script_args: '-P' to Ubuntu 14 profiles for nightly cloud tests • PR #26612: (rallytime) Use an available image to test against • PR #26576: (rallytime) Ensure GCE and EC2 configuration checks are correct • PR #26580: (rallytime) Avoid race condition when assigning floating IPs to new VMs • PR #26581: (terminalmage) Skip tests that don't work with older mock • PR #26591: (rallytime) Back-port #26554 to 2015.5 • PR #26565: (cachedout) Fix many errors with __virtual__ in tests • PR #26553: (rallytime) Back-port #26548 to 2015.5 • PR #26552: (rallytime) Back-port #26542 to 2015.5 • PR #26551: (rallytime) Back-port #26539 to 2015.5 • PR #26549: (rallytime) Back-port #26524 to 2015.5 • PR #26527: (jfindlay) check exists and values in boto_elb listeners • PR #26446: (stanislavb) Fetch AWS region from EC2 instance metadata • PR #26546: (nmadhok) Do not raise KeyError when calling avail_images if VM/template is in disconnected state • PR #26537: (jfindlay) Merge #26481 • PR #26528: (zmalone) Fixing encrypt to instructions in the 2015.5 branch Salt 2015.5.7 Release Notes NOTE: A significant orchestrate issue #29110 was discovered during the release process of 2015.5.7, so it has not been officially released. Please use 2015.5.8 instead. Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2015-11-13T17:11:14Z Total Merges: 102 Changes: • PR #28731: (garethgreenaway) Fixes to salt scheduler in 2015.5, ensuring that return_job is only used on minion scheduler • PR #28857: (rallytime) Back-port #28851 to 2015.5 • PR #28856: (rallytime) Back-port #28853 to 2015.5 • PR #28832: (basepi) [2015.5] Backport #28826 • PR #28833: (basepi) [2015.5] Increase the default gather_job_timeout • PR #28829: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #28756: (MrCitron) Fix `#25775`_ • PR #28786: (chrigl) closes `#28783`_ • PR #28776: (rallytime) Back-port #28740 to 2015.5 • PR #28760: (dmyerscough) Fixing CherryPy key bug • PR #28746: (rallytime) Back-port #28718 to 2015.5 • PR #28705: (cachedout) Account for new headers class in tornado 4.3 • PR #28699: (rallytime) Back-port #28670 to 2015.5 • PR #28703: (rallytime) Back-port #28690 to 2015.5 • PR #28694: (s0undt3ch) [2015.5] Update to latest bootstrap script v2015.11.09 • PR #28669: (rallytime) Use the -q argument to strip extraneous messages from rabbitmq • PR #28645: (jacksontj) Rework minion return_retry_timer • PR #28668: (twangboy) Fixed join_domain and unjoin_domain for Windows • PR #28666: (jfindlay) define r_data before using it in file module • PR #28662: (cachedout) Add note about disabling master_alive_interval • PR #28627: (twangboy) Backport win_useradd • PR #28617: (cachedout) Set restrictive umask on module sync • PR #28622: (gravyboat) Update puppet module wording • PR #28563: (s0undt3ch) [2015.5] Update to latest bootstrap script v2015.11.04 • PR #28541: (twangboy) Fixed problem with system.set_computer_name • PR #28537: (jfindlay) decode filename to utf-8 in file.recurse state • PR #28529: (rallytime) Update contributing and documentation pages to recommend submitting against branches • PR #28548: (nmadhok) [Backport] [2015.5] Tasks can be in queued state instead of running • PR #28531: (rallytime) Add versionadded directives to virtualenv_mod state/module • PR #28508: (twangboy) Fixed windows tests • PR #28525: (rallytime) Fix spacing in doc examples for boto_route53 state and module • PR #28517: (rallytime) Add state_auto_order defaults to True note to ordering docs • PR #28512: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #28448: (gwaters) added a note to the tutorial for redhat derivatives • PR #28406: (rallytime) Back-port #28381 to 2015.5 • PR #28413: (rallytime) Back-port #28400 to 2015.5 • PR #28366: (erchn) mark repo not enabled when pkgrepo state passes in disable: True • PR #28373: (beverlcl) Fixing bug `#28372`_ for use_carrier option on bonding network interfaces. • PR #28359: (rallytime) Back-port #28358 to 2015.5 • PR #28346: (twangboy) Fix installer • PR #28315: (gwaters) Adding a working example of setting pillar data on the cli • PR #28211: (terminalmage) Fix for ext_pillar being compiled twice in legacy git_pillar code (2015.5 branch) • PR #28263: (cachedout) New channel for event.send • PR #28293: (cachedout) Minor grammar changes • PR #28271: (gwaters) Update tutorial documentation • PR #28280: (0xf10e) Correct Jinja function load_* to import_* • PR #28255: (cachedout) Add __cli opt • PR #28213: (rallytime) If record returned None, don't continue with the state. Something went wrong • PR #28238: (basepi) [2015.5] Fix schedule.present always diffing • PR #28174: (lorengordon) Add support for multiline regex in file.replace • PR #28175: (twangboy) Fixes `#19673`_ • PR #28140: (rallytime) Add OpenBSD installation documentation to 2015.5 branch • PR #28138: (rallytime) Back-port #28130 EC2 Sizes Only portion to 2015.5 • PR #28097: (jacksontj) For all multi-part messages, check the headers. If the header is not … • PR #28117: (rallytime) Clean up stacktrace when master can't be reached in lxc cloud driver • PR #28110: (terminalmage) Add explanation of file_client: local setting masterless mode • PR #28109: (rallytime) Add created reactor event to lxc cloud driver • PR #27996: (rallytime) Don't fail if pip package is already present and pip1 is installed • PR #28056: (rallytime) Back-port #28033 to 2015.5 • PR #28059: (rallytime) Back-port #28040 to 2015.5 • PR #28047: (cachedout) Restore FTP functionality to file client • PR #28032: (twangboy) Fixed win_path.py • PR #28037: (rallytime) Back-port #28003 to 2015.5 • PR #28031: (jacobhammons) Updated release notes with additional CVE information • PR #28008: (jfindlay) platform independent line endings in hosts mod • PR #28012: (rallytime) Clean up stack trace when something goes wrong with minion output • PR #27995: (jacobhammons) added link to grains security FAQ to targeting and pillar topics. • PR #27986: (jacobhammons) Changed current release to 5.6 and added CVE to release notes • PR #27913: (pass-by-value) Set default • PR #27876: (terminalmage) 2015.5 branch: Fix traceback when 2015.8 git ext_pillar config schema used • PR #27726: (jfindlay) deprecate hash_hostname in favor of hash_known_hosts • PR #27776: (jfindlay) return message when local jobs_cache not found • PR #27766: (jfindlay) better check for debian userdel error • PR #27758: (iggy) Remove redundant text from syslog returner • PR #27841: (terminalmage) Detect Manjaro Linux as Arch derivative • PR #27852: (rallytime) Back-port #27806 to 2015.5 • PR #27838: (basepi) [2015.5] Fix highstate outputter for jobs.lookup_jid • PR #27791: (eguven) 2015.5 postgres_user groups backport • PR #27759: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #27732: (jacobhammons) update docs for __virtual__ and __virtualname__ • PR #27747: (Sacro) Chocolatey doesn't have a help command. • PR #27733: (jacobhammons) hardening topic - updates to docs.saltstack.com theme • PR #27706: (jacobhammons) Assorted doc bugs • PR #27695: (rallytime) Back-port #27671 to 2015.5 • PR #27524: (jfindlay) parse pkgng output in quiet mode for >= 1.6.1 • PR #27686: (rallytime) Back-port #27476 to 2015.5 • PR #27684: (rallytime) Back-port #27656 to 2015.5 • PR #27683: (rallytime) Back-port #27659 to 2015.5 • PR #27682: (rallytime) Back-port #27566 to 2015.5 • PR #27681: (rallytime) Back-port #25928 to 2015.5 • PR #27680: (rallytime) Back-port #27535 to 2015.5 • PR #27442: (JaseFace) Ensure we pass on the enable setting if present, or use the default of True if not in build_schedule_item() • PR #27641: (rallytime) Gate the psutil import and add depends doc for diskusage beacon • PR #27644: (rallytime) Back-port #27640 to 2015.5 • PR #27612: (rallytime) Fix GCE external_ip stacktraces in 2015.5 • PR #27568: (jacobhammons) regenerated man pages Salt 2015.5.8 Release Notes Security Fix CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions This affects users of the state.sls function. The state run cache on the minion was being created with incorrect permissions. This file could potentially contain sensitive data that was inserted via jinja into the state SLS files. The permissions for this file are now being set correctly. Thanks to @zmalone for bringing this issue to our attention. Changes Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2015-11-23T23:16:23Z Total Merges: 118 Changes: • PR #29128: (cachedout) Set a safer default value for ret in saltmod • PR #29122: (cachedout) Fix broken state orchestration • PR #29096: (rallytime) Back-port #29093 to 2015.5 • PR #29084: (rallytime) Back-port #29055 to 2015.5 • PR #29083: (rallytime) Back-port #29053 to 2015.5 • PR #28932: (twangboy) Fixed user.present / user.absent in windows • PR #29011: (rallytime) Back-port #28630 to 2015.5 • PR #28982: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #28949: (whiteinge) Add sync_sdb execution function • PR #28930: (twangboy) Added missing import mmap required by file.py • PR #28908: (rallytime) A couple of spelling fixes for doc conventions page. • PR #28902: (whiteinge) Fix missing JSON support for /keys endpoint • PR #28897: (rallytime) Back-port #28873 to 2015.5 • PR #28871: (basepi) [2015.5] Fix command generation for mdadm.assemble • PR #28864: (jfindlay) add 2015.5.7 release notes • PR #28731: (garethgreenaway) Fixes to salt scheduler in 2015.5, ensuring that return_job is only used on minion scheduler • PR #28857: (rallytime) Back-port #28851 to 2015.5 • PR #28856: (rallytime) Back-port #28853 to 2015.5 • PR #28832: (basepi) [2015.5] Backport #28826 • PR #28833: (basepi) [2015.5] Increase the default gather_job_timeout • PR #28829: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #28756: (MrCitron) Fix `#25775`_ • PR #28786: (chrigl) closes `#28783`_ • PR #28776: (rallytime) Back-port #28740 to 2015.5 • PR #28760: (dmyerscough) Fixing CherryPy key bug • PR #28746: (rallytime) Back-port #28718 to 2015.5 • PR #28705: (cachedout) Account for new headers class in tornado 4.3 • PR #28699: (rallytime) Back-port #28670 to 2015.5 • PR #28703: (rallytime) Back-port #28690 to 2015.5 • PR #28694: (s0undt3ch) [2015.5] Update to latest bootstrap script v2015.11.09 • PR #28669: (rallytime) Use the -q argument to strip extraneous messages from rabbitmq • PR #28645: (jacksontj) Rework minion return_retry_timer • PR #28668: (twangboy) Fixed join_domain and unjoin_domain for Windows • PR #28666: (jfindlay) define r_data before using it in file module • PR #28662: (cachedout) Add note about disabling master_alive_interval • PR #28627: (twangboy) Backport win_useradd • PR #28617: (cachedout) Set restrictive umask on module sync • PR #28622: (gravyboat) Update puppet module wording • PR #28563: (s0undt3ch) [2015.5] Update to latest bootstrap script v2015.11.04 • PR #28541: (twangboy) Fixed problem with system.set_computer_name • PR #28537: (jfindlay) decode filename to utf-8 in file.recurse state • PR #28529: (rallytime) Update contributing and documentation pages to recommend submitting against branches • PR #28548: (nmadhok) [Backport] [2015.5] Tasks can be in queued state instead of running • PR #28531: (rallytime) Add versionadded directives to virtualenv_mod state/module • PR #28508: (twangboy) Fixed windows tests • PR #28525: (rallytime) Fix spacing in doc examples for boto_route53 state and module • PR #28517: (rallytime) Add state_auto_order defaults to True note to ordering docs • PR #28512: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #28448: (gwaters) added a note to the tutorial for redhat derivatives • PR #28406: (rallytime) Back-port #28381 to 2015.5 • PR #28413: (rallytime) Back-port #28400 to 2015.5 • PR #28366: (erchn) mark repo not enabled when pkgrepo state passes in disable: True • PR #28373: (beverlcl) Fixing bug `#28372`_ for use_carrier option on bonding network interfaces. • PR #28359: (rallytime) Back-port #28358 to 2015.5 • PR #28346: (twangboy) Fix installer • PR #28315: (gwaters) Adding a working example of setting pillar data on the cli • PR #28211: (terminalmage) Fix for ext_pillar being compiled twice in legacy git_pillar code (2015.5 branch) • PR #28263: (cachedout) New channel for event.send • PR #28293: (cachedout) Minor grammar changes • PR #28271: (gwaters) Update tutorial documentation • PR #28280: (0xf10e) Correct Jinja function load_* to import_* • PR #28255: (cachedout) Add __cli opt • PR #28213: (rallytime) If record returned None, don't continue with the state. Something went wrong • PR #28238: (basepi) [2015.5] Fix schedule.present always diffing • PR #28174: (lorengordon) Add support for multiline regex in file.replace • PR #28175: (twangboy) Fixes `#19673`_ • PR #28140: (rallytime) Add OpenBSD installation documentation to 2015.5 branch • PR #28138: (rallytime) Back-port #28130 EC2 Sizes Only portion to 2015.5 • PR #28097: (jacksontj) For all multi-part messages, check the headers. If the header is not … • PR #28117: (rallytime) Clean up stacktrace when master can't be reached in lxc cloud driver • PR #28110: (terminalmage) Add explanation of file_client: local setting masterless mode • PR #28109: (rallytime) Add created reactor event to lxc cloud driver • PR #27996: (rallytime) Don't fail if pip package is already present and pip1 is installed • PR #28056: (rallytime) Back-port #28033 to 2015.5 • PR #28059: (rallytime) Back-port #28040 to 2015.5 • PR #28047: (cachedout) Restore FTP functionality to file client • PR #28032: (twangboy) Fixed win_path.py • PR #28037: (rallytime) Back-port #28003 to 2015.5 • PR #28031: (jacobhammons) Updated release notes with additional CVE information • PR #28008: (jfindlay) platform independent line endings in hosts mod • PR #28012: (rallytime) Clean up stack trace when something goes wrong with minion output • PR #27995: (jacobhammons) added link to grains security FAQ to targeting and pillar topics. • PR #27986: (jacobhammons) Changed current release to 5.6 and added CVE to release notes • PR #27913: (pass-by-value) Set default • PR #27876: (terminalmage) 2015.5 branch: Fix traceback when 2015.8 git ext_pillar config schema used • PR #27726: (jfindlay) deprecate hash_hostname in favor of hash_known_hosts • PR #27776: (jfindlay) return message when local jobs_cache not found • PR #27766: (jfindlay) better check for debian userdel error • PR #27758: (iggy) Remove redundant text from syslog returner • PR #27841: (terminalmage) Detect Manjaro Linux as Arch derivative • PR #27852: (rallytime) Back-port #27806 to 2015.5 • PR #27838: (basepi) [2015.5] Fix highstate outputter for jobs.lookup_jid • PR #27791: (eguven) 2015.5 postgres_user groups backport • PR #27759: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #27732: (jacobhammons) update docs for __virtual__ and __virtualname__ • PR #27747: (Sacro) Chocolatey doesn't have a help command. • PR #27733: (jacobhammons) hardening topic - updates to docs.saltstack.com theme • PR #27706: (jacobhammons) Assorted doc bugs • PR #27695: (rallytime) Back-port #27671 to 2015.5 • PR #27524: (jfindlay) parse pkgng output in quiet mode for >= 1.6.1 • PR #27686: (rallytime) Back-port #27476 to 2015.5 • PR #27684: (rallytime) Back-port #27656 to 2015.5 • PR #27683: (rallytime) Back-port #27659 to 2015.5 • PR #27682: (rallytime) Back-port #27566 to 2015.5 • PR #27681: (rallytime) Back-port #25928 to 2015.5 • PR #27680: (rallytime) Back-port #27535 to 2015.5 • PR #27442: (JaseFace) Ensure we pass on the enable setting if present, or use the default of True if not in build_schedule_item() • PR #27641: (rallytime) Gate the psutil import and add depends doc for diskusage beacon • PR #27644: (rallytime) Back-port #27640 to 2015.5 • PR #27612: (rallytime) Fix GCE external_ip stacktraces in 2015.5 • PR #27568: (jacobhammons) regenerated man pages Salt 2015.5.9 Release Notes Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2016-01-08T23:02:31Z Total Merges: 44 Changes: • PR #30237: (jacobhammons) Updated man pages and doc version for 2015.5.9 • PR #30207: (rallytime) Use correct spacing in rabbitmq state examples • PR #30191: (jacobhammons) Updated doc site banners • PR #30125: (abednarik) Update user home event when createhome is set to False • PR #30127: (jsutton) Updating documentation and example minion config for random_master/master_shuffle. • PR #30110: (markckimball) Fixed flag sent to salt.utils.http in order for verify_ssl to work correctly • PR #30093: (zmalone) Noting that file_roots and "state tree" should both be avoided • PR #30097: (cachedout) Note concern about cleartext password in docs for shadow.gen_password • PR #30089: (mpreziuso) Fixes terminology and adds more accurate details about the algorithms • PR #30086: (cachedout) Document that gitfs needs recent libs • PR #30070: (cachedout) Add documentation on debugging salt-ssh • PR #30059: (mpreziuso) Fixes wrong function scope • PR #30025: (jtand) Skipping some Boto tests until resolved moto issue • PR #29949: (aletourneau) Enhanced netscaler docstring • PR #29941: (cachedout) Fix spelling error in boto_vpc • PR #29908: (cachedout) Allow kwargs to be passed to pacman provide for update func • PR #29909: (abednarik) FreeBSD pkgng fix for non-interactive install. • PR #29730: (rallytime) Update docker-py version requirement to 0.6.0 for dockerio.py files • PR #29715: (rallytime) Install correct package version, if provided, for npm state. • PR #29721: (terminalmage) Fix display of multiline strings when iterating over a list • PR #29646: (rallytime) Don't stacktrace on kwargs.get if kwargs=None • PR #29673: (rallytime) Default value should be False and not 'False' • PR #29527: (jfindlay) 2015.5.7 notes: add note about not being released • PR #29539: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #29504: (rallytime) Document userdata_file option for EC2 driver • PR #29507: (rallytime) Switch volumes and del_*_on_destroy example ordering • PR #29469: (abednarik) Added Documentation note in salt cloud. • PR #29461: (dmyerscough) Fix resource limits, systemd sets the default too small • PR #29439: (rallytime) Back-port #28656 to 2015.5 • PR #29418: (jacobhammons) Added CVE 2015-8034 to 2015.5.8 release notes • PR #29389: (jacobhammons) updated version numbers in documentation • PR #28501: (twangboy) Requested fixes for 26898 • PR #29348: (jtand) Fixes an file.search on python2.6 • PR #29336: (rallytime) Back-port #29276 to 2015.5 • PR #29333: (rallytime) Back-port #29280 to 2015.5 • PR #29316: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5 • PR #29216: (clan) size is 0 doesn't mean no data, e.g, /proc/version • PR #29261: (attiasr) fix incorrect reinstallation of windows pkg • PR #29214: (cro) Doc for salt.utils.http should say verify_ssl not ssl_verify. • PR #29204: (lorengordon) Use os.path.join to return full path to ca bundle Salt 2014.7.0 Release Notes - Codename Helium This release is the largest Salt release ever, with more features and commits then any previous release of Salt. Everything from the new RAET transport to major updates in Salt Cloud and the merging of Salt API into the main project. IMPORTANT: The Fedora/RHEL/CentOS salt-master package has been modified for this release. The following components of Salt have been broken out and placed into their own packages: • salt-syndic • salt-cloud • salt-ssh When the salt-master package is upgraded, these components will be removed, and they will need to be manually installed. IMPORTANT: Compound/pillar matching have been temporarily disabled for the mine and publish modules for this release due to the possibility of inferring pillar data using pillar glob matching. A proper fix is now in the 2014.7 branch and scheduled for the 2014.7.1 release, and compound matching and non-globbing pillar matching will be re-enabled at that point. Compound and pillar matching for normal salt commands are unaffected. New Transport! RAET Transport Option This has been a HUGE amount of work, but the beta release of Salt with RAET is ready to go. RAET is a reliable queuing transport system that has been developed in partnership with a number of large enterprises to give Salt an alternative to ZeroMQ and a way to get Salt to scale well beyond tens of thousands of servers. Unlike ZeroMQ, RAET is completely asynchronous in every aspect of its operation and has been developed using the flow programming paradigm. This allows for many new capabilities to be added to Salt in the upcoming releases. Please keep in mind that this is a beta release of RAET and we hope for bugs to be worked out, performance to be better realized and more in the 2015.5.0 release. Simply stated, users running Salt with RAET should expect some hiccups as we hammer out the update. This is a BETA release of Salt RAET. For information about how to use Salt with RAET please see the tutorial. Salt SSH Enhancements Salt SSH has just entered a new league, with substantial updates and improvements to make salt-ssh more reliable and easier then ever! From new features like the ansible roster and fileserver backends to the new pypi salt-ssh installer to lowered deps and a swath of bugfixes, salt-ssh is basically reborn! Install salt-ssh Using pip Salt-ssh is now pip-installable! https://pypi.python.org/pypi/salt-ssh/ Pip will bring in all of the required deps, and while some deps are compiled, they all include pure python implementations, meaning that any compile errors which may be seen can be safely ignored. pip install salt-ssh Fileserver Backends Salt-ssh can now use the salt fileserver backend system. This allows for the gitfs, hgfs, s3, and many more ways to centrally store states to be easily used with salt-ssh. This also allows for a distributed team to easily use a centralized source. Saltfile Support The new saltfile system makes it easy to have a user specific custom extended configuration. Ext Pillar Salt-ssh can now use the external pillar system. Making it easier then ever to use salt-ssh with teams. No More sshpass Thanks to the enhancements in the salt vt system, salt-ssh no longer requires sshpass to send passwords to ssh. This also makes the manipulation of ssh calls substantially more flexible, allowing for intercepting ssh calls in a much more fluid way. Pure Python Shim The salt-ssh call originally used a shell script to discover what version of python to execute with and determine the state of the ssh code deployment. This shell script has been replaced with a pure python version making it easy to increase the capability of the code deployment without causing platform inconsistency issues with different shell interpreters. Custom Module Delivery Custom modules are now seamlessly delivered. This makes the deployment of custom grains, states, execution modules and returners a seamless process. CP Module Support Salt-ssh now makes simple file transfers easier then ever! The cp module allows for files to be conveniently sent from the salt fileserver system down to systems. More Thin Directory Options Salt ssh functions by copying a subset of the salt code, or salt thin down to the target system. In the past this was always transferred to /tmp/.salt and cached there for subsequent commands. Now, salt thin can be sent to a random directory and removed when the call is complete with the -W option. The new -W option still uses a static location but will clean up that location when finished. The default salt thin location is now user defined, allowing multiple users to cleanly access the same systems. State System Enhancements New Imperative State Keyword Listen The new listen and listen_in keywords allow for completely imperative states by calling the mod_watch() routine after all states have run instead of re-ordering the states. Mod Aggregate Runtime Manipulator The new mod_aggregate system allows for the state system to rewrite the state data during execution. This allows for state definitions to be aggregated dynamically at runtime. The best example is found in the pkg state. If mod_aggregate is turned on, then when the first pkg state is reached, the state system will scan all of the other running states for pkg states and take all other packages set for install and install them all at once in the first pkg state. These runtime modifications make it easy to run groups of states together. In future versions, we hope to fill out the mod_aggregate system to build in more and more optimizations. For more documentation on mod_aggregate, see the documentation. New Requisites: onchanges and onfail The new onchanges and onchanges_in requisites make a state apply only if there are changes in the required state. This is useful to execute post hooks after changes occur on a system. The other new requisites, onfail, and onfail_in, allow for a state to run in reaction to the failure of another state. For more information about these new requisites, see the requisites documentation. Global onlyif and unless The onlyif and unless options can now be used for any state declaration. Use names to expand and override values The names declaration in Salt's state system can now override or add values to the expanded data structure. For example: my_users: user.present: - names: - larry - curly - moe: - shell: /bin/zsh - groups: - wheel - shell: /bin/bash Major Features Scheduler Additions The Salt scheduler system has received MAJOR enhancements, allowing for cron-like scheduling and much more granular timing routines. See here for more info. Red Hat 7 Family Support All the needed additions have been made to run Salt on RHEL 7 and derived OSes like CentOS and Scientific. Fileserver Backends in salt-call Fileserver backends like gitfs can now be used without a salt master! Just add the fileserver backend configuration to the minion config and execute salt-call. This has been a much-requested feature and we are happy to finally bring it to our users. Amazon Execution Modules An entire family of execution modules further enhancing Salt's Amazon Cloud support. They include the following: • Autoscale Groups (includes state support) -- related: Launch Control states • Cloud Watch (includes state support) • Elastic Cache (includes state support) • Elastic Load Balancer (includes state support) • IAM Identity and Access Management (includes state support) • Route53 DNS (includes state support) • Security Groups (includes state support) • Simple Queue Service (includes state support) LXC Runner Enhancements BETA The Salt LXC management system has received a number of enhancements which make running an LXC cloud entirely from Salt an easy proposition. Next Gen Docker Management The Docker support in Salt has been increased at least ten fold. The Docker API is now completely exposed and Salt ships with Docker data tracking systems which make automating Docker deployments very easy. Peer System Performance Improvements The peer system communication routines have been refined to make the peer system substantially faster. SDB Encryption at rest for configs GPG Renderer Encrypted pillar at rest OpenStack Expansion Lots of new OpenStack stuff Queues System Ran change external queue systems into Salt events Multi Master Failover Additions Connecting to multiple masters is more dynamic then ever Chef Execution Module Managing Chef with Salt just got even easier! salt-api Project Merge The salt-api project has been merged into Salt core and is now available as part of the regular salt-master package install. No API changes were made, the salt-api script and init scripts remain intact. salt-api has always provided Yet Another Pluggable Interface to Salt (TM) in the form of "netapi" modules. These are modules that bind to a port and start a service. Like many of Salt's other module types, netapi modules often have library and configuration dependencies. See the documentation for each module for instructions. SEE ALSO: The full list of netapi modules. Synchronous and Asynchronous Execution of Runner and Wheel Modules salt.runner.RunnerClient and salt.wheel.WheelClient have both gained complimentary cmd_sync and cmd_async methods allowing for synchronous and asynchronous execution of any Runner or Wheel module function, all protected using Salt's external authentication system. salt-api benefits from this addition as well. rest_cherrypy Additions The rest_cherrypy netapi module provides the main REST API for Salt. Web Hooks This release of course includes the Web Hook additions from the most recent salt-api release, which allows external services to signal actions within a Salt infrastructure. External services such as Amazon SNS, Travis-CI, or GitHub, as well as internal services that cannot or should not run a Salt minion daemon can be used as first-class components in Salt's rich orchestration capabilities. The raw HTTP request body is now available in the event data. This is sometimes required information for checking an HMAC signature in order to verify a HTTP request. As an example, Amazon or GitHub requests are signed this way. Generating and Accepting Minion Keys The /key convenience URL generates a public and private key for a minion, automatically pre-accepts the public key on the Salt Master, and returns both keys as a tarball for download. This allows for easily bootstrapping the key on a new minion with a single HTTP call, such as with a Kickstart script, all using regular shell tools. curl -sS http://salt-api.example.com:8000/keys \ -d mid=jerry \ -d username=kickstart \ -d password=kickstart \ -d eauth=pam \ -o jerry-salt-keys.tar Fileserver Backend Enhancements All of the fileserver backends have been overhauled to be faster, lighter, and more reliable. The VCS backends (gitfs, hgfs, and svnfs) have also received a lot of new features. Additionally, most config parameters for the VCS backends can now be configured on a per-remote basis, allowing for global config parameters to be overridden for a specific gitfs/hgfs/svnfs remote. New gitfs Features Pygit2 and Dulwich In addition to supporting GitPython, support for pygit2 (0.20.3 and newer) and dulwich have been added. Provided a compatible version of pygit2 is installed, it will now be the default provider. The config parameter gitfs_provider has been added to allow one to choose a specific provider for gitfs. Mountpoints Prior to this release, to serve a file from gitfs at a salt fileserver URL of salt://foo/bar/baz.txt, it was necessary to ensure that the parent directories existed in the repository. A new config parameter gitfs_mountpoint allows gitfs remotes to be exposed starting at a user-defined salt:// URL. Environment Whitelisting/Blacklisting By default, gitfs will expose all branches and tags as Salt fileserver environments. Two new config parameters, gitfs_env_whitelist, and gitfs_env_blacklist, allow more control over which branches and tags are exposed. More detailed information on how these two options work can be found in the Gitfs Walkthrough. Expanded Authentication Support As of pygit2 0.20.3, both http(s) and SSH key authentication are supported, and Salt now also supports both authentication methods when using pygit2. Keep in mind that pygit2 0.20.3 is not yet available on many platforms, so those who had been using authenticated git repositories with a passphraseless key should stick to GitPython if a new enough pygit2 is not yet available for the platform on which the master is running. A full explanation of how to use authentication can be found in the Gitfs Walkthrough. New hgfs Features Mountpoints This feature works exactly like its gitfs counterpart. The new config parameter is called hgfs_mountpoint. Environment Whitelisting/Blacklisting This feature works exactly like its gitfs counterpart. The new config parameters are called hgfs_env_whitelist and hgfs_env_blacklist. New svnfs Features Mountpoints This feature works exactly like its gitfs counterpart. The new config parameter is called svnfs_mountpoint. Environment Whitelisting/Blacklisting This feature works exactly like its gitfs counterpart. The new config parameters are called svnfs_env_whitelist and svnfs_env_blacklist. Configurable Trunk/Branches/Tags Paths Prior to this release, the paths where trunk, branches, and tags were located could only be in directories named "trunk", "branches", and "tags" directly under the root of the repository. Three new config parameters (svnfs_trunk, svnfs_branches, and svnfs_tags) allow SVN repositories which are laid out differently to be used with svnfs. New minionfs Features Mountpoint This feature works exactly like its gitfs counterpart. The new config parameter is called minionfs_mountpoint. The one major difference is that, as minionfs doesn't use multiple remotes (it just serves up files pushed to the master using cp.push) there is no such thing as a per-remote configuration for minionfs_mountpoint. Changing the Saltenv from Which Files are Served A new config parameter (minionfs_env) allows minionfs files to be served from a Salt fileserver environment other than base. Minion Whitelisting/Blacklisting By default, minionfs will expose the pushed files from all minions. Two new config parameters, minionfs_whitelist, and minionfs_blacklist, allow minionfs to be restricted to serve files from only the desired minions. Pyobjects Renderer Salt now ships with with the Pyobjects Renderer that allows for construction of States using pure Python with an idiomatic object interface. New Modules In addition to the Amazon modules mentioned above, there are also several other new execution modules: • Oracle • Random • Redis • Amazon Simple Queue Service • Block Device Management • CoreOS etcd • Genesis • InfluxDB • Server Density • Twilio Notifications • Varnish • ZNC IRC Bouncer • SMTP New Runners • Map/Reduce Style • Queue New External Pillars • CoreOS etcd New Salt-Cloud Providers • Aliyun ECS Cloud • LXC Containers • Proxmox (OpenVZ containers & KVM) Salt Call Change When used with a returner, salt-call now contacts a master if --local is not specicified. Deprecations salt.modules.virtualenv_mod • Removed deprecated memoize function from salt/utils/__init__.py (deprecated) • Removed deprecated no_site_packages argument from create function (deprecated) • Removed deprecated check_dns argument from minion_config and apply_minion_config functions (deprecated) • Removed deprecated OutputOptionsWithTextMixIn class from salt/utils/parsers.py (deprecated) • Removed the following deprecated functions from salt/modules/ps.py: - physical_memory_usage (deprecated) - virtual_memory_usage (deprecated) - cached_physical_memory (deprecated) - physical_memory_buffers (deprecated) • Removed deprecated cloud arguments from cloud_config function in salt/config.py: - vm_config (deprecated) - vm_config_path (deprecated) • Removed deprecated libcloud_version function from salt/cloud/libcloudfuncs.py (deprecated) • Removed deprecated CloudConfigMixIn class from salt/utils/parsers.py (deprecated) Salt 2014.7.1 Release Notes release 2015-01-12 Version 2014.7.1 is a bugfix release for 2014.7.0. The changes include: • Fixed gitfs serving symlinks in file.recurse states (issue 17700) • Fixed holding of multiple packages (YUM) when combined with version pinning (issue 18468) • Fixed use of Jinja templates in masterless mode with non-roots fileserver backend (issue 17963) • Re-enabled pillar and compound matching for mine and publish calls. Note that pillar globbing is still disabled for those modes, for security reasons. (issue 17194) • Fix for tty: True in salt-ssh (issue 16847) • Fix for supervisord states when supervisor not installed to system python (issue 18044) • Fix for logging when log_level='quiet' for cmd.run (issue 19479) Salt 2014.7.2 Release Notes release 2015-02-09 Version 2014.7.2 is a bugfix release for 2014.7.0. The changes include: • Fix erroneous warnings for systemd service enabled check (issue 19606) • Fix FreeBSD kernel module loading, listing, and persistence kmod (issue 197151, issue 19682) • Allow case-sensitive npm package names in the npm state. This may break behavior for people expecting the state to lowercase their npm package names for them. The npm module was never affected by mandatory lowercasing. (issue 20329) • Deprecate the activate parameter for pip.install for both the module and the state. If bin_env is given and points to a virtualenv, there is no need to activate that virtualenv in a shell for pip to install to the virtualenv. • Fix a file-locking bug in gitfs (issue 18839) • Deprecated archive_user in favor of standardized user parameter in state and added group parameter. Salt 2014.7.3 Release Notes release TBA Version 2014.7.3 is a bugfix release for 2014.7.0. Changes: • Multi-master minions mode no longer route fileclient operations asymetrically. This fixes the source of many multi-master bugs where the minion would become unrepsonsive from one or more masters. • Fix bug wherein network.iface could produce stack traces. • net.arp will no longer be made available unless arp is installed on the system. • Major performance improvements to Saltnado • Allow KVM module to operate under KVM itself or VMWare Fusion • Various fixes to the Windows installation scripts • Fix issue where the syndic would not correctly propagate loads to the master job cache. • Improve error handling on invalid /etc/network/interfaces file in salt networking modules • Fix bug where a response status was not checked for in fileclient.get_url • Enable eauth when running salt in batch mode • Increase timeout in Boto Route53 module • Fix bugs with Salt's 'tar' module option parsing • Fix parsing of NTP servers on Windows • Fix issue with blockdev tuning not reporting changes correctly • Update to the latest Salt bootstrap script • Update Linode salt-cloud driver to use either linode-python or apache-libcloud • Fix for s3.query function to return correct headers • Fix for s3.head returning None for files that exist • Fix the disable function in win_service module so that the service is disabled correctly • Fix race condition between master and minion when making a directory when both daemons are on the same host • Fix an issue where file.recurse would fail at the root of an svn repo when the repo has a mountpoint • Fix an issue where file.recurse would fail at the root of an hgfs repo when the repo has a mountpoint • Fix an issue where file.recurse would fail at the root of an gitfs repo when the repo has a mountpoint • Add status.master capability for Windows. • Various fixes to ssh_known_hosts • Various fixes to states.network bonding for Debian • The debian_ip.get_interfaces module no longer removes nameservers. • Better integration between grains.virtual and systemd-detect-virt and virt-what • Fix traceback in sysctl.present state output • Fix for issue where mount.mounted would fail when superopts were not a part of mount.active (extended=True). Also mount.mounted various fixes for Solaris and FreeBSD. • Fix error where datetimes were not correctly safeguarded before being passed into msgpack. • Fix file.replace regressions. If the pattern is not found, and if dry run is False, and if backup is False, and if a pre-existing file exists with extension .bak, then that backup file will be overwritten. This backup behavior is a result of how fileinput works. Fixing it requires either passing through the file twice (the first time only to search for content and set a flag), or rewriting file.replace so it doesn't use fileinput • VCS filreserver fixes/optimizations • Catch fileserver configuration errors on master start • Raise errors on invalid gitfs configurations • set_locale when locale file does not exist (Redhat family) • Fix to correctly count active devices when created mdadm array with spares • Fix to correctly target minions in batch mode • Support ssh:// urls using the gitfs dulwhich backend • New fileserver runner • Fix various bugs with argument parsing to the publish module. • Fix disk.usage for Synology OS • Fix issue with tags occurring twice with docker.pulled • Fix incorrect key error in SMTP returner • Fix condition which would remount loopback filesystems on every state run • Remove requsites from listens after they are called in the state system • Make system implementation of service.running aware of legacy service calls • Fix issue where publish.publish would not handle duplicate responses gracefully. • Accept Kali Linux for aptpkg salt execution module • Fix bug where cmd.which could not handle a dirname as an argument • Fix issue in ps.pgrep where exceptions were thrown on Windows. Known issues: • In multimaster mode, a minion may become temporarily unresponsive if modules or pillars are refreshed at the same time that one or more masters are down. This can be worked around by setting 'auth_timeout' and 'auth_tries' down to shorter periods. Salt 2014.7.4 Release Notes release 2015-03-30 Version 2014.7.4 is a bugfix release for 2014.7.0. This is a security release. The security issues fixed have only been present since 2014.7.0, and only users of the two listed modules are vulnerable. The following CVEs have been resolved: • CVE-2015-1838 SaltStack: insecure /tmp file handling in salt/modules/serverdensity_device.py • CVE-2015-1839 SaltStack: insecure /tmp file handling in salt/modules/chef.py Changes: • Multi-master minions mode no longer route fileclient operations asymetrically. This fixes the source of many multi-master bugs where the minion would become unrepsonsive from one or more masters. • Fix bug wherein network.iface could produce stack traces. • net.arp will no longer be made available unless arp is installed on the system. • Major performance improvements to Saltnado • Allow KVM module to operate under KVM itself or VMWare Fusion • Various fixes to the Windows installation scripts • Fix issue where the syndic would not correctly propagate loads to the master job cache. • Improve error handling on invalid /etc/network/interfaces file in salt networking modules • Fix bug where a response status was not checked for in fileclient.get_url • Enable eauth when running salt in batch mode • Increase timeout in Boto Route53 module • Fix bugs with Salt's 'tar' module option parsing • Fix parsing of NTP servers on Windows • Fix issue with blockdev tuning not reporting changes correctly • Update to the latest Salt bootstrap script • Update Linode salt-cloud driver to use either linode-python or apache-libcloud • Fix for s3.query function to return correct headers • Fix for s3.head returning None for files that exist • Fix the disable function in win_service module so that the service is disabled correctly • Fix race condition between master and minion when making a directory when both daemons are on the same host • Fix an issue where file.recurse would fail at the root of an svn repo when the repo has a mountpoint • Fix an issue where file.recurse would fail at the root of an hgfs repo when the repo has a mountpoint • Fix an issue where file.recurse would fail at the root of an gitfs repo when the repo has a mountpoint • Add status.master capability for Windows. • Various fixes to ssh_known_hosts • Various fixes to states.network bonding for Debian • The debian_ip.get_interfaces module no longer removes nameservers. • Better integration between grains.virtual and systemd-detect-virt and virt-what • Fix traceback in sysctl.present state output • Fix for issue where mount.mounted would fail when superopts were not a part of mount.active (extended=True). Also mount.mounted various fixes for Solaris and FreeBSD. • Fix error where datetimes were not correctly safeguarded before being passed into msgpack. • Fix file.replace regressions. If the pattern is not found, and if dry run is False, and if backup is False, and if a pre-existing file exists with extension .bak, then that backup file will be overwritten. This backup behavior is a result of how fileinput works. Fixing it requires either passing through the file twice (the first time only to search for content and set a flag), or rewriting file.replace so it doesn't use fileinput • VCS filreserver fixes/optimizations • Catch fileserver configuration errors on master start • Raise errors on invalid gitfs configurations • set_locale when locale file does not exist (Redhat family) • Fix to correctly count active devices when created mdadm array with spares • Fix to correctly target minions in batch mode • Support ssh:// urls using the gitfs dulwhich backend • New fileserver runner • Fix various bugs with argument parsing to the publish module. • Fix disk.usage for Synology OS • Fix issue with tags occurring twice with docker.pulled • Fix incorrect key error in SMTP returner • Fix condition which would remount loopback filesystems on every state run • Remove requsites from listens after they are called in the state system • Make system implementation of service.running aware of legacy service calls • Fix issue where publish.publish would not handle duplicate responses gracefully. • Accept Kali Linux for aptpkg salt execution module • Fix bug where cmd.which could not handle a dirname as an argument • Fix issue in ps.pgrep where exceptions were thrown on Windows. Known issues: • In multimaster mode, a minion may become temporarily unresponsive if modules or pillars are refreshed at the same time that one or more masters are down. This can be worked around by setting 'auth_timeout' and 'auth_tries' down to shorter periods. • There are known issues with batch mode operating on the incorrect number of minions. This bug can be patched with the change in Pull Request #22464. • The fun, state, and unless keywords are missing from the state internals, which can cause problems running some states. This bug can be patched with the change in Pull Request #22365. Salt 2014.7.5 Release Notes release 2015-04-16 Version 2014.7.5 is a bugfix release for 2014.7.0. Changes: • Fixed a key error bug in salt-cloud • Updated man pages to better match documentation • Fixed bug concerning high CPU usage with salt-ssh • Fixed bugs with remounting cvfs and fuse filesystems • Fixed bug with alowing requisite tracking of entire sls files • Fixed bug with aptpkg.mod_repo returning OK even if apt-add-repository fails • Increased frequency of ssh terminal output checking • Fixed malformed locale string in localmod module • Fixed checking of available version of package when accept_keywords were changed • Fixed bug to make git.latest work with empty repositories • Added **kwargs to service.mod_watch which removes warnings about enable and __reqs__ not being supported by the function • Improved state comments to not grow so quickly on failed requisites • Added force argument to service to trigger force_reload • Fixed bug to andle pkgrepo keyids that have been converted to int • Fixed module.portage_config bug with appending accept_keywords • Fixed bug to correctly report disk usage on windows minion • Added the ability to specify key prefix for S3 ext_pillar • Fixed issues with batch mode operating on the incorrect number of minions • Fixed a bug with the proxmox cloud provider stacktracing on disk definition • Fixed a bug with the changes dictionary in the file state • Fixed the TCP keep alive settings to work better with SREQ caching • Fixed many bugs within the iptables state and module • Fixed bug with states by adding fun, state, and unless to the state runtime internal keywords listing • Added ability to eAuth against Active Directory • Fixed some salt-ssh issues when running on Fedora 21 • Fixed grains.get_or_set_hash to work with multiple entries under same key • Added better explanations and more examples of how the Reactor calls functions to docs • Fixed bug to not pass ex_config_drive to libcloud unless it's explicitly enabled • Fixed bug with pip.install on windows • Fixed bug where puppet.run always returns a 0 retcode • Fixed race condition bug with minion scheduling via pillar • Made efficiency improvements and bug fixes to the windows installer • Updated environment variables to fix bug with pygit2 when running salt as non-root user • Fixed cas behavior on data module -- data.cas was not saving changes • Fixed GPG rendering error • Fixed strace error in virt.query • Fixed stacktrace when running chef-solo command • Fixed possible bug wherein uncaught exceptions seem to make zmq3 tip over when threading is involved • Fixed argument passing to the reactor • Fixed glibc caching to prevent bug where salt-minion getaddrinfo in dns_check() never got updated nameservers Known issues: • In multimaster mode, a minion may become temporarily unresponsive if modules or pillars are refreshed at the same time that one or more masters are down. This can be worked around by setting 'auth_timeout' and 'auth_tries' down to shorter periods. Salt 2014.7.6 Release Notes release 2015-05-18 Version 2014.7.6 is a bugfix release for 2014.7.0. This release is a security release. A minor issue was found, as cited below: • CVE-2015-4017 -- Certificates are not verified when connecting to server in the Aliyun and Proxmox modules Only users of the Aliyun or Proxmox cloud modules are at risk. The vulnerability does not exist in the latest 2015.5.0 release of Salt. Changes: • salt.runners.cloud.action() has changed the fun keyword argument to func. Please update any calls to this function in the cloud runner. Extended Changelog Courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): • PR #23810: (rallytime) Backport #23757 to 2014.7 @ 2015-05-18T15:30:21Z • PR #23757: (clan) use abspath, do not eliminating symlinks | refs: #23810 • aee00c8 Merge pull request #23810 from rallytime/bp-23757 • fb32c32 use abspath, do not eliminating symlinks • PR #23809: (rallytime) Fix virtualport section of virt.get_nics loop @ 2015-05-18T15:30:09Z • ISSUE #20198: (jcftang) virt.get_graphics, virt.get_nics are broken, in turn breaking other things | refs: #23809 • PR #21487: (rallytime) Backport #21469 to 2014.7 | refs: #23809 • PR #21469: (vdesjardins) fixes #20198: virt.get_graphics and virt.get_nics calls in module virt | refs: #21487 • 6b3352b Merge pull request #23809 from rallytime/virt_get_nics_fix • 0616fb7 Fix virtualport section of virt.get_nics loop • PR #23823: (gtmanfred) add link local for ipv6 @ 2015-05-17T12:48:25Z • 188f03f Merge pull request #23823 from gtmanfred/2014.7 • 5ef006d add link local for ipv6 • PR #23802: (gtmanfred) if it is ipv6 ip_to_int will fail @ 2015-05-16T04:06:59Z • PR #23573: (techhat) Scan all available networks for public and private IPs | refs: #23802 • f3ca682 Merge pull request #23802 from gtmanfred/2014.7 • 2da98b5 if it is ipv6 ip_to_int will fail • PR #23488: (cellscape) LXC cloud fixes @ 2015-05-15T18:09:35Z • ISSUE #16424: (stanvit) salt-run cloud.create fails with saltify • d9af0c3 Merge pull request #23488 from cellscape/lxc-cloud-fixes • 64250a6 Remove profile from opts after creating LXC container • c4047d2 Set destroy=True in opts when destroying cloud instance • 9e1311a Store instance names in opts when performing cloud action • 934bc57 Correctly pass custom env to lxc-attach • 7fb85f7 Preserve test=True option in cloud states • 9771b5a Fix detection of absent LXC container in cloud state • fb24f0c Report failure when failed to create/clone LXC container • 2d9aa2b Avoid shadowing variables in lxc module • 792e102 Allow overriding profile options in lxc.cloud_init_interface • 42bd64b Return changes on successful lxc.create from salt-cloud • 4409eab Return correct result when creating cloud LXC container • 377015c Issue #16424: List all providers when creating salt-cloud instance without profile • PR #23748: (basepi) [2014.7] Log salt-ssh roster render errors more assertively and verbosely @ 2015-05-14T22:38:10Z • ISSUE #22332: (rallytime) [salt-ssh] Add a check for host in /etc/salt/roster | refs: #23748 • 808bbe1 Merge pull request #23748 from basepi/salt-ssh.roster.host.check • bc53e04 Log entire exception for render errors in roster • 753de6a Log render errors in roster to error level • e01a7a9 Always let the real YAML error through • PR #23731: (twangboy) Fixes #22959: Trying to add a directory to an unmapped drive in windows @ 2015-05-14T21:59:14Z • ISSUE #22959: (highlyunavailable) Windows Salt hangs if file.directory is trying to write to a drive that doesn't exist • 72cf360 Merge pull request #23731 from twangboy/fix_22959 • 88e5495 Fixes #22959: Trying to add a directory to an unmapped drive in windows • PR #23730: (rallytime) Backport #23729 to 2014.7 @ 2015-05-14T21:58:34Z • PR #23729: (rallytime) Partially merge #23437 (grains fix) | refs: #23730 • PR #23437: (cedwards) Grains item patch | refs: #23729 • 2610195 Merge pull request #23730 from rallytime/bp-23729 • 1877cae adding support for nested grains to grains.item • PR #23688: (twangboy) Added inet_pton to utils/validate/net.py for ip.set_static_ip in windows @ 2015-05-14T16:15:56Z • 3e9df88 Merge pull request #23688 from twangboy/fix_23415 • 6a91169 Fixed unused-import pylint error • 5e25b3f fixed pylint errors • 1a96766 Added inet_pton to utils/validate/net.py for ip.set_static_ip in windows • PR #23680: (cachedout) Rename kwarg in cloud runner @ 2015-05-13T19:44:02Z • ISSUE #23403: (iamfil) salt.runners.cloud.action fun parameter is replaced | refs: #23680 • 1b86460 Merge pull request #23680 from cachedout/issue_23403 • d5986c2 Rename kwarg in cloud runner • PR #23674: (cachedout) Handle lists correctly in grains.list_prsesent @ 2015-05-13T18:34:58Z • ISSUE #23548: (kkaig) grains.list_present produces incorrect (?) output | refs: #23674 • cd64af0 Merge pull request #23674 from cachedout/issue_23548 • da8a2f5 Handle lists correctly in grains.list_prsesent • PR #23672: (twangboy) Fix user present @ 2015-05-13T18:30:09Z • d322a19 Merge pull request #23672 from twangboy/fix_user_present • 731e7af Merge branch '2014.7' of https://github.com/saltstack/salt into fix_user_present • d6f70a4 Fixed user.present to create password in windows • PR #23670: (rallytime) Backport #23607 to 2014.7 @ 2015-05-13T18:27:17Z • ISSUE #23604: (Azidburn) service.dead on systemd Minion create an Error Message | refs: #23607 • PR #23607: (Azidburn) Fix for #23604. No error reporting. Exitcode !=0 are ok | refs: #23670 • 43f7025 Merge pull request #23670 from rallytime/bp-23607 • ed30dc4 Fix for #23604. No error reporting. Exitcode !=0 are ok • PR #23661: (rallytime) Merge #23640 with whitespace fix @ 2015-05-13T15:47:30Z • ISSUE #22141: (Deshke) grains.get_or_set_hash render error if hash begins with "%" | refs: #23640 • PR #23640: (cachedout) Add warning to get_or_set_hash about reserved chars | refs: #23661 • 0f006ac Merge pull request #23661 from rallytime/merge-23640 • 4427f42 Whitespace fix • dd91154 Add warning to get_or_set_hash about reserved chars • PR #23639: (cachedout) Handle exceptions raised by __virtual__ @ 2015-05-13T15:11:12Z • ISSUE #23452: (michaelforge) minion crashed with empty grain | refs: #23639 • 84e2ef8 Merge pull request #23639 from cachedout/issue_23452 • d418b49 Syntax error! • 45b4015 Handle exceptions raised by __virtual__ • PR #23637: (cachedout) Convert str master to list @ 2015-05-13T15:08:19Z • ISSUE #23611: (hubez) master_type set to 'failover' but 'master' is not of type list but of type <type 'str'> | refs: #23637 • bd9b94b Merge pull request #23637 from cachedout/issue_23611 • 56cb1f5 Fix typo • f6fcf19 Convert str master to list • PR #23595: (rallytime) Backport #23549 to 2014.7 @ 2015-05-12T21:19:40Z • PR #23549: (vr-jack) Update __init__.py | refs: #23595 • f20c0e4 Merge pull request #23595 from rallytime/bp-23549 • 6efcac0 Update __init__.py • PR #23594: (rallytime) Backport #23496 to 2014.7 @ 2015-05-12T21:19:34Z • ISSUE #23110: (martinhoefling) Copying files from gitfs in file.recurse state fails • PR #23496: (martinhoefling) Fix for issue #23110 | refs: #23594 • 1acaf86 Merge pull request #23594 from rallytime/bp-23496 • d5ae1d2 Fix for issue #23110 This resolves issues when the freshly created directory is removed by fileserver.update. • PR #23593: (rallytime) Backport #23442 to 2014.7 @ 2015-05-12T21:19:26Z • PR #23442: (clan) add directory itself to keep list | refs: #23593 • 2c221c7 Merge pull request #23593 from rallytime/bp-23442 • 39869a1 check w/ low['name'] only • 304cc49 another fix for file defined w/ id, but require name • 8814d41 add directory itself to keep list • PR #23606: (twangboy) Fixed checkbox for starting service and actually starting it @ 2015-05-12T21:18:50Z • fadd1ef Merge pull request #23606 from twangboy/fix_installer • 038331e Fixed checkbox for starting service and actually starting it • PR #23592: (rallytime) Backport #23389 to 2014.7 @ 2015-05-12T16:44:42Z • ISSUE #22908: (karanjad) Add failhard option to salt orchestration | refs: #23389 • PR #23389: (cachedout) Correct fail_hard typo | refs: #23592 • 10b3f0f Merge pull request #23592 from rallytime/bp-23389 • 734cc43 Correct fail_hard typo • PR #23573: (techhat) Scan all available networks for public and private IPs | refs: #23802 @ 2015-05-12T15:22:22Z • cd34b9b Merge pull request #23573 from techhat/novaquery • f92db5e Linting • 26e00d3 Scan all available networks for public and private IPs • PR #23558: (jfindlay) reorder emerge command line @ 2015-05-12T15:17:46Z • ISSUE #23479: (danielmorlock) Typo in pkg.removed for Gentoo? | refs: #23558 • 2a72cd7 Merge pull request #23558 from jfindlay/fix_ebuild • 45404fb reorder emerge command line • PR #23530: (dr4Ke) salt-ssh state: fix including all salt:// references @ 2015-05-12T15:13:43Z • ISSUE #23355: (dr4Ke) salt-ssh: 'sources: salt://' files from 'pkg' state are not included in salt_state.tgz | refs: #23530 • a664a3c Merge pull request #23530 from dr4Ke/fix_salt-ssh_to_include_pkg_sources • 5df6a80 fix pylint warning • d0549e5 salt-ssh state: fix including all salt:// references • PR #23433: (twangboy) Obtain all software from the registry @ 2015-05-11T22:47:52Z • ISSUE #23004: (b18) 2014.7.5 - Windows - pkg.list_pkgs - "nxlog" never shows up in output. | refs: #23433 • 55c3869 Merge pull request #23433 from twangboy/list_pkgs_fix • 8ab5b1b Fix pylint error • 2d11d65 Obtain all software from the registry • PR #23554: (jleroy) Debian: Hostname always updated @ 2015-05-11T21:57:00Z • 755bed0 Merge pull request #23554 from jleroy/debian-hostname-fix • 5ff749e Debian: Hostname always updated • PR #23551: (dr4Ke) grains.append unit tests, related to #23474 @ 2015-05-11T21:54:25Z • 6ec87ce Merge pull request #23551 from dr4Ke/grains.append_unit_tests • ebff9df fix pylint errors • c495404 unit tests for grains.append module function • 0c9a323 use MagickMock • c838a22 unit tests for grains.append module function • PR #23474: (dr4Ke) Fix grains.append in nested dictionary grains #23411 @ 2015-05-11T18:00:21Z • ISSUE #23411: (dr4Ke) grains.append should work at any level of a grain | refs: #23440 • PR #23440: (dr4Ke) fix grains.append in nested dictionary grains #23411 | refs: #23474 • e96c5c5 Merge pull request #23474 from dr4Ke/fix_grains.append_nested • a01a5bb grains.get, parameter delimititer, versionadded: 2014.7.6 • b39f504 remove debugging output • b6e15e2 fix grains.append in nested dictionary grains #23411 • PR #23537: (t0rrant) Update changelog @ 2015-05-11T17:02:16Z • ab7e1ae Merge pull request #23537 from t0rrant/patch-1 • 8e03cc9 Update changelog • PR #23538: (cro) Update date in LICENSE file @ 2015-05-11T15:19:25Z • b79fed3 Merge pull request #23538 from cro/licupdate • 345efe2 Update date in LICENSE file • PR #23505: (aneeshusa) Remove unused ssh config validator. Fixes #23159. @ 2015-05-09T13:24:15Z • ISSUE #23159: (aneeshusa) Unused validator • a123a36 Merge pull request #23505 from aneeshusa/remove-unused-ssh-config-validator • 90af167 Remove unused ssh config validator. Fixes #23159. • PR #23467: (slinu3d) Added AWS v4 signature support @ 2015-05-08T14:36:19Z • ISSUE #20518: (ekle) module s3.get does not support eu-central-1 | refs: #23467 • ca2c21a Merge pull request #23467 from slinu3d/2014.7 • 0b4081d Fixed pylint error at line 363 • 5be5eb5 Fixed pylink errors • e64f374 Fixed lint errors • b9d1ac4 Added AWS v4 signature support • PR #23444: (techhat) Add create_attach_volume to nova driver @ 2015-05-07T19:51:32Z • e6f9eec Merge pull request #23444 from techhat/novacreateattach • ebdb7ea Add create_attach_volume to nova driver • PR #23460: (s0undt3ch) [2014.7] Update to latest stable bootstrap script v2015.05.07 @ 2015-05-07T19:10:54Z • ISSUE #563: (chutz) pidfile support for minion and master daemons | refs: #23460 • e331463 Merge pull request #23460 from s0undt3ch/hotfix/bootstrap-script-2014.7 • edcd0c4 Update to latest stable bootstrap script v2015.05.07 • PR #23439: (techhat) Add wait_for_passwd_maxtries variable @ 2015-05-07T07:28:56Z • 7a8ce1a Merge pull request #23439 from techhat/maxtries • 0ad3ff2 Add wait_for_passwd_maxtries variable • PR #23422: (cro) $HOME should not be used, some shells don't set it. @ 2015-05-06T21:02:36Z • 644eb75 Merge pull request #23422 from cro/gce_sh_home • 4ef9e6b Don't use $HOME to find user's directory, some shells don't set it • PR #23425: (basepi) [2014.7] Fix typo in FunctionWrapper @ 2015-05-06T20:38:03Z • ef17ab4 Merge pull request #23425 from basepi/functionwrapper_typo • c390737 Fix typo in FunctionWrapper • PR #23385: (rallytime) Backport #23346 to 2014.7 @ 2015-05-06T20:12:29Z • PR #23346: (ericfode) Allow file_map in salt-cloud to handle folders. | refs: #23385 • 1b13ec0 Merge pull request #23385 from rallytime/bp-23346 • 9efc13c more linting fixes • cf131c9 cleaned up some pylint errors • f981699 added logic to sftp_file and file_map to allow folder uploads using file_map • PR #23414: (jfindlay) 2015.2 -> 2015.5 @ 2015-05-06T20:04:02Z • f8c7a62 Merge pull request #23414 from jfindlay/update_branch • 8074d16 2015.2 -> 2015.5 • PR #23404: (hvnsweeting) saltapi cherrypy: initialize var when POST body is empty @ 2015-05-06T17:35:56Z • 54b3bd4 Merge pull request #23404 from hvnsweeting/cherrypy-post-emptybody-fix • f85f8f9 initialize var when POST body is empty • PR #23409: (terminalmage) Update Lithium docstrings in 2014.7 branch @ 2015-05-06T16:20:46Z • 160f703 Merge pull request #23409 from terminalmage/update-lithium-docstrings-2014.7 • bc97d01 Fix sphinx typo • 20006b0 Update Lithium docstrings in 2014.7 branch • PR #23397: (jfindlay) add more flexible whitespace to locale_gen search @ 2015-05-06T03:44:11Z • ISSUE #17245: (tomashavlas) localemod does not generate locale for Arch | refs: #23307 #23397 • aa5fb0a Merge pull request #23397 from jfindlay/fix_locale_gen • 0941fef add more flexible whitespace to locale_gen search • PR #23368: (kaithar) Backport #23367 to 2014.7 @ 2015-05-05T21:42:26Z • PR #23367: (kaithar) Put the sed insert statement back in to the output. | refs: #23368 • PR #18368: (basepi) Merge forward from 2014.7 to develop | refs: #23367 #23368 • 0c76dd4 Merge pull request #23368 from kaithar/bp-23367 • 577f419 Pylint fix • 8d9acd1 Put the sed insert statement back in to the output. • PR #23350: (lorengordon) Append/prepend: search for full line @ 2015-05-05T21:42:11Z • ISSUE #23294: (variia) file.replace fails to append if repl string partially available | refs: #23350 • 3493cc1 Merge pull request #23350 from lorengordon/file.replace_assume_line • b60e224 Append/prepend: search for full line • PR #23341: (cachedout) Fix syndic pid and logfile path @ 2015-05-05T21:29:10Z • ISSUE #23026: (adelcast) Incorrect salt-syndic logfile and pidfile locations | refs: #23341 • 7be5c48 Merge pull request #23341 from cachedout/issue_23026 • e98e65e Fix tests • 6011b43 Fix syndic pid and logfile path • PR #23272: (basepi) [2014.7] Allow salt-ssh minion config overrides via master config and roster | refs: #23347 @ ** • ISSUE #19114: (pykler) salt-ssh and gpg pillar renderer | refs: #23188 #23272 #23347 • PR #23188: (basepi) [2014.7] Work around bug in salt-ssh in config.get for gpg renderer | refs: #23272 • ea61abf Merge pull request #23272 from basepi/salt-ssh.minion.config.19114 • c223309 Add versionadded • be7407f Lint • c2c3375 Missing comma • 8e3e8e0 Pass the minion_opts through the FunctionWrapper • cb69cd0 Match the master config template in the master config reference • 87fc316 Add Salt-SSH section to master config template • 91dd9dc Add ssh_minion_opts to master config ref • c273ea1 Add minion config to salt-ssh doc • a0b6b76 Add minion_opts to roster docs • 5212c35 Accept minion_opts from the target information • e2099b6 Process ssh_minion_opts from master config • 3b64214 Revert "Work around bug in salt-ssh in config.get for gpg renderer" • 494953a Remove the strip (embracing multi-line YAML dump) • fe87f0f Dump multi-line yaml into the SHIM • b751a72 Inject local minion config into shim if available • PR #23347: (basepi) [2014.7] Salt-SSH Backport FunctionWrapper.__contains__ @ 2015-05-05T14:13:21Z • ISSUE #19114: (pykler) salt-ssh and gpg pillar renderer | refs: #23188 #23272 #23347 • PR #23272: (basepi) [2014.7] Allow salt-ssh minion config overrides via master config and roster | refs: #23347 • PR #23188: (basepi) [2014.7] Work around bug in salt-ssh in config.get for gpg renderer | refs: #23272 • 4f760dd Merge pull request #23347 from basepi/salt-ssh.functionwrapper.contains.19114 • 30595e3 Backport FunctionWrapper.__contains__ • PR #23344: (cachedout) Explicitly set file_client on master @ 2015-05-04T23:21:48Z • ISSUE #22742: (hvnsweeting) salt-master says: "This master address: 'salt' was previously resolvable but now fails to resolve!" | refs: #23344 • 02658b1 Merge pull request #23344 from cachedout/issue_22742 • 5adc96c Explicitly set file_client on master • PR #23318: (cellscape) Honor seed argument in LXC container initializaton @ 2015-05-04T20:58:12Z • PR #23311: (cellscape) Fix new container initialization in LXC runner | refs: #23318 • ba7605d Merge pull request #23318 from cellscape/honor-seed-argument • 228b1be Honor seed argument in LXC container initializaton • PR #23307: (jfindlay) check for /etc/locale.gen @ 2015-05-04T20:56:32Z • ISSUE #17245: (tomashavlas) localemod does not generate locale for Arch | refs: #23307 #23397 • 4ac4509 Merge pull request #23307 from jfindlay/fix_locale_gen • 101199a check for /etc/locale.gen • PR #23324: (s0undt3ch) [2014.7] Update to the latest stable release of the bootstrap script v2015.05.04 @ 2015-05-04T16:28:30Z • ISSUE #580: (thatch45) recursive watch not being caught | refs: #23324 • ISSUE #552: (jhutchins) Support require and watch under the same state dec | refs: #23324 • PR #589: (epoelke) add --quiet and --outfile options to saltkey | refs: #23324 • PR #567: (bastichelaar) Added upstart module | refs: #23324 • PR #560: (UtahDave) The runas feature that was added in 93423aa2e5e4b7de6452090b0039560d2b13... | refs: #23324 • PR #504: (SEJeff) File state goodies | refs: #23324 • f790f42 Merge pull request #23324 from s0undt3ch/hotfix/bootstrap-script-2014.7 • 6643e47 Update to the latest stable release of the bootstrap script v2015.05.04 • PR #23329: (cro) Require requests to verify cert when talking to aliyun and proxmox cloud providers @ 2015-05-04T16:18:17Z • 5487367 Merge pull request #23329 from cro/cloud_verify_cert • 860d4b7 Turn on ssl verify for requests. • PR #23311: (cellscape) Fix new container initialization in LXC runner | refs: #23318 @ 2015-05-04T09:55:29Z • ea20176 Merge pull request #23311 from cellscape/fix-salt-cloud-lxc-init • 76fbb34 Fix new container initialization in LXC runner • PR #23298: (chris-prince) Fixed issue #18880 in 2014.7 branch @ 2015-05-03T15:49:41Z • ISSUE #18880: (johtso) npm installed breaks when a module is missing • c399b8f Merge pull request #23298 from chris-prince/2014.7 • 0fa25db Fixed issue #18880 in 2014.7 branch • PR #23292: (rallytime) Merge #23151 with pylint fixes @ 2015-05-02T03:54:12Z • ISSUE #23148: (cr1st1p) virt - error handling bogus if machine image location is wrong • PR #23151: (cr1st1p) Fixes #23148 | refs: #23292 • 16ecefd Merge pull request #23292 from rallytime/merge-23151 • 8ff852a Merge #23151 with pylint fixes • 8ffa12e Fixes #23148 • PR #23274: (basepi) [2014.7] Reduce salt-ssh debug log verbosity @ 2015-05-01T20:19:23Z • ce24315 Merge pull request #23274 from basepi/salt-ssh.debug.verbosity • ecee6c6 Log stdout and stderr to trace • 08f54d7 Log stdout and stderr to trace as well • 9b9c30f Reduce salt-ssh debug log verbosity • PR #23261: (rallytime) Fix tornado websocket event handler registration @ 2015-05-01T18:20:31Z • ISSUE #22605: (mavenAtHouzz) Tornado websockets event Handlers registration are incorrect | refs: #23261 • 7b55e43 Merge pull request #23261 from rallytime/fix-22605 • 4950fbf Fix tornado websocket event handler registration • PR #23258: (teizz) TCP keepalives on the ret side, Revisited. @ 2015-05-01T16:13:49Z • 83ef7cb Merge pull request #23258 from teizz/ret_keepalive_2014_7_5 • 0b9fb6f The fixes by cachedout which were backported into 2015_2 were missing a single parameter thus not setting up the TCP keepalive for the ZeroMQ Channel by default. • PR #23241: (techhat) Move iptables log options after the jump @ 2015-05-01T01:31:59Z • ISSUE #23224: (twellspring) iptables.append --log parameters must be after --jump LOG | refs: #23241 • 8de3c83 Merge pull request #23241 from techhat/issue23224 • 87f7948 Move iptables log options after the jump • PR #23228: (rallytime) Backport #23171 to 2014.7 @ 2015-04-30T21:09:45Z • PR #23171: (skizunov) Bugfix: 'clean_proc_dir' is broken | refs: #23228 • f20210e Merge pull request #23228 from rallytime/bp-23171 • e670e99 Bugfix: 'clean_proc_dir' is broken • PR #23227: (rallytime) Backport #22808 to 2014.7 @ 2015-04-30T21:09:14Z • ISSUE #22703: (Xiol) salt-ssh does not work with list matcher | refs: #22808 • PR #22808: (basepi) [2015.2] Add list targeting to salt-ssh flat roster | refs: #23227 • 721cc28 Merge pull request #23227 from rallytime/bp-22808 • d208a00 Dict, not list • a3f529e It's already been converted to a list • dd57f2d Add list targeting to salt-ssh flat roster • PR #22823: (hvnsweeting) 22822 file directory clean @ 2015-04-30T15:25:51Z • 82c22af Merge pull request #22823 from hvnsweeting/22822-file-directory-clean • c749c27 fix lint - remove unnecessary parenthesis • cb3dfee refactor • 8924b5a refactor: use relpath instead of do it manually • d3060a5 refactor • 5759a0e bugfix: fix file.directory clean=True when it require parent dir • PR #22977: (bersace) Fix fileserver backends __opts__ overwritten by _pillar @ 2015-04-30T15:24:56Z • ISSUE #22941: (bersace) _pillar func breaks fileserver globals | refs: #22977 #22942 • PR #22942: (bersace) Fix fileserver backends global overwritten by _pillar | refs: #22977 • f6c0728 Merge pull request #22977 from bersace/fix-fileserver-backends-pillar-side-effect • 5f451f6 Fix fileserver backends __opts__ overwritten by _pillar • PR #23180: (jfindlay) fix typos from 36841bdd in masterapi.py @ 2015-04-30T15:22:41Z • ISSUE #23166: (claudiupopescu) "Error in function _minion_event" resulting in modules not loaded | refs: #23180 • 34206f7 Merge pull request #23180 from jfindlay/remote_event • 72066e1 fix typos from 36841bdd in masterapi.py • PR #23176: (jfindlay) copy standard cmd.run* kwargs into cmd.run_chroot @ 2015-04-30T15:22:12Z • ISSUE #23153: (cr1st1p) cmdmod : run_chroot - broken in 2014.7.5 - missing kwargs | refs: #23176 • b6b8216 Merge pull request #23176 from jfindlay/run_chroot • 7dc3417 copy standard cmd.run* kwargs into cmd.run_chroot • PR #23193: (joejulian) supervisord.mod_watch should accept sfun @ 2015-04-30T04:34:21Z • ISSUE #23192: (joejulian) supervisord mod_watch does not accept sfun | refs: #23193 • effacbe Merge pull request #23193 from joejulian/2014.7_supervisord_accept_sfun • efb59f9 supervisord.mod_watch should accept sfun • PR #23188: (basepi) [2014.7] Work around bug in salt-ssh in config.get for gpg renderer | refs: #23272 @ 2015-04-30T04:34:10Z • ISSUE #19114: (pykler) salt-ssh and gpg pillar renderer | refs: #23188 #23272 #23347 • 72fe88e Merge pull request #23188 from basepi/salt-ssh.function.wrapper.gpg.19114 • d73979e Work around bug in salt-ssh in config.get for gpg renderer • PR #23154: (cachedout) Re-establish channel on interruption in fileclient @ 2015-04-29T16:18:59Z • ISSUE #21480: (msciciel) TypeError: string indices must be integers, not str | refs: #23154 • 168508e Merge pull request #23154 from cachedout/refresh_channel • 9f8dd80 Re-establish channel on interruption in fileclient • PR #23146: (rallytime) Backport #20779 to 2014.7 @ 2015-04-28T20:45:06Z • ISSUE #20647: (ryan-lane) file.serialize fails to serialize due to ordered dicts | refs: #20779 • PR #20779: (cachedout) Use declared yaml options | refs: #23146 • 3b53e04 Merge pull request #23146 from rallytime/bp-20779 • ffd1849 compare OrderedDicts in serializer unit test • a221706 Just change serialize • a111798 Use declared yaml options • PR #23145: (rallytime) Backport #23089 to 2014.7 @ 2015-04-28T20:44:56Z • PR #23089: (cachedout) Stringify version number before lstrip | refs: #23145 • 8bb4664 Merge pull request #23145 from rallytime/bp-23089 • 93c41af Stringify version number before lstrip • PR #23144: (rallytime) Backport #23124 to 2014.7 @ 2015-04-28T20:44:46Z • ISSUE #16188: (drawks) salt.modules.parted has various functions with bogus input validation. | refs: #23124 • PR #23124: (ether42) fix parsing the output of parted in parted.list_() | refs: #23144 • c85d36f Merge pull request #23144 from rallytime/bp-23124-2014-7 • 6b64da7 fix parsing the output of parted • PR #23120: (terminalmage) Don't run os.path.relpath() if repo doesn't have a "root" param set @ 2015-04-28T15:46:54Z • a27b158 Merge pull request #23120 from terminalmage/fix-gitfs-relpath • 1860fff Don't run os.path.relpath() if repo doesn't have a "root" param set • PR #23132: (clinta) Backport b27c176 @ 2015-04-28T15:00:30Z • fcba607 Merge pull request #23132 from clinta/patch-2 • a824d72 Backport b27c176 • PR #23114: (rallytime) Adjust ZeroMQ 4 docs to reflect changes to Ubuntu 12 packages @ 2015-04-28T03:59:24Z • ISSUE #18476: (Auha) Upgrading salt on my master caused dependency issues | refs: #23114 #18610 • PR #18610: (rallytime) Make ZMQ 4 installation docs for ubuntu more clear | refs: #23114 • b0f4b28 Merge pull request #23114 from rallytime/remove_ubuntu_zmq4_docs • f6cc7c8 Adjust ZeroMQ 4 docs to reflect changes to Ubuntu 12 packages • PR #23108: (rallytime) Backport #23097 to 2014.7 @ 2015-04-28T03:58:05Z • ISSUE #23085: (xenophonf) Use "s3fs" (not "s3") in fileserver_roots | refs: #23097 • PR #23097: (rallytime) Change s3 to s3fs in fileserver_roots docs example | refs: #23108 • 399857f Merge pull request #23108 from rallytime/bp-23097 • fa88984 Change s3 to s3fs in fileserver_roots docs example • PR #23112: (basepi) [2014.7] Backport #22199 to fix mysql returner save_load errors @ 2015-04-28T03:55:44Z • ISSUE #22171: (basepi) We should only call returner.save_load once per jid | refs: #22199 • PR #22199: (basepi) [2015.2] Put a bandaid on the save_load duplicate issue (mysql returner) | refs: #23112 • 5541537 Merge pull request #23112 from basepi/mysql_returner_save_load • 0127012 Put a bandaid on the save_load duplicate issue • PR #23113: (rallytime) Revert "Backport #22895 to 2014.7" @ 2015-04-28T03:27:29Z • PR #22925: (rallytime) Backport #22895 to 2014.7 | refs: #23113 • PR #22895: (aletourneau) pam_tally counter was not reset to 0 after a succesfull login | refs: #22925 • dfe2066 Merge pull request #23113 from saltstack/revert-22925-bp-22895 • b957ea8 Revert "Backport #22895 to 2014.7" • PR #23094: (terminalmage) pygit2: disable cleaning of stale refs for authenticated remotes @ 2015-04-27T20:51:28Z • ISSUE #23013: (markusr815) gitfs regression with authenticated repos | refs: #23094 • 21515f3 Merge pull request #23094 from terminalmage/issue23013 • aaf7b04 pygit2: disable cleaning of stale refs for authenticated remotes • PR #23048: (jfindlay) py-2.6 compat for utils/boto.py ElementTree exception @ 2015-04-25T16:56:45Z • d45aa21 Merge pull request #23048 from jfindlay/ET_error • 64c42cc py-2.6 compat for utils/boto.py ElementTree exception • PR #23025: (jfindlay) catch exceptions on bad system locales/encodings @ 2015-04-25T16:56:30Z • ISSUE #22981: (syphernl) Locale state throwing traceback when generating not (yet) existing locale | refs: #23025 • d25a5c1 Merge pull request #23025 from jfindlay/fix_sys_locale • 9c4d62b catch exceptions on bad system locales/encodings • PR #22932: (hvnsweeting) bugfix: also manipulate dir_mode when source not defined @ 2015-04-25T16:54:58Z • 5e44b59 Merge pull request #22932 from hvnsweeting/file-append-bugfix • 3f368de do not use assert in execution module • 9d4fd4a bugfix: also manipulate dir_mode when source not defined • PR #23055: (jfindlay) prevent ps module errors on accessing dead procs @ 2015-04-24T22:39:49Z • ISSUE #23021: (ether42) ps.pgrep raises NoSuchProcess | refs: #23055 • c2416a4 Merge pull request #23055 from jfindlay/fix_ps • c2dc7ad prevent ps module errors on accessing dead procs • PR #23031: (jfindlay) convert exception e.message to just e @ 2015-04-24T18:38:13Z • bfd9158 Merge pull request #23031 from jfindlay/exception • 856bad1 convert exception e.message to just e • PR #23015: (hvnsweeting) if status of service is stop, there is not an error with it @ 2015-04-24T14:35:10Z • 7747f33 Merge pull request #23015 from hvnsweeting/set-non-error-lvl-for-service-status-log • 92ea163 if status of service is stop, there is not an error with it • PR #23000: (jfindlay) set systemd service killMode to process for minion @ 2015-04-24T03:42:39Z • ISSUE #22993: (jetpak) salt-minion restart causes all spawned daemons to die on centos7 (systemd) | refs: #23000 • 2e09789 Merge pull request #23000 from jfindlay/systemd_kill • 3d575e2 set systemd service killMode to process for minion • PR #22999: (jtand) Added retry_dns to minion doc. @ 2015-04-24T03:30:24Z • ISSUE #22707: (arthurlogilab) retry_dns of master configuration is missing from the documentation | refs: #22999 • b5c059a Merge pull request #22999 from jtand/fix_22707 • 8486e17 Added retry_dns to minion doc. • PR #22990: (techhat) Use the proper cloud conf variable @ 2015-04-23T17:48:07Z • 27dc877 Merge pull request #22990 from techhat/2014.7 • d33bcbc Use the proper cloud conf variable • PR #22976: (multani) Improve state_output documentation @ 2015-04-23T12:24:22Z • 13dff65 Merge pull request #22976 from multani/fix/state-output-doc • 19efd41 Improve state_output documentation • PR #22955: (terminalmage) Fix regression introduced yesterday in dockerio module @ 2015-04-22T18:56:39Z • 89fa185 Merge pull request #22955 from terminalmage/dockerio-run-fix • b4472ad Fix regression introduced yesterday in dockerio module • PR #22954: (rallytime) Backport #22909 to 2014.7 @ 2015-04-22T18:56:20Z • PR #22909: (mguegan) Fix compatibility with pkgin > 0.7 | refs: #22954 • 46ef227 Merge pull request #22954 from rallytime/bp-22909 • 70c1cd3 Fix compatibility with pkgin > 0.7 • PR #22856: (jfindlay) increase timeout and decrease tries for route53 records @ 2015-04-22T16:47:01Z • ISSUE #18720: (Reiner030) timeouts when setting Route53 records | refs: #22856 • c9ae593 Merge pull request #22856 from jfindlay/route53_timeout • ba4a786 add route53 record sync wait, default=False • ea2fd50 increase timeout and tries for route53 records • PR #22946: (s0undt3ch) Test with a more recent pip version to avoid a traceback @ 2015-04-22T16:25:17Z • a178d44 Merge pull request #22946 from s0undt3ch/2014.7 • bc87749 Test with a more recent pip version to avoid a traceback • PR #22945: (garethgreenaway) Fixes to scheduler @ 2015-04-22T16:25:00Z • ISSUE #22571: (BoomerB) same error message as on issue #18504 | refs: #22945 • de339be Merge pull request #22945 from garethgreenaway/22571_2014_7_schedule_pillar_refresh_seconds_exceptions • bfa6d25 Fixing a reported issue when using a scheduled job from pillar with splay. _seconds element that acted as a backup of the actual seconds was being removed when pillar was refreshed and causing exceptions. This fix moves some splay related code out of the if else condition so it's checked whether the job is in the job queue or not. • PR #22887: (hvnsweeting) fix #18843 @ 2015-04-22T15:47:05Z • ISSUE #18843: (calvinhp) State user.present will fail to create home if user exists and homedir doesn't • 12d2b91 Merge pull request #22887 from hvnsweeting/18843-fix-user-present-home • 7fe7b08 run user.chhome once to avoid any side-effect when run it twice • 19de995 clarify the usage of home arg • d6dc09a enhance doc, as usermod on ubuntu 12.04 will not CREATE home • 0ce4d7f refactor: force to use boolean • 849d19e log debug the creating dir process • c4e95b9 fix #18843: usermod won't create a dir if old home does not exist • PR #22930: (jfindlay) localemod.gen_locale now always returns a boolean @ 2015-04-22T15:37:39Z • ISSUE #21140: (holms) locale.present state executed successfully, although originally fails | refs: #22930 #22829 • ISSUE #2417: (ffa) Module standards | refs: #22829 • PR #22829: (F30) Always return a boolean in gen_locale() | refs: #22930 • b7de7bd Merge pull request #22930 from jfindlay/localegen_bool • 399399f localemod.gen_locale now always returns a boolean • PR #22933: (hvnsweeting) add test for #18843 @ 2015-04-22T15:27:18Z • ISSUE #18843: (calvinhp) State user.present will fail to create home if user exists and homedir doesn't • 11bcf14 Merge pull request #22933 from hvnsweeting/18843-test • b13db32 add test for #18843 • PR #22925: (rallytime) Backport #22895 to 2014.7 | refs: #23113 @ 2015-04-22T02:30:26Z • PR #22895: (aletourneau) pam_tally counter was not reset to 0 after a succesfull login | refs: #22925 • 6890752 Merge pull request #22925 from rallytime/bp-22895 • 3852d96 Pylint fix • 90f7829 Fixed pylint issues • 5ebf159 Cleaned up pull request • a08ac47 pam_tally counter was not reset to 0 after a succesfull login • PR #22914: (cachedout) Call proper returner function in jobs.list_jobs @ 2015-04-22T00:49:01Z • ISSUE #22790: (whiteinge) jobs.list_jobs runner tracebacks on 'missing' argument | refs: #22914 • eca37eb Merge pull request #22914 from cachedout/issue_22790 • d828d6f Call proper returner function in jobs.list_jobs • PR #22918: (JaseFace) Add a note to the git_pillar docs stating that GitPython is the only currently supported provider @ 2015-04-22T00:48:26Z • 44f3409 Merge pull request #22918 from JaseFace/git-pillar-provider-doc-note • 0aee5c2 Add a note to the git_pillar docs stating that GitPython is the only currently supported provider • PR #22907: (techhat) Properly merge cloud configs to create profiles @ 2015-04-21T22:02:44Z • 31c461f Merge pull request #22907 from techhat/cloudconfig • 3bf4e66 Properly merge cloud configs to create profiles • PR #22894: (0xf10e) Fix issue #22782 @ 2015-04-21T18:55:18Z • f093975 Merge pull request #22894 from 0xf10e/2014.7 • 58fa24c Clarify doc on kwarg 'roles' for user_present(). • f0ae2eb Improve readability by renaming tenant_role • PR #22902: (rallytime) Change state example to use proper kwarg @ 2015-04-21T18:50:47Z • ISSUE #12003: (MarkusMuellerAU) [state.dockerio] docker.run TypeError: run() argument after ** must be a mapping, not str | refs: #22902 • c802ba7 Merge pull request #22902 from rallytime/docker_doc_fix • 8f70346 Change state example to use proper kwarg • PR #22898: (terminalmage) dockerio: better error message for native exec driver @ 2015-04-21T18:02:58Z • 81771a7 Merge pull request #22898 from terminalmage/issue12003 • c375309 dockerio: better error message for native exec driver • PR #22897: (rallytime) Add param documentation for file.replace state @ 2015-04-21T17:31:04Z • ISSUE #22825: (paolodina) Issue using file.replace in state file | refs: #22897 • e2ec4ec Merge pull request #22897 from rallytime/fix-22825 • 9c51630 Add param documentation for file.replace state • PR #22850: (bersace) Fix pillar and salt fileserver mixed @ 2015-04-21T17:04:33Z • ISSUE #22844: (bersace) LocalClient file cache confuse pillar and state files | refs: #22850 • fd53889 Merge pull request #22850 from bersace/fix-pillar-salt-mixed • 31b98e7 Initialize state file client after pillar loading • f6bebb7 Use saltenv • PR #22818: (twangboy) Added documentation regarding pip in windows @ 2015-04-21T03:58:59Z • 1380fec Merge pull request #22818 from twangboy/upd_pip_docs • cb999c7 Update pip.py • 3cc5c97 Added documentation regarding pip in windows • PR #22872: (rallytime) Prevent stacktrace on os.path.exists in hosts module @ 2015-04-21T02:54:40Z • b2bf17f Merge pull request #22872 from rallytime/fix_hosts_stacktrace • c88a1ea Prevent stacktrace on os.path.exists in hosts module • PR #22853: (s0undt3ch) Don't assume package installation order. @ 2015-04-21T02:42:41Z • 03af523 Merge pull request #22853 from s0undt3ch/2014.7 • b62df62 Don't assume package installation order. • PR #22877: (s0undt3ch) Don't fail on make clean just because the directory does not exist @ 2015-04-21T02:40:47Z • 9211e36 Merge pull request #22877 from s0undt3ch/hotfix/clean-docs-fix • 95d6887 Don't fail on make clean just because the directory does not exist • PR #22873: (thatch45) Type check the version since it will often be numeric @ 2015-04-21T02:38:11Z • 5bdbd08 Merge pull request #22873 from thatch45/type_check • 53b8376 Type check the version since it will often be numeric • PR #22870: (twangboy) Added ability to send a version with a space in it @ 2015-04-20T23:18:28Z • c965b0a Merge pull request #22870 from twangboy/fix_installer_again • 3f180cf Added ability to send a version with a space in it • PR #22863: (rallytime) Backport #20974 to 2014.7 @ 2015-04-20T19:29:37Z • PR #20974: (JohannesEbke) Fix expr_match usage in salt.utils.check_whitelist_blacklist | refs: #22863 • 2973eb1 Merge pull request #22863 from rallytime/bp-20974 • 14913a4 Fix expr_match usage in salt.utils.check_whitelist_blacklist • PR #22578: (hvnsweeting) gracefully handle when salt-minion cannot decrypt key @ 2015-04-20T15:24:45Z • c45b92b Merge pull request #22578 from hvnsweeting/2014-7-fix-compile-pillar • f75b24a gracefully handle when salt-minion cannot decrypt key • PR #22800: (terminalmage) Improve error logging for pygit2 SSH-based remotes @ 2015-04-18T17:18:55Z • ISSUE #21979: (yrdevops) gitfs: error message not descriptive enough when libgit2 was compiled without libssh2 | refs: #22800 • 900c7a5 Merge pull request #22800 from terminalmage/issue21979 • 8f1c008 Clarify that for pygit2, receiving 0 objects means repo is up-to-date • 98885f7 Add information about libssh2 requirement for pygit2 ssh auth • 09468d2 Fix incorrect log message • 2093bf8 Adjust loglevels for gitfs errors • 9d394df Improve error logging for pygit2 SSH-based remotes • PR #22813: (twangboy) Updated instructions for building salt @ 2015-04-18T04:10:07Z • e99f2fd Merge pull request #22813 from twangboy/win_doc_fix • adc421a Fixed some formatting issues • 8901b3b Updated instructions for building salt • PR #22810: (basepi) [2014.7] More msgpack gating for salt-ssh @ 2015-04-17T22:28:24Z • ISSUE #22708: (Bilge) salt-ssh file.accumulated error: NameError: global name 'msgpack' is not defined | refs: #22810 • fe1de89 Merge pull request #22810 from basepi/salt-ssh.more.msgpack.gating • d4da8e6 Gate msgpack in salt/modules/saltutil.py • 02303b2 Gate msgpack in salt/modules/data.py • d7e8741 Gate salt.states.file.py msgpack • PR #22803: (rallytime) Allow map file to work with softlayer @ 2015-04-17T20:34:42Z • ISSUE #17144: (xpender) salt-cloud -m fails with softlayer | refs: #22803 • 11df71e Merge pull request #22803 from rallytime/fix-17144 • ce88b6a Allow map file to work with softlayer • PR #22807: (rallytime) Add 2014.7.5 links to windows installation docs @ 2015-04-17T20:32:13Z • cd43a95 Merge pull request #22807 from rallytime/windows_docs_update • 5931a58 Replace all 4s with 5s • eadaead Add 2014.7.5 links to windows installation docs • PR #22795: (rallytime) Added release note for 2014.7.5 release @ 2015-04-17T18:05:36Z • 0b295e2 Merge pull request #22795 from rallytime/release_notes • fde1fee Remove extra line • b19b95d Added release note for 2014.7.5 release • PR #22759: (twangboy) Final edits to the batch files for running salt @ 2015-04-17T04:31:15Z • ISSUE #22740: (lorengordon) New Windows installer assumes salt is installed to the current directory | refs: #22759 • PR #22754: (twangboy) Removed redundant \ and " | refs: #22759 • 3c91459 Merge pull request #22759 from twangboy/fix_bat_one_last_time • 075f82e Final edits to the batch files for running salt • PR #22760: (thatch45) Fix issues with the syndic @ 2015-04-17T04:30:48Z • 20d3f2b Merge pull request #22760 from thatch45/syndic_fix • e2db624 Fix issues with the syndic not resolving the master when the interface is set • PR #22762: (twangboy) Fixed version not showing in Add/Remove Programs @ 2015-04-17T04:29:46Z • 54c4584 Merge pull request #22762 from twangboy/fix_installer • 4d25af8 Fixed version not showing in Add/Remove Programs Salt 2014.7.8 Release Notes Changes for v2014.7.7..v2014.7.8 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2016-03-11T21:18:48Z Statistics: • Total Merges: 7 • Total Issue references: 3 • Total PR references: 10 Changes: • PR #28839: (cachedout) Revert #28740 @ 2015-11-12T22:54:28Z • PR #28740: (MasterNayru) Add missing S3 module import | refs: #28777 • 4b8bdd0 Merge pull request #28839 from cachedout/revert_28740 • 215b26c Revert #28740 • PR #28777: (rallytime) Back-port #28740 to 2014.7 @ 2015-11-11T18:00:00Z • PR #28740: (MasterNayru) Add missing S3 module import | refs: #28777 • 76e69b4 Merge pull request #28777 from rallytime/bp-28740-2014.7 • da5fac2 Back-port #28740 to 2014.7 • PR #28716: (rallytime) Back-port #28705 to 2014.7 @ 2015-11-10T16:15:03Z • PR #28705: (cachedout) Account for new headers class in tornado 4.3 | refs: #28716 • 45c73eb Merge pull request #28716 from rallytime/bp-28705 • 32e7bd3 Account for new headers class in tornado 4.3 • PR #28717: (cachedout) Add note about recommended umask @ 2015-11-09T23:26:20Z • ISSUE #28199: (felskrone) Non-standard umasks might break the master | refs: #28717 • f4fe921 Merge pull request #28717 from cachedout/umask_note • 1874300 Add note about recommended umask • PR #28461: (cachedout) Wrap all cache calls in state.sls in correct umask @ 2015-11-02T17:11:02Z • ISSUE #28455: (zmalone) highstate.cache is world readable, and contains secrets | refs: #28461 • 4bf56ca Merge pull request #28461 from cachedout/issue_28455 • 097838e Wrap all cache calls in state.sls in correct umask • PR #28407: (DmitryKuzmenko) Don't request creds if auth with key. @ 2015-10-29T16:12:30Z • ISSUE #24910: (bocig) -T, --make-token flag does NOT work- LDAP Groups | refs: #28407 • f3e61db Merge pull request #28407 from DSRCompany/issues/24910_token_auth_fix_2014 • b7b5bec Don't request creds if auth with key. • PR #27390: (JaseFace) Ensure we pass on the enable setting if present, or use the default of True if not in build_schedule_item() @ 2015-10-05T18:09:33Z • d284eb1 Merge pull request #27390 from JaseFace/schedule-missing-enabled • 563db71 Ensure we pass on the enable setting if present, or use the default of True if not in build_schedule_item() Prior to this, when schedule.present compares the existing schedule to the one crafted by this function, enabled will actually be removed at each run. schedule.present sees a modification needs to be made, and invokes schedule.modify, which does so with enabled: True, creating and endless loop of an 'enabled' removal and addition. Salt 2014.7.9 Release Notes Changes for v2014.7.8..v2014.7.9 Extended changelog courtesy of Todd Stansell (‐ https://github.com/tjstansell/salt-changelogs): Generated at: 2016-03-11T20:58:58Z Statistics: • Total Merges: 3 • Total Issue references: 1 • Total PR references: 3 Changes: • PR #31826: (gtmanfred) Remove ability of authenticating user to specify pam service @ 2016-03-11T20:41:01Z • c5e7c03 Merge pull request #31826 from gtmanfred/2014.7 • d73f70e Remove ability of authenticating user to specify pam service • PR #29392: (jacobhammons) updated version number to not reference a specific build from the lat… @ 2015-12-03T15:54:31Z • 85aa70a Merge pull request #29392 from jacobhammons/2014.7 • d7f0db1 updated version number to not reference a specific build from the latest branch • PR #29296: (douardda) Use process KillMode on Debian systems also @ 2015-12-01T16:00:16Z • ISSUE #29295: (douardda) systemd's service file should use the 'process' KillMode option on Debian also | refs: #29296 • d2fb210 Merge pull request #29296 from douardda/patch-3 • d288539 Use process KillMode on Debian systems also Salt 2014.1.0 Release Notes - Codename Hydrogen NOTE: Due to a change in master to minion communication, 2014.1.0 minions are not compatible with older-version masters. Please upgrade masters first. More info on backwards-compatibility policy here, under the "Upgrading Salt" subheading. NOTE: A change in the grammar in the state compiler makes module.run in requisites illegal syntax. Its use is replaced simply with the word module. In other words you will need to change requisites like this: require: module.run: some_module_name to: require: module: some_module_name This is a breaking change. We apologize for the inconvenience, we needed to do this to remove some ambiguity in parsing requisites. release 2014-02-24 The 2014.1.0 release of Salt is a major release which not only increases stability but also brings new capabilities in virtualization, cloud integration, and more. This release brings a great focus on the expansion of testing making roughly double the coverage in the Salt tests, and comes with many new features. 2014.1.0 is the first release to follow the new date-based release naming system. See the version numbers page for more details. Major Features Salt Cloud Merged into Salt Salt Cloud is a tool for provisioning salted minions across various cloud providers. Prior to this release, Salt Cloud was a separate project but this marks its full integration with the Salt distribution. A Getting Started guide and additional documentation for Salt Cloud can be found here: Google Compute Engine Alongside Salt Cloud comes new support for the Google Compute Engine. Salt Stack can now deploy and control GCE virtual machines and the application stacks that they run. For more information on Salt Stack and GCE, please see this blog post. Documentation for Salt and GCE can be found here. Salt Virt Salt Virt is a cloud controller that supports virtual machine deployment, inspection, migration, and integration with many aspects of Salt. Salt Virt has undergone a major overhaul with this release and now supports many more features and includes a number of critical improvements. Docker Integration Salt now ships with states and an execution module to manage Docker containers. Substantial Testing Expansion Salt continues to increase its unit/regression test coverage. This release includes over 300 new tests. BSD Package Management BSD package management has been entirely rewritten. FreeBSD 9 and older now default to using pkg_add, while FreeBSD 10 and newer will use pkgng. FreeBSD 9 can be forced to use pkgng, however, by specifying the following option in the minion config file: providers: pkg: pkgng In addition, support for installing software from the ports tree has been added. See the documentation for the ports state and execution module for more information. Network Management for Debian/Ubuntu Initial support for management of network interfaces on Debian-based distros has been added. See the documentation for the network state and the debian_ip for more information. IPv6 Support for iptables State/Module The iptables state and module now have IPv6 support. A new parameter family has been added to the states and execution functions, to distinguish between IPv4 and IPv6. The default value for this parameter is ipv4, specifying ipv6 will use ip6tables to manage firewall rules. GitFS Improvements Several performance improvements have been made to the Git fileserver backend. Additionally, file states can now use any any SHA1 commit hash as a fileserver environment: /etc/httpd/httpd.conf: file.managed: - source: salt://webserver/files/httpd.conf - saltenv: 45af879 This applies to the functions in the cp module as well: salt '*' cp.get_file salt://readme.txt /tmp/readme.txt saltenv=45af879 MinionFS This new fileserver backend allows files which have been pushed from the minion to the master (using cp.push) to be served up from the salt fileserver. The path for these files takes the following format: salt://minion-id/path/to/file minion-id is the id of the "source" minion, the one from which the files were pushed to the master. /path/to/file is the full path of the file. The MinionFS Walkthrough contains a more thorough example of how to use this backend. saltenv To distinguish between fileserver environments and execution functions which deal with environment variables, fileserver environments are now specified using the saltenv parameter. env will continue to work, but is deprecated and will be removed in a future release. Grains Caching A caching layer has been added to the Grains system, which can help speed up minion startup. Disabled by default, it can be enabled by setting the minion config option grains_cache: grains_cache: True # Seconds before grains cache is considered to be stale. grains_cache_expiration: 300 If set to True, the grains loader will read from/write to a msgpack-serialized file containing the grains data. Additional command-line parameters have been added to salt-call, mainly for testing purposes: • --skip-grains will completely bypass the grains loader when salt-call is invoked. • --refresh-grains-cache will force the grains loader to bypass the grains cache and refresh the grains, writing a new grains cache file. Improved Command Logging Control When using the cmd module, either on the CLI or when developing Salt execution modules, a new keyword argument output_loglevel allows for greater control over how (or even if) the command and its output are logged. For example: salt '*' cmd.run 'tail /var/log/messages' output_loglevel=debug The package management modules (apt, yumpkg, etc.) have been updated to log the copious output generated from these commands at loglevel debug. NOTE: To keep a command from being logged, output_loglevel=quiet can be used. Prior to this release, this could be done using quiet=True. This argument is still supported, but will be removed in a future Salt release. PagerDuty Support Initial support for firing events via PagerDuty has been added. See the documentation for the pagerduty module. Virtual Terminal Sometimes the subprocess module is not good enough, and, in fact, not even askpass is. This virtual terminal is still in it's infant childhood, needs quite some love, and was originally created to replace askpass, but, while developing it, it immediately proved that it could do so much more. It's currently used by salt-cloud when bootstrapping salt on clouds which require the use of a password. Proxy Minions Initial basic support for Proxy Minions is in this release. Documentation can be found here. Proxy minions are a developing feature in Salt that enables control of devices that cannot run a minion. Examples include network gear like switches and routers that run a proprietary OS but offer an API, or "dumb" devices that just don't have the horsepower or ability to handle a Python VM. Proxy minions can be difficult to write, so a simple REST-based example proxy is included. A Python bottle-based webserver can be found at https://github.com/cro/salt-proxy-rest as an endpoint for this proxy. This is an ALPHA-quality feature. There are a number of issues with it currently, mostly centering around process control, logging, and inability to work in a masterless configuration. Additional Bugfixes (Release Candidate Period) Below are many of the fixes that were implemented in salt during the release candidate phase. • Fix mount.mounted leaving conflicting entries in fstab (issue 7079) • Fix mysql returner serialization to use json (issue 9590) • Fix ZMQError: Operation cannot be accomplished in current state errors (issue 6306) • Rbenv and ruby improvements • Fix quoting issues with mysql port (issue 9568) • Update mount module/state to support multiple swap partitions (issue 9520) • Fix archive state to work with bsdtar • Clarify logs for minion ID caching • Add numeric revision support to git state (issue 9718) • Update master_uri with master_ip (issue 9694) • Add comment to Debian mod_repo (issue 9923) • Fix potential undefined loop variable in rabbitmq state (issue 8703) • Fix for salt-virt runner to delete key on VM deletion • Fix for salt-run -d to limit results to specific runner or function (issue 9975) • Add tracebacks to jinja renderer when applicable (issue 10010) • Fix parsing in monit module (issue 10041) • Fix highstate output from syndic minions (issue 9732) • Quiet logging when dealing with passwords/hashes (issue 10000) • Fix for multiple remotes in git_pillar (issue 9932) • Fix npm installed command (issue 10109) • Add safeguards for utf8 errors in zcbuildout module • Fix compound commands (issue 9746) • Add systemd notification when master is started • Many doc improvements Salt 2014.1.1 Release Notes release 2014-03-18 Version 2014.1.1 is a bugfix release for 2014.1.0. The changes include: • Various doc fixes, including up-to-date Salt Cloud installation documentation. • Renamed state.sls runner to state.orchestrate, to reduce confusion with the state.sls execution function • Fix various bugs in the dig module (issue 10367) • Add retry for query on certain EC2 status codes (issue 10154) • Fix various bugs in mongodb_user state module (issue 10430) • Fix permissions on ~/.salt_token (issue 10422) • Add PyObjects support • Fix launchctl module crash with missing files • Fix saltutil.find_job for Windows (issue 10581) • Fix OS detection for OpenSolaris (issue 10601) • Fix broken salt-ssh key_deploy • Add support for multiline cron comments (issue 10721) • Fix timezone module for Arch (issue 10789) • Fix symlink support for file.recurse (issue 10809) • Fix multi-master bugs (issue 10732 and issue 10969) • Fix file.patch to error when source file is unavailable (issue 10380) • Fix pkg to handle packages set as purge in pkg.installed (issue 10719) • Add zmqversion grain • Fix highstate summary for masterless minions (issue 10945) • Fix saltutil.find_job for 2014.1 masters talking to 0.17 minions (issue 11020) • Fix file.recurse states with trailing slashes in source (issue 11002) • Fix pkg states to allow pkgname.x86_64 (issue 7306) • Make iptables states set a default table for flush (issue 11037) • Added iptables --reject-with after final iptables call in iptables states (issue:10757) • Fix improper passing of “family” in iptables states (issue 10774) • Fix traceback in iptables.insert states (issue 10988) • Fix zombie processes (issue 10867 and others) • Fix batch mode to obey --return settings (issue 9146) • Fix localclient issue that was causing batch mode breakage (issue 11094, issue 10470, and others) • Multiple salt-ssh fixes • FreeBSD: look in /usr/local/etc/salt for configuration by default, if installed using pip --editable. • Add a skip_suggestions parameter to pkg.installed states which allows pre-flight check to be skipped (issue 11106) • Fixed tag-based gitfs fileserver environments regression (issue 10956) • Yum: fix cache of available pkgs not cleared when repos are changed (issue 11001) • Yum: fix for plugin-provided repositories (i.e. RHN/Spacewalk) (issue 11145) • Fix regression in chocolatey.bootstrap (issue 10541) • Fix fail on unknown target in jobs runner (issue 11151) • Don’t log errors for commands which are expected to sometimes exit with non-zero exit status (issue 11154, issue 11090) • Fix test=True CLI override of config option (issue 10877) • Log sysctl key listing at loglevel TRACE (issue 10931) Salt 2014.1.10 Release Notes release 2014-08-01 NOTE: Version 2014.1.9 contained a regression which caused inaccurate Salt version detection, and thus was never packaged for general release. This version contains the version detection fix, but is otherwise identical to 2014.1.9. Version 2014.1.10 is another bugfix release for 2014.1.0. Changes include: • Ensure salt-ssh will not continue if permissions on a temporary directory are not correct. • Use the bootstrap script distributed with Salt instead of relying on an external resource • Remove unused testing code • Ensure salt states are placed into the .salt directory in salt-ssh • Use a randomized path for temporary files in a salt-cloud deployment • Clean any stale directories to ensure a fresh copy of salt-ssh during a deployment Salt 2014.1.10 fixes security issues documented by CVE-2014-3563: "Insecure tmp-file creation in seed.py, salt-ssh, and salt-cloud." Upgrading is recommended. Salt 2014.1.11 Release Notes release 2014-08-29 Version 2014.1.11 is another bugfix release for 2014.1.0. Changes include: • Fix for minion_id with byte-order mark (BOM) (issue 12296) • Fix runas deprecation in at module • Fix trailing slash befhavior for file.makedirs_ (issue 14019) • Fix chocolatey path (issue 13870) • Fix git_pillar infinite loop issues (issue 14671) • Fix json outputter null case • Fix for minion error if one of multiple masters are down (issue 14099) Salt 2014.1.12 Release Notes release 2014-10-08 Version 2014.1.12 is another bugfix release for 2014.1.0. Changes include: • Fix scp_file always failing (which broke salt-cloud) (issue 16437) • Fix regression in pillar in masterless (issue 16210, issue 16416, issue 16428) Salt 2014.1.13 Release Notes release 2014-10-14 Version 2014.1.13 is another bugfix release for 2014.1.0. Changes include: • Fix sftp_file by checking the exit status code of scp (which broke salt-cloud) (issue 16599) Salt 2014.1.2 Release Notes release 2014-04-15 Version 2014.1.2 is another bugfix release for 2014.1.0. The changes include: • Fix username detection when su'ed to root on FreeBSD (issue 11628) • Fix minionfs backend for file.recurse states • Fix 32-bit packages of different arches than the CPU arch, on 32-bit RHEL/CentOS (issue 11822) • Fix bug with specifying alternate home dir on user creation (FreeBSD) (issue 11790) • Don’t reload site module on module refresh for MacOS • Fix regression with running execution functions in Pillar SLS (issue 11453) • Fix some modules missing from Windows installer • Don’t log an error for yum commands that return nonzero exit status on non-failure (‐ issue 11645) • Fix bug in rabbitmq state (issue 8703) • Fix missing ssh config options (issue 10604) • Fix top.sls ordering (issue 10810 and issue 11691) • Fix salt-key --list all (issue 10982) • Fix win_servermanager install/remove function (issue 11038) • Fix interaction with tokens when running commands as root (issue 11223) • Fix overstate bug with find_job and **kwargs (issue 10503) • Fix saltenv for aptpkg.mod_repo from pkgrepo state • Fix environment issue causing file caching problems (issue 11189) • Fix bug in __parse_key in registry state (issue 11408) • Add minion auth retry on rejection (issue 10763) • Fix publish_session updating the encryption key (issue 11493) • Fix for bad AssertionError raised by GitPython (issue 11473) • Fix debian_ip to allow disabling and enabling networking on Ubuntu (issue 11164) • Fix potential memory leak caused by saved (and unused) events (issue 11582) • Fix exception handling in the MySQL module (issue 11616) • Fix environment-related error (issue 11534) • Include psutil on Windows • Add file.replace and file.search to Windows (issue 11471) • Add additional file module helpers to Windows (issue 11235) • Add pid to netstat output on Windows (issue 10782) • Fix Windows not caching new versions of installers in winrepo (issue 10597) • Fix hardcoded md5 hashing • Fix kwargs in salt-ssh (issue 11609) • Fix file backup timestamps (issue 11745) • Fix stacktrace on sys.doc with invalid eauth (issue 11293) • Fix git.latest with test=True (issue 11595) • Fix file.check_perms hardcoded follow_symlinks (issue 11387) • Fix certain pkg states for RHEL5/Cent5 machines (issue 11719) Salt 2014.1.3 Release Notes release 2014-04-15 Version 2014.1.3 is another bugfix release for 2014.1.0. It was created as a hotfix for a regression found in 2014.1.2, which was not distributed. The only change made was as follows: • Fix regression that caused saltutil.find_job to fail, causing premature terminations of salt CLI commands. Changes in the not-distributed 2014.1.2, also included in 2014.1.3: • Fix username detection when su'ed to root on FreeBSD (issue 11628) • Fix minionfs backend for file.recurse states • Fix 32-bit packages of different arches than the CPU arch, on 32-bit RHEL/CentOS (issue 11822) • Fix bug with specifying alternate home dir on user creation (FreeBSD) (issue 11790) • Don’t reload site module on module refresh for MacOS • Fix regression with running execution functions in Pillar SLS (issue 11453) • Fix some modules missing from Windows installer • Don’t log an error for yum commands that return nonzero exit status on non-failure (‐ issue 11645) • Fix bug in rabbitmq state (issue 8703) • Fix missing ssh config options (issue 10604) • Fix top.sls ordering (issue 10810 and issue 11691) • Fix salt-key --list all (issue 10982) • Fix win_servermanager install/remove function (issue 11038) • Fix interaction with tokens when running commands as root (issue 11223) • Fix overstate bug with find_job and **kwargs (issue 10503) • Fix saltenv for aptpkg.mod_repo from pkgrepo state • Fix environment issue causing file caching problems (issue 11189) • Fix bug in __parse_key in registry state (issue 11408) • Add minion auth retry on rejection (issue 10763) • Fix publish_session updating the encryption key (issue 11493) • Fix for bad AssertionError raised by GitPython (issue 11473) • Fix debian_ip to allow disabling and enabling networking on Ubuntu (issue 11164) • Fix potential memory leak caused by saved (and unused) events (issue 11582) • Fix exception handling in the MySQL module (issue 11616) • Fix environment-related error (issue 11534) • Include psutil on Windows • Add file.replace and file.search to Windows (issue 11471) • Add additional file module helpers to Windows (issue 11235) • Add pid to netstat output on Windows (issue 10782) • Fix Windows not caching new versions of installers in winrepo (issue 10597) • Fix hardcoded md5 hashing • Fix kwargs in salt-ssh (issue 11609) • Fix file backup timestamps (issue 11745) • Fix stacktrace on sys.doc with invalid eauth (issue 11293) • Fix git.latest with test=True (issue 11595) • Fix file.check_perms hardcoded follow_symlinks (issue 11387) • Fix certain pkg states for RHEL5/Cent5 machines (issue 11719) Salt 2014.1.4 Release Notes release 2014-05-05 Version 2014.1.4 is another bugfix release for 2014.1.0. Changes include: • Fix setup.py dependency issue (issue 12031) • Fix handling for IOErrors under certain circumstances (issue 11783 and issue 11853) • Fix fatal exception when /proc/1/cgroup is not readable (issue 11619) • Fix os grains for OpenSolaris (issue 11907) • Fix lvs.zero module argument pass-through (issue 9001) • Fix bug in debian_ip interaction with network.system state (issue 11164) • Remove bad binary package verification code (issue 12177) • Fix traceback in solaris package installation (issue 12237) • Fix file.directory state symlink handling (issue 12209) • Remove external_ip grain • Fix file.managed makedirs issues (issue 10446) • Fix hang on non-existent Windows drive letter for file module (issue 9880) • Fix salt minion caching all users on the server (issue 9743) • Add strftime formatting for ps.boot_time (issue 12428) Salt 2014.1.5 Release Notes release 2014-06-11 Version 2014.1.5 is another bugfix release for 2014.1.0. Changes include: • Add function for finding cached job on the minion • Fix iptables save file location for Debian (issue 11730) • Fix for minion caching jobs when master is down • Bump default syndic_wait to 5 to fix syndic-related problems (issue 12262) • Add OpenBSD, FreeBSD, and NetBSD support for network.netstat (issue 12121) • Fix false positive error in logs for makeconf state (issue 9762) • Fix for yum fromrepo package installs when repo is disabled by default (issue 12466) • Fix for extra blank lines in file.blockreplace (issue 12422) • Fix grain detection for OpenVZ guests (issue 11877) • Fix get_dns_servers function for Windows win_dns_client • Use system locale for ports package installations • Use correct stop/restart procedure for Debian networking in debian_ip (issue 12614) • Fix for cmd_iter/cmd_iter_no_block blocking issues (issue 12617) • Fix traceback when syncing custom types (issue 12883) • Fix cleaning directory symlinks in file.directory • Add performance optimizations for saltutil.sync_all and state.highstate • Fix possible error in saltutil.running • Fix for kmod modules with dashes (issue 13239) • Fix possible race condition for Windows minions in state module reloading (issue 12370) • Fix bug with roster for passwd option that is loaded as a non-string object (issue 13249) • Keep duplicate version numbers from showing up in pkg.list_pkgs output • Fixes for Jinja renderer, timezone module/state (issue 12724) • Fix timedatectl parsing for systemd>=210 (issue 12728) • Fix saltenv being written to YUM repo config files (issue 12887) • Removed the deprecated external nodes classifier (originally accessible by setting a value for external_nodes in the master configuration file). Note that this functionality has been marked deprecated for some time and was replaced by the more general master tops system. • More robust escaping of ldap filter strings. • Fix trailing slash in gitfs_root causing files not to be available (issue 13185) Salt 2014.1.6 Release Notes release 2014-07-08 Version 2014.1.6 is another bugfix release for 2014.1.0. Changes include: • Fix extra iptables --help output (Sorry!) (issue 13648, issue 13507, issue 13527, issue 13607) • Fix mount.active for Solaris • Fix support for allow-hotplug statement in debian_ip network module • Add sqlite3 to esky builds • Fix jobs.active output (issue 9526) • Fix the virtual grain for Xen (issue 13534) • Fix _ext_nodes unavailable on master (issue 13535) • Fix eauth for batch mode (issue 9605) • Fix force-related issues with tomcat support (issue 12889) • Fix KeyError when cloud mapping • Fix salt-minion restart loop in Windows (issue 12086) • Fix detection of service virtual module on Fedora minions • Fix traceback with missing ipv4 grain (issue 13838) • Fix issue in roots backend with invalid data in mtime_map (issue 13836) • Fix traceback in jobs.active (issue 11151) • Fix master_tops and _ext_nodes issue (issue 13535, issue 13673) Salt 2014.1.7 Release Notes release 2014-07-09 Version 2014.1.7 is another bugfix release for 2014.1.0. Changes include: • Fix batch mode regression (issue 14046) This release was a hotfix release for the regression listed above which was present in the 2014.1.6 release. The changes included in 2014.1.6 are listed below: • Fix extra iptables --help output (Sorry!) (issue 13648, issue 13507, issue 13527, issue 13607) • Fix mount.active for Solaris • Fix support for allow-hotplug statement in debian_ip network module • Add sqlite3 to esky builds • Fix jobs.active output (issue 9526) • Fix the virtual grain for Xen (issue 13534) • Fix eauth for batch mode (issue 9605) • Fix force-related issues with tomcat support (issue 12889) • Fix KeyError when cloud mapping • Fix salt-minion restart loop in Windows (issue 12086) • Fix detection of service virtual module on Fedora minions • Fix traceback with missing ipv4 grain (issue 13838) • Fix issue in roots backend with invalid data in mtime_map (issue 13836) • Fix traceback in jobs.active (issue 11151) • Fix master_tops and _ext_nodes issue (issue 13535, issue 13673) Salt 2014.1.8 Release Notes release 2014-07-30 NOTE: This release contained a regression which caused inaccurate Salt version detection, and thus was never packaged for general release. Please use version 2014.1.10 instead. Version 2014.1.8 is another bugfix release for 2014.1.0. Changes include: • Ensure salt-ssh will not continue if permissions on a temporary directory are not correct. • Use the bootstrap script distributed with Salt instead of relying on an external resource • Remove unused testing code • Ensure salt states are placed into the .salt directory in salt-ssh • Use a randomized path for temporary files in a salt-cloud deployment • Clean any stale directories to ensure a fresh copy of salt-ssh during a deployment Salt 2014.1.9 Release Notes release 2014-07-31 NOTE: This release contained a regression which caused inaccurate Salt version detection, and thus was never packaged for general release. Please use version 2014.1.10 instead. NOTE: Version 2014.1.8 contained a regression which caused inaccurate Salt version detection, and thus was never packaged for general release. This version contains the version detection fix, but is otherwise identical to 2014.1.8. Version 2014.1.9 is another bugfix release for 2014.1.0. Changes include: • Ensure salt-ssh will not continue if permissions on a temporary directory are not correct. • Use the bootstrap script distributed with Salt instead of relying on an external resource • Remove unused testing code • Ensure salt states are placed into the .salt directory in salt-ssh • Use a randomized path for temporary files in a salt-cloud deployment • Clean any stale directories to ensure a fresh copy of salt-ssh during a deployment Salt 0.10.0 Release Notes release 2012-06-16 0.10.0 has arrived! This release comes with MANY bug fixes, and new capabilities which greatly enhance performance and reliability. This release is primarily a bug fix release with many new tests and many repaired bugs. This release also introduces a few new key features which were brought in primarily to repair bugs and some limitations found in some of the components of the original architecture. Major Features Event System The Salt Master now comes equipped with a new event system. This event system has replaced some of the back end of the Salt client and offers the beginning of a system which will make plugging external applications into Salt. The event system relies on a local ZeroMQ publish socket and other processes can connect to this socket and listen for events. The new events can be easily managed via Salt's event library. Unprivileged User Updates Some enhancements have been added to Salt for running as a user other than root. These new additions should make switching the user that the Salt Master is running as very painless, simply change the user option in the master configuration and restart the master, Salt will take care of all of the particulars for you. Peer Runner Execution Salt has long had the peer communication system used to allow minions to send commands via the salt master. 0.10.0 adds a new capability here, now the master can be configured to allow for minions to execute Salt runners via the peer_run option in the salt master configuration. YAML Parsing Updates In the past the YAML parser for sls files would return the incorrect numbers when the file mode was set with a preceding 0. The YAML parser used in Salt has been modified to no longer convert these number into octal but to keep them as the correct value so that sls files can be a little cleaner to write. State Call Data Files It was requested that the minion keep a local cache of the most recent executed state run. This has been added and now with state runs the data is stored in a msgpack file in the minion's cachedir. Turning Off the Job Cache A new option has been added to the master configuration file. In previous releases the Salt client would look over the Salt job cache to read in the minion return data. With the addition of the event system the Salt client can now watch for events directly from the master worker processes. This means that the job cache is no longer a hard requirement. Keep in mind though, that turning off the job cache means that historic job execution data cannot be retrieved. Test Updates Minion Swarms Are Faster To continue our efforts with testing Salt's ability to scale the minionswarm script has been updated. The minionswarm can now start up minions much faster than it could before and comes with a new feature allowing modules to be disabled, thus lowering the minion's footprint when making a swarm. These new updates have allows us to test # python minionswarm.py -m 20 --master salt-master Many Fixes To get a good idea for the number of bugfixes this release offers take a look at the closed tickets for 0.10.0, this is a very substantial update: https://github.com/saltstack/salt/issues?milestone=12&state=closed Master and Minion Stability Fixes As Salt deployments grow new ways to break Salt are discovered. 0.10.0 comes with a number of fixes for the minions and master greatly improving Salt stability. Salt 0.10.1 Release Notes release 2012-06-19 Salt 0.10.2 Release Notes release 2012-07-30 0.10.2 is out! This release comes with enhancements to the pillar interface, cleaner ways to access the salt-call capabilities in the API, minion data caching and the event system has been added to salt minions. There have also been updates to the ZeroMQ functions, many more tests (thanks to sponsors, the code sprint and many contributors) and a swath of bug fixes. Major Features Ext Pillar Modules The ranks of available Salt modules directories sees a new member in 0.10.2. With the popularity of pillar a higher demand has arisen for ext_pillar interfaces to be more like regular Salt module additions. Now ext_pillar interfaces can be added in the same way as other modules, just drop it into the pillar directory in the salt source. Minion Events In 0.10.0 an event system was added to the Salt master. 0.10.2 adds the event system to the minions as well. Now event can be published on a local minion as well. The minions can also send events back up to the master. This means that Salt is able to communicate individual events from the minions back up to the Master which are not associated with command. Minion Data Caching When pillar was introduced the landscape for available data was greatly enhanced. The minion's began sending grain data back to the master on a regular basis. The new config option on the master called minion_data_cache instructs the Salt master to maintain a cache of the minion's grains and pillar data in the cachedir. This option is turned off by default to avoid hitting the disk more, but when enabled the cache is used to make grain matching from the salt command more powerful, since the minions that will match can be predetermined. Backup Files By default all files replaced by the file.managed and file.recurse states we simply deleted. 0.10.2 adds a new option. By setting the backup option to minion the files are backed up before they are replaced. The backed up files are located in the cachedir under the file_backup directory. On a default system this will be at: /var/cache/salt/file_backup Configuration files salt-master and salt-minion automatically load additional configuration files from master.d/*.conf respective minion.d/*.conf where master.d/minion.d is a directory in the same directory as the main configuration file. Salt Key Verification A number of users complained that they had inadvertently deleted the wrong salt authentication keys. 0.10.2 now displays what keys are going to be deleted and verifies that they are the keys that are intended for deletion. Key auto-signing If autosign_file is specified in the configuration file incoming keys will be compared to the list of keynames in autosign_file. Regular expressions as well as globbing is supported. The file must only be writable by the user otherwise the file will be ignored. To relax the permission and allow group write access set the permissive_pki_access option. Module changes Improved OpenBSD support New modules for managing services and packages were provided by Joshua Elsasser to further improve the support for OpenBSD. Existing modules like the disk module were also improved to support OpenBSD. SQL Modules The MySQL and PostgreSQL modules have both received a number of additions thanks to the work of Avi Marcus and Roman Imankulov. ZFS Support on FreeBSD A new ZFS module has been added by Kurtis Velarde for FreeBSD supporting various ZFS operations like creating, extending or removing zpools. Augeas A new Augeas module by Ulrich Dangel for editing and verifying config files. Native Debian Service module The support for the Debian was further improved with an new service module for Debian by Ahmad Khayyat supporting disable and enable. Cassandra Cassandra support has been added by Adam Garside. Currently only status and diagnostic information are supported. Networking The networking support for RHEL has been improved and supports bonding support as well as zeroconf configuration. Monit Basic monit support by Kurtis Velarde to control services via monit. nzbget Basic support for controlling nzbget by Joseph Hall Bluetooth Baisc bluez support for managing and controlling Bluetooth devices. Supports scanning as well as pairing/unpairing by Joseph Hall. Test Updates Consistency Testing Another testing script has been added. A bug was found in pillar when many minions generated pillar data at the same time. The new consist.py script is the tests directory was created to reproduce bugs where data should always be consistent. Many Fixes To get a good idea for the number of bugfixes this release offers take a look at the closed tickets for 0.10.2, this is a very substantial update: https://github.com/saltstack/salt/issues?milestone=24&page=1&state=closed Master and Minion Stability Fixes As Salt deployments grow new ways to break Salt are discovered. 0.10.2 comes with a number of fixes for the minions and master greatly improving Salt stability. Salt 0.10.3 Release Notes release 2012-09-30 The latest taste of Salt has come, this release has many fixes and feature additions. Modifications have been made to make ZeroMQ connections more reliable, the beginning of the ACL system is in place, a new command line parsing system has been added, dynamic module distribution has become more environment aware, the new master_finger option and many more! Major Features ACL System The new ACL system has been introduced. The ACL system allows for system users other than root to execute salt commands. Users can be allowed to execute specific commands in the same way that minions are opened up to the peer system. The configuration value to open up the ACL system is called client_acl and is configured like so: client_acl: fred: - test..* - pkg.list_pkgs Where fred is allowed access to functions in the test module and to the pkg.list_pkgs function. Master Finger Option The master_finger option has been added to improve the security of minion provisioning. The master_finger option allows for the fingerprint of the master public key to be set in the configuration file to double verify that the master is valid. This option was added in response to a motivation to pre-authenticate the master when provisioning new minions to help prevent man in the middle attacks in some situations. Salt Key Fingerprint Generation The ability to generate fingerprints of keys used by Salt has been added to salt-key. The new option finger accepts the name of the key to generate and display a fingerprint for. salt-key -F master Will display the fingerprints for the master public and private keys. Parsing System Pedro Algavio, aka s0undt3ch, has added a substantial update to the command line parsing system that makes the help message output much cleaner and easier to search through. Salt parsers now have --versions-report besides usual --version info which you can provide when reporting any issues found. Key Generation We have reduced the requirements needed for salt-key to generate minion keys. You're no longer required to have salt configured and it's common directories created just to generate keys. This might prove useful if you're batch creating keys to pre-load on minions. Startup States A few configuration options have been added which allow for states to be run when the minion daemon starts. This can be a great advantage when deploying with Salt because the minion can apply states right when it first runs. To use startup states set the startup_states configuration option on the minion to highstate. New Exclude Declaration Some users have asked about adding the ability to ensure that other sls files or ids are excluded from a state run. The exclude statement will delete all of the data loaded from the specified sls file or will delete the specified id: exclude: - sls: http - id: /etc/vimrc Max Open Files While we're currently unable to properly handle ZeroMQ's abort signals when the max open files is reached, due to the way that's handled on ZeroMQ's, we have minimized the chances of this happening without at least warning the user. More State Output Options Some major changes have been made to the state output system. In the past state return data was printed in a very verbose fashion and only states that failed or made changes were printed by default. Now two options can be passed to the master and minion configuration files to change the behavior of the state output. State output can be set to verbose (default) or non-verbose with the state_verbose option: state_verbose: False It is noteworthy that the state_verbose option used to be set to False by default but has been changed to True by default in 0.10.3 due to many requests for the change. Te next option to be aware of new and called state_output. This option allows for the state output to be set to full (default) or terse. The full output is the standard state output, but the new terse output will print only one line per state making the output much easier to follow when executing a large state system. state_output: terse state.file.append Improvements The salt state file.append() tries not to append existing text. Previously the matching check was being made line by line. While this kind of check might be enough for most cases, if the text being appended was multi-line, the check would not work properly. This issue is now properly handled, the match is done as a whole ignoring any white space addition or removal except inside commas. For those thinking that, in order to properly match over multiple lines, salt will load the whole file into memory, that's not true. For most cases this is not important but an erroneous order to read a 4GB file, if not properly handled, like salt does, could make salt chew that amount of memory. Salt has a buffered file reader which will keep in memory a maximum of 256KB and iterates over the file in chunks of 32KB to test for the match, more than enough, if not, explain your usage on a ticket. With this change, also salt.modules.file.contains(), salt.modules.file.contains_regex(), salt.modules.file.contains_glob() and salt.utils.find now do the searching and/or matching using the buffered chunks approach explained above. Two new keyword arguments were also added, makedirs, and source. The first, makedirs will create the necessary directories in order to append to the specified file, of course, it only applies if we're trying to append to a non-existing file on a non-existing directory: /tmp/salttest/file-append-makedirs: file.append: text: foo makedirs: True The second, source, allows one to append the contents of a file instead of specifying the text. /tmp/salttest/file-append-source: file.append: - source: salt://testfile Security Fix A timing vulnerability was uncovered in the code which decrypts the AES messages sent over the network. This has been fixed and upgrading is strongly recommended. Salt 0.10.4 Release Notes release 2012-10-23 Salt 0.10.4 is a monumental release for the Salt team, with two new module systems, many additions to allow granular access to Salt, improved platform support and much more. This release is also exciting because we have been able to shorten the release cycle back to under a month. We are working hard to keep up the aggressive pace and look forward to having releases happen more frequently! This release also includes a serious security fix and all users are very strongly recommended to upgrade. As usual, upgrade the master first, and then the minion to ensure that the process is smooth. Major Features External Authentication System The new external authentication system allows for Salt to pass through authentication to any authentication system to determine if a user has permission to execute a Salt command. The Unix PAM system is the first supported system with more to come! The external authentication system allows for specific users to be granted access to execute specific functions on specific minions. Access is configured in the master configuration file, and uses the new access control system: external_auth: pam: thatch: - 'web*': - test.* - network.* The configuration above allows the user thatch to execute functions in the test and network modules on minions that match the web* target. Access Control System All Salt systems can now be configured to grant access to non-administrative users in a granular way. The old configuration continues to work. Specific functions can be opened up to specific minions from specific users in the case of external auth and client ACLs, and for specific minions in the case of the peer system. Access controls are configured like this: client_acl: fred: - web\*: - pkg.list_pkgs - test.* - apache.* Target by Network A new matcher has been added to the system which allows for minions to be targeted by network. This new matcher can be called with the -S flag on the command line and is available in all places that the matcher system is available. Using it is simple: $ salt -S '192.168.1.0/24' test.ping $ salt -S '192.168.1.100' test.ping Nodegroup Nesting Previously a nodegroup was limited by not being able to include another nodegroup, this restraint has been lifted and now nodegroups will be expanded within other nodegroups with the N@ classifier. Salt Key Delete by Glob The ability to delete minion keys by glob has been added to salt-key. To delete all minion keys whose minion name starts with 'web': $ salt-key -d 'web*' Master Tops System The external_nodes system has been upgraded to allow for modular subsystems to be used to generate the top file data for a highstate run. The external_nodes option still works but will be deprecated in the future in favor of the new master_tops option. Example of using master_tops: master_tops: ext_nodes: cobbler-external-nodes Next Level Solaris Support A lot of work has been put into improved Solaris support by Romeo Theriault. Packaging modules (pkgadd/pkgrm and pkgutil) and states, cron support and user and group management have all been added and improved upon. These additions along with SMF (Service Management Facility) service support and improved Solaris grain detection in 0.10.3 add up to Salt becoming a great tool to manage Solaris servers with. Security A vulnerability in the security handshake was found and has been repaired, old minions should be able to connect to a new master, so as usual, the master should be updated first and then the minions. Pillar Updates The pillar communication has been updated to add some extra levels of verification so that the intended minion is the only one allowed to gather the data. Once all minions and the master are updated to salt 0.10.4 please activate pillar 2 by changing the pillar_version in the master config to 2. This will be set to 2 by default in a future release. Salt 0.10.5 Release Notes release 2012-11-15 Salt 0.10.5 is ready, and comes with some great new features. A few more interfaces have been modularized, like the outputter system. The job cache system has been made more powerful and can now store and retrieve jobs archived in external databases. The returner system has been extended to allow minions to easily retrieve data from a returner interface. As usual, this is an exciting release, with many noteworthy additions! Major Features External Job Cache The external job cache is a system which allows for a returner interface to also act as a job cache. This system is intended to allow users to store job information in a central location for longer periods of time and to make the act of looking up information from jobs executed on other minions easier. Currently the external job cache is supported via the mongo and redis returners: ext_job_cache: redis redis.host: salt Once the external job cache is turned on the new ret module can be used on the minions to retrieve return information from the job cache. This can be a great way for minions to respond and react to other minions. OpenStack Additions OpenStack integration with Salt has been moving forward at a blistering pace. The new nova, glance, and keystone modules represent the beginning of ongoing OpenStack integration. The Salt team has had many conversations with core OpenStack developers and is working on linking to OpenStack in powerful new ways. Wheel System A new API was added to the Salt Master which allows the master to be managed via an external API. This new system allows Salt API to easily hook into the Salt Master and manage configs, modify the state tree, manage the pillar and more. The main motivation for the wheel system is to enable features needed in the upcoming web UI so users can manage the master just as easily as they manage minions. The wheel system has also been hooked into the external auth system. This allows specific users to have granular access to manage components of the Salt Master. Render Pipes Jack Kuan has added a substantial new feature. The render pipes system allows Salt to treat the render system like unix pipes. This new system enables sls files to be passed through specific render engines. While the default renderer is still recommended, different engines can now be more easily merged. So to pipe the output of Mako used in YAML use this shebang line: #!mako|yaml Salt Key Overhaul The Salt Key system was originally developed as only a CLI interface, but as time went on it was pressed into becoming a clumsy API. This release marks a complete overhaul of Salt Key. Salt Key has been rewritten to function purely from an API and to use the outputter system. The benefit here is that the outputter system works much more cleanly with Salt Key now, and the internals of Salt Key can be used much more cleanly. Modular Outputters The outputter system is now loaded in a modular way. This means that output systems can be more easily added by dropping a python file down on the master that contains the function output. Gzip from Fileserver Gzip compression has been added as an option to the cp.get_file and cp.get_dir commands. This will make file transfers more efficient and faster, especially over slower network links. Unified Module Configuration In past releases of Salt, the minions needed to be configured for certain modules to function. This was difficult because it required pre-configuring the minions. 0.10.5 changes this by making all module configs on minions search the master config file for values. Now if a single database server is needed, then it can be defined in the master config and all minions will become aware of the configuration value. Salt Call Enhancements The salt-call command has been updated in a few ways. Now, salt-call can take the --return option to send the data to a returner. Also, salt-call now reports executions in the minion proc system, this allows the master to be aware of the operation salt-call is running. Death to pub_refresh and sub_timeout The old configuration values pub_refresh and sub_timeout have been removed. These options were in place to alleviate problems found in earlier versions of ZeroMQ which have since been fixed. The continued use of these options has proven to cause problems with message passing and have been completely removed. Git Revision Versions When running Salt directly from git (for testing or development, of course) it has been difficult to know exactly what code is being executed. The new versioning system will detect the git revision when building and how many commits have been made since the last release. A release from git will look like this: 0.10.4-736-gec74d69 Svn Module Addition Anthony Cornehl (twinshadow) contributed a module that adds Subversion support to Salt. This great addition helps round out Salt's VCS support. Noteworthy Changes Arch Linux Defaults to Systemd Arch Linux recently changed to use systemd by default and discontinued support for init scripts. Salt has followed suit and defaults to systemd now for managing services in Arch. Salt, Salt Cloud and Openstack With the releases of Salt 0.10.5 and Salt Cloud 0.8.2, OpenStack becomes the first (non-OS) piece of software to include support both on the user level (with Salt Cloud) and the admin level (with Salt). We are excited to continue to extend support of other platforms at this level. Salt 0.11.0 Release Notes release 2012-12-14 Salt 0.11.0 is here, with some highly sought after and exciting features. These features include the new overstate system, the reactor system, a new state run scope component called __context__, the beginning of the search system (still needs a great deal of work), multiple package states, the MySQL returner and a better system to arbitrarily reference outputters. It is also noteworthy that we are changing how we mark release numbers. For the life of the project we have been pushing every release with features and fixes as point releases. We will now be releasing point releases for only bug fixes on a more regular basis and major feature releases on a slightly less regular basis. This means that the next release will be a bugfix only release with a version number of 0.11.1. The next feature release will be named 0.12.0 and will mark the end of life for the 0.11 series. Major Features OverState The overstate system is a simple way to manage rolling state executions across many minions. The overstate allows for a state to depend on the successful completion of another state. Reactor System The new reactor system allows for a reactive logic engine to be created which can respond to events within a salted environment. The reactor system uses sls files to match events fired on the master with actions, enabling Salt to react to problems in an infrastructure. Your load-balanced group of webservers is under extra load? Spin up a new VM and add it to the group. Your fileserver is filling up? Send a notification to your sysadmin on call. The possibilities are endless! Module Context A new component has been added to the module loader system. The module context is a data structure that can hold objects for a given scope within the module. This allows for components that are initialized to be stored in a persistent context which can greatly speed up ongoing connections. Right now the best example can be found in the cp execution module. Multiple Package Management A long desired feature has been added to package management. By definition Salt States have always installed packages one at a time. On most platforms this is not the fastest way to install packages. Erik Johnson, aka terminalmage, has modified the package modules for many providers and added new capabilities to install groups of packages. These package groups can be defined as a list of packages available in repository servers: python_pkgs: pkg.installed: - pkgs: - python-mako - whoosh - python-git or specify based on the location of specific packages: python_pkgs: pkg.installed: - sources: - python-mako: http://some-rpms.org/python-mako.rpm - whoosh: salt://whoosh/whoosh.rpm - python-git: ftp://companyserver.net/python-git.rpm Search System The bones to the search system have been added. This is a very basic interface that allows for search backends to be added as search modules. The first supported search module is the whoosh search backend. Right now only the basic paths for the search system are in place, making this very experimental. Further development will involve improving the search routines and index routines for whoosh and other search backends. The search system has been made to allow for searching through all of the state and pillar files, configuration files and all return data from minion executions. Notable Changes All previous versions of Salt have shared many directories between the master and minion. The default locations for keys, cached data and sockets has been shared by master and minion. This has created serious problems with running a master and a minion on the same systems. 0.11.0 changes the defaults to be separate directories. Salt will also attempt to migrate all of the old key data into the correct new directories, but if it is not successful it may need to be done manually. If your keys exhibit issues after updating make sure that they have been moved from /etc/salt/pki to /etc/salt/pki/{master,minion}. The old setup will look like this: /etc/salt/pki |-- master.pem |-- master.pub |-- minions | `-- ragnarok.saltstack.net |-- minions_pre |-- minion.pem |-- minion.pub |-- minion_master.pub |-- minions_pre `-- minions_rejected With the accepted minion keys in /etc/salt/pki/minions, the new setup places the accepted minion keys in /etc/salt/pki/master/minions. /etc/salt/pki |-- master | |-- master.pem | |-- master.pub | |-- minions | | `-- ragnarok.saltstack.net | |-- minions_pre | `-- minions_rejected |-- minion | |-- minion.pem | |-- minion.pub | `-- minion_master.pub Salt 0.11.1 Release Notes release 2012-12-19 Salt 0.12.0 Release Notes release 2013-01-15 Another feature release of Salt is here! Some exciting additions are included with more ways to make salt modular and even easier management of the salt file server. Major Features Modular Fileserver Backend The new modular fileserver backend allows for any external system to be used as a salt file server. The main benefit here is that it is now possible to tell the master to directly use a git remote location, or many git remote locations, automatically mapping git branches and tags to salt environments. Windows is First Class! A new Salt Windows installer is now available! Much work has been put in to improve Windows support. With this much easier method of getting Salt on your Windows machines, we hope even more development and progress will occur. Please file bug reports on the Salt GitHub repo issue tracker so we can continue improving. One thing that is missing on Windows that Salt uses extensively is a software package manager and a software package repository. The Salt pkg state allows sys admins to install software across their infrastructure and across operating systems. Software on Windows can now be managed in the same way. The SaltStack team built a package manager that interfaces with the standard Salt pkg module to allow for installing and removing software on Windows. In addition, a software package repository has been built on top of the Salt fileserver. A small YAML file provides the information necessary for the package manager to install and remove software. An interesting feature of the new Salt Windows software package repository is that one or more remote git repositories can supplement the master's local repository. The repository can point to software on the master's fileserver or on an HTTP, HTTPS, or ftp server. New Default Outputter Salt displays data to the terminal via the outputter system. For a long time the default outputter for Salt has been the python pretty print library. While this has been a generally reasonable outputter, it did have many failings. The new default outputter is called "nested", it recursively scans return data structures and prints them out cleanly. If the result of the new nested outputter is not desired any other outputter can be used via the --out option, or the output option can be set in the master and minion configs to change the default outputter. Internal Scheduler The internal Salt scheduler is a new capability which allows for functions to be executed at given intervals on the minion, and for runners to be executed at given intervals on the master. The scheduler allows for sequences such as executing state runs (locally on the minion or remotely via an overstate) or continually gathering system data to be run at given intervals. The configuration is simple, add the schedule option to the master or minion config and specify jobs to run, this in the master config will execute the state.over runner every 60 minutes: schedule: overstate: function: state.over minutes: 60 This example for the minion configuration will execute a highstate every 30 minutes: schedule: highstate: function: state.highstate minutes: 30 Optional DSL for SLS Formulas Jack Kuan, our renderer expert, has created something that is astonishing. Salt, now comes with an optional Python based DSL, this is a very powerful interface that makes writing SLS files in pure python easier than it was with the raw py renderer. As usual this can be used with the renderer shebang line, so a single sls can be written with the DSL if pure python power is needed while keeping other sls files simple with YAML. Set Grains Remotely A new execution function and state module have been added that allows for grains to be set on the minion. Now grains can be set via a remote execution or via states. Use the grains.present state or the grains.setval execution functions. Gentoo Additions Major additions to Gentoo specific components have been made. The encompasses executions modules and states ranging from supporting the make.conf file to tools like layman. Salt 0.12.1 Release Notes release 2013-01-21 Salt 0.13.0 Release Notes release 2013-02-12 The lucky number 13 has turned the corner! From CLI notifications when quitting a salt command, to substantial improvements on Windows, Salt 0.13.0 has arrived! Major Features Improved file.recurse Performance The file.recurse system has been deployed and used in a vast array of situations. Fixes to the file state and module have led towards opening up new ways of running file.recurse to make it faster. Now the file.recurse state will download fewer files and will run substantially faster. Windows Improvements Minion stability on Windows has improved. Many file operations, including file.recurse, have been fixed and improved. The network module works better, to include network.interfaces. Both 32bit and 64bit installers are now available. Nodegroup Targeting in Peer System In the past, nodegroups were not available for targeting via the peer system. This has been fixed, allowing the new nodegroup expr_form argument for the publish.publish function: salt-call publish.publish group1 test.ping expr_form=nodegroup Blacklist Additions Additions allowing more granular blacklisting are available in 0.13.0. The ability to blacklist users and functions in client_acl have been added, as well as the ability to exclude state formulas from the command line. Command Line Pillar Embedding Pillar data can now be embedded on the command line when calling state.sls and state.highstate. This allows for on the fly changes or settings to pillar and makes parameterizing state formulas even easier. This is done via the keyword argument: salt '*' state.highstate pillar='{"cheese": "spam"}' The above example will extend the existing pillar to hold the cheese key with a value of spam. If the cheese key is already specified in the minion's pillar then it will be overwritten. CLI Notifications In the past hitting ctrl-C and quitting from the salt command would just drop to a shell prompt, this caused confusion with users who expected the remote executions to also quit. Now a message is displayed showing what command can be used to track the execution and what the job id is for the execution. Version Specification in Multiple-Package States Versions can now be specified within multiple-package pkg.installed states. An example can be found below: mypkgs: pkg.installed: - pkgs: - foo - bar: 1.2.3-4 - baz Noteworthy Changes The configuration subsystem in Salt has been overhauled to make the opts dict used by Salt applications more portable, the problem is that this is an incompatible change with salt-cloud, and salt-cloud will need to be updated to the latest git to work with Salt 0.13.0. Salt Cloud 0.8.5 will also require Salt 0.13.0 or later to function. The SaltStack team is sorry for the inconvenience here, we work hard to make sure these sorts of things do not happen, but sometimes hard changes get in. Salt 0.13.1 Release Notes release 2013-02-15 Salt 0.13.2 Release Notes release 2013-03-13 Salt 0.13.3 Release Notes release 2013-03-18 Salt 0.14.0 Release Notes release 2013-03-23 Salt 0.14.0 is here! This release was held up primarily by PyCon, Scale, and illness, but has arrived! 0.14.0 comes with many new features and is breaking ground for Salt in the area of cloud management with the introduction of Salt providing basic cloud controller functionality. Major Features Salt - As a Cloud Controller This is the first primitive inroad to using Salt as a cloud controller is available in 0.14.0. Be advised that this is alpha, only tested in a few very small environments. The cloud controller is built using kvm and libvirt for the hypervisors. Hypervisors are autodetected as minions and only need to have libvirt running and kvm installed to function. The features of the Salt cloud controller are as follows: • Basic vm discovery and reporting • Creation of new virtual machines • Seeding virtual machines with Salt via qemu-nbd or libguestfs • Live migration (shared and non shared storage) • Delete existing VMs It is noteworthy that this feature is still Alpha, meaning that all rights are reserved to change the interface if needs be in future releases! Libvirt State One of the problems with libvirt is management of certificates needed for live migration and cross communication between hypervisors. The new libvirt state makes the Salt Master hold a CA and manage the signing and distribution of keys onto hypervisors, just add a call to the libvirt state in the sls formulas used to set up a hypervisor: libvirt_keys: libvirt.keys New get Functions An easier way to manage data has been introduced. The pillar, grains, and config execution modules have been extended with the new get function. This function works much in the same way as the get method in a python dict, but with an enhancement, nested dict components can be extracted using a : delimiter. If a structure like this is in pillar: foo: bar: baz: quo Extracting it from the raw pillar in an sls formula or file template is done this way: {{ pillar['foo']['bar']['baz'] }} Now with the new get function the data can be safely gathered and a default can be set allowing the template to fall back if the value is not available: {{ salt['pillar.get']('foo:bar:baz', 'qux') }} This makes handling nested structures much easier, and defaults can be cleanly set. This new function is being used extensively in the new formulae repository of salt sls formulas. Salt 0.14.1 Release Notes release 2013-04-13 Salt 0.15.0 Release Notes release 2013-05-03 The many new features of Salt 0.15.0 have arrived! Salt 0.15.0 comes with many smaller features and a few larger ones. These features range from better debugging tools to the new Salt Mine system. Major Features The Salt Mine First there was the peer system, allowing for commands to be executed from a minion to other minions to gather data live. Then there was the external job cache for storing and accessing long term data. Now the middle ground is being filled in with the Salt Mine. The Salt Mine is a system used to execute functions on a regular basis on minions and then store only the most recent data from the functions on the master, then the data is looked up via targets. The mine caches data that is public to all minions, so when a minion posts data to the mine all other minions can see it. IPV6 Support 0.13.0 saw the addition of initial IPV6 support but errors were encountered and it needed to be stripped out. This time the code covers more cases and must be explicitly enabled. But the support is much more extensive than before. Copy Files From Minions to the Master Minions have long been able to copy files down from the master file server, but until now files could not be easily copied from the minion up to the master. A new function called cp.push can push files from the minions up to the master server. The uploaded files are then cached on the master in the master cachedir for each minion. Better Template Debugging Template errors have long been a burden when writing states and pillar. 0.15.0 will now send the compiled template data to the debug log, this makes tracking down the intermittent stage templates much easier. So running state.sls or state.highstate with -l debug will now print out the rendered templates in the debug information. State Event Firing The state system is now more closely tied to the master's event bus. Now when a state fails the failure will be fired on the master event bus so that the reactor can respond to it. Major Syndic Updates The Syndic system has been basically re-written. Now it runs in a completely asynchronous way and functions primarily as an event broker. This means that the events fired on the syndic are now pushed up to the higher level master instead of the old method used which waited for the client libraries to return. This makes the syndic much more accurate and powerful, it also means that all events fired on the syndic master make it up the pipe as well making a reactor on the higher level master able to react to minions further downstream. Peer System Updates The Peer System has been updated to run using the client libraries instead of firing directly over the publish bus. This makes the peer system much more consistent and reliable. Minion Key Revocation In the past when a minion was decommissioned the key needed to be manually deleted on the master, but now a function on the minion can be used to revoke the calling minion's key: $ salt-call saltutil.revoke_auth Function Return Codes Functions can now be assigned numeric return codes to determine if the function executed successfully. While not all functions have been given return codes, many have and it is an ongoing effort to fill out all functions that might return a non-zero return code. Functions in Overstate The overstate system was originally created to just manage the execution of states, but with the addition of return codes to functions, requisite logic can now be used with respect to the overstate. This means that an overstate stage can now run single functions instead of just state executions. Pillar Error Reporting Previously if errors surfaced in pillar, then the pillar would consist of only an empty dict. Now all data that was successfully rendered stays in pillar and the render error is also made available. If errors are found in the pillar, states will refuse to run. Using Cached State Data Sometimes states are executed purely to maintain a specific state rather than to update states with new configs. This is grounds for the new cached state system. By adding cache=True to a state call the state will not be generated fresh from the master but the last state data to be generated will be used. If no previous state data is available then fresh data will be generated. Monitoring States The new monitoring states system has been started. This is very young but allows for states to be used to configure monitoring routines. So far only one monitoring state is available, the disk.status state. As more capabilities are added to Salt UI the monitoring capabilities of Salt will continue to be expanded. Salt 0.15.1 Release Notes release 2013-05-08 The 0.15.1 release has been posted, this release includes fixes to a number of bugs in 0.15.1 and a three security patches. Security Updates A number of security issues have been resolved via the 0.15.1 release. Path Injection in Minion IDs Salt masters did not properly validate the id of a connecting minion. This can lead to an attacker uploading files to the master in arbitrary locations. In particular this can be used to bypass the manual validation of new unknown minions. Exploiting this vulnerability does not require authentication. This issue affects all known versions of Salt. This issue was reported by Ronald Volgers. Patch The issue is fixed in Salt 0.15.1. Updated packages are available in the usual locations. Specific commits: https://github.com/saltstack/salt/commit/5427b9438e452a5a8910d9128c6aafb45d8fd5d3 https://github.com/saltstack/salt/commit/7560908ee62351769c3cd43b03d74c1ca772cc52 https://github.com/saltstack/salt/commit/e200b8a7ff53780124e08d2bdefde7587e52bfca RSA Key Generation Fault RSA key generation was done incorrectly, leading to very insecure keys. It is recommended to regenerate all RSA keys. This issue can be used to impersonate Salt masters or minions, or decrypt any transferred data. This issue can only be exploited by attackers who are able to observe or modify traffic between Salt minions and the legitimate Salt master. A tool was included in 0.15.1 to assist in mass key regeneration, the manage.regen_keys runner. This issue affects all known versions of Salt. This issue was reported by Ronald Volgers. Patch The issue is fixed in Salt 0.15.1. Updated packages are available in the usual locations. Specific commits: https://github.com/saltstack/salt/commit/5dd304276ba5745ec21fc1e6686a0b28da29e6fc Command Injection Via ext_pillar Arbitrary shell commands could be executed on the master by an authenticated minion through options passed when requesting a pillar. Ext pillar options have been restricted to only allow safe external pillars to be called when prompted by the minion. This issue affects Salt versions from 0.14.0 to 0.15.0. This issue was reported by Ronald Volgers. Patch The issue is fixed in Salt 0.15.1. Updated packages are available in the usual locations. Specific commits: https://github.com/saltstack/salt/commit/43d8c16bd26159d827d1a945c83ac28159ec5865 Salt 0.15.2 Release Notes release 2013-05-29 Salt 0.15.3 Release Notes release 2013-06-01 Salt 0.16.0 Release Notes release 2013-07-01 The 0.16.0 release is an exciting one, with new features in master redundancy, and a new, powerful requisite. Major Features Multi-Master This new capability allows for a minion to be actively connected to multiple salt masters at the same time. This allows for multiple masters to send out commands to minions and for minions to automatically reconnect to masters that have gone down. A tutorial is available to help get started here: Multi Master Tutorial Prereq, the New Requisite The new prereq requisite is very powerful! It allows for states to execute based on a state that is expected to make changes in the future. This allows for a change on the system to be preempted by another execution. A good example is needing to shut down a service before modifying files associated with it, allowing, for instance, a webserver to be shut down allowing a load balancer to stop sending requests while server side code is updated. In this case, the prereq will only run if changes are expected to happen in the prerequired state, and the prerequired state will always run after the prereq state and only if the prereq state succeeds. Peer System Improvements The peer system has been revamped to make it more reliable, faster, and like the rest of Salt, async. The peer calls when an updated minion and master are used together will be much faster! Relative Includes The ability to include an sls relative to the defined sls has been added, the new syntax id documented here: Includes More State Output Options The state_output option in the past only supported full and terse, 0.16.0 add the mixed and changes modes further refining how states are sent to users' eyes. Improved Windows Support Support for Salt on Windows continues to improve. Software management on Windows has become more seamless with Linux/UNIX/BSD software management. Installed software is now recognized by the short names defined in the repository SLS. This makes it possible to run salt '*' pkg.version firefox and get back results from Windows and non-Windows minions alike. When templating files on Windows, Salt will now correctly use Windows appropriate line endings. This makes it much easier to edit and consume files on Windows. When using the cmd state the shell option now allows for specifying Windows Powershell as an alternate shell to execute cmd.run and cmd.script. This opens up Salt to all the power of Windows Powershell and its advanced Windows management capabilities. Several fixes and optimizations were added for the Windows networking modules, especially when working with IPv6. A system module was added that makes it easy to restart and shutdown Windows minions. The Salt Minion will now look for its config file in c:\salt\conf by default. This means that it's no longer necessary to specify the -c option to specify the location of the config file when starting the Salt Minion on Windows in a terminal. Multiple Targets for pkg.removed, pkg.purged States Both pkg.removed and pkg.purged now support the pkgs argument, which allow for multiple packages to be targeted in a single state. This, as in pkg.installed, helps speed up these states by reducing the number of times that the package management tools (apt, yum, etc.) need to be run. Random Times in Cron States The temporal parameters in cron.present states (minute, hour, etc.) can now be randomized by using random instead of a specific value. For example, by using the random keyword in the minute parameter of a cron state, the same cron job can be pushed to hundreds or thousands of hosts, and they would each use a randomly-generated minute. This can be helpful when the cron job accesses a network resource, and it is not desirable for all hosts to run the job concurrently. /path/to/cron/script: cron.present: - user: root - minute: random - hour: 2 Since Salt assumes a value of * for unspecified temporal parameters, adding a parameter to the state and setting it to random will change that value from * to a randomized numeric value. However, if that field in the cron entry on the minion already contains a numeric value, then using the random keyword will not modify it. Confirmation Prompt on Key Acceptance When accepting new keys with salt-key -a minion-id or salt-key -A, there is now a prompt that will show the affected keys and ask for confirmation before proceeding. This prompt can be bypassed using the -y or --yes command line argument, as with other salt-key commands. Support for Setting Password Hashes on BSD Minions FreeBSD, NetBSD, and OpenBSD all now support setting passwords in user.present states. Salt 0.16.1 Release Notes release 2013-07-29 Salt 0.16.2 Release Notes release 2013-08-01 Version 0.16.2 is a bugfix release for 0.16.0, and contains a number of fixes. Windows • Only allow Administrator's group and SYSTEM user access to C:\salt. This eliminates a race condition where a non-admin user could modify a template or managed file before it is executed by the minion (which is running as an elevated user), thus avoiding a potential escalation of privileges. (issue 6361) Grains • Fixed detection of virtual grain on OpenVZ hardware nodes • Gracefully handle lsb_release data when it is enclosed in quotes • LSB grains are now prefixed with lsb_distrib_ instead of simply lsb_. The old naming is not preserved, so SLS may be affected. • Improved grains detection on MacOS Pillar • Don't try to load git_pillar if not enabled in master config (issue 6052) • Functions pillar.item and pillar.items added for parity with grains.item/grains.items. The old function pillar.data is preserved for backwards compatibility. • Fixed minion traceback when Pillar SLS is malformed (issue 5910) Peer Publishing • More gracefully handle improperly quoted publish commands (issue 5958) • Fixed traceback when timeout specified via the CLI fo publish.publish, publish.full_data (issue 5959) • Fixed unintended change in output of publish.publish (issue 5928) Minion • Fixed salt-key usage in minionswarm script • Quieted warning about SALT_MINION_CONFIG environment variable on minion startup and for CLI commands run via salt-call (issue 5956) • Added minion config parameter random_reauth_delay to stagger re-auth attempts when the minion is waiting for the master to approve its public key. This helps prevent SYN flooding in larger environments. User/Group Management • Implement previously-ignored unique option for user.present states in FreeBSD • Report in state output when a group.present state attempts to use a gid in use by another group • Fixed regression that prevents a user.present state to set the password hash to the system default (i.e. an unset password) • Fixed multiple group.present states with the same group (issue 6439) File Management • Fixed file.mkdir setting incorrect permissions (issue 6033) • Fixed cleanup of source files for templates when /tmp is in file_roots (issue 6118) • Fixed caching of zero-byte files when a non-empty file was previously cached at the same path • Added HTTP authentication support to the cp module (issue 5641) • Diffs are now suppressed when binary files are changed Package/Repository Management • Fixed traceback when there is only one target for pkg.latest states • Fixed regression in detection of virtual packages (apt) • Limit number of pkg database refreshes to once per state.sls/state.highstate • YUM: Allow 32-bit packages with arches other than i686 to be managed on 64-bit systems (issue 6299) • Fixed incorrect reporting in pkgrepo.managed states (issue 5517) • Fixed 32-bit binary package installs on 64-bit RHEL-based distros, and added proper support for 32-bit packages on 64-bit Debian-based distros (issue 6303) • Fixed issue where requisites were inadvertently being put into YUM repo files (issue 6471) Service Management • Fixed inaccurate reporting of results in service.running states when the service fails to start (issue 5894) • Fixed handling of custom initscripts in RHEL-based distros so that they are immediately available, negating the need for a second state run to manage the service that the initscript controls Networking • Function network.hwaddr renamed to network.hw_addr to match network.ip_addrs and network.ip_addrs6. All three functions also now work without the underscore in the name, as well. • Fixed traceback in bridge.show when interface is not present (issue 6326) SSH • Fixed incorrect result reporting for some ssh_known_hosts.present states • Fixed inaccurate reporting when ssh_auth.present states are run with test=True, when rsa/dss is used for the enc param instead of ssh-rsa/ssh-dss (issue 5374) pip • Properly handle -f lines in pip freeze output • Fixed regression in pip.installed states with specifying a requirements file (issue 6003) • Fixed use of editable argument in pip.installed states (issue 6025) • Deprecated runas parameter in execution function calls, in favor of user MySQL • Allow specification of MySQL connection arguments via the CLI, overriding/bypassing minion config params • Allow mysql_user.present states to set a passwordless login (issue 5550) • Fixed endless loop when mysql.processlist is run (issue 6297) PostgreSQL • Fixed traceback in postgres.user_list (issue 6352) Miscellaneous • Don't allow npm states to be used if npm module is not available • Fixed alternatives.install states for which the target is a symlink (issue 6162) • Fixed traceback in sysbench module (issue 6175) • Fixed traceback in job cache • Fixed tempfile cleanup for windows • Fixed issue where SLS files using the pydsl renderer were not being run • Fixed issue where returners were being passed incorrect information (issue 5518) • Fixed traceback when numeric args are passed to cmd.script states • Fixed bug causing cp.get_dir to return more directories than expected (issue 6048) • Fixed traceback when supervisord.running states are run with test=True (issue 6053) • Fixed tracebacks when Salt encounters problems running rbenv (issue 5888) • Only make the monit module available if monit binary is present (issue 5871) • Fixed incorrect behavior of img.mount_image • Fixed traceback in tomcat.deploy_war in Windows • Don't re-write /etc/fstab if mount fails • Fixed tracebacks when Salt encounters problems running gem (issue 5886) • Fixed incorrect behavior of selinux.boolean states (issue 5912) • RabbitMQ: Quote passwords to avoid symbols being interpolated by the shell (issue 6338) • Fixed tracebacks in extfs.mkfs and extfs.tune (issue 6462) • Fixed a regression with the module.run state where the m_name and m_fun arguments were being ignored (issue 6464) Salt 0.16.3 Release Notes release 2013-08-09 Version 0.16.3 is another bugfix release for 0.16.0. The changes include: • Various documentation fixes • Fix proc directory regression (issue 6502) • Properly detect Linaro Linux (issue 6496) • Fix regressions in mount.mounted (issue 6522, issue 6545) • Skip malformed state requisites (issue 6521) • Fix regression in gitfs from bad import • Fix for watching prereq states (including recursive requisite error) (issue 6057) • Fix mod_watch not overriding prereq (issue 6520) • Don't allow functions which compile states to be called within states (issue 5623) • Return error for malformed top.sls (issue 6544) • Fix traceback in mysql.query • Fix regression in binary package installation for 64-bit packages on Debian-based Linux distros (issue 6563) • Fix traceback caused by running cp.push without having set file_recv in the master config file • Fix scheduler configuration in pillar (issue 6201) Salt 0.16.4 Release Notes release 2013-09-07 Version 0.16.4 is another bugfix release for 0.16.0, likely to be the last before 0.17.0 is released. The changes include: • Multiple documentation improvements/additions • Added the osfinger and osarch grains • Properly handle 32-bit packages for debian32 on x86_64 (issue 6607) • Fix regression in yum package installation in CentOS 5 (issue 6677) • Fix bug in hg.latest state that would erroneously delete directories (issue 6661) • Fix bug related to pid not existing for ps.top (issue 6679) • Fix regression in MySQL returner (issue 6695) • Fix IP addresses grains (ipv4 and ipv6) to include all addresses (issue 6656) • Fix regression preventing authenticated FTP (issue 6733) • Fix setting password for windows users (issue 6824) • Fix file.contains on values YAML parses as non-string (issue 6817) • Fix file.get_gid, file.get_uid, and file.chown for broken symlinks (issue 6826) • Fix comment for service reloads in service state (issue 6851) Salt 0.17.0 Release Notes release 2013-09-26 The 0.17.0 release is a very exciting release of Salt, this brings to Salt some very powerful new features and advances. The advances range from the state system to the test suite, covering new transport capabilities and making states easier and more powerful, to extending Salt Virt and much more! The 0.17.0 release will also be the last release of Salt to follow the old 0.XX.X numbering system, the next release of Salt will change the numbering to be date based following this format: <Year>.<Month>.<Minor> So if the release happens in November of 2013 the number will be 13.11.0, the first bugfix release will be 13.11.1 and so forth. Major Features Halite The new Halite web GUI is now available on PyPI. A great deal of work has been put into Halite to make it fully event driven and amazingly fast. The Halite UI can be started from within the Salt Master (after being installed from PyPI), or standalone, and does not require an external database to run. It is very lightweight! This initial release of Halite is primarily the framework for the UI and the communication systems, making it easy to extend and build the UI up. It presently supports watching the event bus and firing commands over Salt. At this time, Halite is not available as a package, but installation documentation is available at: http://docs.saltstack.com/topics/tutorials/halite.html Halite is, like the rest of Salt, Open Source! Much more will be coming in the future of Halite! Salt SSH The new salt-ssh command has been added to Salt. This system allows for remote execution and states to be run over ssh. The benefit here being, that salt can run relying only on the ssh agent, rather than requiring a minion to be deployed. The salt-ssh system runs states in a compatible way as Salt and states created and run with salt-ssh can be moved over to a standard salt deployment without modification. Since this is the initial release of salt-ssh, there is plenty of room for improvement, but it is fully operational, not just a bootstrap tool. Rosters Salt is designed to have the minions be aware of the master and the master does not need to be aware of the location of the minions. The new salt roster system was created and designed to facilitate listing the targets for salt-ssh. The roster system, like most of Salt, is a plugin system, allowing for the list of systems to target to be derived from any pluggable backend. The rosters shipping with 0.17.0 are flat and scan. Flat is a file which is read in via the salt render system and the scan roster does simple network scanning to discover ssh servers. State Auto Order This is a major change in how states are evaluated in Salt. State Auto Order is a new feature that makes states get evaluated and executed in the order in which they are defined in the sls file. This feature makes it very easy to see the finite order in which things will be executed, making Salt now, fully imperative AND fully declarative. The requisite system still takes precedence over the order in which states are defined, so no existing states should break with this change. But this new feature can be turned off by setting state_auto_order: False in the master config, thus reverting to the old lexicographical order. state.sls Runner The state.sls runner has been created to allow for a more powerful system for orchestrating state runs and function calls across the salt minions. This new system uses the state system for organizing executions. This allows for states to be defined that are executed on the master to call states on minions via salt-run state.sls. Salt Thin Salt Thin is an exciting new component of Salt, this is the ability to execute Salt routines without any transport mechanisms installed, it is a pure python subset of Salt. Salt Thin does not have any networking capability, but can be dropped into any system with Python installed and then salt-call can be called directly. The Salt Thin system, is used by the salt-ssh command, but can still be used to just drop salt somewhere for easy use. Event Namespacing Events have been updated to be much more flexible. The tags in events have all been namespaced allowing easier tracking of event names. Mercurial Fileserver Backend The popular git fileserver backend has been joined by the mercurial fileserver backend, allowing the state tree to be managed entirely via mercurial. External Logging Handlers The external logging handler system allows for Salt to directly hook into any external logging system. Currently supported are sentry and logstash. Jenkins Testing The testing systems in Salt have been greatly enhanced, tests for salt are now executed, via jenkins.saltstack.com, across many supported platforms. Jenkins calls out to salt-cloud to create virtual machines on Rackspace, then the minion on the virtual machine checks into the master running on Jenkins where a state run is executed that sets up the minion to run tests and executes the test suite. This now automates the sequence of running platform tests and allows for continuous destructive tests to be run. Salt Testing Project The testing libraries for salt have been moved out of the main salt code base and into a standalone codebase. This has been done to ease the use of the testing systems being used in salt based projects other than Salt itself. StormPath External Authentication The external auth system now supports the fantastic Stormpath cloud based authentication system. LXC Support Extensive additions have been added to Salt for LXC support. This included the backend libs for managing LXC containers. Addition into the salt-virt system is still in the works. Mac OS X User/Group Support Salt is now able to manage users and groups on Minions running Mac OS X. However, at this time user passwords cannot be managed. Django ORM External Pillar Pillar data can now be derived from Django managed databases. Fixes from RC to release • Multiple documentation fixes • Add multiple source files + templating for file.append (issue 6905) • Support sysctl configuration files in systemd>=207 (issue 7351) • Add file.search and file.replace • Fix cross-calling execution functions in provider overrides • Fix locale override for postgres (issue 4543) • Fix Raspbian identification for service/pkg support (issue 7371) • Fix cp.push file corruption (issue 6495) • Fix ALT Linux password hash specification (issue 3474) • Multiple salt-ssh-related fixes and improvements Salt 0.17.1 Release Notes release 2013-10-17 NOTE: THIS RELEASE IS NOT COMPATIBLE WITH PREVIOUS VERSIONS. If you update your master to 0.17.1, you must update your minions as well. Sorry for the inconvenience -- this is a result of one of the security fixes listed below. The 0.17.1 release comes with a number of improvements to salt-ssh, many bugfixes, and a number of security updates. Salt SSH has been improved to be faster, more featureful and more secure. Since the original release of Salt SSH was primarily a proof of concept, it has been very exciting to see its rapid adoption. We appreciate the willingness of security experts to review Salt SSH and help discover oversights and ensure that security issues only exist for such a tiny window of time. SSH Enhancements Shell Improvements Improvements to Salt SSH's communication have been added that improve routine execution regardless of the target system's login shell. Performance Deployment of routines is now faster and takes fewer commands to execute. Security Updates Be advised that these security issues all apply to a small subset of Salt users and mostly apply to Salt SSH. Insufficient Argument Validation This issue allowed for a user with limited privileges to embed executions inside of routines to execute routines that should be restricted. This applies to users using external auth or client ACL and opening up specific routines. Be advised that these patches address the direct issue. Additional commits have been applied to help mitigate this issue from resurfacing. CVE CVE-2013-4435 Affected Versions 0.15.0 - 0.17.0 Patches https://github.com/saltstack/salt/commit/6d8ef68b605fd63c36bb8ed96122a75ad2e80269 https://github.com/saltstack/salt/commit/ebdef37b7e5d2b95a01d34b211c61c61da67e46a https://github.com/saltstack/salt/commit/7f190ff890e47cdd591d9d7cefa5126574660824 https://github.com/saltstack/salt/commit/8e5afe59cef6743fe5dbd510dcf463dbdfca1ced https://github.com/saltstack/salt/commit/aca78f314481082862e96d4f0c1b75fa382bb885 https://github.com/saltstack/salt/commit/6a9752cdb1e8df2c9505ea910434c79d132eb1e2 https://github.com/saltstack/salt/commit/b73677435ba54ecfc93c1c2d840a7f9ba6f53410 https://github.com/saltstack/salt/commit/07972eb0a6f985749a55d8d4a2e471596591c80d https://github.com/saltstack/salt/commit/1e3f197726aa13ac5c3f2416000089f477f489b5 Found By Feth Arezki, of Majerti MITM SSH attack in salt-ssh SSH host keys were being accepted by default and not enforced on future SSH connections. These patches set SSH host key checking by default and can be overridden by passing the -i flag to salt-ssh. CVE CVE-2013-4436 Affected Versions 0.17.0 Found By Michael Scherer, Red Hat Insecure Usage of /tmp in salt-ssh The initial release of salt-ssh used the /tmp directory in an insecure way. These patches not only secure usage of files under /tmp in salt-ssh, but also add checksum validation for all packages sent into the now secure locations on target systems. CVE CVE-2013-4438 Affected Versions 0.17.0 Patches https://github.com/saltstack/salt/commit/aa4bb77ef230758cad84381dde0ec660d2dc340a https://github.com/saltstack/salt/commit/8f92b6b2cb2e4ec3af8783eb6bf4ff06f5a352cf https://github.com/saltstack/salt/commit/c58e56811d5a50c908df0597a0ba0b643b45ebfd https://github.com/saltstack/salt/commit/0359db9b46e47614cff35a66ea6a6a76846885d2 https://github.com/saltstack/salt/commit/4348392860e0fd43701c331ac3e681cf1a8c17b0 https://github.com/saltstack/salt/commit/664d1a1cac05602fad2693f6f97092d98a72bf61 https://github.com/saltstack/salt/commit/bab92775a576e28ff9db262f32db9cf2375bba87 https://github.com/saltstack/salt/commit/c6d34f1acf64900a3c87a2d37618ff414e5a704e Found By Michael Scherer, Red Hat YAML Calling Unsafe Loading Routine It has been argued that this is not a valid security issue, as the YAML loading that was happening was only being called after an initial gateway filter in Salt has already safely loaded the YAML and would fail if non-safe routines were embedded. Nonetheless, the CVE was filed and patches applied. CVE CVE-2013-4438 Patches https://github.com/saltstack/salt/commit/339b0a51befae6b6b218ebcb55daa9cd3329a1c5 Found By Michael Scherer, Red Hat Failure to Drop Supplementary Group on Salt Master If a salt master was started as a non-root user by the root user, root's groups would still be applied to the running process. This fix changes the process to have only the groups of the running user. CVE CVE not considered necessary by submitter. Affected Versions 0.11.0 - 0.17.0 Patches https://github.com/saltstack/salt/commit/b89fa9135822d029795ab1eecd68cce2d1ced715 Found By Michael Scherer, Red Hat Failure to Validate Minions Posting Data This issue allowed a minion to pose as another authorized minion when posting data such as the mine data. All minions now pass through the id challenge before posting such data. CVE CVE-2013-4439 Affected Versions 0.15.0 - 0.17.0 Patches https://github.com/saltstack/salt/commit/7b850ff3d07ef6782888914ac4556c01e8a1c482 https://github.com/saltstack/salt/commit/151759b2a1e1c6ce29277aa81b054219147f80fd Found By David Anderson Fix Reference Version 0.17.1 is the first bugfix release for 0.17.0. The changes include: • Fix symbolic links in thin.tgz (issue 7482) • Pass env through to file.patch state (issue 7452) • Service provider fixes and reporting improvements (issue 7361) • Add --priv option for specifying salt-ssh private key • Fix salt-thin's salt-call on setuptools installations (issue 7516) • Fix salt-ssh to support passwords with spaces (issue 7480) • Fix regression in wildcard includes (issue 7455) • Fix salt-call outputter regression (issue 7456) • Fix custom returner support for startup states (issue 7540) • Fix value handling in augeas (issue 7605) • Fix regression in apt (issue 7624) • Fix minion ID guessing to use socket.getfqdn() first (issue 7558) • Add minion ID caching (issue 7558) • Fix salt-key race condition (issue 7304) • Add --include-all flag to salt-key (issue 7399) • Fix custom grains in pillar (part of issue 5716, issue 6083) • Fix race condition in salt-key (issue 7304) • Fix regression in minion ID guessing, prioritize socket.getfqdn() (issue 7558) • Cache minion ID on first guess (issue 7558) • Allow trailing slash in file.directory state • Fix reporting of file_roots in pillar return (issue 5449 and issue 5951) • Remove pillar matching for mine.get (issue 7197) • Sanitize args for multiple execution modules • Fix yumpkg mod_repo functions to filter hidden args (issue 7656) • Fix conflicting IDs in state includes (issue 7526) • Fix mysql_grants.absent string formatting issue (issue 7827) • Fix postgres.version so it won't return None (issue 7695) • Fix for trailing slashes in mount.mounted state • Fix rogue AttributErrors in the outputter system (issue 7845) • Fix for incorrect ssh key encodings resulting in incorrect key added (issue 7718) • Fix for pillar/grains naming regression in python renderer (issue 7693) • Fix args/kwargs handling in the scheduler (issue 7422) • Fix logfile handling for file://, tcp://, and udp:// (issue 7754) • Fix error handling in config file parsing (issue 6714) • Fix RVM using sudo when running as non-root user (issue 2193) • Fix client ACL and underlying logging bugs (issue 7706) • Fix scheduler bug with returner (issue 7367) • Fix user management bug related to default groups (issue 7690) • Fix various salt-ssh bugs (issue 7528) • Many various documentation fixes Salt 0.17.2 Release Notes release 2013-11-14 Version 0.17.2 is another bugfix release for 0.17.0. The changes include: • Add ability to delete key with grains.delval (issue 7872) • Fix possible state compiler stack trace (issue 5767) • Fix architecture regression in yumpkg (issue 7813) • Use correct ps on Debian to prevent truncating (issue 5646) • Fix grains targeting for new grains (issue 5737) • Fix bug with merging in git_pillar (issue 6992) • Fix print_jobs duplicate results • Fix apt version specification for pkg.install • Fix possible KeyError from ext_job_cache missing option • Fix auto_order for - names states (issue 7649) • Fix regression in new gitfs installs (directory not found error) • Fix escape pipe issue on Windows for file.recurse (issue 7967) • Fix fileclient in case of master restart (issue 7987) • Try to output warning if CLI command malformed (issue 6538) • Fix --out=quiet to actually be quiet (issue 8000) • Fix for state.sls in salt-ssh (issue 7991) • Fix for MySQL grants ordering issue (issue 5817) • Fix traceback for certain missing CLI args (issue 8016) • Add ability to disable lspci queries on master (issue 4906) • Fail if sls defined in topfile does not exist (issue 5998) • Add ability to downgrade MySQL grants (issue 6606) • Fix ssh_auth.absent traceback (issue 8043) • Add upstart detection for Debian/Raspbian (issue 8039) • Fix ID-related issues (issue 8052, issue 8050, and others) • Fix for jinja rendering issues (issue 8066 and issue 8079) • Fix argument parsing in salt-ssh (issue 7928) • Fix some GPU detection instances (issue 6945) • Fix bug preventing includes from other environments in SLS files • Fix for kwargs with dashes (issue 8102) • Fix salt.utils.which for windows '.exe' (issue 7904) • Fix apache.adduser without apachectl (issue 8123) • Fix issue with evaluating test kwarg in states (issue 7788) • Fix regression in salt.client.Caller() (issue 8078) • Fix apt-key silent failure • Fix bug where cmd.script would try to run even if caching failed (issue 7601) • Fix apt pkg.latest regression (issue 8067) • Fix for mine data not being updated (issue 8144) • Fix for noarch packages in yum • Fix a Xen detection edge case (issue 7839) • Fix windows __opts__ dictionary persistence (issue 7714) • Fix version generation for when it's part of another git repo (issue 8090) • Fix _handle_iorder stacktrace so that the real syntax error is shown (issue 8114 and issue 7905) • Fix git.latest state when a commit SHA is used (issue 8163) • Fix various small bugs in yumpkg.py (issue 8201) • Fix for specifying identify file in git.latest (issue 8094) • Fix for --output-file CLI arg (issue 8205) • Add ability to specify shutdown time for system.shutdown (issue 7833) • Fix for salt version using non-salt git repo info (issue 8266) • Add additional hints at impact of pkgrepo states when test=True (issue 8247) • Fix for salt-ssh files not being owned by root (issue 8216) • Fix retry logic and error handling in fileserver (related to issue 7755) • Fix file.replace with test=True (issue 8279) • Add flag for limiting file traversal in fileserver (issue 6928) • Fix for extra mine processes (issue 5729) • Fix for unloading custom modules (issue 7691) • Fix for salt-ssh opts (issue 8005 and issue 8271) • Fix compound matcher for grains (issue 7944) • Improve error reporting in ebuild module (related to issue 5393) • Add dir_mode to file.managed (issue 7860) • Improve traceroute support for FreeBSD and OS X (issue 4927) • Fix for matching minions under syndics (issue 7671) • Improve exception handling for missing ID (issue 8259) • Fix grain mismatch for ScientificLinux (issue 8338) • Add configuration option for minion_id_caching • Fix open mode auth errors (issue 8402) Salt 0.17.3 Release Notes release 2013-12-08 NOTE: 0.17.3 had some regressions which were promptly fixed in the 0.17.4 release. Please use 0.17.4 instead. Version 0.17.3 is another bugfix release for 0.17.0. The changes include: • Fix some jinja render errors (issue 8418) • Fix file.replace state changing file ownership (issue 8399) • Fix state ordering with the PyDSL renderer (issue 8446) • Fix for new npm version (issue 8517) • Fix for pip state requiring name even with requirements file (issue 8519) • Fix yum logging to open terminals (issue 3855) • Add sane maxrunning defaults for scheduler (issue 8563) • Fix states duplicate key detection (issue 8053) • Fix SUSE patch level reporting (issue 8428) • Fix managed file creation umask (issue 8590) • Fix logstash exception (issue 8635) • Improve argument exception handling for salt command (issue 8016) • Fix pecl success reporting (issue 8750) • Fix launchctl module exceptions (issue 8759) • Fix argument order in pw_user module • Add warnings for failing grains (issue 8690) • Fix hgfs problems caused by connections left open (issue 8811 and issue 8810) • Add Debian iptables default for iptables-persistent package (issue 8889) • Fix installation of packages with dots in pkg name (issue 8614) • Fix noarch package installation on CentOS 6 (issue 8945) • Fix portage_config.enforce_nice_config (issue 8252) • Fix salt.util.copyfile umask usage (issue 8590) • Fix rescheduling of failed jobs (issue 8941) • Fix pkg on Amazon Linux (uses yumpkg5 now) (issue 8226) • Fix conflicting options in postgres module (issue 8717) • Fix ps modules for psutil >= 0.3.0 (issue 7432) • Fix postgres module to return False on failure (issue 8778) • Fix argument passing for args with pound signs (issue 8585) • Fix pid of salt CLi command showing in status.pid output (issue 8720) • Fix rvm to run gem as the correct user (issue 8951) • Fix namespace issue in win_file module (issue 9060) • Fix masterless state paths on windows (issue 9021) • Fix timeout option in master config (issue 9040) Salt 0.17.4 Release Notes release 2013-12-10 Version 0.17.4 is another bugfix release for 0.17.0. The changes include: • Fix file.replace bug when replacement str is numeric (issue 9101) • Fix regression in file.managed (issue 9131) • Prevent traceback when job is None. (issue 9145) Salt 0.17.5 Release Notes release 2014-01-27 Version 0.17.5 is another bugfix release for 0.17.0. The changes include: • Fix user.present states with non-string fullname (issue 9085) • Fix virt.init return value on failure (issue 6870) • Fix reporting of file.blockreplace state when test=True • Fix network.interfaces when used in cron (issue 7990) • Fix bug in pkgrepo when switching to/from mirrorlist-based repo def (issue 9121) • Fix infinite recursion when cache file is corrupted • Add checking for rev and mirror/bare args in git.latest (issue 9107) • Add cmd.watch alias (points to cmd.wait) (issue 8612) • Fix stacktrace when prereq is not formed as a list (issue 8235) • Fix stdin issue with lvdisplay command (issue 9128) • Add pre-check function for range matcher (issue 9236) • Add exception handling for psutil for processes that go missing (issue 9274) • Allow _in requisites to match both on ID and name (issue 9061) • Fix multiple client timeout issues (issue 7157 and issue 9302, probably others) • Fix ZMQError: Operation cannot be accomplished in current state errors (issue 6306) • Multiple optimization in minion auth routines • Clarify logs for minion ID caching Salt 0.6.0 release notes The Salt remote execution manager has reached initial functionality! Salt is a management application which can be used to execute commands on remote sets of servers. The whole idea behind Salt is to create a system where a group of servers can be remotely controlled from a single master, not only can commands be executed on remote systems, but salt can also be used to gather information about your server environment. Unlike similar systems, like Func and MCollective, Salt is extremely simple to setup and use, the entire application is contained in a single package, and the master and minion daemons require no running dependencies in the way that Func requires Certmaster and MCollective requires activeMQ. Salt also manages authentication and encryption. Rather than using SSL for encryption, salt manages encryption on a payload level, so the data sent across the network is encrypted with fast AES encryption, and authentication uses RSA keys. This means that Salt is fast, secure, and very efficient. Messaging in Salt is executed with ZeroMQ, so the message passing interface is built into salt and does not require an external ZeroMQ server. This also adds speed to Salt since there is no additional bloat on the networking layer, and ZeroMQ has already proven itself as a very fast networking system. The remote execution in Salt is "Lazy Execution", in that once the command is sent the requesting network connection is closed. This makes it easier to detach the execution from the calling process on the master, it also means that replies are cached, so that information gathered from historic commands can be queried in the future. Salt also allows users to make execution modules in Python. Writers of these modules should also be pleased to know that they have access to the impressive information gathered from PuppetLabs' Facter application, making Salt module more flexible. In the future I hope to also allow Salt to group servers based on Facter information as well. All in all Salt is fast, efficient, and clean, can be used from a simple command line client or through an API, uses message queue technology to make network execution extremely fast, and encryption is handled in a very fast and efficient manner. Salt is also VERY easy to use and VERY easy to extend. You can find the source code for Salt on my GitHub page, I have also set up a few wiki pages explaining how to use and set up Salt. If you are using Arch Linux there is a package available in the Arch Linux AUR. Salt 0.6.0 Source: https://cloud.github.com/downloads/saltstack/salt/salt-0.6.0.tar.gz GitHub page: https://github.com/saltstack/salt Wiki: https://github.com/saltstack/salt/wiki Arch Linux Package: https://aur.archlinux.org/packages/salt-git/ I am very open to contributions, for instance I need packages for more Linux distributions as well as BSD packages and testers. Give Salt a try, this is the initial release and is not a 1.0 quality release, but it has been working well for me! I am eager to get your feedback! Salt 0.7.0 release notes I am pleased to announce the release of Salt 0.7.0! This release marks what is the first stable release of salt, 0.7.0 should be suitable for general use. 0.7.0 Brings the following new features to Salt: • Integration with Facter data from puppet labs • Allow for matching minions from the salt client via Facter information • Minion job threading, many jobs can be executed from the master at once • Preview of master clustering support - Still experimental • Introduce new minion modules for stats, virtualization, service management and more • Add extensive logging to the master and minion daemons • Add sys.reload_functions for dynamic function reloading • Greatly improve authentication • Introduce the saltkey command for managing public keys • Begin backend development preparatory to introducing butter • Addition of man pages for the core commands • Extended and cleaned configuration 0.7.0 Fixes the following major bugs: • Fix crash in minions when matching failed • Fix configuration file lookups for the local client • Repair communication bugs in encryption • Numerous fixes in the minion modules The next release of Salt should see the following features: • Stabilize the cluster support • Introduce a remote client for salt command tiers • salt-ftp system for distributed file copies • Initial support for "butter" Coming up next is a higher level management framework for salt called Butter. I want salt to stay as a simple and effective communication framework, and allow for more complicated executions to be managed via Butter. Right now Butter is being developed to act as a cloud controller using salt as the communication layer, but features like system monitoring and advanced configuration control (a puppet manager) are also in the pipe. Special thanks to Joseph Hall for the status and network modules, and thanks to Matthias Teege for tracking down some configuration bugs! Salt can be downloaded from the following locations; Source Tarball: https://cloud.github.com/downloads/saltstack/salt/salt-0.7.0.tar.gz Arch Linux Package: https://aur.archlinux.org/packages/salt-git/ Please enjoy the latest Salt release! Salt 0.8.0 release notes Salt 0.8.0 is ready for general consumption! The source tarball is available on GitHub for download: https://cloud.github.com/downloads/saltstack/salt/salt-0.8.0.tar.gz A lot of work has gone into salt since the last release just 2 weeks ago, and salt has improved a great deal. A swath of new features are here along with performance and threading improvements! The main new features of salt 0.8.0 are: Salt-cp Cython minion modules Dynamic returners Faster return handling Lowered required Python version to 2.6 Advanced minion threading Configurable minion modules Salt-cp The salt-cp command introduces the ability to copy simple files via salt to targeted servers. Using salt-cp is very simple, just call salt-cp with a target specification, the source file(s) and where to copy the files on the minions. For instance: # salt-cp ‘*’ /etc/hosts /etc/hosts Will copy the local /etc/hosts file to all of the minions. Salt-cp is very young, in the future more advanced features will be added, and the functionality will much more closely resemble the cp command. Cython minion modules Cython is an amazing tool used to compile Python modules down to c. This is arguably the fastest way to run Python code, and since pyzmq requires cython, adding support to salt for cython adds no new dependencies. Cython minion modules allow minion modules to be written in cython and therefore executed in compiled c. Simply write the salt module in cython and use the file extension “.pyx” and the minion module will be compiled when the minion is started. An example cython module is included in the main distribution called cytest.pyx: https://github.com/saltstack/salt/blob/develop/salt/modules/cytest.pyx Dynamic Returners By default salt returns command data back to the salt master, but now salt can return command data to any system. This is enabled via the new returners modules feature for salt. The returners modules take the return data and sends it to a specific module. The returner modules work like minion modules, so any returner can be added to the minions. This means that a custom data returner can be added to communicate the return data so anything from MySQL, Redis, MongoDB, and more! There are 2 simple stock returners in the returners directory: https://github.com/saltstack/salt/blob/develop/salt/returners The documentation on writing returners will be added to the wiki shortly, and returners can be written in pure Python, or in cython. Configurable Minion Modules Minion modules may need to be configured, now the options passed to the minion configuration file can be accessed inside of the minion modules via the __opt__ dict. Information on how to use this simple addition has been added to the wiki: Writing modules The test module has an example of using the __opts__ dict, and how to set default options: https://github.com/saltstack/salt/blob/develop/salt/modules/test.py Advanced Minion Threading In 0.7.0 the minion would block after receiving a command from the master, now the minion will spawn a thread or multiprocess. By default Python threads are used because for general use they have proved to be faster, but the minion can now be configured to use the Python multiprocessing module instead. Using multiprocessing will cause executions that are CPU bound or would otherwise exploit the negative aspects of the Python GIL to run faster and more reliably, but simple calls will still be faster with Python threading. The configuration option can be found in the minion configuration file: https://github.com/saltstack/salt/blob/develop/conf/minion Lowered Supported Python to 2.6 The requirement for Python 2.7 has been removed to support Python 2.6. I have received requests to take the minimum Python version back to 2.4, but unfortunately this will not be possible, since the ZeroMQ Python bindings do not support Python 2.4. Salt 0.8.0 is a very major update, it also changes the network protocol slightly which makes communication with older salt daemons impossible, your master and minions need to be upgraded together! I could use some help bringing salt to the people! Right now I only have packages for Arch Linux, Fedora 14 and Gentoo. We need packages for Debian and people willing to help test on more platforms. We also need help writing more minion modules and returner modules. If you want to contribute to salt please hop on the mailing list and send in patches, make a fork on GitHub and send in pull requests! If you want to help but are not sure where you can, please email me directly or post tot he mailing list! I hope you enjoy salt, while it is not yet 1.0 salt is completely viable and usable! -Thomas S. Hatch Salt 0.8.7 release notes It has been a month since salt 0.8.0, and it has been a long month! But Salt is still coming along strong. 0.8.7 has a lot of changes and a lot of updates. This update makes Salt’s ZeroMQ back end better, strips Facter from the dependencies, and introduces interfaces to handle more capabilities. Many of the major updates are in the background, but the changes should shine through to the surface. A number of the new features are still a little thin, but the back end to support expansion is in place. I also recently gave a presentation to the Utah Python users group in Salt Lake City, the slides from this presentation are available here: https://cloud.github.com/downloads/saltstack/salt/Salt.pdf The video from this presentation will be available shortly. The major new features and changes in Salt 0.8.7 are: • Revamp ZeroMQ topology on the master for better scalability • State enforcement • Dynamic state enforcement managers • Extract the module loader into salt.loader • Make Job ids more granular • Replace Facter functionality with the new salt grains interface • Support for “virtual” salt modules • Introduce the salt-call command • Better debugging for minion modules The new ZeroMQ topology allows for better scalability, this will be required by the need to execute massive file transfers to multiple machines in parallel and state management. The new ZeroMQ topology is available in the aforementioned presentation. 0.8.7 introduces the capability to declare states, this is similar to the capabilities of Puppet. States in salt are declared via state data structures. This system is very young, but the core feature set is available. Salt states work around rendering files which represent Salt high data. More on the Salt state system will be documented in the near future. The system for loading salt modules has been pulled out of the minion class to be a standalone module, this has enabled more dynamic loading of Salt modules and enables many of the updates in 0.8.7 – https://github.com/saltstack/salt/blob/develop/salt/loader.py Salt Job ids are now microsecond precise, this was needed to repair a race condition unveiled by the speed improvements in the new ZeroMQ topology. The new grains interface replaces the functionality of Facter, the idea behind grains differs from Facter in that the grains are only used for static system data, dynamic data needs to be derived from a call to a salt module. This makes grains much faster to use, since the grains data is generated when the minion starts. Virtual salt modules allows for a salt module to be presented as something other than its module name. The idea here is that based on information from the minion decisions about which module should be presented can be made. The best example is the pacman module. The pacman module will only load on Arch Linux minions, and will be called pkg. Similarly the yum module will be presented as pkg when the minion starts on a Fedora/RedHat system. The new salt-call command allows for minion modules to be executed from the minion. This means that on the minion a salt module can be executed, this is a great tool for testing Salt modules. The salt-call command can also be used to view the grains data. In previous releases when a minion module threw an exception very little data was returned to the master. Now the stack trace from the failure is returned making debugging of minion modules MUCH easier. Salt is nearing the goal of 1.0, where the core feature set and capability is complete! Salt 0.8.7 can be downloaded from GitHub here: https://cloud.github.com/downloads/saltstack/salt/salt-0.8.7.tar.gz -Thomas S Hatch Salt 0.8.8 release notes Salt 0.8.8 is here! This release adds a great deal of code and some serious new features. The latest release can be downloaded here: https://cloud.github.com/downloads/saltstack/salt/salt-0.8.8.tar.gz Improved Documentation has been set up for salt using sphinx thanks to the efforts of Seth House. This new documentation system will act as the back end to the salt website which is still under heavy development. The new sphinx documentation system has also been used to greatly clean up the salt manpages. The salt 7 manpage in particular now contains extensive information which was previously only in the wiki. The new documentation can be found at: http://docs.saltstack.com/ We still have a lot to add, and when the domain is set up I will post another announcement. More additions have been made to the ZeroMQ setup, particularly in the realm of file transfers. Salt 0.8.8 introduces a built in, stateless, encrypted file server which allows salt minions to download files from the salt master using the same encryption system used for all other salt communications. The main motivation for the salt file server has been to facilitate the new salt state system. Much of the salt code has been cleaned up and a new cleaner logging system has been introduced thanks to the efforts of Pedro Algarvio. These additions will allow for much more flexible logging to be executed by salt, and fixed a great deal of my poor spelling in the salt docstrings! Pedro Algarvio has also cleaned up the API, making it easier to embed salt into another application. The biggest addition to salt found in 0.8.8 is the new state system. The salt module system has received a new front end which allows salt to be used as a configuration management system. The configuration management system allows for system configuration to be defined in data structures. The configuration management system, or as it is called in salt, the “salt state system” supports many of the features found in other configuration managers, but allows for system states to be written in a far simpler format, executes at blazing speeds, and operates via the salt minion matching system. The state system also operates within the normal scope of salt, and requires no additional configuration to use. The salt state system can enforce the following states with many more to come: Packages Files Services Executing commands Hosts The system used to define the salt states is based on a data structure, the data structure used to define the salt states has been made to be as easy to use as possible. The data structure is defined by default using a YAML file rendered via a Jinja template. This means that the state definition language supports all of the data structures that YAML supports, and all of the programming constructs and logic that Jinja supports. If the user does not like YAML or Jinja the states can be defined in yaml-mako, json-jinja, or json-mako. The system used to render the states is completely dynamic, and any rendering system can be added to the capabilities of Salt, this means that a rendering system that renders XML data in a cheetah template, or whatever you can imagine, can be easily added to the capabilities of salt. The salt state system also supports isolated environments, as well as matching code from several environments to a single salt minion. The feature base for Salt has grown quite a bit since my last serious documentation push. As we approach 0.9.0 the goals are becoming very clear, and the documentation needs a lot of work. The main goals for 0.9.0 are to further refine the state system, fix any bugs we find, get Salt running on as many platforms as we can, and get the documentation filled out. There is a lot more to come as Salt moves forward to encapsulate a much larger scope, while maintaining supreme usability and simplicity. If you would like a more complete overview of Salt please watch the Salt presentation: Slides: https://cloud.github.com/downloads/saltstack/salt/Salt.pdf -Thomas S Hatch Salt 0.8.9 Release Notes Salt 0.8.9 has finally arrived! Unfortunately this is much later than I had hoped to release 0.8.9, life has been very crazy over the last month. But despite challenges, Salt has moved forward! This release, as expected, adds few new features and many refinements. One of the most exciting aspect of this release is that the development community for salt has grown a great deal and much of the code is from contributors. Also, I have filled out the documentation a great deal. So information on States is properly documented, and much of the documentation that was out of date has been filled in. Download! The Salt source can be downloaded from the salt GitHub site: https://cloud.github.com/downloads/saltstack/salt/salt-0.8.9.tar.gz Or from PyPI: https://pypi.python.org/packages/source/s/salt/salt-0.8.9.tar.gz Here s the md5sum: 7d5aca4633bc22f59045f59e82f43b56 For instructions on how to set up Salt please see the installation instructions. New Features Salt Run A big feature is the addition of Salt run, the salt-run command allows for master side execution modules to be made that gather specific information or execute custom routines from the master. Documentation for salt-run can be found here Refined Outputters One problem often complained about in salt was the fact that the output was so messy. Thanks to help from Jeff Schroeder a cleaner interface for the command output for the Salt CLI has been made. This new interface makes adding new printout formats easy and additions to the capabilities of minion modules makes it possible to set the printout mode or outputter for functions in minion modules. Cross Calling Salt Modules Salt modules can now call each other, the __salt__ dict has been added to the predefined references in minion modules. This new feature is documented in the modules documentation. Watch Option Added to Salt State System Now in Salt states you can set the watch option, this will allow watch enabled states to change based on a change in the other defined states. This is similar to subscribe and notify statements in puppet. Root Dir Option Travis Cline has added the ability to define the option root_dir which allows the salt minion to operate in a subdir. This is a strong move in supporting the minion running as an unprivileged user Config Files Defined in Variables Thanks again to Travis Cline, the master and minion configuration file locations can be defined in environment variables now. New Modules Quite a few new modules, states, returners, and runners have been made. New Minion Modules apt Support for apt-get has been added, this adds greatly improved Debian and Ubuntu support to Salt! useradd and groupadd Support for manipulating users and groups on Unix-like systems. moosefs Initial support for reporting on aspects of the distributed file system, MooseFS. For more information on MooseFS please see: http://www.moosefs.org Thanks to Joseph Hall for his work on MooseFS support. mount Manage mounts and the fstab. puppet Execute puppet on remote systems. shadow Manipulate and manage the user password file. ssh Interact with ssh keys. New States user and group Support for managing users and groups in Salt States. mount Enforce mounts and the fstab. New Returners mongo_return Send the return information to a MongoDB server. New Runners manage Display minions that are up or down. Salt 0.9.0 Release Notes release 2011-08-27 Salt 0.9.0 is here. This is an exciting release, 0.9.0 includes the new network topology features allowing peer salt commands and masters of masters via the syndic interface. 0.9.0 also introduces many more modules, improvements to the API and improvements to the ZeroMQ systems. Download! The Salt source can be downloaded from the salt GitHub site: https://cloud.github.com/downloads/saltstack/salt/salt-0.9.0.tar.gz Or from PyPI: https://pypi.python.org/packages/source/s/salt/salt-0.9.0.tar.gz Here is the md5sum: 9a925da04981e65a0f237f2e77ddab37 For instructions on how to set up Salt please see the installation instructions. New Features Salt Syndic The new Syndic interface allows a master to be commanded via another higher level salt master. This is a powerful solution allowing a master control structure to exist, allowing salt to scale to much larger levels then before. Peer Communication 0.9.0 introduces the capability for a minion to call a publication on the master and receive the return from another set of minions. This allows salt to act as a communication channel between minions and as a general infrastructure message bus. Peer communication is turned off by default but can be enabled via the peer option in the master configuration file. Documentation on the new Peer interface. Easily Extensible API The minion and master classes have been redesigned to allow for specialized minion and master servers to be easily created. An example on how this is done for the master can be found in the master.py salt module: https://github.com/saltstack/salt/blob/develop/salt/master.py The Master class extends the SMaster class and set up the main master server. The minion functions can now also be easily added to another application via the SMinion class, this class can be found in the minion.py module: https://github.com/saltstack/salt/blob/develop/salt/minion.py Cleaner Key Management This release changes some of the key naming to allow for multiple master keys to be held based on the type of minion gathering the master key. The -d option has also been added to the salt-key command allowing for easy removal of accepted public keys. The --gen-keys option is now available as well for salt-key, this allows for a salt specific RSA key pair to be easily generated from the command line. Improved 0MQ Master Workers The 0MQ worker system has been further refined to be faster and more robust. This new system has been able to handle a much larger load than the previous setup. The new system uses the IPC protocol in 0MQ instead of TCP. New Modules Quite a few new modules have been made. New Minion Modules apache Work directly with apache servers, great for managing balanced web servers cron Read out the contents of a systems crontabs mdadm Module to manage raid devices in Linux, appears as the raid module mysql Gather simple data from MySQL databases ps Extensive utilities for managing processes publish Used by the peer interface to allow minions to make publications Salt 0.9.1 Release Notes release 2011-08-29 Salt 0.9.2 Release Notes release 2011-09-17 Salt 0.9.2 has arrived! 0.9.2 is primarily a bugfix release, the exciting component in 0.9.2 is greatly improved support for salt states. All of the salt states interfaces have been more thoroughly tested and the new salt-states git repo is growing with example of how to use states. This release introduces salt states for early developers and testers to start helping us clean up the states interface and make it ready for the world! 0.9.2 also fixes a number of bugs found on Python 2.6. Download! The Salt source can be downloaded from the salt GitHub site: https://cloud.github.com/downloads/saltstack/salt/salt-0.9.2.tar.gz Or from PyPI: https://pypi.python.org/packages/source/s/salt/salt-0.9.2.tar.gz For instructions on how to set up Salt please see the installation instructions. New Features Salt-Call Additions The salt-call command has received an overhaul, it now hooks into the outputter system so command output looks clean, and the logging system has been hooked into salt-call, so the -l option allows the logging output from salt minion functions to be displayed. The end result is that the salt-call command can execute the state system and return clean output: # salt-call state.highstate State System Fixes The state system has been tested and better refined. As of this release the state system is ready for early testers to start playing with. If you are interested in working with the state system please check out the (still very small) salt-states GitHub repo: https://github.com/saltstack/salt-states This git repo is the active development branch for determining how a clean salt-state database should look and act. Since the salt state system is still very young a lot of help is still needed here. Please fork the salt-states repo and help us develop a truly large and scalable system for configuration management! Notable Bug Fixes Python 2.6 String Formatting Python 2.6 does not support format strings without an index identifier, all of them have been repaired. Cython Loading Disabled by Default Cython loading requires a development tool chain to be installed on the minion, requiring this by default can cause problems for most Salt deployments. If Cython auto loading is desired it will need to be turned on in the minion config. Salt 0.9.3 Release Notes release 2011-11-05 Salt 0.9.3 is finally arrived. This is another big step forward for Salt, new features range from proper FreeBSD support to fixing issues seen when attaching a minion to a master over the Internet. The biggest improvements in 0.9.3 though can be found in the state system, it has progressed from something ready for early testers to a system ready to compete with platforms such as Puppet and Chef. The backbone of the state system has been greatly refined and many new features are available. Download! The Salt source can be downloaded from the salt GitHub site: https://cloud.github.com/downloads/saltstack/salt/salt-0.9.3.tar.gz Or from PyPI: https://pypi.python.org/packages/source/s/salt/salt-0.9.3.tar.gz For instructions on how to set up Salt please see the installation instructions. New Features WAN Support Recently more people have been testing Salt minions connecting to Salt Masters over the Internet. It was found that Minions would commonly loose their connection to the master when working over the internet. The minions can now detect if the connection has been lost and reconnect to the master, making WAN connections much more reliable. State System Fixes Substantial testing has gone into the state system and it is ready for real world usage. A great deal has been added to the documentation for states and the modules and functions available to states have been cleanly documented. A number of State System bugs have also been founds and repaired, the output from the state system has also been refined to be extremely clear and concise. Error reporting has also been introduced, issues found in sls files will now be clearly reported when executing Salt States. Extend Declaration The Salt States have also gained the extend declaration. This declaration allows for states to be cleanly modified in a post environment. Simply said, if there is an apache.sls file that declares the apache service, then another sls can include apache and then extend it: include: - apache extend: apache: service: - require: - pkg: mod_python mod_python: pkg: - installed The notable behavior with the extend functionality is that it literally extends or overwrites a declaration set up in another sls module. This means that Salt will behave as though the modifications were made directly to the apache sls. This ensures that the apache service in this example is directly tied to all requirements. Highstate Structure Specification This release comes with a clear specification of the Highstate data structure that is used to declare Salt States. This specification explains everything that can be declared in the Salt SLS modules. The specification is extremely simple, and illustrates how Salt has been able to fulfill the requirements of a central configuration manager within a simple and easy to understand format and specification. SheBang Renderer Switch It came to our attention that having many renderers means that there may be a situation where more than one State Renderer should be available within a single State Tree. The method chosen to accomplish this was something already familiar to developers and systems administrators, a SheBang. The Python State Renderer displays this new capability. Python State Renderer Until now Salt States could only be declared in yaml or json using Jinja or Mako. A new, very powerful, renderer has been added, making it possible to write Salt States in pure Python: #!py def run(): ''' Install the python-mako package ''' return {'include': ['python'], 'python-mako': {'pkg': ['installed']}} This renderer is used by making a run function that returns the Highstate data structure. Any capabilities of Python can be used in pure Python sls modules. This example of a pure Python sls module is the same as this example in yaml: include: - python python-mako: pkg: - installed FreeBSD Support Additional support has been added for FreeBSD, this is Salt's first branch out of the Linux world and proves the viability of Salt on non-Linux platforms. Salt remote execution already worked on FreeBSD, and should work without issue on any Unix-like platform. But this support comes in the form of package management and user support, so Salt States also work on FreeBSD now. The new freebsdpkg module provides package management support for FreeBSD and the new pw_user and pw_group provide user and group management. Module and State Additions Cron Support Support for managing the system crontab has been added, declaring a cron state can be done easily: date > /tmp/datestamp: cron: - present - user: fred - minute: 5 - hour: 3 File State Additions The file state has been given a number of new features, primarily the directory, recurse, symlink, and absent functions. file.directory Make sure that a directory exists and has the right permissions. /srv/foo: file: - directory - user: root - group: root - mode: 1755 file.symlink Make a symlink. /var/lib/www: file: - symlink - target: /srv/www - force: True file.recurse The recurse state function will recursively download a directory on the master file server and place it on the minion. Any change in the files on the master will be pushed to the minion. The recurse function is very powerful and has been tested by pushing out the full Linux kernel source. /opt/code: file: - recurse - source: salt://linux file.absent Make sure that the file is not on the system, recursively deletes directories, files, and symlinks. /etc/httpd/conf.d/somebogusfile.conf: file: - absent Sysctl Module and State The sysctl module and state allows for sysctl components in the kernel to be managed easily. the sysctl module contains the following functions: sysctl.show Return a list of sysctl parameters for this minion sysctl.get Return a single sysctl parameter for this minion sysctl.assign Assign a single sysctl parameter for this minion sysctl.persist Assign and persist a simple sysctl parameter for this minion The sysctl state allows for sysctl parameters to be assigned: vm.swappiness: sysctl: - present - value: 20 Kernel Module Management A module for managing Linux kernel modules has been added. The new functions are as follows: kmod.available Return a list of all available kernel modules kmod.check_available Check to see if the specified kernel module is available kmod.lsmod Return a dict containing information about currently loaded modules kmod.load Load the specified kernel module kmod.remove Unload the specified kernel module The kmod state can enforce modules be either present or absent: kvm_intel: kmod: - present Ssh Authorized Keys The ssh_auth state can distribute ssh authorized keys out to minions. Ssh authorized keys can be present or absent. AAAAB3NzaC1kc3MAAACBAL0sQ9fJ5bYTEyYvlRBsJdDOo49CNfhlWHWXQRqul6rwL4KIuPrhY7hBw0tV7UNC7J9IZRNO4iGod9C+OYutuWGJ2x5YNf7P4uGhH9AhBQGQ4LKOLxhDyT1OrDKXVFw3wgY3rHiJYAbd1PXNuclJHOKL27QZCRFjWSEaSrUOoczvAAAAFQD9d4jp2dCJSIseSkk4Lez3LqFcqQAAAIAmovHIVSrbLbXAXQE8eyPoL9x5C+x2GRpEcA7AeMH6bGx/xw6NtnQZVMcmZIre5Elrw3OKgxcDNomjYFNHuOYaQLBBMosyO++tJe1KTAr3A2zGj2xbWO9JhEzu8xvSdF8jRu0N5SRXPpzSyU4o1WGIPLVZSeSq1VFTHRT4lXB7PQAAAIBXUz6ZO0bregF5xtJRuxUN583HlfQkXvxLqHAGY8WSEVlTnuG/x75wolBDbVzeTlxWxgxhafj7P6Ncdv25Wz9wvc6ko/puww0b3rcLNqK+XCNJlsM/7lB8Q26iK5mRZzNsGeGwGTyzNIMBekGYQ5MRdIcPv5dBIP/1M6fQDEsAXQ==: ssh_auth: - present - user: frank - enc: dsa - comment: 'Frank's key' Salt 0.9.4 Release Notes release 2011-11-27 Salt 0.9.4 has arrived. This is a critical update that repairs a number of key bugs found in 0.9.3. But this update is not without feature additions as well! 0.9.4 adds support for Gentoo portage to the pkg module and state system. Also there are 2 major new state additions, the failhard option and the ability to set up finite state ordering with the order option. This release also sees our largest increase in community contributions. These contributors have and continue to be the life blood of the Salt project, and the team continues to grow. I want to put out a big thanks to our new and existing contributors. Download! The Salt source can be downloaded from the salt GitHub site: https://cloud.github.com/downloads/saltstack/salt/salt-0.9.4.tar.gz Or from PyPI: https://pypi.python.org/packages/source/s/salt/salt-0.9.4.tar.gz For instructions on how to set up Salt please see the installation instructions. New Features Failhard State Option Normally, when a state fails Salt continues to execute the remainder of the defined states and will only refuse to execute states that require the failed state. But the situation may exist, where you would want all state execution to stop if a single state execution fails. The capability to do this is called failing hard. State Level Failhard A single state can have a failhard set, this means that if this individual state fails that all state execution will immediately stop. This is a great thing to do if there is a state that sets up a critical config file and setting a require for each state that reads the config would be cumbersome. A good example of this would be setting up a package manager early on: /etc/yum.repos.d/company.repo: file: - managed - source: salt://company/yumrepo.conf - user: root - group: root - mode: 644 - order: 1 - failhard: True In this situation, the yum repo is going to be configured before other states, and if it fails to lay down the config file, than no other states will be executed. Global Failhard It may be desired to have failhard be applied to every state that is executed, if this is the case, then failhard can be set in the master configuration file. Setting failhard in the master configuration file will result in failing hard when any minion gathering states from the master have a state fail. This is NOT the default behavior, normally Salt will only fail states that require a failed state. Using the global failhard is generally not recommended, since it can result in states not being executed or even checked. It can also be confusing to see states failhard if an admin is not actively aware that the failhard has been set. To use the global failhard set failhard: True in the master configuration Finite Ordering of State Execution When creating salt sls files, it is often important to ensure that they run in a specific order. While states will always execute in the same order, that order is not necessarily defined the way you want it. A few tools exist in Salt to set up the correct state ordering, these tools consist of requisite declarations and order options. The Order Option Before using the order option, remember that the majority of state ordering should be done with requisite statements, and that a requisite statement will override an order option. The order option is used by adding an order number to a state declaration with the option order: vim: pkg: - installed - order: 1 By adding the order option to 1 this ensures that the vim package will be installed in tandem with any other state declaration set to the order 1. Any state declared without an order option will be executed after all states with order options are executed. But this construct can only handle ordering states from the beginning. Sometimes you may want to send a state to the end of the line, to do this set the order to last: vim: pkg: - installed - order: last Substantial testing has gone into the state system and it is ready for real world usage. A great deal has been added to the documentation for states and the modules and functions available to states have been cleanly documented. A number of State System bugs have also been founds and repaired, the output from the state system has also been refined to be extremely clear and concise. Error reporting has also been introduced, issues found in sls files will now be clearly reported when executing Salt States. Gentoo Support Additional experimental support has been added for Gentoo. This is found in the contribution from Doug Renn, aka nestegg. Salt 0.9.5 Release Notes release 2012-01-15 Salt 0.9.5 is one of the largest steps forward in the development of Salt. 0.9.5 comes with many milestones, this release has seen the community of developers grow out to an international team of 46 code contributors and has many feature additions, feature enhancements, bug fixes and speed improvements. WARNING: Be sure to read the upgrade instructions about the switch to msgpack before upgrading! Community Nothing has proven to have more value to the development of Salt that the outstanding community that has been growing at such a great pace around Salt. This has proven not only that Salt has great value, but also the expandability of Salt is as exponential as I originally intended. 0.9.5 has received over 600 additional commits since 0.9.4 with a swath of new committers. The following individuals have contributed to the development of 0.9.5: • Aaron Bull Schaefer • Antti Kaihola • Bas Tichelaar • Brad Barden • Brian Wagner • Byron Clark • Chris Scheller • Christer Edwards • Clint Savage • Corey Quinn • David Boucha • Eivind Uggedal • Eric Poelke • Evan Borgstrom • Jed Glazner • Jeff Schroeder • Jeffrey C. Ollie • Jonas Buckner • Kent Tenney • Martin Schnabel • Maxim Burgerhout • Mitch Anderson • Nathaniel Whiteinge • Seth House • Thomas S Hatch • Thomas Schreiber • Tor Hveem • lzyeval • syphernl This makes 21 new developers since 0.9.4 was released! To keep up with the growing community follow Salt on Ohloh (http://www.ohloh.net/p/salt), to join the Salt development community, fork Salt on GitHub, and get coding (‐ https://github.com/saltstack/salt)! Major Features SPEED! Pickle to msgpack For a few months now we have been talking about moving away from Python pickles for network serialization, but a preferred serialization format had not yet been found. After an extensive performance testing period involving everything from JSON to protocol buffers, a clear winner emerged. Message Pack (http://msgpack.org/) proved to not only be the fastest and most compact, but also the most "salt like". Message Pack is simple, and the code involved is very small. The msgpack library for Python has been added directly to Salt. This move introduces a few changes to Salt. First off, Salt is no longer a "noarch" package, since the msgpack lib is written in C. Salt 0.9.5 will also have compatibility issues with 0.9.4 with the default configuration. We have gone through great lengths to avoid backwards compatibility issues with Salt, but changing the serialization medium was going to create issues regardless. Salt 0.9.5 is somewhat backwards compatible with earlier minions. A 0.9.5 master can command older minions, but only if the serial config value in the master is set to pickle. This will tell the master to publish messages in pickle format and will allow the master to receive messages in both msgpack and pickle formats. Therefore the suggested methods for upgrading are either to just upgrade everything at once, or: 1. Upgrade the master to 0.9.5 2. Set serial to pickle in the master config 3. Upgrade the minions 4. Remove the serial option from the master config Since pickles can be used as a security exploit the ability for a master to accept pickles from minions at all will be removed in a future release. C Bindings for YAML All of the YAML rendering is now done with the YAML C bindings. This speeds up all of the sls files when running states. Experimental Windows Support David Boucha has worked tirelessly to bring initial support to Salt for Microsoft Windows operating systems. Right now the Salt Minion can run as a native Windows service and accept commands. In the weeks and months to come Windows will receive the full treatment and will have support for Salt States and more robust support for managing Windows systems. This is a big step forward for Salt to move entirely outside of the Unix world, and proves Salt is a viable cross platform solution. Big Thanks to Dave for his contribution here! Dynamic Module Distribution Many Salt users have expressed the desire to have Salt distribute in-house modules, states, renderers, returners, and grains. This support has been added in a number of ways: Modules via States Now when salt modules are deployed to a minion via the state system as a file, then the modules will be automatically loaded into the active running minion - no restart required - and into the active running state. So custom state modules can be deployed and used in the same state run. Modules via Module Environment Directories Under the file_roots each environment can now have directories that are used to deploy large groups of modules. These directories sync modules at the beginning of a state run on the minion, or can be manually synced via the Salt module salt.modules.saltutil.sync_all. The directories are named: • _modules • _states • _grains • _renderers • _returners The modules are pushed to their respective scopes on the minions. Module Reloading Modules can now be reloaded without restarting the minion, this is done by calling the salt.modules.sys.reload_modules function. But wait, there's more! Now when a salt module of any type is added via states the modules will be automatically reloaded, allowing for modules to be laid down with states and then immediately used. Finally, all modules are reloaded when modules are dynamically distributed from the salt master. Enable / Disable Added to Service A great deal of demand has existed for adding the capability to set services to be started at boot in the service module. This feature also comes with an overhaul of the service modules and initial systemd support. This means that the service state can now accept - enable: True to make sure a service is enabled at boot, and - enable: False to make sure it is disabled. Compound Target A new target type has been added to the lineup, the compound target. In previous versions the desired minions could only be targeted via a single specific target type, but now many target specifications can be declared. These targets can also be separated by and/or operators, so certain properties can be used to omit a node: salt -C 'webserv* and G@os:Debian or E@db.*' test.ping will match all minions with ids starting with webserv via a glob and minions matching the os:Debian grain. Or minions that match the db.* regular expression. Node Groups Often the convenience of having a predefined group of minions to execute targets on is desired. This can be accomplished with the new nodegroups feature. Nodegroups allow for predefined compound targets to be declared in the master configuration file: nodegroups: group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com' group2: 'G@os:Debian and foo.domain.com' And then used via the -N option: salt -N group1 test.ping Minion Side Data Store The data module introduces the initial approach into storing persistent data on the minions, specific to the minions. This allows for data to be stored on minions that can be accessed from the master or from the minion. The Minion datastore is young, and will eventually provide an interface similar to a more mature key/value pair server. Major Grains Improvement The Salt grains have been overhauled to include a massive amount of extra data. this includes hardware data, os data and salt specific data. Salt -Q is Useful Now In the past the salt query system, which would display the data from recent executions would be displayed in pure Python, and it was unreadable. 0.9.5 has added the outputter system to the -Q option, thus enabling the salt query system to return readable output. Packaging Updates Huge strides have been made in packaging Salt for distributions. These additions are thanks to our wonderful community where the work to set up packages has proceeded tirelessly. FreeBSD Salt on FreeBSD? There a port for that: http://svnweb.freebsd.org/ports/head/sysutils/py-salt/ This port was developed and added by Christer Edwards. This also marks the first time Salt has been included in an upstream packaging system! Fedora and Red Hat Enterprise Salt packages have been prepared for inclusion in the Fedora Project and in EPEL for Red Hat Enterprise 5 and 6. These packages are the result of the efforts made by Clint Savage (herlo). Debian/Ubuntu A team of many contributors have assisted in developing packages for Debian and Ubuntu. Salt is still actively seeking inclusion in upstream Debian and Ubuntu and the package data that has been prepared is being pushed through the needed channels for inclusion. These packages have been prepared with the help of: • Corey • Aaron Toponce • and` More to Come We are actively seeking inclusion in more distributions. Primarily getting Salt into Gentoo, SUSE, OpenBSD, and preparing Solaris support are all turning into higher priorities. Refinement Salt continues to be refined into a faster, more stable and more usable application. 0.9.5 comes with more debug logging, more bug fixes and more complete support. More Testing, More BugFixes 0.9.5 comes with more bugfixes due to more testing than any previous release. The growing community and the introduction a a dedicated QA environment have unearthed many issues that were hiding under the covers. This has further refined and cleaned the state interface, taking care of things from minor visual issues to repairing misleading data. Custom Exceptions A custom exception module has been added to throw salt specific exceptions. This allows Salt to give much more granular error information. New Modules data The new data module manages a persistent datastore on the minion. Big thanks to bastichelaar for his help refining this module freebsdkmod FreeBSD kernel modules can now be managed in the same way Salt handles Linux kernel modules. This module was contributed thanks to the efforts of Christer Edwards gentoo_service Support has been added for managing services in Gentoo. Now Gentoo services can be started, stopped, restarted, enabled, disabled, and viewed. pip The pip module introduces management for pip installed applications. Thanks goes to whitinge for the addition of the pip module rh_service The rh_service module enables Red Hat and Fedora specific service management. Now Red Hat like systems come with extensive management of the classic init system used by Red Hat saltutil The saltutil module has been added as a place to hold functions used in the maintenance and management of salt itself. Saltutil is used to salt the salt minion. The saltutil module is presently used only to sync extension modules from the master server. systemd Systemd support has been added to Salt, now systems using this next generation init system are supported on systems running systemd. virtualenv The virtualenv module has been added to allow salt to create virtual Python environments. Thanks goes to whitinge for the addition of the virtualenv module win_disk Support for gathering disk information on Microsoft Windows minions The windows modules come courtesy of Utah_Dave win_service The win_service module adds service support to Salt for Microsoft Windows services win_useradd Salt can now manage local users on Microsoft Windows Systems yumpkg5 The yumpkg module introduces in 0.9.4 uses the yum API to interact with the yum package manager. Unfortunately, on Red Hat 5 systems salt does not have access to the yum API because the yum API is running under Python 2.4 and Salt needs to run under Python 2.6. The yumpkg5 module bypasses this issue by shelling out to yum on systems where the yum API is not available. New States mysql_database The new mysql_database state adds the ability to systems running a mysql server to manage the existence of mysql databases. The mysql states are thanks to syphernl mysql_user The mysql_user state enables mysql user management. virtualenv The virtualenv state can manage the state of Python virtual environments. Thanks to Whitinge for the virtualenv state New Returners cassandra_returner A returner allowing Salt to send data to a cassandra server. Thanks to Byron Clark for contributing this returner Salt 0.9.6 Release Notes release 2012-01-21 Salt 0.9.6 is a release targeting a few bugs and changes. This is primarily targeting an issue found in the names declaration in the state system. But a few other bugs were also repaired, like missing support for grains in extmods. Due to a conflict in distribution packaging msgpack will no longer be bundled with Salt, and is required as a dependency. New Features HTTP and ftp support in files.managed Now under the source option in the file.managed state a HTTP or ftp address can be used instead of a file located on the salt master. Allow Multiple Returners Now the returner interface can define multiple returners, and will also return data back to the master, making the process less ambiguous. Minion Memory Improvements A number of modules have been taken out of the minion if the underlying systems required by said modules are not present on the minion system. A number of other modules need to be stripped out in this same way which should continue to make the minion more efficient. Minions Can Locally Cache Return Data A new option, cache_jobs, has been added to the minion to allow for all of the historically run jobs to cache on the minion, allowing for looking up historic returns. By default cache_jobs is set to False. Pure Python Template Support For file.managed Templates in the file.managed state can now be defined in a Python script. This script needs to have a run function that returns the string that needs to be in the named file. Salt 0.9.7 Release Notes release 2012-02-15 Salt 0.9.7 is here! The latest iteration of Salt brings more features and many fixes. This release is a great refinement over 0.9.6, adding many conveniences under the hood, as well as some features that make working with Salt much better. A few highlights include the new Job system, refinements to the requisite system in states, the mod_init interface for states, external node classification, search path to managed files in the file state, and refinements and additions to dynamic module loading. 0.9.7 also introduces the long developed (and oft changed) unit test framework and the initial unit tests. Major Features Salt Jobs Interface The new jobs interface makes the management of running executions much cleaner and more transparent. Building on the existing execution framework the jobs system allows clear introspection into the active running state of the running Salt interface. The Jobs interface is centered in the new minion side proc system. The minions now store msgpack serialized files under /var/cache/salt/proc. These files keep track of the active state of processes on the minion. Functions in the saltutil Module A number of functions have been added to the saltutil module to manage and view the jobs: running - Returns the data of all running jobs that are found in the proc directory. find_job - Returns specific data about a certain job based on job id. signal_job - Allows for a given jid to be sent a signal. term_job - Sends a termination signal (SIGTERM, 15) to the process controlling the specified job. kill_job Sends a kill signal (SIGKILL, 9) to the process controlling the specified job. The jobs Runner A convenience runner front end and reporting system has been added as well. The jobs runner contains functions to make viewing data easier and cleaner. The jobs runner contains a number of functions... active The active function runs saltutil.running on all minions and formats the return data about all running jobs in a much more usable and compact format. The active function will also compare jobs that have returned and jobs that are still running, making it easier to see what systems have completed a job and what systems are still being waited on. lookup_jid When jobs are executed the return data is sent back to the master and cached. By default is is cached for 24 hours, but this can be configured via the keep_jobs option in the master configuration. Using the lookup_jid runner will display the same return data that the initial job invocation with the salt command would display. list_jobs Before finding a historic job, it may be required to find the job id. list_jobs will parse the cached execution data and display all of the job data for jobs that have already, or partially returned. External Node Classification Salt can now use external node classifiers like Cobbler's cobbler-ext-nodes. Salt uses specific data from the external node classifier. In particular the classes value denotes which sls modules to run, and the environment value sets to another environment. An external node classification can be set in the master configuration file via the external_nodes option: http://salt.readthedocs.org/en/latest/ref/configuration/master.html#external-nodes External nodes are loaded in addition to the top files. If it is intended to only use external nodes, do not deploy any top files. State Mod Init System An issue arose with the pkg state. Every time a package was run Salt would need to refresh the package database. This made systems with slower package metadata refresh speeds much slower to work with. To alleviate this issue the mod_init interface has been added to salt states. The mod_init interface is a function that can be added to a state file. This function is called with the first state called. In the case of the pkg state, the mod_init function sets up a tag which makes the package database only refresh on the first attempt to install a package. In a nutshell, the mod_init interface allows a state to run any command that only needs to be run once, or can be used to set up an environment for working with the state. Source File Search Path The file state continues to be refined, adding speed and capabilities. This release adds the ability to pass a list to the source option. This list is then iterated over until the source file is found, and the first found file is used. The new syntax looks like this: /etc/httpd/conf/httpd.conf: file: - managed - source: - salt://httpd/httpd.conf - http://myserver/httpd.conf: md5=8c1fe119e6f1fd96bc06614473509bf1 The source option can take sources in the list from the salt file server as well as an arbitrary web source. If using an arbitrary web source the checksum needs to be passed as well for file verification. Refinements to the Requisite System A few discrepancies were still lingering in the requisite system, in particular, it was not possible to have a require and a watch requisite declared in the same state declaration. This issue has been alleviated, as well as making the requisite system run more quickly. Initial Unit Testing Framework Because of the module system, and the need to test real scenarios, the development of a viable unit testing system has been difficult, but unit testing has finally arrived. Only a small amount of unit testing coverage has been developed, much more coverage will be in place soon. A huge thanks goes out to those who have helped with unit testing, and the contributions that have been made to get us where we are. Without these contributions unit tests would still be in the dark. Compound Targets Expanded Originally only support for and and or were available in the compound target. 0.9.7 adds the capability to negate compound targets with not. Nodegroups in the Top File Previously the nodegroups defined in the master configuration file could not be used to match nodes for states. The nodegroups support has been expanded and the nodegroups defined in the master configuration can now be used to match minions in the top file. Salt 0.9.8 Release Notes release 2012-03-21 Salt 0.9.8 is a big step forward, with many additions and enhancements, as well as a number of precursors to advanced future developments. This version of Salt adds much more power to the command line, making the old hard timeout issues a thing of the past and adds keyword argument support. These additions are also available in the salt client API, making the available API tools much more powerful. The new pillar system allows for data to be stored on the master and assigned to minions in a granular way similar to the state system. It also allows flexibility for users who want to keep data out of their state tree similar to 'external lookup' functionality in other tools. A new way to extend requisites was added, the "requisite in" statement. This makes adding requires or watch statements to external state decs much easier. Additions to requisites making them much more powerful have been added as well as improved error checking for sls files in the state system. A new provider system has been added to allow for redirecting what modules run in the background for individual states. Support for OpenSUSE has been added and support for Solaris has begun serious development. Windows support has been significantly enhanced as well. The matcher and target systems have received a great deal of attention. The default behavior of grain matching has changed slightly to reflect the rest of salt and the compound matcher system has been refined. A number of impressive features with keyword arguments have been added to both the CLI and to the state system. This makes states much more powerful and flexible while maintaining the simple configuration everyone loves. The new batch size capability allows for executions to be rolled through a group of targeted minions a percentage or specific number at a time. This was added to prevent the "thundering herd" problem when targeting large numbers of minions for things like service restarts or file downloads. Upgrade Considerations Upgrade Issues There was a previously missed oversight which could cause a newer minion to crash an older master. That oversight has been resolved so the version incompatibility issue will no longer occur. When upgrading to 0.9.8 make sure to upgrade the master first, followed by the minions. Debian/Ubuntu Packages The original Debian/Ubuntu packages were called salt and included all salt applications. New packages in the ppa are split by function. If an old salt package is installed then it should be manually removed and the new split packages need to be freshly installed. On the master: # apt-get purge salt # apt-get install salt-{master,minion} On the minions: # apt-get purge salt # apt-get install salt-minion And on any Syndics: # apt-get install salt-syndic The official Salt PPA for Ubuntu is located at: https://launchpad.net/~saltstack/+archive/salt Major Features Pillar Pillar offers an interface to declare variable data on the master that is then assigned to the minions. The pillar data is made available to all modules, states, sls files etc. It is compiled on the master and is declared using the existing renderer system. This means that learning pillar should be fairly trivial to those already familiar with salt states. CLI Additions The salt command has received a serious overhaul and is more powerful than ever. Data is returned to the terminal as it is received, and the salt command will now wait for all running minions to return data before stopping. This makes adding very large --timeout arguments completely unnecessary and gets rid of long running operations returning empty {} when the timeout is exceeded. When calling salt via sudo, the user originally running salt is saved to the log for auditing purposes. This makes it easy to see who ran what by just looking through the minion logs. The salt-key command gained the -D and --delete-all arguments for removing all keys. Be careful with this one! Running States Without a Master The addition of running states without a salt-master has been added to 0.9.8. This feature allows for the unmodified salt state tree to be read locally from a minion. The result is that the UNMODIFIED state tree has just become portable, allowing minions to have a local copy of states or to manage states without a master entirely. This is accomplished via the new file client interface in Salt that allows for the salt:// URI to be redirected to custom interfaces. This means that there are now two interfaces for the salt file server, calling the master or looking in a local, minion defined file_roots. This new feature can be used by modifying the minion config to point to a local file_roots and setting the file_client option to local. Keyword Arguments and States State modules now accept the **kwargs argument. This results in all data in a sls file assigned to a state being made available to the state function. This passes data in a transparent way back to the modules executing the logic. In particular, this allows adding arguments to the pkg.install module that enable more advanced and granular controls with respect to what the state is capable of. An example of this along with the new debconf module for installing ldap client packages on Debian: ldap-client-packages: pkg: - debconf: salt://debconf/ldap-client.ans - installed - names: - nslcd - libpam-ldapd - libnss-ldapd Keyword Arguments and the CLI In the past it was required that all arguments be passed in the proper order to the salt and salt-call commands. As of 0.9.8, keyword arguments can be passed in the form of kwarg=argument. # salt -G 'type:dev' git.clone \ repository=https://github.com/saltstack/salt.git cwd=/tmp/salt user=jeff Matcher Refinements and Changes A number of fixes and changes have been applied to the Matcher system. The most noteworthy is the change in the grain matcher. The grain matcher used to use a regular expression to match the passed data to a grain, but now defaults to a shell glob like the majority of match interfaces in Salt. A new option is available that still uses the old style regex matching to grain data called grain-pcre. To use regex matching in compound matches use the letter P. For example, this would match any ArchLinux or Fedora minions: # salt --grain-pcre 'os:(Arch:Fed).*' test.ping And the associated compound matcher suitable for top.sls is P: P@os:(Arch|Fed).* NOTE: Changing the grains matcher from pcre to glob is backwards incompatible. Support has been added for matching minions with Yahoo's range library. This is handled by passing range syntax with -R or --range arguments to salt. More information at: https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec Requisite in A new means to updating requisite statements has been added to make adding watchers and requires to external states easier. Before 0.9.8 the only way to extend the states that were watched by a state outside of the sls was to use an extend statement: include: - http extend: apache: service: - watch: - pkg: tomcat tomcat: pkg: - installed But the new Requisite in statement allows for easier extends for requisites: include: - http tomcat: pkg: - installed - watch_in: - service: apache Requisite in is part of the extend system, so still remember to always include the sls that is being extended! Providers Salt predetermines what modules should be mapped to what uses based on the properties of a system. These determinations are generally made for modules that provide things like package and service management. The apt module maps to pkg on Debian and the yum module maps to pkg on Fedora for instance. Sometimes in states, it may be necessary for a non-default module to be used for the desired functionality. For instance, an Arch Linux system may have been set up with systemd support. Instead of using the default service module detected for Arch Linux, the systemd module can be used: http: service: - running - enable: True - provider: systemd Default providers can also be defined in the minion config file: providers: service: systemd When default providers are passed in the minion config, then those providers will be applied to all functionality in Salt, this means that the functions called by the minion will use these modules, as well as states. Requisite Glob Matching Requisites can now be defined with glob expansion. This means that if there are many requisites, they can be defined on a single line. To watch all files in a directory: http: service: - running - enable: True - watch: - file: /etc/http/conf.d/* This example will watch all defined files that match the glob /etc/http/conf.d/* Batch Size The new batch size option allows commands to be executed while maintaining that only so many hosts are executing the command at one time. This option can take a percentage or a finite number: salt '*' -b 10 test.ping salt -G 'os:RedHat' --batch-size 25% apache.signal restart This will only run test.ping on 10 of the targeted minions at a time and then restart apache on 25% of the minions matching os:RedHat at a time and work through them all until the task is complete. This makes jobs like rolling web server restarts behind a load balancer or doing maintenance on BSD firewalls using carp much easier with salt. Module Updates This is a list of notable, but non-exhaustive updates with new and existing modules. Windows support has seen a flurry of support this release cycle. We've gained all new file, network, and shadow modules. Please note that these are still a work in progress. For our ruby users, new rvm and gem modules have been added along with the associated states The virt module gained basic Xen support. The yum module gained Scientific Linux support. The pkg module on Debian, Ubuntu, and derivatives force apt to run in a non-interactive mode. This prevents issues when package installation waits for confirmation. A pkg module for OpenSUSE's zypper was added. The service module on Ubuntu natively supports upstart. A new debconf module was contributed by our community for more advanced control over deb package deployments on Debian based distributions. The mysql.user state and mysql module gained a password_hash argument. The cmd module and state gained a shell keyword argument for specifying a shell other than /bin/sh on Linux / Unix systems. New git and mercurial modules have been added for fans of distributed version control. In Progress Development Master Side State Compiling While we feel strongly that the advantages gained with minion side state compiling are very critical, it does prevent certain features that may be desired. 0.9.8 has support for initial master side state compiling, but many more components still need to be developed, it is hoped that these can be finished for 0.9.9. The goal is that states can be compiled on both the master and the minion allowing for compilation to be split between master and minion. Why will this be great? It will allow storing sensitive data on the master and sending it to some minions without all minions having access to it. This will be good for handling ssl certificates on front-end web servers for instance. Solaris Support Salt 0.9.8 sees the introduction of basic Solaris support. The daemon runs well, but grains and more of the modules need updating and testing. Windows Support Salt states on windows are now much more viable thanks to contributions from our community! States for file, service, local user, and local group management are more fully fleshed out along with network and disk modules. Windows users can also now manage registry entries using the new "reg" module. Salt 0.9.9 Release Notes release 2012-04-27 0.9.9 is out and comes with some serious bug fixes and even more serious features. This release is the last major feature release before 1.0.0 and could be considered the 1.0.0 release candidate. A few updates include more advanced kwargs support, the ability for salt states to more safely configure a running salt minion, better job directory management and the new state test interface. Many new tests have been added as well, including the new minion swarm test that allows for easier testing of Salt working with large groups of minions. This means that if you have experienced stability issues with Salt before, particularly in larger deployments, that these bugs have been tested for, found, and killed. Major Features State Test Interface Until 0.9.9 the only option when running states to see what was going to be changed was to print out the highstate with state.show_highstate and manually look it over. But now states can be run to discover what is going to be changed. Passing the option test=True to many of the state functions will now cause the salt state system to only check for what is going to be changed and report on those changes. salt '*' state.highstate test=True Now states that would have made changes report them back in yellow. State Syntax Update A shorthand syntax has been added to sls files, and it will be the default syntax in documentation going forward. The old syntax is still fully supported and will not be deprecated, but it is recommended to move to the new syntax in the future. This change moves the state function up into the state name using a dot notation. This is in-line with how state functions are generally referred to as well: The new way: /etc/sudoers: file.present: - source: salt://sudo/sudoers - user: root - mode: 400 Use and Use_in Requisites Two new requisite statements are available in 0.9.9. The use and use_in requisite and requisite-in allow for the transparent duplication of data between states. When a state "uses" another state it copies the other state's arguments as defaults. This was created in direct response to the new network state, and allows for many network interfaces to be configured in the same way easily. A simple example: root_file: file.absent: - name: /tmp/nothing - user: root - mode: 644 - group: root - use_in: - file: /etc/vimrc fred_file: file.absent: - name: /tmp/nothing - user: fred - group: marketing - mode: 660 /files/marketing/district7.rst: file.present: - source: salt://marketing/district7.rst - template: jinja - use: - file: fred_file /etc/vimrc: file.present: - source: salt://edit/vimrc This makes the 2 lower state decs inherit the options from their respectively "used" state decs. Network State The new network state allows for the configuration of network devices via salt states and the ip salt module. This addition has been given to the project by Jeff Hutchins and Bret Palsson from Jive Communications. Currently the only network configuration backend available is for Red Hat based systems, like Red Hat Enterprise, CentOS, and Fedora. Exponential Jobs Originally the jobs executed were stored on the master in the format: <cachedir>/jobs/jid/{minion ids} But this format restricted the number of jobs in the cache to the number of subdirectories allowed on the filesystem. Ext3 for instance limits subdirectories to 32000. To combat this the new format for 0.9.9 is: <cachedir>/jobs/jid_hash[:2]/jid_hash[2:]/{minion ids} So that now the number of maximum jobs that can be run before the cleanup cycle hits the job directory is substantially higher. ssh_auth Additions The original ssh_auth state was limited to accepting only arguments to apply to a public key, and the key itself. This was restrictive due to the way the we learned that many people were using the state, so the key section has been expanded to accept options and arguments to the key that over ride arguments passed in the state. This gives substantial power to using ssh_auth with names: sshkeys: ssh_auth: - present - user: backup - enc: ssh-dss - options: - option1="value1" - option2="value2 flag2" - comment: backup - names: - AAAAB3NzaC1yc2EAAAABIwAAAQEAlyE26SMFFVY5YJvnL7AF5CRTPtAigSW1U887ASfBt6FDa7Qr1YdO5ochiLoz8aSiMKd5h4dhB6ymHbmntMPjQena29jQjXAK4AK0500rMShG1Y1HYEjTXjQxIy/SMjq2aycHI+abiVDn3sciQjsLsNW59t48Udivl2RjWG7Eo+LYiB17MKD5M40r5CP2K4B8nuL+r4oAZEHKOJUF3rzA20MZXHRQuki7vVeWcW7ie8JHNBcq8iObVSoruylXav4aKG02d/I4bz/l0UdGh18SpMB8zVnT3YF5nukQQ/ATspmhpU66s4ntMehULC+ljLvZL40ByNmF0TZc2sdSkA0111== - AAAAB3NzaC1yc2EAAAABIwAAAQEAlyE26SMFFVY5YJvnL7AF5CRTPtAigSW1U887ASfBt6FDa7Qr1YdO5ochiLoz8aSiMKd5h4dhB6ymHbmntMPjQena29jQjXAK4AK0500rMShG1Y1HYEjTXjQxIy/SMjq2aycHI+abiVDn3sciQjsLsNW59t48Udivl2RjWG7Eo+LYiB17MKD5M40r5CP2K4B8nuL+r4oAZEHKOJUF3rzA20MZXHRQuki7vVeWcW7ie8JHNBcq8iObVSoruylXav4aKG02d/I4bz/l0UdGh18SpMB8zVnT3YF5nukQQ/ATspmhpU66s4ntMehULC+ljLvZL40ByNmF0TZc2sdSkA0222== override - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAlyE26SMFFVY5YJvnL7AF5CRTPtAigSW1U887ASfBt6FDa7Qr1YdO5ochiLoz8aSiMKd5h4dhB6ymHbmntMPjQena29jQjXAK4AK0500rMShG1Y1HYEjTXjQxIy/SMjq2aycHI+abiVDn3sciQjsLsNW59t48Udivl2RjWG7Eo+LYiB17MKD5M40r5CP2K4B8nuL+r4oAZEHKOJUF3rzA20MZXHRQuki7vVeWcW7ie8JHNBcq8iObVSoruylXav4aKG02d/I4bz/l0UdGh18SpMB8zVnT3YF5nukQQ/ATspmhpU66s4ntMehULC+ljLvZL40ByNmF0TZc2sdSkA0333== override - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAlyE26SMFFVY5YJvnL7AF5CRTPtAigSW1U887ASfBt6FDa7Qr1YdO5ochiLoz8aSiMKd5h4dhB6ymHbmntMPjQena29jQjXAK4AK0500rMShG1Y1HYEjTXjQxIy/SMjq2aycHI+abiVDn3sciQjsLsNW59t48Udivl2RjWG7Eo+LYiB17MKD5M40r5CP2K4B8nuL+r4oAZEHKOJUF3rzA20MZXHRQuki7vVeWcW7ie8JHNBcq8iObVSoruylXav4aKG02d/I4bz/l0UdGh18SpMB8zVnT3YF5nukQQ/ATspmhpU66s4ntMehULC+ljLvZL40ByNmF0TZc2sdSkA0444== - option3="value3",option4="value4 flag4" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAlyE26SMFFVY5YJvnL7AF5CRTPtAigSW1U887ASfBt6FDa7Qr1YdO5ochiLoz8aSiMKd5h4dhB6ymHbmntMPjQena29jQjXAK4AK0500rMShG1Y1HYEjTXjQxIy/SMjq2aycHI+abiVDn3sciQjsLsNW59t48Udivl2RjWG7Eo+LYiB17MKD5M40r5CP2K4B8nuL+r4oAZEHKOJUF3rzA20MZXHRQuki7vVeWcW7ie8JHNBcq8iObVSoruylXav4aKG02d/I4bz/l0UdGh18SpMB8zVnT3YF5nukQQ/ATspmhpU66s4ntMehULC+ljLvZL40ByNmF0TZc2sdSkA0555== override - option3="value3" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAlyE26SMFFVY5YJvnL7AF5CRTPtAigSW1U887ASfBt6FDa7Qr1YdO5ochiLoz8aSiMKd5h4dhB6ymHbmntMPjQena29jQjXAK4AK0500rMShG1Y1HYEjTXjQxIy/SMjq2aycHI+abiVDn3sciQjsLsNW59t48Udivl2RjWG7Eo+LYiB17MKD5M40r5CP2K4B8nuL+r4oAZEHKOJUF3rzA20MZXHRQuki7vVeWcW7ie8JHNBcq8iObVSoruylXav4aKG02d/I4bz/l0UdGh18SpMB8zVnT3YF5nukQQ/ATspmhpU66s4ntMehULC+ljLvZL40ByNmF0TZc2sdSkA0666== LocalClient Additions To follow up the recent additions in 0.9.8 of additional kwargs support, 0.9.9 also adds the capability to send kwargs into commands via a dict. This addition to the LocalClient api can be used like so: import salt.client client = salt.client.LocalClient('/etc/salt/master') ret = client.cmd('*', 'cmd.run', ['ls -l'], kwarg={'cwd': '/etc'}) This update has been added to all cmd methods in the LocalClient class. Better Self Salting One problem faced with running Salt states, is that it has been difficult to manage the Salt minion via states, this is due to the fact that if the minion is called to restart while a state run is happening then the state run would be killed. 0.9.9 slightly changes the process scope of the state runs, so now when salt is executing states it can safely restart the salt-minion daemon. In addition to daemonizing the state run, the apt module also daemonizes. This update makes it possible to cleanly update the salt-minion package on Debian/Ubuntu systems without leaving apt in an inconsistent state or killing the active minion process mid-execution. Wildcards for SLS Modules Now, when including sls modules in include statements or in the top file, shell globs can be used. This can greatly simplify listing matched sls modules in the top file and include statements: base: '*': - files* - core* include: - users.dev.* - apache.ser* External Pillar Since the pillar data is just, data, it does not need to come expressly from the pillar interface. The external pillar system allows for hooks to be added making it possible to extract pillar data from any arbitrary external interface. The external pillar interface is configured via the ext_pillar option. Currently interfaces exist to gather external pillar data via hiera or via a shell command that sends yaml data to the terminal: ext_pillar: - cmd_yaml: cat /etc/salt/ext.yaml - hiera: /etc/hirea.yaml The initial external pillar interfaces and extra interfaces can be added to the file salt/pillar.py, it is planned to add more external pillar interfaces. If the need arises a new module loader interface will be created in the future to manage external pillar interfaces. Single State Executions The new state.single function allows for single states to be cleanly executed. This is a great tool for setting up a small group of states on a system or for testing out the behavior of single states: salt '*' state.single user.present name=wade uid=2000 The test interface functions here as well, so changes can also be tested against as: salt '*' state.single user.present name=wade uid=2000 test=True New Tests A few exciting new test interfaces have been added, the minion swarm allows not only testing of larger loads, but also allows users to see how Salt behaves with large groups of minions without having to create a large deployment. Minion Swarm The minion swarm test system allows for large groups of minions to be tested against easily without requiring large numbers of servers or virtual machines. The minion swarm creates as many minions as a system can handle and roots them in the /tmp directory and connects them to a master. The benefit here is that we were able to replicate issues that happen only when there are large numbers of minions. A number of elusive bugs which were causing stability issues in masters and minions have since been hunted down. Bugs that used to take careful watch by users over several days can now be reliably replicated in minutes, and fixed in minutes. Using the swarm is easy, make sure a master is up for the swarm to connect to, and then use the minionswarm.py script in the tests directory to spin up as many minions as you want. Remember, this is a fork bomb, don't spin up more than your hardware can handle! python minionswarm.py -m 20 --master salt-master Shell Tests The new Shell testing system allows us to test the behavior of commands executed from a high level. This allows for the high level testing of salt runners and commands like salt-key. Client Tests Tests have been added to test the aspects of the client APIs and ensure that the client calls work, and that they manage passed data, in a desirable way. SEE ALSO: Legacy salt-cloud release docs SEE ALSO: Legacy salt-api release docs
SALT BASED PROJECTS
A number of unofficial open source projects, based on Salt, or written to enhance Salt have been created. Salt Sandbox Created by Aaron Bull Schaefer, aka "elasticdog". https://github.com/elasticdog/salt-sandbox Salt Sandbox is a multi-VM Vagrant-based Salt development environment used for creating and testing new Salt state modules outside of your production environment. It's also a great way to learn firsthand about Salt and its remote execution capabilities. Salt Sandbox will set up three separate virtual machines: • salt.example.com - the Salt master server • minion1.example.com - the first Salt minion machine • minion2.example.com - the second Salt minion machine These VMs can be used in conjunction to segregate and test your modules based on node groups, top file environments, grain values, etc. You can even test modules on different Linux distributions or release versions to better match your production infrastructure.
SECURITY DISCLOSURE POLICY
email security@saltstack.com gpg key ID 4EA0793D gpg key fingerprint 8ABE 4EFC F0F4 B24B FF2A AF90 D570 F2D3 4EA0 793D gpg public key: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) mQINBFO15mMBEADa3CfQwk5ED9wAQ8fFDku277CegG3U1hVGdcxqKNvucblwoKCb hRK6u9ihgaO9V9duV2glwgjytiBI/z6lyWqdaD37YXG/gTL+9Md+qdSDeaOa/9eg 7y+g4P+FvU9HWUlujRVlofUn5Dj/IZgUywbxwEybutuzvvFVTzsn+DFVwTH34Qoh QIuNzQCSEz3Lhh8zq9LqkNy91ZZQO1ZIUrypafspH6GBHHcE8msBFgYiNBnVcUFH u0r4j1Rav+621EtD5GZsOt05+NJI8pkaC/dDKjURcuiV6bhmeSpNzLaXUhwx6f29 Vhag5JhVGGNQxlRTxNEM86HEFp+4zJQ8m/wRDrGX5IAHsdESdhP+ljDVlAAX/ttP /Ucl2fgpTnDKVHOA00E515Q87ZHv6awJ3GL1veqi8zfsLaag7rw1TuuHyGLOPkDt t5PAjsS9R3KI7pGnhqI6bTOi591odUdgzUhZChWUUX1VStiIDi2jCvyoOOLMOGS5 AEYXuWYP7KgujZCDRaTNqRDdgPd93Mh9JI8UmkzXDUgijdzVpzPjYgFaWtyK8lsc Fizqe3/Yzf9RCVX/lmRbiEH+ql/zSxcWlBQd17PKaL+TisQFXcmQzccYgAxFbj2r QHp5ABEu9YjFme2Jzun7Mv9V4qo3JF5dmnUk31yupZeAOGZkirIsaWC3hwARAQAB tDBTYWx0U3RhY2sgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAc2FsdHN0YWNrLmNv bT6JAj4EEwECACgFAlO15mMCGwMFCQeGH4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4B AheAAAoJENVw8tNOoHk9z/MP/2vzY27fmVxU5X8joiiturjlgEqQw41IYEmWv1Bw 4WVXYCHP1yu/1MC1uuvOmOd5BlI8YO2C2oyW7d1B0NorguPtz55b7jabCElekVCh h/H4ZVThiwqgPpthRv/2npXjIm7SLSs/kuaXo6Qy2JpszwDVFw+xCRVL0tH9KJxz HuNBeVq7abWD5fzIWkmGM9hicG/R2D0RIlco1Q0VNKy8klG+pOFOW886KnwkSPc7 JUYp1oUlHsSlhTmkLEG54cyVzrTP/XuZuyMTdtyTc3mfgW0adneAL6MARtC5UB/h q+v9dqMf4iD3wY6ctu8KWE8Vo5MUEsNNO9EA2dUR88LwFZ3ZnnXdQkizgR/Aa515 dm17vlNkSoomYCo84eN7GOTfxWcq+iXYSWcKWT4X+h/ra+LmNndQWQBRebVUtbKE ZDwKmiQz/5LY5EhlWcuU4lVmMSFpWXt5FR/PtzgTdZAo9QKkBjcv97LYbXvsPI69 El1BLAg+m+1UpE1L7zJT1il6PqVyEFAWBxW46wXCCkGssFsvz2yRp0PDX8A6u4yq rTkt09uYht1is61joLDJ/kq3+6k8gJWkDOW+2NMrmf+/qcdYCMYXmrtOpg/wF27W GMNAkbdyzgeX/MbUBCGCMdzhevRuivOI5bu4vT5s3KdshG+yhzV45bapKRd5VN+1 mZRquQINBFO15mMBEAC5UuLii9ZLz6qHfIJp35IOW9U8SOf7QFhzXR7NZ3DmJsd3 f6Nb/habQFIHjm3K9wbpj+FvaW2oWRlFVvYdzjUq6c82GUUjW1dnqgUvFwdmM835 1n0YQ2TonmyaF882RvsRZrbJ65uvy7SQxlouXaAYOdqwLsPxBEOyOnMPSktW5V2U IWyxsNP3sADchWIGq9p5D3Y/loyIMsS1dj+TjoQZOKSj7CuRT98+8yhGAY8YBEXu 9r3I9o6mDkuPpAljuMc8r09Im6az2egtK/szKt4Hy1bpSSBZU4W/XR7XwQNywmb3 wxjmYT6Od3Mwj0jtzc3gQiH8hcEy3+BO+NNmyzFVyIwOLziwjmEcw62S57wYKUVn HD2nglMsQa8Ve0e6ABBMEY7zGEGStva59rfgeh0jUMJiccGiUDTMs0tdkC6knYKb u/fdRqNYFoNuDcSeLEw4DdCuP01l2W4yY+fiK6hAcL25amjzc+yYo9eaaqTn6RAT bzdhHQZdpAMxY+vNT0+NhP1Zo5gYBMR65Zp/VhFsf67ijb03FUtdw9N8dHwiR2m8 vVA8kO/gCD6wS2p9RdXqrJ9JhnHYWjiVuXR+f755ZAndyQfRtowMdQIoiXuJEXYw 6XN+/BX81gJaynJYc0uw0MnxWQX+A5m8HqEsbIFUXBYXPgbwXTm7c4IHGgXXdwAR AQABiQIlBBgBAgAPBQJTteZjAhsMBQkHhh+AAAoJENVw8tNOoHk91rcQAIhxLv4g duF/J1Cyf6Wixz4rqslBQ7DgNztdIUMjCThg3eB6pvIzY5d3DNROmwU5JvGP1rEw hNiJhgBDFaB0J/y28uSci+orhKDTHb/cn30IxfuAuqrv9dujvmlgM7JUswOtLZhs 5FYGa6v1RORRWhUx2PQsF6ORg22QAaagc7OlaO3BXBoiE/FWsnEQCUsc7GnnPqi7 um45OJl/pJntsBUKvivEU20fj7j1UpjmeWz56NcjXoKtEvGh99gM5W2nSMLE3aPw vcKhS4yRyLjOe19NfYbtID8m8oshUDji0XjQ1z5NdGcf2V1YNGHU5xyK6zwyGxgV xZqaWnbhDTu1UnYBna8BiUobkuqclb4T9k2WjbrUSmTwKixokCOirFDZvqISkgmN r6/g3w2TRi11/LtbUciF0FN2pd7rj5mWrOBPEFYJmrB6SQeswWNhr5RIsXrQd/Ho zvNm0HnUNEe6w5YBfA6sXQy8B0Zs6pcgLogkFB15TuHIIIpxIsVRv5z8SlEnB7HQ Io9hZT58yjhekJuzVQB9loU0C/W0lzci/pXTt6fd9puYQe1DG37pSifRG6kfHxrR if6nRyrfdTlawqbqdkoqFDmEybAM9/hv3BqriGahGGH/hgplNQbYoXfNwYMYaHuB aSkJvrOQW8bpuAzgVyd7TyNFv+t1kLlfaRYJ =wBTJ -----END PGP PUBLIC KEY BLOCK----- The SaltStack Security Team is available at security@saltstack.com for security-related bug reports or questions. We request the disclosure of any security-related bugs or issues be reported non-publicly until such time as the issue can be resolved and a security-fix release can be prepared. At that time we will release the fix and make a public announcement with upgrade instructions and download locations. Security response procedure SaltStack takes security and the trust of our customers and users very seriously. Our disclosure policy is intended to resolve security issues as quickly and safely as is possible. 1. A security report sent to security@saltstack.com is assigned to a team member. This person is the primary contact for questions and will coordinate the fix, release, and announcement. 2. The reported issue is reproduced and confirmed. A list of affected projects and releases is made. 3. Fixes are implemented for all affected projects and releases that are actively supported. Back-ports of the fix are made to any old releases that are actively supported. 4. Packagers are notified via the salt-packagers mailing list that an issue was reported and resolved, and that an announcement is incoming. 5. A new release is created and pushed to all affected repositories. The release documentation provides a full description of the issue, plus any upgrade instructions or other relevant details. 6. An announcement is made to the salt-users and salt-announce mailing lists. The announcement contains a description of the issue and a link to the full release documentation and download locations. Receiving security announcements The fastest place to receive security announcements is via the salt-announce mailing list. This list is low-traffic.
FREQUENTLY ASKED QUESTIONS
FAQ • Frequently Asked Questions • Is Salt open-core? • I think I found a bug! What should I do? • What ports should I open on my firewall? • I'm seeing weird behavior (including but not limited to packages not installing their users properly) • My script runs every time I run a state.highstate. Why? • When I run test.ping, why don't the Minions that aren't responding return anything? Returning False would be helpful. • How does Salt determine the Minion's id? • I'm trying to manage packages/services but I get an error saying that the state is not available. Why? • Why aren't my custom modules/states/etc. available on my Minions? • Module X isn't available, even though the shell command it uses is installed. Why? • Can I run different versions of Salt on my Master and Minion? • Does Salt support backing up managed files? • Is it possible to deploy a file to a specific minion, without other minions having access to it? • What is the best way to restart a Salt daemon using Salt? • Linux/Unix • Windows • Salting the Salt Master • Is Targeting using Grain Data Secure? Is Salt open-core? No. Salt is 100% committed to being open-source, including all of our APIs. It is developed under the Apache 2.0 license, allowing it to be used in both open and proprietary projects. I think I found a bug! What should I do? The salt-users mailing list as well as the salt IRC channel can both be helpful resources to confirm if others are seeing the issue and to assist with immediate debugging. To report a bug to the Salt project, please follow the instructions in reporting a bug. What ports should I open on my firewall? Minions need to be able to connect to the Master on TCP ports 4505 and 4506. Minions do not need any inbound ports open. More detailed information on firewall settings can be found here. I'm seeing weird behavior (including but not limited to packages not installing their users properly) This is often caused by SELinux. Try disabling SELinux or putting it in permissive mode and see if the weird behavior goes away. My script runs every time I run a state.highstate. Why? You are probably using cmd.run rather than cmd.wait. A cmd.wait state will only run when there has been a change in a state that it is watching. A cmd.run state will run the corresponding command every time (unless it is prevented from running by the unless or onlyif arguments). More details can be found in the documentation for the cmd states. When I run test.ping, why don't the Minions that aren't responding return anything? Returning False would be helpful. When you run test.ping the Master tells Minions to run commands/functions, and listens for the return data, printing it to the screen when it is received. If it doesn't receive anything back, it doesn't have anything to display for that Minion. There are a couple options for getting information on Minions that are not responding. One is to use the verbose (-v) option when you run salt commands, as it will display "Minion did not return" for any Minions which time out. salt -v '*' pkg.install zsh Another option is to use the manage.down runner: salt-run manage.down Also, if the Master is under heavy load, it is possible that the CLI will exit without displaying return data for all targeted Minions. However, this doesn't mean that the Minions did not return; this only means that the Salt CLI timed out waiting for a response. Minions will still send their return data back to the Master once the job completes. If any expected Minions are missing from the CLI output, the jobs.list_jobs runner can be used to show the job IDs of the jobs that have been run, and the jobs.lookup_jid runner can be used to get the return data for that job. salt-run jobs.list_jobs salt-run jobs.lookup_jid 20130916125524463507 If you find that you are often missing Minion return data on the CLI, only to find it with the jobs runners, then this may be a sign that the worker_threads value may need to be increased in the master config file. Additionally, running your Salt CLI commands with the -t option will make Salt wait longer for the return data before the CLI command exits. For instance, the below command will wait up to 60 seconds for the Minions to return: salt -t 60 '*' test.ping How does Salt determine the Minion's id? If the Minion id is not configured explicitly (using the id parameter), Salt will determine the id based on the hostname. Exactly how this is determined varies a little between operating systems and is described in detail here. I'm trying to manage packages/services but I get an error saying that the state is not available. Why? Salt detects the Minion's operating system and assigns the correct package or service management module based on what is detected. However, for certain custom spins and OS derivatives this detection fails. In cases like this, an issue should be opened on our tracker, with the following information: 1. The output of the following command: salt <minion_id> grains.items | grep os 2. The contents of /etc/lsb-release, if present on the Minion. Why aren't my custom modules/states/etc. available on my Minions? Custom modules are only synced to Minions when state.highstate, saltutil.sync_modules, or saltutil.sync_all is run. Similarly, custom states are only synced to Minions when state.highstate, saltutil.sync_states, or saltutil.sync_all is run. Other custom types (renderers, outputters, etc.) have similar behavior, see the documentation for the saltutil module for more information. Module X isn't available, even though the shell command it uses is installed. Why? This is most likely a PATH issue. Did you custom-compile the software which the module requires? RHEL/CentOS/etc. in particular override the root user's path in /etc/init.d/functions, setting it to /sbin:/usr/sbin:/bin:/usr/bin, making software installed into /usr/local/bin unavailable to Salt when the Minion is started using the initscript. In version 2014.1.0, Salt will have a better solution for these sort of PATH-related issues, but recompiling the software to install it into a location within the PATH should resolve the issue in the meantime. Alternatively, you can create a symbolic link within the PATH using a file.symlink state. /usr/bin/foo: file.symlink: - target: /usr/local/bin/foo Can I run different versions of Salt on my Master and Minion? This depends on the versions. In general, it is recommended that Master and Minion versions match. When upgrading Salt, the master(s) should always be upgraded first. Backwards compatibility for minions running newer versions of salt than their masters is not guaranteed. Whenever possible, backwards compatibility between new masters and old minions will be preserved. Generally, the only exception to this policy is in case of a security vulnerability. Recent examples of backwards compatibility breakage include the 0.17.1 release (where all backwards compatibility was broken due to a security fix), and the 2014.1.0 release (which retained compatibility between 2014.1.0 masters and 0.17 minions, but broke compatibility for 2014.1.0 minions and older masters). Does Salt support backing up managed files? Yes. Salt provides an easy to use addition to your file.managed states that allow you to back up files via backup_mode, backup_mode can be configured on a per state basis, or in the minion config (note that if set in the minion config this would simply be the default method to use, you still need to specify that the file should be backed up!). Is it possible to deploy a file to a specific minion, without other minions having access to it? The Salt fileserver does not yet support access control, but it is still possible to do this. As of Salt 2015.5.0, the file_tree external pillar is available, and allows the contents of a file to be loaded as Pillar data. This external pillar is capable of assigning Pillar values both to individual minions, and to nodegroups. See the documentation for details on how to set this up. Once the external pillar has been set up, the data can be pushed to a minion via a file.managed state, using the contents_pillar argument: /etc/my_super_secret_file: file.managed: - user: secret - group: secret - mode: 600 - contents_pillar: secret_files:my_super_secret_file In this example, the source file would be located in a directory called secret_files underneath the file_tree path for the minion. The syntax for specifying the pillar variable is the same one used for pillar.get, with a colon representing a nested dictionary. WARNING: Deploying binary contents using the file.managed state is only supported in Salt 2015.8.4 and newer. What is the best way to restart a Salt daemon using Salt? Updating the salt-minion package requires a restart of the salt-minion service. But restarting the service while in the middle of a state run interrupts the process of the minion running states and sending results back to the master. It's a tricky problem to solve, and we're working on it, but in the meantime one way of handling this (on Linux and UNIX-based operating systems) is to use at (a job scheduler which predates cron) to schedule a restart of the service. at is not installed by default on most distros, and requires a service to be running (usually called atd) in order to schedule jobs. Here's an example of how to upgrade the salt-minion package at the end of a Salt run, and schedule a service restart for one minute after the package update completes. Linux/Unix salt-minion: pkg.installed: - name: salt-minion - version: 2014.1.7-3.el6 - order: last service.running: - name: salt-minion - require: - pkg: salt-minion cmd.wait: - name: echo service salt-minion restart | at now + 1 minute - watch: - pkg: salt-minion To ensure that at is installed and atd is running, the following states can be used (be sure to double-check the package name and service name for the distro the minion is running, in case they differ from the example below. at: pkg.installed: - name: at service.running: - name: atd - enable: True An alternative to using the atd daemon is to fork and disown the process. restart_minion: cmd.run: - name: | exec 0>&- # close stdin exec 1>&- # close stdout exec 2>&- # close stderr nohup /bin/sh -c 'sleep 10 && salt-call --local service.restart salt-minion' & - python_shell: True - order: last Windows For Windows machines, restarting the minion at can be accomplished by adding the following state: schedule-start: cmd.run: - name: 'start powershell "Restart-Service -Name salt-minion"' - order: last or running immediately from the command line: salt -G kernel:Windows cmd.run 'start powershell "Restart-Service -Name salt-minion"' Salting the Salt Master In order to configure a master server via states, the Salt master can also be "salted" in order to enforce state on the Salt master as well as the Salt minions. Salting the Salt master requires a Salt minion to be installed on the same machine as the Salt master. Once the Salt minion is installed, the minion configuration file must be pointed to the local Salt master: master: 127.0.0.1 Once the Salt master has been "salted" with a Salt minion, it can be targeted just like any other minion. If the minion on the salted master is running, the minion can be targeted via any usual salt command. Additionally, the salt-call command can execute operations to enforce state on the salted master without requiring the minion to be running. More information about salting the Salt master can be found in the salt-formula for salt itself: https://github.com/saltstack-formulas/salt-formula Is Targeting using Grain Data Secure? Because grains can be set by users that have access to the minion configuration files on the local system, grains are considered less secure than other identifiers in Salt. Use caution when targeting sensitive operations or setting pillar values based on grain data. When possible, you should target sensitive operations and data using the Minion ID. If the Minion ID of a system changes, the Salt Minion's public key must be re-accepted by an administrator on the Salt Master, making it less vulnerable to impersonation attacks.
GLOSSARY
Auto-Order The evaluation of states in the order that they are defined in a SLS file. See also: ordering. Bootstrap A stand-alone Salt project which can download and install a Salt master and/or a Salt minion onto a host. See also: salt-bootstrap. Compound Matcher A combination of many target definitions that can be combined with boolean operators. See also: targeting. EAuth Shorthand for 'external authentication'. A system for calling to a system outside of Salt in order to authenticate users and determine if they are allowed to issue particular commands to Salt. See also: external auth. Environment A directory tree containing state files which can be applied to minions. See also: top file. Execution Function A Python function inside an Execution Module that may take arguments and performs specific system-management tasks. See also: the list of execution modules. External Job Cache An external data-store that can archive information about jobs that have been run. A default returner. See also: ext_job_cache, the list of returners. Execution Module A Python module that contains execution functions which directly perform various system-management tasks on a server. Salt ships with a number of execution modules but users can also write their own execution modules to perform specialized tasks. See also: the list of execution modules. External Pillar A module that accepts arbitrary arguments and returns a dictionary. The dictionary is automatically added to a pillar for a minion. Event A notice emitted onto an event bus. Events are often driven by requests for actions to occur on a minion or master and the results of those actions. See also: Salt Reactor. File Server A local or remote location for storing both Salt-specific files such as top files or SLS files as well as files that can be distributed to minions, such as system configuration files. See also: Salt's file server. Grain A key-value pair which contains a fact about a system, such as its hostname, network addresses. See also: targeting with grains. Highdata The data structure in a SLS file the represents a set of state declarations. See also: state layers. Highstate The collection of states to be applied to a system. See also: state layers. Jinja A templating language which allows variables and simple logic to be dynamically inserted into static text files when they are rendered. See also: Salt's Jinja documentation. Job The complete set of tasks to be performed by the execution of a Salt command are a single job. See also: jobs runner. Job Cache A storage location for job results, which may then be queried by a salt runner or an external system. May be local to a salt master or stored externally. Job ID A unique identifier to represent a given job. Low State The collection of processed states after requisites and order are evaluated. See also: state layers. Master A central Salt daemon which from which commands can be issued to listening minions. Masterless A minion which does not require a Salt master to operate. All configuration is local. See also: file_client. Master Tops A system for the master that allows hooks into external systems to generate top file data. Mine A facility to collect arbitrary data from minions and store that data on the master. This data is then available to all other minions. [Sometimes referred to as Salt Mine.] See also: Salt Mine. Minion A server running a Salt minion daemon which can listen to commands from a master and perform the requested tasks. Generally, minions are servers which are to be controlled using Salt. Minion ID A globally unique identifier for a minion. See also: id. Multi-Master The ability for a minion to be actively connected to multiple Salt masters at the same time in high-availability environments. Node Group A pre-defined group of minions declared in the master configuration file. See also: targeting. Outputter A formatter for defining the characteristics of output data from a Salt command. See also: list of outputters. Peer Communication The ability for minions to communicate directly with other minions instead of brokering commands through the Salt master. See also: peer communication. Pillar A simple key-value store for user-defined data to be made available to a minion. Often used to store and distribute sensitive data to minions. See also: Pillar, list of Pillar modules. Proxy Minion A minion which can control devices that are unable to run a Salt minion locally, such as routers and switches. PyDSL A Pythonic domain-specific-language used as a Salt renderer. PyDSL can be used in cases where adding pure Python into SLS files is beneficial. See also: PyDSL. Reactor An interface for listening to events and defining actions that Salt should taken upon receipt of given events. See also: Reactor. Render Pipe Allows SLS files to be rendered by multiple renderers, with each renderer receiving the output of the previous. See also: composing renderers. Renderer Responsible for translating a given data serialization format such as YAML or JSON into a Python data structure that can be consumed by Salt. See also: list of renderers. Returner Allows for the results of a Salt command to be sent to a given data-store such as a database or log file for archival. See also: list of returners. Roster A flat-file list of target hosts. (Currently only used by salt-ssh.) Runner Module A module containing a set of runner functions. See also: list of runner modules. Runner Function A function which is is called by the salt-run command and executes on the master instead of on a minion. See also: Runner Module. Salt Cloud A suite of tools used to create and deploy systems on many hosted cloud providers. See also: salt-cloud. Salt SSH A configuration management and remote orchestration system that does not require that any software besides SSH be installed on systems to be controlled. Salt Thin A subset of the normal Salt distribution that does not include any transport routines. A Salt Thin bundle can be dropped onto a host and used directly without any requirement that the host be connected to a network. Used by Salt SSH. See also: thin runner. Salt Virt Used to manage the creation and deployment of virtual machines onto a set of host machines. Often used to create and deploy private clouds. See also: virt runner. SLS Module Contains a set of state declarations. State Compiler Translates highdata into lowdata. State Declaration A data structure which contains a unique ID and describes one or more states of a system such as ensuring that a package is installed or a user is defined. See also: highstate structure. State Function A function contained inside a state module which can manages the application of a particular state to a system. State functions frequently call out to one or more execution modules to perform a given task. State Module A module which contains a set of state functions. See also: list of state modules. State Run The application of a set of states on a set of systems. Syndic A forwarder which can relay messages between tiered masters. See also: Syndic. Target Minion(s) to which a given salt command will apply. See also: targeting. Top File Determines which SLS files should be applied to various systems and organizes those groups of systems into environments. See also: top file, list of master top modules. __virtual__ A function in a module that is called on module load to determine whether or not the module should be available to a minion. This function commonly contains logic to determine if all requirements for a module are available, such as external libraries. Worker A master process which can send notices and receive replies from minions. See also: worker_threads.
AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
COPYRIGHT
2016 SaltStack, Inc.