# Salt Notes

SaltProject or "Salt" is the configuration management tool.

* [SaltStack Project](https://saltproject.io/)
* [SaltStack Project Package Repo](https://repo.saltproject.io/)
* [SaltStack Project FAQ](https://docs.saltproject.io/en/latest/faq.html#frequently-asked-questions)

---

My first section 02/02/2020

Deploying Salt event monitoring for Splunk

1. push new git files
2. sync_all
3. refresh_pillar
4. salt state for updating minions config

---

Custom grains 10/20/2019

`_grains/mdr_environment.py`

This file discovers which AWS account the EC2 instance is in. The grain is called `dr_environment`, but it is broken on the salt master; the minion has a static file, `/etc/salt/grains`.

`saltutil.sync_grains`

ERROR: Could not get AWS connection: global name 'boto3' is not defined

SOLUTION: see [Salt Upgrade 2019 -> 3001 Notes](Salt%20Upgrade%202019%20->%203001%20Notes.md)

--------

Highstate 11/20/2019

Cron job for state.apply ( DISABLED DURING REFACTOR )

Salt manages a cron job on the master.

--------

salt-minion reactor

When a salt-minion restarts, the reactor kicks off a state.apply. This causes a notification when the salt-minion starts up and you try to apply a state.

--------

gitfs lock file

`/var/cache/salt/master/gitfs/gitfs-base-msoc/.git/update.lk`

--------

Test salt master

Switch branch on test salt-master for testing:

```
salt-run fileserver.update
salt-run fileserver.file_list | grep mystuff
```

## Testing git branches using environments:

You can use a different git branch for testing by specifying an environment to salt:

```
sudo salt-run fileserver.update # Refresh from git
salt target saltutil.sync_all saltenv=mybranchname
salt target state.sls mytestsls saltenv=mybranchname
```

## Bringing on a new minion

You probably want the grains synchronized before the minion is pushed to highstate. After accepting the key, run:

```
salt '*' saltutil.sync_grains
salt '*' saltutil.sync_all
```

We can do this via a `Reactor`.
See [Minion Start Reactor](https://docs.saltstack.com/en/latest/topics/reactor/index.html#minion-start-reactor)

## Excluding States

Use `exclude=` to exclude a particular state. To exclude sls's, you can use the same option, e.g.:

```
salt '*' state.highstate --output-diff test=true exclude='splunk.*'
```

To exclude states within an sls, use a map, like this one, which runs all the states for splunk.indexer except the one that modifies server.conf:

```
salt -C '*indexer* or *idx*' state.sls splunk.indexer --output-diff test=true --timeout=300 exclude="[{'id': '/opt/splunk/etc/system/local/server.conf'}]"
```

This is a useful one for doing everything but restarting splunk:

```
salt '*splunk*' state.highstate --output-diff test=true exclude="[{'id': 'big_bounce'}, {'id': 'restart_splunk'}]"
```

----

Random

- [Extending External SLS Data](https://docs.saltproject.io/en/latest/ref/states/extend.html)

----

New Github Server

gitfs uses `/root/.ssh/github_read_only` for authentication, which is overridden via `/root/.ssh/config` for the github server. So when the GIT server changes:

```
sudo su -
cd .ssh
echo > known_hosts
ssh -i github_read_only git@github.xdr.accenturefederalcyber.com
vim config # copy entry
sudo systemctl stop salt-master
sudo rm -rf /var/cache/salt/master
sudo systemctl start salt-master
tail -F /var/log/salt/master
```
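
----

Relating to the "Custom grains" note above: a grain module can return no grain instead of failing `saltutil.sync_grains` when `boto3` cannot be imported or AWS cannot be reached. This is an added example, not the contents of `_grains/mdr_environment.py`; the account IDs, the `ACCOUNT_ENVIRONMENTS` mapping and the `client_factory` parameter are assumptions made for illustration.

```python
import logging

try:
    import boto3  # may be absent from the Python that salt runs under
except ImportError:
    boto3 = None  # keep the name defined so later code cannot hit a NameError

log = logging.getLogger(__name__)

# Constructed account IDs; the real account-to-environment mapping is not on this page.
ACCOUNT_ENVIRONMENTS = {
    "111111111111": "test",
    "222222222222": "prod",
}


def _sts_client():
    """Return an STS client, or None when boto3 could not be imported."""
    if boto3 is None:
        log.warning("boto3 is not installed; dr_environment grain not set")
        return None
    return boto3.client("sts")


def dr_environment(client_factory=_sts_client):
    """Grain function: returns {'dr_environment': <name>} or {} on any failure.

    client_factory is a hypothetical hook so the lookup can be exercised
    without AWS; Salt calls the function with no arguments.
    """
    try:
        client = client_factory()
        if client is None:
            return {}
        account = client.get_caller_identity()["Account"]
    except Exception as exc:  # no credentials, no network, malformed response
        log.warning("Could not get AWS account: %s", exc)
        return {}

    env = ACCOUNT_ENVIRONMENTS.get(account)
    if env is None:
        # Unknown account: set nothing rather than guess an environment.
        log.warning("AWS account %s is not in ACCOUNT_ENVIRONMENTS", account)
        return {}
    return {"dr_environment": env}
```

Returning an empty dict leaves any value from the static `/etc/salt/grains` file as the only source for the grain on that host.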