
Salt Notes

SaltProject or "Salt" is the configuration management tool -


My first section 02/02/2020

Deploying Salt event monitoring for Splunk

  1. push new git files
  2. sync_all
  3. refresh_pillar
  4. salt state for updating minions config

Custom grains 10/20/2019

_grains/mdr_environment.py: this file discovers which AWS account the EC2 instance is in. The grain is called dr_environment, but it is broken on the salt master; the minion has a static file, /etc/salt/grains.

saltutil.sync_grains

ERROR: Could not get AWS connection: global name 'boto3' is not defined

SOLUTION: see Salt Upgrade 2019 -> 3001 Notes
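An added sketch, not the contents of _grains/mdr_environment.py (which these notes do not show), of a custom grain that guards the boto3 import so a missing module yields no grain instead of the "global name 'boto3' is not defined" error. The STS lookup, the account-to-environment mapping, the placeholder account IDs and the sts_client parameter are assumptions.

```python
import logging

log = logging.getLogger(__name__)

try:
    import boto3
    HAS_BOTO3 = True
except ImportError:  # this Python environment has no boto3
    boto3 = None
    HAS_BOTO3 = False

# Constructed placeholder account IDs (assumption); substitute the real mapping.
_ACCOUNT_ENVIRONMENTS = {
    "111111111111": "test",
    "222222222222": "prod",
}


def _environment_for(account_id):
    """Map an account ID to an environment name; unmapped IDs become 'unknown'."""
    return _ACCOUNT_ENVIRONMENTS.get(str(account_id), "unknown")


def dr_environment(sts_client=None):
    """Return {'dr_environment': name}, or {} when the account cannot be read.

    Salt calls grain functions with no arguments; sts_client is a hypothetical
    hook so the lookup can be exercised with a stub.
    """
    if sts_client is None:
        if not HAS_BOTO3:
            log.warning("dr_environment: boto3 is not importable, grain not set")
            return {}
        try:
            sts_client = boto3.client("sts")
        except Exception as exc:
            log.warning("dr_environment: could not get AWS connection: %s", exc)
            return {}
    try:
        account_id = sts_client.get_caller_identity()["Account"]
    except Exception as exc:  # missing credentials, no network, throttling
        log.warning("dr_environment: could not get AWS connection: %s", exc)
        return {}
    return {"dr_environment": _environment_for(account_id)}
```

An account ID that is not in the mapping is reported as "unknown" rather than defaulting to an environment, so states keyed on the grain do not silently apply to the wrong account.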


Highstate 11/20/2019

Cron job for state.apply (DISABLED DURING REFACTOR)

Salt manages a cron job on the master.


salt-minion reactor

When a salt-minion restarts, the reactor kicks off a state.apply. This causes a notification when the salt-minion starts up and you try to apply a state.


gitfs lock file

/var/cache/salt/master/gitfs/gitfs-base-msoc/.git/update.lk


Test salt master

Switch branch on test salt-master for testing:

salt-run fileserver.update
salt-run fileserver.file_list | grep mystuff

Testing git branches using environments:

You can use a different git branch for testing by specifying an environment to salt:

sudo salt-run fileserver.update # Refresh from git
salt target saltutil.sync_all saltenv=mybranchname 
salt target state.sls mytestsls saltenv=mybranchname 

Bringing on a new minion

You probably want the grains synchronized before the minion is pushed to highstate. After accepting the key, run:

salt '*' saltutil.sync_grains
salt '*' saltutil.sync_all

We can do this via a Reactor. See Minion Start Reactor

Excluding States

Use exclude= to exclude a particular state.

To exclude sls's, you can just use the same, e.g.:

salt '*' state.highstate --output-diff test=true exclude='splunk.*'

To exclude states within an sls, use a map, like this one, which runs all the states for splunk.indexer except the one that modifies server.conf:

salt -C '*indexer* or *idx*' state.sls splunk.indexer --output-diff test=true --timeout=300 exclude="[{'id': '/opt/splunk/etc/system/local/server.conf'}]"

This is a useful one for doing everything but restarting splunk:

salt '*splunk*' state.highstate --output-diff test=true exclude="[{'id': 'big_bounce'}, {'id': 'restart_splunk'}]"

Random - Extending External SLS Data


New Github Server

gitfs uses /root/.ssh/github_read_only for authentication, which is overridden via /root/.ssh/config for the github server.

So when the GIT server changes:

sudo su -
cd .ssh
echo > known_hosts
ssh -i github_read_only git@github.xdr.accenturefederalcyber.com
vim config
# copy entry
sudo systemctl stop salt-master
sudo rm -rf /var/cache/salt/master
sudo systemctl start salt-master
tail -F /var/log/salt/master