Public | Automated Build

Last pushed: a year ago
Short Description
Saltstack docker image including master, minion and api
Full Description

SaltStack - Managed Infrastructure

SaltStack configuration management delivers event-driven infrastructure automation and cloud orchestration. We'll use SaltStack to keep servers and systems in each correct "state". Salt can be configured in multiple ways, here's an outlay of how to use SaltStack at Plex.

Here's some good resources to start read before entering the world of SaltStack

Execution

Remote execution

Salt usage an event bus between the salt master and minion to send and receive commands for remote execution. Execution can be triggered both from master and directly on a minion with the --local flag

Apply highstate to all connected minions

salt \* state.apply

to run a specific execution modules

salt minion1 service.restart nginx

Execute on schedule

Each minion will run a highstate each 30 minion, appended in minion configuration file:

schedule:
  highstate:
    function: state.highstate
    minutes: 30

States and formulas

States

Salt States are reusable configuration templets to describe a state of a specific application or system. States are written as a describing YAML document that defines what should be done and how. State them self is using execution modules to do the heavy lifting, which is why they are fairly trivial to make and use.

Formulas

Formulas are pre-written Salt States. They are as open-ended as Salt States themselves and can be used for tasks such as installing a package, configuring, and starting a service, setting up users or permissions, and many other common tasks. All official Salt Formulas are found as separate Git repositories in the "saltstack-formulas" organization on GitHub: https://github.com/saltstack-formulas

All formulas should be cloned into ./state/formula/%name%

Repository structure

☁  saltstack [POC-structure] ⚡ tree -L 2
.
├── Dockerfile
├── Makefile
├── README.md
├── Vagrant
│   ├── LICENSE
│   ├── README.rst
│   ├── Vagrantfile
│   └── saltstack
├── docker-compose.yaml
├── extension_modules
│   └── pillar
├── formula
│   ├── apt
│   ├── pip
│   ├── salt
│   ├── timezone
│   └── users
├── pillar
│   ├── convert
│   ├── salt-master.pub
│   ├── stack
│   └── top.sls
├── run.sh
└── state
    ├── apps
    ├── base
    ├── chef-convert
    ├── salt
    └── top.sls

Pillar data

Salt pillar is a system that lets you define secure data that are ‘assigned’ to one or more minions using targets. We use an pillar extension called Pillarstack to create stacked configuration structures. Pillarstack let's us merge remove or overwrite values depending on which host are requesting pillar data. Pillarcrypt is then decrypting gpg encrypted secure information

Encrypted pillar

gpg key pair is avalible to the master at /etc/salt/gpgkeys and are used on master when decrypting pillar data before sending it out to a minion.

Encrypt
  1. Import salt master public gpg key

    gpg --import ./pillar/salt-master.pub
    
  2. Encrypt string/file with gpg

    echo "password" | gpg --homedir /etc/salt/gpgkeys --armor --encrypt -r "Plex Salt <ops@plex.biz>"
    
Decrypt

Decrypt can be done on the master or with the master's private key (not recommended)

echo "GPG-data" | gpg --homedir /etc/salt/gpgkeys --decrypt

Minion naming

Salt is relaying on Plex instance naming convention. Each part is avalible to salt as a grain, making it easy to run logic against a set of minions with these attributes.

{APPLICATION}{2 digits ID}.{ENVIRONMENT}.{DATACENTER}.plex.bz

For example listing application:

root@saltmaster:/srv# salt salt-master* grains.item application
salt-master00.dev.local.plex.bz:
    ----------
    application:
        salt-master

Install

Master

wget -O bootstrap-salt.sh https://bootstrap.saltstack.com; sh bootstrap-salt.sh -M stable

Minion

wget -O bootstrap-salt.sh https://bootstrap.saltstack.com; sh bootstrap-salt.sh -A salt-master00.dev.sjc.plex.bz stable

Local testing

Salt can be tested locally with either Vagrant or Docker. See suitable folder for more info. You can also spin up your local environment via Makefile. Which will setup needed dependency and start the environment.

Test states against minions

salt \* state.show_highstate

Vagrant (recomended)

Vargant will apply salt highstate during provisioning.

# decrypt salt private gpg key (used by salt to access decrypted pillars)
gpg salt-master.key.gpg
make install_vagrant
make run_vagrant

Docker

# decrypt salt private gpg key (used by salt to access decrypted pillars)
gpg salt-master.key.gpg
make install_docker
make run_docker
Docker Pull Command
Owner
plexinc
Source Repository