/r/saltstack
Salt is an open source tool to manage your infrastructure via remote execution and configuration management.
Feel free to ask questions here. Or in the discord community at https://discord.gg/GC5U3SEF
Salt is a powerful remote execution manager that can be used to administer servers in a fast and efficient way.
Salt allows commands to be executed across large groups of servers. This means systems can be easily managed, but data can also be easily gathered. Quick introspection into running systems becomes a reality.
Remote execution is usually used to set up a certain state on a remote system. Salt addresses this problem as well, the salt state system uses salt state files to define the state a server needs to be in.
Between the remote execution system, and state management Salt addresses the backbone of cloud and data center management.
See the wiki page for more links and other resources.
/r/saltstack
Hi. I have the following problem:
I'm trying to enroll a server into a domain via Salt, I'm sending out the domain enroll-admin account details to execute the ipa-client install command via salt-pillars. At the same time through salt-call any user with sudo rights can read the admin password. What are best practices for similar tasks that will prevent this data from being exposed?
Heya!
So, I don't really like Ansible. Or chef, or puppet. But I do like Saltstack.
Now the big question, why are so many giving up on Saltstack after the latest aquisition?
Ansible is owned by IBM, kind of. IBM have ruined ansible according to me. SaltStack was bought by VmWare and to me made it better, and now Broadcom bought VmWare, so by proxy bought SaltStack - right?
Did Boradcom screw up Saltstack?
I'm having trouble targeting servers with grains on my v3006.9 salt master. There's a custom grain [myCustomGrain] that only certain servers have. I use this grain to target salt command [here, test.ping]. Then, in the output, servers without the grain have output. In the past, only servers with the grain would have output.
salt -G myCustomGrain:someValue test.ping
...
validserver001:
True
invalidserver001:
Minion did not return. [No response]
The minions may not have all finished running and any remaining minions will return upon completion. To look up the return data for this job later, run the following command:
salt-run jobs.lookup_jid 20241113183605042208
...
Also, the job info has those extra minions present in the Minions list
Arguments:
Function:
test.ping
Minions:
- validserver001
- invalidserver001
...
Target:
myCustomGrain:someValue
Target-type:
grain
Does someone have a fix for this or is this the new, expected behavior? This new behavior is incompatible with a bunch of scripts and I really don't want to change everything. Thanks in advance for any information.
With the migration to broadcom, many link are dead… I think to migrate to ansible… I just tried to ask chatgpt to convert some sls to ansible playbook, and the result is very good in most of case… 🤔
I have created the custom grain holding the full Debian version
as non of the build-in ones show that for some reason.
It is called osreleasefull and it is in the file called osreleasefull.py
which is in the _grains dir in the salt root dir.
It works fine from the master but not on the minion
even though gains syncing works fine,
new grain is recognized and the file is in the cache on the minion:
[master]:
-rw-r--r-- 1 root root 323 Nov 7 05:45 /srv/salt/_grains/osreleasefull.py
[master]# salt minion1 grains.get osreleasefull
minion1:
12.1
[minion]:
-rw-r--r-- 1 root root 323 Nov 7 05:48 /var/cache/salt/minion/files/base/_grains/osreleasefull.py
[minion1]# salt-call saltutil.sync_grains
local:
- grains.osreleasefull
[minion1]# salt-call grains.get osreleasefull
local:
osreleasefull.py:
#!/usr/bin/env python
import os
def osreleasefull():
grains = {}
if os.path.isfile('/etc/debian_version'):
with open('/etc/debian_version', 'r') as f:
# Setting the grain name to match the expected output
grains['osreleasefull'] = f.read().strip()
return grains
Any tips on what am I missing?
I have Odroid-HC1 ARM machine (Samsung Exynos5422 Cortex-A15) running Debian 12. It's my personal mail server.
After Broadcom migration I get:
N: Skipping acquire of configured file 'main/binary-armhf/Packages' as repository 'https://packages.broadcom.com/artifactory/saltproject-deb stable InRelease
' doesn't support architecture 'armhf'
I do not see `armhf` in https://packages.broadcom.com/artifactory/saltproject-deb/dists/stable/main/ so I guess I'm f...?
You can only get salt 3006 or newer on the Broadcom site. Where are the packages for the older versions? This is having a horrific affect on our faith in using salt going forward.
Did anyone have archive mirrors of the previous salt versions?
How would ANYONE in Broadcom think this was a good idea?
Why should ANYONE continue using Salt?
I have to mirror salt's repos for various reasons, but broadcom's using jFrog or whatever's 'Artifactory' instead of standard repository structure.
Any insight on how to rclone from there?
Or am I stuck mirroring it myself with createrepo
before my pulp server pulls it?
I’m rebuilding my homelab and learning SaltStack as well. I want to automate everything but there is one thing that bothers me and I haven’t found a solution in the docs.
Let’s say that I need a proxy server, but that depends on a DNS Resolver. But the DNS Resolver depends on the Proxy Server to install the Unbound.
Is possible to do something like this and how to do it?
If someone is willing to point to some “production ready” examples on GitHub, I would be thankful.
I currently have a /srv/salt/base/top.sls
that looks like:
base:
'*':
- motd
- lnav
Now, I have a state called myteam-ssh-keys
that should be targeted to minions having a specific grain (managed_by
) equal to a specific value (myteam
).
How can I update the top.sls
to apply the myteam-ssh-keys
only to the targeted minion ?
The overall goal is to end up putting a cron job that runs salt '*' state-apply
regularly to keep the minions in sync.
I'm trying to use Salt lgpo.set to configure windows 'Attack Surface Reduction Rules'. This setting requires a list with values. I have successfully configured other lists without values e.g
Local_Policies:
lgpo.set:
- computer_policy:
Access this computer from the network:
- Administrators
- Remote Desktop Users
How do I include values in the list items?
well, what the title says. If I have passwords or keys defined in `/etc/salt/master` do they have to be in plain text? I'm trying to define external pillar source using hashicorp vault, which works pretty well, but in a master config file I need to define the app role secret id. I would rather the secret id not be in scm.
Olá pessoal,
Sou iniciante no salt e gostaria de uma ajuda de vocês. Criei um state para modificar a pasta C:\ProgramData\Microsoft\Windows\Start Menu\. Gostaria que todos os arquivos dela fossem limpos e só ficasse o arquivo do state cria_atalho. Quando eu executo a primeira vez ele funciona corretamente mas após isso eu crio arquivos manualmente nessa pasta e mesmo executando o state novamente ele não limpa esses arquivos. O retorno que tenho no master é que não houveram mudanças na pasta. Sabem me dizer o que estou fazendo de errado?
remove.arquivos:
file.directory:
- name: 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\'
- clean: True
- require:
- cria.atalho
cria.atalho:
file.managed:
- name: 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\atalho.lnk'
- source: 'salt://win/atalhos/atalho.lnk'
- source_hash: 43808f02b6f82eb7b68906bec8cfa7be
Obrigado.
Hey all, Does anyone use SaltStack to streamline Aerospike configuration management for different clusters at your workplace/org?
Would love to hear whats your approach in deploying aerospike configuration dynamically for different aerospike clusters using saltstack.
Need ideas to streamline configuration management while setting up a new cluster.
I am having an issue where I cannot communicate with my salt minions from master even though they have their salt key accepted and the salt service is installed and running.
When I try to run test.ping I get an error "Minion did not return. [Not Connected]"
To resolve this I often have to remove the minion keys and reinstall minion with a new key. Surely, there has to be a solution for this, or maybe my salt configuration is wrong??
I have a situation where by on a VMware based virtual machine when I check if Secure Boot is enabled using mokutil
it says it is, but when I check the efi-secure-boot
grain it's saying Secure Boot isn't enabled.
When I check the VMs firmware configuration the vCenter it's configured to use EFI (and not BIOS) and Secure Boot is ticked.
This seems to be case across my entire estate of approx. 20 Debian and Ubuntu based VMs.
root@host:~ # mokutil --sb-state
SecureBoot enabled
root@host:~ # sudo salt-call grains.item efi efi-secure-boot
local:
----------
efi:
True
efi-secure-boot:
False
Anyone else experiencing the same thing?
hey all, im trying to solve a problem in using saltstack:
lets say we have aerospike clusters being used across different teams in the company. The thing is when a team is needed to create a new aerospike cluster or make any changes in the existing clusters, they create new folder in the salt:// folder specific to a cluster and add relevant hosts, config and namespaces to it that they need and spin up or make changes to a cluster
ex: config.sls host.yml install.sls etc
the problem here is since every cluster has its own folder and it creates more folders and it's kind of cumbersome. how do i improve this? using salt pillar? and how do i optimise this?
Is there really no built-in way to parse a URL in salt or jinja1
Python has urlparse, and Ansible has urlsplit.
Yes, I know I can cobble this together in many ways, but I'd expect salt or jinja to have a simple call that puts a URL in an array of parts or even a dictionary.
Am I missing something?
What is the best way to upgrade OS (Debian in my case) on the minions?
I use pkg.uptodate in my state but for some reason it does not install all the packages available.
(apt update/upgrade shows packages available for upgrade like linux-image or kernel headers)
Any tip or what am I missing?
Is it possible to use salt to add/update/delete A, PTR, etc. records with AD based DNS?
I want DNS changes to be tied to salt deploying or terminating servers as well as using Salt to automate reoccurring hygiene activities.
Any examples would be awesome.
TIA
So, I have a specific problem to solve and have been advised to look at salt as a possible tool to solve it.
I've spent the last two hours reading documentation and setting up a master and a windows minion, but now I'm a bit stuck.
In hindsight, I'm not sure I need the master, but I might play around with it at some point if I end up solving my problem with salt and using it more.
Anyway, so here's what I actually want to accomplish:
The plan is to use packer to build monthly images that will be used to deploy remote desktop session host. There are about 40 different "profiles" (I know, we're trying to cut it down. But licensing and very different workloads make it a bit of a pain). So part of the build would be installing the required applications and installing them.
At this stage I'm having packer upload the required installation files to the image, running the installations in the required order and then deleting the installation files.
I was hoping to use salt for this. I'm not sure salt is the right tool. Anything requiring use of github is a no-go. That's both disallowed by policy and actively blocked in the firewall. Any installation files need to be fetched from a local repository as we have custom packaged applications hosted on SMB-shares.
My hope would be that I could during my packer build just make a call similar to "install Developer Desktop packages" and there would be a role (not sure what it's called in salt?) that then lists everything that needs to be installed and in what order. Bonus if it can fetch it from a self-hosted repository. I can do https if I have to, but if smb isn't an option I'd rather just have packer upload the files at build time. But then I also need to keep track of the roles in packer so it knows which files to upload...
Is salt a good fit? I've been trying to find a good solution for this, but everywhere I look most tools are focused on cloud and using services hosted on the internet like git, which infosec will shut down instantly. I need something that can run on-prem with no outside dependencies. The machines also only need to be provisioned, not managed. The image will never be booted up once it's built, the workers will be clones of the image and non-persistent. As in they reboot daily and all written data is discarded and the workers revert to a clean clone. We would then rebuild the images monthly in order to apply patches and updates.
Looking to apply the CIS hardening guidelines to our windows 10 systems via a salt state
Has anyone attempted this with salt?
The list is enormous