Dan Poirier
Lightning Lunch Talk
November 22, 2013
Why? A master serves two roles:
Even with a master, you can still kick off updates on each minion anytime you want.
Recent versions of Salt have added Git integration.
I use the bootstrap script and specify a particular version:
curl --insecure -L http://bootstrap.saltstack.org \
  | sh -s -- -M -N git v0.17.1
(https://github.com/saltstack/salt-bootstrap)
In /etc/salt/master, comment out the config related to getting the state files from the local file system:
# fileserver_backend:
#   - roots
# file_roots:
#   base:
#     - /srv/salt
Enable the git fileserver backend:
fileserver_backend:
  - git
And give it one or more git repos to look at:
gitfs_remotes:
  - git://github.com/saltstack/salt-states.git
If the repo is private, you need to access it using ssh:
gitfs_remotes:
  - git+ssh://git@prius.poirier.us/salt-states.git
And put a passwordless private SSH key in ~/.ssh/id_rsa under the user that the Salt master is running as.
For no apparent reason, configuring git as a source of pillar files is rather different from how to configure git as a source of state files:
ext_pillar:
  - git: master git+ssh://git@prius.poirier.us/salt-pillar.git
More compact output:
state_output: mixed
Run as non-root:
user: salt-master
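An added example, not part of the original talk: a small shell lint for /etc/salt/master that flags git:// or http:// remotes, a master left running as root, and a private key readable by group or others. The function and finding names are invented for illustration, and the sample config is constructed from the settings shown above:

```shell
#!/bin/sh
# Added example: lint a Salt master config for the settings discussed above.
# Finding names (PLAINTEXT_REMOTE, RUNS_AS_ROOT, KEY_EXPOSED) are made up here.

# Print one finding per line for the given master config file.
audit_master() {
    awk '
        /^[ \t]*#/ { next }                     # ignore commented-out config
        /^user:[ \t]*[^ \t]/ { user = $2 }      # top-level "user:" setting
        {
            # git:// and http:// remotes are neither authenticated nor
            # encrypted, so the states they deliver can be altered in transit.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(git|http):\/\//) print "PLAINTEXT_REMOTE " $i
        }
        # With no "user:" line the master keeps its default and runs as root.
        END { if (user == "" || user == "root") print "RUNS_AS_ROOT" }
    ' "$1"
}

# Succeed only if the key file grants nothing to group or others.
key_is_private() {
    [ -f "$1" ] || return 2
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "KEY_EXPOSED $1"; return 1 ;;
    esac
}

# Constructed sample: the settings from this page, before "user:" is added.
sample_master_conf() {
    cat <<'EOF'
# fileserver_backend:
#   - roots
fileserver_backend:
  - git
gitfs_remotes:
  - git://github.com/saltstack/salt-states.git
  - git+ssh://git@prius.poirier.us/salt-states.git
ext_pillar:
  - git: master git+ssh://git@prius.poirier.us/salt-pillar.git
state_output: mixed
EOF
}
```

Run `audit_master /etc/salt/master` and `key_is_private ~/.ssh/id_rsa` as the user the master runs as; no output means nothing was flagged.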
Bootstrap script again. No extra options are needed this time, just git to get Salt from GitHub, and the version:
curl --insecure -L http://bootstrap.saltstack.org \
  | sh -s -- git v0.17.1
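Both bootstrap commands (master and minion) turn off certificate checking and pipe the download straight into sh. As an added example, not from the original talk, here is the same install with the script saved to a file and checked against a pinned SHA-256 before it runs. BOOTSTRAP_URL and EXPECTED_SHA256 are placeholders to fill in from a source you trust, and the function names are made up here:

```shell
#!/bin/sh
# Added example: fetch the bootstrap script to a file, verify it, then run it.
# BOOTSTRAP_URL and EXPECTED_SHA256 are placeholders, not values from the talk.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    sha256sum "$1" | awk '{print tolower($1)}'
}

# Return 0 only if the file is non-empty and its digest equals the pinned value.
verify_script() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
}

# Download over HTTPS with certificate checks on, verify, then execute.
# Remaining arguments are passed to the bootstrap script unchanged.
bootstrap_salt() {
    url=$1; expected=$2; shift 2
    tmp=$(mktemp) || return 1
    # --fail: an HTTP error page is never saved as the script
    # --proto/--proto-redir: refuse plain http, also after redirects
    if curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' -o "$tmp" "$url" \
       && verify_script "$tmp" "$expected"; then
        sh "$tmp" "$@"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Master: bootstrap_salt "$BOOTSTRAP_URL" "$EXPECTED_SHA256" -M -N git v0.17.1
# Minion: bootstrap_salt "$BOOTSTRAP_URL" "$EXPECTED_SHA256" git v0.17.1
```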
Not much needed. In /etc/salt/minion:
master: <full hostname of master>
id: <shorthostname of minion>
state_output: mixed
All the minion needs is a name and how to find the master, and you can skip the name if you're happy with just using the hostname.
Might need to start the minion:
sudo service salt-minion start
The master won't talk to any minion unless you say it's okay:
# salt-key -a <minion ID>
Install packages I want everywhere:
packages:
  pkg.latest:
    # names: runs the state once for each listed package
    - names:
      - screen
      - sqlite3
Or just on Ubuntu:
{% if grains['os'] == 'Ubuntu' %}
{% for pkg in 'tasksel', 'python-software-properties' %}
{{ pkg }}: pkg.latest
{% endfor %}
{% endif %}
PPA for latest version:
{% if grains['os'] == 'Ubuntu' %}
ppa-emacs:
  pkgrepo.managed:
    # Emacs
    - ppa: cassou/emacs
    - require_in:
      - pkg: emacs24
{% endif %}
Install packages with latest version:
{% for name in ['emacs24', 'emacs24-el'] %}
{{ name }}:
  pkg.latest:
{% if grains['os'] == 'Ubuntu' %}
    - require:
      - pkgrepo: ppa-emacs
{% endif %}
{% endfor %}
A sample of what I have in pillar:
{% if 'caktus' in grains['domain'] %}
myusername: dpoirier
mygroupname: dpoirier
myemail: dpoirier@caktusgroup.com
myhomedir: /home/dpoirier
{% else %}
myusername: poirier
myemail: dan@poirier.us
...
{% endif %}
You get the idea.
bitbucket.sls:
bitbucket_deploy_key:
  file.managed:
    - name: {{ pillar['myhomedir'] }}/.ssh/id_bitbucket
    - contents_pillar: bitbucket:deploy_key
    - user: {{ pillar['myuid'] }}
    - group: {{ pillar['mygid'] }}
    - mode: 400
In pillar:
bitbucket: deploy_key: | -----BEGIN RSA PRIVATE KEY----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ....
I keep my ~/.emacs.d directory in git, and this state keeps it up to date on all my systems:
git@bitbucket.org:poirier/emacs.d.git:
  git.latest:
    - rev: master
    - target: {{ pillar['myhomedir'] }}/.emacs.d
    - user: {{ pillar['myusername'] }}
    - group: {{ pillar['mygid'] }}
    - identity: {{ pillar['myhomedir'] }}/.ssh/id_bitbucket
    - require:
      - user: {{ pillar['myusername'] }}
      - file: bitbucket_deploy_key
alternatives.sls:
editor:
  alternatives.install:
    - name: editor
    - link: /usr/bin/editor
    - path: /usr/bin/emacs
    - priority: 100
Use salt to set up the cron job to run salt between 2 and 2:59 am each day:
/usr/bin/salt-call -l quiet state.highstate:
  cron.present:
    - user: root
    - minute: random
    - hour: 2
PyCharm and Crashplan both want you to increase the kernel setting for how many files they can monitor for changes. This is the kind of thing I always used to forget to do when I set up a new machine, but not anymore:
fs.inotify.max_user_watches:
  sysctl.present:
    - value: 1048576
Getting dropbox installed and connected under my account isn't fully automated yet, but once that's done, I use Salt to reliably have Supervisor keep dropbox running:
# dropbox.sls
dropbox:
  supervisord.running:
    - restart: True
    - watch:
      - file: /etc/supervisor/conf.d/dropbox.conf
    - require:
      - pkg: supervisor
      - file: /etc/supervisor/conf.d/dropbox.conf
/etc/supervisor/conf.d/dropbox.conf:
  file.managed:
    - source: salt://dropbox/dropbox_supervisor.conf
    - user: root
    - group: root
    - template: jinja
extend:
  supervisor:
    service:
      - watch:
        - file: /etc/supervisor/conf.d/dropbox.conf
Here's the template for the supervisor config file for dropbox:
# dropbox_supervisor.conf
[program:dropbox]
command=/home/{{ pillar['myusername'] }}/.dropbox-dist/dropboxd
numprocs=1
directory=/home/{{ pillar['myusername'] }}
user={{ pillar['myusername'] }}
redirect_stderr=true
Installing Java on Ubuntu is a pain, but Salt can handle it:
accept-java-license:
  debconf.set:
    - name: oracle-java8-installer
    - data:
        shared/accepted-oracle-license-v1-1: {'type': boolean, 'value': true}
    - require:
      - pkg: debconf-utils
ppa-java:
  pkgrepo.managed:
    # Java
    - ppa: webupd8team/java
    - require_in:
      - pkg: java
java:
  pkg.latest:
    - name: oracle-java8-installer
    - require:
      - debconf: accept-java-license
Some things I'd still like to do: