FAQ
hi, robert,

i also meet an problem like you, did you get the solution yet?
thx

在 2013年6月18日星期二UTC+8下午8时53分49秒,Robert Einsle写道:
Hi List,

we want do configure a lot of Hosts in different firewall-zones using
salt. Salt works connecting the Clients to the Master. Because of the
sensity of the data, the salt-master should work in a own firewallzone. And
let the minions directly connect from an outside-zone to the salt-zone is a
bad idea. Our solution was to use syndic. Syndic is up and running, but
don't share salt-states and pillar-data.

To test the setting, i use an salt-master (running salt-master,
salt-syndic and salt-minion), salt-syndic (running salt-master,
salt-syndic, salt-minion) and an salt-minion (running an salt-minion).

test.ping works:

--- cut ---
root@salt-master:~# salt '*' test.ping
salt-master.xxx.de:
True
salt-minion.xxx.de:
True
salt-syndic.xxx.de:
True
--- cut ---

Ok, now test the next step, usind salt sate-files:

I created a File /srv/salt/core/init.sls:
--- cut ---
core-packages:
pkg:
- installed
- names:
- dnsutils
--- cut ---

and a corresponding top.sls:
--- cut ---
base:
'*':
- core
--- cut ---

an run shows me:

--- cut ---
root@salt-master:~# salt '*' state.highstate
salt-minion.xxx.de:
----------
no_|-states_|-states_|-None:
----------
__run_num__:

changes:
----------
comment:
No Top file or external nodes data matches found
name:
No States
result:
False
salt-syndic.xxx.de:
----------
no_|-states_|-states_|-None:
----------
__run_num__:

changes:
----------
comment:
No Top file or external nodes data matches found
name:
No States
result:
False
salt-master.xxx.de:
----------
State: - pkg
Name: dnsutils
Function: installed
Result: True
Comment: The following packages were installed/updated: dnsutils.
Changes: dnsutils: { new : 1:9.8.4.dfsg.P1-6+nmu2
old :
}
--- cut ---

seems that /srv/salt will not be shared to downstream masters. But using
git, this is not our showstopper.

Now we will use pillar-data (on salt-master)(/srv/pillar/core/init.sls):

--- cut ---
root@salt-master:~# cat /srv/pillar/core/init.sls
zzz_data:
test:
- data1
- data2
--- cut ---

shows:

--- cut ---
root@salt-master:~# salt '*' pillar.data zzz_data
salt-master.xxx.de:
----------
test:
- data1
- data2
salt-minion.xxx.de:
----------
salt-syndic.xxx.de:
----------
--- cut ---

This is our Show-Stopper because we don't want to deliver Production-Data
outside the salt-firewall-zone.

Do we have a outer chance to get syndic running as proxy delivering also
/srv/salt and /srv/pillar data?

Thanks a lot

Robert
--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Search Discussions

Discussion Posts

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 1 of 3 | next ›
Discussion Overview
groupsalt-users @
postedNov 3, '14 at 4:49a
activeNov 21, '14 at 10:31a
posts3
users2

2 users in discussion

Elvis Macak: 2 posts Colton Myers: 1 post

People

Translate

site design / logo © 2022 Grokbase