Hey Robert,

As you've discovered, Salt's syndic masters are completely separate from the master of masters as far as pillar and state data go. The easiest solution to this is to store your state data in git and use GitFS, and store your pillar data in a different git repo and use the git_pillar external pillar module.

You can also have the minion on the syndic master connect to the master of masters and use that minion to sync down the state files and pillar files, using a `file.recurse` state or similar.

Hope that helps.

--
Colton Myers
Platform Engineer, SaltStack
@basepi on GitHub/Twitter/IRC

On Jun 18, 2013, at 6:53 AM, Robert Einsle wrote:

Hi List,

We want to configure a lot of hosts in different firewall zones using Salt. Salt works by connecting the clients to the master. Because of the sensitivity of the data, the salt-master should work in its own firewall zone. And letting the minions connect directly from an outside zone to the salt zone is a bad idea. Our solution was to use syndic. Syndic is up and running, but doesn't share salt states and pillar data.

To test the setup, I use a salt-master (running salt-master, salt-syndic and salt-minion), a salt-syndic (running salt-master, salt-syndic, salt-minion) and a salt-minion (running a salt-minion).

test.ping works:

--- cut ---
root@salt-master:~# salt '*' test.ping
salt-master.xxx.de:
    True
salt-minion.xxx.de:
    True
salt-syndic.xxx.de:
    True
--- cut ---

OK, now test the next step, using salt state files:

I created a file /srv/salt/core/init.sls:
--- cut ---
core-packages:
  pkg:
    - installed
    - names:
      - dnsutils
--- cut ---

and a corresponding top.sls:
--- cut ---
base:
  '*':
    - core
--- cut ---

A run shows me:

--- cut ---
root@salt-master:~# salt '*' state.highstate
salt-minion.xxx.de:
    ----------
    no_|-states_|-states_|-None:
        ----------
        __run_num__:

        changes:
            ----------
        comment:
            No Top file or external nodes data matches found
        name:
            No States
        result:
            False
salt-syndic.xxx.de:
    ----------
    no_|-states_|-states_|-None:
        ----------
        __run_num__:

        changes:
            ----------
        comment:
            No Top file or external nodes data matches found
        name:
            No States
        result:
            False
salt-master.xxx.de:
----------
    State: - pkg
    Name: dnsutils
    Function: installed
    Result: True
    Comment: The following packages were installed/updated: dnsutils.
    Changes: dnsutils: { new : 1:9.8.4.dfsg.P1-6+nmu2
    old :
    }
--- cut ---

It seems that /srv/salt will not be shared to downstream masters. But using git, this is not our showstopper.

Now we will use pillar-data (on salt-master)(/srv/pillar/core/init.sls):

--- cut ---
root@salt-master:~# cat /srv/pillar/core/init.sls
zzz_data:
  test:
    - data1
    - data2
--- cut ---

shows:

--- cut ---
root@salt-master:~# salt '*' pillar.data zzz_data
salt-master.xxx.de:
    ----------
    test:
        - data1
        - data2
salt-minion.xxx.de:
    ----------
salt-syndic.xxx.de:
    ----------
--- cut ---

This is our Show-Stopper because we don't want to deliver Production-Data outside the salt-firewall-zone.

Do we have an outside chance to get syndic running as a proxy that also delivers /srv/salt and /srv/pillar data?

Thanks a lot

Robert
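
The GitFS plus git_pillar setup suggested in the reply, sketched as a master config for the syndic master. This is an added example, not part of the original thread: the repository URLs, key paths and the one-pillar-repo-per-zone layout are assumptions, and the option syntax follows current Salt documentation, which may differ from the 2013 release used in the thread.

```yaml
# /etc/salt/master on the syndic master (constructed example)

# Serve states from git first, then fall back to the local /srv/salt tree.
fileserver_backend:
  - gitfs
  - roots

gitfs_remotes:
  # Placeholder URL: the shared state repository.
  - ssh://git@git.example.com/salt/states.git

# Read-only deploy key for the state repository (placeholder paths).
# Key-based SSH authentication requires the pygit2 provider.
gitfs_provider: pygit2
gitfs_pubkey: /etc/salt/keys/states_ro.pub
gitfs_privkey: /etc/salt/keys/states_ro

# Pillar comes from a separate repository. Assumption: one pillar
# repository per firewall zone, so this syndic master can only ever
# fetch the pillar data that belongs to its own zone.
ext_pillar:
  - git:
    - master ssh://git@git.example.com/salt/pillar-dmz.git

git_pillar_provider: pygit2
git_pillar_pubkey: /etc/salt/keys/pillar_dmz_ro.pub
git_pillar_privkey: /etc/salt/keys/pillar_dmz_ro
```

The pillar repository needs its own `top.sls`. Splitting pillar by zone and using read-only keys keeps production values out of any repository that a syndic master in an outer zone can read.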
