[salt-users] Re: salt syndic as proxy between salt-master and salt-minion

On Jun 18, 2013, at 6:53 AM, Robert Einsle wrote:

Hi List,

we want do configure a lot of Hosts in different firewall-zones using salt. Salt works connecting the Clients to the Master. Because of the sensity of the data, the salt-master should work in a own firewallzone. And let the minions directly connect from an outside-zone to the salt-zone is a bad idea. Our solution was to use syndic. Syndic is up and running, but don't share salt-states and pillar-data.

To test the setting, i use an salt-master (running salt-master, salt-syndic and salt-minion), salt-syndic (running salt-master, salt-syndic, salt-minion) and an salt-minion (running an salt-minion).

test.ping works:

--- cut ---
root@salt-master:~# salt '*' test.ping
salt-master.xxx.de:
True
salt-minion.xxx.de:
True
salt-syndic.xxx.de:
True
--- cut ---

Ok, now test the next step, usind salt sate-files:

I created a File /srv/salt/core/init.sls:
--- cut ---
core-packages:
pkg:
- installed
- names:
- dnsutils
--- cut ---

and a corresponding top.sls:
--- cut ---
base:
'*':
- core
--- cut ---

an run shows me:

--- cut ---
root@salt-master:~# salt '*' state.highstate
salt-minion.xxx.de:
----------
no_|-states_|-states_|-None:
----------
__run_num__:

changes:
----------
comment:
No Top file or external nodes data matches found
name:
No States
result:
False
salt-syndic.xxx.de:
----------
no_|-states_|-states_|-None:
----------
__run_num__:

changes:
----------
comment:
No Top file or external nodes data matches found
name:
No States
result:
False
salt-master.xxx.de:
----------
State: - pkg
Name: dnsutils
Function: installed
Result: True
Comment: The following packages were installed/updated: dnsutils.
Changes: dnsutils: { new : 1:9.8.4.dfsg.P1-6+nmu2
old :
}
--- cut ---

seems that /srv/salt will not be shared to downstream masters. But using git, this is not our showstopper.

Now we will use pillar-data (on salt-master)(/srv/pillar/core/init.sls):

--- cut ---
root@salt-master:~# cat /srv/pillar/core/init.sls
zzz_data:
test:
- data1
- data2
--- cut ---

shows:

--- cut ---
root@salt-master:~# salt '*' pillar.data zzz_data
salt-master.xxx.de:
----------
test:
- data1
- data2
salt-minion.xxx.de:
----------
salt-syndic.xxx.de:
----------
--- cut ---

This is our Show-Stopper because we don't want to deliver Production-Data outside the salt-firewall-zone.

Do we have a outer chance to get syndic running as proxy delivering also /srv/salt and /srv/pillar data?

Thanks a lot

Robert

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out <https://groups.google.com/groups/opt_out>.

Hey Robert,

As you've discovered, salt's syndic masters are completely separate from
the master of masters as far as pillar and state data go. The easiest
solution to this is to store your state data in git and use GitFS, and
store your pillar data in a different git repo and use git_pillar external
pillar module.

You can also have the minion on the syndic master connect to the master of
masters and use that minion to sync down the state files and pillar files,
using a `file.recurse` state or similar.

Hope that helps.

--
Colton Myers
Platform Engineer, SaltStack
@basepi on Github/Twitter/IRC

On Jun 18, 2013, at 6:53 AM, Robert Einsle <robert.i...@gmail.com
<javascript:>> wrote:

Hi List,

we want do configure a lot of Hosts in different firewall-zones using
salt. Salt works connecting the Clients to the Master. Because of the
sensity of the data, the salt-master should work in a own firewallzone. And
let the minions directly connect from an outside-zone to the salt-zone is a
bad idea. Our solution was to use syndic. Syndic is up and running, but
don't share salt-states and pillar-data.

To test the setting, i use an salt-master (running salt-master,
salt-syndic and salt-minion), salt-syndic (running salt-master,
salt-syndic, salt-minion) and an salt-minion (running an salt-minion).

test.ping works:

--- cut ---
root@salt-master:~# salt '*' test.ping
salt-master.xxx.de:
True
salt-minion.xxx.de:
True
salt-syndic.xxx.de:
True
--- cut ---

Ok, now test the next step, usind salt sate-files:

I created a File /srv/salt/core/init.sls:
--- cut ---
core-packages:
pkg:
- installed
- names:
- dnsutils
--- cut ---

and a corresponding top.sls:
--- cut ---
base:
'*':
- core
--- cut ---

an run shows me:

--- cut ---
root@salt-master:~# salt '*' state.highstate
salt-minion.xxx.de:
----------
no_|-states_|-states_|-None:
----------
__run_num__:

changes:
----------
comment:
No Top file or external nodes data matches found
name:
No States
result:
False
salt-syndic.xxx.de:
----------
no_|-states_|-states_|-None:
----------
__run_num__:

changes:
----------
comment:
No Top file or external nodes data matches found
name:
No States
result:
False
salt-master.xxx.de:
----------
State: - pkg
Name: dnsutils
Function: installed
Result: True
Comment: The following packages were installed/updated: dnsutils.
Changes: dnsutils: { new : 1:9.8.4.dfsg.P1-6+nmu2
old :
}
--- cut ---

seems that /srv/salt will not be shared to downstream masters. But using
git, this is not our showstopper.

Now we will use pillar-data (on salt-master)(/srv/pillar/core/init.sls):

--- cut ---
root@salt-master:~# cat /srv/pillar/core/init.sls
zzz_data:
test:
- data1
- data2
--- cut ---

shows:

--- cut ---
root@salt-master:~# salt '*' pillar.data zzz_data
salt-master.xxx.de:
----------
test:
- data1
- data2
salt-minion.xxx.de:
----------
salt-syndic.xxx.de:
----------
--- cut ---

This is our Show-Stopper because we don't want to deliver Production-Data
outside the salt-firewall-zone.

Do we have a outer chance to get syndic running as proxy delivering also
/srv/salt and /srv/pillar data?

Thanks a lot

Robert

--
You received this message because you are subscribed to the Google Groups
"Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to salt-users+...@googlegroups.com <javascript:>.
For more options, visit https://groups.google.com/groups/opt_out.