1
0

requisites.rst 41 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243
  1. .. _requisites:
  2. ===========================================
  3. Requisites and Other Global State Arguments
  4. ===========================================
  5. Requisites
  6. ==========
  7. The Salt requisite system is used to create relationships between states. The
  8. core idea being that, when one state is dependent somehow on another, that
  9. inter-dependency can be easily defined. These dependencies are expressed by
  10. declaring the relationships using state names and ID's or names. The
  11. generalized form of a requisite target is ``<state name> : <ID or name>``.
  12. The specific form is defined as a :ref:`Requisite Reference
  13. <requisite-reference>`
  14. Requisites come in two types: Direct requisites (such as ``require``),
  15. and requisite_ins (such as ``require_in``). The relationships are
  16. directional: a direct requisite requires something from another state.
  17. However, a requisite_in inserts a requisite into the targeted state pointing to
  18. the targeting state. The following example demonstrates a direct requisite:
  19. .. code-block:: yaml
  20. vim:
  21. pkg.installed
  22. /etc/vimrc:
  23. file.managed:
  24. - source: salt://edit/vimrc
  25. - require:
  26. - pkg: vim
  27. In the example above, the file ``/etc/vimrc`` depends on the vim package.
  28. Requisite_in statements are the opposite. Instead of saying "I depend on
  29. something", requisite_ins say "Someone depends on me":
  30. .. code-block:: yaml
  31. vim:
  32. pkg.installed:
  33. - require_in:
  34. - file: /etc/vimrc
  35. /etc/vimrc:
  36. file.managed:
  37. - source: salt://edit/vimrc
  38. So here, with a requisite_in, the same thing is accomplished as in the first
  39. example, but the other way around. The vim package is saying "/etc/vimrc depends
  40. on me". This will result in a ``require`` being inserted into the
  41. ``/etc/vimrc`` state which targets the ``vim`` state.
  42. In the end, a single dependency map is created and everything is executed in a
  43. finite and predictable order.
  44. Requisite matching
  45. ------------------
  46. Requisites need two pieces of information for matching: The state module name –
  47. e.g. ``pkg`` –, and the identifier – e.g. vim –, which can be either the ID (the
  48. first line in the stanza) or the ``- name`` parameter.
  49. .. code-block:: yaml
  50. - require:
  51. - pkg: vim
  52. Glog matching in requisites
  53. ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  54. .. versionadded:: 0.9.8
  55. Glob matching is supported in requisites. This is mostly useful for file
  56. changes. In the example below, a change in ``/etc/apache2/httpd.conf`` or
  57. ``/etc/apache2/sites-available/default.conf`` will reload/restart the service:
  58. .. code-block:: yaml
  59. apache2:
  60. service.running:
  61. - watch:
  62. - file: /etc/apache2/*
  63. Omitting state module in requisites
  64. -----------------------------------
  65. .. versionadded:: 2016.3.0
  66. In version 2016.3.0, the state module name was made optional. If the state module
  67. is omitted, all states matching the ID will be required, regardless of which
  68. module they are using.
  69. .. code-block:: yaml
  70. - require:
  71. - vim
  72. State target matching
  73. ~~~~~~~~~~~~~~~~~~~~~
  74. In order to understand how state targets are matched, it is helpful to know
  75. :ref:`how the state compiler is working <compiler-ordering>`. Consider the following
  76. example:
  77. .. code-block:: yaml
  78. Deploy server package:
  79. file.managed:
  80. - name: /usr/local/share/myapp.tar.xz
  81. - source: salt://myapp.tar.xz
  82. Extract server package:
  83. archive.extracted:
  84. - name: /usr/local/share/myapp
  85. - source: /usr/local/share/myapp.tar.xz
  86. - archive_format: tar
  87. - onchanges:
  88. - file: Deploy server package
  89. The first formula is converted to a dictionary which looks as follows (represented
  90. as YAML, some properties omitted for simplicity) as `High Data`:
  91. .. code-block:: yaml
  92. Deploy server package:
  93. file:
  94. - managed
  95. - name: /usr/local/share/myapp.tar.xz
  96. - source: salt://myapp.tar.xz
  97. The ``file.managed`` format used in the formula is essentially syntactic sugar:
  98. at the end, the target is ``file``, which is used in the ``Extract server package``
  99. state above.
  100. Identifier matching
  101. ~~~~~~~~~~~~~~~~~~~
  102. Requisites match on both the ID Declaration and the ``name`` parameter.
  103. This means that, in the "Deploy server package" example above, a ``require``
  104. requisite would match with ``Deploy server package`` *or* ``/usr/local/share/myapp.tar.xz``,
  105. so either of the following versions for "Extract server package" works:
  106. .. code-block:: yaml
  107. # (Archive arguments omitted for simplicity)
  108. # Match by ID declaration
  109. Extract server package:
  110. archive.extracted:
  111. - onchanges:
  112. - file: Deploy server package
  113. # Match by name parameter
  114. Extract server package:
  115. archive.extracted:
  116. - onchanges:
  117. - file: /usr/local/share/myapp.tar.xz
  118. Requisite overview
  119. ~~~~~~~~~~~~~~~~~~
  120. +------------+-------------------+---------------+------------+--------------------+
  121. | name | state is only | state is only | order | comment |
  122. | of | executed if | executed if | | or |
  123. | | target execution | target has | 1.target | |
  124. | | | | 2.state | |
  125. | requisite | result is | changes | (default) | description |
  126. +============+===================+===============+============+====================+
  127. | require | success | | default | state will always |
  128. | | | | | execute unless |
  129. | | | | | target fails |
  130. +------------+-------------------+---------------+------------+--------------------+
  131. | watch | success | | default | like require, |
  132. | | | | | but adds additional|
  133. | | | | | behaviour |
  134. | | | | | (mod_watch) |
  135. +------------+-------------------+---------------+------------+--------------------+
  136. | prereq | success | has changes | switched | like onchanges, |
  137. | | | (run | | except order |
  138. | | | individually | | |
  139. | | | as dry-run) | | |
  140. +------------+-------------------+---------------+------------+--------------------+
  141. | onchanges | success | has changes | default | execute state if |
  142. | | | | | target execution |
  143. | | | | | result is success |
  144. | | | | | and target has |
  145. | | | | | changes |
  146. +------------+-------------------+---------------+------------+--------------------+
  147. | onfail | failed | | default | Only requisite |
  148. | | | | | where state exec. |
  149. | | | | | if target fails |
  150. +------------+-------------------+---------------+------------+--------------------+
  151. In this table, the following short form of terms is used:
  152. * **state** (= dependent state): state containing requisite
  153. * **target** (= state target) : state referenced by requisite
  154. Direct Requisite and Requisite_in types
  155. ---------------------------------------
  156. There are several direct requisite statements that can be used in Salt:
  157. * ``require``
  158. * ``watch``
  159. * ``prereq``
  160. * ``use``
  161. * ``onchanges``
  162. * ``onfail``
  163. Each direct requisite also has a corresponding requisite_in:
  164. * ``require_in``
  165. * ``watch_in``
  166. * ``prereq_in``
  167. * ``use_in``
  168. * ``onchanges_in``
  169. * ``onfail_in``
  170. There are several corresponding requisite_any statements:
  171. * ``require_any``
  172. * ``watch_any``
  173. * ``onchanges_any``
  174. * ``onfail_any``
  175. All of the requisites define specific relationships and always work with the
  176. dependency logic defined above.
  177. .. _requisites-require:
  178. require
  179. ~~~~~~~
  180. The use of ``require`` demands that the required state executes before the
  181. dependent state. The state containing the ``require`` requisite is defined as the
  182. dependent state. The state specified in the ``require`` statement is defined as the
  183. required state. If the required state's execution succeeds, the dependent state
  184. will then execute. If the required state's execution fails, the dependent state
  185. will not execute. In the first example above, the file ``/etc/vimrc`` will only
  186. execute after the vim package is installed successfully.
  187. Require an Entire SLS File
  188. ~~~~~~~~~~~~~~~~~~~~~~~~~~
  189. As of Salt 0.16.0, it is possible to require an entire sls file. Do this first by
  190. including the sls file and then setting a state to ``require`` the included sls file:
  191. .. code-block:: yaml
  192. include:
  193. - foo
  194. bar:
  195. pkg.installed:
  196. - require:
  197. - sls: foo
  198. This will add all of the state declarations found in the given sls file. This means
  199. that every state in sls `foo` will be required. This makes it very easy to batch
  200. large groups of states easily in any requisite statement.
  201. .. _requisites-require_any:
  202. require_any
  203. ~~~~~~~~~~~
  204. .. versionadded:: 2018.3.0
  205. The use of ``require_any`` demands that one of the required states executes before the
  206. dependent state. The state containing the ``require_any`` requisite is defined as the
  207. dependent state. The states specified in the ``require_any`` statement are defined as the
  208. required states. If at least one of the required state's execution succeeds, the dependent state
  209. will then execute. If all of the executions by the required states fail, the dependent state
  210. will not execute.
  211. .. code-block:: yaml
  212. A:
  213. cmd.run:
  214. - name: echo A
  215. - require_any:
  216. - cmd: B
  217. - cmd: C
  218. - cmd: D
  219. B:
  220. cmd.run:
  221. - name: echo B
  222. C:
  223. cmd.run:
  224. - name: /bin/false
  225. D:
  226. cmd.run:
  227. - name: echo D
  228. In this example `A` will run because at least one of the requirements specified,
  229. `B`, `C`, or `D` will succeed.
  230. .. _requisites-watch:
  231. watch
  232. ~~~~~
  233. ``watch`` statements are used to add additional behavior when there are changes
  234. in other states.
  235. .. note::
  236. If a state should only execute when another state has changes, and
  237. otherwise do nothing, the new ``onchanges`` requisite should be used
  238. instead of ``watch``. ``watch`` is designed to add *additional* behavior
  239. when there are changes, but otherwise the state executes normally.
  240. The state containing the ``watch`` requisite is defined as the watching
  241. state. The state specified in the ``watch`` statement is defined as the watched
  242. state. When the watched state executes, it will return a dictionary containing
  243. a key named "changes". Here are two examples of state return dictionaries,
  244. shown in json for clarity:
  245. .. code-block:: json
  246. {
  247. "local": {
  248. "file_|-/tmp/foo_|-/tmp/foo_|-directory": {
  249. "comment": "Directory /tmp/foo updated",
  250. "__run_num__": 0,
  251. "changes": {
  252. "user": "bar"
  253. },
  254. "name": "/tmp/foo",
  255. "result": true
  256. }
  257. }
  258. }
  259. {
  260. "local": {
  261. "pkgrepo_|-salt-minion_|-salt-minion_|-managed": {
  262. "comment": "Package repo 'salt-minion' already configured",
  263. "__run_num__": 0,
  264. "changes": {},
  265. "name": "salt-minion",
  266. "result": true
  267. }
  268. }
  269. }
  270. If the "result" of the watched state is ``True``, the watching state *will
  271. execute normally*, and if it is ``False``, the watching state will never run.
  272. This part of ``watch`` mirrors the functionality of the ``require`` requisite.
  273. If the "result" of the watched state is ``True`` *and* the "changes"
  274. key contains a populated dictionary (changes occurred in the watched state),
  275. then the ``watch`` requisite can add additional behavior. This additional
  276. behavior is defined by the ``mod_watch`` function within the watching state
  277. module. If the ``mod_watch`` function exists in the watching state module, it
  278. will be called *in addition to* the normal watching state. The return data
  279. from the ``mod_watch`` function is what will be returned to the master in this
  280. case; the return data from the main watching function is discarded.
  281. If the "changes" key contains an empty dictionary, the ``watch`` requisite acts
  282. exactly like the ``require`` requisite (the watching state will execute if
  283. "result" is ``True``, and fail if "result" is ``False`` in the watched state).
  284. .. note::
  285. Not all state modules contain ``mod_watch``. If ``mod_watch`` is absent
  286. from the watching state module, the ``watch`` requisite behaves exactly
  287. like a ``require`` requisite.
  288. A good example of using ``watch`` is with a :mod:`service.running
  289. <salt.states.service.running>` state. When a service watches a state, then
  290. the service is reloaded/restarted when the watched state changes, in addition
  291. to Salt ensuring that the service is running.
  292. .. code-block:: yaml
  293. ntpd:
  294. service.running:
  295. - watch:
  296. - file: /etc/ntp.conf
  297. file.managed:
  298. - name: /etc/ntp.conf
  299. - source: salt://ntp/files/ntp.conf
  300. watch_any
  301. ~~~~~~~~~
  302. .. versionadded:: 2018.3.0
  303. The state containing the ``watch_any`` requisite is defined as the watching
  304. state. The states specified in the ``watch_any`` statement are defined as the watched
  305. states. When the watched states execute, they will return a dictionary containing
  306. a key named "changes".
  307. If the "result" of any of the watched states is ``True``, the watching state *will
  308. execute normally*, and if all of them are ``False``, the watching state will never run.
  309. This part of ``watch`` mirrors the functionality of the ``require`` requisite.
  310. If the "result" of any of the watched states is ``True`` *and* the "changes"
  311. key contains a populated dictionary (changes occurred in the watched state),
  312. then the ``watch`` requisite can add additional behavior. This additional
  313. behavior is defined by the ``mod_watch`` function within the watching state
  314. module. If the ``mod_watch`` function exists in the watching state module, it
  315. will be called *in addition to* the normal watching state. The return data
  316. from the ``mod_watch`` function is what will be returned to the master in this
  317. case; the return data from the main watching function is discarded.
  318. If the "changes" key contains an empty dictionary, the ``watch`` requisite acts
  319. exactly like the ``require`` requisite (the watching state will execute if
  320. "result" is ``True``, and fail if "result" is ``False`` in the watched state).
  321. .. code-block:: yaml
  322. apache2:
  323. service.running:
  324. - watch_any:
  325. - file: /etc/apache2/sites-available/site1.conf
  326. - file: apache2-site2
  327. file.managed:
  328. - name: /etc/apache2/sites-available/site1.conf
  329. - source: salt://apache2/files/site1.conf
  330. apache2-site2:
  331. file.managed:
  332. - name: /etc/apache2/sites-available/site2.conf
  333. - source: salt://apache2/files/site2.conf
  334. In this example, the service will be reloaded/restarted if either of the
  335. file.managed states has a result of True and has changes.
  336. .. _requisites-prereq:
  337. prereq
  338. ~~~~~~
  339. .. versionadded:: 0.16.0
  340. ``prereq`` allows for actions to be taken based on the expected results of
  341. a state that has not yet been executed. The state containing the ``prereq``
  342. requisite is defined as the pre-requiring state. The state specified in the
  343. ``prereq`` statement is defined as the pre-required state.
  344. When a ``prereq`` requisite is evaluated, the pre-required state reports if it
  345. expects to have any changes. It does this by running the pre-required single
  346. state as a test-run by enabling ``test=True``. This test-run will return a
  347. dictionary containing a key named "changes". (See the ``watch`` section above
  348. for examples of "changes" dictionaries.)
  349. If the "changes" key contains a populated dictionary, it means that the
  350. pre-required state expects changes to occur when the state is actually
  351. executed, as opposed to the test-run. The pre-requiring state will now
  352. actually run. If the pre-requiring state executes successfully, the
  353. pre-required state will then execute. If the pre-requiring state fails, the
  354. pre-required state will not execute.
  355. If the "changes" key contains an empty dictionary, this means that changes are
  356. not expected by the pre-required state. Neither the pre-required state nor the
  357. pre-requiring state will run.
  358. The best way to define how ``prereq`` operates is displayed in the following
  359. practical example: When a service should be shut down because underlying code
  360. is going to change, the service should be off-line while the update occurs. In
  361. this example, ``graceful-down`` is the pre-requiring state and ``site-code``
  362. is the pre-required state.
  363. .. code-block:: yaml
  364. graceful-down:
  365. cmd.run:
  366. - name: service apache graceful
  367. - prereq:
  368. - file: site-code
  369. site-code:
  370. file.recurse:
  371. - name: /opt/site_code
  372. - source: salt://site/code
  373. In this case the apache server will only be shutdown if the site-code state
  374. expects to deploy fresh code via the file.recurse call. The site-code
  375. deployment will only be executed if the graceful-down run completes
  376. successfully.
  377. .. _requisites-onfail:
  378. onfail
  379. ~~~~~~
  380. .. versionadded:: 2014.7.0
  381. The ``onfail`` requisite allows for reactions to happen strictly as a response
  382. to the failure of another state. This can be used in a number of ways, such as
  383. executing a second attempt to set up a service or begin to execute a separate
  384. thread of states because of a failure.
  385. The ``onfail`` requisite is applied in the same way as ``require`` as ``watch``:
  386. .. code-block:: yaml
  387. primary_mount:
  388. mount.mounted:
  389. - name: /mnt/share
  390. - device: 10.0.0.45:/share
  391. - fstype: nfs
  392. backup_mount:
  393. mount.mounted:
  394. - name: /mnt/share
  395. - device: 192.168.40.34:/share
  396. - fstype: nfs
  397. - onfail:
  398. - mount: primary_mount
  399. .. note::
  400. Setting failhard (:ref:`globally <global-failhard>` or in
  401. :ref:`the failing state <state-level-failhard>`) to ``True`` will cause
  402. ``onfail``, ``onfail_in`` and ``onfail_any`` requisites to be ignored.
  403. If you want to combine a global failhard set to True with ``onfail``,
  404. ``onfail_in`` or ``onfail_any``, you will have to explicitly set failhard
  405. to ``False`` (overriding the global setting) in the state that could fail.
  406. .. note::
  407. Beginning in the ``2016.11.0`` release of Salt, ``onfail`` uses OR logic for
  408. multiple listed ``onfail`` requisites. Prior to the ``2016.11.0`` release,
  409. ``onfail`` used AND logic. See `Issue #22370`_ for more information.
  410. .. _Issue #22370: https://github.com/saltstack/salt/issues/22370
  411. .. _requisites-onfail_any:
  412. onfail_any
  413. ~~~~~~~~~~
  414. .. versionadded:: 2018.3.0
  415. The ``onfail_any`` requisite allows for reactions to happen strictly as a response
  416. to the failure of at least one other state. This can be used in a number of ways, such as
  417. executing a second attempt to set up a service or begin to execute a separate
  418. thread of states because of a failure.
  419. The ``onfail_any`` requisite is applied in the same way as ``require_any`` and ``watch_any``:
  420. .. code-block:: yaml
  421. primary_mount:
  422. mount.mounted:
  423. - name: /mnt/share
  424. - device: 10.0.0.45:/share
  425. - fstype: nfs
  426. secondary_mount:
  427. mount.mounted:
  428. - name: /mnt/code
  429. - device: 10.0.0.45:/code
  430. - fstype: nfs
  431. backup_mount:
  432. mount.mounted:
  433. - name: /mnt/share
  434. - device: 192.168.40.34:/share
  435. - fstype: nfs
  436. - onfail_any:
  437. - mount: primary_mount
  438. - mount: secondary_mount
  439. In this example, the `backup_mount` will be mounted if either of the
  440. `primary_mount` or `secondary_mount` states results in a failure.
  441. .. _requisites-onchanges:
  442. onchanges
  443. ~~~~~~~~~
  444. .. versionadded:: 2014.7.0
  445. The ``onchanges`` requisite makes a state only apply if the required states
  446. generate changes, and if the watched state's "result" is ``True``. This can be
  447. a useful way to execute a post hook after changing aspects of a system.
  448. If a state has multiple ``onchanges`` requisites then the state will trigger
  449. if any of the watched states changes.
  450. .. note::
  451. One easy-to-make mistake is to use ``onchanges_in`` when ``onchanges`` is
  452. supposed to be used. For example, the below configuration is not correct:
  453. .. code-block:: yaml
  454. myservice:
  455. pkg.installed:
  456. - name: myservice
  457. file.managed:
  458. - name: /etc/myservice/myservice.conf
  459. - source: salt://myservice/files/myservice.conf
  460. - mode: 600
  461. cmd.run:
  462. - name: /usr/libexec/myservice/post-changes-hook.sh
  463. - onchanges_in:
  464. - file: /etc/myservice/myservice.conf
  465. This will set up a requisite relationship in which the ``cmd.run`` state
  466. always executes, and the ``file.managed`` state only executes if the
  467. ``cmd.run`` state has changes (which it always will, since the ``cmd.run``
  468. state includes the command results as changes).
  469. It may semantically seem like the ``cmd.run`` state should only run
  470. when there are changes in the file state, but remember that requisite
  471. relationships involve one state watching another state, and a
  472. :ref:`requisite_in <requisites-onchanges-in>` does the opposite: it forces
  473. the specified state to watch the state with the ``requisite_in``.
  474. The correct usage would be:
  475. .. code-block:: yaml
  476. myservice:
  477. pkg.installed:
  478. - name: myservice
  479. file.managed:
  480. - name: /etc/myservice/myservice.conf
  481. - source: salt://myservice/files/myservice.conf
  482. - mode: 600
  483. cmd.run:
  484. - name: /usr/libexec/myservice/post-changes-hook.sh
  485. - onchanges:
  486. - file: /etc/myservice/myservice.conf
  487. .. _requisites-onchanges_any:
  488. onchanges_any
  489. ~~~~~~~~~~~~~
  490. .. versionadded:: 2018.3.0
  491. The ``onchanges_any`` requisite makes a state only apply one of the required states
  492. generates changes, and if one of the watched state's "result" is ``True``. This can be
  493. a useful way to execute a post hook after changing aspects of a system.
  494. .. code-block:: yaml
  495. myservice:
  496. pkg.installed:
  497. - name: myservice
  498. - name: yourservice
  499. file.managed:
  500. - name: /etc/myservice/myservice.conf
  501. - source: salt://myservice/files/myservice.conf
  502. - mode: 600
  503. file.managed:
  504. - name: /etc/yourservice/yourservice.conf
  505. - source: salt://yourservice/files/yourservice.conf
  506. - mode: 600
  507. cmd.run:
  508. - name: /usr/libexec/myservice/post-changes-hook.sh
  509. - onchanges_any:
  510. - file: /etc/myservice/myservice.conf
  511. - file: /etc/your_service/yourservice.conf
  512. In this example, the `cmd.run` would be run only if either of the
  513. `file.managed` states generated changes and at least one of the
  514. watched state's "result" is ``True``.
  515. use
  516. ~~~
  517. The ``use`` requisite is used to inherit the arguments passed in another
  518. id declaration. This is useful when many files need to have the same defaults.
  519. .. code-block:: yaml
  520. /etc/foo.conf:
  521. file.managed:
  522. - source: salt://foo.conf
  523. - template: jinja
  524. - mkdirs: True
  525. - user: apache
  526. - group: apache
  527. - mode: 755
  528. /etc/bar.conf:
  529. file.managed:
  530. - source: salt://bar.conf
  531. - use:
  532. - file: /etc/foo.conf
  533. The ``use`` statement was developed primarily for the networking states but
  534. can be used on any states in Salt. This makes sense for the networking state
  535. because it can define a long list of options that need to be applied to
  536. multiple network interfaces.
  537. The ``use`` statement does not inherit the requisites arguments of the
  538. targeted state. This means also a chain of ``use`` requisites would not
  539. inherit inherited options.
  540. runas
  541. ~~~~~
  542. .. versionadded:: 2017.7.0
  543. The ``runas`` global option is used to set the user which will be used to run
  544. the command in the ``cmd.run`` module.
  545. .. code-block:: yaml
  546. django:
  547. pip.installed:
  548. - name: django >= 1.6, <= 1.7
  549. - runas: daniel
  550. - require:
  551. - pkg: python-pip
  552. In the above state, the pip command run by ``cmd.run`` will be run by the daniel user.
  553. runas_password
  554. ~~~~~~~~~~~~~~
  555. .. versionadded:: 2017.7.2
  556. The ``runas_password`` global option is used to set the password used by the
  557. runas global option. This is required by ``cmd.run`` on Windows when ``runas``
  558. is specified. It will be set when ``runas_password`` is defined in the state.
  559. .. code-block:: yaml
  560. run_script:
  561. cmd.run:
  562. - name: Powershell -NonInteractive -ExecutionPolicy Bypass -File C:\\Temp\\script.ps1
  563. - runas: frank
  564. - runas_password: supersecret
  565. In the above state, the Powershell script run by ``cmd.run`` will be run by the
  566. frank user with the password ``supersecret``.
  567. .. _requisites-require-in:
  568. .. _requisites-watch-in:
  569. .. _requisites-onchanges-in:
  570. The _in versions of requisites
  571. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  572. All of the requisites also have corresponding requisite_in versions, which do
  573. the reverse of their normal counterparts. The examples below all use
  574. ``require_in`` as the example, but note that all of the ``_in`` requisites work
  575. the same way: They result in a normal requisite in the targeted state, which
  576. targets the state which has defines the requisite_in. Thus, a ``require_in``
  577. causes the target state to ``require`` the targeting state. Similarly, a
  578. ``watch_in`` causes the target state to ``watch`` the targeting state. This
  579. pattern continues for the rest of the requisites.
  580. If a state declaration needs to be required by another state declaration then
  581. ``require_in`` can accommodate it. Therefore, these two sls files would be the
  582. same in the end:
  583. Using ``require``
  584. .. code-block:: yaml
  585. httpd:
  586. pkg.installed: []
  587. service.running:
  588. - require:
  589. - pkg: httpd
  590. Using ``require_in``
  591. .. code-block:: yaml
  592. httpd:
  593. pkg.installed:
  594. - require_in:
  595. - service: httpd
  596. service.running: []
  597. The ``require_in`` statement is particularly useful when assigning a require
  598. in a separate sls file. For instance it may be common for httpd to require
  599. components used to set up PHP or mod_python, but the HTTP state does not need
  600. to be aware of the additional components that require it when it is set up:
  601. http.sls
  602. .. code-block:: yaml
  603. httpd:
  604. pkg.installed: []
  605. service.running:
  606. - require:
  607. - pkg: httpd
  608. php.sls
  609. .. code-block:: yaml
  610. include:
  611. - http
  612. php:
  613. pkg.installed:
  614. - require_in:
  615. - service: httpd
  616. mod_python.sls
  617. .. code-block:: yaml
  618. include:
  619. - http
  620. mod_python:
  621. pkg.installed:
  622. - require_in:
  623. - service: httpd
  624. Now the httpd server will only start if both php and mod_python are first verified to
  625. be installed. Thus allowing for a requisite to be defined "after the fact".
  626. .. _requisites-fire-event:
  627. Fire Event Notifications
  628. ========================
  629. .. versionadded:: 2015.8.0
  630. The `fire_event` option in a state will cause the minion to send an event to
  631. the Salt Master upon completion of that individual state.
  632. The following example will cause the minion to send an event to the Salt Master
  633. with a tag of `salt/state_result/20150505121517276431/dasalt/nano` and the
  634. result of the state will be the data field of the event. Notice that the `name`
  635. of the state gets added to the tag.
  636. .. code-block:: yaml
  637. nano_stuff:
  638. pkg.installed:
  639. - name: nano
  640. - fire_event: True
  641. In the following example instead of setting `fire_event` to `True`,
  642. `fire_event` is set to an arbitrary string, which will cause the event to be
  643. sent with this tag:
  644. `salt/state_result/20150505121725642845/dasalt/custom/tag/nano/finished`
  645. .. code-block:: yaml
  646. nano_stuff:
  647. pkg.installed:
  648. - name: nano
  649. - fire_event: custom/tag/nano/finished
  650. Altering States
  651. ===============
  652. The state altering system is used to make sure that states are evaluated exactly
  653. as the user expects. It can be used to double check that a state preformed
  654. exactly how it was expected to, or to make 100% sure that a state only runs
  655. under certain conditions. The use of unless or onlyif options help make states
  656. even more stateful. The ``check_cmd`` option helps ensure that the result of a
  657. state is evaluated correctly.
  658. Reload
  659. ------
  660. ``reload_modules`` is a boolean option that forces salt to reload its modules
  661. after a state finishes. ``reload_pillar`` and ``reload_grains`` can also be set.
  662. See :ref:`Reloading Modules <reloading-modules>`.
  663. .. code-block:: yaml
  664. grains_refresh:
  665. module.run:
  666. - name: saltutil.refresh_grains
  667. - reload_grains: true
  668. grains_read:
  669. module.run:
  670. - name: grains.items
  671. .. _unless-requisite:
  672. Unless
  673. ------
  674. .. versionadded:: 2014.7.0
  675. The ``unless`` requisite specifies that a state should only run when any of
  676. the specified commands return ``False``. The ``unless`` requisite operates
  677. as NAND and is useful in giving more granular control over when a state should
  678. execute.
  679. **NOTE**: Under the hood ``unless`` calls ``cmd.retcode`` with
  680. ``python_shell=True``. This means the commands referenced by ``unless`` will be
  681. parsed by a shell, so beware of side-effects as this shell will be run with the
  682. same privileges as the salt-minion. Also be aware that the boolean value is
  683. determined by the shell's concept of ``True`` and ``False``, rather than Python's
  684. concept of ``True`` and ``False``.
  685. .. code-block:: yaml
  686. vim:
  687. pkg.installed:
  688. - unless:
  689. - rpm -q vim-enhanced
  690. - ls /usr/bin/vim
  691. In the example above, the state will only run if either the vim-enhanced
  692. package is not installed (returns ``False``) or if /usr/bin/vim does not
  693. exist (returns ``False``). The state will run if both commands return
  694. ``False``.
  695. However, the state will not run if both commands return ``True``.
  696. Unless checks are resolved for each name to which they are associated.
  697. For example:
  698. .. code-block:: yaml
  699. deploy_app:
  700. cmd.run:
  701. - names:
  702. - first_deploy_cmd
  703. - second_deploy_cmd
  704. - unless: some_check
  705. In the above case, ``some_check`` will be run prior to _each_ name -- once for
  706. ``first_deploy_cmd`` and a second time for ``second_deploy_cmd``.
  707. .. versionchanged:: 3000
  708. The ``unless`` requisite can take a module as a dictionary field in unless.
  709. The dictionary must contain an argument ``fun`` which is the module that is
  710. being run, and everything else must be passed in under the args key or will
  711. be passed as individual kwargs to the module function.
  712. .. code-block:: yaml
  713. install apache on debian based distros:
  714. cmd.run:
  715. - name: make install
  716. - cwd: /path/to/dir/whatever-2.1.5/
  717. - unless:
  718. - fun: file.file_exists
  719. path: /usr/local/bin/whatever
  720. .. code-block:: yaml
  721. set mysql root password:
  722. debconf.set:
  723. - name: mysql-server-5.7
  724. - data:
  725. 'mysql-server/root_password': {'type': 'password', 'value': {{pillar['mysql.pass']}} }
  726. - unless:
  727. - fun: pkg.version
  728. args:
  729. - mysql-server-5.7
  730. .. _onlyif-requisite:
  731. Onlyif
  732. ------
  733. .. versionadded:: 2014.7.0
  734. The ``onlyif`` requisite specifies that if each command listed in ``onlyif``
  735. returns ``True``, then the state is run. If any of the specified commands
  736. return ``False``, the state will not run.
  737. **NOTE**: Under the hood ``onlyif`` calls ``cmd.retcode`` with
  738. ``python_shell=True``. This means the commands referenced by ``onlyif`` will be
  739. parsed by a shell, so beware of side-effects as this shell will be run with the
  740. same privileges as the salt-minion. Also be aware that the boolean value is
  741. determined by the shell's concept of ``True`` and ``False``, rather than Python's
  742. concept of ``True`` and ``False``.
  743. .. code-block:: yaml
  744. stop-volume:
  745. module.run:
  746. - name: glusterfs.stop_volume
  747. - m_name: work
  748. - onlyif:
  749. - gluster volume status work
  750. - order: 1
  751. remove-volume:
  752. module.run:
  753. - name: glusterfs.delete
  754. - m_name: work
  755. - onlyif:
  756. - gluster volume info work
  757. - watch:
  758. - cmd: stop-volume
  759. The above example ensures that the stop_volume and delete modules only run
  760. if the gluster commands return a 0 ret value.
  761. .. versionchanged:: 3000
  762. The ``onlyif`` requisite can take a module as a dictionary field in onlyif.
  763. The dictionary must contain an argument ``fun`` which is the module that is
  764. being run, and everything else must be passed in under the args key or will
  765. be passed as individual kwargs to the module function.
  766. .. code-block:: yaml
  767. install apache on redhat based distros:
  768. pkg.latest:
  769. - name: httpd
  770. - onlyif:
  771. - fun: match.grain
  772. tgt: 'os_family: RedHat'
  773. install apache on debian based distros:
  774. pkg.latest:
  775. - name: apache2
  776. - onlyif:
  777. - fun: match.grain
  778. tgt: 'os_family: Debian'
  779. .. code-block:: yaml
  780. arbitrary file example:
  781. file.touch:
  782. - name: /path/to/file
  783. - onlyif:
  784. - fun: file.search
  785. args:
  786. - /etc/crontab
  787. - 'entry1'
  788. runas
  789. ~~~~~
  790. .. versionadded:: 2014.7.0
  791. listen and its counterpart listen_in trigger mod_wait functions for states,
  792. when those states succeed and result in changes, similar to how watch its
  793. counterpart watch_in. Unlike watch and watch_in, listen, and listen_in will
  794. not modify the order of states and can be used to ensure your states are
  795. executed in the order they are defined. All listen/listen_in actions will occur
  796. at the end of a state run, after all states have completed.
  797. .. code-block:: yaml
  798. restart-apache2:
  799. service.running:
  800. - name: apache2
  801. - listen:
  802. - file: /etc/apache2/apache2.conf
  803. configure-apache2:
  804. file.managed:
  805. - name: /etc/apache2/apache2.conf
  806. - source: salt://apache2/apache2.conf
  807. This example will cause apache2 to be restarted when the apache2.conf file is
  808. changed, but the apache2 restart will happen at the end of the state run.
  809. .. code-block:: yaml
  810. restart-apache2:
  811. service.running:
  812. - name: apache2
  813. configure-apache2:
  814. file.managed:
  815. - name: /etc/apache2/apache2.conf
  816. - source: salt://apache2/apache2.conf
  817. - listen_in:
  818. - service: apache2
  819. This example does the same as the above example, but puts the state argument
  820. on the file resource, rather than the service resource.
  821. check_cmd
  822. ---------
  823. .. versionadded:: 2014.7.0
  824. Check Command is used for determining that a state did or did not run as
  825. expected.
  826. **NOTE**: Under the hood ``check_cmd`` calls ``cmd.retcode`` with
  827. ``python_shell=True``. This means the commands referenced by unless will be
  828. parsed by a shell, so beware of side-effects as this shell will be run with the
  829. same privileges as the salt-minion.
  830. .. code-block:: yaml
  831. comment-repo:
  832. file.replace:
  833. - name: /etc/yum.repos.d/fedora.repo
  834. - pattern: '^enabled=0'
  835. - repl: enabled=1
  836. - check_cmd:
  837. - "! grep 'enabled=0' /etc/yum.repos.d/fedora.repo"
  838. This will attempt to do a replace on all ``enabled=0`` in the .repo file, and
  839. replace them with ``enabled=1``. The ``check_cmd`` is just a bash command. It
  840. will do a grep for ``enabled=0`` in the file, and if it finds any, it will
  841. return a 0, which will be inverted by the leading ``!``, causing ``check_cmd``
  842. to set the state as failed. If it returns a 1, meaning it didn't find any
  843. ``enabled=0``, it will be inverted by the leading ``!``, returning a 0, and
  844. declaring the function succeeded.
  845. **NOTE**: This requisite ``check_cmd`` functions differently than the ``check_cmd``
  846. of the ``file.managed`` state.
  847. Overriding Checks
  848. -----------------
  849. There are two commands used for the above checks.
  850. ``mod_run_check`` is used to check for ``onlyif`` and ``unless``. If the goal is to
  851. override the global check for these to variables, include a ``mod_run_check`` in the
  852. salt/states/ file.
  853. ``mod_run_check_cmd`` is used to check for the check_cmd options. To override
  854. this one, include a ``mod_run_check_cmd`` in the states file for the state.
  855. Retrying States
  856. ===============
  857. .. versionadded:: 2017.7.0
  858. The retry option in a state allows it to be executed multiple times until a desired
  859. result is obtained or the maximum number of attempts have been made.
  860. The retry option can be configured by the ``attempts``, ``until``, ``interval``, and
  861. ``splay`` parameters.
  862. The ``attempts`` parameter controls the maximum number of times the state will be
  863. run. If not specified or if an invalid value is specified, ``attempts`` will default
  864. to ``2``.
  865. The ``until`` parameter defines the result that is required to stop retrying the state.
  866. If not specified or if an invalid value is specified, ``until`` will default to ``True``
  867. The ``interval`` parameter defines the amount of time, in seconds, that the system
  868. will wait between attempts. If not specified or if an invalid value is specified,
  869. ``interval`` will default to ``30``.
  870. The ``splay`` parameter allows the ``interval`` to be additionally spread out. If not
  871. specified or if an invalid value is specified, ``splay`` defaults to ``0`` (i.e. no
  872. splaying will occur).
  873. The following example will run the pkg.installed state until it returns ``True`` or it has
  874. been run ``5`` times. Each attempt will be ``60`` seconds apart and the interval will be splayed
  875. up to an additional ``10`` seconds:
  876. .. code-block:: yaml
  877. my_retried_state:
  878. pkg.installed:
  879. - name: nano
  880. - retry:
  881. attempts: 5
  882. until: True
  883. interval: 60
  884. splay: 10
  885. The following example will run the pkg.installed state with all the defaults for ``retry``.
  886. The state will run up to ``2`` times, each attempt being ``30`` seconds apart, or until it
  887. returns ``True``.
  888. .. code-block:: yaml
  889. install_nano:
  890. pkg.installed:
  891. - name: nano
  892. - retry: True
  893. The following example will run the file.exists state every ``30`` seconds up to ``15`` times
  894. or until the file exists (i.e. the state returns ``True``).
  895. .. code-block:: yaml
  896. wait_for_file:
  897. file.exists:
  898. - name: /path/to/file
  899. - retry:
  900. attempts: 15
  901. interval: 30
  902. Return data from a retried state
  903. --------------------------------
  904. When a state is retried, the returned output is as follows:
  905. The ``result`` return value is the ``result`` from the final run. For example, imagine a state set
  906. to ``retry`` up to three times or ``until`` ``True``. If the state returns ``False`` on the first run
  907. and then ``True`` on the second, the ``result`` of the state will be ``True``.
  908. The ``started`` return value is the ``started`` from the first run.
  909. The ``duration`` return value is the total duration of all attempts plus the retry intervals.
  910. The ``comment`` return value will include the result and comment from all previous attempts.
  911. For example:
  912. .. code-block:: yaml
  913. wait_for_file:
  914. file.exists:
  915. - name: /path/to/file
  916. - retry:
  917. attempts: 10
  918. interval: 2
  919. splay: 5
  920. Would return similar to the following. The state result in this case is ``False`` (file.exist was run 10
  921. times with a 2 second interval, but the file specified did not exist on any run).
  922. .. code-block:: none
  923. ID: wait_for_file
  924. Function: file.exists
  925. Result: False
  926. Comment: Attempt 1: Returned a result of "False", with the following comment: "Specified path /path/to/file does not exist"
  927. Attempt 2: Returned a result of "False", with the following comment: "Specified path /path/to/file does not exist"
  928. Attempt 3: Returned a result of "False", with the following comment: "Specified path /path/to/file does not exist"
  929. Attempt 4: Returned a result of "False", with the following comment: "Specified path /path/to/file does not exist"
  930. Attempt 5: Returned a result of "False", with the following comment: "Specified path /path/to/file does not exist"
  931. Attempt 6: Returned a result of "False", with the following comment: "Specified path /path/to/file does not exist"
  932. Attempt 7: Returned a result of "False", with the following comment: "Specified path /path/to/file does not exist"
  933. Attempt 8: Returned a result of "False", with the following comment: "Specified path /path/to/file does not exist"
  934. Attempt 9: Returned a result of "False", with the following comment: "Specified path /path/to/file does not exist"
  935. Specified path /path/to/file does not exist
  936. Started: 09:08:12.903000
  937. Duration: 47000.0 ms
  938. Changes: