faq.rst 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458
  1. .. _faq:
  2. Frequently Asked Questions
  3. ==========================
  4. .. contents:: FAQ
  5. Is Salt open-core?
  6. ------------------
  7. No. Salt is 100% committed to being open-source, including all of our APIs. It
  8. is developed under the `Apache 2.0 license`_, allowing it to be used in both
  9. open and proprietary projects.
  10. To expand on this a little:
  11. There is much argument over the actual definition of "open core". From our standpoint, Salt is open source because
  12. 1. It is a standalone product that anyone is free to use.
  13. 2. It is developed in the open with contributions accepted from the community for the good of the project.
  14. 3. There are no features of Salt itself that are restricted to separate proprietary products distributed by SaltStack, Inc.
  15. 4. Because of our Apache 2.0 license, Salt can be used as the foundation for a project or even a proprietary tool.
  16. 5. Our APIs are open and documented (any lack of documentation is an oversight as opposed to an intentional decision by SaltStack the company) and available for use by anyone.
  17. SaltStack the company does make proprietary products which use Salt and its libraries, like company is free to do, but we do so via the APIs, NOT by forking Salt and creating a different, closed-source version of it for paying customers.
  18. .. _`Apache 2.0 license`: http://www.apache.org/licenses/LICENSE-2.0.html
  19. I think I found a bug! What should I do?
  20. ----------------------------------------
  21. The salt-users mailing list as well as the salt IRC channel can both be helpful
  22. resources to confirm if others are seeing the issue and to assist with
  23. immediate debugging.
  24. To report a bug to the Salt project, please follow the instructions in
  25. :ref:`reporting a bug <reporting-bugs>`.
  26. What ports should I open on my firewall?
  27. ----------------------------------------
  28. Minions need to be able to connect to the Master on TCP ports 4505 and 4506.
  29. Minions do not need any inbound ports open. More detailed information on
  30. firewall settings can be found :ref:`here <firewall>`.
  31. I'm seeing weird behavior (including but not limited to packages not installing their users properly)
  32. -----------------------------------------------------------------------------------------------------
  33. This is often caused by SELinux. Try disabling SELinux or putting it in
  34. permissive mode and see if the weird behavior goes away.
  35. My script runs every time I run a *state.apply*. Why?
  36. -----------------------------------------------------
  37. You are probably using :mod:`cmd.run <salt.states.cmd.run>` rather than
  38. :mod:`cmd.wait <salt.states.cmd.wait>`. A :mod:`cmd.wait
  39. <salt.states.cmd.wait>` state will only run when there has been a change in a
  40. state that it is watching.
  41. A :mod:`cmd.run <salt.states.cmd.run>` state will run the corresponding command
  42. *every time* (unless it is prevented from running by the ``unless`` or ``onlyif``
  43. arguments).
  44. More details can be found in the documentation for the :mod:`cmd
  45. <salt.states.cmd>` states.
  46. When I run *test.ping*, why don't the Minions that aren't responding return anything? Returning ``False`` would be helpful.
  47. ---------------------------------------------------------------------------------------------------------------------------
  48. When you run *test.ping* the Master tells Minions to run commands/functions,
  49. and listens for the return data, printing it to the screen when it is received.
  50. If it doesn't receive anything back, it doesn't have anything to display for
  51. that Minion.
  52. There are a couple options for getting information on Minions that are not
  53. responding. One is to use the verbose (``-v``) option when you run salt
  54. commands, as it will display "Minion did not return" for any Minions which time
  55. out.
  56. .. code-block:: bash
  57. salt -v '*' pkg.install zsh
  58. Another option is to use the :mod:`manage.down <salt.runners.manage.down>`
  59. runner:
  60. .. code-block:: bash
  61. salt-run manage.down
  62. Also, if the Master is under heavy load, it is possible that the CLI will exit
  63. without displaying return data for all targeted Minions. However, this doesn't
  64. mean that the Minions did not return; this only means that the Salt CLI timed
  65. out waiting for a response. Minions will still send their return data back to
  66. the Master once the job completes. If any expected Minions are missing from the
  67. CLI output, the :mod:`jobs.list_jobs <salt.runners.jobs.list_jobs>` runner can
  68. be used to show the job IDs of the jobs that have been run, and the
  69. :mod:`jobs.lookup_jid <salt.runners.jobs.lookup_jid>` runner can be used to get
  70. the return data for that job.
  71. .. code-block:: bash
  72. salt-run jobs.list_jobs
  73. salt-run jobs.lookup_jid 20130916125524463507
  74. If you find that you are often missing Minion return data on the CLI, only to
  75. find it with the jobs runners, then this may be a sign that the
  76. :conf_master:`worker_threads` value may need to be increased in the master
  77. config file. Additionally, running your Salt CLI commands with the ``-t``
  78. option will make Salt wait longer for the return data before the CLI command
  79. exits. For instance, the below command will wait up to 60 seconds for the
  80. Minions to return:
  81. .. code-block:: bash
  82. salt -t 60 '*' test.ping
  83. How does Salt determine the Minion's id?
  84. ----------------------------------------
  85. If the Minion id is not configured explicitly (using the :conf_minion:`id`
  86. parameter), Salt will determine the id based on the hostname. Exactly how this
  87. is determined varies a little between operating systems and is described in
  88. detail :ref:`here <minion-id-generation>`.
  89. I'm trying to manage packages/services but I get an error saying that the state is not available. Why?
  90. ------------------------------------------------------------------------------------------------------
  91. Salt detects the Minion's operating system and assigns the correct package or
  92. service management module based on what is detected. However, for certain custom
  93. spins and OS derivatives this detection fails. In cases like this, an issue
  94. should be opened on our tracker_, with the following information:
  95. 1. The output of the following command:
  96. .. code-block:: bash
  97. salt <minion_id> grains.items | grep os
  98. 2. The contents of ``/etc/lsb-release``, if present on the Minion.
  99. .. _tracker: https://github.com/saltstack/salt/issues
  100. Why aren't my custom modules/states/etc. available on my Minions?
  101. -----------------------------------------------------------------
  102. Custom modules are synced to Minions when
  103. :py:func:`saltutil.sync_modules <salt.modules.saltutil.sync_modules>`,
  104. or :py:func:`saltutil.sync_all <salt.modules.saltutil.sync_all>` is run.
  105. Similarly, custom states are synced to Minions when :py:func:`saltutil.sync_states
  106. <salt.modules.saltutil.sync_states>`, or :py:func:`saltutil.sync_all
  107. <salt.modules.saltutil.sync_all>` is run.
  108. They are both also synced when a :ref:`highstate <running-highstate>` is
  109. triggered.
  110. As of the 2019.2.0 release, as well as 2017.7.7 and 2018.3.2 in their
  111. respective release cycles, the ``sync`` argument to :py:func:`state.apply
  112. <salt.modules.state.apply_>`/:py:func:`state.sls <salt.modules.state.sls>` can
  113. be used to sync custom types when running individual SLS files.
  114. Other custom types (renderers, outputters, etc.) have similar behavior, see the
  115. documentation for the :py:func:`saltutil <salt.modules.saltutil>` module for more
  116. information.
  117. :ref:`This reactor example <minion-start-reactor>` can be used to automatically
  118. sync custom types when the minion connects to the master, to help with this
  119. chicken-and-egg issue.
  120. Module ``X`` isn't available, even though the shell command it uses is installed. Why?
  121. --------------------------------------------------------------------------------------
  122. This is most likely a PATH issue. Did you custom-compile the software which the
  123. module requires? RHEL/CentOS/etc. in particular override the root user's path
  124. in ``/etc/init.d/functions``, setting it to ``/sbin:/usr/sbin:/bin:/usr/bin``,
  125. making software installed into ``/usr/local/bin`` unavailable to Salt when the
  126. Minion is started using the initscript. In version 2014.1.0, Salt will have a
  127. better solution for these sort of PATH-related issues, but recompiling the
  128. software to install it into a location within the PATH should resolve the
  129. issue in the meantime. Alternatively, you can create a symbolic link within the
  130. PATH using a :mod:`file.symlink <salt.states.file.symlink>` state.
  131. .. code-block:: yaml
  132. /usr/bin/foo:
  133. file.symlink:
  134. - target: /usr/local/bin/foo
  135. .. _which-version:
  136. Can I run different versions of Salt on my Master and Minion?
  137. -------------------------------------------------------------
  138. This depends on the versions. In general, it is recommended that Master and
  139. Minion versions match.
  140. When upgrading Salt, the master(s) should always be upgraded first. Backwards
  141. compatibility for minions running newer versions of salt than their masters is
  142. not guaranteed.
  143. Whenever possible, backwards compatibility between new masters
  144. and old minions will be preserved. Generally, the only exception to this
  145. policy is in case of a security vulnerability.
  146. Recent examples of backwards compatibility breakage include the 0.17.1 release
  147. (where all backwards compatibility was broken due to a security fix), and the
  148. 2014.1.0 release (which retained compatibility between 2014.1.0 masters and
  149. 0.17 minions, but broke compatibility for 2014.1.0 minions and older masters).
  150. Does Salt support backing up managed files?
  151. -------------------------------------------
  152. Yes. Salt provides an easy to use addition to your file.managed states that
  153. allow you to back up files via :ref:`backup_mode <file-state-backups>`,
  154. backup_mode can be configured on a per state basis, or in the minion config
  155. (note that if set in the minion config this would simply be the default
  156. method to use, you still need to specify that the file should be backed up!).
  157. Is it possible to deploy a file to a specific minion, without other minions having access to it?
  158. ------------------------------------------------------------------------------------------------
  159. The Salt fileserver does not yet support access control, but it is still
  160. possible to do this. As of Salt 2015.5.0, the
  161. :mod:`file_tree <salt.pillar.file_tree>` external pillar is available, and
  162. allows the contents of a file to be loaded as Pillar data. This external pillar
  163. is capable of assigning Pillar values both to individual minions, and to
  164. :ref:`nodegroups <targeting-nodegroups>`. See the :mod:`documentation
  165. <salt.pillar.file_tree>` for details on how to set this up.
  166. Once the external pillar has been set up, the data can be pushed to a minion
  167. via a :py:func:`file.managed <salt.states.file.managed>` state, using the
  168. ``contents_pillar`` argument:
  169. .. code-block:: yaml
  170. /etc/my_super_secret_file:
  171. file.managed:
  172. - user: secret
  173. - group: secret
  174. - mode: 600
  175. - contents_pillar: secret_files:my_super_secret_file
  176. In this example, the source file would be located in a directory called
  177. ``secret_files`` underneath the file_tree path for the minion. The syntax for
  178. specifying the pillar variable is the same one used for :py:func:`pillar.get
  179. <salt.modules.pillar.get>`, with a colon representing a nested dictionary.
  180. .. warning::
  181. Deploying binary contents using the :py:func:`file.managed
  182. <salt.states.file.managed>` state is only supported in Salt 2015.8.4 and
  183. newer.
  184. .. _faq-restart-salt-minion:
  185. What is the best way to restart a Salt Minion daemon using Salt after upgrade?
  186. ------------------------------------------------------------------------------
  187. Updating the ``salt-minion`` package requires a restart of the ``salt-minion``
  188. service. But restarting the service while in the middle of a state run
  189. interrupts the process of the Minion running states and sending results back to
  190. the Master. A common way to workaround that is to schedule restarting the
  191. Minion service in the background by issuing a ``salt-call`` command calling
  192. ``service.restart`` function. This prevents the Minion being disconnected from
  193. the Master immediately. Otherwise you would get
  194. ``Minion did not return. [Not connected]`` message as the result of a state run.
  195. Upgrade without automatic restart
  196. *********************************
  197. Doing the Minion upgrade seems to be a simplest state in your SLS file at
  198. first. But the operating systems such as Debian GNU/Linux, Ubuntu and their
  199. derivatives start the service after the package installation by default.
  200. To prevent this, we need to create policy layer which will prevent the Minion
  201. service to restart right after the upgrade:
  202. .. code-block:: jinja
  203. {%- if grains['os_family'] == 'Debian' %}
  204. Disable starting services:
  205. file.managed:
  206. - name: /usr/sbin/policy-rc.d
  207. - user: root
  208. - group: root
  209. - mode: 0755
  210. - contents:
  211. - '#!/bin/sh'
  212. - exit 101
  213. # do not touch if already exists
  214. - replace: False
  215. - prereq:
  216. - pkg: Upgrade Salt Minion
  217. {%- endif %}
  218. Upgrade Salt Minion:
  219. pkg.installed:
  220. - name: salt-minion
  221. - version: 2016.11.3{% if grains['os_family'] == 'Debian' %}+ds-1{% endif %}
  222. - order: last
  223. Enable Salt Minion:
  224. service.enabled:
  225. - name: salt-minion
  226. - require:
  227. - pkg: Upgrade Salt Minion
  228. {%- if grains['os_family'] == 'Debian' %}
  229. Enable starting services:
  230. file.absent:
  231. - name: /usr/sbin/policy-rc.d
  232. - onchanges:
  233. - pkg: Upgrade Salt Minion
  234. {%- endif %}
  235. Restart using states
  236. ********************
  237. Now we can apply the workaround to restart the Minion in reliable way.
  238. The following example works on UNIX-like operating systems:
  239. .. code-block:: jinja
  240. {%- if grains['os'] != 'Windows' %}
  241. Restart Salt Minion:
  242. cmd.run:
  243. - name: 'salt-call service.restart salt-minion'
  244. - bg: True
  245. - onchanges:
  246. - pkg: Upgrade Salt Minion
  247. {%- endif %}
  248. Note that restarting the ``salt-minion`` service on Windows operating systems is
  249. not always necessary when performing an upgrade. The installer stops the
  250. ``salt-minion`` service, removes it, deletes the contents of the ``\salt\bin``
  251. directory, installs the new code, re-creates the ``salt-minion`` service, and
  252. starts it (by default). The restart step **would** be necessary during the
  253. upgrade process, however, if the minion config was edited after the upgrade or
  254. installation. If a minion restart is necessary, the state above can be edited
  255. as follows:
  256. .. code-block:: jinja
  257. Restart Salt Minion:
  258. cmd.run:
  259. {%- if grains['kernel'] == 'Windows' %}
  260. - name: 'C:\salt\salt-call.bat service.restart salt-minion'
  261. {%- else %}
  262. - name: 'salt-call service.restart salt-minion'
  263. {%- endif %}
  264. - bg: True
  265. - onchanges:
  266. - pkg: Upgrade Salt Minion
  267. However, it requires more advanced tricks to upgrade from legacy version of
  268. Salt (before ``2016.3.0``) on UNIX-like operating systems, where executing
  269. commands in the background is not supported. You also may need to schedule
  270. restarting the Minion service using :ref:`masterless mode
  271. <masterless-quickstart>` after all other states have been applied for Salt
  272. versions earlier than ``2016.11.0``. This allows the Minion to keep the
  273. connection to the Master alive for being able to report the final results back
  274. to the Master, while the service is restarting in the background. This state
  275. should run last or watch for the ``pkg`` state changes:
  276. .. code-block:: jinja
  277. Restart Salt Minion:
  278. cmd.run:
  279. {%- if grains['kernel'] == 'Windows' %}
  280. - name: 'start powershell "Restart-Service -Name salt-minion"'
  281. {%- else %}
  282. # fork and disown the process
  283. - name: |-
  284. exec 0>&- # close stdin
  285. exec 1>&- # close stdout
  286. exec 2>&- # close stderr
  287. nohup salt-call --local service.restart salt-minion &
  288. {%- endif %}
  289. Restart using remote executions
  290. *******************************
  291. Restart the Minion from the command line:
  292. .. code-block:: bash
  293. salt -G kernel:Windows cmd.run_bg 'C:\salt\salt-call.bat service.restart salt-minion'
  294. salt -C 'not G@kernel:Windows' cmd.run_bg 'salt-call service.restart salt-minion'
  295. Salting the Salt Master
  296. -----------------------
  297. In order to configure a master server via states, the Salt master can also be
  298. "salted" in order to enforce state on the Salt master as well as the Salt
  299. minions. Salting the Salt master requires a Salt minion to be installed on
  300. the same machine as the Salt master. Once the Salt minion is installed, the
  301. minion configuration file must be pointed to the local Salt master:
  302. .. code-block:: yaml
  303. master: 127.0.0.1
  304. Once the Salt master has been "salted" with a Salt minion, it can be targeted
  305. just like any other minion. If the minion on the salted master is running, the
  306. minion can be targeted via any usual ``salt`` command. Additionally, the
  307. ``salt-call`` command can execute operations to enforce state on the salted
  308. master without requiring the minion to be running.
  309. More information about salting the Salt master can be found in the salt-formula
  310. for salt itself:
  311. https://github.com/saltstack-formulas/salt-formula
  312. Restarting the ``salt-master`` service using execution module or application of
  313. state could be done the same way as for the Salt minion described :ref:`above
  314. <faq-restart-salt-minion>`.
  315. .. _faq-grain-security:
  316. Is Targeting using Grain Data Secure?
  317. -------------------------------------
  318. Because grains can be set by users that have access to the minion configuration
  319. files on the local system, grains are considered less secure than other
  320. identifiers in Salt. Use caution when targeting sensitive operations or setting
  321. pillar values based on grain data.
  322. The only grain which can be safely used is ``grains['id']`` which contains the Minion ID.
  323. When possible, you should target sensitive operations and data using the Minion
  324. ID. If the Minion ID of a system changes, the Salt Minion's public key must be
  325. re-accepted by an administrator on the Salt Master, making it less vulnerable
  326. to impersonation attacks.
  327. Why Did the Value for a Grain Change on Its Own?
  328. ------------------------------------------------
  329. This is usually the result of an upstream change in an OS distribution that
  330. replaces or removes something that Salt was using to detect the grain.
  331. Fortunately, when this occurs, you can use Salt to fix it with a command
  332. similar to the following:
  333. .. code-block:: bash
  334. salt -G 'grain:ChangedValue' grains.setvals "{'grain': 'OldValue'}"
  335. (Replacing *grain*, *ChangedValue*, and *OldValue* with
  336. the grain and values that you want to change / set.)
  337. You should also `file an issue <https://github.com/saltstack/salt/issues>`_
  338. describing the change so it can be fixed in Salt.