1
0

top.rst 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510
  1. .. _states-top:
  2. ============
  3. The Top File
  4. ============
  5. Introduction
  6. ============
  7. Most infrastructures are made up of groups of machines, each machine in the
  8. group performing a role similar to others. Those groups of machines work
  9. in concert with each other to create an application stack.
  10. To effectively manage those groups of machines, an administrator needs to
  11. be able to create roles for those groups. For example, a group of machines
  12. that serve front-end web traffic might have roles which indicate that
  13. those machines should all have the Apache webserver package installed and
  14. that the Apache service should always be running.
  15. In Salt, the file which contains a mapping between groups of machines on a
  16. network and the configuration roles that should be applied to them is
  17. called a ``top file``.
  18. Top files are named ``top.sls`` by default and they are so-named because they
  19. always exist in the "top" of a directory hierarchy that contains state files.
  20. That directory hierarchy is called a ``state tree``.
  21. A Basic Example
  22. ===============
  23. Top files have three components:
  24. - **Environment:** A state tree directory containing a set of state files to
  25. configure systems.
  26. - **Target:** A grouping of machines which will have a set of states applied to
  27. them.
  28. - **State files:** A list of state files to apply to a target. Each state file
  29. describes one or more states to be configured and enforced on the targeted
  30. machines.
  31. The relationship between these three components is nested as follows:
  32. - Environments contain targets
  33. - Targets contain states
  34. Putting these concepts together, we can describe a scenario in which all
  35. minions with an ID that begins with ``web`` have an ``apache`` state applied
  36. to them:
  37. .. code-block:: yaml
  38. base: # Apply SLS files from the directory root for the 'base' environment
  39. 'web*': # All minions with a minion_id that begins with 'web'
  40. - apache # Apply the state file named 'apache.sls'
  41. .. _states-top-environments:
  42. Environments
  43. ============
  44. Environments are directory hierarchies which contain a top file and a set
  45. of state files.
  46. Environments can be used in many ways, however there is no requirement that
  47. they be used at all. In fact, the most common way to deploy Salt is with
  48. a single environment, called ``base``. It is recommended that users only
  49. create multiple environments if they have a use case which specifically
  50. calls for multiple versions of state trees.
  51. Getting Started with Top Files
  52. ==============================
  53. Each environment is defined inside a salt master configuration variable
  54. called, :conf_master:`file_roots` .
  55. In the most common single-environment setup, only the ``base`` environment is
  56. defined in :conf_master:`file_roots` along with only one directory path for
  57. the state tree.
  58. .. code-block:: yaml
  59. file_roots:
  60. base:
  61. - /srv/salt
  62. In the above example, the top file will only have a single environment to pull
  63. from.
  64. Next is a simple single-environment top file placed in ``/srv/salt/top.sls``,
  65. illustrating that for the environment called ``base``, all minions will have the
  66. state files named ``core.sls`` and ``edit.sls`` applied to them.
  67. .. code-block:: yaml
  68. base:
  69. '*':
  70. - core
  71. - edit
  72. Assuming the ``file_roots`` configuration from above, Salt will look in the
  73. ``/srv/salt`` directory for ``core.sls`` and ``edit.sls``.
  74. Multiple Environments
  75. =====================
  76. In some cases, teams may wish to create versioned state trees which can be
  77. used to test Salt configurations in isolated sets of systems such as a staging
  78. environment before deploying states into production.
  79. For this case, multiple environments can be used to accomplish this task.
  80. To create multiple environments, the :conf_master:`file_roots` option can be
  81. expanded:
  82. .. code-block:: yaml
  83. file_roots:
  84. dev:
  85. - /srv/salt/dev
  86. qa:
  87. - /srv/salt/qa
  88. prod:
  89. - /srv/salt/prod
  90. In the above, we declare three environments: ``dev``, ``qa`` and ``prod``.
  91. Each environment has a single directory assigned to it.
  92. Our top file references the environments:
  93. .. code-block:: yaml
  94. dev:
  95. 'webserver*':
  96. - webserver
  97. 'db*':
  98. - db
  99. qa:
  100. 'webserver*':
  101. - webserver
  102. 'db*':
  103. - db
  104. prod:
  105. 'webserver*':
  106. - webserver
  107. 'db*':
  108. - db
  109. As seen above, the top file now declares the three environments and for each,
  110. target expressions are defined to map minions to state files. For example, all
  111. minions which have an ID beginning with the string ``webserver`` will have the
  112. webserver state from the requested environment assigned to it.
  113. In this manner, a proposed change to a state could first be made in a state
  114. file in ``/srv/salt/dev`` and then be applied to development webservers before
  115. moving the state into QA by copying the state file into ``/srv/salt/qa``.
  116. Choosing an Environment to Target
  117. =================================
  118. The top file is used to assign a minion to an environment unless overridden
  119. using the methods described below. The environment in the top file must match
  120. valid fileserver environment (a.k.a. ``saltenv``) in order for any states to be
  121. applied to that minion. When using the default fileserver backend, environments
  122. are defined in :conf_master:`file_roots`.
  123. The states that will be applied to a minion in a given environment can be
  124. viewed using the :py:func:`state.show_top <salt.modules.state.show_top>`
  125. function.
  126. Minions may be pinned to a particular environment by setting the
  127. :conf_minion:`environment` value in the minion configuration file. In doing so,
  128. a minion will only request files from the environment to which it is assigned.
  129. The environment may also be dynamically selected at runtime by passing it to
  130. the ``salt``, ``salt-call`` or ``salt-ssh`` command. This is most commonly done
  131. with functions in the ``state`` module by using the ``saltenv`` argument. For
  132. example, to run a ``highstate`` on all minions, using only the top file and SLS
  133. files in the ``prod`` environment, run: ``salt '*' state.highstate
  134. saltenv=prod``.
  135. .. note::
  136. Not all functions accept ``saltenv`` as an argument, see the documentation
  137. for an individual function documentation to verify.
  138. Shorthand
  139. =========
  140. If you assign only one SLS to a system, as in this example, a shorthand is
  141. also available:
  142. .. code-block:: yaml
  143. base:
  144. '*': global
  145. dev:
  146. 'webserver*': webserver
  147. 'db*': db
  148. qa:
  149. 'webserver*': webserver
  150. 'db*': db
  151. prod:
  152. 'webserver*': webserver
  153. 'db*': db
  154. Advanced Minion Targeting
  155. =========================
  156. In the examples above, notice that all of the target expressions are globs. The
  157. default match type in top files (since version 2014.7.0) is actually the
  158. :ref:`compound matcher <targeting-compound>`, not the glob matcher as in the
  159. CLI.
  160. A single glob, when passed through the compound matcher, acts the same way as
  161. matching by glob, so in most cases the two are indistinguishable. However,
  162. there is an edge case in which a minion ID contains whitespace. While it is not
  163. recommended to include spaces in a minion ID, Salt will not stop you from doing
  164. so. However, since compound expressions are parsed word-by-word, if a minion ID
  165. contains spaces it will fail to match. In this edge case, it will be necessary
  166. to explicitly use the ``glob`` matcher:
  167. .. code-block:: yaml
  168. base:
  169. 'minion 1':
  170. - match: glob
  171. - foo
  172. .. _top-file-match-types:
  173. The available match types which can be set for a target expression in the top
  174. file are:
  175. ============ ================================================================================================================
  176. Match Type Description
  177. ============ ================================================================================================================
  178. glob Full minion ID or glob expression to match multiple minions (e.g. ``minion123`` or ``minion*``)
  179. pcre Perl-compatible regular expression (PCRE) matching a minion ID (e.g. ``web[0-3].domain.com``)
  180. grain Match a :ref:`grain <grains>`, optionally using globbing (e.g. ``kernel:Linux`` or ``kernel:*BSD``)
  181. grain_pcre Match a :ref:`grain <grains>` using PCRE (e.g. ``kernel:(Free|Open)BSD``)
  182. list Comma-separated list of minions (e.g. ``minion1,minion2,minion3``)
  183. pillar :ref:`Pillar <pillar>` match, optionally using globbing (e.g. ``role:webserver`` or ``role:web*``)
  184. pillar_pcre :ref:`Pillar <pillar>` match using PCRE (e.g. ``role:web(server|proxy)``
  185. pillar_exact :ref:`Pillar <pillar>` match with no globbing or PCRE (e.g. ``role:webserver``)
  186. ipcidr Subnet or IP address (e.g. ``172.17.0.0/16`` or ``10.2.9.80``)
  187. data Match values kept in the minion's datastore (created using the :mod:`data <salt.modules.data>` execution module)
  188. range :ref:`Range <targeting-range>` cluster
  189. compound Complex expression combining multiple match types (see :ref:`here <targeting-compound>`)
  190. nodegroup Pre-defined compound expressions in the master config file (see :ref:`here <targeting-nodegroups>`)
  191. ============ ================================================================================================================
  192. Below is a slightly more complex top file example, showing some of the above
  193. match types:
  194. .. code-block:: yaml
  195. # All files will be taken from the file path specified in the base
  196. # environment in the ``file_roots`` configuration value.
  197. base:
  198. # All minions which begin with the strings 'nag1' or any minion with
  199. # a grain set called 'role' with the value of 'monitoring' will have
  200. # the 'server.sls' state file applied from the 'nagios/' directory.
  201. 'nag1* or G@role:monitoring':
  202. - nagios.server
  203. # All minions get the following three state files applied
  204. '*':
  205. - ldap-client
  206. - networking
  207. - salt.minion
  208. # All minions which have an ID that begins with the phrase
  209. # 'salt-master' will have an SLS file applied that is named
  210. # 'master.sls' and is in the 'salt' directory, underneath
  211. # the root specified in the ``base`` environment in the
  212. # configuration value for ``file_roots``.
  213. 'salt-master*':
  214. - salt.master
  215. # Minions that have an ID matching the following regular
  216. # expression will have the state file called 'web.sls' in the
  217. # nagios/mon directory applied. Additionally, minions matching
  218. # the regular expression will also have the 'server.sls' file
  219. # in the apache/ directory applied.
  220. # NOTE!
  221. #
  222. # Take note of the 'match' directive here, which tells Salt
  223. # to treat the target string as a regex to be matched!
  224. '^(memcache|web).(qa|prod).loc$':
  225. - match: pcre
  226. - nagios.mon.web
  227. - apache.server
  228. # Minions that have a grain set indicating that they are running
  229. # the Ubuntu operating system will have the state file called
  230. # 'ubuntu.sls' in the 'repos' directory applied.
  231. #
  232. # Again take note of the 'match' directive here which tells
  233. # Salt to match against a grain instead of a minion ID.
  234. 'os:Ubuntu':
  235. - match: grain
  236. - repos.ubuntu
  237. # Minions that are either RedHat or CentOS should have the 'epel.sls'
  238. # state applied, from the 'repos/' directory.
  239. 'os:(RedHat|CentOS)':
  240. - match: grain_pcre
  241. - repos.epel
  242. # The three minions with the IDs of 'foo', 'bar' and 'baz' should
  243. # have 'database.sls' applied.
  244. 'foo,bar,baz':
  245. - match: list
  246. - database
  247. # Any minion for which the pillar key 'somekey' is set and has a value
  248. # of that key matching 'abc' will have the 'xyz.sls' state applied.
  249. 'somekey:abc':
  250. - match: pillar
  251. - xyz
  252. How Top Files Are Compiled
  253. ==========================
  254. When a :ref:`highstate <running-highstate>` is executed and an environment is
  255. specified (either using the :conf_minion:`environment` config option or by
  256. passing the saltenv when executing the :ref:`highstate <running-highstate>`),
  257. then that environment's top file is the only top file used to assign states to
  258. minions, and only states from the specified environment will be run.
  259. The remainder of this section applies to cases in which a :ref:`highstate
  260. <running-highstate>` is executed without an environment specified.
  261. With no environment specified, the minion will look for a top file in each
  262. environment, and each top file will be processed to determine the SLS files to
  263. run on the minions. By default, the top files from each environment will be
  264. merged together. In configurations with many environments, such as with
  265. :ref:`GitFS <tutorial-gitfs>` where each branch and tag is treated as a
  266. distinct environment, this may cause unexpected results as SLS files from older
  267. tags cause defunct SLS files to be included in the highstate. In cases like
  268. this, it can be helpful to set :conf_minion:`top_file_merging_strategy` to
  269. ``same`` to force each environment to use its own top file.
  270. .. code-block:: yaml
  271. top_file_merging_strategy: same
  272. Another option would be to set :conf_minion:`state_top_saltenv` to a specific
  273. environment, to ensure that any top files in other environments are
  274. disregarded:
  275. .. code-block:: yaml
  276. state_top_saltenv: base
  277. With :ref:`GitFS <tutorial-gitfs>`, it can also be helpful to simply manage
  278. each environment's top file separately, and/or manually specify the environment
  279. when executing the highstate to avoid any complicated merging scenarios.
  280. :conf_master:`gitfs_env_whitelist` and :conf_master:`gitfs_env_blacklist` can
  281. also be used to hide unneeded branches and tags from GitFS to reduce the number
  282. of top files in play.
  283. When using multiple environments, it is not necessary to create a top file for
  284. each environment. The easiest-to-maintain approach is to use a single top file
  285. placed in the ``base`` environment. This is often infeasible with :ref:`GitFS
  286. <tutorial-gitfs>` though, since branching/tagging can easily result in extra
  287. top files. However, when only the default (``roots``) fileserver backend is
  288. used, a single top file in the ``base`` environment is the most common way of
  289. configuring a :ref:`highstate <running-highstate>`.
  290. The following minion configuration options affect how top files are compiled
  291. when no environment is specified, it is recommended to follow the below four
  292. links to learn more about how these options work:
  293. - :conf_minion:`state_top_saltenv`
  294. - :conf_minion:`top_file_merging_strategy`
  295. - :conf_minion:`env_order`
  296. - :conf_minion:`default_top`
  297. Top File Compilation Examples
  298. =============================
  299. For the scenarios below, assume the following configuration:
  300. **/etc/salt/master**:
  301. .. code-block:: yaml
  302. file_roots:
  303. base:
  304. - /srv/salt/base
  305. dev:
  306. - /srv/salt/dev
  307. qa:
  308. - /srv/salt/qa
  309. **/srv/salt/base/top.sls**:
  310. .. code-block:: yaml
  311. base:
  312. '*':
  313. - base1
  314. dev:
  315. '*':
  316. - dev1
  317. qa:
  318. '*':
  319. - qa1
  320. **/srv/salt/dev/top.sls**:
  321. .. code-block:: yaml
  322. base:
  323. 'minion1':
  324. - base2
  325. dev:
  326. 'minion2':
  327. - dev2
  328. qa:
  329. '*':
  330. - qa1
  331. - qa2
  332. .. note::
  333. For the purposes of these examples, there is no top file in the ``qa``
  334. environment.
  335. Scenario 1 - ``dev`` Environment Specified
  336. ------------------------------------------
  337. In this scenario, the :ref:`highstate <running-highstate>` was either invoked
  338. with ``saltenv=dev`` or the minion has ``environment: dev`` set in the minion
  339. config file. The result will be that only the ``dev2`` SLS from the dev
  340. environment will be part of the :ref:`highstate <running-highstate>`, and it
  341. will be applied to minion2, while minion1 will have no states applied to it.
  342. If the ``base`` environment were specified, the result would be that only the
  343. ``base1`` SLS from the ``base`` environment would be part of the
  344. :ref:`highstate <running-highstate>`, and it would be applied to all minions.
  345. If the ``qa`` environment were specified, the :ref:`highstate
  346. <running-highstate>` would exit with an error.
  347. Scenario 2 - No Environment Specified, :conf_minion:`top_file_merging_strategy` is "merge"
  348. ------------------------------------------------------------------------------------------
  349. In this scenario, assuming that the ``base`` environment's top file was
  350. evaluated first, the ``base1``, ``dev1``, and ``qa1`` states would be applied
  351. to all minions. If, for instance, the ``qa`` environment is not defined in
  352. **/srv/salt/base/top.sls**, then because there is no top file for the ``qa``
  353. environment, no states from the ``qa`` environment would be applied.
  354. Scenario 3 - No Environment Specified, :conf_minion:`top_file_merging_strategy` is "same"
  355. -----------------------------------------------------------------------------------------
  356. .. versionchanged:: 2016.11.0
  357. In prior versions, "same" did not quite work as described below (see
  358. here__). This has now been corrected. It was decided that changing
  359. something like top file handling in a point release had the potential to
  360. unexpectedly impact users' top files too much, and it would be better to
  361. make this correction in a feature release.
  362. .. __: https://github.com/saltstack/salt/issues/35045
  363. In this scenario, ``base1`` from the ``base`` environment is applied to all
  364. minions. Additionally, ``dev2`` from the ``dev`` environment is applied to
  365. minion2.
  366. If :conf_minion:`default_top` is unset (or set to ``base``, which happens to be
  367. the default), then ``qa1`` from the ``qa`` environment will be applied to all
  368. minions. If :conf_minion:`default_top` were set to ``dev``, then both ``qa1``
  369. and ``qa2`` from the ``qa`` environment would be applied to all minions.
  370. Scenario 4 - No Environment Specified, :conf_minion:`top_file_merging_strategy` is "merge_all"
  371. ----------------------------------------------------------------------------------------------
  372. .. versionadded:: 2016.11.0
  373. In this scenario, all configured states in all top files are applied. From the
  374. ``base`` environment, ``base1`` would be applied to all minions, with ``base2``
  375. being applied only to ``minion1``. From the ``dev`` environment, ``dev1`` would
  376. be applied to all minions, with ``dev2`` being applied only to ``minion2``.
  377. Finally, from the ``qa`` environment, both the ``qa1`` and ``qa2`` states will
  378. be applied to all minions. Note that the ``qa1`` states would not be applied
  379. twice, even though ``qa1`` appears twice.