index.rst 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829
  1. .. _pillar:
  2. =================================
  3. Storing Static Data in the Pillar
  4. =================================
  5. Pillar is an interface for Salt designed to offer global values that can be
  6. distributed to minions. Pillar data is managed in a similar way as
  7. the Salt State Tree.
  8. Pillar was added to Salt in version 0.9.8
  9. .. note:: Storing sensitive data
  10. Pillar data is compiled on the master. Additionally, pillar data for a
  11. given minion is only accessible by the minion for which it is targeted in
  12. the pillar configuration. This makes pillar useful for storing sensitive
  13. data specific to a particular minion.
  14. Declaring the Master Pillar
  15. ===========================
  16. The Salt Master server maintains a :conf_master:`pillar_roots` setup that
  17. matches the structure of the :conf_master:`file_roots` used in the Salt file
  18. server. Like :conf_master:`file_roots`, the :conf_master:`pillar_roots` option
  19. maps environments to directories. The pillar data is then mapped to minions
  20. based on matchers in a top file which is laid out in the same way as the state
  21. top file. Salt pillars can use the same matcher types as the standard :ref:`top
  22. file <states-top>`.
  23. conf_master:`pillar_roots` is configured just like :conf_master:`file_roots`.
  24. For example:
  25. .. code-block:: yaml
  26. pillar_roots:
  27. base:
  28. - /srv/pillar
  29. This example configuration declares that the base environment will be located
  30. in the ``/srv/pillar`` directory. It must not be in a subdirectory of the
  31. state tree.
  32. The top file used matches the name of the top file used for States,
  33. and has the same structure:
  34. ``/srv/pillar/top.sls``
  35. .. code-block:: yaml
  36. base:
  37. '*':
  38. - packages
  39. In the above top file, it is declared that in the ``base`` environment, the
  40. glob matching all minions will have the pillar data found in the ``packages``
  41. pillar available to it. Assuming the ``pillar_roots`` value of ``/srv/pillar``
  42. taken from above, the ``packages`` pillar would be located at
  43. ``/srv/pillar/packages.sls``.
  44. Any number of matchers can be added to the base environment. For example, here
  45. is an expanded version of the Pillar top file stated above:
  46. /srv/pillar/top.sls:
  47. .. code-block:: yaml
  48. base:
  49. '*':
  50. - packages
  51. 'web*':
  52. - vim
  53. In this expanded top file, minions that match ``web*`` will have access to the
  54. ``/srv/pillar/packages.sls`` file, as well as the ``/srv/pillar/vim.sls`` file.
  55. Another example shows how to use other standard top matching types
  56. to deliver specific salt pillar data to minions with different properties.
  57. Here is an example using the ``grains`` matcher to target pillars to minions
  58. by their ``os`` grain:
  59. .. code-block:: yaml
  60. dev:
  61. 'os:Debian':
  62. - match: grain
  63. - servers
  64. Pillar definitions can also take a keyword argument ``ignore_missing``.
  65. When the value of ``ignore_missing`` is ``True``, all errors for missing
  66. pillar files are ignored. The default value for ``ignore_missing`` is
  67. ``False``.
  68. Here is an example using the ``ignore_missing`` keyword parameter to ignore
  69. errors for missing pillar files:
  70. .. code-block:: yaml
  71. base:
  72. '*':
  73. - servers
  74. - systems
  75. - ignore_missing: True
  76. Assuming that the pillar ``servers`` exists in the fileserver backend
  77. and the pillar ``systems`` doesn't, all pillar data from ``servers``
  78. pillar is delivered to minions and no error for the missing pillar
  79. ``systems`` is noted under the key ``_errors`` in the pillar data
  80. delivered to minions.
  81. Should the ``ignore_missing`` keyword parameter have the value ``False``,
  82. an error for the missing pillar ``systems`` would produce the value
  83. ``Specified SLS 'servers' in environment 'base' is not available on the salt master``
  84. under the key ``_errors`` in the pillar data delivered to minions.
  85. ``/srv/pillar/packages.sls``
  86. .. code-block:: jinja
  87. {% if grains['os'] == 'RedHat' %}
  88. apache: httpd
  89. git: git
  90. {% elif grains['os'] == 'Debian' %}
  91. apache: apache2
  92. git: git-core
  93. {% endif %}
  94. company: Foo Industries
  95. .. important::
  96. See :ref:`Is Targeting using Grain Data Secure? <faq-grain-security>` for
  97. important security information.
  98. The above pillar sets two key/value pairs. If a minion is running RedHat, then
  99. the ``apache`` key is set to ``httpd`` and the ``git`` key is set to the value
  100. of ``git``. If the minion is running Debian, those values are changed to
  101. ``apache2`` and ``git-core`` respectively. All minions that have this pillar
  102. targeting to them via a top file will have the key of ``company`` with a value
  103. of ``Foo Industries``.
  104. Consequently this data can be used from within modules, renderers, State SLS
  105. files, and more via the shared pillar dictionary:
  106. .. code-block:: jinja
  107. apache:
  108. pkg.installed:
  109. - name: {{ pillar['apache'] }}
  110. .. code-block:: jinja
  111. git:
  112. pkg.installed:
  113. - name: {{ pillar['git'] }}
  114. Finally, the above states can utilize the values provided to them via Pillar.
  115. All pillar values targeted to a minion are available via the 'pillar'
  116. dictionary. As seen in the above example, Jinja substitution can then be
  117. utilized to access the keys and values in the Pillar dictionary.
  118. Note that you cannot just list key/value-information in ``top.sls``. Instead,
  119. target a minion to a pillar file and then list the keys and values in the
  120. pillar. Here is an example top file that illustrates this point:
  121. .. code-block:: yaml
  122. base:
  123. '*':
  124. - common_pillar
  125. And the actual pillar file at '/srv/pillar/common_pillar.sls':
  126. .. code-block:: yaml
  127. foo: bar
  128. boo: baz
  129. .. note::
  130. When working with multiple pillar environments, assuming that each pillar
  131. environment has its own top file, the jinja placeholder ``{{ saltenv }}``
  132. can be used in place of the environment name:
  133. .. code-block:: jinja
  134. {{ saltenv }}:
  135. '*':
  136. - common_pillar
  137. Yes, this is ``{{ saltenv }}``, and not ``{{ pillarenv }}``. The reason for
  138. this is because the Pillar top files are parsed using some of the same code
  139. which parses top files when :ref:`running states <running-highstate>`, so
  140. the pillar environment takes the place of ``{{ saltenv }}`` in the jinja
  141. context.
  142. Dynamic Pillar Environments
  143. ===========================
  144. If environment ``__env__`` is specified in :conf_master:`pillar_roots`, all
  145. environments that are not explicitly specified in :conf_master:`pillar_roots`
  146. will map to the directories from ``__env__``. This allows one to use dynamic
  147. git branch based environments for state/pillar files with the same file-based
  148. pillar applying to all environments. For example:
  149. .. code-block:: yaml
  150. pillar_roots:
  151. __env__:
  152. - /srv/pillar
  153. ext_pillar:
  154. - git:
  155. - __env__ https://example.com/git-pillar.git
  156. .. versionadded:: 2017.7.5,2018.3.1
  157. Pillar Namespace Flattening
  158. ===========================
  159. The separate pillar SLS files all merge down into a single dictionary of
  160. key-value pairs. When the same key is defined in multiple SLS files, this can
  161. result in unexpected behavior if care is not taken to how the pillar SLS files
  162. are laid out.
  163. For example, given a ``top.sls`` containing the following:
  164. .. code-block:: yaml
  165. base:
  166. '*':
  167. - packages
  168. - services
  169. with ``packages.sls`` containing:
  170. .. code-block:: yaml
  171. bind: bind9
  172. and ``services.sls`` containing:
  173. .. code-block:: yaml
  174. bind: named
  175. Then a request for the ``bind`` pillar key will only return ``named``. The
  176. ``bind9`` value will be lost, because ``services.sls`` was evaluated later.
  177. .. note::
  178. Pillar files are applied in the order they are listed in the top file.
  179. Therefore conflicting keys will be overwritten in a 'last one wins' manner!
  180. For example, in the above scenario conflicting key values in ``services``
  181. will overwrite those in ``packages`` because it's at the bottom of the list.
  182. It can be better to structure your pillar files with more hierarchy. For
  183. example the ``package.sls`` file could be configured like so:
  184. .. code-block:: yaml
  185. packages:
  186. bind: bind9
  187. This would make the ``packages`` pillar key a nested dictionary containing a
  188. ``bind`` key.
  189. Pillar Dictionary Merging
  190. =========================
  191. If the same pillar key is defined in multiple pillar SLS files, and the keys in
  192. both files refer to nested dictionaries, then the content from these
  193. dictionaries will be recursively merged.
  194. For example, keeping the ``top.sls`` the same, assume the following
  195. modifications to the pillar SLS files:
  196. ``packages.sls``:
  197. .. code-block:: yaml
  198. bind:
  199. package-name: bind9
  200. version: 9.9.5
  201. ``services.sls``:
  202. .. code-block:: yaml
  203. bind:
  204. port: 53
  205. listen-on: any
  206. The resulting pillar dictionary will be:
  207. .. code-block:: bash
  208. $ salt-call pillar.get bind
  209. local:
  210. ----------
  211. listen-on:
  212. any
  213. package-name:
  214. bind9
  215. port:
  216. 53
  217. version:
  218. 9.9.5
  219. Since both pillar SLS files contained a ``bind`` key which contained a nested
  220. dictionary, the pillar dictionary's ``bind`` key contains the combined contents
  221. of both SLS files' ``bind`` keys.
  222. .. _pillar-include:
  223. Including Other Pillars
  224. =======================
  225. .. versionadded:: 0.16.0
  226. Pillar SLS files may include other pillar files, similar to State files. Two
  227. syntaxes are available for this purpose. The simple form simply includes the
  228. additional pillar as if it were part of the same file:
  229. .. code-block:: yaml
  230. include:
  231. - users
  232. The full include form allows two additional options -- passing default values
  233. to the templating engine for the included pillar file as well as an optional
  234. key under which to nest the results of the included pillar:
  235. .. code-block:: yaml
  236. include:
  237. - users:
  238. defaults:
  239. sudo: ['bob', 'paul']
  240. key: users
  241. With this form, the included file (users.sls) will be nested within the 'users'
  242. key of the compiled pillar. Additionally, the 'sudo' value will be available
  243. as a template variable to users.sls.
  244. .. _pillar-in-memory:
  245. In-Memory Pillar Data vs. On-Demand Pillar Data
  246. ===============================================
  247. Since compiling pillar data is computationally expensive, the minion will
  248. maintain a copy of the pillar data in memory to avoid needing to ask the master
  249. to recompile and send it a copy of the pillar data each time pillar data is
  250. requested. This in-memory pillar data is what is returned by the
  251. :py:func:`pillar.item <salt.modules.pillar.item>`, :py:func:`pillar.get
  252. <salt.modules.pillar.get>`, and :py:func:`pillar.raw <salt.modules.pillar.raw>`
  253. functions.
  254. Also, for those writing custom execution modules, or contributing to Salt's
  255. existing execution modules, the in-memory pillar data is available as the
  256. ``__pillar__`` dunder dictionary.
  257. The in-memory pillar data is generated on minion start, and can be refreshed
  258. using the :py:func:`saltutil.refresh_pillar
  259. <salt.modules.saltutil.refresh_pillar>` function:
  260. .. code-block:: bash
  261. salt '*' saltutil.refresh_pillar
  262. This function triggers the minion to asynchronously refresh the in-memory
  263. pillar data and will always return ``None``.
  264. In contrast to in-memory pillar data, certain actions trigger pillar data to be
  265. compiled to ensure that the most up-to-date pillar data is available. These
  266. actions include:
  267. - Running states
  268. - Running :py:func:`pillar.items <salt.modules.pillar.items>`
  269. Performing these actions will *not* refresh the in-memory pillar data. So, if
  270. pillar data is modified, and then states are run, the states will see the
  271. updated pillar data, but :py:func:`pillar.item <salt.modules.pillar.item>`,
  272. :py:func:`pillar.get <salt.modules.pillar.get>`, and :py:func:`pillar.raw
  273. <salt.modules.pillar.raw>` will not see this data unless refreshed using
  274. :py:func:`saltutil.refresh_pillar <salt.modules.saltutil.refresh_pillar>`.
  275. .. _pillar-environments:
  276. How Pillar Environments Are Handled
  277. ===================================
  278. When multiple pillar environments are used, the default behavior is for the
  279. pillar data from all environments to be merged together. The pillar dictionary
  280. will therefore contain keys from all configured environments.
  281. The :conf_minion:`pillarenv` minion config option can be used to force the
  282. minion to only consider pillar configuration from a single environment. This
  283. can be useful in cases where one needs to run states with alternate pillar
  284. data, either in a testing/QA environment or to test changes to the pillar data
  285. before pushing them live.
  286. For example, assume that the following is set in the minion config file:
  287. .. code-block:: yaml
  288. pillarenv: base
  289. This would cause that minion to ignore all other pillar environments besides
  290. ``base`` when compiling the in-memory pillar data. Then, when running states,
  291. the ``pillarenv`` CLI argument can be used to override the minion's
  292. :conf_minion:`pillarenv` config value:
  293. .. code-block:: bash
  294. salt '*' state.apply mystates pillarenv=testing
  295. The above command will run the states with pillar data sourced exclusively from
  296. the ``testing`` environment, without modifying the in-memory pillar data.
  297. .. note::
  298. When running states, the ``pillarenv`` CLI option does not require a
  299. :conf_minion:`pillarenv` option to be set in the minion config file. When
  300. :conf_minion:`pillarenv` is left unset, as mentioned above all configured
  301. environments will be combined. Running states with ``pillarenv=testing`` in
  302. this case would still restrict the states' pillar data to just that of the
  303. ``testing`` pillar environment.
  304. Starting in the 2017.7.0 release, it is possible to pin the pillarenv to the
  305. effective saltenv, using the :conf_minion:`pillarenv_from_saltenv` minion
  306. config option. When this is set to ``True``, if a specific saltenv is specified
  307. when running states, the ``pillarenv`` will be the same. This essentially makes
  308. the following two commands equivalent:
  309. .. code-block:: bash
  310. salt '*' state.apply mystates saltenv=dev
  311. salt '*' state.apply mystates saltenv=dev pillarenv=dev
  312. However, if a pillarenv is specified, it will override this behavior. So, the
  313. following command will use the ``qa`` pillar environment but source the SLS
  314. files from the ``dev`` saltenv:
  315. .. code-block:: bash
  316. salt '*' state.apply mystates saltenv=dev pillarenv=qa
  317. So, if a ``pillarenv`` is set in the minion config file,
  318. :conf_minion:`pillarenv_from_saltenv` will be ignored, and passing a
  319. ``pillarenv`` on the CLI will temporarily override
  320. :conf_minion:`pillarenv_from_saltenv`.
  321. Viewing Pillar Data
  322. ===================
  323. To view pillar data, use the :mod:`pillar <salt.modules.pillar>` execution
  324. module. This module includes several functions, each of them with their own
  325. use. These functions include:
  326. - :py:func:`pillar.item <salt.modules.pillar.item>` - Retrieves the value of
  327. one or more keys from the :ref:`in-memory pillar data <pillar-in-memory>`.
  328. - :py:func:`pillar.items <salt.modules.pillar.items>` - Compiles a fresh pillar
  329. dictionary and returns it, leaving the :ref:`in-memory pillar data
  330. <pillar-in-memory>` untouched. If pillar keys are passed to this function
  331. however, this function acts like :py:func:`pillar.item
  332. <salt.modules.pillar.item>` and returns their values from the :ref:`in-memory
  333. pillar data <pillar-in-memory>`.
  334. - :py:func:`pillar.raw <salt.modules.pillar.raw>` - Like :py:func:`pillar.items
  335. <salt.modules.pillar.items>`, it returns the entire pillar dictionary, but
  336. from the :ref:`in-memory pillar data <pillar-in-memory>` instead of compiling
  337. fresh pillar data.
  338. - :py:func:`pillar.get <salt.modules.pillar.get>` - Described in detail below.
  339. The :py:func:`pillar.get <salt.modules.pillar.get>` Function
  340. ============================================================
  341. .. versionadded:: 0.14.0
  342. The :mod:`pillar.get <salt.modules.pillar.get>` function works much in the same
  343. way as the ``get`` method in a python dict, but with an enhancement: nested
  344. dictonaries can be traversed using a colon as a delimiter.
  345. If a structure like this is in pillar:
  346. .. code-block:: yaml
  347. foo:
  348. bar:
  349. baz: qux
  350. Extracting it from the raw pillar in an sls formula or file template is done
  351. this way:
  352. .. code-block:: jinja
  353. {{ pillar['foo']['bar']['baz'] }}
  354. Now, with the new :mod:`pillar.get <salt.modules.pillar.get>` function the data
  355. can be safely gathered and a default can be set, allowing the template to fall
  356. back if the value is not available:
  357. .. code-block:: jinja
  358. {{ salt['pillar.get']('foo:bar:baz', 'qux') }}
  359. This makes handling nested structures much easier.
  360. .. note:: ``pillar.get()`` vs ``salt['pillar.get']()``
  361. It should be noted that within templating, the ``pillar`` variable is just
  362. a dictionary. This means that calling ``pillar.get()`` inside of a
  363. template will just use the default dictionary ``.get()`` function which
  364. does not include the extra ``:`` delimiter functionality. It must be
  365. called using the above syntax (``salt['pillar.get']('foo:bar:baz',
  366. 'qux')``) to get the salt function, instead of the default dictionary
  367. behavior.
  368. Setting Pillar Data at the Command Line
  369. =======================================
  370. Pillar data can be set at the command line like the following example:
  371. .. code-block:: bash
  372. salt '*' state.apply pillar='{"cheese": "spam"}'
  373. This will add a pillar key of ``cheese`` with its value set to ``spam``.
  374. .. note::
  375. Be aware that when sending sensitive data via pillar on the command-line
  376. that the publication containing that data will be received by all minions
  377. and will not be restricted to the targeted minions. This may represent
  378. a security concern in some cases.
  379. .. _pillar-encryption:
  380. Pillar Encryption
  381. =================
  382. Salt's renderer system can be used to decrypt pillar data. This allows for
  383. pillar items to be stored in an encrypted state, and decrypted during pillar
  384. compilation.
  385. Encrypted Pillar SLS
  386. --------------------
  387. .. versionadded:: 2017.7.0
  388. Consider the following pillar SLS file:
  389. .. code-block:: yaml
  390. secrets:
  391. vault:
  392. foo: |
  393. -----BEGIN PGP MESSAGE-----
  394. hQEMAw2B674HRhwSAQgAhTrN8NizwUv/VunVrqa4/X8t6EUulrnhKcSeb8sZS4th
  395. W1Qz3K2NjL4lkUHCQHKZVx/VoZY7zsddBIFvvoGGfj8+2wjkEDwFmFjGE4DEsS74
  396. ZLRFIFJC1iB/O0AiQ+oU745skQkU6OEKxqavmKMrKo3rvJ8ZCXDC470+i2/Hqrp7
  397. +KWGmaDOO422JaSKRm5D9bQZr9oX7KqnrPG9I1+UbJyQSJdsdtquPWmeIpamEVHb
  398. VMDNQRjSezZ1yKC4kCWm3YQbBF76qTHzG1VlLF5qOzuGI9VkyvlMaLfMibriqY73
  399. zBbPzf6Bkp2+Y9qyzuveYMmwS4sEOuZL/PetqisWe9JGAWD/O+slQ2KRu9hNww06
  400. KMDPJRdyj5bRuBVE4hHkkP23KrYr7SuhW2vpe7O/MvWEJ9uDNegpMLhTWruGngJh
  401. iFndxegN9w==
  402. =bAuo
  403. -----END PGP MESSAGE-----
  404. bar: this was unencrypted already
  405. baz: |
  406. -----BEGIN PGP MESSAGE-----
  407. hQEMAw2B674HRhwSAQf+Ne+IfsP2IcPDrUWct8sTJrga47jQvlPCmO+7zJjOVcqz
  408. gLjUKvMajrbI/jorBWxyAbF+5E7WdG9WHHVnuoywsyTB9rbmzuPqYCJCe+ZVyqWf
  409. 9qgJ+oUjcvYIFmH3h7H68ldqbxaAUkAOQbTRHdr253wwaTIC91ZeX0SCj64HfTg7
  410. Izwk383CRWonEktXJpientApQFSUWNeLUWagEr/YPNFA3vzpPF5/Ia9X8/z/6oO2
  411. q+D5W5mVsns3i2HHbg2A8Y+pm4TWnH6mTSh/gdxPqssi9qIrzGQ6H1tEoFFOEq1V
  412. kJBe0izlfudqMq62XswzuRB4CYT5Iqw1c97T+1RqENJCASG0Wz8AGhinTdlU5iQl
  413. JkLKqBxcBz4L70LYWyHhYwYROJWjHgKAywX5T67ftq0wi8APuZl9olnOkwSK+wrY
  414. 1OZi
  415. =7epf
  416. -----END PGP MESSAGE-----
  417. qux:
  418. - foo
  419. - bar
  420. - |
  421. -----BEGIN PGP MESSAGE-----
  422. hQEMAw2B674HRhwSAQgAg1YCmokrweoOI1c9HO0BLamWBaFPTMblOaTo0WJLZoTS
  423. ksbQ3OJAMkrkn3BnnM/djJc5C7vNs86ZfSJ+pvE8Sp1Rhtuxh25EKMqGOn/SBedI
  424. gR6N5vGUNiIpG5Tf3DuYAMNFDUqw8uY0MyDJI+ZW3o3xrMUABzTH0ew+Piz85FDA
  425. YrVgwZfqyL+9OQuu6T66jOIdwQNRX2NPFZqvon8liZUPus5VzD8E5cAL9OPxQ3sF
  426. f7/zE91YIXUTimrv3L7eCgU1dSxKhhfvA2bEUi+AskMWFXFuETYVrIhFJAKnkFmE
  427. uZx+O9R9hADW3hM5hWHKH9/CRtb0/cC84I9oCWIQPdI+AaPtICxtsD2N8Q98hhhd
  428. 4M7I0sLZhV+4ZJqzpUsOnSpaGyfh1Zy/1d3ijJi99/l+uVHuvmMllsNmgR+ZTj0=
  429. =LrCQ
  430. -----END PGP MESSAGE-----
  431. When the pillar data is compiled, the results will be decrypted:
  432. .. code-block:: bash
  433. # salt myminion pillar.items
  434. myminion:
  435. ----------
  436. secrets:
  437. ----------
  438. vault:
  439. ----------
  440. bar:
  441. this was unencrypted already
  442. baz:
  443. rosebud
  444. foo:
  445. supersecret
  446. qux:
  447. - foo
  448. - bar
  449. - baz
  450. Salt must be told what portions of the pillar data to decrypt. This is done
  451. using the :conf_master:`decrypt_pillar` config option:
  452. .. code-block:: yaml
  453. decrypt_pillar:
  454. - 'secrets:vault': gpg
  455. The notation used to specify the pillar item(s) to be decrypted is the same as
  456. the one used in :py:func:`pillar.get <salt.modules.pillar.get>` function.
  457. If a different delimiter is needed, it can be specified using the
  458. :conf_master:`decrypt_pillar_delimiter` config option:
  459. .. code-block:: yaml
  460. decrypt_pillar:
  461. - 'secrets|vault': gpg
  462. decrypt_pillar_delimiter: '|'
  463. The name of the renderer used to decrypt a given pillar item can be omitted,
  464. and if so it will fall back to the value specified by the
  465. :conf_master:`decrypt_pillar_default` config option, which defaults to ``gpg``.
  466. So, the first example above could be rewritten as:
  467. .. code-block:: yaml
  468. decrypt_pillar:
  469. - 'secrets:vault'
  470. Encrypted Pillar Data on the CLI
  471. --------------------------------
  472. .. versionadded:: 2016.3.0
  473. The following functions support passing pillar data on the CLI via the
  474. ``pillar`` argument:
  475. - :py:func:`pillar.items <salt.modules.pillar.items>`
  476. - :py:func:`state.apply <salt.modules.state.apply_>`
  477. - :py:func:`state.highstate <salt.modules.state.highstate>`
  478. - :py:func:`state.sls <salt.modules.state.sls>`
  479. Triggerring decryption of this CLI pillar data can be done in one of two ways:
  480. 1. Using the ``pillar_enc`` argument:
  481. .. code-block:: bash
  482. # salt myminion pillar.items pillar_enc=gpg pillar='{foo: "-----BEGIN PGP MESSAGE-----\n\nhQEMAw2B674HRhwSAQf+OvPqEdDoA2fk15I5dYUTDoj1yf/pVolAma6iU4v8Zixn\nRDgWsaAnFz99FEiFACsAGDEFdZaVOxG80T0Lj+PnW4pVy0OXmXHnY2KjV9zx8FLS\nQxfvmhRR4t23WSFybozfMm0lsN8r1vfBBjbK+A72l0oxN78d1rybJ6PWNZiXi+aC\nmqIeunIbAKQ21w/OvZHhxH7cnIiGQIHc7N9nQH7ibyoKQzQMSZeilSMGr2abAHun\nmLzscr4wKMb+81Z0/fdBfP6g3bLWMJga3hSzSldU9ovu7KR8rDJI1qOlENj3Wm8C\nwTpDOB33kWIKMqiAjY3JFtb5MCHrafyggwQL7cX1+tI+AbSO6kZpbcDfzetb77LZ\nxc5NWnnGK4pGoqq4MAmZshw98RpecSHKMosto2gtiuWCuo9Zn5cV/FbjZ9CTWrQ=\n=0hO/\n-----END PGP MESSAGE-----"}'
  483. The newlines in this example are specified using a literal ``\n``. Newlines
  484. can be replaced with a literal ``\n`` using ``sed``:
  485. .. code-block:: bash
  486. $ echo -n bar | gpg --armor --trust-model always --encrypt -r user@domain.tld | sed ':a;N;$!ba;s/\n/\\n/g'
  487. .. note::
  488. Using ``pillar_enc`` will perform the decryption minion-side, so for
  489. this to work it will be necessary to set up the keyring in
  490. ``/etc/salt/gpgkeys`` on the minion just as one would typically do on
  491. the master. The easiest way to do this is to first export the keys from
  492. the master:
  493. .. code-block:: bash
  494. # gpg --homedir /etc/salt/gpgkeys --export-secret-key -a user@domain.tld >/tmp/keypair.gpg
  495. Then, copy the file to the minion, setup the keyring, and import:
  496. .. code-block:: bash
  497. # mkdir -p /etc/salt/gpgkeys
  498. # chmod 0700 /etc/salt/gpgkeys
  499. # gpg --homedir /etc/salt/gpgkeys --list-keys
  500. # gpg --homedir /etc/salt/gpgkeys --import --allow-secret-key-import keypair.gpg
  501. The ``--list-keys`` command is run create a keyring in the newly-created
  502. directory.
  503. Pillar data which is decrypted minion-side will still be securely
  504. transferred to the master, since the data sent between minion and master is
  505. encrypted with the master's public key.
  506. 2. Use the :conf_master:`decrypt_pillar` option. This is less flexible in that
  507. the pillar key passed on the CLI must be pre-configured on the master, but
  508. it doesn't require a keyring to be setup on the minion. One other caveat to
  509. this method is that pillar decryption on the master happens at the end of
  510. pillar compilation, so if the encrypted pillar data being passed on the CLI
  511. needs to be referenced by pillar or ext_pillar *during pillar compilation*,
  512. it *must* be decrypted minion-side.
  513. Adding New Renderers for Decryption
  514. -----------------------------------
  515. Those looking to add new renderers for decryption should look at the :mod:`gpg
  516. <salt.renderers.gpg>` renderer for an example of how to do so. The function
  517. that performs the decryption should be recursive and be able to traverse a
  518. mutable type such as a dictionary, and modify the values in-place.
  519. Once the renderer has been written, :conf_master:`decrypt_pillar_renderers`
  520. should be modified so that Salt allows it to be used for decryption.
  521. If the renderer is being submitted upstream to the Salt project, the renderer
  522. should be added in `salt/renderers/`_. Additionally, the following should be
  523. done:
  524. - Both occurrences of :conf_master:`decrypt_pillar_renderers` in
  525. `salt/config/__init__.py`_ should be updated to include the name of the new
  526. renderer so that it is included in the default value for this config option.
  527. - The documentation for the :conf_master:`decrypt_pillar_renderers` config
  528. option in the `master config file`_ and `minion config file`_ should be
  529. updated to show the correct new default value.
  530. - The commented example for the :conf_master:`decrypt_pillar_renderers` config
  531. option in the `master config template`_ should be updated to show the correct
  532. new default value.
  533. .. _`salt/renderers/`: https://github.com/saltstack/salt/tree/develop/salt/renderers/
  534. .. _`salt/config/__init__.py`: https://github.com/saltstack/salt/tree/develop/salt/config/__init__.py
  535. .. _`master config file`: https://github.com/saltstack/salt/tree/develop/doc/ref/configuration/master.rst
  536. .. _`minion config file`: https://github.com/saltstack/salt/tree/develop/doc/ref/configuration/minion.rst
  537. .. _`master config template`: https://github.com/saltstack/salt/tree/develop/conf/master
  538. Binary Data in the Pillar
  539. =========================
  540. Salt has partial support for binary pillar data.
  541. .. note::
  542. There are some situations (such as salt-ssh) where only text (ASCII or
  543. Unicode) is allowed.
  544. The simplest way to embed binary data in your pillar is to make use of YAML's
  545. built-in binary data type, which requires base64 encoded data.
  546. .. code-block:: yaml
  547. salt_pic: !!binary
  548. iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAMAAAC67D+PAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAA
  549. Then you can use it as a ``contents_pillar`` in a state:
  550. .. code-block:: yaml
  551. /tmp/salt.png:
  552. file.managed:
  553. - contents_pillar: salt_pic
  554. It is also possible to add ASCII-armored encrypted data to pillars, as
  555. mentioned in the Pillar Encryption section.
  556. Master Config in Pillar
  557. =======================
  558. For convenience the data stored in the master configuration file can be made
  559. available in all minion's pillars. This makes global configuration of services
  560. and systems very easy but may not be desired if sensitive data is stored in the
  561. master configuration. This option is disabled by default.
  562. To enable the master config from being added to the pillar set
  563. :conf_minion:`pillar_opts` to ``True`` in the minion config file:
  564. .. code-block:: yaml
  565. pillar_opts: True
  566. Minion Config in Pillar
  567. =======================
  568. Minion configuration options can be set on pillars. Any option that you want
  569. to modify, should be in the first level of the pillars, in the same way you set
  570. the options in the config file. For example, to configure the MySQL root
  571. password to be used by MySQL Salt execution module, set the following pillar
  572. variable:
  573. .. code-block:: yaml
  574. mysql.pass: hardtoguesspassword
  575. Master Provided Pillar Error
  576. ============================
  577. By default if there is an error rendering a pillar, the detailed error is
  578. hidden and replaced with:
  579. .. code-block:: bash
  580. Rendering SLS 'my.sls' failed. Please see master log for details.
  581. The error is protected because it's possible to contain templating data
  582. which would give that minion information it shouldn't know, like a password!
  583. To have the master provide the detailed error that could potentially carry
  584. protected data set ``pillar_safe_render_error`` to ``False``:
  585. .. code-block:: yaml
  586. pillar_safe_render_error: False
  587. .. toctree::
  588. ../tutorials/pillar