master.rst 138 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429543054315432543354345435543654375438543954405441544254435444544554465447544854495450545154525453545454555456545754585459546054615462546354645465546654675468546954705471547254735474547554765477547854795480548154825483548454855486548754885489549054915492549354945495549654975498549955005501550255035504550555065507550855095510551155125513551455155516551755185519552055215522552355245525552655275528552955305531553255335534553555365537553855395540554155425543554455455546554755485549555055515552555355545555555655575558555955605561556255635564556555665567556855695570557155725573557455755576557755785579558055815582558355845585558655875588558955905591559255935594559555965597559855995600560156025603560456055606560756085609561056115612561356145615561656175618561956205621562256235624562556265627562856295630563156325633563456355636563756385639564056415642564356445645564656475648564956505651565256535654565556565657565856595660566156625663566456655666566756685669567056715672567356745675567656775678567956805681568256835684568556865687568856895690569156925693569456955696569756985699570057015702570357045705570657075708570957105711571257135714571557165717571857195720572157225723572457255726572757285729573057315732
  1. .. _configuration-salt-master:
  2. ===========================
  3. Configuring the Salt Master
  4. ===========================
  5. The Salt system is amazingly simple and easy to configure, the two components
  6. of the Salt system each have a respective configuration file. The
  7. ``salt-master`` is configured via the master configuration file, and the
  8. ``salt-minion`` is configured via the minion configuration file.
  9. .. seealso::
  10. :ref:`Example master configuration file <configuration-examples-master>`.
  11. The configuration file for the salt-master is located at ``/etc/salt/master``
  12. by default. A notable exception is FreeBSD, where the configuration file is
  13. located at ``/usr/local/etc/salt``. The available options are as follows:
  14. .. _primary-master-configuration:
  15. Primary Master Configuration
  16. ============================
  17. .. conf_master:: interface
  18. ``interface``
  19. -------------
  20. Default: ``0.0.0.0`` (all interfaces)
  21. The local interface to bind to, must be an IP address.
  22. .. code-block:: yaml
  23. interface: 192.168.0.1
  24. .. conf_master:: ipv6
  25. ``ipv6``
  26. --------
  27. Default: ``False``
  28. Whether the master should listen for IPv6 connections. If this is set to True,
  29. the interface option must be adjusted too (for example: ``interface: '::'``)
  30. .. code-block:: yaml
  31. ipv6: True
  32. .. conf_master:: publish_port
  33. ``publish_port``
  34. ----------------
  35. Default: ``4505``
  36. The network port to set up the publication interface.
  37. .. code-block:: yaml
  38. publish_port: 4505
  39. .. conf_master:: master_id
  40. ``master_id``
  41. -------------
  42. Default: ``None``
  43. The id to be passed in the publish job to minions. This is used for MultiSyndics
  44. to return the job to the requesting master.
  45. .. note::
  46. This must be the same string as the syndic is configured with.
  47. .. code-block:: yaml
  48. master_id: MasterOfMaster
  49. .. conf_master:: user
  50. ``user``
  51. --------
  52. Default: ``root``
  53. The user to run the Salt processes
  54. .. code-block:: yaml
  55. user: root
  56. .. conf_master:: ret_port
  57. ``enable_ssh_minions``
  58. ----------------------
  59. Default: ``False``
  60. Tell the master to also use salt-ssh when running commands against minions.
  61. .. code-block:: yaml
  62. enable_ssh_minions: True
  63. .. note::
  64. Cross-minion communication is still not possible. The Salt mine and
  65. publish.publish do not work between minion types.
  66. ``ret_port``
  67. ------------
  68. Default: ``4506``
  69. The port used by the return server, this is the server used by Salt to receive
  70. execution returns and command executions.
  71. .. code-block:: yaml
  72. ret_port: 4506
  73. .. conf_master:: pidfile
  74. ``pidfile``
  75. -----------
  76. Default: ``/var/run/salt-master.pid``
  77. Specify the location of the master pidfile.
  78. .. code-block:: yaml
  79. pidfile: /var/run/salt-master.pid
  80. .. conf_master:: root_dir
  81. ``root_dir``
  82. ------------
  83. Default: ``/``
  84. The system root directory to operate from, change this to make Salt run from
  85. an alternative root.
  86. .. code-block:: yaml
  87. root_dir: /
  88. .. note::
  89. This directory is prepended to the following options:
  90. :conf_master:`pki_dir`, :conf_master:`cachedir`, :conf_master:`sock_dir`,
  91. :conf_master:`log_file`, :conf_master:`autosign_file`,
  92. :conf_master:`autoreject_file`, :conf_master:`pidfile`,
  93. :conf_master:`autosign_grains_dir`.
  94. .. conf_master:: conf_file
  95. ``conf_file``
  96. -------------
  97. Default: ``/etc/salt/master``
  98. The path to the master's configuration file.
  99. .. code-block:: yaml
  100. conf_file: /etc/salt/master
  101. .. conf_master:: pki_dir
  102. ``pki_dir``
  103. -----------
  104. Default: ``/etc/salt/pki/master``
  105. The directory to store the pki authentication keys.
  106. .. code-block:: yaml
  107. pki_dir: /etc/salt/pki/master
  108. .. conf_master:: extension_modules
  109. ``extension_modules``
  110. ---------------------
  111. .. versionchanged:: 2016.3.0
  112. The default location for this directory has been moved. Prior to this
  113. version, the location was a directory named ``extmods`` in the Salt
  114. cachedir (on most platforms, ``/var/cache/salt/extmods``). It has been
  115. moved into the master cachedir (on most platforms,
  116. ``/var/cache/salt/master/extmods``).
  117. Directory for custom modules. This directory can contain subdirectories for
  118. each of Salt's module types such as ``runners``, ``output``, ``wheel``,
  119. ``modules``, ``states``, ``returners``, ``engines``, ``utils``, etc.
  120. This path is appended to :conf_master:`root_dir`.
  121. .. code-block:: yaml
  122. extension_modules: /root/salt_extmods
  123. .. conf_master:: extmod_whitelist
  124. .. conf_master:: extmod_blacklist
  125. ``extmod_whitelist/extmod_blacklist``
  126. -------------------------------------
  127. .. versionadded:: 2017.7.0
  128. By using this dictionary, the modules that are synced to the master's extmod cache using `saltutil.sync_*` can be
  129. limited. If nothing is set to a specific type, then all modules are accepted. To block all modules of a specific type,
  130. whitelist an empty list.
  131. .. code-block:: yaml
  132. extmod_whitelist:
  133. modules:
  134. - custom_module
  135. engines:
  136. - custom_engine
  137. pillars: []
  138. extmod_blacklist:
  139. modules:
  140. - specific_module
  141. Valid options:
  142. - modules
  143. - states
  144. - grains
  145. - renderers
  146. - returners
  147. - output
  148. - proxy
  149. - runners
  150. - wheel
  151. - engines
  152. - queues
  153. - pillar
  154. - utils
  155. - sdb
  156. - cache
  157. - clouds
  158. - tops
  159. - roster
  160. - tokens
  161. .. conf_master:: module_dirs
  162. ``module_dirs``
  163. ---------------
  164. Default: ``[]``
  165. Like ``extension_modules``, but a list of extra directories to search
  166. for Salt modules.
  167. .. code-block:: yaml
  168. module_dirs:
  169. - /var/cache/salt/minion/extmods
  170. .. conf_master:: cachedir
  171. ``cachedir``
  172. ------------
  173. Default: ``/var/cache/salt/master``
  174. The location used to store cache information, particularly the job information
  175. for executed salt commands.
  176. This directory may contain sensitive data and should be protected accordingly.
  177. .. code-block:: yaml
  178. cachedir: /var/cache/salt/master
  179. .. conf_master:: verify_env
  180. ``verify_env``
  181. --------------
  182. Default: ``True``
  183. Verify and set permissions on configuration directories at startup.
  184. .. code-block:: yaml
  185. verify_env: True
  186. .. conf_master:: keep_jobs
  187. ``keep_jobs``
  188. -------------
  189. Default: ``24``
  190. Set the number of hours to keep old job information. Note that setting this option
  191. to ``0`` disables the cache cleaner.
  192. .. code-block:: yaml
  193. keep_jobs: 24
  194. .. conf_master:: gather_job_timeout
  195. ``gather_job_timeout``
  196. ----------------------
  197. .. versionadded:: 2014.7.0
  198. Default: ``10``
  199. The number of seconds to wait when the client is requesting information
  200. about running jobs.
  201. .. code-block:: yaml
  202. gather_job_timeout: 10
  203. .. conf_master:: timeout
  204. ``timeout``
  205. -----------
  206. Default: ``5``
  207. Set the default timeout for the salt command and api.
  208. .. conf_master:: loop_interval
  209. ``loop_interval``
  210. -----------------
  211. Default: ``60``
  212. The loop_interval option controls the seconds for the master's maintenance
  213. process check cycle. This process updates file server backends, cleans the
  214. job cache and executes the scheduler.
  215. .. conf_master:: output
  216. ``output``
  217. ----------
  218. Default: ``nested``
  219. Set the default outputter used by the salt command.
  220. .. conf_master:: outputter_dirs
  221. ``outputter_dirs``
  222. ------------------
  223. Default: ``[]``
  224. A list of additional directories to search for salt outputters in.
  225. .. code-block:: yaml
  226. outputter_dirs: []
  227. .. conf_master:: output_file
  228. ``output_file``
  229. ---------------
  230. Default: None
  231. Set the default output file used by the salt command. Default is to output
  232. to the CLI and not to a file. Functions the same way as the "--out-file"
  233. CLI option, only sets this to a single file for all salt commands.
  234. .. code-block:: yaml
  235. output_file: /path/output/file
  236. .. conf_master:: show_timeout
  237. ``show_timeout``
  238. ----------------
  239. Default: ``True``
  240. Tell the client to show minions that have timed out.
  241. .. code-block:: yaml
  242. show_timeout: True
  243. .. conf_master:: show_jid
  244. ``show_jid``
  245. ------------
  246. Default: ``False``
  247. Tell the client to display the jid when a job is published.
  248. .. code-block:: yaml
  249. show_jid: False
  250. .. conf_master:: color
  251. ``color``
  252. ---------
  253. Default: ``True``
  254. By default output is colored, to disable colored output set the color value
  255. to False.
  256. .. code-block:: yaml
  257. color: False
  258. .. conf_master:: color_theme
  259. ``color_theme``
  260. ---------------
  261. Default: ``""``
  262. Specifies a path to the color theme to use for colored command line output.
  263. .. code-block:: yaml
  264. color_theme: /etc/salt/color_theme
  265. .. conf_master:: cli_summary
  266. ``cli_summary``
  267. ---------------
  268. Default: ``False``
  269. When set to ``True``, displays a summary of the number of minions targeted,
  270. the number of minions returned, and the number of minions that did not
  271. return.
  272. .. code-block:: yaml
  273. cli_summary: False
  274. .. conf_master:: sock_dir
  275. ``sock_dir``
  276. ------------
  277. Default: :file:`/var/run/salt/master`
  278. Set the location to use for creating Unix sockets for master process
  279. communication.
  280. .. code-block:: yaml
  281. sock_dir: /var/run/salt/master
  282. .. conf_master:: enable_gpu_grains
  283. ``enable_gpu_grains``
  284. ---------------------
  285. Default: ``False``
  286. Enable GPU hardware data for your master. Be aware that the master can
  287. take a while to start up when lspci and/or dmidecode is used to populate the
  288. grains for the master.
  289. .. code-block:: yaml
  290. enable_gpu_grains: True
  291. .. conf_master:: job_cache
  292. ``job_cache``
  293. -------------
  294. Default: ``True``
  295. The master maintains a temporary job cache. While this is a great addition, it
  296. can be a burden on the master for larger deployments (over 5000 minions).
  297. Disabling the job cache will make previously executed jobs unavailable to
  298. the jobs system and is not generally recommended. Normally it is wise to make
  299. sure the master has access to a faster IO system or a tmpfs is mounted to the
  300. jobs dir.
  301. .. code-block:: yaml
  302. job_cache: True
  303. .. note::
  304. Setting the ``job_cache`` to ``False`` will not cache minion returns, but
  305. the JID directory for each job is still created. The creation of the JID
  306. directories is necessary because Salt uses those directories to check for
  307. JID collisions. By setting this option to ``False``, the job cache
  308. directory, which is ``/var/cache/salt/master/jobs/`` by default, will be
  309. smaller, but the JID directories will still be present.
  310. Note that the :conf_master:`keep_jobs` option can be set to a lower value,
  311. such as ``1``, to limit the number of hours jobs are stored in the job
  312. cache. (The default is 24 hours.)
  313. Please see the :ref:`Managing the Job Cache <managing_the_job_cache>`
  314. documentation for more information.
  315. .. conf_master:: minion_data_cache
  316. ``minion_data_cache``
  317. ---------------------
  318. Default: ``True``
  319. The minion data cache is a cache of information about the minions stored on the
  320. master, this information is primarily the pillar, grains and mine data. The data
  321. is cached via the cache subsystem in the Master cachedir under the name of the
  322. minion or in a supported database. The data is used to predetermine what minions
  323. are expected to reply from executions.
  324. .. code-block:: yaml
  325. minion_data_cache: True
  326. .. conf_master:: cache
  327. ``cache``
  328. ---------
  329. Default: ``localfs``
  330. Cache subsystem module to use for minion data cache.
  331. .. code-block:: yaml
  332. cache: consul
  333. .. conf_master:: memcache_expire_seconds
  334. ``memcache_expire_seconds``
  335. ---------------------------
  336. Default: ``0``
  337. Memcache is an additional cache layer that keeps a limited amount of data
  338. fetched from the minion data cache for a limited period of time in memory that
  339. makes cache operations faster. It doesn't make much sense for the ``localfs``
  340. cache driver but helps for more complex drivers like ``consul``.
  341. This option sets the memcache items expiration time. By default is set to ``0``
  342. that disables the memcache.
  343. .. code-block:: yaml
  344. memcache_expire_seconds: 30
  345. .. conf_master:: memcache_max_items
  346. ``memcache_max_items``
  347. ----------------------
  348. Default: ``1024``
  349. Set memcache limit in items that are bank-key pairs. I.e the list of
  350. minion_0/data, minion_0/mine, minion_1/data contains 3 items. This value depends
  351. on the count of minions usually targeted in your environment. The best one could
  352. be found by analyzing the cache log with ``memcache_debug`` enabled.
  353. .. code-block:: yaml
  354. memcache_max_items: 1024
  355. .. conf_master:: memcache_full_cleanup
  356. ``memcache_full_cleanup``
  357. -------------------------
  358. Default: ``False``
  359. If cache storage got full, i.e. the items count exceeds the
  360. ``memcache_max_items`` value, memcache cleans up it's storage. If this option
  361. set to ``False`` memcache removes the only one oldest value from it's storage.
  362. If this set set to ``True`` memcache removes all the expired items and also
  363. removes the oldest one if there are no expired items.
  364. .. code-block:: yaml
  365. memcache_full_cleanup: True
  366. .. conf_master:: memcache_debug
  367. ``memcache_debug``
  368. ------------------
  369. Default: ``False``
  370. Enable collecting the memcache stats and log it on `debug` log level. If enabled
  371. memcache collect information about how many ``fetch`` calls has been done and
  372. how many of them has been hit by memcache. Also it outputs the rate value that
  373. is the result of division of the first two values. This should help to choose
  374. right values for the expiration time and the cache size.
  375. .. code-block:: yaml
  376. memcache_debug: True
  377. .. conf_master:: ext_job_cache
  378. ``ext_job_cache``
  379. -----------------
  380. Default: ``''``
  381. Used to specify a default returner for all minions. When this option is set,
  382. the specified returner needs to be properly configured and the minions will
  383. always default to sending returns to this returner. This will also disable the
  384. local job cache on the master.
  385. .. code-block:: yaml
  386. ext_job_cache: redis
  387. .. conf_master:: event_return
  388. ``event_return``
  389. ----------------
  390. .. versionadded:: 2015.5.0
  391. Default: ``''``
  392. Specify the returner(s) to use to log events. Each returner may have
  393. installation and configuration requirements. Read the returner's
  394. documentation.
  395. .. note::
  396. Not all returners support event returns. Verify that a returner has an
  397. ``event_return()`` function before configuring this option with a returner.
  398. .. code-block:: yaml
  399. event_return:
  400. - syslog
  401. - splunk
  402. .. conf_master:: event_return_queue
  403. ``event_return_queue``
  404. ----------------------
  405. .. versionadded:: 2015.5.0
  406. Default: ``0``
  407. On busy systems, enabling event_returns can cause a considerable load on
  408. the storage system for returners. Events can be queued on the master and
  409. stored in a batched fashion using a single transaction for multiple events.
  410. By default, events are not queued.
  411. .. code-block:: yaml
  412. event_return_queue: 0
  413. .. conf_master:: event_return_whitelist
  414. ``event_return_whitelist``
  415. --------------------------
  416. .. versionadded:: 2015.5.0
  417. Default: ``[]``
  418. Only return events matching tags in a whitelist.
  419. .. versionchanged:: 2016.11.0
  420. Supports glob matching patterns.
  421. .. code-block:: yaml
  422. event_return_whitelist:
  423. - salt/master/a_tag
  424. - salt/run/*/ret
  425. .. conf_master:: event_return_blacklist
  426. ``event_return_blacklist``
  427. --------------------------
  428. .. versionadded:: 2015.5.0
  429. Default: ``[]``
  430. Store all event returns _except_ the tags in a blacklist.
  431. .. versionchanged:: 2016.11.0
  432. Supports glob matching patterns.
  433. .. code-block:: yaml
  434. event_return_blacklist:
  435. - salt/master/not_this_tag
  436. - salt/wheel/*/ret
  437. .. conf_master:: max_event_size
  438. ``max_event_size``
  439. ------------------
  440. .. versionadded:: 2014.7.0
  441. Default: ``1048576``
  442. Passing very large events can cause the minion to consume large amounts of
  443. memory. This value tunes the maximum size of a message allowed onto the
  444. master event bus. The value is expressed in bytes.
  445. .. code-block:: yaml
  446. max_event_size: 1048576
  447. .. conf_master:: master_job_cache
  448. ``master_job_cache``
  449. --------------------
  450. .. versionadded:: 2014.7.0
  451. Default: ``local_cache``
  452. Specify the returner to use for the job cache. The job cache will only be
  453. interacted with from the salt master and therefore does not need to be
  454. accessible from the minions.
  455. .. code-block:: yaml
  456. master_job_cache: redis
  457. .. conf_master:: job_cache_store_endtime
  458. ``job_cache_store_endtime``
  459. ---------------------------
  460. .. versionadded:: 2015.8.0
  461. Default: ``False``
  462. Specify whether the Salt Master should store end times for jobs as returns
  463. come in.
  464. .. code-block:: yaml
  465. job_cache_store_endtime: False
  466. .. conf_master:: enforce_mine_cache
  467. ``enforce_mine_cache``
  468. ----------------------
  469. Default: False
  470. By-default when disabling the minion_data_cache mine will stop working since
  471. it is based on cached data, by enabling this option we explicitly enabling
  472. only the cache for the mine system.
  473. .. code-block:: yaml
  474. enforce_mine_cache: False
  475. .. conf_master:: max_minions
  476. ``max_minions``
  477. ---------------
  478. Default: 0
  479. The maximum number of minion connections allowed by the master. Use this to
  480. accommodate the number of minions per master if you have different types of
  481. hardware serving your minions. The default of ``0`` means unlimited connections.
  482. Please note that this can slow down the authentication process a bit in large
  483. setups.
  484. .. code-block:: yaml
  485. max_minions: 100
  486. ``con_cache``
  487. -------------
  488. Default: False
  489. If max_minions is used in large installations, the master might experience
  490. high-load situations because of having to check the number of connected
  491. minions for every authentication. This cache provides the minion-ids of
  492. all connected minions to all MWorker-processes and greatly improves the
  493. performance of max_minions.
  494. .. code-block:: yaml
  495. con_cache: True
  496. .. conf_master:: presence_events
  497. ``presence_events``
  498. -------------------
  499. Default: False
  500. Causes the master to periodically look for actively connected minions.
  501. :ref:`Presence events <event-master_presence>` are fired on the event bus on a
  502. regular interval with a list of connected minions, as well as events with lists
  503. of newly connected or disconnected minions. This is a master-only operation
  504. that does not send executions to minions.
  505. .. code-block:: yaml
  506. presence_events: False
  507. .. conf_master:: ping_on_rotate
  508. ``ping_on_rotate``
  509. ------------------
  510. .. versionadded:: 2014.7.0
  511. Default: ``False``
  512. By default, the master AES key rotates every 24 hours. The next command
  513. following a key rotation will trigger a key refresh from the minion which may
  514. result in minions which do not respond to the first command after a key refresh.
  515. To tell the master to ping all minions immediately after an AES key refresh,
  516. set ``ping_on_rotate`` to ``True``. This should mitigate the issue where a
  517. minion does not appear to initially respond after a key is rotated.
  518. Note that enabling this may cause high load on the master immediately after the
  519. key rotation event as minions reconnect. Consider this carefully if this salt
  520. master is managing a large number of minions.
  521. If disabled, it is recommended to handle this event by listening for the
  522. ``aes_key_rotate`` event with the ``key`` tag and acting appropriately.
  523. .. code-block:: yaml
  524. ping_on_rotate: False
  525. .. conf_master:: transport
  526. ``transport``
  527. -------------
  528. Default: ``zeromq``
  529. Changes the underlying transport layer. ZeroMQ is the recommended transport
  530. while additional transport layers are under development. Supported values are
  531. ``zeromq`` and ``tcp`` (experimental). This setting has a significant impact on
  532. performance and should not be changed unless you know what you are doing!
  533. .. code-block:: yaml
  534. transport: zeromq
  535. .. conf_master:: transport_opts
  536. ``transport_opts``
  537. ------------------
  538. Default: ``{}``
  539. (experimental) Starts multiple transports and overrides options for each
  540. transport with the provided dictionary This setting has a significant impact on
  541. performance and should not be changed unless you know what you are doing! The
  542. following example shows how to start a TCP transport alongside a ZMQ transport.
  543. .. code-block:: yaml
  544. transport_opts:
  545. tcp:
  546. publish_port: 4605
  547. ret_port: 4606
  548. zeromq: []
  549. .. conf_master:: master_stats
  550. ``master_stats``
  551. ----------------
  552. Default: False
  553. Turning on the master stats enables runtime throughput and statistics events
  554. to be fired from the master event bus. These events will report on what
  555. functions have been run on the master and how long these runs have, on
  556. average, taken over a given period of time.
  557. .. conf_master:: master_stats_event_iter
  558. ``master_stats_event_iter``
  559. ---------------------------
  560. Default: 60
  561. The time in seconds to fire master_stats events. This will only fire in
  562. conjunction with receiving a request to the master, idle masters will not
  563. fire these events.
  564. .. conf_master:: sock_pool_size
  565. ``sock_pool_size``
  566. ------------------
  567. Default: 1
  568. To avoid blocking waiting while writing a data to a socket, we support
  569. socket pool for Salt applications. For example, a job with a large number
  570. of target host list can cause long period blocking waiting. The option
  571. is used by ZMQ and TCP transports, and the other transport methods don't
  572. need the socket pool by definition. Most of Salt tools, including CLI,
  573. are enough to use a single bucket of socket pool. On the other hands,
  574. it is highly recommended to set the size of socket pool larger than 1
  575. for other Salt applications, especially Salt API, which must write data
  576. to socket concurrently.
  577. .. code-block:: yaml
  578. sock_pool_size: 15
  579. .. conf_master:: ipc_mode
  580. ``ipc_mode``
  581. ------------
  582. Default: ``ipc``
  583. The ipc strategy. (i.e., sockets versus tcp, etc.) Windows platforms lack
  584. POSIX IPC and must rely on TCP based inter-process communications. ``ipc_mode``
  585. is set to ``tcp`` by default on Windows.
  586. .. code-block:: yaml
  587. ipc_mode: ipc
  588. .. conf_master:: tcp_master_pub_port
  589. ``tcp_master_pub_port``
  590. -----------------------
  591. Default: ``4512``
  592. The TCP port on which events for the master should be published if ``ipc_mode`` is TCP.
  593. .. code-block:: yaml
  594. tcp_master_pub_port: 4512
  595. .. conf_master:: tcp_master_pull_port
  596. ``tcp_master_pull_port``
  597. ------------------------
  598. Default: ``4513``
  599. The TCP port on which events for the master should be pulled if ``ipc_mode`` is TCP.
  600. .. code-block:: yaml
  601. tcp_master_pull_port: 4513
  602. .. conf_master:: tcp_master_publish_pull
  603. ``tcp_master_publish_pull``
  604. ---------------------------
  605. Default: ``4514``
  606. The TCP port on which events for the master should be pulled fom and then republished onto
  607. the event bus on the master.
  608. .. code-block:: yaml
  609. tcp_master_publish_pull: 4514
  610. .. conf_master:: tcp_master_workers
  611. ``tcp_master_workers``
  612. ----------------------
  613. Default: ``4515``
  614. The TCP port for ``mworkers`` to connect to on the master.
  615. .. code-block:: yaml
  616. tcp_master_workers: 4515
  617. .. conf_master:: auth_events
  618. ``auth_events``
  619. --------------------
  620. .. versionadded:: 2017.7.3
  621. Default: ``True``
  622. Determines whether the master will fire authentication events.
  623. :ref:`Authentication events <event-master_auth>` are fired when
  624. a minion performs an authentication check with the master.
  625. .. code-block:: yaml
  626. auth_events: True
  627. .. conf_master:: minion_data_cache_events
  628. ``minion_data_cache_events``
  629. ----------------------------
  630. .. versionadded:: 2017.7.3
  631. Default: ``True``
  632. Determines whether the master will fire minion data cache events. Minion data
  633. cache events are fired when a minion requests a minion data cache refresh.
  634. .. code-block:: yaml
  635. minion_data_cache_events: True
  636. .. conf_master:: http_connect_timeout
  637. ``http_connect_timeout``
  638. ------------------------
  639. .. versionadded:: 2019.2.0
  640. Default: ``20``
  641. HTTP connection timeout in seconds.
  642. Applied when fetching files using tornado back-end.
  643. Should be greater than overall download time.
  644. .. code-block:: yaml
  645. http_connect_timeout: 20
  646. .. conf_master:: http_request_timeout
  647. ``http_request_timeout``
  648. ------------------------
  649. .. versionadded:: 2015.8.0
  650. Default: ``3600``
  651. HTTP request timeout in seconds.
  652. Applied when fetching files using tornado back-end.
  653. Should be greater than overall download time.
  654. .. code-block:: yaml
  655. http_request_timeout: 3600
  656. ``use_yamlloader_old``
  657. ------------------------
  658. .. versionadded:: 2019.2.1
  659. Default: ``False``
  660. Use the pre-2019.2 YAML renderer.
  661. Uses legacy YAML rendering to support some legacy inline data structures.
  662. See the :ref:`2019.2.1 release notes <release-2019-2-1>` for more details.
  663. .. code-block:: yaml
  664. use_yamlloader_old: False
  665. .. _salt-ssh-configuration:
  666. Salt-SSH Configuration
  667. ======================
  668. .. conf_master:: roster
  669. ``roster``
  670. ---------------
  671. Default: ``flat``
  672. Define the default salt-ssh roster module to use
  673. .. code-block:: yaml
  674. roster: cache
  675. .. conf_master:: roster_defaults
  676. ``roster_defaults``
  677. -------------------
  678. .. versionadded:: 2017.7.0
  679. Default settings which will be inherited by all rosters.
  680. .. code-block:: yaml
  681. roster_defaults:
  682. user: daniel
  683. sudo: True
  684. priv: /root/.ssh/id_rsa
  685. tty: True
  686. .. conf_master:: roster_file
  687. ``roster_file``
  688. ---------------
  689. Default: ``/etc/salt/roster``
  690. Pass in an alternative location for the salt-ssh :py:mod:`flat
  691. <salt.roster.flat>` roster file.
  692. .. code-block:: yaml
  693. roster_file: /root/roster
  694. .. conf_master:: rosters
  695. ``rosters``
  696. -----------
  697. Default: ``None``
  698. Define locations for :py:mod:`flat <salt.roster.flat>` roster files so they can
  699. be chosen when using Salt API. An administrator can place roster files into
  700. these locations. Then, when calling Salt API, the :conf_master:`roster_file`
  701. parameter should contain a relative path to these locations. That is,
  702. ``roster_file=/foo/roster`` will be resolved as
  703. ``/etc/salt/roster.d/foo/roster`` etc. This feature prevents passing insecure
  704. custom rosters through the Salt API.
  705. .. code-block:: yaml
  706. rosters:
  707. - /etc/salt/roster.d
  708. - /opt/salt/some/more/rosters
  709. .. conf_master:: ssh_passwd
  710. ``ssh_passwd``
  711. --------------
  712. Default: ``''``
  713. The ssh password to log in with.
  714. .. code-block:: yaml
  715. ssh_passwd: ''
  716. .. conf_master:: ssh_priv_passwd
  717. ``ssh_priv_passwd``
  718. -------------------
  719. Default: ``''``
  720. Passphrase for ssh private key file.
  721. .. code-block:: yaml
  722. ssh_priv_passwd: ''
  723. .. conf_master:: ssh_port
  724. ``ssh_port``
  725. ------------
  726. Default: ``22``
  727. The target system's ssh port number.
  728. .. code-block:: yaml
  729. ssh_port: 22
  730. .. conf_master:: ssh_scan_ports
  731. ``ssh_scan_ports``
  732. ------------------
  733. Default: ``22``
  734. Comma-separated list of ports to scan.
  735. .. code-block:: yaml
  736. ssh_scan_ports: 22
  737. .. conf_master:: ssh_scan_timeout
  738. ``ssh_scan_timeout``
  739. --------------------
  740. Default: ``0.01``
  741. Scanning socket timeout for salt-ssh.
  742. .. code-block:: yaml
  743. ssh_scan_timeout: 0.01
  744. .. conf_master:: ssh_sudo
  745. ``ssh_sudo``
  746. ------------
  747. Default: ``False``
  748. Boolean to run command via sudo.
  749. .. code-block:: yaml
  750. ssh_sudo: False
  751. .. conf_master:: ssh_timeout
  752. ``ssh_timeout``
  753. ---------------
  754. Default: ``60``
  755. Number of seconds to wait for a response when establishing an SSH connection.
  756. .. code-block:: yaml
  757. ssh_timeout: 60
  758. .. conf_master:: ssh_user
  759. ``ssh_user``
  760. ------------
  761. Default: ``root``
  762. The user to log in as.
  763. .. code-block:: yaml
  764. ssh_user: root
  765. .. conf_master:: ssh_log_file
  766. ``ssh_log_file``
  767. ----------------
  768. .. versionadded:: 2016.3.5
  769. Default: ``/var/log/salt/ssh``
  770. Specify the log file of the ``salt-ssh`` command.
  771. .. code-block:: yaml
  772. ssh_log_file: /var/log/salt/ssh
  773. .. conf_master:: ssh_minion_opts
  774. ``ssh_minion_opts``
  775. -------------------
  776. Default: None
  777. Pass in minion option overrides that will be inserted into the SHIM for
  778. salt-ssh calls. The local minion config is not used for salt-ssh. Can be
  779. overridden on a per-minion basis in the roster (``minion_opts``)
  780. .. code-block:: yaml
  781. ssh_minion_opts:
  782. gpg_keydir: /root/gpg
  783. .. conf_master:: ssh_use_home_key
  784. ``ssh_use_home_key``
  785. --------------------
  786. Default: False
  787. Set this to True to default to using ``~/.ssh/id_rsa`` for salt-ssh
  788. authentication with minions
  789. .. code-block:: yaml
  790. ssh_use_home_key: False
  791. .. conf_master:: ssh_identities_only
  792. ``ssh_identities_only``
  793. -----------------------
  794. Default: ``False``
  795. Set this to ``True`` to default salt-ssh to run with ``-o IdentitiesOnly=yes``. This
  796. option is intended for situations where the ssh-agent offers many different identities
  797. and allows ssh to ignore those identities and use the only one specified in options.
  798. .. code-block:: yaml
  799. ssh_identities_only: False
  800. .. conf_master:: ssh_list_nodegroups
  801. ``ssh_list_nodegroups``
  802. -----------------------
  803. Default: ``{}``
  804. List-only nodegroups for salt-ssh. Each group must be formed as either a comma-separated
  805. list, or a YAML list. This option is useful to group minions into easy-to-target groups
  806. when using salt-ssh. These groups can then be targeted with the normal -N argument to
  807. salt-ssh.
  808. .. code-block:: yaml
  809. ssh_list_nodegroups:
  810. groupA: minion1,minion2
  811. groupB: minion1,minion3
  812. .. conf_master:: thin_extra_mods
  813. ``thin_extra_mods``
  814. -------------------
  815. Default: None
  816. List of additional modules, needed to be included into the Salt Thin.
  817. Pass a list of importable Python modules that are typically located in
  818. the `site-packages` Python directory so they will be also always included
  819. into the Salt Thin, once generated.
  820. ``min_extra_mods``
  821. ------------------
  822. Default: None
  823. Identical as `thin_extra_mods`, only applied to the Salt Minimal.
  824. .. _master-security-settings:
  825. Master Security Settings
  826. ========================
  827. .. conf_master:: open_mode
  828. ``open_mode``
  829. -------------
  830. Default: ``False``
  831. Open mode is a dangerous security feature. One problem encountered with pki
  832. authentication systems is that keys can become "mixed up" and authentication
  833. begins to fail. Open mode turns off authentication and tells the master to
  834. accept all authentication. This will clean up the pki keys received from the
  835. minions. Open mode should not be turned on for general use. Open mode should
  836. only be used for a short period of time to clean up pki keys. To turn on open
  837. mode set this value to ``True``.
  838. .. code-block:: yaml
  839. open_mode: False
  840. .. conf_master:: auto_accept
  841. ``auto_accept``
  842. ---------------
  843. Default: ``False``
  844. Enable auto_accept. This setting will automatically accept all incoming
  845. public keys from minions.
  846. .. code-block:: yaml
  847. auto_accept: False
  848. .. conf_master:: keysize
  849. ``keysize``
  850. -----------
  851. Default: ``2048``
  852. The size of key that should be generated when creating new keys.
  853. .. code-block:: yaml
  854. keysize: 2048
  855. .. conf_master:: autosign_timeout
  856. ``autosign_timeout``
  857. --------------------
  858. .. versionadded:: 2014.7.0
  859. Default: ``120``
  860. Time in minutes that a incoming public key with a matching name found in
  861. pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
  862. are removed when the master checks the minion_autosign directory. This method
  863. to auto accept minions can be safer than an autosign_file because the
  864. keyid record can expire and is limited to being an exact name match.
  865. This should still be considered a less than secure option, due to the fact
  866. that trust is based on just the requesting minion id.
  867. .. conf_master:: autosign_file
  868. ``autosign_file``
  869. -----------------
  870. Default: ``not defined``
  871. If the ``autosign_file`` is specified incoming keys specified in the autosign_file
  872. will be automatically accepted. Matches will be searched for first by string
  873. comparison, then by globbing, then by full-string regex matching.
  874. This should still be considered a less than secure option, due to the fact
  875. that trust is based on just the requesting minion id.
  876. .. versionchanged:: 2018.3.0
  877. For security reasons the file must be readonly except for it's owner.
  878. If :conf_master:`permissive_pki_access` is ``True`` the owning group can also
  879. have write access, but if Salt is running as ``root`` it must be a member of that group.
  880. A less strict requirement also existed in previous version.
  881. .. conf_master:: autoreject_file
  882. ``autoreject_file``
  883. -------------------
  884. .. versionadded:: 2014.1.0
  885. Default: ``not defined``
  886. Works like :conf_master:`autosign_file`, but instead allows you to specify
  887. minion IDs for which keys will automatically be rejected. Will override both
  888. membership in the :conf_master:`autosign_file` and the
  889. :conf_master:`auto_accept` setting.
  890. .. conf_master:: autosign_grains_dir
  891. ``autosign_grains_dir``
  892. -----------------------
  893. .. versionadded:: 2018.3.0
  894. Default: ``not defined``
  895. If the ``autosign_grains_dir`` is specified, incoming keys from minions with
  896. grain values that match those defined in files in the autosign_grains_dir
  897. will be accepted automatically. Grain values that should be accepted automatically
  898. can be defined by creating a file named like the corresponding grain in the
  899. autosign_grains_dir and writing the values into that file, one value per line.
  900. Lines starting with a ``#`` will be ignored.
  901. Minion must be configured to send the corresponding grains on authentication.
  902. This should still be considered a less than secure option, due to the fact
  903. that trust is based on just the requesting minion.
  904. Please see the :ref:`Autoaccept Minions from Grains <tutorial-autoaccept-grains>`
  905. documentation for more information.
  906. .. code-block:: yaml
  907. autosign_grains_dir: /etc/salt/autosign_grains
  908. .. conf_master:: permissive_pki_access
  909. ``permissive_pki_access``
  910. -------------------------
  911. Default: ``False``
  912. Enable permissive access to the salt keys. This allows you to run the
  913. master or minion as root, but have a non-root group be given access to
  914. your pki_dir. To make the access explicit, root must belong to the group
  915. you've given access to. This is potentially quite insecure. If an autosign_file
  916. is specified, enabling permissive_pki_access will allow group access to that
  917. specific file.
  918. .. code-block:: yaml
  919. permissive_pki_access: False
  920. .. conf_master:: publisher_acl
  921. ``publisher_acl``
  922. -----------------
  923. Default: ``{}``
  924. Enable user accounts on the master to execute specific modules. These modules
  925. can be expressed as regular expressions.
  926. .. code-block:: yaml
  927. publisher_acl:
  928. fred:
  929. - test.ping
  930. - pkg.*
  931. .. conf_master:: publisher_acl_blacklist
  932. ``publisher_acl_blacklist``
  933. ---------------------------
  934. Default: ``{}``
  935. Blacklist users or modules
  936. This example would blacklist all non sudo users, including root from
  937. running any commands. It would also blacklist any use of the "cmd"
  938. module.
  939. This is completely disabled by default.
  940. .. code-block:: yaml
  941. publisher_acl_blacklist:
  942. users:
  943. - root
  944. - '^(?!sudo_).*$' # all non sudo users
  945. modules:
  946. - cmd.*
  947. - test.echo
  948. .. conf_master:: sudo_acl
  949. ``sudo_acl``
  950. ------------
  951. Default: ``False``
  952. Enforce ``publisher_acl`` and ``publisher_acl_blacklist`` when users have sudo
  953. access to the salt command.
  954. .. code-block:: yaml
  955. sudo_acl: False
  956. .. conf_master:: external_auth
  957. ``external_auth``
  958. -----------------
  959. Default: ``{}``
  960. The external auth system uses the Salt auth modules to authenticate and
  961. validate users to access areas of the Salt system.
  962. .. code-block:: yaml
  963. external_auth:
  964. pam:
  965. fred:
  966. - test.*
  967. .. conf_master:: token_expire
  968. ``token_expire``
  969. ----------------
  970. Default: ``43200``
  971. Time (in seconds) for a newly generated token to live.
  972. Default: 12 hours
  973. .. code-block:: yaml
  974. token_expire: 43200
  975. .. conf_master:: token_expire_user_override
  976. ``token_expire_user_override``
  977. ------------------------------
  978. Default: ``False``
  979. Allow eauth users to specify the expiry time of the tokens they generate.
  980. A boolean applies to all users or a dictionary of whitelisted eauth backends
  981. and usernames may be given:
  982. .. code-block:: yaml
  983. token_expire_user_override:
  984. pam:
  985. - fred
  986. - tom
  987. ldap:
  988. - gary
  989. .. conf_master:: keep_acl_in_token
  990. ``keep_acl_in_token``
  991. ---------------------
  992. Default: ``False``
  993. Set to True to enable keeping the calculated user's auth list in the token
  994. file. This is disabled by default and the auth list is calculated or requested
  995. from the eauth driver each time.
  996. .. code-block:: yaml
  997. keep_acl_in_token: False
  998. .. conf_master:: eauth_acl_module
  999. ``eauth_acl_module``
  1000. --------------------
  1001. Default: ``''``
  1002. Auth subsystem module to use to get authorized access list for a user. By default it's
  1003. the same module used for external authentication.
  1004. .. code-block:: yaml
  1005. eauth_acl_module: django
  1006. .. conf_master:: file_recv
  1007. ``file_recv``
  1008. -------------
  1009. Default: ``False``
  1010. Allow minions to push files to the master. This is disabled by default, for
  1011. security purposes.
  1012. .. code-block:: yaml
  1013. file_recv: False
  1014. .. conf_master:: file_recv_max_size
  1015. ``file_recv_max_size``
  1016. ----------------------
  1017. .. versionadded:: 2014.7.0
  1018. Default: ``100``
  1019. Set a hard-limit on the size of the files that can be pushed to the master.
  1020. It will be interpreted as megabytes.
  1021. .. code-block:: yaml
  1022. file_recv_max_size: 100
  1023. .. conf_master:: master_sign_pubkey
  1024. ``master_sign_pubkey``
  1025. ----------------------
  1026. Default: ``False``
  1027. Sign the master auth-replies with a cryptographic signature of the master's
  1028. public key. Please see the tutorial how to use these settings in the
  1029. `Multimaster-PKI with Failover Tutorial <http://docs.saltstack.com/en/latest/topics/tutorials/multimaster_pki.html>`_
  1030. .. code-block:: yaml
  1031. master_sign_pubkey: True
  1032. .. conf_master:: master_sign_key_name
  1033. ``master_sign_key_name``
  1034. ------------------------
  1035. Default: ``master_sign``
  1036. The customizable name of the signing-key-pair without suffix.
  1037. .. code-block:: yaml
  1038. master_sign_key_name: <filename_without_suffix>
  1039. .. conf_master:: master_pubkey_signature
  1040. ``master_pubkey_signature``
  1041. ---------------------------
  1042. Default: ``master_pubkey_signature``
  1043. The name of the file in the master's pki-directory that holds the pre-calculated
  1044. signature of the master's public-key.
  1045. .. code-block:: yaml
  1046. master_pubkey_signature: <filename>
  1047. .. conf_master:: master_use_pubkey_signature
  1048. ``master_use_pubkey_signature``
  1049. -------------------------------
  1050. Default: ``False``
  1051. Instead of computing the signature for each auth-reply, use a pre-calculated
  1052. signature. The :conf_master:`master_pubkey_signature` must also be set for this.
  1053. .. code-block:: yaml
  1054. master_use_pubkey_signature: True
  1055. .. conf_master:: rotate_aes_key
  1056. ``rotate_aes_key``
  1057. ------------------
  1058. Default: ``True``
  1059. Rotate the salt-masters AES-key when a minion-public is deleted with salt-key.
  1060. This is a very important security-setting. Disabling it will enable deleted
  1061. minions to still listen in on the messages published by the salt-master.
  1062. Do not disable this unless it is absolutely clear what this does.
  1063. .. code-block:: yaml
  1064. rotate_aes_key: True
  1065. .. conf_master:: publish_session
  1066. ``publish_session``
  1067. -------------------
  1068. Default: ``86400``
  1069. The number of seconds between AES key rotations on the master.
  1070. .. code-block:: yaml
  1071. publish_session: Default: 86400
  1072. .. conf_master:: ssl
  1073. ``ssl``
  1074. -------
  1075. .. versionadded:: 2016.11.0
  1076. Default: ``None``
  1077. TLS/SSL connection options. This could be set to a dictionary containing
  1078. arguments corresponding to python ``ssl.wrap_socket`` method. For details see
  1079. `Tornado <http://www.tornadoweb.org/en/stable/tcpserver.html#tornado.tcpserver.TCPServer>`_
  1080. and `Python <http://docs.python.org/2/library/ssl.html#ssl.wrap_socket>`_
  1081. documentation.
  1082. Note: to set enum arguments values like ``cert_reqs`` and ``ssl_version`` use
  1083. constant names without ssl module prefix: ``CERT_REQUIRED`` or ``PROTOCOL_SSLv23``.
  1084. .. code-block:: yaml
  1085. ssl:
  1086. keyfile: <path_to_keyfile>
  1087. certfile: <path_to_certfile>
  1088. ssl_version: PROTOCOL_TLSv1_2
  1089. .. conf_master:: preserve_minion_cache
  1090. ``preserve_minion_cache``
  1091. -------------------------
  1092. Default: ``False``
  1093. By default, the master deletes its cache of minion data when the key for that
  1094. minion is removed. To preserve the cache after key deletion, set
  1095. ``preserve_minion_cache`` to True.
  1096. WARNING: This may have security implications if compromised minions auth with
  1097. a previous deleted minion ID.
  1098. .. code-block:: yaml
  1099. preserve_minion_cache: False
  1100. .. conf_master:: allow_minion_key_revoke
  1101. ``allow_minion_key_revoke``
  1102. ---------------------------
  1103. Default: ``True``
  1104. Controls whether a minion can request its own key revocation. When True
  1105. the master will honor the minion's request and revoke its key. When False,
  1106. the master will drop the request and the minion's key will remain accepted.
  1107. .. code-block:: yaml
  1108. allow_minion_key_revoke: False
  1109. .. conf_master:: optimization_order
  1110. ``optimization_order``
  1111. ----------------------
  1112. Default: ``[0, 1, 2]``
  1113. In cases where Salt is distributed without .py files, this option determines
  1114. the priority of optimization level(s) Salt's module loader should prefer.
  1115. .. note::
  1116. This option is only supported on Python 3.5+.
  1117. .. code-block:: yaml
  1118. optimization_order:
  1119. - 2
  1120. - 0
  1121. - 1
  1122. Master Large Scale Tuning Settings
  1123. ==================================
  1124. .. conf_master:: max_open_files
  1125. ``max_open_files``
  1126. ------------------
  1127. Default: ``100000``
  1128. Each minion connecting to the master uses AT LEAST one file descriptor, the
  1129. master subscription connection. If enough minions connect you might start
  1130. seeing on the console(and then salt-master crashes):
  1131. .. code-block:: bash
  1132. Too many open files (tcp_listener.cpp:335)
  1133. Aborted (core dumped)
  1134. .. code-block:: yaml
  1135. max_open_files: 100000
  1136. By default this value will be the one of `ulimit -Hn`, i.e., the hard limit for
  1137. max open files.
  1138. To set a different value than the default one, uncomment, and configure this
  1139. setting. Remember that this value CANNOT be higher than the hard limit. Raising
  1140. the hard limit depends on the OS and/or distribution, a good way to find the
  1141. limit is to search the internet for something like this:
  1142. .. code-block:: text
  1143. raise max open files hard limit debian
  1144. .. conf_master:: worker_threads
  1145. ``worker_threads``
  1146. ------------------
  1147. Default: ``5``
  1148. The number of threads to start for receiving commands and replies from minions.
  1149. If minions are stalling on replies because you have many minions, raise the
  1150. worker_threads value.
  1151. Worker threads should not be put below 3 when using the peer system, but can
  1152. drop down to 1 worker otherwise.
  1153. .. note::
  1154. When the master daemon starts, it is expected behaviour to see
  1155. multiple salt-master processes, even if 'worker_threads' is set to '1'. At
  1156. a minimum, a controlling process will start along with a Publisher, an
  1157. EventPublisher, and a number of MWorker processes will be started. The
  1158. number of MWorker processes is tuneable by the 'worker_threads'
  1159. configuration value while the others are not.
  1160. .. code-block:: yaml
  1161. worker_threads: 5
  1162. .. conf_master:: pub_hwm
  1163. ``pub_hwm``
  1164. -----------
  1165. Default: ``1000``
  1166. The zeromq high water mark on the publisher interface.
  1167. .. code-block:: yaml
  1168. pub_hwm: 1000
  1169. .. conf_master:: zmq_backlog
  1170. ``zmq_backlog``
  1171. ---------------
  1172. Default: ``1000``
  1173. The listen queue size of the ZeroMQ backlog.
  1174. .. code-block:: yaml
  1175. zmq_backlog: 1000
  1176. .. _master-module-management:
  1177. Master Module Management
  1178. ========================
  1179. .. conf_master:: runner_dirs
  1180. ``runner_dirs``
  1181. ---------------
  1182. Default: ``[]``
  1183. Set additional directories to search for runner modules.
  1184. .. code-block:: yaml
  1185. runner_dirs:
  1186. - /var/lib/salt/runners
  1187. .. conf_master:: utils_dirs
  1188. ``utils_dirs``
  1189. ---------------
  1190. .. versionadded:: 2018.3.0
  1191. Default: ``[]``
  1192. Set additional directories to search for util modules.
  1193. .. code-block:: yaml
  1194. utils_dirs:
  1195. - /var/lib/salt/utils
  1196. .. conf_master:: cython_enable
  1197. ``cython_enable``
  1198. -----------------
  1199. Default: ``False``
  1200. Set to true to enable Cython modules (.pyx files) to be compiled on the fly on
  1201. the Salt master.
  1202. .. code-block:: yaml
  1203. cython_enable: False
  1204. .. _master-state-system-settings:
  1205. Master State System Settings
  1206. ============================
  1207. .. conf_master:: state_top
  1208. ``state_top``
  1209. -------------
  1210. Default: ``top.sls``
  1211. The state system uses a "top" file to tell the minions what environment to
  1212. use and what modules to use. The state_top file is defined relative to the
  1213. root of the base environment. The value of "state_top" is also used for the
  1214. pillar top file
  1215. .. code-block:: yaml
  1216. state_top: top.sls
  1217. .. conf_master:: state_top_saltenv
  1218. ``state_top_saltenv``
  1219. ---------------------
  1220. This option has no default value. Set it to an environment name to ensure that
  1221. *only* the top file from that environment is considered during a
  1222. :ref:`highstate <running-highstate>`.
  1223. .. note::
  1224. Using this value does not change the merging strategy. For instance, if
  1225. :conf_master:`top_file_merging_strategy` is set to ``merge``, and
  1226. :conf_master:`state_top_saltenv` is set to ``foo``, then any sections for
  1227. environments other than ``foo`` in the top file for the ``foo`` environment
  1228. will be ignored. With :conf_master:`state_top_saltenv` set to ``base``, all
  1229. states from all environments in the ``base`` top file will be applied,
  1230. while all other top files are ignored. The only way to set
  1231. :conf_master:`state_top_saltenv` to something other than ``base`` and not
  1232. have the other environments in the targeted top file ignored, would be to
  1233. set :conf_master:`top_file_merging_strategy` to ``merge_all``.
  1234. .. code-block:: yaml
  1235. state_top_saltenv: dev
  1236. .. conf_master:: top_file_merging_strategy
  1237. ``top_file_merging_strategy``
  1238. -----------------------------
  1239. .. versionchanged:: 2016.11.0
  1240. A ``merge_all`` strategy has been added.
  1241. Default: ``merge``
  1242. When no specific fileserver environment (a.k.a. ``saltenv``) has been specified
  1243. for a :ref:`highstate <running-highstate>`, all environments' top files are
  1244. inspected. This config option determines how the SLS targets in those top files
  1245. are handled.
  1246. When set to ``merge``, the ``base`` environment's top file is evaluated first,
  1247. followed by the other environments' top files. The first target expression
  1248. (e.g. ``'*'``) for a given environment is kept, and when the same target
  1249. expression is used in a different top file evaluated later, it is ignored.
  1250. Because ``base`` is evaluated first, it is authoritative. For example, if there
  1251. is a target for ``'*'`` for the ``foo`` environment in both the ``base`` and
  1252. ``foo`` environment's top files, the one in the ``foo`` environment would be
  1253. ignored. The environments will be evaluated in no specific order (aside from
  1254. ``base`` coming first). For greater control over the order in which the
  1255. environments are evaluated, use :conf_master:`env_order`. Note that, aside from
  1256. the ``base`` environment's top file, any sections in top files that do not
  1257. match that top file's environment will be ignored. So, for example, a section
  1258. for the ``qa`` environment would be ignored if it appears in the ``dev``
  1259. environment's top file. To keep use cases like this from being ignored, use the
  1260. ``merge_all`` strategy.
  1261. When set to ``same``, then for each environment, only that environment's top
  1262. file is processed, with the others being ignored. For example, only the ``dev``
  1263. environment's top file will be processed for the ``dev`` environment, and any
  1264. SLS targets defined for ``dev`` in the ``base`` environment's (or any other
  1265. environment's) top file will be ignored. If an environment does not have a top
  1266. file, then the top file from the :conf_master:`default_top` config parameter
  1267. will be used as a fallback.
  1268. When set to ``merge_all``, then all states in all environments in all top files
  1269. will be applied. The order in which individual SLS files will be executed will
  1270. depend on the order in which the top files were evaluated, and the environments
  1271. will be evaluated in no specific order. For greater control over the order in
  1272. which the environments are evaluated, use :conf_master:`env_order`.
  1273. .. code-block:: yaml
  1274. top_file_merging_strategy: same
  1275. .. conf_master:: env_order
  1276. ``env_order``
  1277. -------------
  1278. Default: ``[]``
  1279. When :conf_master:`top_file_merging_strategy` is set to ``merge``, and no
  1280. environment is specified for a :ref:`highstate <running-highstate>`, this
  1281. config option allows for the order in which top files are evaluated to be
  1282. explicitly defined.
  1283. .. code-block:: yaml
  1284. env_order:
  1285. - base
  1286. - dev
  1287. - qa
  1288. .. conf_master:: master_tops
  1289. ``master_tops``
  1290. ---------------
  1291. Default: ``{}``
  1292. The master_tops option replaces the external_nodes option by creating
  1293. a pluggable system for the generation of external top data. The external_nodes
  1294. option is deprecated by the master_tops option.
  1295. To gain the capabilities of the classic external_nodes system, use the
  1296. following configuration:
  1297. .. code-block:: yaml
  1298. master_tops:
  1299. ext_nodes: <Shell command which returns yaml>
  1300. .. conf_master:: renderer
  1301. ``renderer``
  1302. ------------
  1303. Default: ``jinja|yaml``
  1304. The renderer to use on the minions to render the state data.
  1305. .. code-block:: yaml
  1306. renderer: jinja|json
  1307. .. conf_master:: userdata_template
  1308. ``userdata_template``
  1309. ---------------------
  1310. .. versionadded:: 2016.11.4
  1311. Default: ``None``
  1312. The renderer to use for templating userdata files in salt-cloud, if the
  1313. ``userdata_template`` is not set in the cloud profile. If no value is set in
  1314. the cloud profile or master config file, no templating will be performed.
  1315. .. code-block:: yaml
  1316. userdata_template: jinja
  1317. .. conf_master:: jinja_env
  1318. ``jinja_env``
  1319. -------------
  1320. .. versionadded:: 2018.3.0
  1321. Default: ``{}``
  1322. jinja_env overrides the default Jinja environment options for
  1323. **all templates except sls templates**.
  1324. To set the options for sls templates use :conf_master:`jinja_sls_env`.
  1325. .. note::
  1326. The `Jinja2 Environment documentation <http://jinja.pocoo.org/docs/api/#jinja2.Environment>`_ is the official source for the default values.
  1327. Not all the options listed in the jinja documentation can be overridden using :conf_master:`jinja_env` or :conf_master:`jinja_sls_env`.
  1328. The default options are:
  1329. .. code-block:: yaml
  1330. jinja_env:
  1331. block_start_string: '{%'
  1332. block_end_string: '%}'
  1333. variable_start_string: '{{'
  1334. variable_end_string: '}}'
  1335. comment_start_string: '{#'
  1336. comment_end_string: '#}'
  1337. line_statement_prefix:
  1338. line_comment_prefix:
  1339. trim_blocks: False
  1340. lstrip_blocks: False
  1341. newline_sequence: '\n'
  1342. keep_trailing_newline: False
  1343. .. conf_master:: jinja_sls_env
  1344. ``jinja_sls_env``
  1345. -----------------
  1346. .. versionadded:: 2018.3.0
  1347. Default: ``{}``
  1348. jinja_sls_env sets the Jinja environment options for **sls templates**.
  1349. The defaults and accepted options are exactly the same as they are
  1350. for :conf_master:`jinja_env`.
  1351. The default options are:
  1352. .. code-block:: yaml
  1353. jinja_sls_env:
  1354. block_start_string: '{%'
  1355. block_end_string: '%}'
  1356. variable_start_string: '{{'
  1357. variable_end_string: '}}'
  1358. comment_start_string: '{#'
  1359. comment_end_string: '#}'
  1360. line_statement_prefix:
  1361. line_comment_prefix:
  1362. trim_blocks: False
  1363. lstrip_blocks: False
  1364. newline_sequence: '\n'
  1365. keep_trailing_newline: False
  1366. Example using line statements and line comments to increase ease of use:
  1367. If your configuration options are
  1368. .. code-block:: yaml
  1369. jinja_sls_env:
  1370. line_statement_prefix: '%'
  1371. line_comment_prefix: '##'
  1372. With these options jinja will interpret anything after a ``%`` at the start of a line (ignoreing whitespace)
  1373. as a jinja statement and will interpret anything after a ``##`` as a comment.
  1374. This allows the following more convenient syntax to be used:
  1375. .. code-block:: jinja
  1376. ## (this comment will not stay once rendered)
  1377. # (this comment remains in the rendered template)
  1378. ## ensure all the formula services are running
  1379. % for service in formula_services:
  1380. enable_service_{{ service }}:
  1381. service.running:
  1382. name: {{ service }}
  1383. % endfor
  1384. The following less convenient but equivalent syntax would have to
  1385. be used if you had not set the line_statement and line_comment options:
  1386. .. code-block:: jinja
  1387. {# (this comment will not stay once rendered) #}
  1388. # (this comment remains in the rendered template)
  1389. {# ensure all the formula services are running #}
  1390. {% for service in formula_services %}
  1391. enable_service_{{ service }}:
  1392. service.running:
  1393. name: {{ service }}
  1394. {% endfor %}
  1395. .. conf_master:: jinja_trim_blocks
  1396. ``jinja_trim_blocks``
  1397. ---------------------
  1398. .. deprecated:: 2018.3.0
  1399. Replaced by :conf_master:`jinja_env` and :conf_master:`jinja_sls_env`
  1400. .. versionadded:: 2014.1.0
  1401. Default: ``False``
  1402. If this is set to ``True``, the first newline after a Jinja block is
  1403. removed (block, not variable tag!). Defaults to ``False`` and corresponds
  1404. to the Jinja environment init variable ``trim_blocks``.
  1405. .. code-block:: yaml
  1406. jinja_trim_blocks: False
  1407. .. conf_master:: jinja_lstrip_blocks
  1408. ``jinja_lstrip_blocks``
  1409. -----------------------
  1410. .. deprecated:: 2018.3.0
  1411. Replaced by :conf_master:`jinja_env` and :conf_master:`jinja_sls_env`
  1412. .. versionadded:: 2014.1.0
  1413. Default: ``False``
  1414. If this is set to ``True``, leading spaces and tabs are stripped from the
  1415. start of a line to a block. Defaults to ``False`` and corresponds to the
  1416. Jinja environment init variable ``lstrip_blocks``.
  1417. .. code-block:: yaml
  1418. jinja_lstrip_blocks: False
  1419. .. conf_master:: failhard
  1420. ``failhard``
  1421. ------------
  1422. Default: ``False``
  1423. Set the global failhard flag. This informs all states to stop running states
  1424. at the moment a single state fails.
  1425. .. code-block:: yaml
  1426. failhard: False
  1427. .. conf_master:: state_verbose
  1428. ``state_verbose``
  1429. -----------------
  1430. Default: ``True``
  1431. Controls the verbosity of state runs. By default, the results of all states are
  1432. returned, but setting this value to ``False`` will cause salt to only display
  1433. output for states that failed or states that have changes.
  1434. .. code-block:: yaml
  1435. state_verbose: False
  1436. .. conf_master:: state_output
  1437. ``state_output``
  1438. ----------------
  1439. Default: ``full``
  1440. The state_output setting controls which results will be output full multi line:
  1441. * ``full``, ``terse`` - each state will be full/terse
  1442. * ``mixed`` - only states with errors will be full
  1443. * ``changes`` - states with changes and errors will be full
  1444. ``full_id``, ``mixed_id``, ``changes_id`` and ``terse_id`` are also allowed;
  1445. when set, the state ID will be used as name in the output.
  1446. .. code-block:: yaml
  1447. state_output: full
  1448. .. conf_master:: state_output_diff
  1449. ``state_output_diff``
  1450. ---------------------
  1451. Default: ``False``
  1452. The state_output_diff setting changes whether or not the output from
  1453. successful states is returned. Useful when even the terse output of these
  1454. states is cluttering the logs. Set it to True to ignore them.
  1455. .. code-block:: yaml
  1456. state_output_diff: False
  1457. .. conf_master:: state_aggregate
  1458. ``state_aggregate``
  1459. -------------------
  1460. Default: ``False``
  1461. Automatically aggregate all states that have support for mod_aggregate by
  1462. setting to ``True``. Or pass a list of state module names to automatically
  1463. aggregate just those types.
  1464. .. code-block:: yaml
  1465. state_aggregate:
  1466. - pkg
  1467. .. code-block:: yaml
  1468. state_aggregate: True
  1469. .. conf_master:: state_events
  1470. ``state_events``
  1471. ----------------
  1472. Default: ``False``
  1473. Send progress events as each function in a state run completes execution
  1474. by setting to ``True``. Progress events are in the format
  1475. ``salt/job/<JID>/prog/<MID>/<RUN NUM>``.
  1476. .. code-block:: yaml
  1477. state_events: True
  1478. .. conf_master:: yaml_utf8
  1479. ``yaml_utf8``
  1480. -------------
  1481. Default: ``False``
  1482. Enable extra routines for YAML renderer used states containing UTF characters.
  1483. .. code-block:: yaml
  1484. yaml_utf8: False
  1485. ``runner_returns``
  1486. ------------------
  1487. Default: ``False``
  1488. If set to ``True``, runner jobs will be saved to job cache (defined by
  1489. :conf_master:`master_job_cache`).
  1490. .. code-block:: yaml
  1491. runner_returns: True
  1492. .. _master-file-server-settings:
  1493. Master File Server Settings
  1494. ===========================
  1495. .. conf_master:: fileserver_backend
  1496. ``fileserver_backend``
  1497. ----------------------
  1498. Default: ``['roots']``
  1499. Salt supports a modular fileserver backend system, this system allows the salt
  1500. master to link directly to third party systems to gather and manage the files
  1501. available to minions. Multiple backends can be configured and will be searched
  1502. for the requested file in the order in which they are defined here. The default
  1503. setting only enables the standard backend ``roots``, which is configured using
  1504. the :conf_master:`file_roots` option.
  1505. Example:
  1506. .. code-block:: yaml
  1507. fileserver_backend:
  1508. - roots
  1509. - gitfs
  1510. .. note::
  1511. For masterless Salt, this parameter must be specified in the minion config
  1512. file.
  1513. .. conf_master:: fileserver_followsymlinks
  1514. ``fileserver_followsymlinks``
  1515. -----------------------------
  1516. .. versionadded:: 2014.1.0
  1517. Default: ``True``
  1518. By default, the file_server follows symlinks when walking the filesystem tree.
  1519. Currently this only applies to the default roots fileserver_backend.
  1520. .. code-block:: yaml
  1521. fileserver_followsymlinks: True
  1522. .. conf_master:: fileserver_ignoresymlinks
  1523. ``fileserver_ignoresymlinks``
  1524. -----------------------------
  1525. .. versionadded:: 2014.1.0
  1526. Default: ``False``
  1527. If you do not want symlinks to be treated as the files they are pointing to,
  1528. set ``fileserver_ignoresymlinks`` to ``True``. By default this is set to
  1529. False. When set to ``True``, any detected symlink while listing files on the
  1530. Master will not be returned to the Minion.
  1531. .. code-block:: yaml
  1532. fileserver_ignoresymlinks: False
  1533. .. conf_master:: fileserver_limit_traversal
  1534. ``fileserver_limit_traversal``
  1535. ------------------------------
  1536. .. versionadded:: 2014.1.0
  1537. .. deprecated:: 2018.3.4
  1538. This option is now ignored. Firstly, it only traversed
  1539. :conf_master:`file_roots`, which means it did not work for the other
  1540. fileserver backends. Secondly, since this option was added we have added
  1541. caching to the code that traverses the file_roots (and gitfs, etc.), which
  1542. greatly reduces the amount of traversal that is done.
  1543. Default: ``False``
  1544. By default, the Salt fileserver recurses fully into all defined environments
  1545. to attempt to find files. To limit this behavior so that the fileserver only
  1546. traverses directories with SLS files and special Salt directories like _modules,
  1547. set ``fileserver_limit_traversal`` to ``True``. This might be useful for
  1548. installations where a file root has a very large number of files and performance
  1549. is impacted.
  1550. .. code-block:: yaml
  1551. fileserver_limit_traversal: False
  1552. .. conf_master:: fileserver_list_cache_time
  1553. ``fileserver_list_cache_time``
  1554. ------------------------------
  1555. .. versionadded:: 2014.1.0
  1556. .. versionchanged:: 2016.11.0
  1557. The default was changed from ``30`` seconds to ``20``.
  1558. Default: ``20``
  1559. Salt caches the list of files/symlinks/directories for each fileserver backend
  1560. and environment as they are requested, to guard against a performance
  1561. bottleneck at scale when many minions all ask the fileserver which files are
  1562. available simultaneously. This configuration parameter allows for the max age
  1563. of that cache to be altered.
  1564. Set this value to ``0`` to disable use of this cache altogether, but keep in
  1565. mind that this may increase the CPU load on the master when running a highstate
  1566. on a large number of minions.
  1567. .. note::
  1568. Rather than altering this configuration parameter, it may be advisable to
  1569. use the :mod:`fileserver.clear_file_list_cache
  1570. <salt.runners.fileserver.clear_file_list_cache>` runner to clear these
  1571. caches.
  1572. .. code-block:: yaml
  1573. fileserver_list_cache_time: 5
  1574. .. conf_master:: fileserver_verify_config
  1575. ``fileserver_verify_config``
  1576. ----------------------------
  1577. .. versionadded:: 2017.7.0
  1578. Default: ``True``
  1579. By default, as the master starts it performs some sanity checks on the
  1580. configured fileserver backends. If any of these sanity checks fail (such as
  1581. when an invalid configuration is used), the master daemon will abort.
  1582. To skip these sanity checks, set this option to ``False``.
  1583. .. code-block:: yaml
  1584. fileserver_verify_config: False
  1585. .. conf_master:: hash_type
  1586. ``hash_type``
  1587. -------------
  1588. Default: ``sha256``
  1589. The hash_type is the hash to use when discovering the hash of a file on
  1590. the master server. The default is sha256, but md5, sha1, sha224, sha384, and
  1591. sha512 are also supported.
  1592. .. code-block:: yaml
  1593. hash_type: sha256
  1594. .. conf_master:: file_buffer_size
  1595. ``file_buffer_size``
  1596. --------------------
  1597. Default: ``1048576``
  1598. The buffer size in the file server in bytes.
  1599. .. code-block:: yaml
  1600. file_buffer_size: 1048576
  1601. .. conf_master:: file_ignore_regex
  1602. ``file_ignore_regex``
  1603. ---------------------
  1604. Default: ``''``
  1605. A regular expression (or a list of expressions) that will be matched
  1606. against the file path before syncing the modules and states to the minions.
  1607. This includes files affected by the file.recurse state.
  1608. For example, if you manage your custom modules and states in subversion
  1609. and don't want all the '.svn' folders and content synced to your minions,
  1610. you could set this to '/\.svn($|/)'. By default nothing is ignored.
  1611. .. code-block:: yaml
  1612. file_ignore_regex:
  1613. - '/\.svn($|/)'
  1614. - '/\.git($|/)'
  1615. .. conf_master:: file_ignore_glob
  1616. ``file_ignore_glob``
  1617. --------------------
  1618. Default ``''``
  1619. A file glob (or list of file globs) that will be matched against the file
  1620. path before syncing the modules and states to the minions. This is similar
  1621. to file_ignore_regex above, but works on globs instead of regex. By default
  1622. nothing is ignored.
  1623. .. code-block:: yaml
  1624. file_ignore_glob:
  1625. - '\*.pyc'
  1626. - '\*/somefolder/\*.bak'
  1627. - '\*.swp'
  1628. .. note::
  1629. Vim's .swp files are a common cause of Unicode errors in
  1630. :py:func:`file.recurse <salt.states.file.recurse>` states which use
  1631. templating. Unless there is a good reason to distribute them via the
  1632. fileserver, it is good practice to include ``'\*.swp'`` in the
  1633. :conf_master:`file_ignore_glob`.
  1634. .. conf_master:: master_roots
  1635. ``master_roots``
  1636. ----------------
  1637. Default: ``/srv/salt-master``
  1638. A master-only copy of the :conf_master:`file_roots` dictionary, used by the
  1639. state compiler.
  1640. .. code-block:: yaml
  1641. master_roots: /srv/salt-master
  1642. roots: Master's Local File Server
  1643. ---------------------------------
  1644. .. conf_master:: file_roots
  1645. ``file_roots``
  1646. **************
  1647. Default:
  1648. .. code-block:: yaml
  1649. base:
  1650. - /srv/salt
  1651. Salt runs a lightweight file server written in ZeroMQ to deliver files to
  1652. minions. This file server is built into the master daemon and does not
  1653. require a dedicated port.
  1654. The file server works on environments passed to the master. Each environment
  1655. can have multiple root directories. The subdirectories in the multiple file
  1656. roots cannot match, otherwise the downloaded files will not be able to be
  1657. reliably ensured. A base environment is required to house the top file.
  1658. As of 2018.3.5 and 2019.2.1, it is possible to have `__env__` as a catch-all environment.
  1659. Example:
  1660. .. code-block:: yaml
  1661. file_roots:
  1662. base:
  1663. - /srv/salt
  1664. dev:
  1665. - /srv/salt/dev/services
  1666. - /srv/salt/dev/states
  1667. prod:
  1668. - /srv/salt/prod/services
  1669. - /srv/salt/prod/states
  1670. __env__:
  1671. - /srv/salt/default
  1672. .. note::
  1673. For masterless Salt, this parameter must be specified in the minion config
  1674. file.
  1675. .. conf_master:: roots_update_interval
  1676. ``roots_update_interval``
  1677. *************************
  1678. .. versionadded:: 2018.3.0
  1679. Default: ``60``
  1680. This option defines the update interval (in seconds) for
  1681. :conf_master:`file_roots`.
  1682. .. note::
  1683. Since ``file_roots`` consists of files local to the minion, the update
  1684. process for this fileserver backend just reaps the cache for this backend.
  1685. .. code-block:: yaml
  1686. roots_update_interval: 120
  1687. gitfs: Git Remote File Server Backend
  1688. -------------------------------------
  1689. .. conf_master:: gitfs_remotes
  1690. ``gitfs_remotes``
  1691. *****************
  1692. Default: ``[]``
  1693. When using the ``git`` fileserver backend at least one git remote needs to be
  1694. defined. The user running the salt master will need read access to the repo.
  1695. The repos will be searched in order to find the file requested by a client and
  1696. the first repo to have the file will return it. Branches and tags are
  1697. translated into salt environments.
  1698. .. code-block:: yaml
  1699. gitfs_remotes:
  1700. - git://github.com/saltstack/salt-states.git
  1701. - file:///var/git/saltmaster
  1702. .. note::
  1703. ``file://`` repos will be treated as a remote and copied into the master's
  1704. gitfs cache, so only the *local* refs for those repos will be exposed as
  1705. fileserver environments.
  1706. As of 2014.7.0, it is possible to have per-repo versions of several of the
  1707. gitfs configuration parameters. For more information, see the :ref:`GitFS
  1708. Walkthrough <gitfs-per-remote-config>`.
  1709. .. conf_master:: gitfs_provider
  1710. ``gitfs_provider``
  1711. ******************
  1712. .. versionadded:: 2014.7.0
  1713. Optional parameter used to specify the provider to be used for gitfs. More
  1714. information can be found in the :ref:`GitFS Walkthrough <gitfs-dependencies>`.
  1715. Must be either ``pygit2`` or ``gitpython``. If unset, then each will be tried
  1716. in that same order, and the first one with a compatible version installed will
  1717. be the provider that is used.
  1718. .. code-block:: yaml
  1719. gitfs_provider: gitpython
  1720. .. conf_master:: gitfs_ssl_verify
  1721. ``gitfs_ssl_verify``
  1722. ********************
  1723. Default: ``True``
  1724. Specifies whether or not to ignore SSL certificate errors when fetching from
  1725. the repositories configured in :conf_master:`gitfs_remotes`. The ``False``
  1726. setting is useful if you're using a git repo that uses a self-signed
  1727. certificate. However, keep in mind that setting this to anything other ``True``
  1728. is a considered insecure, and using an SSH-based transport (if available) may
  1729. be a better option.
  1730. .. code-block:: yaml
  1731. gitfs_ssl_verify: False
  1732. .. note::
  1733. pygit2 only supports disabling SSL verification in versions 0.23.2 and
  1734. newer.
  1735. .. versionchanged:: 2015.8.0
  1736. This option can now be configured on individual repositories as well. See
  1737. :ref:`here <gitfs-per-remote-config>` for more info.
  1738. .. versionchanged:: 2016.11.0
  1739. The default config value changed from ``False`` to ``True``.
  1740. .. conf_master:: gitfs_mountpoint
  1741. ``gitfs_mountpoint``
  1742. ********************
  1743. .. versionadded:: 2014.7.0
  1744. Default: ``''``
  1745. Specifies a path on the salt fileserver which will be prepended to all files
  1746. served by gitfs. This option can be used in conjunction with
  1747. :conf_master:`gitfs_root`. It can also be configured for an individual
  1748. repository, see :ref:`here <gitfs-per-remote-config>` for more info.
  1749. .. code-block:: yaml
  1750. gitfs_mountpoint: salt://foo/bar
  1751. .. note::
  1752. The ``salt://`` protocol designation can be left off (in other words,
  1753. ``foo/bar`` and ``salt://foo/bar`` are equivalent). Assuming a file
  1754. ``baz.sh`` in the root of a gitfs remote, and the above example mountpoint,
  1755. this file would be served up via ``salt://foo/bar/baz.sh``.
  1756. .. conf_master:: gitfs_root
  1757. ``gitfs_root``
  1758. **************
  1759. Default: ``''``
  1760. Relative path to a subdirectory within the repository from which Salt should
  1761. begin to serve files. This is useful when there are files in the repository
  1762. that should not be available to the Salt fileserver. Can be used in conjunction
  1763. with :conf_master:`gitfs_mountpoint`. If used, then from Salt's perspective the
  1764. directories above the one specified will be ignored and the relative path will
  1765. (for the purposes of gitfs) be considered as the root of the repo.
  1766. .. code-block:: yaml
  1767. gitfs_root: somefolder/otherfolder
  1768. .. versionchanged:: 2014.7.0
  1769. This option can now be configured on individual repositories as well. See
  1770. :ref:`here <gitfs-per-remote-config>` for more info.
  1771. .. conf_master:: gitfs_base
  1772. ``gitfs_base``
  1773. **************
  1774. Default: ``master``
  1775. Defines which branch/tag should be used as the ``base`` environment.
  1776. .. code-block:: yaml
  1777. gitfs_base: salt
  1778. .. versionchanged:: 2014.7.0
  1779. This option can now be configured on individual repositories as well. See
  1780. :ref:`here <gitfs-per-remote-config>` for more info.
  1781. .. conf_master:: gitfs_saltenv
  1782. ``gitfs_saltenv``
  1783. *****************
  1784. .. versionadded:: 2016.11.0
  1785. Default: ``[]``
  1786. Global settings for :ref:`per-saltenv configuration parameters
  1787. <gitfs-per-saltenv-config>`. Though per-saltenv configuration parameters are
  1788. typically one-off changes specific to a single gitfs remote, and thus more
  1789. often configured on a per-remote basis, this parameter can be used to specify
  1790. per-saltenv changes which should apply to all remotes. For example, the below
  1791. configuration will map the ``develop`` branch to the ``dev`` saltenv for all
  1792. gitfs remotes.
  1793. .. code-block:: yaml
  1794. gitfs_saltenv:
  1795. - dev:
  1796. - ref: develop
  1797. .. conf_master:: gitfs_disable_saltenv_mapping
  1798. ``gitfs_disable_saltenv_mapping``
  1799. *********************************
  1800. .. versionadded:: 2018.3.0
  1801. Default: ``False``
  1802. When set to ``True``, all saltenv mapping logic is disregarded (aside from
  1803. which branch/tag is mapped to the ``base`` saltenv). To use any other
  1804. environments, they must then be defined using :ref:`per-saltenv configuration
  1805. parameters <gitfs-per-saltenv-config>`.
  1806. .. code-block:: yaml
  1807. gitfs_disable_saltenv_mapping: True
  1808. .. note::
  1809. This is is a global configuration option, see :ref:`here
  1810. <gitfs-per-remote-config>` for examples of configuring it for individual
  1811. repositories.
  1812. .. conf_master:: gitfs_ref_types
  1813. ``gitfs_ref_types``
  1814. *******************
  1815. .. versionadded:: 2018.3.0
  1816. Default: ``['branch', 'tag', 'sha']``
  1817. This option defines what types of refs are mapped to fileserver environments
  1818. (i.e. saltenvs). It also sets the order of preference when there are
  1819. ambiguously-named refs (i.e. when a branch and tag both have the same name).
  1820. The below example disables mapping of both tags and SHAs, so that only branches
  1821. are mapped as saltenvs:
  1822. .. code-block:: yaml
  1823. gitfs_ref_types:
  1824. - branch
  1825. .. note::
  1826. This is is a global configuration option, see :ref:`here
  1827. <gitfs-per-remote-config>` for examples of configuring it for individual
  1828. repositories.
  1829. .. note::
  1830. ``sha`` is special in that it will not show up when listing saltenvs (e.g.
  1831. with the :py:func:`fileserver.envs <salt.runners.fileserver.envs>` runner),
  1832. but works within states and with :py:func:`cp.cache_file
  1833. <salt.modules.cp.cache_file>` to retrieve a file from a specific git SHA.
  1834. .. conf_master:: gitfs_saltenv_whitelist
  1835. ``gitfs_saltenv_whitelist``
  1836. ***************************
  1837. .. versionadded:: 2014.7.0
  1838. .. versionchanged:: 2018.3.0
  1839. Renamed from ``gitfs_env_whitelist`` to ``gitfs_saltenv_whitelist``
  1840. Default: ``[]``
  1841. Used to restrict which environments are made available. Can speed up state runs
  1842. if the repos in :conf_master:`gitfs_remotes` contain many branches/tags. More
  1843. information can be found in the :ref:`GitFS Walkthrough
  1844. <gitfs-whitelist-blacklist>`.
  1845. .. code-block:: yaml
  1846. gitfs_saltenv_whitelist:
  1847. - base
  1848. - v1.*
  1849. - 'mybranch\d+'
  1850. .. conf_master:: gitfs_saltenv_blacklist
  1851. ``gitfs_saltenv_blacklist``
  1852. ***************************
  1853. .. versionadded:: 2014.7.0
  1854. .. versionchanged:: 2018.3.0
  1855. Renamed from ``gitfs_env_blacklist`` to ``gitfs_saltenv_blacklist``
  1856. Default: ``[]``
  1857. Used to restrict which environments are made available. Can speed up state runs
  1858. if the repos in :conf_master:`gitfs_remotes` contain many branches/tags. More
  1859. information can be found in the :ref:`GitFS Walkthrough
  1860. <gitfs-whitelist-blacklist>`.
  1861. .. code-block:: yaml
  1862. gitfs_saltenv_blacklist:
  1863. - base
  1864. - v1.*
  1865. - 'mybranch\d+'
  1866. .. conf_master:: gitfs_global_lock
  1867. ``gitfs_global_lock``
  1868. *********************
  1869. .. versionadded:: 2015.8.9
  1870. Default: ``True``
  1871. When set to ``False``, if there is an update lock for a gitfs remote and the
  1872. pid written to it is not running on the master, the lock file will be
  1873. automatically cleared and a new lock will be obtained. When set to ``True``,
  1874. Salt will simply log a warning when there is an update lock present.
  1875. On single-master deployments, disabling this option can help automatically deal
  1876. with instances where the master was shutdown/restarted during the middle of a
  1877. gitfs update, leaving a update lock in place.
  1878. However, on multi-master deployments with the gitfs cachedir shared via
  1879. `GlusterFS`__, nfs, or another network filesystem, it is strongly recommended
  1880. not to disable this option as doing so will cause lock files to be removed if
  1881. they were created by a different master.
  1882. .. code-block:: yaml
  1883. # Disable global lock
  1884. gitfs_global_lock: False
  1885. .. __: http://www.gluster.org/
  1886. .. conf_master:: gitfs_update_interval
  1887. ``gitfs_update_interval``
  1888. *************************
  1889. .. versionadded:: 2018.3.0
  1890. Default: ``60``
  1891. This option defines the default update interval (in seconds) for gitfs remotes.
  1892. The update interval can also be set for a single repository via a
  1893. :ref:`per-remote config option <gitfs-per-remote-config>`
  1894. .. code-block:: yaml
  1895. gitfs_update_interval: 120
  1896. GitFS Authentication Options
  1897. ****************************
  1898. These parameters only currently apply to the pygit2 gitfs provider. Examples of
  1899. how to use these can be found in the :ref:`GitFS Walkthrough
  1900. <gitfs-authentication>`.
  1901. .. conf_master:: gitfs_user
  1902. ``gitfs_user``
  1903. ~~~~~~~~~~~~~~
  1904. .. versionadded:: 2014.7.0
  1905. Default: ``''``
  1906. Along with :conf_master:`gitfs_password`, is used to authenticate to HTTPS
  1907. remotes.
  1908. .. code-block:: yaml
  1909. gitfs_user: git
  1910. .. note::
  1911. This is is a global configuration option, see :ref:`here
  1912. <gitfs-per-remote-config>` for examples of configuring it for individual
  1913. repositories.
  1914. .. conf_master:: gitfs_password
  1915. ``gitfs_password``
  1916. ~~~~~~~~~~~~~~~~~~
  1917. .. versionadded:: 2014.7.0
  1918. Default: ``''``
  1919. Along with :conf_master:`gitfs_user`, is used to authenticate to HTTPS remotes.
  1920. This parameter is not required if the repository does not use authentication.
  1921. .. code-block:: yaml
  1922. gitfs_password: mypassword
  1923. .. note::
  1924. This is is a global configuration option, see :ref:`here
  1925. <gitfs-per-remote-config>` for examples of configuring it for individual
  1926. repositories.
  1927. .. conf_master:: gitfs_insecure_auth
  1928. ``gitfs_insecure_auth``
  1929. ~~~~~~~~~~~~~~~~~~~~~~~
  1930. .. versionadded:: 2014.7.0
  1931. Default: ``False``
  1932. By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. This
  1933. parameter enables authentication over HTTP. **Enable this at your own risk.**
  1934. .. code-block:: yaml
  1935. gitfs_insecure_auth: True
  1936. .. note::
  1937. This is is a global configuration option, see :ref:`here
  1938. <gitfs-per-remote-config>` for examples of configuring it for individual
  1939. repositories.
  1940. .. conf_master:: gitfs_pubkey
  1941. ``gitfs_pubkey``
  1942. ~~~~~~~~~~~~~~~~
  1943. .. versionadded:: 2014.7.0
  1944. Default: ``''``
  1945. Along with :conf_master:`gitfs_privkey` (and optionally
  1946. :conf_master:`gitfs_passphrase`), is used to authenticate to SSH remotes.
  1947. Required for SSH remotes.
  1948. .. code-block:: yaml
  1949. gitfs_pubkey: /path/to/key.pub
  1950. .. note::
  1951. This is is a global configuration option, see :ref:`here
  1952. <gitfs-per-remote-config>` for examples of configuring it for individual
  1953. repositories.
  1954. .. conf_master:: gitfs_privkey
  1955. ``gitfs_privkey``
  1956. ~~~~~~~~~~~~~~~~~
  1957. .. versionadded:: 2014.7.0
  1958. Default: ``''``
  1959. Along with :conf_master:`gitfs_pubkey` (and optionally
  1960. :conf_master:`gitfs_passphrase`), is used to authenticate to SSH remotes.
  1961. Required for SSH remotes.
  1962. .. code-block:: yaml
  1963. gitfs_privkey: /path/to/key
  1964. .. note::
  1965. This is is a global configuration option, see :ref:`here
  1966. <gitfs-per-remote-config>` for examples of configuring it for individual
  1967. repositories.
  1968. .. conf_master:: gitfs_passphrase
  1969. ``gitfs_passphrase``
  1970. ~~~~~~~~~~~~~~~~~~~~
  1971. .. versionadded:: 2014.7.0
  1972. Default: ``''``
  1973. This parameter is optional, required only when the SSH key being used to
  1974. authenticate is protected by a passphrase.
  1975. .. code-block:: yaml
  1976. gitfs_passphrase: mypassphrase
  1977. .. note::
  1978. This is is a global configuration option, see :ref:`here
  1979. <gitfs-per-remote-config>` for examples of configuring it for individual
  1980. repositories.
  1981. .. conf_master:: gitfs_refspecs
  1982. ``gitfs_refspecs``
  1983. ~~~~~~~~~~~~~~~~~~
  1984. .. versionadded:: 2017.7.0
  1985. Default: ``['+refs/heads/*:refs/remotes/origin/*', '+refs/tags/*:refs/tags/*']``
  1986. When fetching from remote repositories, by default Salt will fetch branches and
  1987. tags. This parameter can be used to override the default and specify
  1988. alternate refspecs to be fetched. More information on how this feature works
  1989. can be found in the :ref:`GitFS Walkthrough <gitfs-custom-refspecs>`.
  1990. .. code-block:: yaml
  1991. gitfs_refspecs:
  1992. - '+refs/heads/*:refs/remotes/origin/*'
  1993. - '+refs/tags/*:refs/tags/*'
  1994. - '+refs/pull/*/head:refs/remotes/origin/pr/*'
  1995. - '+refs/pull/*/merge:refs/remotes/origin/merge/*'
  1996. hgfs: Mercurial Remote File Server Backend
  1997. ------------------------------------------
  1998. .. conf_master:: hgfs_remotes
  1999. ``hgfs_remotes``
  2000. ****************
  2001. .. versionadded:: 0.17.0
  2002. Default: ``[]``
  2003. When using the ``hg`` fileserver backend at least one mercurial remote needs to
  2004. be defined. The user running the salt master will need read access to the repo.
  2005. The repos will be searched in order to find the file requested by a client and
  2006. the first repo to have the file will return it. Branches and/or bookmarks are
  2007. translated into salt environments, as defined by the
  2008. :conf_master:`hgfs_branch_method` parameter.
  2009. .. code-block:: yaml
  2010. hgfs_remotes:
  2011. - https://username@bitbucket.org/username/reponame
  2012. .. note::
  2013. As of 2014.7.0, it is possible to have per-repo versions of the
  2014. :conf_master:`hgfs_root`, :conf_master:`hgfs_mountpoint`,
  2015. :conf_master:`hgfs_base`, and :conf_master:`hgfs_branch_method` parameters.
  2016. For example:
  2017. .. code-block:: yaml
  2018. hgfs_remotes:
  2019. - https://username@bitbucket.org/username/repo1
  2020. - base: saltstates
  2021. - https://username@bitbucket.org/username/repo2:
  2022. - root: salt
  2023. - mountpoint: salt://foo/bar/baz
  2024. - https://username@bitbucket.org/username/repo3:
  2025. - root: salt/states
  2026. - branch_method: mixed
  2027. .. conf_master:: hgfs_branch_method
  2028. ``hgfs_branch_method``
  2029. **********************
  2030. .. versionadded:: 0.17.0
  2031. Default: ``branches``
  2032. Defines the objects that will be used as fileserver environments.
  2033. * ``branches`` - Only branches and tags will be used
  2034. * ``bookmarks`` - Only bookmarks and tags will be used
  2035. * ``mixed`` - Branches, bookmarks, and tags will be used
  2036. .. code-block:: yaml
  2037. hgfs_branch_method: mixed
  2038. .. note::
  2039. Starting in version 2014.1.0, the value of the :conf_master:`hgfs_base`
  2040. parameter defines which branch is used as the ``base`` environment,
  2041. allowing for a ``base`` environment to be used with an
  2042. :conf_master:`hgfs_branch_method` of ``bookmarks``.
  2043. Prior to this release, the ``default`` branch will be used as the ``base``
  2044. environment.
  2045. .. conf_master:: hgfs_mountpoint
  2046. ``hgfs_mountpoint``
  2047. *******************
  2048. .. versionadded:: 2014.7.0
  2049. Default: ``''``
  2050. Specifies a path on the salt fileserver which will be prepended to all files
  2051. served by hgfs. This option can be used in conjunction with
  2052. :conf_master:`hgfs_root`. It can also be configured on a per-remote basis, see
  2053. :conf_master:`here <hgfs_remotes>` for more info.
  2054. .. code-block:: yaml
  2055. hgfs_mountpoint: salt://foo/bar
  2056. .. note::
  2057. The ``salt://`` protocol designation can be left off (in other words,
  2058. ``foo/bar`` and ``salt://foo/bar`` are equivalent). Assuming a file
  2059. ``baz.sh`` in the root of an hgfs remote, this file would be served up via
  2060. ``salt://foo/bar/baz.sh``.
  2061. .. conf_master:: hgfs_root
  2062. ``hgfs_root``
  2063. *************
  2064. .. versionadded:: 0.17.0
  2065. Default: ``''``
  2066. Relative path to a subdirectory within the repository from which Salt should
  2067. begin to serve files. This is useful when there are files in the repository
  2068. that should not be available to the Salt fileserver. Can be used in conjunction
  2069. with :conf_master:`hgfs_mountpoint`. If used, then from Salt's perspective the
  2070. directories above the one specified will be ignored and the relative path will
  2071. (for the purposes of hgfs) be considered as the root of the repo.
  2072. .. code-block:: yaml
  2073. hgfs_root: somefolder/otherfolder
  2074. .. versionchanged:: 2014.7.0
  2075. Ability to specify hgfs roots on a per-remote basis was added. See
  2076. :conf_master:`here <hgfs_remotes>` for more info.
  2077. .. conf_master:: hgfs_base
  2078. ``hgfs_base``
  2079. *************
  2080. .. versionadded:: 2014.1.0
  2081. Default: ``default``
  2082. Defines which branch should be used as the ``base`` environment. Change this if
  2083. :conf_master:`hgfs_branch_method` is set to ``bookmarks`` to specify which
  2084. bookmark should be used as the ``base`` environment.
  2085. .. code-block:: yaml
  2086. hgfs_base: salt
  2087. .. conf_master:: hgfs_saltenv_whitelist
  2088. ``hgfs_saltenv_whitelist``
  2089. **************************
  2090. .. versionadded:: 2014.7.0
  2091. .. versionchanged:: 2018.3.0
  2092. Renamed from ``hgfs_env_whitelist`` to ``hgfs_saltenv_whitelist``
  2093. Default: ``[]``
  2094. Used to restrict which environments are made available. Can speed up state runs
  2095. if your hgfs remotes contain many branches/bookmarks/tags. Full names, globs,
  2096. and regular expressions are supported. If using a regular expression, the
  2097. expression must match the entire minion ID.
  2098. If used, only branches/bookmarks/tags which match one of the specified
  2099. expressions will be exposed as fileserver environments.
  2100. If used in conjunction with :conf_master:`hgfs_saltenv_blacklist`, then the subset
  2101. of branches/bookmarks/tags which match the whitelist but do *not* match the
  2102. blacklist will be exposed as fileserver environments.
  2103. .. code-block:: yaml
  2104. hgfs_saltenv_whitelist:
  2105. - base
  2106. - v1.*
  2107. - 'mybranch\d+'
  2108. .. conf_master:: hgfs_saltenv_blacklist
  2109. ``hgfs_saltenv_blacklist``
  2110. **************************
  2111. .. versionadded:: 2014.7.0
  2112. .. versionchanged:: 2018.3.0
  2113. Renamed from ``hgfs_env_blacklist`` to ``hgfs_saltenv_blacklist``
  2114. Default: ``[]``
  2115. Used to restrict which environments are made available. Can speed up state runs
  2116. if your hgfs remotes contain many branches/bookmarks/tags. Full names, globs,
  2117. and regular expressions are supported. If using a regular expression, the
  2118. expression must match the entire minion ID.
  2119. If used, branches/bookmarks/tags which match one of the specified expressions
  2120. will *not* be exposed as fileserver environments.
  2121. If used in conjunction with :conf_master:`hgfs_saltenv_whitelist`, then the subset
  2122. of branches/bookmarks/tags which match the whitelist but do *not* match the
  2123. blacklist will be exposed as fileserver environments.
  2124. .. code-block:: yaml
  2125. hgfs_saltenv_blacklist:
  2126. - base
  2127. - v1.*
  2128. - 'mybranch\d+'
  2129. .. conf_master:: hgfs_update_interval
  2130. ``hgfs_update_interval``
  2131. ************************
  2132. .. versionadded:: 2018.3.0
  2133. Default: ``60``
  2134. This option defines the update interval (in seconds) for
  2135. :conf_master:`hgfs_remotes`.
  2136. .. code-block:: yaml
  2137. hgfs_update_interval: 120
  2138. svnfs: Subversion Remote File Server Backend
  2139. --------------------------------------------
  2140. .. conf_master:: svnfs_remotes
  2141. ``svnfs_remotes``
  2142. *****************
  2143. .. versionadded:: 0.17.0
  2144. Default: ``[]``
  2145. When using the ``svn`` fileserver backend at least one subversion remote needs
  2146. to be defined. The user running the salt master will need read access to the
  2147. repo.
  2148. The repos will be searched in order to find the file requested by a client and
  2149. the first repo to have the file will return it. The trunk, branches, and tags
  2150. become environments, with the trunk being the ``base`` environment.
  2151. .. code-block:: yaml
  2152. svnfs_remotes:
  2153. - svn://foo.com/svn/myproject
  2154. .. note::
  2155. As of 2014.7.0, it is possible to have per-repo versions of the following
  2156. configuration parameters:
  2157. * :conf_master:`svnfs_root`
  2158. * :conf_master:`svnfs_mountpoint`
  2159. * :conf_master:`svnfs_trunk`
  2160. * :conf_master:`svnfs_branches`
  2161. * :conf_master:`svnfs_tags`
  2162. For example:
  2163. .. code-block:: yaml
  2164. svnfs_remotes:
  2165. - svn://foo.com/svn/project1
  2166. - svn://foo.com/svn/project2:
  2167. - root: salt
  2168. - mountpoint: salt://foo/bar/baz
  2169. - svn//foo.com/svn/project3:
  2170. - root: salt/states
  2171. - branches: branch
  2172. - tags: tag
  2173. .. conf_master:: svnfs_mountpoint
  2174. ``svnfs_mountpoint``
  2175. ********************
  2176. .. versionadded:: 2014.7.0
  2177. Default: ``''``
  2178. Specifies a path on the salt fileserver which will be prepended to all files
  2179. served by hgfs. This option can be used in conjunction with
  2180. :conf_master:`svnfs_root`. It can also be configured on a per-remote basis, see
  2181. :conf_master:`here <svnfs_remotes>` for more info.
  2182. .. code-block:: yaml
  2183. svnfs_mountpoint: salt://foo/bar
  2184. .. note::
  2185. The ``salt://`` protocol designation can be left off (in other words,
  2186. ``foo/bar`` and ``salt://foo/bar`` are equivalent). Assuming a file
  2187. ``baz.sh`` in the root of an svnfs remote, this file would be served up via
  2188. ``salt://foo/bar/baz.sh``.
  2189. .. conf_master:: svnfs_root
  2190. ``svnfs_root``
  2191. **************
  2192. .. versionadded:: 0.17.0
  2193. Default: ``''``
  2194. Relative path to a subdirectory within the repository from which Salt should
  2195. begin to serve files. This is useful when there are files in the repository
  2196. that should not be available to the Salt fileserver. Can be used in conjunction
  2197. with :conf_master:`svnfs_mountpoint`. If used, then from Salt's perspective the
  2198. directories above the one specified will be ignored and the relative path will
  2199. (for the purposes of svnfs) be considered as the root of the repo.
  2200. .. code-block:: yaml
  2201. svnfs_root: somefolder/otherfolder
  2202. .. versionchanged:: 2014.7.0
  2203. Ability to specify svnfs roots on a per-remote basis was added. See
  2204. :conf_master:`here <svnfs_remotes>` for more info.
  2205. .. conf_master:: svnfs_trunk
  2206. ``svnfs_trunk``
  2207. ***************
  2208. .. versionadded:: 2014.7.0
  2209. Default: ``trunk``
  2210. Path relative to the root of the repository where the trunk is located. Can
  2211. also be configured on a per-remote basis, see :conf_master:`here
  2212. <svnfs_remotes>` for more info.
  2213. .. code-block:: yaml
  2214. svnfs_trunk: trunk
  2215. .. conf_master:: svnfs_branches
  2216. ``svnfs_branches``
  2217. ******************
  2218. .. versionadded:: 2014.7.0
  2219. Default: ``branches``
  2220. Path relative to the root of the repository where the branches are located. Can
  2221. also be configured on a per-remote basis, see :conf_master:`here
  2222. <svnfs_remotes>` for more info.
  2223. .. code-block:: yaml
  2224. svnfs_branches: branches
  2225. .. conf_master:: svnfs_tags
  2226. ``svnfs_tags``
  2227. **************
  2228. .. versionadded:: 2014.7.0
  2229. Default: ``tags``
  2230. Path relative to the root of the repository where the tags are located. Can
  2231. also be configured on a per-remote basis, see :conf_master:`here
  2232. <svnfs_remotes>` for more info.
  2233. .. code-block:: yaml
  2234. svnfs_tags: tags
  2235. .. conf_master:: svnfs_saltenv_whitelist
  2236. ``svnfs_saltenv_whitelist``
  2237. ***************************
  2238. .. versionadded:: 2014.7.0
  2239. .. versionchanged:: 2018.3.0
  2240. Renamed from ``svnfs_env_whitelist`` to ``svnfs_saltenv_whitelist``
  2241. Default: ``[]``
  2242. Used to restrict which environments are made available. Can speed up state runs
  2243. if your svnfs remotes contain many branches/tags. Full names, globs, and
  2244. regular expressions are supported. If using a regular expression, the expression
  2245. must match the entire minion ID.
  2246. If used, only branches/tags which match one of the specified expressions will
  2247. be exposed as fileserver environments.
  2248. If used in conjunction with :conf_master:`svnfs_saltenv_blacklist`, then the subset
  2249. of branches/tags which match the whitelist but do *not* match the blacklist
  2250. will be exposed as fileserver environments.
  2251. .. code-block:: yaml
  2252. svnfs_saltenv_whitelist:
  2253. - base
  2254. - v1.*
  2255. - 'mybranch\d+'
  2256. .. conf_master:: svnfs_saltenv_blacklist
  2257. ``svnfs_saltenv_blacklist``
  2258. ***************************
  2259. .. versionadded:: 2014.7.0
  2260. .. versionchanged:: 2018.3.0
  2261. Renamed from ``svnfs_env_blacklist`` to ``svnfs_saltenv_blacklist``
  2262. Default: ``[]``
  2263. Used to restrict which environments are made available. Can speed up state runs
  2264. if your svnfs remotes contain many branches/tags. Full names, globs, and
  2265. regular expressions are supported. If using a regular expression, the
  2266. expression must match the entire minion ID.
  2267. If used, branches/tags which match one of the specified expressions will *not*
  2268. be exposed as fileserver environments.
  2269. If used in conjunction with :conf_master:`svnfs_saltenv_whitelist`, then the subset
  2270. of branches/tags which match the whitelist but do *not* match the blacklist
  2271. will be exposed as fileserver environments.
  2272. .. code-block:: yaml
  2273. svnfs_saltenv_blacklist:
  2274. - base
  2275. - v1.*
  2276. - 'mybranch\d+'
  2277. .. conf_master:: svnfs_update_interval
  2278. ``svnfs_update_interval``
  2279. *************************
  2280. .. versionadded:: 2018.3.0
  2281. Default: ``60``
  2282. This option defines the update interval (in seconds) for
  2283. :conf_master:`svnfs_remotes`.
  2284. .. code-block:: yaml
  2285. svnfs_update_interval: 120
  2286. minionfs: MinionFS Remote File Server Backend
  2287. ---------------------------------------------
  2288. .. conf_master:: minionfs_env
  2289. ``minionfs_env``
  2290. ****************
  2291. .. versionadded:: 2014.7.0
  2292. Default: ``base``
  2293. Environment from which MinionFS files are made available.
  2294. .. code-block:: yaml
  2295. minionfs_env: minionfs
  2296. .. conf_master:: minionfs_mountpoint
  2297. ``minionfs_mountpoint``
  2298. ***********************
  2299. .. versionadded:: 2014.7.0
  2300. Default: ``''``
  2301. Specifies a path on the salt fileserver from which minionfs files are served.
  2302. .. code-block:: yaml
  2303. minionfs_mountpoint: salt://foo/bar
  2304. .. note::
  2305. The ``salt://`` protocol designation can be left off (in other words,
  2306. ``foo/bar`` and ``salt://foo/bar`` are equivalent).
  2307. .. conf_master:: minionfs_whitelist
  2308. ``minionfs_whitelist``
  2309. **********************
  2310. .. versionadded:: 2014.7.0
  2311. Default: ``[]``
  2312. Used to restrict which minions' pushed files are exposed via minionfs. If using
  2313. a regular expression, the expression must match the entire minion ID.
  2314. If used, only the pushed files from minions which match one of the specified
  2315. expressions will be exposed.
  2316. If used in conjunction with :conf_master:`minionfs_blacklist`, then the subset
  2317. of hosts which match the whitelist but do *not* match the blacklist will be
  2318. exposed.
  2319. .. code-block:: yaml
  2320. minionfs_whitelist:
  2321. - server01
  2322. - dev*
  2323. - 'mail\d+.mydomain.tld'
  2324. .. conf_master:: minionfs_blacklist
  2325. ``minionfs_blacklist``
  2326. **********************
  2327. .. versionadded:: 2014.7.0
  2328. Default: ``[]``
  2329. Used to restrict which minions' pushed files are exposed via minionfs. If using
  2330. a regular expression, the expression must match the entire minion ID.
  2331. If used, only the pushed files from minions which match one of the specified
  2332. expressions will *not* be exposed.
  2333. If used in conjunction with :conf_master:`minionfs_whitelist`, then the subset
  2334. of hosts which match the whitelist but do *not* match the blacklist will be
  2335. exposed.
  2336. .. code-block:: yaml
  2337. minionfs_blacklist:
  2338. - server01
  2339. - dev*
  2340. - 'mail\d+.mydomain.tld'
  2341. .. conf_master:: minionfs_update_interval
  2342. ``minionfs_update_interval``
  2343. ****************************
  2344. .. versionadded:: 2018.3.0
  2345. Default: ``60``
  2346. This option defines the update interval (in seconds) for :ref:`MinionFS
  2347. <tutorial-minionfs>`.
  2348. .. note::
  2349. Since :ref:`MinionFS <tutorial-minionfs>` consists of files local to the
  2350. master, the update process for this fileserver backend just reaps the cache
  2351. for this backend.
  2352. .. code-block:: yaml
  2353. minionfs_update_interval: 120
  2354. azurefs: Azure File Server Backend
  2355. ----------------------------------
  2356. .. versionadded:: 2015.8.0
  2357. See the :mod:`azurefs documentation <salt.fileserver.azurefs>` for usage
  2358. examples.
  2359. .. conf_master:: azurefs_update_interval
  2360. ``azurefs_update_interval``
  2361. ***************************
  2362. .. versionadded:: 2018.3.0
  2363. Default: ``60``
  2364. This option defines the update interval (in seconds) for azurefs.
  2365. .. code-block:: yaml
  2366. azurefs_update_interval: 120
  2367. s3fs: S3 File Server Backend
  2368. ----------------------------
  2369. .. versionadded:: 0.16.0
  2370. See the :mod:`s3fs documentation <salt.fileserver.s3fs>` for usage examples.
  2371. .. conf_master:: s3fs_update_interval
  2372. ``s3fs_update_interval``
  2373. ************************
  2374. .. versionadded:: 2018.3.0
  2375. Default: ``60``
  2376. This option defines the update interval (in seconds) for s3fs.
  2377. .. code-block:: yaml
  2378. s3fs_update_interval: 120
  2379. .. _pillar-configuration-master:
  2380. Pillar Configuration
  2381. ====================
  2382. .. conf_master:: pillar_roots
  2383. ``pillar_roots``
  2384. ----------------
  2385. Default:
  2386. .. code-block:: yaml
  2387. base:
  2388. - /srv/pillar
  2389. Set the environments and directories used to hold pillar sls data. This
  2390. configuration is the same as :conf_master:`file_roots`:
  2391. .. code-block:: yaml
  2392. pillar_roots:
  2393. base:
  2394. - /srv/pillar
  2395. dev:
  2396. - /srv/pillar/dev
  2397. prod:
  2398. - /srv/pillar/prod
  2399. .. conf_master:: on_demand_ext_pillar
  2400. ``on_demand_ext_pillar``
  2401. ------------------------
  2402. .. versionadded:: 2016.3.6,2016.11.3,2017.7.0
  2403. Default: ``['libvirt', 'virtkey']``
  2404. The external pillars permitted to be used on-demand using :py:func:`pillar.ext
  2405. <salt.modules.pillar.ext>`.
  2406. .. code-block:: yaml
  2407. on_demand_ext_pillar:
  2408. - libvirt
  2409. - virtkey
  2410. - git
  2411. .. warning::
  2412. This will allow minions to request specific pillar data via
  2413. :py:func:`pillar.ext <salt.modules.pillar.ext>`, and may be considered a
  2414. security risk. However, pillar data generated in this way will not affect
  2415. the :ref:`in-memory pillar data <pillar-in-memory>`, so this risk is
  2416. limited to instances in which states/modules/etc. (built-in or custom) rely
  2417. upon pillar data generated by :py:func:`pillar.ext
  2418. <salt.modules.pillar.ext>`.
  2419. .. conf_master:: decrypt_pillar
  2420. ``decrypt_pillar``
  2421. ------------------
  2422. .. versionadded:: 2017.7.0
  2423. Default: ``[]``
  2424. A list of paths to be recursively decrypted during pillar compilation.
  2425. .. code-block:: yaml
  2426. decrypt_pillar:
  2427. - 'foo:bar': gpg
  2428. - 'lorem:ipsum:dolor'
  2429. Entries in this list can be formatted either as a simple string, or as a
  2430. key/value pair, with the key being the pillar location, and the value being the
  2431. renderer to use for pillar decryption. If the former is used, the renderer
  2432. specified by :conf_master:`decrypt_pillar_default` will be used.
  2433. .. conf_master:: decrypt_pillar_delimiter
  2434. ``decrypt_pillar_delimiter``
  2435. ----------------------------
  2436. .. versionadded:: 2017.7.0
  2437. Default: ``:``
  2438. The delimiter used to distinguish nested data structures in the
  2439. :conf_master:`decrypt_pillar` option.
  2440. .. code-block:: yaml
  2441. decrypt_pillar_delimiter: '|'
  2442. decrypt_pillar:
  2443. - 'foo|bar': gpg
  2444. - 'lorem|ipsum|dolor'
  2445. .. conf_master:: decrypt_pillar_default
  2446. ``decrypt_pillar_default``
  2447. --------------------------
  2448. .. versionadded:: 2017.7.0
  2449. Default: ``gpg``
  2450. The default renderer used for decryption, if one is not specified for a given
  2451. pillar key in :conf_master:`decrypt_pillar`.
  2452. .. code-block:: yaml
  2453. decrypt_pillar_default: my_custom_renderer
  2454. .. conf_master:: decrypt_pillar_renderers
  2455. ``decrypt_pillar_renderers``
  2456. ----------------------------
  2457. .. versionadded:: 2017.7.0
  2458. Default: ``['gpg']``
  2459. List of renderers which are permitted to be used for pillar decryption.
  2460. .. code-block:: yaml
  2461. decrypt_pillar_renderers:
  2462. - gpg
  2463. - my_custom_renderer
  2464. .. conf_master:: pillar_opts
  2465. ``pillar_opts``
  2466. ---------------
  2467. Default: ``False``
  2468. The ``pillar_opts`` option adds the master configuration file data to a dict in
  2469. the pillar called ``master``. This can be used to set simple configurations in
  2470. the master config file that can then be used on minions.
  2471. Note that setting this option to ``True`` means the master config file will be
  2472. included in all minion's pillars. While this makes global configuration of services
  2473. and systems easy, it may not be desired if sensitive data is stored in the master
  2474. configuration.
  2475. .. code-block:: yaml
  2476. pillar_opts: False
  2477. .. conf_master:: pillar_safe_render_error
  2478. ``pillar_safe_render_error``
  2479. ----------------------------
  2480. Default: ``True``
  2481. The pillar_safe_render_error option prevents the master from passing pillar
  2482. render errors to the minion. This is set on by default because the error could
  2483. contain templating data which would give that minion information it shouldn't
  2484. have, like a password! When set ``True`` the error message will only show:
  2485. .. code-block:: shell
  2486. Rendering SLS 'my.sls' failed. Please see master log for details.
  2487. .. code-block:: yaml
  2488. pillar_safe_render_error: True
  2489. .. _master-configuration-ext-pillar:
  2490. .. conf_master:: ext_pillar
  2491. ``ext_pillar``
  2492. --------------
  2493. The ext_pillar option allows for any number of external pillar interfaces to be
  2494. called when populating pillar data. The configuration is based on ext_pillar
  2495. functions. The available ext_pillar functions can be found herein:
  2496. :blob:`salt/pillar`
  2497. By default, the ext_pillar interface is not configured to run.
  2498. Default: ``[]``
  2499. .. code-block:: yaml
  2500. ext_pillar:
  2501. - hiera: /etc/hiera.yaml
  2502. - cmd_yaml: cat /etc/salt/yaml
  2503. - reclass:
  2504. inventory_base_uri: /etc/reclass
  2505. There are additional details at :ref:`salt-pillars`
  2506. .. conf_master:: ext_pillar_first
  2507. ``ext_pillar_first``
  2508. --------------------
  2509. .. versionadded:: 2015.5.0
  2510. Default: ``False``
  2511. This option allows for external pillar sources to be evaluated before
  2512. :conf_master:`pillar_roots`. External pillar data is evaluated separately from
  2513. :conf_master:`pillar_roots` pillar data, and then both sets of pillar data are
  2514. merged into a single pillar dictionary, so the value of this config option will
  2515. have an impact on which key "wins" when there is one of the same name in both
  2516. the external pillar data and :conf_master:`pillar_roots` pillar data. By
  2517. setting this option to ``True``, ext_pillar keys will be overridden by
  2518. :conf_master:`pillar_roots`, while leaving it as ``False`` will allow
  2519. ext_pillar keys to override those from :conf_master:`pillar_roots`.
  2520. .. note::
  2521. For a while, this config option did not work as specified above, because of
  2522. a bug in Pillar compilation. This bug has been resolved in version 2016.3.4
  2523. and later.
  2524. .. code-block:: yaml
  2525. ext_pillar_first: False
  2526. .. conf_minion:: pillarenv_from_saltenv
  2527. ``pillarenv_from_saltenv``
  2528. --------------------------
  2529. Default: ``False``
  2530. When set to ``True``, the :conf_master:`pillarenv` value will assume the value
  2531. of the effective saltenv when running states. This essentially makes ``salt-run
  2532. pillar.show_pillar saltenv=dev`` equivalent to ``salt-run pillar.show_pillar
  2533. saltenv=dev pillarenv=dev``. If :conf_master:`pillarenv` is set on the CLI, it
  2534. will override this option.
  2535. .. code-block:: yaml
  2536. pillarenv_from_saltenv: True
  2537. .. note::
  2538. For salt remote execution commands this option should be set in the Minion
  2539. configuration instead.
  2540. .. conf_master:: pillar_raise_on_missing
  2541. ``pillar_raise_on_missing``
  2542. ---------------------------
  2543. .. versionadded:: 2015.5.0
  2544. Default: ``False``
  2545. Set this option to ``True`` to force a ``KeyError`` to be raised whenever an
  2546. attempt to retrieve a named value from pillar fails. When this option is set
  2547. to ``False``, the failed attempt returns an empty string.
  2548. .. _git-pillar-config-opts:
  2549. Git External Pillar (git_pillar) Configuration Options
  2550. ------------------------------------------------------
  2551. .. conf_master:: git_pillar_provider
  2552. ``git_pillar_provider``
  2553. ***********************
  2554. .. versionadded:: 2015.8.0
  2555. Specify the provider to be used for git_pillar. Must be either ``pygit2`` or
  2556. ``gitpython``. If unset, then both will be tried in that same order, and the
  2557. first one with a compatible version installed will be the provider that is
  2558. used.
  2559. .. code-block:: yaml
  2560. git_pillar_provider: gitpython
  2561. .. conf_master:: git_pillar_base
  2562. ``git_pillar_base``
  2563. *******************
  2564. .. versionadded:: 2015.8.0
  2565. Default: ``master``
  2566. If the desired branch matches this value, and the environment is omitted from
  2567. the git_pillar configuration, then the environment for that git_pillar remote
  2568. will be ``base``. For example, in the configuration below, the ``foo``
  2569. branch/tag would be assigned to the ``base`` environment, while ``bar`` would
  2570. be mapped to the ``bar`` environment.
  2571. .. code-block:: yaml
  2572. git_pillar_base: foo
  2573. ext_pillar:
  2574. - git:
  2575. - foo https://mygitserver/git-pillar.git
  2576. - bar https://mygitserver/git-pillar.git
  2577. .. conf_master:: git_pillar_branch
  2578. ``git_pillar_branch``
  2579. *********************
  2580. .. versionadded:: 2015.8.0
  2581. Default: ``master``
  2582. If the branch is omitted from a git_pillar remote, then this branch will be
  2583. used instead. For example, in the configuration below, the first two remotes
  2584. would use the ``pillardata`` branch/tag, while the third would use the ``foo``
  2585. branch/tag.
  2586. .. code-block:: yaml
  2587. git_pillar_branch: pillardata
  2588. ext_pillar:
  2589. - git:
  2590. - https://mygitserver/pillar1.git
  2591. - https://mygitserver/pillar2.git:
  2592. - root: pillar
  2593. - foo https://mygitserver/pillar3.git
  2594. .. conf_master:: git_pillar_env
  2595. ``git_pillar_env``
  2596. ******************
  2597. .. versionadded:: 2015.8.0
  2598. Default: ``''`` (unset)
  2599. Environment to use for git_pillar remotes. This is normally derived from the
  2600. branch/tag (or from a per-remote ``env`` parameter), but if set this will
  2601. override the process of deriving the env from the branch/tag name. For example,
  2602. in the configuration below the ``foo`` branch would be assigned to the ``base``
  2603. environment, while the ``bar`` branch would need to explicitly have ``bar``
  2604. configured as it's environment to keep it from also being mapped to the
  2605. ``base`` environment.
  2606. .. code-block:: yaml
  2607. git_pillar_env: base
  2608. ext_pillar:
  2609. - git:
  2610. - foo https://mygitserver/git-pillar.git
  2611. - bar https://mygitserver/git-pillar.git:
  2612. - env: bar
  2613. For this reason, this option is recommended to be left unset, unless the use
  2614. case calls for all (or almost all) of the git_pillar remotes to use the same
  2615. environment irrespective of the branch/tag being used.
  2616. .. conf_master:: git_pillar_root
  2617. ``git_pillar_root``
  2618. *******************
  2619. .. versionadded:: 2015.8.0
  2620. Default: ``''``
  2621. Path relative to the root of the repository where the git_pillar top file and
  2622. SLS files are located. In the below configuration, the pillar top file and SLS
  2623. files would be looked for in a subdirectory called ``pillar``.
  2624. .. code-block:: yaml
  2625. git_pillar_root: pillar
  2626. ext_pillar:
  2627. - git:
  2628. - master https://mygitserver/pillar1.git
  2629. - master https://mygitserver/pillar2.git
  2630. .. note::
  2631. This is a global option. If only one or two repos need to have their files
  2632. sourced from a subdirectory, then :conf_master:`git_pillar_root` can be
  2633. omitted and the root can be specified on a per-remote basis, like so:
  2634. .. code-block:: yaml
  2635. ext_pillar:
  2636. - git:
  2637. - master https://mygitserver/pillar1.git
  2638. - master https://mygitserver/pillar2.git:
  2639. - root: pillar
  2640. In this example, for the first remote the top file and SLS files would be
  2641. looked for in the root of the repository, while in the second remote the
  2642. pillar data would be retrieved from the ``pillar`` subdirectory.
  2643. .. conf_master:: git_pillar_ssl_verify
  2644. ``git_pillar_ssl_verify``
  2645. *************************
  2646. .. versionadded:: 2015.8.0
  2647. .. versionchanged:: 2016.11.0
  2648. Default: ``False``
  2649. Specifies whether or not to ignore SSL certificate errors when contacting the
  2650. remote repository. The ``False`` setting is useful if you're using a
  2651. git repo that uses a self-signed certificate. However, keep in mind that
  2652. setting this to anything other ``True`` is a considered insecure, and using an
  2653. SSH-based transport (if available) may be a better option.
  2654. In the 2016.11.0 release, the default config value changed from ``False`` to
  2655. ``True``.
  2656. .. code-block:: yaml
  2657. git_pillar_ssl_verify: True
  2658. .. note::
  2659. pygit2 only supports disabling SSL verification in versions 0.23.2 and
  2660. newer.
  2661. .. conf_master:: git_pillar_global_lock
  2662. ``git_pillar_global_lock``
  2663. **************************
  2664. .. versionadded:: 2015.8.9
  2665. Default: ``True``
  2666. When set to ``False``, if there is an update/checkout lock for a git_pillar
  2667. remote and the pid written to it is not running on the master, the lock file
  2668. will be automatically cleared and a new lock will be obtained. When set to
  2669. ``True``, Salt will simply log a warning when there is an lock present.
  2670. On single-master deployments, disabling this option can help automatically deal
  2671. with instances where the master was shutdown/restarted during the middle of a
  2672. git_pillar update/checkout, leaving a lock in place.
  2673. However, on multi-master deployments with the git_pillar cachedir shared via
  2674. `GlusterFS`__, nfs, or another network filesystem, it is strongly recommended
  2675. not to disable this option as doing so will cause lock files to be removed if
  2676. they were created by a different master.
  2677. .. code-block:: yaml
  2678. # Disable global lock
  2679. git_pillar_global_lock: False
  2680. .. __: http://www.gluster.org/
  2681. .. conf_master:: git_pillar_includes
  2682. ``git_pillar_includes``
  2683. ***********************
  2684. .. versionadded:: 2017.7.0
  2685. Default: ``True``
  2686. Normally, when processing :ref:`git_pillar remotes
  2687. <git-pillar-configuration>`, if more than one repo under the same ``git``
  2688. section in the ``ext_pillar`` configuration refers to the same pillar
  2689. environment, then each repo in a given environment will have access to the
  2690. other repos' files to be referenced in their top files. However, it may be
  2691. desirable to disable this behavior. If so, set this value to ``False``.
  2692. For a more detailed examination of how includes work, see :ref:`this
  2693. explanation <git-pillar-multiple-remotes>` from the git_pillar documentation.
  2694. .. code-block:: yaml
  2695. git_pillar_includes: False
  2696. ``git_pillar_update_interval``
  2697. ******************************
  2698. .. versionadded:: neon
  2699. Default: ``60``
  2700. This option defines the default update interval (in seconds) for git_pillar
  2701. remotes. The update is handled within the global loop, hence
  2702. ``git_pillar_update_interval`` should be a multiple of ``loop_interval``.
  2703. .. code-block:: yaml
  2704. git_pillar_update_interval: 120
  2705. .. _git-ext-pillar-auth-opts:
  2706. Git External Pillar Authentication Options
  2707. ******************************************
  2708. These parameters only currently apply to the ``pygit2``
  2709. :conf_master:`git_pillar_provider`. Authentication works the same as it does
  2710. in gitfs, as outlined in the :ref:`GitFS Walkthrough <gitfs-authentication>`,
  2711. though the global configuration options are named differently to reflect that
  2712. they are for git_pillar instead of gitfs.
  2713. .. conf_master:: git_pillar_user
  2714. ``git_pillar_user``
  2715. ~~~~~~~~~~~~~~~~~~~
  2716. .. versionadded:: 2015.8.0
  2717. Default: ``''``
  2718. Along with :conf_master:`git_pillar_password`, is used to authenticate to HTTPS
  2719. remotes.
  2720. .. code-block:: yaml
  2721. git_pillar_user: git
  2722. .. conf_master:: git_pillar_password
  2723. ``git_pillar_password``
  2724. ~~~~~~~~~~~~~~~~~~~~~~~
  2725. .. versionadded:: 2015.8.0
  2726. Default: ``''``
  2727. Along with :conf_master:`git_pillar_user`, is used to authenticate to HTTPS
  2728. remotes. This parameter is not required if the repository does not use
  2729. authentication.
  2730. .. code-block:: yaml
  2731. git_pillar_password: mypassword
  2732. .. conf_master:: git_pillar_insecure_auth
  2733. ``git_pillar_insecure_auth``
  2734. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  2735. .. versionadded:: 2015.8.0
  2736. Default: ``False``
  2737. By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. This
  2738. parameter enables authentication over HTTP. **Enable this at your own risk.**
  2739. .. code-block:: yaml
  2740. git_pillar_insecure_auth: True
  2741. .. conf_master:: git_pillar_pubkey
  2742. ``git_pillar_pubkey``
  2743. ~~~~~~~~~~~~~~~~~~~~~
  2744. .. versionadded:: 2015.8.0
  2745. Default: ``''``
  2746. Along with :conf_master:`git_pillar_privkey` (and optionally
  2747. :conf_master:`git_pillar_passphrase`), is used to authenticate to SSH remotes.
  2748. .. code-block:: yaml
  2749. git_pillar_pubkey: /path/to/key.pub
  2750. .. conf_master:: git_pillar_privkey
  2751. ``git_pillar_privkey``
  2752. ~~~~~~~~~~~~~~~~~~~~~~
  2753. .. versionadded:: 2015.8.0
  2754. Default: ``''``
  2755. Along with :conf_master:`git_pillar_pubkey` (and optionally
  2756. :conf_master:`git_pillar_passphrase`), is used to authenticate to SSH remotes.
  2757. .. code-block:: yaml
  2758. git_pillar_privkey: /path/to/key
  2759. .. conf_master:: git_pillar_passphrase
  2760. ``git_pillar_passphrase``
  2761. ~~~~~~~~~~~~~~~~~~~~~~~~~
  2762. .. versionadded:: 2015.8.0
  2763. Default: ``''``
  2764. This parameter is optional, required only when the SSH key being used to
  2765. authenticate is protected by a passphrase.
  2766. .. code-block:: yaml
  2767. git_pillar_passphrase: mypassphrase
  2768. .. conf_master:: git_pillar_refspecs
  2769. ``git_pillar_refspecs``
  2770. ~~~~~~~~~~~~~~~~~~~~~~~
  2771. .. versionadded:: 2017.7.0
  2772. Default: ``['+refs/heads/*:refs/remotes/origin/*', '+refs/tags/*:refs/tags/*']``
  2773. When fetching from remote repositories, by default Salt will fetch branches and
  2774. tags. This parameter can be used to override the default and specify
  2775. alternate refspecs to be fetched. This parameter works similarly to its
  2776. :ref:`GitFS counterpart <gitfs-custom-refspecs>`, in that it can be
  2777. configured both globally and for individual remotes.
  2778. .. code-block:: yaml
  2779. git_pillar_refspecs:
  2780. - '+refs/heads/*:refs/remotes/origin/*'
  2781. - '+refs/tags/*:refs/tags/*'
  2782. - '+refs/pull/*/head:refs/remotes/origin/pr/*'
  2783. - '+refs/pull/*/merge:refs/remotes/origin/merge/*'
  2784. .. conf_master:: git_pillar_verify_config
  2785. ``git_pillar_verify_config``
  2786. ----------------------------
  2787. .. versionadded:: 2017.7.0
  2788. Default: ``True``
  2789. By default, as the master starts it performs some sanity checks on the
  2790. configured git_pillar repositories. If any of these sanity checks fail (such as
  2791. when an invalid configuration is used), the master daemon will abort.
  2792. To skip these sanity checks, set this option to ``False``.
  2793. .. code-block:: yaml
  2794. git_pillar_verify_config: False
  2795. .. _pillar-merging-opts:
  2796. Pillar Merging Options
  2797. ----------------------
  2798. .. conf_master:: pillar_source_merging_strategy
  2799. ``pillar_source_merging_strategy``
  2800. **********************************
  2801. .. versionadded:: 2014.7.0
  2802. Default: ``smart``
  2803. The pillar_source_merging_strategy option allows you to configure merging
  2804. strategy between different sources. It accepts 5 values:
  2805. * ``none``:
  2806. It will not do any merging at all and only parse the pillar data from the passed environment and 'base' if no environment was specified.
  2807. .. versionadded:: 2016.3.4
  2808. * ``recurse``:
  2809. It will recursively merge data. For example, theses 2 sources:
  2810. .. code-block:: yaml
  2811. foo: 42
  2812. bar:
  2813. element1: True
  2814. .. code-block:: yaml
  2815. bar:
  2816. element2: True
  2817. baz: quux
  2818. will be merged as:
  2819. .. code-block:: yaml
  2820. foo: 42
  2821. bar:
  2822. element1: True
  2823. element2: True
  2824. baz: quux
  2825. * ``aggregate``:
  2826. instructs aggregation of elements between sources that use the #!yamlex renderer.
  2827. For example, these two documents:
  2828. .. code-block:: yaml
  2829. #!yamlex
  2830. foo: 42
  2831. bar: !aggregate {
  2832. element1: True
  2833. }
  2834. baz: !aggregate quux
  2835. .. code-block:: yaml
  2836. #!yamlex
  2837. bar: !aggregate {
  2838. element2: True
  2839. }
  2840. baz: !aggregate quux2
  2841. will be merged as:
  2842. .. code-block:: yaml
  2843. foo: 42
  2844. bar:
  2845. element1: True
  2846. element2: True
  2847. baz:
  2848. - quux
  2849. - quux2
  2850. * ``overwrite``:
  2851. Will use the behaviour of the 2014.1 branch and earlier.
  2852. Overwrites elements according the order in which they are processed.
  2853. First pillar processed:
  2854. .. code-block:: yaml
  2855. A:
  2856. first_key: blah
  2857. second_key: blah
  2858. Second pillar processed:
  2859. .. code-block:: yaml
  2860. A:
  2861. third_key: blah
  2862. fourth_key: blah
  2863. will be merged as:
  2864. .. code-block:: yaml
  2865. A:
  2866. third_key: blah
  2867. fourth_key: blah
  2868. * ``smart`` (default):
  2869. Guesses the best strategy based on the "renderer" setting.
  2870. .. note::
  2871. In order for yamlex based features such as ``!aggregate`` to work as expected
  2872. across documents using the default ``smart`` merge strategy, the :conf_master:`renderer`
  2873. config option must be set to ``jinja|yamlex`` or similar.
  2874. .. conf_master:: pillar_merge_lists
  2875. ``pillar_merge_lists``
  2876. **********************
  2877. .. versionadded:: 2015.8.0
  2878. Default: ``False``
  2879. Recursively merge lists by aggregating them instead of replacing them.
  2880. .. code-block:: yaml
  2881. pillar_merge_lists: False
  2882. .. conf_master:: pillar_includes_override_sls
  2883. ``pillar_includes_override_sls``
  2884. ********************************
  2885. .. versionadded:: 2017.7.6,2018.3.1
  2886. Default: ``False``
  2887. Prior to version 2017.7.3, keys from :ref:`pillar includes <pillar-include>`
  2888. would be merged on top of the pillar SLS. Since 2017.7.3, the includes are
  2889. merged together and then the pillar SLS is merged on top of that.
  2890. Set this option to ``True`` to return to the old behavior.
  2891. .. code-block:: yaml
  2892. pillar_includes_override_sls: True
  2893. .. _pillar-cache-opts:
  2894. Pillar Cache Options
  2895. --------------------
  2896. .. conf_master:: pillar_cache
  2897. ``pillar_cache``
  2898. ****************
  2899. .. versionadded:: 2015.8.8
  2900. Default: ``False``
  2901. A master can cache pillars locally to bypass the expense of having to render them
  2902. for each minion on every request. This feature should only be enabled in cases
  2903. where pillar rendering time is known to be unsatisfactory and any attendant security
  2904. concerns about storing pillars in a master cache have been addressed.
  2905. When enabling this feature, be certain to read through the additional ``pillar_cache_*``
  2906. configuration options to fully understand the tunable parameters and their implications.
  2907. .. code-block:: yaml
  2908. pillar_cache: False
  2909. .. note::
  2910. Setting ``pillar_cache: True`` has no effect on
  2911. :ref:`targeting minions with pillar <targeting-pillar>`.
  2912. .. conf_master:: pillar_cache_ttl
  2913. ``pillar_cache_ttl``
  2914. ********************
  2915. .. versionadded:: 2015.8.8
  2916. Default: ``3600``
  2917. If and only if a master has set ``pillar_cache: True``, the cache TTL controls the amount
  2918. of time, in seconds, before the cache is considered invalid by a master and a fresh
  2919. pillar is recompiled and stored.
  2920. .. conf_master:: pillar_cache_backend
  2921. ``pillar_cache_backend``
  2922. ************************
  2923. .. versionadded:: 2015.8.8
  2924. Default: ``disk``
  2925. If an only if a master has set ``pillar_cache: True``, one of several storage providers
  2926. can be utilized:
  2927. * ``disk`` (default):
  2928. The default storage backend. This caches rendered pillars to the master cache.
  2929. Rendered pillars are serialized and deserialized as ``msgpack`` structures for speed.
  2930. Note that pillars are stored UNENCRYPTED. Ensure that the master cache has permissions
  2931. set appropriately (sane defaults are provided).
  2932. * ``memory`` [EXPERIMENTAL]:
  2933. An optional backend for pillar caches which uses a pure-Python
  2934. in-memory data structure for maximal performance. There are several caveats,
  2935. however. First, because each master worker contains its own in-memory cache,
  2936. there is no guarantee of cache consistency between minion requests. This
  2937. works best in situations where the pillar rarely if ever changes. Secondly,
  2938. and perhaps more importantly, this means that unencrypted pillars will
  2939. be accessible to any process which can examine the memory of the ``salt-master``!
  2940. This may represent a substantial security risk.
  2941. .. code-block:: yaml
  2942. pillar_cache_backend: disk
  2943. Master Reactor Settings
  2944. =======================
  2945. .. conf_master:: reactor
  2946. ``reactor``
  2947. -----------
  2948. Default: ``[]``
  2949. Defines a salt reactor. See the :ref:`Reactor <reactor>` documentation for more
  2950. information.
  2951. .. code-block:: yaml
  2952. reactor:
  2953. - 'salt/minion/*/start':
  2954. - salt://reactor/startup_tasks.sls
  2955. .. conf_master:: reactor_refresh_interval
  2956. ``reactor_refresh_interval``
  2957. ----------------------------
  2958. Default: ``60``
  2959. The TTL for the cache of the reactor configuration.
  2960. .. code-block:: yaml
  2961. reactor_refresh_interval: 60
  2962. .. conf_master:: reactor_worker_threads
  2963. ``reactor_worker_threads``
  2964. --------------------------
  2965. Default: ``10``
  2966. The number of workers for the runner/wheel in the reactor.
  2967. .. code-block:: yaml
  2968. reactor_worker_threads: 10
  2969. .. conf_master:: reactor_worker_hwm
  2970. ``reactor_worker_hwm``
  2971. ----------------------
  2972. Default: ``10000``
  2973. The queue size for workers in the reactor.
  2974. .. code-block:: yaml
  2975. reactor_worker_hwm: 10000
  2976. .. _salt-api-master-settings:
  2977. Salt-API Master Settings
  2978. ========================
  2979. There are some settings for :ref:`salt-api <netapi-introduction>` that can be
  2980. configured on the Salt Master.
  2981. .. conf_master:: api_logfile
  2982. ``api_logfile``
  2983. ---------------
  2984. Default: ``/var/log/salt/api``
  2985. The logfile location for ``salt-api``.
  2986. .. code-block:: yaml
  2987. api_logfile: /var/log/salt/api
  2988. .. conf_master:: api_pidfile
  2989. ``api_pidfile``
  2990. ---------------
  2991. Default: /var/run/salt-api.pid
  2992. If this master will be running ``salt-api``, specify the pidfile of the
  2993. ``salt-api`` daemon.
  2994. .. code-block:: yaml
  2995. api_pidfile: /var/run/salt-api.pid
  2996. .. conf_master:: rest_timeout
  2997. ``rest_timeout``
  2998. ----------------
  2999. Default: ``300``
  3000. Used by ``salt-api`` for the master requests timeout.
  3001. .. code-block:: yaml
  3002. rest_timeout: 300
  3003. .. _syndic-server-settings:
  3004. Syndic Server Settings
  3005. ======================
  3006. A Salt syndic is a Salt master used to pass commands from a higher Salt master
  3007. to minions below the syndic. Using the syndic is simple. If this is a master
  3008. that will have syndic servers(s) below it, set the ``order_masters`` setting to
  3009. ``True``.
  3010. If this is a master that will be running a syndic daemon for passthrough the
  3011. ``syndic_master`` setting needs to be set to the location of the master server.
  3012. Do not forget that, in other words, it means that it shares with the local minion
  3013. its ID and PKI directory.
  3014. .. conf_master:: order_masters
  3015. ``order_masters``
  3016. -----------------
  3017. Default: ``False``
  3018. Extra data needs to be sent with publications if the master is controlling a
  3019. lower level master via a syndic minion. If this is the case the order_masters
  3020. value must be set to True
  3021. .. code-block:: yaml
  3022. order_masters: False
  3023. .. conf_master:: syndic_master
  3024. ``syndic_master``
  3025. -----------------
  3026. .. versionchanged:: 2016.3.5,2016.11.1
  3027. Set default higher level master address.
  3028. Default: ``masterofmasters``
  3029. If this master will be running the ``salt-syndic`` to connect to a higher level
  3030. master, specify the higher level master with this configuration value.
  3031. .. code-block:: yaml
  3032. syndic_master: masterofmasters
  3033. You can optionally connect a syndic to multiple higher level masters by
  3034. setting the ``syndic_master`` value to a list:
  3035. .. code-block:: yaml
  3036. syndic_master:
  3037. - masterofmasters1
  3038. - masterofmasters2
  3039. Each higher level master must be set up in a multi-master configuration.
  3040. .. conf_master:: syndic_master_port
  3041. ``syndic_master_port``
  3042. ----------------------
  3043. Default: ``4506``
  3044. If this master will be running the ``salt-syndic`` to connect to a higher level
  3045. master, specify the higher level master port with this configuration value.
  3046. .. code-block:: yaml
  3047. syndic_master_port: 4506
  3048. .. conf_master:: syndic_pidfile
  3049. ``syndic_pidfile``
  3050. ------------------
  3051. Default: ``/var/run/salt-syndic.pid``
  3052. If this master will be running the ``salt-syndic`` to connect to a higher level
  3053. master, specify the pidfile of the syndic daemon.
  3054. .. code-block:: yaml
  3055. syndic_pidfile: /var/run/syndic.pid
  3056. .. conf_master:: syndic_log_file
  3057. ``syndic_log_file``
  3058. -------------------
  3059. Default: ``/var/log/salt/syndic``
  3060. If this master will be running the ``salt-syndic`` to connect to a higher level
  3061. master, specify the log file of the syndic daemon.
  3062. .. code-block:: yaml
  3063. syndic_log_file: /var/log/salt-syndic.log
  3064. .. conf_master:: syndic_failover
  3065. ``syndic_failover``
  3066. -------------------
  3067. .. versionadded:: 2016.3.0
  3068. Default: ``random``
  3069. The behaviour of the multi-syndic when connection to a master of masters failed.
  3070. Can specify ``random`` (default) or ``ordered``. If set to ``random``, masters
  3071. will be iterated in random order. If ``ordered`` is specified, the configured
  3072. order will be used.
  3073. .. code-block:: yaml
  3074. syndic_failover: random
  3075. .. conf_master:: syndic_wait
  3076. ``syndic_wait``
  3077. ---------------
  3078. Default: ``5``
  3079. The number of seconds for the salt client to wait for additional syndics to
  3080. check in with their lists of expected minions before giving up.
  3081. .. code-block:: yaml
  3082. syndic_wait: 5
  3083. .. conf_master:: syndic_forward_all_events
  3084. ``syndic_forward_all_events``
  3085. -----------------------------
  3086. .. versionadded:: 2017.7.0
  3087. Default: ``False``
  3088. Option on multi-syndic or single when connected to multiple masters to be able to
  3089. send events to all connected masters.
  3090. .. code-block:: yaml
  3091. syndic_forward_all_events: False
  3092. .. _peer-publish-settings:
  3093. Peer Publish Settings
  3094. =====================
  3095. Salt minions can send commands to other minions, but only if the minion is
  3096. allowed to. By default "Peer Publication" is disabled, and when enabled it
  3097. is enabled for specific minions and specific commands. This allows secure
  3098. compartmentalization of commands based on individual minions.
  3099. .. conf_master:: peer
  3100. ``peer``
  3101. --------
  3102. Default: ``{}``
  3103. The configuration uses regular expressions to match minions and then a list
  3104. of regular expressions to match functions. The following will allow the
  3105. minion authenticated as foo.example.com to execute functions from the test
  3106. and pkg modules.
  3107. .. code-block:: yaml
  3108. peer:
  3109. foo.example.com:
  3110. - test.*
  3111. - pkg.*
  3112. This will allow all minions to execute all commands:
  3113. .. code-block:: yaml
  3114. peer:
  3115. .*:
  3116. - .*
  3117. This is not recommended, since it would allow anyone who gets root on any
  3118. single minion to instantly have root on all of the minions!
  3119. By adding an additional layer you can limit the target hosts in addition to the
  3120. accessible commands:
  3121. .. code-block:: yaml
  3122. peer:
  3123. foo.example.com:
  3124. 'db*':
  3125. - test.*
  3126. - pkg.*
  3127. .. conf_master:: peer_run
  3128. ``peer_run``
  3129. ------------
  3130. Default: ``{}``
  3131. The peer_run option is used to open up runners on the master to access from the
  3132. minions. The peer_run configuration matches the format of the peer
  3133. configuration.
  3134. The following example would allow foo.example.com to execute the manage.up
  3135. runner:
  3136. .. code-block:: yaml
  3137. peer_run:
  3138. foo.example.com:
  3139. - manage.up
  3140. .. _master-logging-settings:
  3141. Master Logging Settings
  3142. =======================
  3143. .. conf_master:: log_file
  3144. ``log_file``
  3145. ------------
  3146. Default: ``/var/log/salt/master``
  3147. The master log can be sent to a regular file, local path name, or network
  3148. location. See also :conf_log:`log_file`.
  3149. Examples:
  3150. .. code-block:: yaml
  3151. log_file: /var/log/salt/master
  3152. .. code-block:: yaml
  3153. log_file: file:///dev/log
  3154. .. code-block:: yaml
  3155. log_file: udp://loghost:10514
  3156. .. conf_master:: log_level
  3157. ``log_level``
  3158. -------------
  3159. Default: ``warning``
  3160. The level of messages to send to the console. See also :conf_log:`log_level`.
  3161. .. code-block:: yaml
  3162. log_level: warning
  3163. .. conf_master:: log_level_logfile
  3164. ``log_level_logfile``
  3165. ---------------------
  3166. Default: ``warning``
  3167. The level of messages to send to the log file. See also
  3168. :conf_log:`log_level_logfile`. When it is not set explicitly
  3169. it will inherit the level set by :conf_log:`log_level` option.
  3170. .. code-block:: yaml
  3171. log_level_logfile: warning
  3172. .. conf_master:: log_datefmt
  3173. ``log_datefmt``
  3174. ---------------
  3175. Default: ``%H:%M:%S``
  3176. The date and time format used in console log messages. See also
  3177. :conf_log:`log_datefmt`.
  3178. .. code-block:: yaml
  3179. log_datefmt: '%H:%M:%S'
  3180. .. conf_master:: log_datefmt_logfile
  3181. ``log_datefmt_logfile``
  3182. -----------------------
  3183. Default: ``%Y-%m-%d %H:%M:%S``
  3184. The date and time format used in log file messages. See also
  3185. :conf_log:`log_datefmt_logfile`.
  3186. .. code-block:: yaml
  3187. log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
  3188. .. conf_master:: log_fmt_console
  3189. ``log_fmt_console``
  3190. -------------------
  3191. Default: ``[%(levelname)-8s] %(message)s``
  3192. The format of the console logging messages. See also
  3193. :conf_log:`log_fmt_console`.
  3194. .. note::
  3195. Log colors are enabled in ``log_fmt_console`` rather than the
  3196. :conf_master:`color` config since the logging system is loaded before the
  3197. master config.
  3198. Console log colors are specified by these additional formatters:
  3199. %(colorlevel)s
  3200. %(colorname)s
  3201. %(colorprocess)s
  3202. %(colormsg)s
  3203. Since it is desirable to include the surrounding brackets, '[' and ']', in
  3204. the coloring of the messages, these color formatters also include padding
  3205. as well. Color LogRecord attributes are only available for console
  3206. logging.
  3207. .. code-block:: yaml
  3208. log_fmt_console: '%(colorlevel)s %(colormsg)s'
  3209. log_fmt_console: '[%(levelname)-8s] %(message)s'
  3210. .. conf_master:: log_fmt_logfile
  3211. ``log_fmt_logfile``
  3212. -------------------
  3213. Default: ``%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] %(message)s``
  3214. The format of the log file logging messages. See also
  3215. :conf_log:`log_fmt_logfile`.
  3216. .. code-block:: yaml
  3217. log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] %(message)s'
  3218. .. conf_master:: log_granular_levels
  3219. ``log_granular_levels``
  3220. -----------------------
  3221. Default: ``{}``
  3222. This can be used to control logging levels more specifically. See also
  3223. :conf_log:`log_granular_levels`.
  3224. .. conf_master:: log_rotate_max_bytes
  3225. ``log_rotate_max_bytes``
  3226. ------------------------
  3227. Default: ``0``
  3228. The maximum number of bytes a single log file may contain before it is rotated.
  3229. A value of 0 disables this feature. Currently only supported on Windows. On
  3230. other platforms, use an external tool such as 'logrotate' to manage log files.
  3231. :conf_log:`log_rotate_max_bytes`
  3232. .. conf_master:: log_rotate_backup_count
  3233. ``log_rotate_backup_count``
  3234. ---------------------------
  3235. Default: ``0``
  3236. The number of backup files to keep when rotating log files. Only used if
  3237. :conf_master:`log_rotate_max_bytes` is greater than 0. Currently only supported
  3238. on Windows. On other platforms, use an external tool such as 'logrotate' to
  3239. manage log files.
  3240. :conf_log:`log_rotate_backup_count`
  3241. .. _node-groups:
  3242. Node Groups
  3243. ===========
  3244. .. conf_master:: nodegroups
  3245. ``nodegroups``
  3246. --------------
  3247. Default: ``{}``
  3248. Node groups allow for logical groupings of minion nodes.
  3249. A group consists of a group name and a compound target.
  3250. .. code-block:: yaml
  3251. nodegroups:
  3252. group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com'
  3253. group2: 'G@os:Debian and foo.domain.com'
  3254. group3: 'G@os:Debian and N@group1'
  3255. group4:
  3256. - 'G@foo:bar'
  3257. - 'or'
  3258. - 'G@foo:baz'
  3259. More information on using nodegroups can be found :ref:`here <targeting-nodegroups>`.
  3260. .. _range-cluster-settings:
  3261. Range Cluster Settings
  3262. ======================
  3263. .. conf_master:: range_server
  3264. ``range_server``
  3265. ----------------
  3266. Default: ``'range:80'``
  3267. The range server (and optional port) that serves your cluster information
  3268. https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec
  3269. .. code-block:: yaml
  3270. range_server: range:80
  3271. .. _include-configuration:
  3272. Include Configuration
  3273. =====================
  3274. Configuration can be loaded from multiple files. The order in which this is
  3275. done is:
  3276. 1. The master config file itself
  3277. 2. The files matching the glob in :conf_master:`default_include`
  3278. 3. The files matching the glob in :conf_master:`include` (if defined)
  3279. Each successive step overrides any values defined in the previous steps.
  3280. Therefore, any config options defined in one of the
  3281. :conf_master:`default_include` files would override the same value in the
  3282. master config file, and any options defined in :conf_master:`include` would
  3283. override both.
  3284. .. conf_master:: default_include
  3285. ``default_include``
  3286. -------------------
  3287. Default: ``master.d/*.conf``
  3288. The master can include configuration from other files. Per default the
  3289. master will automatically include all config files from ``master.d/*.conf``
  3290. where ``master.d`` is relative to the directory of the master configuration
  3291. file.
  3292. .. note::
  3293. Salt creates files in the ``master.d`` directory for its own use. These
  3294. files are prefixed with an underscore. A common example of this is the
  3295. ``_schedule.conf`` file.
  3296. .. conf_master:: include
  3297. ``include``
  3298. -----------
  3299. Default: ``not defined``
  3300. The master can include configuration from other files. To enable this,
  3301. pass a list of paths to this option. The paths can be either relative or
  3302. absolute; if relative, they are considered to be relative to the directory
  3303. the main minion configuration file lives in. Paths can make use of
  3304. shell-style globbing. If no files are matched by a path passed to this
  3305. option then the master will log a warning message.
  3306. .. code-block:: yaml
  3307. # Include files from a master.d directory in the same
  3308. # directory as the master config file
  3309. include: master.d/*
  3310. # Include a single extra file into the configuration
  3311. include: /etc/roles/webserver
  3312. # Include several files and the master.d directory
  3313. include:
  3314. - extra_config
  3315. - master.d/*
  3316. - /etc/roles/webserver
  3317. Keepalive Settings
  3318. ==================
  3319. .. conf_master:: tcp_keepalive
  3320. ``tcp_keepalive``
  3321. -----------------
  3322. Default: ``True``
  3323. The tcp keepalive interval to set on TCP ports. This setting can be used to tune Salt
  3324. connectivity issues in messy network environments with misbehaving firewalls.
  3325. .. code-block:: yaml
  3326. tcp_keepalive: True
  3327. .. conf_master:: tcp_keepalive_cnt
  3328. ``tcp_keepalive_cnt``
  3329. ---------------------
  3330. Default: ``-1``
  3331. Sets the ZeroMQ TCP keepalive count. May be used to tune issues with minion disconnects.
  3332. .. code-block:: yaml
  3333. tcp_keepalive_cnt: -1
  3334. .. conf_master:: tcp_keepalive_idle
  3335. ``tcp_keepalive_idle``
  3336. ----------------------
  3337. Default: ``300``
  3338. Sets ZeroMQ TCP keepalive idle. May be used to tune issues with minion disconnects.
  3339. .. code-block:: yaml
  3340. tcp_keepalive_idle: 300
  3341. .. conf_master:: tcp_keepalive_intvl
  3342. ``tcp_keepalive_intvl``
  3343. -----------------------
  3344. Default: ``-1``
  3345. Sets ZeroMQ TCP keepalive interval. May be used to tune issues with minion disconnects.
  3346. .. code-block:: yaml
  3347. tcp_keepalive_intvl': -1
  3348. .. _winrepo-master-config-opts:
  3349. Windows Software Repo Settings
  3350. ==============================
  3351. .. conf_master:: winrepo_provider
  3352. ``winrepo_provider``
  3353. --------------------
  3354. .. versionadded:: 2015.8.0
  3355. Specify the provider to be used for winrepo. Must be either ``pygit2`` or
  3356. ``gitpython``. If unset, then both will be tried in that same order, and the
  3357. first one with a compatible version installed will be the provider that is
  3358. used.
  3359. .. code-block:: yaml
  3360. winrepo_provider: gitpython
  3361. .. conf_master:: winrepo_dir
  3362. .. conf_master:: win_repo
  3363. ``winrepo_dir``
  3364. ---------------
  3365. .. versionchanged:: 2015.8.0
  3366. Renamed from ``win_repo`` to ``winrepo_dir``.
  3367. Default: ``/srv/salt/win/repo``
  3368. Location on the master where the :conf_master:`winrepo_remotes` are checked out
  3369. for pre-2015.8.0 minions. 2015.8.0 and later minions use
  3370. :conf_master:`winrepo_remotes_ng <winrepo_remotes_ng>` instead.
  3371. .. code-block:: yaml
  3372. winrepo_dir: /srv/salt/win/repo
  3373. .. conf_master:: winrepo_dir_ng
  3374. ``winrepo_dir_ng``
  3375. ------------------
  3376. .. versionadded:: 2015.8.0
  3377. A new :ref:`ng <windows-package-manager>` repo was added.
  3378. Default: ``/srv/salt/win/repo-ng``
  3379. Location on the master where the :conf_master:`winrepo_remotes_ng` are checked
  3380. out for 2015.8.0 and later minions.
  3381. .. code-block:: yaml
  3382. winrepo_dir_ng: /srv/salt/win/repo-ng
  3383. .. conf_master:: winrepo_cachefile
  3384. .. conf_master:: win_repo_mastercachefile
  3385. ``winrepo_cachefile``
  3386. ---------------------
  3387. .. versionchanged:: 2015.8.0
  3388. Renamed from ``win_repo_mastercachefile`` to ``winrepo_cachefile``
  3389. .. note::
  3390. 2015.8.0 and later minions do not use this setting since the cachefile
  3391. is now generated by the minion.
  3392. Default: ``winrepo.p``
  3393. Path relative to :conf_master:`winrepo_dir` where the winrepo cache should be
  3394. created.
  3395. .. code-block:: yaml
  3396. winrepo_cachefile: winrepo.p
  3397. .. conf_master:: winrepo_remotes
  3398. .. conf_master:: win_gitrepos
  3399. ``winrepo_remotes``
  3400. -------------------
  3401. .. versionchanged:: 2015.8.0
  3402. Renamed from ``win_gitrepos`` to ``winrepo_remotes``.
  3403. Default: ``['https://github.com/saltstack/salt-winrepo.git']``
  3404. List of git repositories to checkout and include in the winrepo for
  3405. pre-2015.8.0 minions. 2015.8.0 and later minions use
  3406. :conf_master:`winrepo_remotes_ng <winrepo_remotes_ng>` instead.
  3407. .. code-block:: yaml
  3408. winrepo_remotes:
  3409. - https://github.com/saltstack/salt-winrepo.git
  3410. To specify a specific revision of the repository, prepend a commit ID to the
  3411. URL of the repository:
  3412. .. code-block:: yaml
  3413. winrepo_remotes:
  3414. - '<commit_id> https://github.com/saltstack/salt-winrepo.git'
  3415. Replace ``<commit_id>`` with the SHA1 hash of a commit ID. Specifying a commit
  3416. ID is useful in that it allows one to revert back to a previous version in the
  3417. event that an error is introduced in the latest revision of the repo.
  3418. .. conf_master:: winrepo_remotes_ng
  3419. ``winrepo_remotes_ng``
  3420. ----------------------
  3421. .. versionadded:: 2015.8.0
  3422. A new :ref:`ng <windows-package-manager>` repo was added.
  3423. Default: ``['https://github.com/saltstack/salt-winrepo-ng.git']``
  3424. List of git repositories to checkout and include in the winrepo for
  3425. 2015.8.0 and later minions.
  3426. .. code-block:: yaml
  3427. winrepo_remotes_ng:
  3428. - https://github.com/saltstack/salt-winrepo-ng.git
  3429. To specify a specific revision of the repository, prepend a commit ID to the
  3430. URL of the repository:
  3431. .. code-block:: yaml
  3432. winrepo_remotes_ng:
  3433. - '<commit_id> https://github.com/saltstack/salt-winrepo-ng.git'
  3434. Replace ``<commit_id>`` with the SHA1 hash of a commit ID. Specifying a commit
  3435. ID is useful in that it allows one to revert back to a previous version in the
  3436. event that an error is introduced in the latest revision of the repo.
  3437. .. conf_master:: winrepo_branch
  3438. ``winrepo_branch``
  3439. ------------------
  3440. .. versionadded:: 2015.8.0
  3441. Default: ``master``
  3442. If the branch is omitted from a winrepo remote, then this branch will be
  3443. used instead. For example, in the configuration below, the first two remotes
  3444. would use the ``winrepo`` branch/tag, while the third would use the ``foo``
  3445. branch/tag.
  3446. .. code-block:: yaml
  3447. winrepo_branch: winrepo
  3448. winrepo_remotes:
  3449. - https://mygitserver/winrepo1.git
  3450. - https://mygitserver/winrepo2.git:
  3451. - foo https://mygitserver/winrepo3.git
  3452. .. conf_master:: winrepo_ssl_verify
  3453. ``winrepo_ssl_verify``
  3454. ----------------------
  3455. .. versionadded:: 2015.8.0
  3456. .. versionchanged:: 2016.11.0
  3457. Default: ``False``
  3458. Specifies whether or not to ignore SSL certificate errors when contacting the
  3459. remote repository. The ``False`` setting is useful if you're using a
  3460. git repo that uses a self-signed certificate. However, keep in mind that
  3461. setting this to anything other ``True`` is a considered insecure, and using an
  3462. SSH-based transport (if available) may be a better option.
  3463. In the 2016.11.0 release, the default config value changed from ``False`` to
  3464. ``True``.
  3465. .. code-block:: yaml
  3466. winrepo_ssl_verify: True
  3467. Winrepo Authentication Options
  3468. ------------------------------
  3469. These parameters only currently apply to the ``pygit2``
  3470. :conf_master:`winrepo_provider`. Authentication works the same as it does in
  3471. gitfs, as outlined in the :ref:`GitFS Walkthrough <gitfs-authentication>`,
  3472. though the global configuration options are named differently to reflect that
  3473. they are for winrepo instead of gitfs.
  3474. .. conf_master:: winrepo_user
  3475. ``winrepo_user``
  3476. ****************
  3477. .. versionadded:: 2015.8.0
  3478. Default: ``''``
  3479. Along with :conf_master:`winrepo_password`, is used to authenticate to HTTPS
  3480. remotes.
  3481. .. code-block:: yaml
  3482. winrepo_user: git
  3483. .. conf_master:: winrepo_password
  3484. ``winrepo_password``
  3485. ********************
  3486. .. versionadded:: 2015.8.0
  3487. Default: ``''``
  3488. Along with :conf_master:`winrepo_user`, is used to authenticate to HTTPS
  3489. remotes. This parameter is not required if the repository does not use
  3490. authentication.
  3491. .. code-block:: yaml
  3492. winrepo_password: mypassword
  3493. .. conf_master:: winrepo_insecure_auth
  3494. ``winrepo_insecure_auth``
  3495. *************************
  3496. .. versionadded:: 2015.8.0
  3497. Default: ``False``
  3498. By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. This
  3499. parameter enables authentication over HTTP. **Enable this at your own risk.**
  3500. .. code-block:: yaml
  3501. winrepo_insecure_auth: True
  3502. .. conf_master:: winrepo_pubkey
  3503. ``winrepo_pubkey``
  3504. ******************
  3505. .. versionadded:: 2015.8.0
  3506. Default: ``''``
  3507. Along with :conf_master:`winrepo_privkey` (and optionally
  3508. :conf_master:`winrepo_passphrase`), is used to authenticate to SSH remotes.
  3509. .. code-block:: yaml
  3510. winrepo_pubkey: /path/to/key.pub
  3511. .. conf_master:: winrepo_privkey
  3512. ``winrepo_privkey``
  3513. *******************
  3514. .. versionadded:: 2015.8.0
  3515. Default: ``''``
  3516. Along with :conf_master:`winrepo_pubkey` (and optionally
  3517. :conf_master:`winrepo_passphrase`), is used to authenticate to SSH remotes.
  3518. .. code-block:: yaml
  3519. winrepo_privkey: /path/to/key
  3520. .. conf_master:: winrepo_passphrase
  3521. ``winrepo_passphrase``
  3522. **********************
  3523. .. versionadded:: 2015.8.0
  3524. Default: ``''``
  3525. This parameter is optional, required only when the SSH key being used to
  3526. authenticate is protected by a passphrase.
  3527. .. code-block:: yaml
  3528. winrepo_passphrase: mypassphrase
  3529. .. conf_master:: winrepo_refspecs
  3530. ``winrepo_refspecs``
  3531. ~~~~~~~~~~~~~~~~~~~~
  3532. .. versionadded:: 2017.7.0
  3533. Default: ``['+refs/heads/*:refs/remotes/origin/*', '+refs/tags/*:refs/tags/*']``
  3534. When fetching from remote repositories, by default Salt will fetch branches and
  3535. tags. This parameter can be used to override the default and specify
  3536. alternate refspecs to be fetched. This parameter works similarly to its
  3537. :ref:`GitFS counterpart <gitfs-custom-refspecs>`, in that it can be
  3538. configured both globally and for individual remotes.
  3539. .. code-block:: yaml
  3540. winrepo_refspecs:
  3541. - '+refs/heads/*:refs/remotes/origin/*'
  3542. - '+refs/tags/*:refs/tags/*'
  3543. - '+refs/pull/*/head:refs/remotes/origin/pr/*'
  3544. - '+refs/pull/*/merge:refs/remotes/origin/merge/*'
  3545. .. _configure-master-on-windows:
  3546. Configure Master on Windows
  3547. ===========================
  3548. The master on Windows requires no additional configuration. You can modify the
  3549. master configuration by creating/editing the master config file located at
  3550. ``c:\salt\conf\master``. The same configuration options available on Linux are
  3551. available in Windows, as long as they apply. For example, SSH options wouldn't
  3552. apply in Windows. The main differences are the file paths. If you are familiar
  3553. with common salt paths, the following table may be useful:
  3554. ============= ========= =================
  3555. linux Paths Windows Paths
  3556. ============= ========= =================
  3557. ``/etc/salt`` ``<--->`` ``c:\salt\conf``
  3558. ``/`` ``<--->`` ``c:\salt``
  3559. ============= ========= =================
  3560. So, for example, the master config file in Linux is ``/etc/salt/master``. In
  3561. Windows the master config file is ``c:\salt\conf\master``. The Linux path
  3562. ``/etc/salt`` becomes ``c:\salt\conf`` in Windows.
  3563. Common File Locations
  3564. ---------------------
  3565. ====================================== =============================================
  3566. Linux Paths Windows Paths
  3567. ====================================== =============================================
  3568. ``conf_file: /etc/salt/master`` ``conf_file: c:\salt\conf\master``
  3569. ``log_file: /var/log/salt/master`` ``log_file: c:\salt\var\log\salt\master``
  3570. ``pidfile: /var/run/salt-master.pid`` ``pidfile: c:\salt\var\run\salt-master.pid``
  3571. ====================================== =============================================
  3572. Common Directories
  3573. ------------------
  3574. ====================================================== ============================================
  3575. Linux Paths Windows Paths
  3576. ====================================================== ============================================
  3577. ``cachedir: /var/cache/salt/master`` ``cachedir: c:\salt\var\cache\salt\master``
  3578. ``extension_modules: /var/cache/salt/master/extmods`` ``c:\salt\var\cache\salt\master\extmods``
  3579. ``pki_dir: /etc/salt/pki/master`` ``pki_dir: c:\salt\conf\pki\master``
  3580. ``root_dir: /`` ``root_dir: c:\salt``
  3581. ``sock_dir: /var/run/salt/master`` ``sock_dir: c:\salt\var\run\salt\master``
  3582. ====================================================== ============================================
  3583. Roots
  3584. -----
  3585. **file_roots**
  3586. ================== =========================
  3587. Linux Paths Windows Paths
  3588. ================== =========================
  3589. ``/srv/salt`` ``c:\salt\srv\salt``
  3590. ``/srv/spm/salt`` ``c:\salt\srv\spm\salt``
  3591. ================== =========================
  3592. **pillar_roots**
  3593. ==================== ===========================
  3594. Linux Paths Windows Paths
  3595. ==================== ===========================
  3596. ``/srv/pillar`` ``c:\salt\srv\pillar``
  3597. ``/srv/spm/pillar`` ``c:\salt\srv\spm\pillar``
  3598. ==================== ===========================
  3599. Win Repo Settings
  3600. -----------------
  3601. ========================================== =================================================
  3602. Linux Paths Windows Paths
  3603. ========================================== =================================================
  3604. ``winrepo_dir: /srv/salt/win/repo`` ``winrepo_dir: c:\salt\srv\salt\win\repo``
  3605. ``winrepo_dir_ng: /srv/salt/win/repo-ng`` ``winrepo_dir_ng: c:\salt\srv\salt\win\repo-ng``
  3606. ========================================== =================================================