Most infrastructures are made up of groups of machines, each machine in the group performing a role similar to others. Those groups of machines work in concert with each other to create an application stack.
To effectively manage those groups of machines, an administrator needs to be able to create roles for those groups. For example, a group of machines that serve front-end web traffic might have roles which indicate that those machines should all have the Apache webserver package installed and that the Apache service should always be running.
In Salt, the file which contains a mapping between groups of machines on a
network and the configuration roles that should be applied to them is
Top files are named
top.sls by default and they are so-named because they
always exist in the "top" of a directory hierarchy that contains state files.
That directory hierarchy is called a
Top files have three components:
- Environment: A state tree directory containing a set of state files to configure systems.
- Target: A grouping of machines which will have a set of states applied to them.
- State files: A list of state files to apply to a target. Each state file describes one or more states to be configured and enforced on the targeted machines.
The relationship between these three components is nested as follows:
- Environments contain targets
- Targets contain states
Putting these concepts together, we can describe a scenario in which all
minions with an ID that begins with
web have an
apache state applied
base: # Apply SLS files from the directory root for the 'base' environment
'web*': # All minions with a minion_id that begins with 'web'
- apache # Apply the state file named 'apache.sls'
Environments are directory hierarchies which contain a top files and a set of state files.
Environments can be used in many ways, however there is no requirement that
they be used at all. In fact, the most common way to deploy Salt is with
a single environment, called
base. It is recommended that users only
create multiple environments if they have a use case which specifically
calls for multiple versions of state trees.
Each environment is defined inside a salt master configuration variable
In the most common single-environment setup, only the
base environment is
file_roots along with only one directory path for
the state tree.
In the above example, the top file will only have a single environment to pull from.
Next is a simple single-environment top file placed in
illustrating that for the environment called
base, all minions will have the
state files named
edit.sls applied to them.
file_roots configuration from above, Salt will look in the
/srv/salt directory for
In some cases, teams may wish to create versioned state trees which can be used to test Salt configurations in isolated sets of systems such as a staging environment before deploying states into production.
For this case, multiple environments can be used to accomplish this task.
To create multiple environments, the
file_roots option can be
In the above, we declare three environments:
Each environment has a single directory assigned to it.
Our top file references the environments:
As seen above, the top file now declares the three environments and for each,
targets are defined to map globs of minion IDs to state files. For example,
all minions which have an ID beginning with the string
webserver will have the
webserver state from the requested environment assigned to it.
In this manner, a proposed change to a state could first be made in a state
/srv/salt/dev and then be applied to development webservers before
moving the state into QA by copying the state file into
The top file is used to assign a minion to an environment unless overridden
using the methods described below. The environment in the top file must match
an environment in
file_roots in order for any states to be
applied to that minion. The states that will be applied to a minion in a given
environment can be viewed using the
state.show_top execution function.
Minions may be pinned to a particular environment by setting the
value in the minion configuration file. In doing so, a minion will only
request files from the environment to which it is assigned.
The environment to use may also be dynamically selected at the time that
salt-ssh by passing passing a flag to the
execution module being called. This is most commonly done with
functions in the
state module by using the
saltenv= argument. For
example, to run a
highstate on all minions, using the state files in
prod state tree, run:
salt '*' state.highstate saltenv=prod.
Not all functions accept
saltenv as an argument See individual
function documentation to verify.
If you assign only one SLS to a system, as in this example, a shorthand is also available:
Below is a slightly more complex top file example, showing the different types of matches you can perform:
# All files will be taken from the file path specified in the base
# environment in the ``file_roots`` configuration value.
# All minions get the following three state files applied
# All minions which have an ID that begins with the phrase
# 'salt-master' will have an SLS file applied that is named
# 'master.sls' and is in the 'salt' directory, underneath
# the root specified in the ``base`` environment in the
# configuration value for ``file_roots``.
# Minions that have an ID matching the following regular
# expression will have the state file called 'web.sls' in the
# nagios/mon directory applied. Additionally, minions matching
# the regular expression will also have the 'server.sls' file
# in the apache/ directory applied.
# Take note of the 'match' directive here, which tells Salt
# to treat the target string as a regex to be matched!
- match: pcre
# Minions that have a grain set indicating that they are running
# the Ubuntu operating system will have the state file called
# 'ubuntu.sls' in the 'repos' directory applied.
# Again take note of the 'match' directive here which tells
# Salt to match against a grain instead of a minion ID.
- match: grain
# Minions that are either RedHat or CentOS should have the 'epel.sls'
# state applied, from the 'repos/' directory.
- match: grain_pcre
# The three minions with the IDs of 'foo', 'bar' and 'baz' should
# have 'database.sls' applied.
- match: list
# Any minion for which the pillar key 'somekey' is set and has a value
# of that key matching 'abc' will have the 'xyz.sls' state applied.
- match: pillar
# All minions which begin with the strings 'nag1' or any minion with
# a grain set called 'role' with the value of 'monitoring' will have
# the 'server.sls' state file applied from the 'nagios/' directory.
'nag1* or G@role:monitoring':
- match: compound
When using multiple environments, it is not necessary to create a top file for each environment. The most common approach, and the easiest to maintain, is to use a single top file placed in only one environment.
However, some workflows do call for multiple top files. In this case, top
files may be merged together to create
high data for the state compiler
to use as a source to compile states on a minion.
For the following discussion of top file compilation, assume the following configuration:
The astute reader will ask how the state compiler resolves which should be an obvious conflict if a minion is not pinned to a particular environment and if no environment argument is passed into a state function.
Given the above, it is initially unclear whether
first.sls will be applied
second.sls will be applied in a
salt '*' state.highstate command.
When conflicting keys arise, there are several configuration options which control the behaviour of salt:
env_orderwill set the order in which environments are processed by the state compiler.
Can be set to
same, which will process only the top file from the environment that the minion belongs to via the
environmentconfiguration setting or the environment that is requested via the
saltenvargument supported by some functions in the
Can also be set to
merge. This is the default. When set to
merge, top files will be merged together. The order in which top files are merged together can be controlled with
top_file_merging_strategyis set to
sameand an environment does not contain a top file, the top file in the environment specified by
default_topwill be used instead.