Pillar Walkthrough

Note

This walkthrough assumes that the reader has already completed the initial Salt walkthrough.

Pillars are tree-like structures of data defined on the Salt Master and passed through to minions. They allow confidential, targeted data to be securely sent only to the relevant minion.

Note

Grains and Pillar are sometimes confused. Just remember that Grains are data about a minion which is stored or generated from the minion. This is why information like the OS and CPU type are found in Grains. Pillar is information about a minion or many minions stored or generated on the Salt Master.

Pillar data is useful for:

Highly sensitive data:
Information transferred via pillar is guaranteed to only be presented to the minions that are targeted, making Pillar suitable for managing security information, such as cryptographic keys and passwords.

Minion configuration:
Minion modules such as the execution modules, states, and returners can often be configured via data stored in pillar.

Variables:
Variables which need to be assigned to specific minions or groups of minions can be defined in pillar and then accessed inside sls formulas and template files.

Arbitrary data:
Pillar can contain any basic data structure in dictionary format, so a key/value store can be defined making it easy to iterate over a group of values in sls formulas.

Pillar is therefore one of the most important systems when using Salt. This walkthrough is designed to get a simple Pillar up and running in a few minutes and then to dive into the capabilities of Pillar and where the data is available.

Setting Up Pillar

The pillar is already running in Salt by default. To see the minion's pillar data:

salt '*' pillar.items

Note

Prior to version 0.16.2, this function was named pillar.data. That name is still supported for backwards compatibility.

By default the contents of the master configuration file are loaded into pillar for all minions. This enables the master configuration file to be used for global configuration of minions.

Similar to the state tree, the pillar is comprised of sls files and has a top file. The default location for the pillar is in /srv/pillar.

Note

The pillar location can be configured via the pillar_roots option inside the master configuration file. It must not be in a subdirectory of the state tree or file_roots. If the pillar is under file_roots, any pillar targeting can be bypassed by minions.
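
One way to check this constraint before deploying a master configuration, as an added example that is not part of the Salt documentation or code base. The function name exposed_pillar_roots and the SAFE/UNSAFE values are constructed here; file_roots and pillar_roots are passed as the environment-to-directory-list mappings they hold in the master configuration file.

```python
import os
from pathlib import Path


def _resolve(path):
    """Absolute form of a configured root with symlinks and '..' resolved."""
    return Path(os.path.realpath(path))


def exposed_pillar_roots(file_roots, pillar_roots):
    """Return (pillar_dir, file_dir) pairs where a pillar root is the same
    directory as, or nested under, a file_roots directory of any environment."""
    state_dirs = [(d, _resolve(d)) for dirs in file_roots.values() for d in dirs]
    findings = []
    for dirs in pillar_roots.values():
        for pillar_dir in dirs:
            resolved = _resolve(pillar_dir)
            for file_dir, file_resolved in state_dirs:
                # Compare path components, so /srv/salt-pillar is not
                # mistaken for a child of /srv/salt.
                if resolved == file_resolved or file_resolved in resolved.parents:
                    findings.append((pillar_dir, file_dir))
    return findings


# Constructed sample values, shaped like the two master config options.
SAFE = {
    "file_roots": {"base": ["/srv/salt"]},
    "pillar_roots": {"base": ["/srv/pillar", "/srv/salt-pillar"]},
}
UNSAFE = {
    "file_roots": {"base": ["/srv/salt"], "dev": ["/srv/salt-dev"]},
    "pillar_roots": {
        "base": ["/srv/salt/pillar"],
        "dev": ["/srv/salt-dev/../salt/secrets"],
    },
}

if __name__ == "__main__":
    for label, cfg in (("SAFE", SAFE), ("UNSAFE", UNSAFE)):
        hits = exposed_pillar_roots(cfg["file_roots"], cfg["pillar_roots"])
        print(label, hits or "no pillar root under file_roots")
```
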

To start setting up the pillar, the /srv/pillar directory needs to be present:

mkdir /srv/pillar

Now create a simple top file, following the same format as the top file used for states:

/srv/pillar/top.sls:

base:
  '*':
    - data

This top file associates the data.sls file to all minions. Now the /srv/pillar/data.sls file needs to be populated:

/srv/pillar/data.sls:

info: some data

To ensure that the minions have the new pillar data, issue a command to them asking that they fetch their pillars from the master:

salt '*' saltutil.refresh_pillar

Now that the minions have the new pillar, it can be retrieved:

salt '*' pillar.items

The key info should now appear in the returned pillar data.

More Complex Data

Unlike states, pillar files do not need to define formulas. This example sets up user data with a UID:

/srv/pillar/users/init.sls:

users:
  thatch: 1000
  shouse: 1001
  utahdave: 1002
  redbeard: 1003

Note

The same directory lookups that exist in states exist in pillar, so the file users/init.sls can be referenced with users in the top file.

The top file will need to be updated to include this sls file:

/srv/pillar/top.sls:

base:
  '*':
    - data
    - users

Now the data will be available to the minions. To use the pillar data in a state, you can use Jinja:

/srv/salt/users/init.sls:

{% for user, uid in pillar.get('users', {}).items() %}
{{user}}:
  user.present:
    - uid: {{uid}}
{% endfor %}

This approach allows for users to be safely defined in a pillar and then the user data is applied in an sls file.

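Parameterizing States With Pillar

State files can use pillar data to customize behavior for each minion. All pillar (and grain) data applicable to each minion is substituted into the state files through templating before they are used. Typical uses include setting paths appropriate for the minion and skipping states that do not apply.

A simple example is to set up a mapping of package names in pillar for separate Linux distributions: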

/srv/pillar/pkg/init.sls:

pkgs:
  {% if grains['os_family'] == 'RedHat' %}
  apache: httpd
  vim: vim-enhanced
  {% elif grains['os_family'] == 'Debian' %}
  apache: apache2
  vim: vim
  {% elif grains['os'] == 'Arch' %}
  apache: apache
  vim: vim
  {% endif %}

The new pkg sls needs to be added to the top file:

/srv/pillar/top.sls:

base:
  '*':
    - data
    - users
    - pkg

Now the minions will automatically map values based on their respective operating systems inside the pillar, so sls files can be safely parameterized:

/srv/salt/apache/init.sls:

apache:
  pkg.installed:
    - name: {{ pillar['pkgs']['apache'] }}

Or, if no pillar is available, a default can be set as well:

Note

The pillar.get function used in this example was added to Salt in version 0.14.0.

/srv/salt/apache/init.sls:

apache:
  pkg.installed:
    - name: {{ salt['pillar.get']('pkgs:apache', 'httpd') }}

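In the above example, if the pillar value pillar['pkgs']['apache'] is not set in the minion's pillar, then the default of httpd will be used.

Note

Under the hood, pillar is just a Python dict, so Python dict methods such as get and items can be used.

Pillar Makes Simple States Grow Easily

One of the design goals of pillar is to let simple sls formulas grow easily into more flexible formulas without refactoring or complicating the states.

A simple formula: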

/srv/salt/edit/vim.sls:

vim:
  pkg.installed: []

/etc/vimrc:
  file.managed:
    - source: salt://edit/vimrc
    - mode: 644
    - user: root
    - group: root
    - require:
      - pkg: vim

Can be easily transformed into a powerful, parameterized formula:

/srv/salt/edit/vim.sls:

vim:
  pkg.installed:
    - name: {{ pillar['pkgs']['vim'] }}

/etc/vimrc:
  file.managed:
    - source: {{ pillar['vimrc'] }}
    - mode: 644
    - user: root
    - group: root
    - require:
      - pkg: vim

The vimrc source location can now be changed via pillar:

/srv/pillar/edit/vim.sls:

{% if grains['id'].startswith('dev') %}
vimrc: salt://edit/dev_vimrc
{% elif grains['id'].startswith('qa') %}
vimrc: salt://edit/qa_vimrc
{% else %}
vimrc: salt://edit/vimrc
{% endif %}

This ensures that the right vimrc is sent out to the correct minions.

Setting Pillar Data on the Command Line

Pillar data can be set on the command line like so:

salt '*' state.highstate pillar='{"foo": "bar"}'

The state.sls command can also be used to set pillar values via the command line:

salt '*' state.sls my_sls_file pillar='{"hello": "world"}'

Nested pillar values can also be set via the command line:

salt '*' state.sls my_sls_file pillar='{"foo": {"bar": "baz"}}'

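Note

If a key is passed on the command line that already exists on the minion, the key that is passed in will overwrite the entire value of that key, rather than merging only the specified value set via the command line.

The example below will swap the value for vim with telnet in the previously specified list. Notice the nested pillar dict: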

salt '*' state.sls edit.vim pillar='{"pkgs": {"vim": "telnet"}}'

Note

This will attempt to install telnet on your minions. Feel free to uninstall the package or replace the telnet value with anything else.
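
The overwrite rule from the note above, worked through for the pkgs override (an added example, not part of the Salt documentation or Salt's own code). It models the behaviour in plain Python exactly as the note states it; apply_cli_pillar, pillar_lookup, lost_keys and the sample pillar are names and values constructed for this illustration.

```python
import copy

_MISSING = object()

# Constructed pillar for a RedHat-family minion, using this walkthrough's keys.
MINION_PILLAR = {
    "info": "some data",
    "pkgs": {"apache": "httpd", "vim": "vim-enhanced"},
}


def apply_cli_pillar(pillar, override):
    """Model of the note: every top-level key given on the command line
    replaces the minion's entire value for that key; nothing is merged."""
    result = copy.deepcopy(pillar)
    result.update(copy.deepcopy(override))
    return result


def pillar_lookup(pillar, key, default=""):
    """Walk a colon-delimited key such as 'pkgs:apache' and return the
    default when any level is absent (a simplified defaulted lookup)."""
    node = pillar
    for part in key.split(":"):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def lost_keys(pillar, override):
    """Return the colon-delimited leaf keys the minion has now but would
    no longer have once the override is applied."""
    after = apply_cli_pillar(pillar, override)
    lost = []

    def walk(node, path):
        for name, value in node.items():
            full = f"{path}:{name}" if path else name
            if isinstance(value, dict):
                walk(value, full)
            elif pillar_lookup(after, full, _MISSING) is _MISSING:
                lost.append(full)

    walk(pillar, "")
    return lost
```

Calling lost_keys with the override from the command above reports pkgs:apache, the key that a state indexing pillar['pkgs']['apache'] directly would no longer find during that run.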

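More on Pillar

Pillar data is generated on the Salt master and securely distributed to minions. Salt is not restricted to the pillar sls files when defining the pillar and can also retrieve data from external sources. This is useful when information about an infrastructure is stored in a separate location.

Reference information on pillar and the external pillar interface can be found in the Salt documentation: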

Pillar

Minion Config in Pillar

Minion configuration options can be set on pillars. Any option that you want to modify should be in the first level of the pillars, in the same way you set the options in the config file. For example, to configure the MySQL root password to be used by the MySQL Salt execution module:

mysql.pass: hardtoguesspassword

This is very convenient when you need some dynamic configuration change that you want to be applied on the fly. For example, there is a chicken and the egg problem if you do this:

mysql-admin-passwd:
  mysql_user.present:
    - name: root
    - password: somepasswd

mydb:
  mysql_db.present

The second state will fail, because you changed the root password and the minion didn't notice it. Setting mysql.pass in the pillar will help to sort out the issue. But always change the root admin password in the first place.

This is very helpful for any module that needs credentials to apply state changes: mysql, keystone, etc.