Home
Salt support in Foreman is implemented by two plugins, smart_proxy_salt and foreman_salt. These are compatible with Foreman 1.6 or newer. RPM and DEB packages are available in the official Foreman repositories.
The core plugin's major version will increment with the specific Foreman release, as shown in the table below. Proxy releases tend to be compatible for longer, as the Foreman Proxy plugin API changes less frequently.
| Foreman | Core plugin | Proxy plugin |
|---|---|---|
| 1.6.x | 0.x | 0.x - 1.x |
| 1.7.x | 1.x | 0.x - 1.x |
-
1.1.0:
- Support for importing Salt state.highstate reports
- Fix an issue where Salt environment is not applied to a host from the hostgroup
-
1.0.0:
- Fixes for compatibility with Foreman 1.7 and other minor code clean-up only
-
0.0.4:
- Fixed an issue where the ENC would not render correctly for any other environment than 'base'
-
0.0.3:
- Renamed 'Salt Modules' to the proper term, 'Salt States'
- Allowed periods in Salt state name
- Support Salt-specific environments
- Fixed an issue where a user could not delete a host without salt
-
0.0.2: First public release. Support for automated provisioning of minions, node classification, states, pillars, key management, highstate run on a node, and grain import
-
1.0.0: Support for uploading Salt state.highstate reports
-
0.0.2: First public release. See the wiki for info on current API end points.
We'd like to thank the following people who contributed to ForemanSalt:
Arnold Bechtoldt, Daniel Lobato, Dominic Cleal, Michael Moll, Stephen Benjamin
You will need to install the Smart Proxy plugin, smart_proxy_salt, as well
as the Foreman plugin, foreman_salt.
See How to Install a Plugin for more info.
Install the Salt Smart Proxy package for your operating system (see above).
The Salt smart proxy needs to run on the same server as your Salt master, and the foreman-proxy user needs to be able to run the 'salt' and 'salt-key' commands via sudo.
Add this to /etc/sudoers:
Cmnd_Alias SALT = /usr/bin/salt, /usr/bin/salt-key
foreman-proxy ALL = NOPASSWD: SALT
Defaults:foreman-proxy !requiretty
In /etc/salt/master, make the following changes:
-
Configure Salt to use the Foreman external node classifier:
master_tops: ext_nodes: /usr/bin/foreman-node
-
In order to enable pillar data as well:
ext_pillar: - puppet: /usr/bin/foreman-node
-
Enable the autosign file, which the Smart Proxy will manage:
autosign_file: /etc/salt/autosign.conf
-
Set group ownership to foreman-proxy and allow group writing:
touch /etc/salt/autosign.conf chgrp foreman-proxy /etc/salt/autosign.conf chmod g+w /etc/salt/autosign.conf -
Edit
/etc/salt/foreman.yamlto set the appropriate settings:--- :proto: https :host: foreman.example.com :port: 443 :ssl_ca: "/etc/puppet/ssl_ca.pem" :ssl_cert: "/etc/puppet/client_cert.pem" :ssl_key: "/etc/puppet/client_key.pem" :timeout: 10 :salt: /usr/bin/salt :upload_grains: true
If your Smart Proxy uses SSL, then the certs and key configured in the YAML should be the same ones it uses to talk to Foreman. If you're already using Puppet in Foreman, consult
/etc/puppet/foreman.yamlor/etc/puppet/node.rbfor those settings. -
Lastly, restart the
foreman-proxyservice
Add the Smart Proxy to Foreman (under Infrastructure, Smart Proxies). If it is an existing smart proxy, click 'Refresh Features'. You should see it has the Salt feature.
When creating a new Host, you'll see a drop down to select the 'Salt Master'.
Hosts assigned a Salt Master will provision and register as minions automatically. The default Foreman templates support this. If you are installing on an existing Foreman installation, you may need to update your templates to the latest, perhaps by using the templates plugin.
Provisioning works as follows on a host with a salt master defined:
- When the host requests it's template, Foreman temporarily adds a record to Salt's autosign file
- At the end of the provisioning process (e.g. kickstart %post)
- salt-minion package is installed
-
/etc/salt/minionis configured -
salt-call --grainsis run in order to trigger key signing
- When the host finishes the build, Foreman removes the autosign entry
Foreman provides an interface for adding Salt states to either a Foreman host group or a host. Salt will know to apply these states through the external node classification feature. This is done in addition to top.sls.
In the example below, the inherited states are coming from the host's host group, and you may add additional states specifically to this new host:
This plugin provides a UI interface to both Salt Keys and the Autosign entries. Navigate to the Smart Proxy's page, and click on 'Salt Keys' or 'Salt Autosign' next to the Smart Proxy in the action buttons.
Foreman manages the lifecycle of a salt minion's keys. When the minion provisions, the autosign record will be added automatically, and when the build finishes it is removed. You may also manually enter an autosign entry, for example, to support automatically signing an entire domain managed outside foreman (e.g. '*.example.com').
The Salt Keys interface allows you to manually accept, reject, or delete keys. This is useful for managing hosts outside of Foreman's orchestration.
"Run Salt" button on the hosts page will trigger a state.highstate run.
Results of a highstate run will show up in Monitor / Reports if using the upload-salt-reports feature of the Smart Proxy. See Reports for more info.
You can also review executed state.highstate runs with the jobs runner on the Salt Master:
salt-run jobs.lookup_jid 20140921213537978546
Foreman parameters are available inside Salt by setting ext_pillar in /etc/salt/master:
ext_pillar:
- puppet: /usr/bin/foreman-node
Currently, we will upload the cached grains to Foreman when an external node classifier is run (e.g. when running state.highstate). You can view them in Foreman's Fact browser. Structured facts are navigable by clicking on the name and drilling down in child values.
Reports are available starting with foreman_salt 1.1 and smart_proxy_salt 1.0.
When running state.highstate, you can have Foreman process the results and show them in the UI. These reports show statistics about what was done, how long it took, complete with pie charts and file diffs.
By default, reports are uploaded to Foreman once every 10 minutes from the Salt master's job cache. You may modify the smart_proxy_salt cron job to customize this.
Note!! If you are using scheduling as per the Salt documentation, this will NOT upload reports to Foreman as minions do not return locally called state.highstate runs to the job cache. This is being tracked as a feature request at https://github.com/saltstack/salt/issues/12653.
If you want to schedule your minions to run Salt on a recurring basis, you could modify the cron job to execute something like this (doing in batches, if needed, see scalability section below as well):
(salt '*' -b 1000 state.highstate && sleep 60 && /usr/sbin/upload-salt-reports) >> /var/log/foreman-proxy/salt-cron.log
Why not use a returner?
Support for a custom returner would make this cron on the master unnecessary, however, there are limitations on both the Salt and Foreman Proxy side that make this impossible to do securely (for now).
In a large environment, synchronous processing of Highstate reports for many thousands of nodes will not scale. However, we can move processing to be an async task: if you install the ForemanTasks plugin, we'll automatically perform report importing asynchronously (status is viewable from the Monitor/ Tasks page).
If you find a bug, please file it in Redmine. You can find us on freenode on #theforeman as well.
See the troubleshooting section in the Foreman manual for more info.
Follow the same process as Foreman for contributing.