Salt Foreman and Syndic

97 views
Skip to first unread message

charles...@noaa.gov

unread,
Sep 2, 2015, 11:23:59 AM9/2/15
to Salt-users
I'm curious to know if anyone knows how to get the master_tops system to use pass the foreman enc top files from a master to a syndic.  I have salt and foreman working very well together with few to no problems, what I can't seem to figure out is how to get it to work with a syndic.  My master looks like this:


master_tops:
  ext_nodes: /usr/bin/foreman-node



file_roots:
  security:
    - /srv/security
  base:
    - /srv/salt/base/states

order_masters: True



My syndic is configured like this:


syndic_master: salt-foreman

file_roots
:
 security:
   - /srv/security
 base:
   - /srv/salt/base/states

Everything looks alright, I can see the nodes connected to the syndic but they don't receive any top files from the master.  When I run highstate I get this:

salt-minion2:
----------
          ID: states
    Function: no.None
      Result: False
     Comment: No Top file or external nodes data matches found
     Started: 
    Duration: 
     Changes:   

Summary
------------
Succeeded: 0
Failed:    1
------------


As far as I can tell, there's no log output related to this node either so I can't really tell what's going on.

Arnold Bechtoldt

unread,
Sep 2, 2015, 2:22:03 PM9/2/15
to salt-...@googlegroups.com
You need to specify master_tops on the syndic's Salt master
configuration, too.


Gruß

Arnold

--
+arnoldbechtoldt • arnoldB@IRC • bechtoldt@GH • arbe.io
> --
> You received this message because you are subscribed to the Google
> Groups "Salt-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to salt-users+...@googlegroups.com
> <mailto:salt-users+...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.
0xE2356889.asc
signature.asc

charles...@noaa.gov

unread,
Sep 2, 2015, 3:14:06 PM9/2/15
to Salt-users
Does master_tops have a way of pulling the top file from the master when configured in the syndic?  If so, where in the docs does it specify how to do that.  The only way I've figured it out is through foreman and the syndic is not running foreman.

Arnold Bechtoldt

unread,
Sep 2, 2015, 3:21:21 PM9/2/15
to salt-...@googlegroups.com
Like file_roots you also need to specifiy the master_tops settings in
the Salt Master configuration of your syndic. Both masters don't share
node data so every master needs to gather this data himself for his minions.

The advantage of having syndics is to declare "sub"-masters that receive
commands from the top-level salt master (for the minions). This way you
can distribute load on multiple masters and separate by network
zones/tiers/etc..

I hope this makes it more clear to you.


Arnold

--
+arnoldbechtoldt • arnoldB@IRC • bechtoldt@GH • arbe.io

On 02.09.15 21:14, charles...@noaa.gov wrote:
> Does master_tops have a way of pulling the top file from the master when
> configured in the syndic? If so, where in the docs does it specify how
> to do that. The only way I've figured it out is through foreman and the
> syndic is not running foreman.
>
> On Wednesday, September 2, 2015 at 12:22:03 PM UTC-6, Arnold Bechtoldt
> wrote:
>
> You need to specify master_tops on the syndic's Salt master
> configuration, too.
>
>
> Gruß
>
> Arnold
>
> --
> +arnoldbechtoldt • arnoldB@IRC • bechtoldt@GH • arbe.io
> <http://arbe.io>
> > an email to salt-users+...@googlegroups.com <javascript:>
> > For more options, visit https://groups.google.com/d/optout
> <https://groups.google.com/d/optout>.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Salt-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to salt-users+...@googlegroups.com
> <mailto:salt-users+...@googlegroups.com>.
0xE2356889.asc
signature.asc

Stephen Benjamin

unread,
Sep 2, 2015, 3:35:41 PM9/2/15
to salt-...@googlegroups.com
On Wed, Sep 02, 2015 at 12:14:05PM -0700, charles...@noaa.gov wrote:
> Does master_tops have a way of pulling the top file from the master when
> configured in the syndic? If so, where in the docs does it specify how to
> do that. The only way I've figured it out is through foreman and the
> syndic is not running foreman.

You have a couple of options. The easiest would be to install the smart
proxy on the syndic.

Although, really, you just need the foreman-node script, and then ensure
its configured with valid ssl certificates to talk to Foreman:
https://github.com/theforeman/smart_proxy_salt/blob/master/bin/foreman-node
https://github.com/theforeman/smart_proxy_salt/blob/master/etc/foreman.yaml.example

You would also need to turn off 'restrict_registered_smart_proxies'
Setting as the syndic wouldn't be known to the foreman.
> > > an email to salt-users+...@googlegroups.com <javascript:>
> > > For more options, visit https://groups.google.com/d/optout.
> >
>
> --
> You received this message because you are subscribed to the Google Groups "Salt-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.


--
Best Regards,

Stephen Benjamin
Red Hat Engineering
signature.asc

charles...@noaa.gov

unread,
Sep 3, 2015, 9:28:05 AM9/3/15
to Salt-users
This is what I ended up doing yesterday afternoon.  I used the full smart proxy installation though.  After that everything started working very well.  I was thinking about this too and it seems like you wouldn't necesarily need to configure the syndic either.  Since the syndic needs the file_roots directories already and foreman will see the minions via the smart proxy you could just configure this as another master as well. 
Reply all
Reply to author
Forward
0 new messages