Calling salt from a different host (e.g., CI server)?


Jeff

May 9, 2015, 1:52:04 AM
to salt-...@googlegroups.com
In our CI system, I eventually want to update pillar/state information, push those changes to the Git server, then initiate a salt '...' state.highstate on a subset of minions.

I've also enabled LDAP and it seems to work, but I want both our CI system and developers to have some access without having to remote into the salt master and run as root.

What is the 'best-practice' for doing this?  For some reason, this is one area of using Salt that throws me because all tutorials show running salt as root (or sudo) and that can't be the standard use case in enterprise environments.  The documentation (at least that I've found) is somewhat lacking in providing me perspective.

The closest I've seen is hand coding a python script directly.

--
Jeff Vincent
See my LinkedIn profile at:
http://www.linkedin.com/in/rjeffreyvincent

Charles Baker

May 9, 2015, 7:25:35 AM
to salt-...@googlegroups.com

I think this is a good use case for the peering system.

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tehmasp Chaudhri

May 9, 2015, 10:51:16 AM
to salt-...@googlegroups.com

A couple of ideas:
  • Set up a Syndic server that can manage that subset of nodes - and only allow folks access to this Syndic server.
  • Explore the Reactor system - you may be able to come up with a way to allow an event being called on the CI system or something your developers could do that would invoke some reaction on the Salt Master.
Cheers,
Tehmasp

Matthew Williams

May 9, 2015, 12:08:41 PM
to salt-...@googlegroups.com
You might find salt-api useful. It allows publishing events via a REST interface. This post (not mine) gives an example: http://bencane.com/2014/07/17/integrating-saltstack-with-other-services-via-salt-api/

I've not yet used salt-api, so others may have more detailed input. 



Shane Gibson

May 9, 2015, 8:18:15 PM
to salt-...@googlegroups.com

As posted by others - Reactor and Salt-API are your best bets as near as I can tell from your use case ... 


~~shane 

Jeff

May 12, 2015, 1:30:06 PM
to salt-...@googlegroups.com
I've been going through these suggestions and it all seems overly complicated when I simply want to do something like:

salt-cli -h <saltmaster_url> -e ldap -u <ldapUser> -p <ldapPassword> 'dev-aut*' state.highstate

How are others integrating with continuous build/deployment processes?


Christian McHugh

May 21, 2015, 8:10:10 PM
to salt-...@googlegroups.com
It was because of this problem that I created the SaltStack plugin for Jenkins: https://wiki.jenkins-ci.org/display/JENKINS/saltstack-plugin

It uses the saltapi to contact the salt master to perform tasks. It was originally developed with a fairly simple use case in mind, and has been expanded slightly. If you have any problems or requests, feel free to contact me. 

At the moment it handles:
 - async salt jobs
 - sync salt jobs
 - batch jobs
 - pillar variable setting
 - jenkins parameters

(once salt supports batch operations in orchestrate operations as in bug #12556, the jenkins plugin will also support orchestration commands)



Alternatively, I know of other shops that use jenkins slaves to run commands on the saltmaster itself.

Jeff

May 22, 2015, 2:41:19 PM
to salt-...@googlegroups.com
Cool, I may look to see how you did it :).  We are not going to use Jenkins for our pipeline process.  Jenkins will only be doing the build/unit test/analysis phase, then kick off a ThoughtWorks GoCD pipeline.  I was thinking of creating a simple SaltAPI java library that I could use with our Groovy/Gradle and other scripts.


Seth House

May 22, 2015, 6:11:50 PM
to salt users list
On Fri, May 22, 2015 at 12:40 PM, Jeff <preda...@gmail.com> wrote:
> I was
> thinking of creating a simple SaltAPI java library that I could use with our
> Groovy/Gradle and other scripts.

There's an excellent Rundeck plugin for salt-api that may be helpful
either directly or as an example.

https://github.com/rundeck-plugins/salt-step

One other note is that if you can install the Salt minion on the
Jenkins server the integration is much simpler (fewer moving pieces).
The `event.send` execution module has several examples of directly
integrating with Jenkins:

http://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.event.html#salt.modules.event.send

Rohit Sood

Jun 28, 2015, 9:39:59 AM
to salt-...@googlegroups.com
Christian,
I get an error with the plugin when testing the connection:

{"Error": "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I created the self-signed cert and set the cherry configuration to point to it on the Salt master:

# salt-call -c . --local tls.create_self_signed_cert CN="salt.***.com"

rest_cherrypy:
  port: 9000
  ssl_crt: /etc/pki/tls/certs/salt.****.crt
  ssl_key: /etc/pki/tls/certs/salt.***.key

The Salt master error log:

  File "/usr/local/lib/python2.7/ssl.py", line 148, in __init__
    self.do_handshake()
  File "/usr/local/lib/python2.7/ssl.py", line 310, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:510: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown



....Rohit

Stephen Spencer

Jun 28, 2015, 11:18:56 AM
to salt-...@googlegroups.com
Java--always the little snowflake. ;)

Use the following command on the jenkins host to add your salt certificate to the trusted keystore:

keytool -import -alias 'salt ca certificate' -file /path/to/self-signed/cert -keystore /path/to/java/jre/lib/security/cacerts -trustcacerts

The default keystore password is "changeit"

It is the same process for either Oracle or Open JRE/JDK.  I imagine that IBM's java works identically.

-S

--
You know, I used to think it was awful that life was so unfair. Then I thought, wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? So, now I take great comfort in the general hostility and unfairness of the universe.
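
Added example (not code from any poster in this thread or from the Salt project): a small Python client for the one-shot call Jeff sketches above, using salt-api's `/run` endpoint with LDAP eauth, and trusting the master's self-signed certificate through a dedicated CA file rather than a JVM-wide `cacerts` import or disabled verification. The host name, the certificate path and the `SALT_USER` / `SALT_PASS` environment variable names are assumptions.

```python
import json
import os
import ssl
import urllib.request


def build_run_request(master_url, user, password, target, fun, eauth="ldap"):
    """Build the POST for salt-api's /run endpoint (rest_cherrypy)."""
    if not master_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-TLS URL")
    lowstate = [{
        "client": "local",  # publish to minions, as the `salt` CLI does
        "tgt": target,      # glob by default, e.g. 'dev-aut*'
        "fun": fun,
        "eauth": eauth,     # external auth backend configured on the master
        "username": user,
        "password": password,
    }]
    return urllib.request.Request(
        master_url.rstrip("/") + "/run",
        data=json.dumps(lowstate).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )


def pinned_context(ca_file):
    """TLS context trusting only ca_file; cert and hostname checks stay on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def highstate(master_url, ca_file, target):
    """Run state.highstate on target; credentials come from the environment
    (assumed names SALT_USER / SALT_PASS), not from argv or the job log."""
    req = build_run_request(master_url, os.environ["SALT_USER"],
                            os.environ["SALT_PASS"], target, "state.highstate")
    with urllib.request.urlopen(req, context=pinned_context(ca_file),
                                timeout=600) as resp:
        return json.load(resp)["return"][0]


if __name__ == "__main__":
    # Placeholder host and certificate path; port 9000 as in the thread.
    result = highstate("https://salt.example.test:9000",
                       "salt-master.crt", "dev-aut*")
    print(json.dumps(result, indent=2))
```

Which targets and functions the LDAP account may use is decided by the master's `external_auth` configuration, so a CI account can be limited to the minions and functions it needs.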

Rohit Sood

Jun 30, 2015, 10:37:25 AM
to salt-...@googlegroups.com
Worked after importing.

Thanks Stephen!

...Rohit