using saltstack across docker containers


Daniel Garcia

Jul 26, 2014, 2:55:23 AM
to salt-...@googlegroups.com
I'm trying to use saltstack to execute predefined commands on remote hosts from within a docker container running a web server. I have a docker container running the salt-stack master and I've exposed the publish and return ports. From inside the saltstack-master container I can verify that the minions are up and running. I've tried several ways of executing saltstack commands from within the webserver container. I've mounted the /etc/salt/pki and /var/cache/salt directories from the salt-stack master, but it looks like salt stack needs to talk over unix sockets on the master and I don't know of a way to change that.

The options I'm about to try are:
1. Add an ssh server to the saltstack-master and use ssh from my webserver containers to execute salt commands
2. Add a minion to every web server container instance and configure the saltstack master to allow execution of commands from minions
3. Modify my proxying layer to support injecting/proxying unix sockets (seems like a lot of work, in unit testing at least)
4. Figure out a way to get the salt stack tools to communicate over TCP

Any suggestions?

Regards,
Daniel

Elias Probst

Jul 26, 2014, 1:42:31 PM
to salt-...@googlegroups.com
I'm running my Master and a shell container completely Docker-based.

The problem you describe is outlined in this issue:
https://github.com/saltstack/salt/issues/8009 (Salt CLI can't
communicate via AF_UNIX socket with master) which also provides a
workaround.

I have one Master container running and use 'n' shell containers to
operate the master.

Have a look at my Dockerfiles (and further auxiliary files) here:
https://gist.github.com/eliasp/7385009

Take a look at salt#master.sls to see how I run the master.

I connect to the master using my shell containers like this:
docker run --rm --interactive --tty --volumes-from=saltmaster-daemon \
    --link=saltmaster-daemon:master saltmaster-shell

Now that, since Docker 1.0, the link alias is also resolvable via DNS
from inside the container, you could also try simply putting
'interface: master' into ~/.saltrc of the shell container.

Good luck!

- Elias

Daniel Garcia

Jul 28, 2014, 10:38:40 PM
to salt-...@googlegroups.com
Elias,

My use case is slightly different. The containers are not on the same hosts, so sharing a volume that has the unix socket won't work for me. At this point I think I can attempt to add support for TCP and the admin interface or add support to my cluster environment to proxy unix sockets across a network.

Regards,
Daniel

Colton Myers

Aug 15, 2014, 6:08:04 PM
to salt-...@googlegroups.com
Daniel,

Don't know whether you're still trying to solve this problem, but have you checked out salt-api? https://github.com/saltstack/salt-api

You can control salt via a REST interface, which may solve your issue nicely.

--
Colton Myers
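
The REST approach suggested above, as an added example that is not part of the original thread or of the salt-api project: a web-server-side client that logs in for a token and sends only allow-listed commands to exact minion IDs, so the web container never needs the master's /etc/salt/pki or its unix sockets. It assumes salt-api's rest_cherrypy module (POST /login, then POST / with X-Auth-Token); the endpoint URL and the command names in ALLOWED are hypothetical.

```python
import json
import re
import ssl
import urllib.request

API = "https://salt-master.example:8000"  # hypothetical salt-api endpoint

# Predefined commands the web server may trigger (hypothetical names):
# label -> (salt execution function, fixed arguments). Nothing else is sent.
ALLOWED = {
    "ping": ("test.ping", []),
    "restart-web": ("service.restart", ["nginx"]),
}
MINION_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")  # exact IDs only, no globs

def _post(path, body, token=None):
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["X-Auth-Token"] = token
    return urllib.request.Request(API + path, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")

def login_request(username, password, eauth="pam"):
    """Build the POST /login request that exchanges credentials for a token."""
    return _post("/login", {"username": username, "password": password,
                            "eauth": eauth})

def token_from(login_response):
    """Extract the session token from a decoded /login response."""
    return login_response["return"][0]["token"]

def command_request(token, name, target):
    """Build the lowstate request for one allow-listed command on one minion."""
    if name not in ALLOWED:
        raise PermissionError("command not predefined: %r" % name)
    if not MINION_ID.fullmatch(target):
        raise ValueError("target must be a single minion ID: %r" % target)
    fun, args = ALLOWED[name]
    low = [{"client": "local", "tgt": target, "fun": fun, "arg": list(args)}]
    return _post("/", low, token)

def send(req, cafile):
    """Send a request, verifying the master's certificate against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)
```

The allow-list here only limits what this client will send; the account used for login should also be restricted to the same functions in the master's external_auth configuration.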

