Upgrade to Pro — share decks privately, control downloads, hide ads and more …

An Introduction to Configuration Management wit...

Joël Perras
February 21, 2015

An Introduction to Configuration Management with SaltStack

Salt, a relatively new player in the configuration management space, offers quite an impressive amount of features for startups and agencies, both big and small. We'll look at how Salt's explicit separation of state and data, it's parallel execution model, ease of extensibility and remote data querying capabilities make it a first class candidate for ensuring your servers and development environments are in a known and reproducible state.

Joël Perras

February 21, 2015
Tweet

More Decks by Joël Perras

Other Decks in Technology

Transcript

  1. Created by Mark Burgess. Used a DSL to hide platform

    differences. CFEngine Anomaly detection, machine learning, secure communications. CFEngine 2 1993 1998
  2. Declarative XML model, validation done via schema. Allowed “auditing” of

    off-book changes on machines. BCFG2 DSL, core written in Ruby. System facts discovered, manifests compiled to catalogs with dependencies. Puppet 2004 2005
  3. Ruby (mostly). Reusable “recipes” grouped together as “cookbooks”. Collects facts

    in Solr that recipes can query. Chef Written in Python. Remote command execution, infrastructure-as-code, highly- modular. SaltStack (!) 2009 2011
  4. Minimalist - only requires SSH on target machines, reusable playbooks,

    quick to get started. Ansible Combination of monitoring, anomaly detection, provisioning, reporting, idempotent system theory Who Knows? 2012 2015-?
  5. Deployment Install packages and run configuration scripts on relevant servers,

    avoiding race conditions. Two-phase deploys are your friend. what topology?
  6. Which packages need to be insta configured. Debugging There’s nothing

    quite like deploying major architecture changes and it not working as expected. So we DO IT LIVE.
  7. Master: Compiles states & data to send to targets. Minion:

    Authenticated agent on target runs commands. Multi-Master: Hot master setup; minions need list of masters.
  8. Asymmetric encryption between master and minions for authentication. Can seed

    minions with pre-generated keys. AES-encrypted msgpack-serialized communication payload over ZeroMQ.
  9. The basic state (or SLS) definition can be written in

    as a YAML dictionary. The states are mapped to targets in top.sls.
  10. base:                  

               ‘web*’:                                    -­‐  webserver       /var/salt/roots/top.sls /var/salt/roots/webserver.sls nginx:                            #  ID  declaration      pkg:                            #  state  declaration          -­‐  installed          #  function  declaration  
  11. include:      -­‐  ruby.dev   unicorn:      gem:

             -­‐  installed          -­‐  require:              -­‐  pkg:  rubygems              -­‐  pkg:  ruby-­‐dev  
  12. Templating can be done with Jinja. There are several other

    renderers, and you can adapt your own.
  13. {%set  postgres  =  pillar['postgres']['config']  %}   include:      -­‐

     postgres.apt   postgresql-­‐client-­‐9.3:      pkg:          -­‐  installed          -­‐  version:  {{  postgres.ve1rsion  }}          -­‐  require:              -­‐  pkgrepo:  apt-­‐postgresql   /var/www/app/api:          file.directory:                  -­‐  user:  www-­‐data                  -­‐  group:  www-­‐data                  -­‐  mode:  0755                  -­‐  makedirs:  True
  14. Instead, you specify the end result of a desired state,

    and let abstractions take care of the details.
  15. ntp:      pkg:          -­‐  installed

         service:          -­‐  running          -­‐  watch:              -­‐  pkg:  ntp              -­‐  file:  /etc/ntp.conf   /etc/ntp.conf:      file.managed:          -­‐  mode:  0644          -­‐  require:              -­‐  pkg:  ntp  
  16. Instead, you specify the end result of a desired state,

    and let abstractions take care of the details.
  17. base:      '*':          -­‐  users

             -­‐  packages   development:      'env:development':          -­‐  match:  grain          -­‐  postgres      ‘os:Debian':          -­‐  names   production:      'env:production':          -­‐  match:  grain          -­‐  postgres   /var/salt/pillar/top.sls
  18. Pillar files are all merged together; unique top- level names

    for each dictionary are recommended. (they are effectively dictionary keys)
  19. aws:          s3_avatar_upload:        

             key:  <redacted>                  secret:  <redacted>          cloudfront:                  key:  <redacted>                  secret:  <redacted>   /var/salt/pillar/aws.sls
  20. Data from pillar can also be accessed within included file

    sources, such as configuration files.
  21. nginx:          pkg:        

             -­‐  installed                  -­‐  name:  {{  pillar.get(‘nginx’)[‘name’]  }}   /var/salt/roots/nginx.sls /var/salt/pillar/nginx.sls nginx:          name:  nginx-­‐extras  
  22. Grain and ID-based targeting can also be used in state

    files via Jinja templating, e.g. for boolean logic.
  23. This pattern can spiral out of control. Always try to

    specify targeting as high up in the state catalog as possible.
  24. vim: pkg: - installed {% if grains['os_family'] == 'RedHat' %}

    - name: vim-enhanced {% elif grains['os'] == 'Debian' %} - name: vim-nox {% endif %}