Everything is better with salt – even Foreman. This presentation discusses the use of Salt as a configuration management tool in Foreman. New features of the Salt plugin will also be demonstrated, such as Salt Variables and the Remote Execution Salt Provider.

2. #oscamp
Salted Foreman
07.11.2019
Bernhard Suttner

3. #atix #cfgmgmtcamp
SIMPLIFY YOUR DATACENTER

4. #oscamp
SaltStack
●
Open Source project initiated by
Thomas Hatch committed on 13 Feb 2011
●
Driven by SaltStack Inc, founded Aug 2012
●
Written in python
●
Infrastructure as code: yaml + jinja templates
●
Event driven, full infrastructure management tool
➢
~ 2150 contributors
➢
~ 106.000 commits
➢
~ 320 formulas

5. #oscamp
SaltStack: Use case

6. #oscamp
SaltStack: Flexibility
●
Architecture:
– Client (= minion) / Server
– Client-less (= salt-ssh)
●
Modes:
– Push: ‘salt’ on Salt Master
– Pull: ‘salt-call’ on Salt Minion
●
Event bus: Reactor and Beacons
●
Scheduled jobs
schedule:
highstate:
function: state.highstate
minutes: 20

7. #oscamp
Grains & States → Terminology
Ansible Salt puppet
Facts Grains Facts
Modules Modules Resources
Tasks States Manifests
Roles Formulas Modules
Playbook top.sls Roles/Profiles
Inventory Pillar Hiera

8. #oscamp
SaltStack: Modular System
Execution modules
State
Grains
Pillar
Returner
Cloud
Beacon
Runner
…. and many more

9. #oscamp
Foreman & Salt: Scenario
Smart Proxy
Managed Host
foreman_salt
Salt Master
smart_proxy_salt
Salt Minion
REST APIv2 (SSL)
REST
CLI
ZeroMQ (AES)

10. #oscamp
Foreman & Salt: Features
●
During host provisioning
– Install salt minion
– Configure salt minion
– Auto-accept key of salt minion
●
Configuration
– Import salt states from smart proxies
– Assign salt states to hostgroups / hosts
– Configure salt variables using (global/host/hostgroup) parameters
●
Run state.highstate via foreman task
– Receive salt grains from hosts
– Import salt reports (via cronjob)
– Show salt report
●
Smart Proxy handling: Salt Keys / Autosign

11. #oscamp
foreman_salt: Supported features
Host
states
Global /
Host Group /
Host
Parameters
Assign Configure
Report
Use pillars
Grains
Run
state.highstate
Salt Key
Accept
Upload
Assigned states

12. #oscamp
Salt Keys

13. #oscamp
Import Salt states

14. #oscamp
Assign Salt states

15. #oscamp
Salt ENC: pillars
In salt states use:
salt['pillar.get']('foreman_subnets')

16. #oscamp
Ready to run salt state.highstate?
Host
states
Global /
Host Group /
Host
Parameters
Assign Configure
Report
Use pillars
Grains
Run
state.highstate
Salt Key
Accept
Upload
Assigned states

17. #oscamp
Run Salt by ‘push’
Smart Proxy
Salt Master
smart_proxy_salt
Managed Host
Salt Minion
Push state.highstate
OLD: Salt Run via foreman-task (output only
available in Monitor → Tasks)
salt managed.host
state.highstate

18. #oscamp
Salt grains

19. #oscamp
Salt reports

20. #oscamp

21. #oscamp
WTF, I’m maintainer!
●
PR handling
●
A lot of more tests in foreman_salt
●
Tests for smart_proxy_salt
●
Fixes + rubocop
Unit tests
Integration tests
UI tests

22. #oscamp
Challenge accepted!
Hard to configure salt pillar data
Uploading the salt report happens only every 10
minutes by a cronjob
No Salt Remote Execution Provider for using salt to
run jobs (shell, state.highstate, and other
salt.modules.* methods)

23. #oscamp
New: run state.highstate by ‘pull’
Smart Proxy
Salt Master
smart_proxy_salt
Managed Host
Salt Minion
Run state.highstate (and other) via
Remote Execution
Why:
- use salt-ssh
- see job progress / output
salt-call state.highstate
Pull state.highstate

24. #oscamp
state.highstate

25. #oscamp
Remote Execution Provider
Salt Master
Managed Host
Salt Minion
SSH (+ Ansible)
Managed Host
Salt Minion
ZeroMQREX
NEW!!!

26. #oscamp
New: Salt Remote Execution Provider
●
Thanks to Adam Růžička
●
Use salt to execute (every) Remote Execution Job
●
Run state.highstate on one/multiple salt minions

27. #oscamp
Report, please!
Salt Minion
cronjob
Salt Master state.highstate
upload
collect jobs
Salt Minion
state.highstate
upload
NEW!!!
Reactor
Event
event bus
Salt
Master
Smart Proxy

28. #oscamp
New: Salt Reactor for uploading reports
/srv/salt/foreman_report_upload.sls
{% if 'cmd' in data and
data['cmd'] == '_return' and
'fun' in data and
data['fun'] == 'state.highstate' %}
foreman_report_upload:
runner.foreman_report_upload.now:
- args:
- highstate: '{{data|json}}'
{% endif %}
/srv/salt/_runners/foreman_report_upload.py
try:
import HTTPConnection, HTTPSConnection
connection = HTTPSConnection(config[':host'],
port=config[':port'], context=ctx)
connection.request('POST',
'/salt/api/v2/jobs/upload', json.dumps(report),
headers)
salt/master cfg snippet
reactor:
- 'salt/job/*/ret/*':
- /srv/salt/foreman_report_upload.sls

29. #oscamp
Need more pillars!
Salt Master Salt Minionstate.highstate
Host
params
Host Group
params
Global
paramsxyz
params

30. #oscamp
New: Salt Variables
Salt variables similar to puppet / ansible
variables
Why:
- Variable types
- Overwrite values by ‘matchers’
- More user-friendly

31. #oscamp
Salt Variable matchers

32. #oscamp
Be (even) more salt-like
Use the Salt remote execution ecosystem
Support of salt-ssh without minion installation
gitorize everything

33. #oscamp
Links
●
https://www.theforeman.org
●
https://community.theforeman.org
●
https://github.com/ATIX-AG/
●
https://github.com/theforeman/foreman/
●
https://github.com/theforeman/foreman_salt/
●
https://github.com/saltstack/salt/
●
https://www.saltstack.com

34. #oscamp
sbernhard @ #theforeman-dev
https://github.com/sbernhard
@_sBernhard
suttner@atix.de
Thank you!