Salt support in Foreman is implemented through two plugins, smart_proxy_salt and foreman_salt. These plugins enable Foreman to manage Salt minions, including provisioning, keys, states, pillars, and grains, as well as providing advanced reporting features.
The core plugin major version will increment with the specific Foreman release, as shown in the table below. Proxy releases tend to be compatible for longer, as the Foreman Proxy plugin API changes less frequently.
|1.6.x||0.x||0.x - 1.x|
|1.7.x||1.x||0.x - 1.x|
2.0: Foreman 1.8 compatibility
1.0: Support for uploading Salt state.highstate reports
0.0.2: First public release. See the wiki for info on current API end points.
We’d like to thank the following people who contributed to Foreman Salt:
Arnold Bechtoldt, Daniel Lobato, Dominic Cleal, Michael Moll, Lukáš Zapletal, Stephen Benjamin
You will need to install the Smart Proxy plugin,
smart_proxy_salt, as well as the Foreman plugin,
foreman_salt. RPM and DEB packages are available in the official Foreman repositories.
If using the Foreman installer, install the core and smart proxy plugins with:
foreman-installer --enable-foreman-plugin-salt --enable-foreman-proxy-plugin-salt
For manual installation, see How to Install a Plugin for more info.
Install the Salt Smart Proxy package for your operating system (see above). The Salt smart proxy needs to run on the same server as your Salt master, and the foreman-proxy user needs to be able to run the ‘salt’ and ‘salt-key’ commands via sudo.
Add this to /etc/sudoers:
Cmnd_Alias SALT = /usr/bin/salt, /usr/bin/salt-key foreman-proxy ALL = (ALL) NOPASSWD: SALT Defaults:foreman-proxy !requiretty
/etc/salt/master, make the following changes:
Configure Salt to use the Foreman external node classifier:
master_tops: ext_nodes: /usr/bin/foreman-node
In order to enable pillar data as well:
ext_pillar: - puppet: /usr/bin/foreman-node
Enable the autosign file, which the Smart Proxy will manage:
Set group ownership to foreman-proxy and allow group writing:
touch /etc/salt/autosign.conf chgrp foreman-proxy /etc/salt/autosign.conf chmod g+w /etc/salt/autosign.conf
/etc/salt/foreman.yaml to set the appropriate settings:
--- :proto: https :host: foreman.example.com :port: 443 :ssl_ca: "/etc/puppet/ssl_ca.pem" :ssl_cert: "/etc/puppet/client_cert.pem" :ssl_key: "/etc/puppet/client_key.pem" :timeout: 10 :salt: /usr/bin/salt :upload_grains: true
If your Smart Proxy uses SSL, then the certs and key configured in the YAML should be the same ones it uses to talk to Foreman. If you’re already using Puppet in Foreman, consult
/etc/puppet/node.rb for those settings.
Add the Smart Proxy to Foreman (under Infrastructure, Smart Proxies). If it is an existing smart proxy, click ‘Refresh Features’. You should see it has the Salt feature.
When creating a new Host, you’ll see a drop down to select the ‘Salt Master’.
Hosts assigned a Salt Master will provision and register as minions automatically. The default Foreman templates support this. If you are installing on an existing Foreman installation, you may need to update your templates to the latest, perhaps by using the templates plugin.
Provisioning works as follows on a host with a salt master defined:
salt-call --grainsis run in order to trigger key signing
Foreman provides an interface for adding Salt states to either a Foreman host group or a host. Salt will know to apply these states through the external node classification feature. This is done in addition to top.sls.
In the example below, the inherited states are coming from the host’s host group, and you may add additional states specifically to this new host:
This plugin provides a UI interface to both Salt Keys and the Autosign entries. Navigate to the Smart Proxy’s page, and click on ‘Salt Keys’ or ‘Salt Autosign’ next to the Smart Proxy in the action buttons.
Foreman manages the lifecycle of a salt minion’s keys. When the minion provisions, the autosign record will be added automatically, and when the build finishes it is removed. You may also manually enter an autosign entry, for example, to support automatically signing an entire domain managed outside foreman (e.g. ‘*.example.com’).
The Salt Keys interface allows you to manually accept, reject, or delete keys. This is useful for managing hosts outside of Foreman’s orchestration.
“Run Salt” button on the hosts page will trigger a
Results of a highstate run will show up in Monitor / Reports if using the upload-salt-reports feature of the Smart Proxy.
You can also review executed state.highstate runs with the jobs runner on the Salt Master:
salt-run jobs.lookup_jid 20140921213537978546
Foreman parameters are available inside Salt by setting ext_pillar in /etc/salt/master:
ext_pillar: - puppet: /usr/bin/foreman-node
By default, Foreman pillars are sent to the top-level pillar namespace, but if you’d like them confined to their own namespace, change the Foreman setting called
salt_namespace_pillars to true. Currently, Foreman parameters are limited to String values only.
Cached grains are uploaded to Foreman when an external node classifier is run (e.g. when running state.highstate). You can view them in Foreman’s Fact browser. Structured facts are navigable by clicking on the name and drilling down in child values.
state.highstate, you can have Foreman process the results and show them in the UI. These reports show statistics about what was done, how long it took, complete with pie charts and file diffs.
By default, reports are uploaded to Foreman once every 10 minutes from the Salt master’s job cache. You may modify the smart_proxy_salt cron job to customize this.
If you want to schedule your minions to run Salt on a recurring basis, you could modify the cron job to execute something like this:
(salt '*' -b 1000 state.highstate && sleep 60 && /usr/sbin/upload-salt-reports) >> /var/log/foreman-proxy/salt-cron.log
Why not use a returner?
Support for a custom returner would make this cron on the master unnecessary, however, there are limitations on both the Salt and Foreman Proxy side that make this impossible to do securely (for now).
Foreman Salt extends v2 of the Foreman RESTful API with Salt-specific features. See the Foreman manual for general info on the API, and view the full API documentation is available on your Foreman server:
Using Curl to get a list of keys from “smartproxy.example.com”:
curl -k -u admin:changeme -H "Accept: version=2,application/json" https://localhost/salt/api/v2/salt_keys/smartproxy.example.com
hammer salt-state create --name foo.bar
hammer salt-minion info --name minion.example.com
hammer salt-minion update --name minion.example.com --salt-states foo.bar
If you find a bug, please file it in Redmine. You can find us on libera.chat on #theforeman as well.
See the troubleshooting section in the Foreman manual for more info.
Follow the same process as Foreman for contributing.
The 2021 community survey is now live! Please take a few minutes to fill it out and help us make Foreman better!