Salt support in Foreman is implemented through two plugins, smart_proxy_salt and foreman_salt. These plugins enable Foreman to manage Salt minions, including provisioning, keys, states, pillars, and grains, as well as providing advanced reporting features.
The core plugin major version will increment with the specific Foreman release, as shown in the table below. Proxy releases tend to be compatible for longer, as the Foreman Proxy plugin API changes less frequently.
|1.6.x||0.x||0.x - 1.x|
|1.7.x||1.x||0.x - 1.x|
We’d like to thank the following people who contributed to Foreman Salt:
Arnold Bechtoldt, Daniel Lobato, Dominic Cleal, Marek Hulán, Michael Moll, Sherif Nagy, Lukáš Zapletal, Stephen Benjamin
You will need to install the Smart Proxy plugin,
smart_proxy_salt, as well as the Foreman plugin,
foreman_salt. RPM and DEB packages are available in the official Foreman repositories.
If using the Foreman installer, install the core and smart proxy plugins with:
foreman-installer --enable-foreman-plugin-salt --enable-foreman-proxy-plugin-salt
For manual installation, see the plugin manual for more info.
Install the Salt Smart Proxy package for your operating system (see above). The Salt smart proxy needs to run on the same server as your Salt master, and the foreman-proxy user needs to be able to run the ‘salt’ and ‘salt-key’ commands via sudo.
Add this to /etc/sudoers:
Cmnd_Alias SALT = /usr/bin/salt, /usr/bin/salt-key foreman-proxy ALL = (ALL) NOPASSWD: SALT Defaults:foreman-proxy !requiretty
For the salt-api, ensure the salt-api package is installed, and a supported server such as python-cherrypy is installed.
/etc/salt/master, make the following changes:
Configure Salt to use the Foreman external node classifier:
master_tops: ext_nodes: /usr/bin/foreman-node
In order to enable pillar data as well:
ext_pillar: - puppet: /usr/bin/foreman-node
Enable the autosign file, which the Smart Proxy will manage:
Set group ownership to foreman-proxy and allow group writing:
touch /etc/salt/autosign.conf chgrp foreman-proxy /etc/salt/autosign.conf chmod g+w /etc/salt/autosign.conf
/etc/salt/foreman.yaml, make the following changes:
:proto: https :host: foreman.example.com :port: 443 :ssl_ca: "/etc/puppetlabs/puppet/ssl/ssl_ca.pem" :ssl_cert: "/etc/puppetlabs/puppet/ssl/client_cert.pem" :ssl_key: "/etc/puppetlabs/puppet/ssl/client_key.pem" :timeout: 10 :salt: /usr/bin/salt :upload_grains: true
If your Smart Proxy uses SSL, then the certs and key configured in the YAML should be the same ones it uses to talk to Foreman. If you’re already using Puppet in Foreman, consult
/etc/puppet/node.rb for those settings.
To support state and environment importing, configure salt-api as per the Salt documentation. The user for the Smart Proxy requires a minimum of the
@runner permission. An example for CherryPy is below, using the Puppet certificates for SSL.
Create a system user for the API to use (in this case ‘saltuser’):
adduser --no-create-home -s /bin/false -d / saltuser passwd saltuser # enter "saltpassword" twice
Add the following section to your /etc/salt/master, and specify the system user you have just created (in this case ‘saltuser’):
external_auth: pam: saltuser: - '@runner' rest_cherrypy: port: 9191 host: 0.0.0.0 ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem ssl_crt: /etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem
/etc/foreman-proxy/settings.d/salt.yml, and configure the API-related settings:
:use_api: true :api_auth: pam :api_url: https://saltmaster.bitbin.de:9191 :api_username: saltuser :api_password: saltpassword
Then restart the services mentioned in the next section for the changes to take effect.
If you’re struggling to get SSL to work between the Salt API and the Foreman Proxy, you can disable SSL on the Salt API. Obviously this would be for troubleshooting or sandbox environments, not production installs. You can configure it like this:
rest_cherrypy: port: 9191 host: 127.0.0.1 disable_ssl: true
You’ll also need to change the URL in the Foreman Proxy config to
http (the rest of the config remains as above):
... :api_url: http://saltmaster.bitbin.de:9191 ....
Add the Smart Proxy to Foreman (under Infrastructure, Smart Proxies). If it is an existing smart proxy, click ‘Refresh Features’. You should see it has the Salt feature.
Ensure you have the latest stable foreman-release package, and follow the Foreman upgrade instructions, including backing up your database.
To support state and environment importing, configure salt-api as per the Salt documentation, and ensure the service is started on boot. See the Smart Proxy installation section for an example of how to configure the API.
When creating a new Host, you’ll see a drop down to select the ‘Salt Master’.
Hosts assigned a Salt Master will provision and register as minions automatically. The default Foreman templates support this. If you are installing on an existing Foreman installation, you may need to update your templates to the latest, perhaps by using the templates plugin.
Provisioning works as follows on a host with a salt master defined:
salt-call --grainsis run in order to trigger key signing
From the States index page, you have an overview of all the states from your Salt master, and the environments they are available in. To refresh this data, use the Import button on the top right of the screen.
Foreman provides an interface for adding Salt states to either a Foreman host group or a host. Salt will know to apply these states through the external node classification feature. This is done in addition to top.sls.
In the example below, the inherited states are coming from the host’s host group, and you may add additional states specifically to this new host:
This plugin provides a UI interface to both Salt Keys and the Autosign entries. Navigate to the Smart Proxy’s page, and click on ‘Salt Keys’ or ‘Salt Autosign’ next to the Smart Proxy in the action buttons.
Foreman manages the lifecycle of a salt minion’s keys. When the minion provisions, the autosign record will be added automatically, and when the build finishes it is removed. You may also manually enter an autosign entry, for example, to support automatically signing an entire domain managed outside foreman (e.g. ‘*.example.com’).
The Salt Keys interface allows you to manually accept, reject, or delete keys. This is useful for managing hosts outside of Foreman’s orchestration.
“Run Salt” button on the hosts page will trigger a
Results of a highstate run will show up in Monitor / Reports if using the upload-salt-reports feature of the Smart Proxy.
You can also review executed state.highstate runs with the jobs runner on the Salt Master:
salt-run jobs.lookup_jid 20140921213537978546
Foreman parameters are available inside Salt by setting ext_pillar in /etc/salt/master:
ext_pillar: - puppet: /usr/bin/foreman-node
By default, Foreman pillars are sent to the top-level pillar namespace, but if you’d like them confined to their own namespace, change the Foreman setting called
salt_namespace_pillars to true. Currently, Foreman parameters are limited to String values only.
Cached grains are uploaded to Foreman when an external node classifier is run (e.g. when running state.highstate). You can view them in Foreman’s Fact browser. Structured facts are navigable by clicking on the name and drilling down in child values.
state.highstate, you can have Foreman process the results and show them in the UI. These reports show statistics about what was done, how long it took, complete with pie charts and file diffs.
By default, reports are uploaded to Foreman once every 10 minutes from the Salt master’s job cache. You may modify the smart_proxy_salt cron job to customize this.
If you want to schedule your minions to run Salt on a recurring basis, you could modify the cron job to execute something like this:
(salt '*' -b 1000 state.highstate && sleep 60 && /usr/sbin/upload-salt-reports) >> /var/log/foreman-proxy/salt-cron.log
Why not use a returner?
Support for a custom returner would make this cron on the master unnecessary, however, there are limitations on both the Salt and Foreman Proxy side that make this impossible to do securely (for now).
Foreman Salt extends v2 of the Foreman RESTful API with Salt-specific features. See the Foreman manual for general info on the API, and view the full API documentation is available on your Foreman server:
Using Curl to get a list of keys from “smartproxy.example.com”:
curl -k -u admin:changeme -H "Accept: version=2,application/json" https://localhost/salt/api/v2/salt_keys/smartproxy.example.com
hammer salt-state create --name foo.bar
hammer salt-minion info --name minion.example.com
hammer salt-minion update --name minion.example.com --salt-states foo.bar
If you find a bug, please file it in Redmine. You can find us on libera.chat on #theforeman as well.
See the troubleshooting section in the Foreman manual for more info.
Follow the same process as Foreman for contributing.