@eliasp
Last active December 27, 2015 20:29
Saltmaster Dockerfiles
python-pip:
  pkg.installed

docker-py:
  pip.installed:
    - require:
      - pkg: python-pip

# TODO: ensure docker-py is declared a requirement for all dockerio states without having to explicitly declare the requirement in each container state again
saltmaster-container:
  docker.installed:
    - name: saltmaster-daemon
    - hostname: salt.dep.institution.tld
    - image: saltmaster-daemon
    # requisites take a list of "<state module>: <id>" entries, not a bare id
    - require_in:
      - docker: saltmaster

saltmaster:
  docker.running:
    - container: saltmaster-daemon
    - binds:
        /media/volumes/salt/master/pki: /var/lib/salt/pki
        /media/volumes/salt/master/fileserver: /srv/salt
    - port_bindings:
        "4505/tcp":
          HostIp: "0.0.0.0"
          HostPort: "4505"
        "4506/tcp":
          HostIp: "0.0.0.0"
          HostPort: "4506"

FROM ubuntu:14.04
RUN apt-get update
RUN apt-get install -y --force-yes \
    software-properties-common \
    pciutils \
    debconf-utils
RUN add-apt-repository -y ppa:saltstack/salt
RUN apt-get update
# Make sure the Salt installation succeeds although it can't find any running Upstart
RUN dpkg-divert --local --rename --add /sbin/initctl
RUN ln -sf /bin/true /sbin/initctl
RUN apt-get install -y --force-yes \
    salt-common \
    salt-master \
    python-pip \
    python-cherrypy3 \
    python-ldap \
    python-git
# SSH identity for accessing the git repository for saltmaster's gitfs
# Note: files added with ADD are stored in the image layers, so this private key
# is readable by anyone who can pull the image (a later RUN rm does not remove it).
ADD id_rsa /root/.ssh/id_rsa
ADD id_rsa.pub /root/.ssh/id_rsa.pub
ADD known_hosts /root/.ssh/known_hosts
ENV HOME /root
WORKDIR /root

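The base Dockerfile above copies a private SSH key into the image and installs packages with `--force-yes`. The following POSIX shell lint is an added example, not part of the gist: it scans a Dockerfile for those two patterns (private-key-looking files passed to ADD/COPY, and apt-get install runs with `--force-yes`, which lets apt install packages it cannot authenticate) and reports them by line number. The function names, the sample Dockerfile it writes, and the filename heuristics are assumptions made for the example.

```shell
#!/bin/sh
# Added lint for Dockerfiles of the kind shown in the gist (example code, not the
# gist's own). Reports secrets baked into layers and unauthenticated apt installs.

# Usage: lint_dockerfile <path-to-Dockerfile>
# Prints one "<line>: <reason>" per finding; returns 1 if anything was found.
lint_dockerfile() {
    _df="$1"
    _found=0
    _n=0
    # "|| [ -n ... ]" also handles a final line without a trailing newline
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case "$_line" in
            "ADD "*|"COPY "*)
                # Anything copied into a layer stays in the image history,
                # even if a later RUN deletes the file again.
                case "$_line" in
                    *.pub*) ;;   # public halves of a key pair are fine
                    *id_rsa*|*id_ed25519*|*id_ecdsa*|*.pem*|*.key*)
                        # heuristic filename match (assumption of this example)
                        printf '%s: %s\n' "$_n" "private key copied into image layer"
                        _found=1 ;;
                esac ;;
            "RUN "*)
                case "$_line" in
                    *apt-get*install*--force-yes*)
                        printf '%s: %s\n' "$_n" "apt --force-yes allows unauthenticated packages"
                        _found=1 ;;
                esac ;;
        esac
    done < "$_df"
    return $_found
}

# Writes a constructed sample Dockerfile (modelled on the gist's base image)
# and prints its path. Lines 3 and 4 are the ones the lint should report.
write_sample_dockerfile() {
    _f="${TMPDIR:-/tmp}/lint-sample.$$.Dockerfile"
    cat > "$_f" <<'EOF'
FROM ubuntu:14.04
RUN apt-get update
RUN apt-get install -y --force-yes salt-master
ADD id_rsa /root/.ssh/id_rsa
ADD id_rsa.pub /root/.ssh/id_rsa.pub
ADD known_hosts /root/.ssh/known_hosts
RUN rm /root/.ssh/id_rsa
EOF
    echo "$_f"
}

# Stand-alone demo: lint the constructed sample.
sample=$(write_sample_dockerfile)
lint_dockerfile "$sample" || echo "lint: findings in $sample (expected for the sample)"
rm -f "$sample"
```

To check a real file, source the script and call `lint_dockerfile ./Dockerfile`; a non-zero exit status makes it usable as a CI gate. The fix for the key finding is to mount the identity at build or run time (a volume, or a build secret in newer Docker versions) instead of adding it to the image.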
FROM saltmaster-base
ADD external_auth.conf /etc/salt/master.d/external_auth.conf
ADD fileserver.conf /etc/salt/master.d/fileserver.conf
ADD pki.conf /etc/salt/master.d/pki.conf
RUN mkdir -p /var/lib/salt/pki/master
EXPOSE 4505 4506 8080
VOLUME /etc/salt
# Should be mounted from the host as it contains persistent data (the Salt PKI), defining it as a volume will cause a mess when running the container…
#VOLUME /var/lib/salt/pki/master
VOLUME /var/cache/salt/master
VOLUME /run/salt/master
# Should be mounted from the host as it contains persistent data (the Salt repository)
#VOLUME /srv/salt
RUN mkdir -p /var/cache/salt/master/gitfs
ENV HOME /root
CMD ["/usr/bin/salt-master", "-l", "info"]

# grants the PAM user "salt" every execution module plus all runner and wheel functions
external_auth:
  pam:
    salt:
      - .*
      - '@runner'
      - '@wheel'

fileserver_backend:
  - roots
  - git
file_roots:
  base:
    - /srv/salt
  dev:
    - /srv/salt
gitfs_remotes:
  - git@git.dep.institution.tld:salt-states.git
  - git@git.dep.institution.tld:salt-minions.git
  - git@git.dep.institution.tld:salt-formulas.git

pki_dir: /var/lib/salt/pki/master

FROM saltmaster-base
RUN apt-get install -y --force-yes vim git openssh-client
# Workaround for https://github.com/saltstack/salt/issues/8009
ADD local-salt.conf /root/.saltrc
ENV HOME /root
CMD ["/bin/bash"]

# to be removed once https://github.com/saltstack/salt/issues/8009 is fixed
# simply using 'master' works fine without any changes, as long as the saltmaster-shell container is started with `--link=saltmaster-daemon:master`
interface: master
@eliasp

eliasp commented Jul 26, 2014

Please note that using root as the user is not optimal. This should nowadays be replaced with a dedicated salt user or something similar. That's a relic of the early Docker days which was required back then for a workaround I don't remember anymore.

@seamusabshere

@eliasp can you clarify this section?

VOLUME /etc/salt
# Should be mounted from the host as it contains persistent data (the Salt PKI), defining it as a volume will cause a mess when running the container…
#VOLUME /var/lib/salt/pki/master
VOLUME /var/cache/salt/master
VOLUME /run/salt/master
# Should be mounted from the host as it contains persistent data (the Salt repository)
#VOLUME /srv/salt

specifically, do you mean /var/lib/salt/pki/master and /srv/salt should be added as volumes at runtime but not here?

@eliasp

eliasp commented Sep 16, 2014

  • /var/lib/salt/pki/master

    contains the PKI (CA, Minion certificates waiting to be accepted, already accepted Minion certificates). This means the data in this volume/directory should not be stored in the container itself, otherwise the whole PKI would be lost when destroying the container. Instead, the PKI should reside outside the container (e.g. on the host's filesystem, on a NFS share mounted on the host, …). This way the PKI is stored in a persistent way and is not interfered with by destroying the saltmaster-daemon container.

  • /srv/salt

    here contains binary data (mostly installers) required for the Win Repo. The same as for the PKI applies here - these are persistent data which should not go into the container itself. For people not using GitFS, this would also serve all other persistent Salt files like SLS files, templates, etc.

So if you start your saltmaster-daemon container manually, it should be done like this:

docker run --detach --name=saltmaster-daemon --volume=/media/volumes/salt/pki:/var/lib/salt/pki/master --volume=/media/volumes/salt/fileserver:/srv/salt --publish=4505:4505 --publish=4506:4506 saltmaster-daemon

As many saltmaster-shell containers as required can then be attached to the saltmaster-daemon:

docker run --interactive --tty --rm --volumes-from=saltmaster-daemon --link=saltmaster-daemon:master saltmaster-shell
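The two commands above mount the PKI and fileserver directories from the host. Since the PKI directory holds the master's private key, it is worth preparing those host directories with restrictive permissions before the first start. The following POSIX shell helper is an added example, not part of the gist or its comments: it creates the host directories, checks that the PKI directory is not readable by group or others, and prints the `docker run` line from the comment above with the paths filled in. The function names and the base-directory parameter are assumptions of the example; the gist itself uses /media/volumes/salt.

```shell
#!/bin/sh
# Added helper (example code, not the gist's own): prepare the host volumes
# for saltmaster-daemon and emit the matching docker run command.

# Usage: prepare_salt_volumes <base-dir>
# Creates <base-dir>/pki (owner-only) and <base-dir>/fileserver.
prepare_salt_volumes() {
    _base="$1"
    # master.pem, the accepted/pending minion keys and the CA live here
    mkdir -p "$_base/pki"
    chmod 700 "$_base/pki"
    # roots fileserver content (Win Repo installers, SLS files without gitfs)
    mkdir -p "$_base/fileserver"
    chmod 755 "$_base/fileserver"
}

# Usage: check_pki_perms <pki-dir>
# Returns 0 only if group and others have no access bits on the directory.
check_pki_perms() {
    # columns 5-10 of "ls -ld" are the group and other permission bits
    _mode=$(ls -ld "$1" | cut -c5-10)
    [ "$_mode" = "------" ]
}

# Usage: saltmaster_run_cmd <base-dir>
# Prints the docker run line from the gist comment; refuses if the PKI
# directory is readable by anyone but its owner.
saltmaster_run_cmd() {
    _base="$1"
    check_pki_perms "$_base/pki" || {
        echo "refusing: $_base/pki is readable by group or others" >&2
        return 1
    }
    printf 'docker run --detach --name=saltmaster-daemon'
    printf ' --volume=%s/pki:/var/lib/salt/pki/master' "$_base"
    printf ' --volume=%s/fileserver:/srv/salt' "$_base"
    printf ' --publish=4505:4505 --publish=4506:4506 saltmaster-daemon\n'
}

# Stand-alone use: sh prepare-volumes.sh /media/volumes/salt
if [ -n "${1:-}" ]; then
    prepare_salt_volumes "$1" && saltmaster_run_cmd "$1"
fi
```

The helper only prints the command rather than running it, so the output can be reviewed (or fed to `sh`) once the directories look right. The permission check is deliberately a hard failure: a world-readable PKI directory on the host exposes the master key to every local user, regardless of what the container does with it.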

@eliasp

eliasp commented Sep 16, 2014

Something I should have mentioned in my previous comment:
The whole idea of Docker containers is: to be disposable. They provide a static set of runtime data, but should never contain any persistent data. All working data need to be stored outside of a container.

Otherwise, one would lose all these data each time a container is updated (e.g. updating from Salt 2014.1.9 to 2014.1.10).
