Last active
December 27, 2015 20:29
Saltmaster Dockerfiles
```yaml
python-pip:
  pkg.installed

docker-py:
  pip.installed:
    - require:
      - pkg: python-pip

# TODO: ensure docker-py is declared a requirement for all dockerio states
# without having to explicitly declare the requirement in each container state again
saltmaster-container:
  docker.installed:
    - name: saltmaster-daemon
    - hostname: salt.dep.institution.tld
    - image: saltmaster-daemon
    # requisites are lists of "<state module>: <id>" entries
    - require_in:
      - docker: saltmaster

saltmaster:
  docker.running:
    - container: saltmaster-daemon
    # persistent data (PKI, fileserver) lives on the host, not in the container
    - binds:
        /media/volumes/salt/master/pki: /var/lib/salt/pki
        /media/volumes/salt/master/fileserver: /srv/salt
    # the master ports are published on every host interface so minions can reach them
    - port_bindings:
        "4505/tcp":
          HostIp: "0.0.0.0"
          HostPort: "4505"
        "4506/tcp":
          HostIp: "0.0.0.0"
          HostPort: "4506"
```
```dockerfile
FROM ubuntu:14.04

RUN apt-get update
RUN apt-get install -y --force-yes \
    software-properties-common \
    pciutils \
    debconf-utils
RUN add-apt-repository -y ppa:saltstack/salt
RUN apt-get update

# Make sure the Salt installation succeeds although it can't find any running Upstart
RUN dpkg-divert --local --rename --add /sbin/initctl
RUN ln -sf /bin/true /sbin/initctl

RUN apt-get install -y --force-yes \
    salt-common \
    salt-master \
    python-pip \
    python-cherrypy3 \
    python-ldap \
    python-git

# SSH identity for accessing the git repository for saltmaster's gitfs
# Note: the private key becomes part of an image layer, so every image built on
# saltmaster-base (and anyone able to pull it) carries this key
ADD id_rsa /root/.ssh/id_rsa
ADD id_rsa.pub /root/.ssh/id_rsa.pub
ADD known_hosts /root/.ssh/known_hosts

ENV HOME /root
WORKDIR /root
```
```dockerfile
FROM saltmaster-base

ADD external_auth.conf /etc/salt/master.d/external_auth.conf
ADD fileserver.conf /etc/salt/master.d/fileserver.conf
ADD pki.conf /etc/salt/master.d/pki.conf
RUN mkdir -p /var/lib/salt/pki/master

EXPOSE 4505 4506 8080

VOLUME /etc/salt
# Should be mounted from the host as it contains persistent data (the Salt PKI);
# defining it as a volume will cause a mess when running the container…
#VOLUME /var/lib/salt/pki/master
VOLUME /var/cache/salt/master
VOLUME /run/salt/master
# Should be mounted from the host as it contains persistent data (the Salt repository)
#VOLUME /srv/salt
RUN mkdir -p /var/cache/salt/master/gitfs

ENV HOME /root
CMD ["/usr/bin/salt-master", "-l", "info"]
```
```yaml
# The PAM user "salt" may call any execution module function on any minion,
# plus every runner and wheel function (wheel includes minion key management).
external_auth:
  pam:
    salt:
      - .*
      - '@runner'
      - '@wheel'
```
```yaml
fileserver_backend:
  - roots
  - git

file_roots:
  base:
    - /srv/salt
  dev:
    - /srv/salt

gitfs_remotes:
  - git@git.dep.institution.tld:salt-states.git
  - git@git.dep.institution.tld:salt-minions.git
  - git@git.dep.institution.tld:salt-formulas.git
```
```yaml
pki_dir: /var/lib/salt/pki/master
```
```dockerfile
FROM saltmaster-base

RUN apt-get install -y --force-yes vim git openssh-client

# Workaround for https://github.com/saltstack/salt/issues/8009
ADD local-salt.conf /root/.saltrc

ENV HOME /root
CMD ["/bin/bash"]
```
```yaml
# to be removed once https://github.com/saltstack/salt/issues/8009 is fixed
# simply using 'master' works fine without any changes, as long as the saltmaster-shell
# container is started with `--link=saltmaster-shell:master`
interface: master
```
Something I should have mentioned in my previous comment:
The whole idea of Docker containers is: to be disposable. They provide a static set of runtime data, but should never contain any persistent data. All working data need to be stored outside of a container.
Otherwise, one would lose all these data each time a container is updated (e.g. updating from Salt 2014.1.9 to 2014.1.10).
`/var/lib/salt/pki/master` contains the PKI (CA, Minion certificates waiting to be accepted, already accepted Minion certificates). This means the data in this volume/directory should not be stored in the container itself, otherwise the whole PKI would be lost when destroying the container. Instead, the PKI should reside outside the container (e.g. on the host's filesystem, on an NFS share mounted on the host, …). This way the PKI is stored in a persistent way and is not interfered with by destroying the `saltmaster-daemon` container.

`/srv/salt` contains here binary data (mostly installers) required for the Win Repo. The same as for the PKI applies here - these are persistent data which should not go into the container itself. For people not using GitFS, this would also serve all other persistent Salt files like SLS files, templates, etc.

So if you start your `saltmaster-daemon` container manually, it should be done like this:

```shell
docker run --detach --name=saltmaster-daemon --volume=/media/volumes/salt/pki:/var/lib/salt/pki/master --volume=/media/volumes/salt/fileserver:/srv/salt --publish=4505:4505 --publish=4506:4506 saltmaster-daemon
```

As many `saltmaster-shell` containers as required can then be attached to the `saltmaster-daemon`:

```shell
docker run --interactive --tty --rm --volumes-from=saltmaster-daemon --link=saltmaster-daemon:master saltmaster-shell
```