
.. _tutorial-minionfs:

============================
MinionFS Backend Walkthrough
============================

.. versionadded:: 2014.1.0

.. note::

    This walkthrough assumes basic knowledge of Salt and :mod:`cp.push
    <salt.modules.cp.push>`. To get up to speed, check out the
    :ref:`Salt Walkthrough <tutorial-salt-walk-through>`.

Sometimes it is desirable to deploy a file located on one minion to one or more other minions. This is supported in Salt, and can be accomplished in two parts:

#. Minion support for pushing files to the master (using :py:func:`cp.push
   <salt.modules.cp.push>`)

#. The :mod:`minionfs <salt.fileserver.minionfs>` fileserver backend

This walkthrough will show how to use both of these features.

Enabling File Push
==================

To set the master to accept files pushed from minions, the :conf_master:`file_recv` option in the master config file must be set to ``True`` (the default is ``False``).

.. code-block:: yaml

    file_recv: True

.. note:: This change requires a restart of the salt-master service.

Pushing Files
=============

Once this has been done, files can be pushed to the master using the :py:func:`cp.push <salt.modules.cp.push>` function:

.. code-block:: bash

    salt 'minion-id' cp.push /path/to/the/file

This command will store the file in a subdirectory named ``minions`` under the master's :conf_master:`cachedir`. On most masters, this path will be ``/var/cache/salt/master/minions``. Within this directory will be one directory for each minion which has pushed a file to the master, and underneath that the full path to the file on the minion. So, for example, if a minion with an ID of ``dev1`` pushed a file ``/var/log/myapp.log`` to the master, it would be saved to ``/var/cache/salt/master/minions/dev1/var/log/myapp.log``.

Serving Pushed Files Using MinionFS
===================================

While it is certainly possible to add ``/var/cache/salt/master/minions`` to the master's :conf_master:`file_roots` and serve these files, it may only be desirable to expose files pushed from certain minions. Adding ``/var/cache/salt/master/minions/<minion-id>`` for each minion that needs to be exposed can be cumbersome and prone to errors.

Enter :mod:`minionfs <salt.fileserver.minionfs>`. This fileserver backend will make files pushed using :py:func:`cp.push <salt.modules.cp.push>` available to the Salt fileserver, and provides an easy mechanism to restrict which minions' pushed files are made available.

Simple Configuration
--------------------

To use the :mod:`minionfs <salt.fileserver.minionfs>` backend, add ``minionfs`` to the list of backends in the :conf_master:`fileserver_backend` configuration option on the master:

.. code-block:: yaml

    file_recv: True

    fileserver_backend:
      - roots
      - minionfs

.. note::
    ``minion`` also works here. Prior to the 2018.3.0 release, only
    ``minion`` would work.

    Also, as described earlier, ``file_recv: True`` is needed to enable the
    master to receive files pushed from minions. As always, changes to the
    master configuration require a restart of the ``salt-master`` service.

Files made available via :mod:`minionfs <salt.fileserver.minionfs>` are by default located at ``salt://<minion-id>/path/to/file``. Think back to the earlier example, in which ``dev1`` pushed a file ``/var/log/myapp.log`` to the master. With :mod:`minionfs <salt.fileserver.minionfs>` enabled, this file would be addressable in Salt at ``salt://dev1/var/log/myapp.log``.

If many minions have pushed to the master, this will result in many directories in the root of the Salt fileserver. For this reason, it is recommended to use the :conf_master:`minionfs_mountpoint` config option to organize these files underneath a subdirectory:

.. code-block:: yaml

    minionfs_mountpoint: salt://minionfs

Using the above mountpoint, the file in the example would be located at ``salt://minionfs/dev1/var/log/myapp.log``.

Restricting Certain Minions' Files from Being Available Via MinionFS
--------------------------------------------------------------------

A whitelist and blacklist can be used to restrict the minions whose pushed files are available via :mod:`minionfs <salt.fileserver.minionfs>`. These lists can be managed using the :conf_master:`minionfs_whitelist` and :conf_master:`minionfs_blacklist` config options. Click the links for both of them for a detailed explanation of how to use them.

A more complex configuration example, which uses both a whitelist and blacklist, can be found below:

.. code-block:: yaml

    file_recv: True

    fileserver_backend:
      - roots
      - minionfs

    minionfs_mountpoint: salt://minionfs

    minionfs_whitelist:
      - host04
      - web*
      - 'mail\d+\.domain\.tld'

    minionfs_blacklist:
      - web21

Potential Concerns
==================

* There is no access control in place to restrict which minions have access to files served up by :mod:`minionfs <salt.fileserver.minionfs>`. All minions will have access to these files.

* Unless the :conf_master:`minionfs_whitelist` and/or :conf_master:`minionfs_blacklist` config options are used, all minions which push files to the master will have their files made available via :mod:`minionfs <salt.fileserver.minionfs>`.
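
Because every minion can read whatever minionfs serves, it helps to review which pushed files a given whitelist and blacklist would actually publish. The following Python script is an added example, not part of the Salt documentation or code base; it assumes each list entry is tried as a shell glob and then as an anchored regular expression, that a blacklist match overrides the whitelist, and it runs over a constructed ``PUSHED`` inventory.

```python
import fnmatch
import re


def _matches(minion_id, patterns):
    # Assumption: each entry is tried as a shell glob, then as an anchored regex.
    for pat in patterns:
        if fnmatch.fnmatchcase(minion_id, pat):
            return True
        try:
            if re.fullmatch(pat, minion_id):
                return True
        except re.error:
            continue  # entry is a glob that is not a valid regex
    return False


def is_exposed(minion_id, whitelist=(), blacklist=()):
    """Blacklist wins; an empty whitelist means every non-blacklisted minion."""
    if _matches(minion_id, blacklist):
        return False
    return not whitelist or _matches(minion_id, whitelist)


def exposed_urls(pushed, whitelist=(), blacklist=(), mountpoint="salt://"):
    """Return the salt:// URLs that any minion could fetch via minionfs."""
    prefix = re.sub(r"^salt://", "", mountpoint).strip("/")
    urls = []
    for minion_id in sorted(pushed):
        if not is_exposed(minion_id, whitelist, blacklist):
            continue
        for path in pushed[minion_id]:
            parts = [p for p in (prefix, minion_id, path.lstrip("/")) if p]
            urls.append("salt://" + "/".join(parts))
    return urls


# Constructed sample: minion ID -> files it pushed with cp.push
PUSHED = {
    "dev1": ["/var/log/myapp.log"],
    "host04": ["/root/backup.tar"],
    "mail7.domain.tld": ["/etc/postfix/main.cf"],
    "web01": ["/etc/nginx/nginx.conf"],
    "web21": ["/etc/ssl/private/site.key"],
}
WHITELIST = ["host04", "web*", r"mail\d+\.domain\.tld"]  # from the config above
BLACKLIST = ["web21"]

if __name__ == "__main__":
    for url in exposed_urls(PUSHED, WHITELIST, BLACKLIST, "salt://minionfs"):
        print(url)
```

Calling ``exposed_urls(PUSHED)`` with no lists returns a URL for every pushed file, which is the second concern above.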