Gist eliasp/7385009
```yaml
# Salt state (SLS) that builds and runs the saltmaster-daemon container on a
# Docker host through the dockerio state module (virtual name `docker`).
python-pip:
  pkg.installed

docker-py:
  pip.installed:
    - require:
      - pkg: python-pip

# TODO: ensure docker-py is declared a requirement for all dockerio states
# without having to explicitly declare the requirement in each container state again

saltmaster-container:
  docker.installed:
    - name: saltmaster-daemon
    - hostname: salt.dep.institution.tld
    - image: saltmaster-daemon
    # requisites take a list of `<state module>: <id>` pairs, not a bare id
    - require_in:
      - docker: saltmaster

saltmaster:
  docker.running:
    - container: saltmaster-daemon
    # host path: container path; PKI and fileserver stay on the host so they
    # survive the container being destroyed and rebuilt
    - binds:
        /media/volumes/salt/master/pki: /var/lib/salt/pki
        /media/volumes/salt/master/fileserver: /srv/salt
    # publish the Salt publish (4505) and request (4506) ports on all host interfaces
    - port_bindings:
        "4505/tcp":
          HostIp: "0.0.0.0"
          HostPort: "4505"
        "4506/tcp":
          HostIp: "0.0.0.0"
          HostPort: "4506"
```
```dockerfile
# Dockerfile for the saltmaster-base image (the FROM target of the daemon and shell images below)
FROM ubuntu:14.04

RUN apt-get update
# --force-yes also silences apt's "packages cannot be authenticated" check,
# so a package from a compromised mirror or PPA would install without complaint
RUN apt-get install -y --force-yes \
    software-properties-common \
    pciutils \
    debconf-utils

RUN add-apt-repository -y ppa:saltstack/salt
RUN apt-get update

# Make sure the Salt installation succeeds even though no Upstart is running:
# the package postinst tries to start the service via initctl, which is
# diverted to /bin/true here
RUN dpkg-divert --local --rename --add /sbin/initctl
RUN ln -sf /bin/true /sbin/initctl

RUN apt-get install -y --force-yes \
    salt-common \
    salt-master \
    python-pip \
    python-cherrypy3 \
    python-ldap \
    python-git

# SSH identity for accessing the git repository for saltmaster's gitfs.
# Caveat: ADD writes the private key into an image layer, where anyone who can
# pull or `docker save` the image can read it, even if a later RUN deletes it;
# bind-mounting the key at run time keeps it out of the image.
ADD id_rsa /root/.ssh/id_rsa
ADD id_rsa.pub /root/.ssh/id_rsa.pub
ADD known_hosts /root/.ssh/known_hosts

ENV HOME /root
WORKDIR /root
```
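The three build-time choices worth flagging in the Dockerfile above (a private key copied into a layer, `--force-yes`, everything running as root) are easy to catch mechanically. The following audit script is an added example, not code from the gist or from Salt/Docker: `WEAK` is a trimmed copy of the saltmaster-base Dockerfile, `HARDENED` is a constructed counterpart (its `sha256` digest is a placeholder of 64 zeros, not a real image digest), and the rule names and `audit_dockerfile` API are this example's own.

```python
"""Audit a Dockerfile for build-time choices that leak secrets or weaken trust.

Added example, not part of the gist. WEAK is a trimmed copy of the
saltmaster-base Dockerfile; HARDENED is a constructed counterpart whose
digest is a placeholder (64 zeros), not a real image digest.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Tuple

WEAK = """\
FROM ubuntu:14.04
RUN apt-get update
RUN apt-get install -y --force-yes \\
    software-properties-common pciutils debconf-utils
RUN add-apt-repository -y ppa:saltstack/salt
RUN apt-get install -y --force-yes salt-common salt-master python-git
# SSH identity for accessing the git repository for saltmaster's gitfs
ADD id_rsa /root/.ssh/id_rsa
ADD id_rsa.pub /root/.ssh/id_rsa.pub
ADD known_hosts /root/.ssh/known_hosts
ENV HOME /root
WORKDIR /root
"""

HARDENED = """\
FROM ubuntu:14.04@sha256:{digest}
RUN apt-get update && apt-get install -y software-properties-common
RUN add-apt-repository -y ppa:saltstack/salt && apt-get update
RUN apt-get install -y salt-common salt-master python-git
# only public data is copied; the deploy key is bind-mounted at run time
ADD known_hosts /home/salt/.ssh/known_hosts
USER salt
WORKDIR /home/salt
""".format(digest="0" * 64)

# Source paths that almost always hold private key material (id_rsa.pub does not match).
PRIVATE_KEY = re.compile(r"(^|/)(id_(rsa|dsa|ecdsa|ed25519)|[^/]*\.(pem|key))$")


@dataclass
class Finding:
    line: int      # first line of the offending instruction, 0 for file-level findings
    rule: str
    message: str


def parse_instructions(text: str) -> List[Tuple[int, str, str]]:
    """Return (first line number, INSTRUCTION, arguments), joining '\\' continuations."""
    result, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Docker drops blank and comment lines, also inside continuations
        if not buf:
            start = no
        cont = line.endswith("\\")
        buf.append(line[:-1].strip() if cont else line)
        if not cont:
            word, _, rest = " ".join(buf).partition(" ")
            result.append((start, word.upper(), rest.strip()))
            buf = []
    return result


def _sources(args: str) -> List[str]:
    """ADD/COPY sources: every argument but the last (the destination); flags are skipped."""
    parts = json.loads(args) if args.startswith("[") else [a for a in args.split() if not a.startswith("--")]
    return parts[:-1]


def audit_dockerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    has_user = False
    for line, instr, args in parse_instructions(text):
        if instr == "FROM" and "@sha256:" not in args:
            findings.append(Finding(line, "unpinned-base",
                            f"'{args}' is a mutable tag; pin the base image by digest"))
        elif instr in ("ADD", "COPY"):
            for src in _sources(args):
                if PRIVATE_KEY.search(src):
                    findings.append(Finding(line, "secret-in-layer",
                                    f"{src} lands in an image layer and stays readable via "
                                    "docker history/save even if a later RUN deletes it"))
        elif instr == "RUN" and "apt-get" in args and "--force-yes" in args:
            findings.append(Finding(line, "apt-force-yes",
                            "--force-yes installs packages that fail signature "
                            "verification without prompting"))
        elif instr == "USER":
            has_user = True
    if not has_user:
        findings.append(Finding(0, "no-user", "no USER instruction: the process runs as root"))
    return findings


if __name__ == "__main__":
    for f in audit_dockerfile(WEAK):
        print(f"line {f.line:>2}  {f.rule:<16} {f.message}")
    print("hardened:", audit_dockerfile(HARDENED) or "no findings")
```

Run against `WEAK` it reports five findings (the unpinned base, both `--force-yes` installs, `id_rsa` at line 8, and the missing `USER`), and nothing for `HARDENED`; note that `id_rsa.pub` and `known_hosts` are deliberately not flagged, since copying public material into a layer is harmless.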
```dockerfile
# Dockerfile for the saltmaster-daemon image
FROM saltmaster-base

ADD external_auth.conf /etc/salt/master.d/external_auth.conf
ADD fileserver.conf /etc/salt/master.d/fileserver.conf
ADD pki.conf /etc/salt/master.d/pki.conf

RUN mkdir -p /var/lib/salt/pki/master

# 4505/4506 are the Salt publish and request ports
EXPOSE 4505 4506 8080

VOLUME /etc/salt
# Should be mounted from the host as it contains persistent data (the Salt PKI);
# defining it as a volume here will cause a mess when running the container…
#VOLUME /var/lib/salt/pki/master
VOLUME /var/cache/salt/master
VOLUME /run/salt/master
# Should be mounted from the host as it contains persistent data (the Salt repository)
#VOLUME /srv/salt

RUN mkdir -p /var/cache/salt/master/gitfs

ENV HOME /root
CMD ["/usr/bin/salt-master", "-l", "info"]
```
```yaml
# /etc/salt/master.d/external_auth.conf
# The PAM user `salt` may run every execution module on every minion (.*) plus
# all runner and wheel functions, i.e. it can also accept and delete minion
# keys; its password is therefore as sensitive as root on the master.
external_auth:
  pam:
    salt:
      - .*
      - '@runner'
      - '@wheel'
```
```yaml
# /etc/salt/master.d/fileserver.conf
fileserver_backend:
  - roots
  - git

file_roots:
  base:
    - /srv/salt
  dev:
    - /srv/salt

# cloned over SSH with the identity installed in saltmaster-base
gitfs_remotes:
  - [email protected]:salt-states.git
  - [email protected]:salt-minions.git
  - [email protected]:salt-formulas.git
```
```yaml
# /etc/salt/master.d/pki.conf
pki_dir: /var/lib/salt/pki/master
```
```dockerfile
# Dockerfile for the saltmaster-shell image
FROM saltmaster-base

RUN apt-get install -y --force-yes vim git openssh-client

# Workaround for https://github.com/saltstack/salt/issues/8009
ADD local-salt.conf /root/.saltrc

ENV HOME /root
CMD ["/bin/bash"]
```

```yaml
# local-salt.conf (installed as /root/.saltrc in saltmaster-shell)
# to be removed once https://github.com/saltstack/salt/issues/8009 is fixed
# simply using 'master' works fine without any changes, as long as the
# saltmaster-shell container is started with `--link=saltmaster-daemon:master`
interface: master
```
@eliasp can you clarify this section?

```dockerfile
VOLUME /etc/salt
# Should be mounted from the host as it contains persistent data (the Salt PKI), defining it as a volume will cause a mess when running the container…
#VOLUME /var/lib/salt/pki/master
VOLUME /var/cache/salt/master
VOLUME /run/salt/master
# Should be mounted from the host as it contains persistent data (the Salt repository)
#VOLUME /srv/salt
```

Specifically, do you mean `/var/lib/salt/pki/master` and `/srv/salt` should be added as volumes at runtime but not here?
- `/var/lib/salt/pki/master` contains the PKI (CA, Minion certificates waiting to be accepted, already accepted Minion certificates). This means the data in this volume/directory should not be stored in the container itself, otherwise the whole PKI would be lost when the container is destroyed. Instead, the PKI should reside outside the container (e.g. on the host's filesystem, on an NFS share mounted on the host, …). This way the PKI is stored persistently and is not affected by destroying the `saltmaster-daemon` container.
- `/srv/salt` here contains binary data (mostly installers) required for the Win Repo. The same as for the PKI applies here: these are persistent data which should not go into the container itself. For people not using GitFS, this would also serve all other persistent Salt files like SLS files, templates, etc.

So if you start your `saltmaster-daemon` container manually, it should be done like this:

```sh
docker run --detach --name=saltmaster-daemon --volume=/media/volumes/salt/pki:/var/lib/salt/pki/master --volume=/media/volumes/salt/fileserver:/srv/salt --publish=4505:4505 --publish=4506:4506 saltmaster-daemon
```

As many `saltmaster-shell` containers as required can then be attached to the `saltmaster-daemon`:

```sh
docker run --interactive --tty --rm --volumes-from=saltmaster-daemon --link=saltmaster-daemon:master saltmaster-shell
```
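Because the PKI is bind-mounted from the host, host-side permissions are the only thing protecting `master.pem` and the accepted minion keys, and starting the daemon against a missing directory makes `salt-master` mint a fresh master key that every existing minion will reject. The wrapper below is an added example, not part of the gist or of Salt: it performs those two checks before issuing the same `docker run` as the comment above. The default paths and image name are the gist's; the `PKI_DIR`/`FS_DIR`/`IMAGE` variables, the `start` subcommand and the reliance on GNU `find -perm /mode` are this example's assumptions.

```sh
#!/bin/sh
# Pre-flight wrapper for the saltmaster-daemon container described above.
# Added example, not part of the gist. Default paths and image name are the
# gist's; the permission check needs GNU find (-perm /mode).
# Usage: sh preflight.sh start

PKI_DIR="${PKI_DIR:-/media/volumes/salt/pki}"
FS_DIR="${FS_DIR:-/media/volumes/salt/fileserver}"
IMAGE="${IMAGE:-saltmaster-daemon}"

# master.pem and every accepted minion key live in the bind-mounted PKI dir, so
# host permissions are all that protects them. Refuse to start if the directory
# is missing (salt-master would generate a new master key pair and existing
# minions would reject the changed key) or if anything in it is group/world
# accessible.
check_pki_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "PKI dir $dir does not exist; create it (mode 0700) before the first start" >&2
        return 1
    fi
    loose=$(find "$dir" -perm /077 2>/dev/null)
    if [ -n "$loose" ]; then
        echo "PKI dir $dir has entries accessible by group/others:" >&2
        echo "$loose" >&2
        return 1
    fi
    return 0
}

# The fileserver dir only needs to exist: it holds SLS/Win Repo data, not secrets.
check_fs_dir() {
    [ -d "$1" ] || { echo "fileserver dir $1 does not exist" >&2; return 1; }
}

# Same invocation as the manual `docker run` in the comment, printed rather
# than executed so it can be reviewed before being run.
saltmaster_run_cmd() {
    printf 'docker run --detach --name=saltmaster-daemon --volume=%s:/var/lib/salt/pki/master --volume=%s:/srv/salt --publish=4505:4505 --publish=4506:4506 %s\n' \
        "$1" "$2" "$3"
}

case "${1:-}" in
    start)
        check_pki_dir "$PKI_DIR" && check_fs_dir "$FS_DIR" || exit 1
        cmd=$(saltmaster_run_cmd "$PKI_DIR" "$FS_DIR" "$IMAGE")
        echo "+ $cmd"
        eval "$cmd"
        ;;
esac
```

Without the `start` argument the script only defines the functions, so it can be sourced or tested; with it, a `master.pem` left at 0644 or a typo in `PKI_DIR` stops the container from ever being created.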
Something I should have mentioned in my previous comment:

The whole idea of Docker containers is to be disposable. They provide a static set of runtime data, but should never contain any persistent data. All working data needs to be stored outside of a container.
Otherwise, one would lose all this data each time a container is updated (e.g. updating from Salt 2014.1.9 to 2014.1.10).
Please note that using `root` as user is not optimal. This should nowadays be replaced with a dedicated `salt` user or something similar. That's a relic of the early Docker days which was required back then for a workaround I don't remember anymore.