Config for running a Salt Master in docker, built on the fine work at cdalvaro/docker-salt-master.
Notes to remind me how to use Salt with a master and minions:

Ensure that the master is configured in the minion config:

```yaml
master: locke
```
The new minion should show up in the output of the following command, which accepts all pending keys:

```
> docker compose exec salt-master salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
rand
Proceed? [n/Y] Y
Key for minion rand accepted.
```
List all keys and their state:

```
> docker compose exec salt-master salt-key -L
Accepted Keys:
caul
jorg
locke
ringil
Denied Keys:
Unaccepted Keys:
Rejected Keys:
```
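`salt-key -A` trusts whichever host first claimed a minion id. As an added example (not part of this repo or of Salt itself), the script below compares the fingerprint of each pending key, as reported by `salt-key -F --out=json`, against an allowlist recorded out-of-band, and accepts only the matches with `salt-key -a <id> -y`. The JSON layout described in the comment is assumed from Salt's key module, and every minion id and fingerprint in the sample is constructed.

```python
import json
import subprocess

# Assumed JSON shape of `salt-key -F --out=json` (finger-all), as produced by
# the master's key module: {"minions_pre": {"<id>": "<fingerprint>"},
# "minions": {...}, "minions_rejected": {...}, "minions_denied": {...}}
SALT_KEY = ["docker", "compose", "exec", "salt-master", "salt-key"]


def plan_acceptance(finger_all: dict, expected: dict) -> dict:
    """Sort pending keys into accept / mismatch / unknown against an allowlist.

    expected maps minion id -> fingerprint recorded out-of-band, e.g. the
    output of `salt-call --local key.finger` run on the new host itself.
    """
    pending = finger_all.get("minions_pre", {})
    plan = {"accept": [], "mismatch": [], "unknown": []}
    for minion_id, fingerprint in sorted(pending.items()):
        want = expected.get(minion_id)
        if want is None:
            plan["unknown"].append(minion_id)       # nobody registered this id
        elif want.lower() == fingerprint.lower():
            plan["accept"].append(minion_id)
        else:
            plan["mismatch"].append(minion_id)      # wrong key for a known id
    return plan


def accept_known_keys(expected: dict) -> dict:
    """Query the master, then accept only the minion ids whose key matches."""
    raw = subprocess.run(SALT_KEY + ["-F", "--out=json"], check=True,
                         capture_output=True, text=True).stdout
    plan = plan_acceptance(json.loads(raw), expected)
    for minion_id in plan["accept"]:
        subprocess.run(SALT_KEY + ["-a", minion_id, "-y"], check=True)
    return plan


if __name__ == "__main__":
    # Constructed sample: one genuine pending minion, one unknown id, one
    # known id presenting a different key. All fingerprints are made up.
    sample = {"minions_pre": {"rand": "aa:bb:cc:dd", "intruder": "11:22:33:44",
                              "typo": "de:ad:be:ef"}}
    allowlist = {"rand": "AA:BB:CC:DD", "typo": "ca:fe:ba:be"}
    print(json.dumps(plan_acceptance(sample, allowlist), indent=2))
    # Live use on the master host: accept_known_keys(allowlist)
```

Anything left in `mismatch` or `unknown` stays pending for a human to inspect with `salt-key -L` rather than being accepted.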
Show the grains of a single minion:

```sh
docker compose exec salt-master salt 'jorg' grains.items
```
Apply a single state, sshd, to the host locke:

```sh
docker compose exec salt-master salt 'locke' state.apply sshd
```
Due to the async nature of Salt, and the complex configuration, errors are often non-obvious.
From the master, run a state apply including debug logging:

```sh
docker compose exec salt-master salt -l debug 'locke' state.apply
```
On the target host, you can tail the minion logs during state.apply, but this will only show INFO level information that you can also see on the salt-master after the state.apply:

```sh
sudo tail -f /var/log/salt/minion
```
On the target host, try running the salt-minion in the foreground with debug logging:

```sh
sudo systemctl stop salt-minion
sudo /usr/bin/salt-minion -l debug
```
Show the running master's configuration:

```sh
docker compose exec salt-master cat /etc/salt/master
```
To make another secret available in the pillar, add it to the "Homelab" vault in 1password. This secret will be fetched at run time from 1password-connect, which runs locally as part of this compose project.

A multiline secret should be created using a 1Password Secure Note.
A custom external pillar is submoduled from mafrosis/1password-connect-config.

For this to work you need to add the following to config/ext_pillar.conf:

```yaml
ext_pillar:
  - 1password:
      connect_host: http://example.com:8081
      connect_token: eyJhbGc .. snip .. 2YCkucw
      vault_id: b6hmle4xxxxxxxxxxxxy4lcwza
```
A connect client token should be created and added to the ext_pillar.conf file shown above.

```
> op connect token create "$(hostname)-connect" --server ringil --vault Homelab
eyJhbGciOiJFUzI1...snip
```
Find your vault ID with the following:

```
> op vault list
ID                           NAME
b6hmle4xxxxxxxxxxxxx4lcwza   Homelab
h5d36nexxxxxxxxxxxxxgxusqi   Personal
dlhabvtxxxxxxxxxxxxx6needq   Work
```
Test that the external pillar is working with the following command, which connects from the current host to the salt master to pull pillar data:

```sh
sudo salt-call pillar.data
```