EC2 Salt Stack Management Server
Installing Salt on EC2 servers with central Master
Links:
https://docs.saltstack.com/en/latest/topics/cloud/aws.html
https://blog.jixee.me/saltstack-how-to-deploy-ec2-instances-with-salt-cloud/
http://wiki.votesmart.org/ManagementServer
Dependencies
US East Inbound Rules
Add inbound rule for N. Virginia vpn
Communications
Salt Cloud is not needed for what we are doing, and it requires an access key ID/secret to get working; the recommended setup is to use IAM roles since all servers are housed on AWS. For our needs we only need to open ports.
Create Security Groups on AWS
TCP/4505-4506
Both ports are inbound on the master only: 4505 is the publish port that minions subscribe to, and 4506 is the request/return port that minions send job results and file requests to. Minions initiate every connection, so nothing has to be opened on the minions themselves. Restrict the source of the rule to the minion subnets or security groups rather than 0.0.0.0/0.
Master Config
/etc/salt/master
The interface setting binds the master's 4505/4506 sockets to its private VPC address only, so they are not reachable on a public interface even if the security group is wider than intended.

    interface: 10.1.20.5
    ipv6: False
    user: root
    worker_threads: 32
    file_roots:
      base:
        - /srv/salt
      dev:
        - /srv/salt/dev/services
        - /srv/salt/dev/states
      prod:
        - /srv/salt/prod/services
        - /srv/salt/prod/states
    pillar_roots:
      base:
        - /srv/pillar
Setup Master keys
The master.pub fingerprint is the value minions pin as master_finger; master.pem is the master's private key and its fingerprint never needs to leave the master.

    [root@util0 ec2-user]# salt-key -F master
    Local Keys:
    master.pem:  16:fa:19:cd:4d:82:74:8d:30:8a:e5:40:6d:ec:45:14
    master.pub:  56:79:41:c0:27:ff:15:05:57:fe:ee:f9:b7:40:84:64
Minion Config
/etc/salt/minion. master_finger pins the fingerprint of master.pub shown above: a minion that is pointed at a different host, or at a rebuilt master with a new key, refuses to accept the key instead of silently trusting it. The fingerprint must be computed with the same hash_type on master and minion (md5 was the default on the releases this page was written against; newer releases default to sha256), otherwise a correct value will never match.

    master: 10.1.20.5
    ipv6: False
    user: root
    id: or-www0
    file_client: remote
    master_finger: 56:79:41:c0:27:ff:15:05:57:fe:ee:f9:b7:40:84:64

    ###### Beacons #####
    ###########################################
    beacons:
      inotify:
        root/testfile:
          mask:
            - modify
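The check master_finger performs, as an added example rather than Salt's own code: it follows the scheme behind salt-key -F (hash the PEM body between the BEGIN/END lines, line breaks included, and print the digest as colon-separated hex pairs) and then decides whether a presented master key matches the pinned value. The PEM blob and its tampered copy are constructed dummies, not real keys, and the md5/sha256 choice mirrors the hash_type option discussed above.

```python
"""Salt master key fingerprint check (added example, not Salt's own code)."""
import hashlib
import hmac

# Constructed dummy blob standing in for /etc/salt/pki/master/master.pub.
# It is not a real key; only its bytes matter for the fingerprint.
DUMMY_MASTER_PUB = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAdummykeybodyforillustration
0000000000000000000000000000000000000000000000000000000000000000
-----END PUBLIC KEY-----
"""

# Same blob with one character changed: a stand-in for a rogue or rebuilt master.
TAMPERED_MASTER_PUB = DUMMY_MASTER_PUB.replace("0000", "0001", 1)


def pem_finger(pem_text: str, hash_type: str = "md5") -> str:
    """Fingerprint a PEM blob the way salt-key -F does.

    hash_type mirrors the master/minion `hash_type` option: md5 gives the
    16-byte fingerprints shown on this page, sha256 the newer 32-byte form.
    """
    lines = [ln for ln in pem_text.splitlines(keepends=True) if ln.strip()]
    body = "".join(lines[1:-1]).encode()  # drop the -----BEGIN/END----- lines
    hexdigest = hashlib.new(hash_type, body).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def verify_master_finger(pem_text: str, master_finger: str,
                         hash_type: str = "md5") -> bool:
    """Minion-side decision: accept the presented master key only if its
    fingerprint equals the pinned master_finger (case-insensitive, compared
    in constant time)."""
    actual = pem_finger(pem_text, hash_type)
    return hmac.compare_digest(actual, master_finger.strip().lower())


if __name__ == "__main__":
    pinned = pem_finger(DUMMY_MASTER_PUB)
    print("master_finger:          ", pinned)
    print("genuine master accepted:", verify_master_finger(DUMMY_MASTER_PUB, pinned))
    print("rogue master accepted:  ", verify_master_finger(TAMPERED_MASTER_PUB, pinned))
    print("same key, sha256 form:  ", pem_finger(DUMMY_MASTER_PUB, "sha256"))
```

Run it and the tampered key is rejected while the genuine one passes; switching only one side to sha256 also fails, which is the hash_type mismatch to watch for when minions on a newer release join an older master.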
Grains Associated with Servers
Custom grains are set on each minion in /etc/salt/grains as a list under the roles key:

    roles:
      - customrole

Grains are written by whoever controls the minion's filesystem, so they are suitable for targeting commands but should not decide which pillar (secret) data a minion receives; target pillar by minion id instead. The roles used for each class of server are:
| Machine Role | Grain | Servers |
| Web Head | webhead | www[0-9] |
| Database | database | db[0-9] |
| MasterDB | masterdb | db0 |
| Utility | utility | util[0-1] |
| Salt Master | saltmaster | util0 |
| VPN | vpn | or-vpn[0-1] |
| API | api | api[0-1] |
| Test | test | test servers |
| Virginia | east | East coast servers |
| Oregon | west | West coast servers |
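How the table above is used from the master, as an added example that is not Salt's code: it re-implements the core of `salt -G '<grain>:<glob>'` targeting so the roles can be exercised offline. The part before the last `:` is a path into the grains dict, the part after it is a glob, and a list-valued grain such as roles matches when any element matches. The inventory is constructed from the table; which hosts sit east or west, and the ec2:region grain, are assumed for illustration.

```python
"""Grain targeting over the role table (added example, not Salt's code)."""
import fnmatch

# Constructed inventory: minion id -> grains, following the roles list in
# /etc/salt/grains. East/west placement and the ec2 grain are assumptions.
INVENTORY = {
    "www0":    {"roles": ["webhead", "west"], "ec2": {"region": "us-west-2"}},
    "www1":    {"roles": ["webhead", "west"], "ec2": {"region": "us-west-2"}},
    "db0":     {"roles": ["database", "masterdb", "west"], "ec2": {"region": "us-west-2"}},
    "db1":     {"roles": ["database", "west"], "ec2": {"region": "us-west-2"}},
    "util0":   {"roles": ["utility", "saltmaster", "west"], "ec2": {"region": "us-west-2"}},
    "util1":   {"roles": ["utility", "west"], "ec2": {"region": "us-west-2"}},
    "or-vpn0": {"roles": ["vpn", "west"], "ec2": {"region": "us-west-2"}},
    "api0":    {"roles": ["api", "east"], "ec2": {"region": "us-east-1"}},
    "test0":   {"roles": ["test", "east"], "ec2": {"region": "us-east-1"}},
}


def grain_match(grains: dict, target: str, delimiter: str = ":") -> bool:
    """True if target (e.g. 'roles:web*' or 'ec2:region:us-east-1') matches.

    Simplification: the glob itself may not contain the delimiter; Salt's
    own matcher also tries other split points for values with ':' in them.
    """
    path, sep, pattern = target.rpartition(delimiter)
    if not sep:
        return False  # a grain target needs both a name and a value
    node = grains
    for part in path.split(delimiter):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    values = node if isinstance(node, list) else [node]
    # fnmatchcase keeps the match case-sensitive on every platform.
    return any(fnmatch.fnmatchcase(str(v), pattern) for v in values)


def target_minions(inventory: dict, target: str) -> list:
    """Sorted minion ids that a `salt -G target ...` command would reach."""
    return sorted(mid for mid, grains in inventory.items()
                  if grain_match(grains, target))


if __name__ == "__main__":
    for tgt in ("roles:webhead", "roles:*db*", "roles:east", "ec2:region:us-west-2"):
        print(f"{tgt:22} -> {target_minions(INVENTORY, tgt)}")
```

Note that `roles:*db*` reaches only db0 (masterdb), not db1, because the glob is applied to each list element rather than to the whole list; use `roles:database` for every database host.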
Salt-Cloud Setup
Not Implemented at this time
Setup AWS CLI
http://docs.aws.amazon.com/cli/latest/userguide/installing.html
Created User in AWS IAM Users
User: SaltConnector
Access Key ID: <ID>
Secret Access Key: <Secret Access Key>
Configure via command line on util0
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
[root@util0 ec2-user]# aws configure
AWS Access Key ID [None]: <ID>
AWS Secret Access Key [None]: <Secret Access Key>
Default region name [None]: us-west-2
Default output format [None]: <ENTER>
Create an IAM Role
Role Name: SaltStackConnector
The role must exist with a trust policy that lets ec2.amazonaws.com assume it; it is then wrapped in an instance profile and the profile attached to util0. That attachment is what lets the 'use-instance-role-credentials' setting in the provider config below obtain credentials from the instance metadata service with no key on disk. PROFILE_NAME and ROLE_NAME are placeholders.

    [root@util0 ec2-user]# aws iam create-instance-profile --instance-profile-name PROFILE_NAME
    [root@util0 ec2-user]# aws iam add-role-to-instance-profile --instance-profile-name PROFILE_NAME --role-name ROLE_NAME

The keys entered with aws configure are stored in ~/.aws/credentials, owned by root with 400 permissions. They are the long-lived access keys of the SaltConnector user; once the instance profile is attached, salt-cloud does not need them, and keeping a static secret on the host only for the occasional aws iam call is worth reconsidering.
util0 (Oregon Utility server)
    [root@util0 ec2-user]# yum install salt-cloud
Copy AWS key pair up to Salt master
From the host that holds the key (10.1.10.5) to util0 (10.1.20.5), then move it out of the user's home and lock it down to root:

    [root@ip-10-1-10-5 .ssh]# scp -i ~/.ssh/aws2-west.pem ~/.ssh/aws2-west.pem ec2-user@10.1.20.5:~/
    [root@util0 ec2-user]# mv /home/ec2-user/aws2-west.pem /etc/salt
    [root@util0 ec2-user]# chown root. /etc/salt/aws2-west.pem
    [root@util0 ec2-user]# chmod 400 /etc/salt/aws2-west.pem
Setup Providers
[root@util0 ec2-user]# vim /etc/salt/cloud.providers.d/ec2-us-west-2.conf
ec2-us-west-2.conf
    ec2-us-west-2-public:
      # Set up the location of the salt master
      minion:
        master: util0.cloud.votesmart.org

      # Set up grains information, which will be common for all nodes
      # using this provider
      grains:
        node_type: broker
        release: 1.0.1

      # Specify whether to use public or private IP for deploy script.
      #
      # Valid options are:
      #     private_ips - The salt-cloud command is run inside the EC2
      #     public_ips  - The salt-cloud command is run outside of EC2
      ssh_interface: private_ips

      # Set the EC2 access credentials (see below)
      # Note: if either id or key is set to 'use-instance-role-credentials'
      # it is assumed that Salt is running on an AWS instance, and the
      # instance role credentials will be retrieved and used. Since both
      # the id and key are required parameters for the AWS ec2 provider, it
      # is recommended to set both to 'use-instance-role-credentials' for
      # this functionality.
      id: 'use-instance-role-credentials'
      key: 'use-instance-role-credentials'

      # Make sure this key is owned by root with permissions 0400.
      private_key: /etc/salt/aws2-west.pem
      keyname: salt-cloud-deployed

      # This one should NOT be specified if VPC was not configured in AWS to be
      # the default. It might cause an error message which says that network
      # interfaces and an instance-level security groups may not be specified
      # on the same request.
      #
      # Using Security group for util servers
      securitygroup: sg-02eaf564

      # Optionally configure default region
      # Use salt-cloud --list-locations <provider> to obtain valid regions
      location: us-west-2
      availability_zone: us-west-2b

      # Configure which user to use to run the deploy script. This setting is
      # dependent upon the AMI that is used to deploy. It is usually safer to
      # configure this individually in a profile, than globally. Typical users
      # are:
      #
      #     Amazon Linux -> ec2-user
      #     RHEL         -> ec2-user
      #     CentOS       -> ec2-user
      #     Ubuntu       -> ubuntu
      ssh_username: ec2-user

      # Optionally add an IAM profile for the instances salt-cloud launches.
      # This takes the instance profile name or its ARN
      # (arn:aws:iam::<account>:instance-profile/<name>); the value recorded
      # here is the SaltConnector user ARN and will not work as written.
      # iam_profile: 'User ARN: arn:aws:iam::846597906540:user/SaltConnector'

      #driver: ec2 # driver is used in salt-cloud version 2015.8 where provider is used in 2015.5
      provider: ec2
CategoryITDoc