Wiki source for SaltStackEC2
======EC2 Salt Stack Management Server======
>>{{{toc levels="h2,h3,h4"}}}>>
==Installing Salt on EC2 servers with central Master==
=====Links:=====
https://docs.saltstack.com/en/latest/topics/cloud/aws.html
https://blog.jixee.me/saltstack-how-to-deploy-ec2-instances-with-salt-cloud/
http://wiki.votesmart.org/ManagementServer
=====Dependencies=====
====US East Inbound Rules====
Add an inbound rule for the N. Virginia VPN.
====Communications====
Salt Cloud is not needed for what we are doing; it requires an access key ID/secret to work, and the recommended setup is to use an IAM instance role, since all servers are hosted on AWS. For our needs we only need to open the ports below.
Create Security Groups on AWS
TCP/4505-4506
====Master Config====
==/etc/salt/master==
%%
interface: 10.1.20.5
ipv6: False
user: root
worker_threads: 32
file_roots:
base:
- /srv/salt
dev:
- /srv/salt/dev/services
- /srv/salt/dev/states
prod:
- /srv/salt/prod/services
- /srv/salt/prod/states
pillar_roots:
base:
- /srv/pillar
%%
==Setup Master keys==
%%
[root@util0 ec2-user]# salt-key -F master
Local Keys:
master.pem: 16:fa:19:cd:4d:82:74:8d:30:8a:e5:40:6d:ec:45:14
master.pub: 56:79:41:c0:27:ff:15:05:57:fe:ee:f9:b7:40:84:64
%%
====Minion Config====
%%
master: 10.1.20.5
ipv6: False
user: root
id: or-www0
file_client: remote
master_finger: 56:79:41:c0:27:ff:15:05:57:fe:ee:f9:b7:40:84:64
###### Beacons #####
###########################################
beacons:
inotify:
root/testfile:
mask:
- modify
%%
====Grains Associated with Servers====
Custom grains are defined in /etc/salt/grains:
%%
roles:
- customrole
%%
||Machine Role||Grain||Servers||
||Web Head||webhead||www[0-9]||
||Database||database||db[0-9]||
||MasterDB||masterdb||db0||
||Utility||utility||util[0-1]||
||Salt Master||saltmaster||util0||
||VPN||vpn||or-vpn[0-1]||
||API||api||api[0-1]||
||Test||test||test servers||
||Virginia||east||East coast servers||
||Oregon||west||West coast servers||
=====Salt-Cloud Setup=====
Not Implemented at this time
====Setup AWS CLI====
#### http://docs.aws.amazon.com/cli/latest/userguide/installing.html
#### Created User in AWS IAM Users
User: SaltConnector
Access Key ID: <ID>
Secret Access Key: <Secret Access Key>
#### Configure via command line on util0
#### http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
[root@util0 ec2-user]# aws configure
AWS Access Key ID [None]: <ID>
AWS Secret Access Key [None]: <Secret Access Key>
Default region name [None]: us-west-2
Default output format [None]: <ENTER>
===Create an IAM Role===
Role Name: SaltStackConnector
%%
[root@util0 ec2-user]aws iam create-instance-profile --instance-profile-name PROFILE_NAME
[root@util0 ec2-user]aws iam add-role-to-instance-profile --instance-profile-name PROFILE_NAME --role-name ROLE_NAME
%%
#### The aws configure step above writes the access key ID and secret in plaintext to ~/.aws/credentials; that file must be owned by root with mode 400.
=====util0 (Oregon Utility server)=====
%%
[root@util0 ec2-user]# yum install salt-cloud
%%
====Copy AWS key pair up to Salt master====
%%
[root@ip-10-1-10-5 .ssh]# scp -i ~/.ssh/aws2-west.pem ~/.ssh/aws2-west.pem ec2-user@10.1.20.5:~/
[root@util0 ec2-user]# mv /home/ec2-user/aws2-west.pem /etc/salt
[root@util0 ec2-user]#chown root. /etc/salt/aws2-west.pem
[root@util0 ec2-user]# chmod 400 /etc/salt/aws2-west.pem
%%
===Setup Providers===
%%
[root@util0 ec2-user]# vim /etc/salt/cloud.providers.d/ec2-us-west-2.conf
%%
==ec2-us-west-2.conf==
%%
ec2-us-west-2-public:
# Set up the location of the salt master
#
minion:
master: util0.cloud.votesmart.org
# Set up grains information, which will be common for all nodes
# using this provider
grains:
node_type: broker
release: 1.0.1
# Specify whether to use public or private IP for deploy script.
#
# Valid options are:
# private_ips - The salt-cloud command is run inside the EC2
# public_ips - The salt-cloud command is run outside of EC2
#
ssh_interface: private_ips
# Set the EC2 access credentials (see below)
# Note: if either id or key is set to 'use-instance-role-credentials'
# it is assumed that Salt is running on an AWS instance, and the
# instance role credentials will be retrieved and used. Since both
# the id and key are required parameters for the AWS ec2 provider, it
# is recommended to set both to 'use-instance-role-credentials' for
# this functionality.
#
id: 'use-instance-role-credentials'
key: 'use-instance-role-credentials'
# Make sure this key is owned by root with permissions 0400.
#
private_key: /etc/salt/aws2-west.pem
keyname: salt-cloud-deployed
# This one should NOT be specified if VPC was not configured in AWS to be
# the default. It might cause an error message which says that network
# interfaces and an instance-level security groups may not be specified
# on the same request.
#
# Using Security group for util servers
securitygroup: sg-02eaf564
# Optionally configure default region
# Use salt-cloud --list-locations <provider> to obtain valid regions
#
location: us-west-2
availability_zone: us-west-2b
# Configure which user to use to run the deploy script. This setting is
# dependent upon the AMI that is used to deploy. It is usually safer to
# configure this individually in a profile, than globally. Typical users
# are:
#
# Amazon Linux -> ec2-user
# RHEL -> ec2-user
# CentOS -> ec2-user
# Ubuntu -> ubuntu
#
ssh_username: ec2-user
# Optionally add an IAM profile
# iam_profile: 'User ARN: arn:aws:iam::846597906540:user/SaltConnector'
#driver: ec2
# driver is used in salt-cloud version 2015.8, whereas provider is used in 2015.5
provider: ec2
%%
----
CategoryITDoc
>>{{{toc levels="h2,h3,h4"}}}>>
==Installing Salt on EC2 servers with central Master==
=====Links:=====
https://docs.saltstack.com/en/latest/topics/cloud/aws.html
https://blog.jixee.me/saltstack-how-to-deploy-ec2-instances-with-salt-cloud/
http://wiki.votesmart.org/ManagementServer
=====Dependencies=====
====US East Inbound Rules====
Add an inbound rule for the N. Virginia VPN.
====Communications====
Salt Cloud is not needed for what we are doing; it requires an access key ID/secret to work, and the recommended setup is to use an IAM instance role, since all servers are hosted on AWS. For our needs we only need to open the ports below.
Create Security Groups on AWS
TCP/4505-4506
====Master Config====
==/etc/salt/master==
%%
interface: 10.1.20.5
ipv6: False
user: root
worker_threads: 32
file_roots:
base:
- /srv/salt
dev:
- /srv/salt/dev/services
- /srv/salt/dev/states
prod:
- /srv/salt/prod/services
- /srv/salt/prod/states
pillar_roots:
base:
- /srv/pillar
%%
==Setup Master keys==
%%
[root@util0 ec2-user]# salt-key -F master
Local Keys:
master.pem: 16:fa:19:cd:4d:82:74:8d:30:8a:e5:40:6d:ec:45:14
master.pub: 56:79:41:c0:27:ff:15:05:57:fe:ee:f9:b7:40:84:64
%%
====Minion Config====
%%
master: 10.1.20.5
ipv6: False
user: root
id: or-www0
file_client: remote
master_finger: 56:79:41:c0:27:ff:15:05:57:fe:ee:f9:b7:40:84:64
###### Beacons #####
###########################################
beacons:
inotify:
root/testfile:
mask:
- modify
%%
====Grains Associated with Servers====
Custom grains are defined in /etc/salt/grains:
%%
roles:
- customrole
%%
||Machine Role||Grain||Servers||
||Web Head||webhead||www[0-9]||
||Database||database||db[0-9]||
||MasterDB||masterdb||db0||
||Utility||utility||util[0-1]||
||Salt Master||saltmaster||util0||
||VPN||vpn||or-vpn[0-1]||
||API||api||api[0-1]||
||Test||test||test servers||
||Virginia||east||East coast servers||
||Oregon||west||West coast servers||
=====Salt-Cloud Setup=====
Not Implemented at this time
====Setup AWS CLI====
#### http://docs.aws.amazon.com/cli/latest/userguide/installing.html
#### Created User in AWS IAM Users
User: SaltConnector
Access Key ID: <ID>
Secret Access Key: <Secret Access Key>
#### Configure via command line on util0
#### http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
[root@util0 ec2-user]# aws configure
AWS Access Key ID [None]: <ID>
AWS Secret Access Key [None]: <Secret Access Key>
Default region name [None]: us-west-2
Default output format [None]: <ENTER>
===Create an IAM Role===
Role Name: SaltStackConnector
%%
[root@util0 ec2-user]aws iam create-instance-profile --instance-profile-name PROFILE_NAME
[root@util0 ec2-user]aws iam add-role-to-instance-profile --instance-profile-name PROFILE_NAME --role-name ROLE_NAME
%%
#### The aws configure step above writes the access key ID and secret in plaintext to ~/.aws/credentials; that file must be owned by root with mode 400.
=====util0 (Oregon Utility server)=====
%%
[root@util0 ec2-user]# yum install salt-cloud
%%
====Copy AWS key pair up to Salt master====
%%
[root@ip-10-1-10-5 .ssh]# scp -i ~/.ssh/aws2-west.pem ~/.ssh/aws2-west.pem ec2-user@10.1.20.5:~/
[root@util0 ec2-user]# mv /home/ec2-user/aws2-west.pem /etc/salt
[root@util0 ec2-user]#chown root. /etc/salt/aws2-west.pem
[root@util0 ec2-user]# chmod 400 /etc/salt/aws2-west.pem
%%
===Setup Providers===
%%
[root@util0 ec2-user]# vim /etc/salt/cloud.providers.d/ec2-us-west-2.conf
%%
==ec2-us-west-2.conf==
%%
ec2-us-west-2-public:
# Set up the location of the salt master
#
minion:
master: util0.cloud.votesmart.org
# Set up grains information, which will be common for all nodes
# using this provider
grains:
node_type: broker
release: 1.0.1
# Specify whether to use public or private IP for deploy script.
#
# Valid options are:
# private_ips - The salt-cloud command is run inside the EC2
# public_ips - The salt-cloud command is run outside of EC2
#
ssh_interface: private_ips
# Set the EC2 access credentials (see below)
# Note: if either id or key is set to 'use-instance-role-credentials'
# it is assumed that Salt is running on an AWS instance, and the
# instance role credentials will be retrieved and used. Since both
# the id and key are required parameters for the AWS ec2 provider, it
# is recommended to set both to 'use-instance-role-credentials' for
# this functionality.
#
id: 'use-instance-role-credentials'
key: 'use-instance-role-credentials'
# Make sure this key is owned by root with permissions 0400.
#
private_key: /etc/salt/aws2-west.pem
keyname: salt-cloud-deployed
# This one should NOT be specified if VPC was not configured in AWS to be
# the default. It might cause an error message which says that network
# interfaces and an instance-level security groups may not be specified
# on the same request.
#
# Using Security group for util servers
securitygroup: sg-02eaf564
# Optionally configure default region
# Use salt-cloud --list-locations <provider> to obtain valid regions
#
location: us-west-2
availability_zone: us-west-2b
# Configure which user to use to run the deploy script. This setting is
# dependent upon the AMI that is used to deploy. It is usually safer to
# configure this individually in a profile, than globally. Typical users
# are:
#
# Amazon Linux -> ec2-user
# RHEL -> ec2-user
# CentOS -> ec2-user
# Ubuntu -> ubuntu
#
ssh_username: ec2-user
# Optionally add an IAM profile
# iam_profile: 'User ARN: arn:aws:iam::846597906540:user/SaltConnector'
#driver: ec2
# driver is used in salt-cloud version 2015.8, whereas provider is used in 2015.5
provider: ec2
%%
----
CategoryITDoc