A Docker image running a containerised Salt-Master server with Salt-API and Molten UI with an optional Multi-Master-PKI setup.
Docker must be installed.
You can easily run the container like so:

```sh
docker run --rm -it --name salt-master --publish 4505:4505 --publish 4506:4506 --publish 443:443 mgolly/salt-master
```

or in docker swarm:

```sh
docker service create --publish 4505:4505 --publish 4506:4506 --publish 443:443 mgolly/salt-master
```

Use `docker exec` to enter the salt-master container and execute salt commands.
Once installed run:

```sh
$ CONTAINER_ID=$(docker run -d --name salt-master --publish 4505:4505 --publish 4506:4506 --publish 443:443 mgolly/salt-master)
$ docker exec -it $CONTAINER_ID /bin/sh
root@CONTAINER_ID:~# salt '*' test.ping
root@CONTAINER_ID:~# salt '*' grains.items
```
The following exposed ports allow minions to communicate with the Salt Master:

- `4505`
- `4506`

The following exposed port allows access to Salt-API and the Molten UI:

- `443`
This container recognizes the following environment variables. They can be set to the values desired, or optionally in "swarm" mode (i.e. a container started with `docker service`) they can be set to the name of a docker secret that contains the value desired.

- `LOG_LEVEL`: The level to log at, defaults to `error`.
- `MASTER_PEM`: Salt Master private key, defaults to autogenerated on first run.
- `MASTER_PUB`: Salt Master public key, defaults to autogenerated on first run.
- `MINIONS`: List of minions to pre-accept keys for, space delimited, default blank. Requires the `MASTER_*` keys to be set.
- `${minion}_KEY`: Key of a minion for pre-acceptance. Requires the `MASTER_*` keys to be set.
- `ACCOUNTS`: List of user or group accounts for access to salt-api and molten, space delimited, default blank.
- `${account}_PASSWORD`: Password for a user account. If set, `${account}_LIST` should not be set.
- `${account}_LIST`: List of user accounts in this group, space delimited, default blank. If set, `${account}_PASSWORD` should not be set.
- `${account}_ACCESS`: Salt-API / Molten account settings. Contents should only be the final settings below the username in SaltStack eauth settings and be left-justified (no spaces) unless YAML-indented. It should look something like:

  ```yaml
  - .*
  - '@runner'
  - '@wheel'
  - '@jobs'
  ```

- `API_CERT_INDEX`: Salt-API certificate index. Will be auto-generated if left undefined or blank.
- `API_CERT_CRT`: Salt-API certificate. Will be auto-generated if left undefined or blank.
- `API_CERT_KEY`: Salt-API certificate key. Will be auto-generated if left undefined or blank.

Extra Salt Master Config

- `CONFIGS`: List of other config to insert into the master's configuration (`/etc/salt/master.d`), space delimited, default blank. (Can use docker swarm secrets or configs.)
- `${config}_CONFIG`: Config to insert into the master's configuration (i.e. `/etc/salt/master.d/`). (Can use docker swarm secrets or configs.)
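The "value or secret name" convention above, and the rule that `${account}_PASSWORD` and `${account}_LIST` are mutually exclusive, can be checked before the container is started. The following POSIX sh helpers are an added example, not the image's own entrypoint code; they assume secrets are mounted under `$SECRETS_DIR` (Docker's default is `/run/secrets`) and that account names are valid shell identifiers.

```sh
#!/bin/sh
# Added example (not from the mgolly/salt-master image). Resolves settings the
# way the README describes: a variable holds either a literal value or the name
# of a Docker secret whose file contents are the real value.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# resolve_setting VAR
# Prints the effective value of VAR. If the value names a file under
# $SECRETS_DIR, the file contents are printed instead of the literal value.
# Names containing anything but [A-Za-z0-9_] are rejected so that the eval
# below cannot be steered by an attacker-controlled ACCOUNTS entry.
resolve_setting() {
    _name="$1"
    case "$_name" in
        ''|*[!A-Za-z0-9_]*) echo "resolve_setting: bad name '$_name'" >&2; return 1 ;;
    esac
    eval "_value=\"\${$_name:-}\""
    if [ -n "$_value" ] && [ -f "$SECRETS_DIR/$_value" ]; then
        cat "$SECRETS_DIR/$_value"
    else
        printf '%s' "$_value"
    fi
}

# check_master_keys
# Returns 0 when MASTER_PEM and MASTER_PUB both resolve to non-empty values,
# which MINIONS / ${minion}_KEY pre-acceptance requires.
check_master_keys() {
    [ -n "$(resolve_setting MASTER_PEM)" ] && [ -n "$(resolve_setting MASTER_PUB)" ]
}

# check_accounts
# Returns 1 if any account in ACCOUNTS sets both ${account}_PASSWORD and
# ${account}_LIST, which the README documents as mutually exclusive.
check_accounts() {
    for _acct in $(resolve_setting ACCOUNTS); do
        if [ -n "$(resolve_setting "${_acct}_PASSWORD")" ] \
           && [ -n "$(resolve_setting "${_acct}_LIST")" ]; then
            echo "account $_acct: set PASSWORD or LIST, not both" >&2
            return 1
        fi
    done
    return 0
}
```

Running `check_master_keys && check_accounts` in the shell that will launch `docker run` or `docker service create` catches a missing key or a conflicting account definition before the master comes up.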
The following volumes can be mounted:

- `/etc/salt/master.d` - Master configuration include directory
- `/etc/salt/pki` - This holds the Salt Minion authentication keys and the Salt API / Molten UI TLS certificate
- `/srv/salt` - Holds your states, pillars, etc.
- `/var/cache/salt` - Job and Minion data cache
- `/var/logs/salt` - Salt's log directory
Note that mounting a volume on `/etc/salt/pki/` could provide easier access to the `master.pem` key. This is a security risk and should be properly mitigated in secure environments.
This project uses the Apache License 2.0. See the LICENSE file for details.
- SaltStack for a great piece of software!
- digitalr00ts for:
- the alpine base image,
- tini integration,
- TLS for the API (with autogenerating self-signed certs), and
- salt-master and API healthcheck.
- dkiser for:
- list of volumes for a salt-master container, and
- the multi-master PKI setup.
- bbinet for:
- how to integrate Molten UI into a salt-master docker container, and
- pre-creating users and master keys.