Custom Salt States
You can create your own custom Salt states with SUSE Manager as centrally managed configuration channels. Custom states are stored as Salt state files on the SUSE Manager Server with a .sls
extension.
1. Create a New Custom Salt Channel
You can use the SUSE Manager Web UI to create and edit custom Salt state files. You must create a state channel first, with an initial state named init.sls
. The init.sls
file is used to reference all other state files within the channel. The custom states that you create using the Web UI are stored on the SUSE Manager Server in the the /srv/susemanager/salt/<organization>/
directory.
After the channel is created with an init.sls
file, you can write additional state files in the Web UI. Alternatively, you can upload existing state files to use within your state channel, or import them from other channels or clients.
-
In the SUSE Manager Web UI, navigate to
. -
Click Create State Channel.
-
In the
Name
field, type a name for your state. -
In the
Label
field, type a label. Use alphanumeric characters, hyphens, and underscores. Do not use spaces. -
In the
Description
field, type a short description of the configuration your state performs. -
In the
SLS Contents
field, type the contents of yourinit.sls
state. If you want to reference file templates in this configuration channel, ensure your file starts by specifying the source of the managed file, using this syntax:file.managed: - source: salt://<org_name>/<channel_name>/etc/<ID>/<filename>
Example custom state files are given later in this section. . Click btn:[Update Channel] to save your state.
-
In the SUSE Manager Web UI, navigate to
. . Click the name of the channel you want to add files to. -
To create a new file, click btn:
Create configuration file
and type the contents of the file. -
To upload an existing file, click Upload Configuration Files and select the file to upload.
-
To copy an existing file, click Import a File from Another Channel or System and select the file to copy.
-
In the SUSE Manager Web UI, navigate to
. -
Click View/Edit <filename>.sls File.
-
Make your changes to the file.
-
Click Update Configuration File to save your state.
You can also manage revisions, compare the state to others in your organization, and download the .sls
file from this dialog.
-
In the SUSE Manager Web UI, navigate to
. -
Click the name of the state you want to assign a client to.
-
Navigate to the
tab. -
Check the clients you want to assign.
-
Click Subscribe systems.
For more information about Salt state modules, see https://docs.saltproject.io/en/latest/ref/states/all/index.html.
2. Example Custom State Files
This section contains some example custom state files. Use these as a basis for writing your own custom states.
my_config_change_id: file.managed: - name: /etc/my.conf - source: salt://example_org/example_channel/etc/my.conf - user: root - group: root - mode: 644 - template: jinja
my_pkg_id: pkg.installed: - refresh: True - pkgs: - glibc - kernel-default - hello: 1.0-42
ip_forward-on: cmd.run: - name: echo "1" > /proc/sys/net/ipv4/ip_forward - onlyif: - test `cat /proc/sys/net/ipv4/ip_forward` -eq 0
time_service_id: service.running: - name: chronyd - enable: True
3. Custom State to Trust a GPG Key
By default, operating systems trust only their own GPG keys when they are installed, and do not trust keys provided by third party packages. The clients can be successfully bootstrapped without the GPG key being trusted. However, you cannot install new third party packages or update them until the keys are trusted.
Salt clients are set to trust SUSE tools channels GPG keys when they are bootstrapped. For all other clients and channels, you need to manually trust third party GPG keys.
If you are bootstrapping Salt clients from the SUSE Manager Web UI, you can use a custom Salt state to trust the GPG key.
-
Locate the key that you need to trust. Ensure you have the correct key, and that you also have the fingerprint used to verify the key. This information is available from the vendor or, in some cases, from a key server.
-
Copy the key to a file location where the client can access it. We recommend saving it in the
/srv/www/htdocs/pub/
directory, where all SUSE public keys are also saved. -
In the SUSE Manager Web UI, navigate to
. -
Click Create State Channel.
-
In the
Name
field, type a name for your state. For example,GPG Key Trusts
. -
In the
Label
field, type a label. For example,GPG_Key_Trusts
. -
In the
Description
field, type a short description of the configuration your state performs. For example,Trusts GPG Keys for CentOS
. -
In the
SLS Contents
field, create a state to retrieve the appropriate key from the SUSE Manager Server and trust it on the client. The exact contents of your state varies depending on your client operating system. For example:rpm_trust_gpg_key: cmd.run: - name: rpm --import https://{{ salt['pillar.get']('mgr_server') }}/pub/<third-party-gpg>.key - unless: rpm -q gpg-pubkey-<key_id> deb_trust_gpg_key: mgrcompat.module_run: - name: pkg.add_repo_key - path: https://{{ salt['pillar.get']('mgr_server') }}/pub/<third-party-gpg>.key
Alternatively, you can add GPG keys to a configuration channel, using a managed file to deploy them directly on the client. In this case, you would use a local path to the key, rather than a URL. . Click btn:[Update Channel] to save your state. . Navigate to menu:Configuration[Channels] and click the name of the state you want to assign a client to. . Navigate to the menu:Systems[Target Systems] tab and check the clients you want to assign. . Click btn:[Subscribe systems]. When the configuration file is next run on the client, the GPG key is trusted.
Alternatively, you can manage your GPG keys from your own repository hosted on an external file management system.
4. Apply a custom state at highstate
To apply a custom state at highstate create a mapping in /srv/salt/top.sls
. This short example maps the test
state to the system group 12
:
# /srv/salt/top.sls base: 'group_ids:12': - match: pillar - test