[openstack-dev] Unified Guest Agent proposal

David Boucha dave at saltstack.com
Mon Dec 9 16:41:05 UTC 2013

On Sat, Dec 7, 2013 at 11:09 PM, Monty Taylor <mordred at inaugust.com> wrote:

> On 12/08/2013 07:36 AM, Robert Collins wrote:
> > On 8 December 2013 17:23, Monty Taylor <mordred at inaugust.com> wrote:
> >>
> >
> >> I suggested salt because we could very easily make trove and savana into
> >> salt masters (if we wanted to) just by having them import salt library
> >> and run an api call. When they spin up nodes using heat, we could easily
> >> have that to the cert exchange - and the admins of the site need not
> >> know _anything_ about salt, puppet or chef - only about trove or savana.
> >
> > Are salt masters multi-master / HA safe?
> >
> > E.g. if I've deployed 5 savanna API servers to handle load, and they
> > all do this 'just import', does that work?
> >
> > If not, and we have to have one special one, what happens when it
> > fails / is redeployed?
> Yes. You can have multiple salt masters.
> > Can salt minions affect each other? Could one pretend to be a master,
> > or snoop requests/responses to another minion?
> Yes and no. By default no - and this is protected by key encryption and
> whatnot. They can affect each other if you choose to explicitly grant
> them the ability to. That is - you can give a minion an acl to allow it
> inject specific command requests back up into the master. We use this in
> the infra systems to let a jenkins slave send a signal to our salt
> system to trigger a puppet run. That's all that slave can do though -
> send the signal that the puppet run needs to happen.
> However - I don't think we'd really want to use that in this case, so I
> think they answer you're looking for is no.
> > Is salt limited: is it possible to assert that we *cannot* run
> > arbitrary code over salt?
> In as much as it is possible to assert that about any piece of software
> (bugs, of course, blah blah) But the messages that salt sends to a
> minion are "run this thing that you have a local definition for" rather
> than "here, have some python and run it"
> Monty

Salt was originally designed to be a unified agent for a system like
openstack. In fact, many people use it for this purpose right now.

I discussed this with our team management and this is something SaltStack
wants to support.

Are there any specifics things that the salt minion lacks right now to
support this use case?

Dave Boucha  |  Sr. Engineer

Join us at SaltConf, Jan. 28-30, 2014 in Salt Lake City. www.saltconf.com

5272 South College Drive, Suite 301 | Murray, UT 84123
*office* 801-305-3563
dave at saltstack.com | www.saltstack.com <http://saltstack.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131209/2b94fecb/attachment.html>

More information about the OpenStack-dev mailing list