<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Sat, Dec 7, 2013 at 11:09 PM, Monty Taylor <span dir="ltr"><<a href="mailto:mordred@inaugust.com" target="_blank" class="ci-email ci-contact">mordred@inaugust.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><br>
<br>
On 12/08/2013 07:36 AM, Robert Collins wrote:<br>
> On 8 December 2013 17:23, Monty Taylor <<a href="mailto:mordred@inaugust.com" target="_blank" class="ci-email ci-contact">mordred@inaugust.com</a>> wrote:<br>
>><br>
><br>
>> I suggested salt because we could very easily make trove and savana into<br>
>> salt masters (if we wanted to) just by having them import salt library<br>
>> and run an api call. When they spin up nodes using heat, we could easily<br>
>> have that to the cert exchange - and the admins of the site need not<br>
>> know _anything_ about salt, puppet or chef - only about trove or savana.<br>
><br>
> Are salt masters multi-master / HA safe?<br>
><br>
> E.g. if I've deployed 5 savanna API servers to handle load, and they<br>
> all do this 'just import', does that work?<br>
><br>
> If not, and we have to have one special one, what happens when it<br>
> fails / is redeployed?<br>
<br>
</div>Yes. You can have multiple salt masters.<br>
<div><br>
> Can salt minions affect each other? Could one pretend to be a master,<br>
> or snoop requests/responses to another minion?<br>
<br>
</div>Yes and no. By default no - and this is protected by key encryption and<br>
whatnot. They can affect each other if you choose to explicitly grant<br>
them the ability to. That is - you can give a minion an acl to allow it<br>
inject specific command requests back up into the master. We use this in<br>
the infra systems to let a jenkins slave send a signal to our salt<br>
system to trigger a puppet run. That's all that slave can do though -<br>
send the signal that the puppet run needs to happen.<br>
<br>
However - I don't think we'd really want to use that in this case, so I<br>
think they answer you're looking for is no.<br>
<div><br>
> Is salt limited: is it possible to assert that we *cannot* run<br>
> arbitrary code over salt?<br>
<br>
</div>In as much as it is possible to assert that about any piece of software<br>
(bugs, of course, blah blah) But the messages that salt sends to a<br>
minion are "run this thing that you have a local definition for" rather<br>
than "here, have some python and run it"<br>
<span><font color="#888888"><br>
Monty<br>
</font></span><div><div><br></div></div></blockquote><div><br></div><div><br></div><div><span style="font-family:arial,sans-serif;font-size:13px">Salt was originally designed to be a unified agent for a system like openstack.</span> In fact, many people use it for this purpose right now.</div>
<div><br></div><div>I discussed this with our team management and this is something SaltStack wants to support.</div><div><br></div><div>Are there any specifics things that the salt minion lacks right now to support this use case?</div>
</div><div><br></div>-- <br><div dir="ltr"><div style="color:rgb(136,136,136);font-size:13px;font-family:arial,sans-serif"><font face="verdana, sans-serif" color="#666666">Dave Boucha | Sr. Engineer</font></div>
<div style="color:rgb(136,136,136);font-size:13px;font-family:arial,sans-serif"><font face="verdana, sans-serif" color="#666666"><br></font></div><div style="color:rgb(136,136,136);font-size:13px;font-family:arial,sans-serif">
<span style="color:rgb(34,34,34);font-family:arial;font-size:small">Join us at SaltConf, </span><span style="color:rgb(34,34,34);font-family:arial;font-size:small"><span>Jan. 28-30, 2014</span></span><span style="color:rgb(34,34,34);font-family:arial;font-size:small"> in Salt Lake City. </span><a href="http://www.saltconf.com/" style="color:rgb(17,85,204);font-family:arial;font-size:small" target="_blank">www.saltconf.com</a><font face="verdana, sans-serif" color="#666666"><br>
</font></div><span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><div><br></div><div><img src="http://1.bp.blogspot.com/-xMUn4pgJgvw/UKWeJOl4UXI/AAAAAAAAAVQ/3mEvwY-Zsmk/s320/Saltstack-logo-white.jpg" width="200" height="39"><br>
</div>5272 South College Drive, Suite 301 | Murray, UT 84123</span><br style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><b style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">office</b><span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </span><a value="+12126266618" style="color:rgb(17,85,204);font-size:13px;font-family:arial,sans-serif">801-305-3563</a><br style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<a href="mailto:dave@saltstack.com" style="color:rgb(17,85,204);font-size:13px;font-family:arial,sans-serif" target="_blank" class="ci-email ci-contact"><span style="color:blue">dave@saltstack.com</span></a><span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> | </span><span style="color:blue;font-size:13px;font-family:arial,sans-serif"><a href="http://saltstack.com/" style="color:rgb(17,85,204)" target="_blank">www.saltstack.com</a></span></div>
</div></div>