3. Speaker
Iman Kurniawan
SRE at DKatalis
Previous Experiences:
1. Schlumberger Oilfield Services (Jakarta, Dubai, India)
2. DKatalis (Jakarta)
Can be reached at:
1. https://github.com/footprns
2. https://www.linkedin.com/in/iman-kurniawan-4b738225/
3. https://www.facebook.com/groups/385005352371154/?ref=share
4. Who’s DKatalis?
● A team of tech and digital product enthusiasts,
focusing on building relevant digital solutions.
● The proud engineering arms that create Jago
digital bank app, Amaan digital platform based on
sharia values, and many more solutions to come.
● Growing rapidly in Jakarta, Singapore & Pune
(India).
● Stimulating growth through technology & enabled
by collaborative environment that fosters
creativity and innovation.
www.dkatalis.co
6. What is SaltStack
● Configuration management tool that also does orchestration very well
● Written in Python
● Uses a client (salt minion) / server (salt master) architecture
● Uses an event-driven architecture
● Key-based authentication (RSA/AES)
● Acquired by VMware in October 2020
● The open-source project is documented at https://docs.saltproject.io/en/latest/
7. Use Case for SaltStack
● SecOps - Apply patch according to CVE
● Prevent configuration drift
● Self-remediation / self-healing
● Setup complex cluster (with orchestration)
● Network Automation (using salt-proxy)
11. Salt Command and Grains
● salt <target minion> <module>.<function> <arguments>
● Ex. salt salt-minion-001 pkg.install vim
● Grains are pieces of information about the underlying system
● Custom grains can also be defined
imankurniawan@salt-master-001:~$ sudo salt salt-minion-001 grains.items
salt-minion-001:
    ----------
    biosreleasedate:
        01/01/2011
    biosversion:
        Google
    domain:
        asia-southeast2-a.c.jago-sre-gcp-poc.internal
    fqdn:
        salt-minion-001.asia-southeast2-a.c.jago-sre-gcp-poc.internal
    fqdn_ip6:
    fqdns:
        - salt-minion-001.asia-southeast2-a.c.jago-sre-gcp-poc.internal
        salt-minion-001
    init:
        systemd
    ip4_gw:
        10.106.64.1
    kernel:
        Linux
    lvm:
        ----------
    machine_id:
        bbfd6efc4772103b73e837d5fec91028
    os:
        Ubuntu
    os_family:
        Debian
    saltpath:
        /usr/lib/python3/dist-packages/salt
    saltversion:
        3002.6
    shell:
        /bin/sh
12. Salt State
● Describes the desired state of a host in a Salt state file (a configuration file in YAML format)
● Best practices are in salt-formula (https://github.com/saltstack-formulas)
● Example: add a last line to a text file
add string at the end of file:
  file.append:
    - name: /tmp/appendfile.txt
    - text: last line
13. Salt Returner
● Redirects result data to external data stores
● Returner list
○ Cassandra
○ Couchdb
○ Elasticsearch
○ MySQL
○ PostgreSQL
○ MongoDB
○ Slack
○ Splunk
○ Sqlite3
○ Nagios
○ Kafka
○ https://docs.saltproject.io/en/latest/ref/returners/all/index.html
14. Salt Reactor
● React (run a command) when a specific event occurs
salt/job/20210326152042932642/ret/salt-minion-001 {
    "_stamp": "2021-03-26T15:20:51.888045",
    "cmd": "_return",
    "fun": "state.single",
    "fun_args": [
        {
            "fun": "pkg.installed",
            "name": "zsh"
        }
    ],
    "id": "salt-minion-001",
    "jid": "20210326152042932642",
    "out": "highstate",
    "retcode": 0,
    "return": {
        "pkg_|-zsh_|-zsh_|-installed": {
            "__id__": "zsh",
            "__run_num__": 0,
            "__sls__": null,
            "changes": {
                "zsh": {
                    "new": "5.4.2-3ubuntu3.1",
                    "old": ""
                },
                "zsh-common": {
                    "new": "5.4.2-3ubuntu3.1",
                    "old": ""
                }
            },
            "comment": "The following packages were installed/updated: zsh",
            "duration": 7516.035,
            "name": "zsh",
            "result": true,
            "start_time": "15:20:44.357773"
        }
    },
    "success": true
}
15. Salt Beacon
● A process on the minion that translates external events into events on the Salt event bus
salt/beacon/salt-minion-001/inotify//etc/important_file {
    "_stamp": "2021-03-27T14:25:31.156136",
    "change": "IN_IGNORED",
    "id": "salt-minion-001",
    "path": "/etc/important_file"
}
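Added example (not from the original slides): one way to wire the beacon event above to a reactor so that the minion restores /etc/important_file by itself, which is the self-remediation use case from slide 7. The file paths, the state name important_file and the salt:// source are assumptions, and the inotify beacon needs pyinotify installed on the minion.

```yaml
# --- Minion: /etc/salt/minion.d/beacons.conf (path is an assumption) ---
beacons:
  inotify:
    - files:
        /etc/important_file:
          mask:
            - modify
            - delete_self
    # Do not fire while a state run rewrites the file, otherwise the
    # reactor below would keep triggering itself.
    - disable_during_state_run: True

# --- Master: /etc/salt/master.d/reactor.conf (path is an assumption) ---
reactor:
  # Same tag shape as the event shown on the slide; * matches any minion id.
  - 'salt/beacon/*/inotify//etc/important_file':
    - /srv/reactor/restore_important_file.sls

# --- Master: /srv/reactor/restore_important_file.sls (hypothetical) ---
# Only the "id" field of the event is used. The other fields are supplied
# by the minion, so they are not interpolated into commands or arguments.
restore important_file:
  local.state.apply:
    - tgt: {{ data['id'] }}
    - arg:
      - important_file

# --- Master: /srv/salt/important_file.sls (hypothetical) ---
# The known-good copy lives on the master; the minion only receives it.
/etc/important_file:
  file.managed:
    - source: salt://files/important_file
    - user: root
    - group: root
    - mode: '0644'
```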
16. Salt Orchestration
● Orchestrate the order of tasks and targets
----------
          ID: apply on minion1
    Function: salt.state
      Result: True
     Comment: States ran successfully. Updating salt-minion-001.
     Started: 03:32:04.587496
    Duration: 558.065 ms
     Changes:
              salt-minion-001:
              ----------
                        ID: time stamp for orchestration
                  Function: file.managed
                      Name: /tmp/timestamp.txt
                    Result: True
                   Comment: File /tmp/timestamp.txt updated
                   Started: 03:32:05.018703
                  Duration: 12.949 ms
                   Changes:
                            ----------
                            diff:
                                New file
              Summary for salt-minion-001
              ------------
              Succeeded: 1 (changed=1)
              Failed: 0
              ------------
              Total states run: 1
              Total run time: 12.949 ms
----------
          ID: apply on minion2
    Function: salt.state
      Result: True
     Comment: States ran successfully. Updating salt-minion-002.
     Started: 03:32:05.145740
    Duration: 457.751 ms
     Changes:
              salt-minion-002:
              ----------
                        ID: time stamp for orchestration
                  Function: file.managed
                      Name: /tmp/timestamp.txt
                    Result: True
                   Comment: File /tmp/timestamp.txt updated
                   Started: 03:32:05.477723
                  Duration: 11.74 ms
                   Changes:
                            ----------
                            diff:
                                New file
              Summary for salt-minion-002
              ------------
              Succeeded: 1 (changed=1)
              Failed: 0
              ------------
              Total states run: 1
              Total run time: 11.740 ms
Summary for salt-master-001.asia-southeast2-a.c.jago-sre-gcp-poc.internal_master
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 1.016 s
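Added example (not the speaker's files): an orchestration file that would produce output of the shape shown above. The state IDs, minion names and /tmp/timestamp.txt come from that output; the file paths, the sls name timestamp, the file contents and the require ordering are assumptions.

```yaml
# --- Master: /srv/salt/orch/timestamp.sls (hypothetical path) ---
# Run on the master with: salt-run state.orchestrate orch.timestamp
apply on minion1:
  salt.state:
    - tgt: salt-minion-001
    - sls:
      - timestamp

apply on minion2:
  salt.state:
    - tgt: salt-minion-002
    - sls:
      - timestamp
    # Explicit ordering: minion2 is only touched after minion1 succeeded,
    # so a failing change stops before it reaches the next host.
    - require:
      - salt: apply on minion1

# --- Master: /srv/salt/timestamp.sls (hypothetical) ---
# The state that each salt.state step applies on its target minion.
time stamp for orchestration:
  file.managed:
    - name: /tmp/timestamp.txt
    - contents: orchestrated run
```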
17. Salt API
● Execute Salt states through an API call
curl -sSk https://localhost:8000/login \
    -H 'Accept: application/x-yaml' \
    -d username=saltdev \
    -d password=saltdev \
    -d eauth=pam
curl -sSk https://localhost:8000 \
    -H 'Accept: application/x-yaml' \
    -H 'X-Auth-Token: 2cceff677b76d4b668653bae4055ee471547c2d7' \
    -d client=local \
    -d tgt='*' \
    -d fun=test.ping
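Added example (not from the original slides): master-side configuration that bounds what the saltdev token from the login call above is allowed to do. The file path, certificate paths, expiry value and the salt-minion-* target are assumptions; with a certificate the client trusts, curl can verify TLS and the -k flag is no longer needed.

```yaml
# --- Master: /etc/salt/master.d/api.conf (path is an assumption) ---
rest_cherrypy:
  port: 8000
  # Placeholder paths: use a certificate that API clients can verify.
  ssl_crt: /etc/pki/tls/certs/salt-api.crt
  ssl_key: /etc/pki/tls/private/salt-api.key

# Lifetime in seconds of the token returned by /login.
token_expire: 3600

external_auth:
  pam:
    saltdev:
      # A bare function pattern is allowed against any minion.
      - test.ping
      # A target key limits the listed functions to matching minions only.
      - 'salt-minion-*':
        - state.apply
```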
18. Tips and Tricks
● Don't execute raw shell scripts; use raw shell only as a last resort
● Use Jinja as the template engine
● Separate code logic from configuration values
● Use best practices from salt-formula
● Use virtual environments for salt-minion to avoid Python version/update conflicts (OS or application)
● Use the Salt environment approach
● Use Vault to store secrets
● Put Salt states in a Git repo and release them using CI/CD, or use gitfs
● Advanced topics: salt proxy, salt syndic (master of master), salt cloud (IaC)
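Added example (not from the original slides) that puts several of the tips above together: a state module instead of raw shell, a Jinja template, values kept in pillar, and the secret kept out of the state tree. The application name myapp and every path, key and value are hypothetical.

```yaml
# Discouraged: raw shell. Not idempotent, and the secret sits in the
# state tree (and in Git history once the states are versioned).
#
#   setup myapp:
#     cmd.run:
#       - name: |
#           apt-get install -y myapp
#           echo "db_password=CHANGEME" >> /etc/myapp/app.conf

# --- /srv/salt/myapp/init.sls: logic only, no values, no secrets ---
{% set cfg = salt['pillar.get']('myapp', {}) %}

myapp:
  pkg.installed:
    - name: {{ cfg.get('pkg', 'myapp') }}

/etc/myapp/app.conf:
  file.managed:
    - source: salt://myapp/files/app.conf.jinja
    - template: jinja
    - user: root
    - group: root
    - mode: '0600'
    # Keep the rendered secret out of job returns and returners.
    - show_changes: False
    - require:
      - pkg: myapp

# --- /srv/salt/myapp/files/app.conf.jinja: the template ---
db_host={{ salt['pillar.get']('myapp:db_host', 'localhost') }}
db_password={{ salt['pillar.get']('myapp:db_password') }}

# --- /srv/pillar/myapp.sls: values per environment ---
myapp:
  pkg: myapp
  db_host: db.internal.example
  # db_password is not stored here; it is expected to reach pillar
  # from Vault (wiring not shown).
```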
19. More Information About DKatalis
Website : https://dkatalis.co/
Job Opportunity : https://dkatalis.com/opportunity
LinkedIn : DKatalis (Digital Katalis)
https://www.linkedin.com/company/dkatalis/jobs/
Instagram : @dkatalis
https://www.instagram.com/dkatalis/