One of the (many) things I like about Salt is that it doesn’t have an
obscure language of its own: as I always like to say, to start automating
all you need to know is YAML and Jinja, 3 rules each. For example, when you need
a simple iteration you don’t need to check the documentation and see “what’s
that specific instruction that iterates through a list”, but just a simple and
straight Jinja loop, i.e., {%- for element in list %} .. {%- endfor %}.
However, there are particular cases where Jinja itself is not enough either, or
it simply can become too complex and unreadable. When I need to deal with a
complex task, I sometimes feel that “I’d better write this in Python than
Jinja (or a combination of both)”.
As we know already, Salt is a very flexible framework, due to its
simple internal architecture: a dense core that allows pluggable interfaces
to be added. For instance, if you look at the official repository on
GitHub, you will notice
a pretty long list of directories (and many others can be added): acl,
auth, engines, beacons, netapi, states, and so on; they all
are just pluggable interfaces for different subsystems that have been added
as Salt has grown in capabilities.
The pure Python Renderer
One of these pluggable interfaces is called Renderer: this is a subsystem that facilitates the low level input-output interaction. For Salt it doesn’t matter if your file is structured as YAML, or JSON, or TOML etc. - the data is represented as Python object: you’re working with data, not with chunks of text!
Thanks to this intelligent approach, adding a pure Python renderer (about 6 years ago) was certainly the most natural thing to do. This is why you are able today to write - without exaggeration - everything in pure Python. But don’t just take my word, bear with me and I will prove.
Python Pillars
If you are new to Salt, SLS (SaLtStack) is the file format used by Salt. By default, SLS is Jinja + YAML (Jinja is rendered first), then the resulting YAML is translated into a Python object and loaded in memory. Let’s consider the following SLS example:
ip_addresses:
- 10.10.10.0
- 10.10.10.1
- 10.10.10.2
- 10.10.10.3
- 10.10.10.4
In this simple example, we define a list of IP addresses, as plain YAML. But what happens if we have a longer list of addresses and we want to avoid typing each and every one manually? As previously said, SLS is by default a smart combination of YAML and Jinja, so you can rewrite the equivalent SLS, as follows:
ip_addresses:
{%- for i in range(5) %}
- 10.10.10.{{ i }}
{%- endfor %}
Even though in this particular example one could argue that it doesn’t shrink the size massively, it certainly does when dealing with a huge amount of data!
Remember: you can apply the exact same logic in any SLS file, whether it is
a Pillar, a State, a Reactor, or the top.sls file, and so on.
Before going forward, I would like to clarify that both Jinja and YAML belong to that Renderer interface I reminded before. In other words, the SLS is using by default these two Renderers.
You are able to choose any combination of Renderers that works for you, and you
can do this very easily, just adding a shebang (#!) at the top of the file
and name the Renderers you’d like to use, separated by pipe (|).
With these said, the default header is #!jinja|yaml.
The shebang required to select the Python renderer is #!py. The only
constraint is that you need a function named run that returns the data you
need. For instance, the equivalent SLS for the examples above would be the
following:
/etc/salt/pillar/ip_addresses.sls
#!py
def run():
return {
'ip_addresses': ['10.10.10.{}'.format(i) for i in range(5)]
}
And this is as simple as it looks like: we are writing pure Python that can be
used, for example, as input data for our system. So let’s do that: save this
content to /etc/salt/pillar/ip_addresses.sls and referencing this file
in the Pillar top file (/etc/salt/pillar/top.sls - as configured on the
Master, in the pillar_roots),
in such a way that any Minion can read the contents (due to the * - see
the top file documentation
for a more details):
/etc/salt/pillar/top.sls
base:
'*':
- ip_addresses
After refreshing the Pillar (using the saltutil.refresh_pillar execution
function), we can verify that indeed the data is available:
$ sudo salt 'minion1' saltutil.refresh_pillar
minion1:
True
$ sudo salt 'minion1' pillar.get ip_addresses
minion1:
- 10.10.10.0
- 10.10.10.1
- 10.10.10.2
- 10.10.10.3
- 10.10.10.4
But wait: I defined the Pillar top file as default SLS, purely YAML. Even though in this trivial example it is overkill, there are good production cases when the top file can be equally made as dynamic as needed, hence we have the possibility to dynamically bind Pillars to Minions (or Formulas, for the State top file):
/etc/salt/pillar/top.sls
#!py
def run():
return {
'base': {
'*': [ 'ip_addresses' ]
}
}
And with this we have confirmed that we are able to introduce data into the system using only Python. Although the examples I provided so far are trivial, they can be extended to more complex implementations, as much as required to solve the problem.
An example that I always like to give is loading Pillar data from external systems, say from an HTTP API accessible at https://example.com/api.json (that provides data formatted as JSON):
/etc/salt/pillar/example.sls
#!py
import salt.utils.http
def run():
ret = salt.utils.http.query('https://example.com/api.json', decode=True)
return ret['dict']
With this 5 liner SLS using the Python renderer, we can directly introduce data
into Salt from a remote endpoint. Of course, there are security and other
considerations you need to evaluate before an implementation like that. Besides
that - when dealing with very complex problems you’ll need to look at the
problem from more than one angle and you should always consider using the
External Pillar
or External Tops
systems, as they are another nice way to deal with input data. Moreover, they
offer the flexibility to be loaded before or after the regular Pillars (using
the ext_pillar_first Master configuration
option).
There isn’t a general recommendation: each particular case must be analysed
individually. Writing an extension module in your own environment for the
External Pillar subsystem is also very
easy.
Python SLS Formulas
In a similar way we can write our SLS Formulas purely in Python. For example, the following State SLS (taken from the napalm-ntp-formula):
oc_ntp_netconfig:
netconfig.managed:
- template_name: salt://ntp/templates/init.jinja
- {{ salt.pillar.get('openconfig-system') }}
Can be rewritten, using the py Renderer:
#!py
def run():
return {
'oc_ntp_netconfig': {
'netconfig.managed': [
{'template_name': 'salt://ntp/templates/init.jinja'},
__salt__['pillar.get']('openconfig-system')
]
}
}
Again, in this particular example, the Python Renderer doesn’t bring more
benefits compared to its default behaviour, but it was a good occasion to see
introduce the __salt__ dunder which is the hash with all the execution
functions available.
Writing Python Formulas proves very useful when our states require very complex
decisions.
I prefer (and recommend) however moving the complexity into an execution function, as detailed in the Writing Executing Modules section.
Python templates
Yes, you read that right, and it is not overzealous. Again, there are cases
when Jinja or another templating engine are not enough. For example, I use this
when I need to generate text containing unicode characters, as Jinja is really
bad at doing that, or overly complicated, while in Python it is as simple as
adding # -*- coding: utf-8 -*- at the top of the file.
If you think about it, at the end of the day, a template engine only returns a
chunk of plain text given a set of input variables. Achieving that using Python
is close to trivial. There is another element specific to the Salt py
Renderer you need to be aware of: where to find the input variables. Salt
injects a global variable named context that is a dictionary containing the
variables you are sending to the template.
Consider the following template (the file extension doesn’t actually matter, but it’s good to keep it consistent so you and your text editor know the file format):
/etc/salt/templates/example.py
#!py
def run():
length = context['ntp_peers_count']
lines = []
for i in range(length):
lines.append('set system ntp peer 10.10.10.{}'.format(i))
return '\n'.join(lines)
This Python template can be used as any other: we only need to tell Salt
to generate the text via the py engine. We can verify and load the generated
content, from the CLI, using the net.load_template execution function
(minion1 is a Juniper network device):
$ sudo salt 'minion1' net.load_template salt://templates/example.py \
debug=True test=True template_engine=py ntp_peers_count=2
minion1:
----------
already_configured:
False
comment:
Configuration discarded.
diff:
[edit system ntp]
+ peer 10.10.10.0;
+ peer 10.10.10.1;
loaded_config:
set system ntp peer 10.10.10.0
set system ntp peer 10.10.10.1
result:
True
Or via the State system:
/etc/salt/states/example.sls
/tmp/ntp_peers.cfg:
file.managed:
- source: salt://templates/example.py
- template: py
- context:
ntp_peers_count: 2
When executing the example.sls Formula, it will generate the /tmp/ntp_peers.cfg
text file, processing the salt://templates/example.py template (remember
that salt:// points to the location of the Salt fileserver, which is
/etc/salt in this case, as configured via file_roots) through
the py interface. Executing $ sudo salt 'minion1' state.sls example, it
will result the following content:
$ cat /tmp/ntp_peers.cfg
set system ntp peer 10.10.10.0
set system ntp peer 10.10.10.1
Writing Executing Modules
It is not a secret that the Execution Modules are the most flexible subsystem in Salt, as they allow you to reuse code, thanks to the fact that they are available in various other subsystems, including: Renderers (and, implicitly, templates), State modules, Engines, Returners, Beacons, and so on. Basically once you wrote an Execution Module it is available immediately in the named parts of Salt.
All you need to write an Execution Module is very basic knowledge of Python,
and read the file_roots
documentation to understand how the Salt filesystem works and where to save the
files. Suppose we have the following file_roots configuration:
file_roots:
base:
- /etc/salt
Then just save a file in a directory called _modules under one of the
paths referenced in the file_roots, e.g., /etc/salt/_modules:
/etc/salt/_modules/ip_addresses.py
def generate(length=5):
return ['10.10.10.{}'.format(i) for i in range(length)]
Tip
There is a massive arsenal of helper functions that you can re-use. They are found in the
utilsdirectory. Take a few moments to skim through this directory and its files. Don’t worry, from experience I can tell that it will take you months or years to know where to look for the exact function you need, in order to avoid reinventing wheels. Been there, done that, got the “wheel reinventor” t-shirt. :-)Moreover, remember that you can invoke execution functions from other execution function, as described below.
To let Salt know that there is another Execution Module to load, you must
run saltutil.sync_modules, and simply execute the newly defined function
(the syntax being <module name>.<function name>; in our case the module
name is the name of the file save, ip_addresses, and the name of the
function is generate):
$ sudo salt 'minion1' saltutil.sync_modules
minion1:
- modules.ip_addresses
$ sudo salt 'minion1' ip_addresses.generate
minion1:
- 10.10.10.0
- 10.10.10.1
- 10.10.10.2
- 10.10.10.3
- 10.10.10.4
$ sudo salt 'minion1' ip_addresses.generate length=1
minion1:
- 10.10.10.0
Note in the last example the key-value argument length is passed from the
CLI to the generate function, with the name preserved as we defined in the
Python module.
Note
By default, the name of the Execution Module is simply the name of the Python module (file). To use a different name instead, you can use the
__virtualname__dunder. This is a beautiful way to overload the name depending on special circumstances, which is a unique capability of Salt. For more details, please refer to this page.
So we have a new function defined for our own environment. This can be invoked from the command line, as we’ve seen, but also available in different areas, as follows.
Invoking Execution Modules inside template
The new ip_addresses.generate execution function can be called from any
of the templating languages supported by Salt, for example Jinja:
{%- for addr in salt.ip_addresses.generate(length=3) %}
IP Address {{ addr }}
{%- endfor %}
The template above would be rendered as:
IP Address 10.10.10.0
IP Address 10.10.10.1
IP Address 10.10.10.2
Invoking Execution Modules inside Pillar SLS
Using the ip_addresses.generate function we can rewrite the
/etc/salt/pillar/ip_addresses.sls Pillar from the examples above as:
ip_addresses: {{ salt.ip_addresses.generate() }}
Invoking Execution Modules inside Formulas works in the exact same way.
Invoking Execution Modules from other Salt modules
In general, we can use the __salt__ dunder to execute a function from a
different Salt module. For example, we can define the following Execution
Module which will invoke the ip_address.generate function:
/etc/salt/_modules/ixp_interfaces.py
def addresses(extension):
default_addresses = __salt__['ip_addresses.generate'](length=100)
extension_addresses = [
'172.17.17.{}'.format(i) for i in range(extension)
]
default_addresses.extend(extension_addresses)
return default_addresses
Note that in the example above, the extension argument is no longer a
key-value and we will always need to pass a value when executing this function:
$ sudo salt 'minion1' ixp_interfaces.addresses 20
# Output omitted: a list of 120 IP Addresses
In a similar way, we can reuse the code from ip_addresses.generate in other
subsystems, such as Beacons, Engines, Runners, or Pillars etc.
Another bonus of doing this is that you can control easier various parameters.
For example, in the way we designed the generate function, it returns IP
addresses from the 10.10.10.0 network; let’s suppose that at some point we
decide to generate addresses from the 172.17.19.0 network, we only have a
single place to make the adjustment. Moving forward, if this is very likely to
change frequently we can move the base into another key-value argument, or
in a configuration option:
- IP Network as kwarg:
/etc/salt/_modules/ip_addresses.py
def generate(base='10.10.10', length=5):
return [
'{base}.{i}'.format(base=base, i=i) for i in range(length)
]
- IP Network as config option:
/etc/salt/_modules/ip_addresses.py
def generate(length=5);
base = __opts__.get('ip_addresses_base', '10.10.10')
return [
'{base}.{i}'.format(base=base, i=i) for i in range(length)
]In the second approach, the __opts__ dunder is the dictionary having the
Minion configuration options (read from the configuration file –
/etc/salt/minion for regular Minions, or /etc/salt/proxy for Proxy
Minions), merged with the Pillar and Grains data. To propagate a change in your
system - as described above, would only imply adjusting the (Proxy) Minion
config file, e.g.,:
/etc/salt/minion
ip_addresses_base: 192.168.1Note
Before defining your own configuration option, check that it’s not already defined, to avoid eventual conflicts: configuring the Salt Minion.
Conclusions
As always in Salt there is no “best rule”: Salt is very flexible and your environment dictates what makes the most sense to you. Not only that Salt exposes to you the power of Python, but it also behaves like Python from this perspective and provides you the means to tackle any problem in several ways; there are no hard constraints. This is why you always must evaluate and decide what approach is the most suitable for you.
My recommendation is to try to move the complexity into the Execution Modules. Yes, write many extension modules in your own environment (and it would also be very nice for the community to open source what is not heavily tied to your business logic). Simplify your complex Jinja templates by using execution functions. Write many helpers for your team. Keep the SLS files extremely simple. When an SLS (or a logical section of an SLS), or a template is longer than 5-10 lines, you should start asking questions and find ways to optimize and make your code more reusable. Though, when you cannot break the complexity apart, or it doesn’t necessarily make sense to be moved elsewhere, you are again covered, and you can avoid complex YAML/Jinja by leveraging the power of the regular Python Renderer (as an aside, it is my favourite interface).