Site Reliability Engineering / DevOps SaltStack configuration files
The Creative Commons team is committed to fostering a welcoming community. This project and all other Creative Commons open source projects are governed by our Code of Conduct. Please report unacceptable behavior to conduct@creativecommons.org per our reporting guidelines.
See CONTRIBUTING.md.
git-crypt unlock on clones that are not otherwise secured (ex. strong login password, disk encryption).
Sign your commits:
The commit signing option has been adjusted in the repository to facilitate smoother collaboration. This modification is intended to ease the contribution process. However, it is strongly encouraged that staff members continue to adhere to best practices by using GPG for all signed commits, ensuring the security and integrity of the project.
Ensure you are using RemoteForward in your SSH configuration to forward your GnuPG agent to salt-prime (see the example configuration, under Setup, below).
Ensure you have configured your newly cloned repository to sign commits (see the git config command, under Setup, below).
SSH connection information: example local/laptop ~/.ssh/config configuration:
Host bastion-us-east-2
    HostName bastion-us-east-2.creativecommons.org
    User ARTHUR
Host salt-prime
    HostName 10.22.11.11
    ProxyJump bastion-us-east-2
    RemoteForward /run/user/4242/gnupg/S.gpg-agent /Users/ARTHUR/.gnupg/S.gpg-agent.extra
    User ARTHUR
Host *
    ServerAliveCountMax 60
    ServerAliveInterval 30
    TCPKeepAlive no
ssh salt-prime from your local/laptop.
On salt-prime: clone the repository under /srv with your username. For example:
cd /srv
git clone git@github.com:creativecommons/sre-salt-prime.git ${USER}
cd /srv/${USER}
git config user.email YOUR_EMAIL
git config user.signingkey YOUR_GPG_ID
git config commit.gpgsign true
cd /srv/${USER}
git-crypt unlock
sudo salt \* state.highstate saltenv=${USER} test=True
--state-verbose=True to see successes
--state-output=full_id to see full detail of successes
--log-level=debug --log-file-level=warning to see debug messages (without logging those debug messages, which may contain secrets, to the log file)
grains['id'] which contains the Minion ID. (FAQ Q.21)
us-east-2
3006.8
minion_target_version in pillars/salt/init.sls
Minions are added and configured from salt-prime with the following Minion ID schema: HST__POD__LOC (host/role, pod/group, location). These variables are used to determine the state and pillar data.
Show top states example command:
sudo salt \* pillar.item states saltenv=${USER}
See docs/Host_Classification.md for details.
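
A check for the salt-prime entry in the example ~/.ssh/config under Setup, as an added example (not code from this repository): it flags an entry whose RemoteForward does not hand the local S.gpg-agent.extra socket to the remote S.gpg-agent path, or that lacks the ProxyJump through the bastion. SAMPLE_CONFIG is constructed from the page's example; the function names and the simplified Host-block parsing are assumptions.

```python
import fnmatch

# Constructed sample, copied from the page's example ~/.ssh/config.
SAMPLE_CONFIG = """\
Host bastion-us-east-2
    HostName bastion-us-east-2.creativecommons.org
    User ARTHUR
Host salt-prime
    HostName 10.22.11.11
    ProxyJump bastion-us-east-2
    RemoteForward /run/user/4242/gnupg/S.gpg-agent /Users/ARTHUR/.gnupg/S.gpg-agent.extra
    User ARTHUR
Host *
    ServerAliveCountMax 60
"""

def effective_options(config_text, host):
    """Simplified ssh_config lookup (hypothetical helper): first value wins,
    RemoteForward accumulates; Match, Include, '=' and '!' are not handled."""
    opts, forwards, active = {}, [], True  # lines before any Host apply to all
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active and key == "remoteforward":
            forwards.append(tuple(value.split()))
        elif active:
            opts.setdefault(key, value)
    return opts, forwards

def audit_gpg_forward(config_text, host="salt-prime"):
    """Return findings; an empty list means the entry matches the page's setup."""
    opts, forwards = effective_options(config_text, host)
    gpg = [f for f in forwards if len(f) == 2 and f[0].endswith("/S.gpg-agent")]
    findings = []
    if not gpg:
        findings.append("no RemoteForward to a remote S.gpg-agent socket")
    for _remote, local in gpg:
        if not local.endswith("/S.gpg-agent.extra"):
            findings.append(f"local end {local} is not the S.gpg-agent.extra socket")
    if "proxyjump" not in opts:
        findings.append("no ProxyJump: not routed through the bastion")
    return findings

if __name__ == "__main__":
    print(audit_gpg_forward(SAMPLE_CONFIG) or "ok")
```

On a real machine, `ssh -G salt-prime` prints the configuration ssh actually resolves, including Match and Include directives that this parser skips.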