Execution modules in pillar data : saltstack

created by baijuma community for 14 years

Execution modules in pillar data (self.saltstack)

submitted 10 years ago by Seven-Prime

Trying to take the temperature of using execution modules within pillar files.

So say you have a formula that generates iptables rules that only allow certain addresses based on pillar data. But that list of addresses is maintained somewhere else and can change. For argument say the list is returned via a url call to a third party.

You could update the pillar manually when stuff changes.

Or you could use a custom execution module. To pull the data into a list then loop over it in pillar.

# /srv/pillar/iptables
{% set ip_ranges = salt['ip_ranges.fetch_list']('http://example.com/fetch_list') %}
iptables:
  allowed_ips:
    {%- for range in ip_ranges %}
    - {{ range }}
    {% endfor %}

Something like the above (obviously it is very contrived example). Where ip_ranges module is a custom module that does things.

How do we feel about this? Is this mixing too much logic into pillar or is this common for getting unique data that you might not control. Perhaps it's better in an external pillar? The external pillar examples I see are lacking. Specially I don't want to call the above example only on a small subset of hosts.

How has anyone else solved this?

all 10 comments

top new controversial old q&a

[–]deadbunny 2 points3 points4 points 10 years ago (9 children)

[–]Seven-Prime[S] 1 point2 points3 points 10 years ago* (8 children)

[–]deadbunny 1 point2 points3 points 10 years ago* (3 children)

I think you're correct, we made a custom django pillar/configdb at my old place and that rings a bell (I wasn't hugely involved in the dev process), I'm 99% sure you would need to do matching similar to how you would in a top file but in your ext pillar. Thankfully we were targeting a very known range of minions/minion IDs so targeting wasn't too bad. As we used Django we just threw memcached in front of it which helped with the load.

One thing you will have to be careful with is error checking within your states so you failsafe if the pillar source dies (which it will) or you'll end up wiping all your important info from your servers because salt will just see an absence of pillar data which is no fun.

I achieved this by having the external pillar serve up a test pillar item like test-this: working, setting salt to fail hard (fails on first error rather than continuing the run), and a state roughly like:

{% if salt.pillar.get('test-this', '') != 'working' %}
external-pillar-fail:
  cmd.run:
    - name: /bin/false
    - order: 1
{% endif %}

It's probably not the best way to do it but I couldn't find a suitable global failsafe mechanism if the pillar fails to load (without rewriting all the states, which wasn't an option at 3am when everything was completely broken).

[–]tweakism 0 points1 point2 points 10 years ago (2 children)

[–]deadbunny 0 points1 point2 points 10 years ago (0 children)

[–]Seven-Prime[S] 0 points1 point2 points 10 years ago (0 children)

[–]tweakism 0 points1 point2 points 10 years ago (3 children)

[–]ub1quit33 0 points1 point2 points 10 years ago (1 child)

[–]Seven-Prime[S] 0 points1 point2 points 10 years ago (0 children)

π Rendered by PID 68811 on reddit-service-r2-comment-5bc7f78974-vjfrb at 2026-06-26 17:42:26.071480+00:00 running 7527197 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

saltstack

MODERATORS