django-project-template
salt master - where and how to provision
When setting up a new project recently I decided to put a single, centralized master on a small, 512 MB machine. This lined up with how I thought salt was intended to be used (having a centralized master) and also matched the current `fabfile.py` (a single `env.master` outside of any environment methods).
I ran into a couple issues when deploying this way, which I'll try to summarize here:
- In most deployment commands, e.g., `fab staging deploy`, no `-u` is given. If you don't provision the master with salt, you need to specify `-u <root-user>` here like you do when calling `sync`. For those used to having `fab staging deploy` run commands on the staging server, it may be confusing that this command doesn't (directly) connect to staging server(s) at all. Once I got to this point I realized my assumption might have been made in error, so I went back and provisioned the salt master itself as a minion.
- Now, the documented command for `setup_minion` (which contains `-u root` and calls `accept_key`), relies on being able to connect to the salt master as the `root` user. This fails if the master has been provisioned with salt, thereby disabling direct root access. It fails in a way that is not at all intuitive, namely, it prompts you for the password to an SSH key. To get around this I eventually discovered that I need to add `user='tobias'` to the `settings(host_string=env.master)` call in `accept_key`, and then removed it once the machine had been provisioned with salt and I could SSH to the minion as my normal user (and hence `-u root` was no longer necessary to `setup_minion`). Now that I look back at it, an alternative workaround might have been to document and call `accept_key` as a separate command outside of `setup_minion`.
All of this is to say that, while the current provisioning docs make it seem optional as to whether you want to provision the master itself with salt, I think it might make sense (a) to recommend in the documentation (for any new salt master, at least), that the salt master be provisioned with salt, and/or (b) to assume that you can SSH to the salt master as your local user. Alternatively, we could add an `env.master_user` (or something to that effect) to the fabfile which could be set to `os.environ['USER']` or `root` by default, and then use that any time we need to connect to the salt master (which is the case for the majority of the fab commands now).
Some pieces of this template and the documentation point towards using a single master for multiple environments, which in my experience has been a rare step. Typically we have a master per environment. It would be a good cleanup to update the template to reflect that as the common case.