Before you start

When do you need to install the Master Plugin?

Install and configure the PostgreSQL database
Install and configure the Redis database
Enable SSL (optional)

# sseapi-config --default >/tmp/raas.conf 
# cd /etc/salt/master.d 
# vim -d raas.conf /tmp/raas.conf 
...

Install the Master Plugin Using the Master Plugins Workspace

Install the Master Plugin Using CLI

많은 수의 대상 그룹(100개 이상)
많은 수의 미니언(3000개 이상)
잦은 미니언 입자 변경(매일 또는 더 자주)
잦은 미니언 생성 및 삭제(매일 또는 더 자주)

target_groups_from_master_only: true

Log in to your Salt master.

If necessary, download the Master Plugin wheel from Customer Connect.

The Master Plugin is included in the Automated Installer .tar.gz file. After you download and extract the .tar.gz file, you can find the Master Plugin in the

sse-installer/salt/sse/eapi_plugin/files

directory.

Upgrade the Master Plugin by manually uninstalling and reinstalling the updated Python wheel. Use the following example commands, replacing the exact name of the wheel file:

The existing plugin must be uninstalled to prevent multiple instances of sseapi-config.

pip3 uninstall SSEAPE-8.12.1.3-py3-none-any.whl
mv /etc/salt/master.d/raas.conf /tmp
salt-call pip.install SSEAPE-8.12.1.3-py3-none-any.whl
cp /tmp/raas.conf /etc/salt/master.d/raas.conf
systemctl restart salt-master

Configure the Master Plugin

Log in to your Salt master and verify the

/etc/salt/master.d

directory exists, or create it.

Generate the master configuration settings.

If you want to preserve your settings when upgrading your installation, make a backup of your existing Master Plugin configuration file before running this step. Then copy relevant settings from your existing configuration to the newly generated file.

sudo sseapi-config --all > /etc/salt/master.d/raas.conf

If you installed Salt using onedir, the path to this executable is

/opt/saltstack/salt/extras-3.10/bin/sseapi-config

.

Edit the generated

raas.conf

file and update the values as follows:

Value	Description
sseapi_ssl_validate_cert	Validates the certificate the API (RaaS) uses. The default is True . If you are using your own CA-issued certificates, set this value to True and configure the sseapi_ssl_ca , sseapi_ssl_cert , and sseapi_ssl_cert: settings. Otherwise, set this to False to not validate the certificate. sseapi_ssl_validate_cert:False
sseapi_server	HTTP IP address of your RaaS node, for example, http://example.com , or https://example.com if SSL is enabled.
sseapi_command_age_limit	Sets the age (in seconds) after which old, potentially stale jobs are skipped. For example, to skip jobs older than a day, set it to: sseapi_command_age_limit:86400 Skipped jobs continue to exist in the database and display with a status of Completed in the Automation Config user interface. Some environments might need the Salt master to be offline for long periods of time and will need the Salt master to run any jobs that were queued after it comes back online. If this applies to your environment, set the age limit to 0 .
sseapi_windows_minion_deploy_delay	Sets a delay to allow all requisite Windows services to become active. The default value is 180 seconds.
sseapi_linux_minion_deploy_delay	Sets a delay to allow all requisite Linux services to become activate. The default value is 90 seconds.
sseapi_local_cache load: 3600 tgt: 86400 pillar: 3600 exprmatch: 86400 tgtmatch: 86400	Sets the length of time that certain data is cached locally on each salt master. Values are in seconds. The example values are recommended values. load- salt save_load() payloads tgt- SSE target groups pillar- SSE pillar data (encrypted) exprmatch- SSE target expression matching data tgtmatch- SSE target group matching data

OPTIONAL:

This step is necessary for manual installations only. To verify you can connect to SSL before connecting the Master Plugin, edit the generated

raas.conf

file to update the following values. If you do not update these values, the Master Plugin uses the default generated certificate.

Value	Description
sseapi_ssl_ca	The path to a CA file.
sseapi_ssl_cert	The path to the certificate. The default value is /etc/pki/raas/certs/localhost.crt .
sseapi_ssl_key	The path to the certificate’s private key. The default value is /etc/pki/raas/certs/localhost.key .
id	Comment this line out by adding a # at the beginning. It is not required.

OPTIONAL:

Update performance-related settings. For large or busy environments, you can improve the performance of the communications between the Salt master and

Automation Config

by adjusting the following settings.

Configure the master plugin engines:
The master plugin
eventqueue
and
rpcqueue
engines offload some communications with
Automation Config
from performance-critical code paths to dedicated processes. While the engines are waiting to communicate with
Automation Config
, payloads are stored in the Salt master’s local filesystem so the data can persist across restarts of the Salt master. The
tgtmatch
engine moves the calculation of minion target group matches from the RaaS server to the salt-masters.
To enable the engines, ensure that the following settings are present in the Salt Master Plugin configuration file (raas.conf):
engines: 
     - sseapi: {} 
     - eventqueue: {} 
     - rpcqueue: {} 
     - jobcompletion: {}      
     - tgtmatch: {}
To configure the
eventqueue
engine, verify that the following settings are present:
sseapi_event_queue: 
  name: sseapi-events 
  strategy: always 
  push_interval: 5 
  batch_limit: 2000 
  age_limit: 86400 
  size_limit: 35000000 
  vacuum_interval: 86400 
  vacuum_limit: 350000 
The queue parameters can be adjusted with consideration to how they work together. For example, assuming an average of 400 events per second on the Salt event bus, the settings shown above allow for about 24 hours of queued event traffic to collect on the Salt master before the oldest events are discarded due to size or age limits.
To configure the
rpcqueue
engine, verify the following settings in raas.conf:
sseapi_rpc_queue: 
  name: sseapi-rpc 
  strategy: always 
  push_interval: 5 
  batch_limit: 500 
  age_limit: 3600 
  size_limit: 360000 
  vacuum_interval: 86400 
  vacuum_limit: 100000 
tgtmatch 엔진을 구성하려면 이러한 설정이 마스터 플러그인 구성 파일(/etc/salt/master.d/raas.conf)에 있는지 확인합니다.
engines: 
    - sseapi: {} 
    - eventqueue: {} 
    - rpcqueue: {} 
    - jobcompletion: {}    
    - tgtmatch: {} 

sseapi_local_cache:     
    load: 3600 
    tgt: 86400 
    pillar: 3600 
    exprmatch: 86400 
    tgtmatch: 86400 

sseapi_tgt_match: 
    poll_interval: 60     
    workers: 0 
    nice: 19
To make use of target matching on the salt-masters, the following config setting must also be present in the RaaS configuration:
target_groups_from_master_only: true
.
Limit minion grains payload sizes:
sseapi_max_minion_grains_payload: 2000
Enable skipping jobs that are older than a defined time (in seconds). For example, use
86400
to set it to skip jobs older than a day. When set to
0
, this feature is disabled:
sseapi_command_age_limit:0
During system upgrades, enabling this setting is useful to prevent old commands stored in the database from running unexpectedly.

Together, event queuing in Salt and the queuing engines, salt-master target matching, grains payload size limit, and command age limit in the Salt Master Plugin increase the throughput and reduce the latency of communications between the Salt master and

Automation Config

in the most performance-sensitive code paths.

Restart the master service.

sudo systemctl restart salt-master

OPTIONAL:

You might want to run a test job to ensure the Master Plugin is now enabling communication between the master and the RaaS node.

salt -v '*' test.ping

Configuration settings reference

What to do next