SaltStack Support

Optimizing Pillar: How to avoid Pillar overload

Abstract

This article describes common practices to reduce Pillar usage, a common issue found especially in large environments, including moving non-sensitive data from Pillar to map files (yaml, json, jinja files) imported by the states that require the data. In addition SDB can be used to move data away from Pillar to other sources.

The basics

If at this moment you are asking yourself what is Pillar,

Salt pillar is a system that lets you define secure data that are ‘assigned’ to one or more minions using targets. Salt pillar data stores values such as ports, file paths, configuration parameters, and passwords.

Pay attention to the word 'secure' in the previous definition, it is a key in understanding the goal of Pillar usage.

Pillar can be used to store any sort of data, but ideally it should be used primarily for sensitive data, due the additional security layer it provides.

For further information, please see these articles:

What's the problem

Pillar is great! So great that it is commonly overused, causing an overloaded Pillar which may lead to performance issues in your Salt Master servers, as the Pillar rendering process gets heavier and slower over time.

A common issue often seen is that Pillar is initially small and everything works great, as a limited group of people builds initial Pillar data, but over time, more and more people add Pillar data as more apps and services get managed via Salt, until Pillar grows so much that it gets out of control, at which point rendering issues become a problem.

Remember Pillar should be used mainly for sensitive data; if your Pillar is large, it is likely that much of the data in Pillar is not that sensitive.

The solution

The solution is simple: reduce Pillar load by moving non-sensitive data to other resources, usually map files accompanying, and imported by, state files.

At first, given Pillar has grown so large, it may seem to be a daunting task, so it's time to sit down and do a proper assessment. If possible, gather information from the people involved in Pillar data provisioning to understand what's there. Prioritize by criticality, sensitiveness, most commonly used, etc.

A simple assessment could be to find out Pillar state files with more data, running the following command from the pillar root directory (usually /srv/salt):

# find . -type f -name "*.sls" -print0 | xargs -0 wc -l
 15 ./vault_config.sls
  3 ./top.sls
 20 ./users/dc1_users.sls
 50 ./users/dc2_users.sls
 88 total
Additionally, it's a good idea, as a secondary task, to review the targets in your top file, are the targets properly set to only provide each pillar data to the required systems?

In this guide we will focus in standard Pillar, but don't forget to review any external Pillar too.

What's next

Let's take vault_config.sls pillar for this example. This data is used by a Vault state to install and configure Vault service. Let's review the content and classify what's sensitive and must remain in Pillar, and what data can be moved to map files.

# cat /srv/pillar/vault_config.sls
vault_configuration:
  data_dir: '/vault/data'
  log_dir: '/logs/vault'
  bin: '/usr/bin/vault'
  mode: 'server'
  config_filename: '/etc/vault/config.hcl'
  svc_address: '0.0.0.0:8200'
  tls_disable: 1
  storage_path: '/vault/data'
  api_addr: 'http://192.168.250.96:8200'
  log_level: 'Info'
  ui: 'true'
  StandardOutput: '/logs/vault/output.log'
  StandardError: '/logs/vault/error.log'


# salt minion1 pillar.items
minion1:
    ----------
    vault_configuration:
        ----------
        StandardError:
            /logs/vault/error.log
        StandardOutput:
            /logs/vault/output.log
        api_addr:
            http://192.168.250.96:8200
        bin:
            /usr/bin/vault
        config_filename:
            /etc/vault/config.hcl
        data_dir:
            /vault/data
        log_dir:
            /logs/vault
        log_level:
            Info
        mode:
            server
        storage_path:
            /vault/data
        svc_address:
            0.0.0.0:8200
        tls_disable:
            1
        ui:
            true
For the purpose of this example, let's consider what's sensitive this way:
 data_dir: NO SENSITIVE
  log_dir: NO SENSITIVE
  bin: 'NO SENSITIVE
  mode: NO SENSITIVE
  config_filename: NO SENSITIVE
  svc_address: YES SENSITIVE
  tls_disable: 1
  storage_path: NO SENSITIVE
  api_addr: YES SENSITIVE
  log_level: NO SENSITIVE
  ui: NO SENSITIVE
  StandardOutput: NO SENSITIVE
  StandardError: NO SENSITIVE
Based on this assessment, the next step is to move all "NO SENSITIVE" data to a map file in the Vault state folder. In this example we will use a yaml file (json and jinja can be used too).

Assuming the Vault state file is under /srv/salt/vault, put the map file in /srv/salt/vault/files/vault_defaults.yaml

# cat files/vault_defaults.yaml
configuration:
  data_dir: '/vault/data'
  log_dir: '/logs/vault'
  bin: '/usr/bin/vault'
  mode: 'server'
  config_filename: '/etc/vault/config.hcl'
  svc_address: {{ salt['pillar.get']('vault_configuration:svc_address') }}
  tls_disable: 1
  storage_path: '/vault/data'
  api_addr: {{ salt['pillar.get']('vault_configuration:api_addr') }}
  log_level: 'Info'
  ui: 'true'
  StandardOutput: '/logs/vault/output.log'
  StandardError: '/logs/vault/error.log'
Look at the injection of pillar data for svc_address and api_addr in the map file, this could have been done in the state file itself, but doing it here in the map files puts all the data in a single place, leaving your state file cleaner. Now if any data changes, you just need to apply the change in the map file, giving you a single point to manage the state data.

Clear the pillar vault file, removing the data that was moved to map file:

# cat /srv/pillar/vault_config.sls
vault_configuration:
  svc_address: '0.0.0.0:8200'
  api_addr: 'http://192.168.250.96:8200'

# salt \* saltutil.refresh_pillar

# salt minion1 pillar.items
minion1:
    ----------
    vault_configuration:
        ----------
        api_addr:
            http://192.168.250.96:8200
        svc_address:
            0.0.0.0:8200
Edit the state file to import the data from the map file instead of pillar:
# cat /srv/salt/vault/init.sls

# THIS line imports the map file slspath(/srv/salt/vault)/files/vault_defaults.yaml to a variable called vault_defaults
{% import_yaml slspath + '/files/vault_defaults.yaml' as vault_defaults %}

# Observe the use of the variable vault_defaults to inject data in the state


# Put binary in /usr/bin
vault_bin_path:
  file.managed:
    - name: {{ vault_defaults.configuration.bin }}
    - source: salt://{{ slspath }}/files/vault
    - user: root
    - group: root
    - mode: 500

# create /etc/vault directory
/etc/vault:
  file.directory:
    - user: root
    - group: root
    - makedirs: True

# create '/vault/data'
{{ vault_defaults.configuration.data_dir }}:
  file.directory:
    - user: root
    - group: root
    - makedirs: True

# create '/logs/vault'
{{ vault_defaults.configuration.log_dir }}:
  file.directory:
    - user: root
    - group: root
    - makedirs: True


# Create Vault configuration file
# The source is a jinja template file, passing the vault_defaults.configuration object
# The destination file is generated on the fly with the data from this variable
vault_configuration:
  file.managed:
    - name: {{ vault_defaults.configuration.config_filename }}
    - source: salt://{{ slspath }}/files/config.hcl
    - template: jinja
    - defaults:
        vault_defaults_config: {{ vault_defaults.configuration }}


# Create Vault service configuration file
# The source is a jinja template file, passing values from vault_defaults.configuration. object
# The destination file is generated on the fly with the data from these variables
vault_service:
  file.managed:
    - name: /etc/systemd/system/vault.service
    - source: salt://{{ slspath }}/files/vault.service
    - template: jinja
    - defaults:
        vault_defaults_bin: {{ vault_defaults.configuration.bin }}
        vault_defaults_mode: {{ vault_defaults.configuration.mode }}
        vault_defaults_config_filename: {{ vault_defaults.configuration.config_filename }}
        vault_defaults_StandardOutput: {{ vault_defaults.configuration.StandardOutput }}
        vault_defaults_StandardError: {{ vault_defaults.configuration.StandardError }}

  service.running:
    - name: vault
    - enable: True
Jinja template files are used by the state, observe the use of the variables passed by the state.
# cat /srv/salt/vault/files/config.hcl
listener "tcp" {
  address = "{{ vault_defaults_config.svc_address }}"
  tls_disable = {{ vault_defaults_config.tls_disable }}
}

storage "file" {
  path = "{{ vault_defaults_config.storage_path }}"
}
api_addr = "{{ vault_defaults_config.api_addr }}"
log_level = "{{ vault_defaults_config.log_level}}"
ui = {{ vault_defaults_config.ui }} 
# cat /srv/salt/vault/files/vault.service
[Unit]
Description=vault service
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty={{ vault_defaults_config_filename }}

[Service]
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
ExecStart={{ vault_defaults_bin}} {{ vault_defaults_mode }} -config={{ vault_defaults_config_filename }}
StandardOutput={{ vault_defaults_StandardOutput }}
StandardError={{ vault_defaults_StandardError }}
LimitMEMLOCK=infinity
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

Test 

# salt minion1 state.sls vault
minion1:
----------
          ID: vault_bin_path
    Function: file.managed
        Name: /usr/bin/vault
      Result: True
     Comment: File /usr/bin/vault updated
     Started: 16:35:31.749390
    Duration: 1149.321 ms
     Changes:
              ----------
              diff:
                  New file
              mode:
                  0500
----------
          ID: /etc/vault
    Function: file.directory
      Result: True
     Comment: Directory /etc/vault updated
     Started: 16:35:32.898978
    Duration: 1.744 ms
     Changes:
              ----------
              /etc/vault:
                  New Dir
----------
          ID: /vault/data
    Function: file.directory
      Result: True
     Comment: Directory /vault/data updated
     Started: 16:35:32.900874
    Duration: 1.909 ms
     Changes:
              ----------
              /vault/data:
                  New Dir
----------
          ID: /logs/vault
    Function: file.directory
      Result: True
     Comment: Directory /logs/vault updated
     Started: 16:35:32.902934
    Duration: 1.807 ms
     Changes:
              ----------
              /logs/vault:
                  New Dir
----------
          ID: vault_configuration
    Function: file.managed
        Name: /etc/vault/config.hcl
      Result: True
     Comment: File /etc/vault/config.hcl updated
     Started: 16:35:32.904890
    Duration: 29.475 ms
     Changes:
              ----------
              diff:
                  New file
              mode:
                  0644
----------
          ID: vault_service
    Function: file.managed
        Name: /etc/systemd/system/vault.service
      Result: True
     Comment: File /etc/systemd/system/vault.service updated
     Started: 16:35:32.934597
    Duration: 28.356 ms
     Changes:
              ----------
              diff:
                  New file
              mode:
                  0644
----------
          ID: vault_service
    Function: service.running
        Name: vault
      Result: True
     Comment: Service vault is already enabled, and is running
     Started: 16:35:33.570589
    Duration: 275.344 ms
     Changes:
              ----------
              vault:
                  True

Summary for minion1

Conclusion:

The state executed successfully, retrieving all the required data from the map file. The map file has most values set locally except for the selected sensitive data svc_address and api_addr that remain in pillar.

The map file is the single point in which all the state data is defined, whether locally or from pillar, making the state file more flexible to changes in your data sources.

Next question would be, what else can we do to clean up pillar, can we retrieve secrets or sensitive information from other sources other than Pillar? The answer is yes.

For instance, you can move the data to an external source like a database and use SDB to retrieve the information.

How to use SDB to retrieve secrets instead of Pillar?

The SDB interface is designed to store and retrieve data that, unlike pillars and grains, is not necessarily minion-specific. The initial design goal was to allow passwords to be stored in a secure database, such as one managed by the keyring package, rather than as plain-text files. However, as a generic database interface, it could conceptually be used for a number of other purposes.

For detailed information on SDB and available modules, please visit:

Let's use SDB to interface with Hashicorp Vault to retrieve secrets in this example.

Salt SDB Vault configuration is intentionally out of scope of this article, look for other articles explaining this setup in this library. Please follow Salt and Vault documentation for further information. Adjust the steps as needed.

Start by provisioning the remaining pillar data to Vault:

# salt minion1 pillar.items
minion1:
    ----------
    vault_configuration:
        ----------
        api_addr:
            http://192.168.250.96:8200
        svc_address:
            0.0.0.0:8200
Put api_addr and svc_address under salt/vault_configuration in Vault.
#  vault kv put salt/vault_configuration api_addr=http://192.168.250.96:8200 svc_address=0.0.0.0:8200
Key              Value
---              -----
created_time     2019-05-03T18:03:32.739691817Z
deletion_time    n/a
destroyed        false
version          1


# vault kv get salt/vault_configuration
====== Metadata ======
Key              Value
---              -----
created_time     2019-05-03T18:03:32.739691817Z
deletion_time    n/a
destroyed        false
version          1

======= Data =======
Key            Value
---            -----
api_addr       http://192.168.250.96:8200
svc_address    0.0.0.0:8200
Configure Salt Master to connect to Vault using approle with role_id and secret_id and SDB to use Vault driver.
# vi /etc/salt/master.d/vault.conf

# SDB CONFIG
myvault:
  driver: vault


# VAULT CONFIG FOR TOKEN OR APPROLE AUTH MODE
vault:
  url: http://192.168.251.252:8200
  auth:
    method: approle
    role_id: 538a13ed-e15c-8050-6d26-431b05bf1bf3
    secret_id: ec166dae-f98a-4825-e599-eb1f3772b336
  policies:
    - saltmaster
Check SDB works fine trying to get the secret.
# salt-run sdb.get 'sdb://myvault/salt/data/vault_configuration' --out=json
{
    "data": {
        "svc_address": "0.0.0.0:8200",
        "api_addr": "http://192.168.250.96:8200"
    },
    "metadata": {
        "created_time": "2019-05-03T18:03:32.739691817Z",
        "destroyed": false,
        "version": 1,
        "deletion_time": ""
    }
}
This option will allow you to use SDB in your pillar data. Remember the Pillar is rendered by the master server, this adds an extra layer of security given your data is no longer exposed in the Pillar files, but Pillar is still used and rendered by Salt Master.

Change pillar file to retrieve data from SDB, refresh pillar and get pillar items:

# cat /srv/pillar/vault_config.sls
vault_configuration:
  svc_address: {{ salt['sdb.get']('sdb://myvault/salt/data/vault_configuration')['data']['svc_address'] }}
  api_addr: {{ salt['sdb.get']('sdb://myvault/salt/data/vault_configuration')['data']['api_addr'] }}


# salt \* saltutil.pillar_refresh

# salt minion1 pillar.items
minion1:
    ----------
    vault_configuration:
        ----------
        api_addr:
            http://192.168.250.96:8200
        svc_address:
            0.0.0.0:8200

Conclusion: While pillar still in use, the source of data is in an external source retrieved to Pillar by SDB interface.

If the minions were allowed to reach the Vault server, the vault.conf file can be placed in the minions config, and let the minions use SDB to retrieve the secrets while rendering the state file locally, allowing a complete removal of Pillar data from the formula.

Change the /srv/salt/vault/files/vault_defaults.yaml map file to retrieve data from SDB for svc_address and api_addr

# cat /srv/salt/vault/files/vault_defaults.yaml
configuration:
  data_dir: '/vault/data'
  log_dir: '/logs/vault'
  bin: '/usr/bin/vault'
  mode: 'server'
  config_filename: '/etc/vault/config.hcl'
  svc_address: {{ salt['sdb.get']('sdb://myvault/salt/data/vault_configuration')['data']['svc_address'] }}
  tls_disable: 1
  storage_path: '/vault/data'
  api_addr: {{ salt['sdb.get']('sdb://myvault/salt/data/vault_configuration')['data']['api_addr'] }}
  log_level: 'Info'
  ui: 'true'
  StandardOutput: '/logs/vault/output.log'
  StandardError: '/logs/vault/error.log'
Configure peer communication to allow minion to use SDB with Vault.
# cat /etc/salt/master.d/peer_run.conf
peer_run:
  .*:
    - vault.generate_token
Configure minion/s for SDB Vault (remember in this setup the minions are connecting to Vault to retrieve secrets).
#cat /etc/salt/minion.d/vault.conf

# SDB CONFIG
myvault:
  driver: vault


# VAULT CONFIG FOR TOKEN OR APPROLE AUTH MODE
vault:
  url: http://54.172.112.42:8200
  auth:
    method: approle
    role_id: 538a13ed-e15c-8050-6d26-431b05bf1bf3
    secret_id: ec166dae-f98a-4825-e599-eb1f3772b336
  policies:
    - saltmaster
Restart salt-minion to read new configuration.

Remove the data from pillar.

# salt \* saltutil.refresh_pillar

# salt minion1 pillar.items
minion1:
    ----------
Run the state and verify the configuration file.
# salt minion1 state.sls vault 

# cat /etc/vault/config.hcl
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

storage "file" {
  path = "/vault/data"
}
api_addr = "http://192.168.250.96:8200"
log_level = "Info"
ui = true

Conclusion:

With this latest setup we have completely eliminated the use of Pillar by moving pillar data to map files and secrets to an external source consumed by SDB from minions instead of Pillar.

Related articles