You could use Salt to build and run Docker containers, but that is not how I use it here. This blog post is about Docker containers that run Salt minions, which is just an experiment. The use case? Suppose you have several containers that run a particular piece of middleware, and this piece of middleware needs a security update, for example an OpenSSL hotfix. It is necessary to perform the update immediately.
The Dockerfile
In order to build a container you have to write down the container description in a file called Dockerfile. Here is the Dockerfile:
#-------
# Standard heading stuff
FROM centos
MAINTAINER No Reply noreply@xebia.com

# Do Salt install stuff and squeeze in a master.conf snippet that tells the minion
# to contact the master specified.
RUN rpm -Uvh https://ftp.linux.ncsu.edu/pub/epel/6/i386/epel-release-6-8.noarch.rpm
RUN yum install -y salt-minion --enablerepo=epel-testing
# mkdir -p is a no-op when the directory already exists; a plain
# "[ ! -d dir ] && mkdir dir" would exit non-zero in that case and fail the build.
RUN mkdir -p /etc/salt/minion.d
ADD ./master.conf /etc/salt/minion.d/master.conf

# Run the Salt Minion and do not detach from the terminal.
# This is important because the Docker container will exit whenever
# the CMD process exits.
CMD /usr/bin/salt-minion
#-------
Build the image
Time to run the Dockerfile through docker. The command is:
$ docker build --rm=true -t salt-minion .
provided that you run this command in the directory where the files Dockerfile and master.conf reside. Docker creates an image with the tag 'salt-minion' and throws away all intermediate images after a successful build.
Run a container
The command is:
$ docker run -d salt-minion
and Docker returns:
aab154310ba6452ba2c686d15b1e3ca5fd85124d38c7935f1200d33b3a3e7ced
The Salt minion on the container is started and searches for a Salt master to connect to, defined by the configuration setting “master” in file /etc/salt/minion.d/master.conf. You might want to run the Salt master in “auto_accept” mode so that minion keys are accepted automatically. Docker assigns a container id to the running container. That is the magic key that docker reports as a result of the run command.
The following command shows the running container:
$ docker ps
CONTAINER ID   IMAGE                COMMAND                CREATED         STATUS         NAMES
273a6b77a8fa   salt-minion:latest   /bin/sh -c /etc/rc.l   3 seconds ago   Up 3 seconds   distracted_lumiere
Apply the hot fix
There you are: the Salt minion is controlled by your Salt master. Provided that you have a state module that contains the OpenSSL hotfix, you can now easily update all Docker containers to include the hotfix:
salt \* state.sls openssl-hotfix
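As an added example (not from the original post), here is what such an openssl-hotfix state could look like for the CentOS image built above; the file name openssl-hotfix.sls, the package name openssl and the /proc check are my assumptions, not the post's.

```yaml
# openssl-hotfix.sls  (added example; not from the original post)
# Assumed layout: this file lives in the master's file_roots so that
# "salt \* state.sls openssl-hotfix" finds it. Assumes the CentOS image
# built above and that the fixed openssl build is in an enabled yum repo.

# Pull the newest openssl from the repositories, refreshing the yum
# metadata first so a freshly published hotfix is actually seen.
openssl-hotfix:
  pkg.latest:
    - name: openssl
    - refresh: True

# A replaced shared library is only picked up by processes started
# after the upgrade. Report any process in the container that still
# maps the old (now deleted) libssl/libcrypto so it can be restarted;
# the check only runs when the package state actually changed.
report-stale-openssl-users:
  cmd.run:
    - name: >-
        grep -ls 'lib\(ssl\|crypto\)\.so.*(deleted)' /proc/[0-9]*/maps
        || echo "no process is still using the old OpenSSL libraries"
    - onchanges:
      - pkg: openssl-hotfix
```

The second state's output in the salt return tells you which containers still need their middleware process restarted (or the container recreated) before the hotfix is actually in effect.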
That is all there is to it.