I wanted to use file.recurse to copy a directory from /opt which is outside of my main root:
    file_roots:
      base:
        - /data/salt/roots
        - /opt
That worked, but it made calling even a simple state like this one very, very slow even when applied to just the salt master itself - ~25 seconds each time:
    local-groups:
      group.present:
        - name: apache
Turning on tracing on the salt master showed that the salt-master is checking every single file in the entire /opt tree each time any state is applied - ~50,000 files in various /opt subdirs in my case. Removing /opt from the list returned the state application to normal speed.
Why is it doing that?
Is there a way to get the master to stop checking or re-indexing file_roots each time a state is applied?
OS: Rocky 8
Salt version: 3006.3 (rpm from Salt Project yum repo)
When compiling a state it uses a list of all available states in order to check includes against. Unfortunately this involves scanning the entire fileserver to build the list.
There's no way to avoid it without some core rewrites. The only solution is to avoid very large Salt fileservers and instead use e.g. http, ftp, or s3 to serve your content to minions.
https://github.com/saltstack/salt/issues/65348
Note that anything under your file roots not only becomes available to all minions, but also has the possibility of overwriting your configuration with something malicious. Therefore you should always avoid adding arbitrary chunks of your filesystem to salt without considering proper access controls.
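An added example (not from the posts above and not Salt's own code): a pre-check to run on a directory before listing it under file_roots, counting the files the master would have to scan and listing the .sls files and group- or world-writable paths it would expose. The `audit_file_roots` helper, the `max_files` threshold and the temporary tree standing in for /opt are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_file_roots(file_roots, max_files=5000):
    """Report, per file_roots directory, what the master would scan and expose."""
    report = []
    for saltenv, roots in file_roots.items():
        for root in roots:
            entry = {"saltenv": saltenv, "root": root, "files": 0,
                     "sls": [], "loosely_writable": []}
            # Symlinks are skipped, not followed, in this example.
            for dirpath, dirnames, filenames in os.walk(root):
                for name in sorted(dirnames + filenames):
                    path = os.path.join(dirpath, name)
                    mode = os.lstat(path).st_mode
                    if stat.S_ISLNK(mode):
                        continue
                    rel = os.path.relpath(path, root)
                    if stat.S_ISREG(mode):
                        entry["files"] += 1
                        if name.endswith(".sls"):
                            # Would be listed among the available states.
                            entry["sls"].append(rel)
                    # Group- or world-writable paths let non-root users
                    # change what the fileserver hands out to minions.
                    if mode & (stat.S_IWGRP | stat.S_IWOTH):
                        entry["loosely_writable"].append(rel)
            entry["too_large"] = entry["files"] > max_files
            report.append(entry)
    return report

def demo():
    """Build a small constructed tree standing in for /opt and audit it."""
    root = tempfile.mkdtemp(prefix="fake_opt_")
    layout = {"app/bin/tool": 0o755, "app/conf/app.ini": 0o644,
              "vendor/setup.sls": 0o666}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    return audit_file_roots({"base": [root]}, max_files=2)[0]

if __name__ == "__main__":
    print(demo())
```

On a real master, pass the `file_roots` mapping from the master config in place of the constructed tree and choose a `max_files` value that matches the delay you are willing to accept.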