Ensure that only required data stay and outdated are removed

Question

We use salt to bootstrap our web server. We host multiple different domains. I create a file in /etc/apache2/sites-available for each of our domains. Then I symlink it to sites-enabled.

The problem is that if I move the domain to different server, the link from sites-enabled is not removed. If I change the domain name and keep the data in place - then I have old.domain.com and new.domain.com vhost files. I expect to end up with only new.domain.com in sites-enabled, but both files are there and the working domain depends on alphabet (I guess) - which of the vhosts is loaded first.

I have the domains stored in pillars and generate the vhosts like:

{%- for site in pillar.sites %}
/etc/apache2/sites-available/{{ site.name }}:
  file:
  - managed
  - source: salt://apache/conf/sites/site
  - template: jinja
  - require: 
    - file: /etc/apache2/sites-available/default
    - cmd: apache_rewrite_enable
  - defaults:
    site_name: "{{ site.name }}"
/etc/apache2/sites-enabled/{{ site.name }}:
  file.symlink:
  - target: /etc/apache2/sites-available/{{ site.name }}
  - require:
    - file: /etc/apache2/sites-available/{{ site.name }}
{% endfor %}

I need to make sure that only the vhosts listed in pillars stay after highstate. I thought about emptying the folder first, but that feels dangerous as the highstate may fail mid-air and I would be left withou any vhosts - crippling all the other domains - just because I tried to add one.

Is there a way to enforce something like: "remove everything that was not present in this highstate run"?

Answer 1

Yes, the problem is that Salt doesn't do anything you don't specify. It would be too hard (and quite dangerous) to try to automatically manage a whole server by default. So file.managed and file.symlink just make sure that their target files and symlinks are present and in the correct state -- they can't afford to worry about other files.

You have a couple of options. The first is to clean the directory at the beginning of each highstate. Like you mentioned, this is not ideal, because it's a bit dangerous (and if a highstate fails, none of your sites will work).

The better option would be to put all of your sites in each minion's pillar: some would go under the 'sites' key in pillar, and the rest might go under the 'disabled' key in pillar. Then you could use the file.absent state to make sure each of the 'disabled' site-files is absent. (as well as the symlink for those files)

Then when you move a domain from host to host, rather than just removing that domain from the pillar of the previous minion, you would actually move it from the 'sites' key to the 'disabled' key. Then you'd be guaranteed that that site would be gone.

Hope that helps!