Setting up SaltStack

Installation of Master and Minions

For the Master and Minions, make sure static name resolution points local hostname not only to ipv4 but also ipv6 e.g.,

vi /etc/hosts   localhost localhost.localdomain localhost4 localhost4.localdomain4 host.example.local host
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 host.example.local host

For the Minion, make sure the salt host resolves (default name for Master daemon),

ping salt

Note. if using static name resolution, you cannot check with the host command.

Proceed with Salt component installation,

yum install systemd systemd-python python-hashlib
wget ""
rpm -ivh salt-repo-latest-2.el7.noarch.rpm
yum clean expire-cache

#yum install salt-master
#cp -pi /etc/salt/master /etc/salt/master.dist

yum install salt-minion
cp -pi /etc/salt/minion /etc/salt/minion.dist

yum install salt-ssh

#yum install salt-syndic
#yum install salt-cloud
#yum install salt-api

work around the minion-2016.11.5 FIPS bug,

rpm -qa | grep domex
rpm -e --nodeps python2-pycryptodomex
yum install python-crypto

Ready to go,

#systemctl start salt-master
#systemctl status salt-master
systemctl start salt-minion
systemctl status salt-minion

and check (make sure firewalls are not blocking those two ports on the master, so the minions can call it),

netstat -antupe | egrep '450[56]'


Key Management

On the master node, print all the fingerprints,

salt-key -F master

On the master node, print all pub keys,

salt-key --list all (or -L)

On the minion nodes, print the local key fingerprint,

salt-call --local key.finger

On the master node, check that it corresponds to known minions,

salt-key --finger <minion id>

Accept all the pending minion keys at once,

salt-key -A

Now check that the communications are working against all minions from the master,

salt '*'

System Management

Prepare the folder that is going to contain modules and state files,

mkdir -p /srv/salt/
vi /etc/salt/master

extension_modules: /srv/salt

systemctl restart salt-master.service

Create sample state files,

vi /srv/salt/network_packages.sls

    - pkgs:
      - rsync
      - lftp
      - curl

vi /srv/salt/specific_shit.sls

    - name: /opt/my_new_directory
    - user: root
    - group: root
    - mode: 755

Create a top state file,

vi /srv/salt/top.sls

    - network_packages
    - specific_shit

And apply (assuming only redhat hosts for now),

salt '*' state.apply


Targeting versus Node Groups

Either use minion ids, adv targeting or node groups.

Configure node groups using adv targeting -G grains e.g.,

vi /etc/salt/master

  linux: 'G@kernel:linux'
  redhat: 'G@os_family:redhat' 
  rhel: 'G@os:redhat'
  centos: 'G@os:centos'


Remote Execution


salt '*'
salt '*' 'uname -a'
salt '*' disk.usage
salt '*' 'ls -l /etc'
salt '*' cmd.exec_code python 'import sys; print sys.version'
salt '*' pkg.install vim
salt '*' network.interfaces

e.g. compound execution,

salt '*',,test.echo 'cat /proc/cpuinfo',,foo

see what other functions are available,

salt '*' sys.doc|less


Operating SaltStack

Check the status of the SS cluster,

salt '*' state.apply
salt '*' saltutil.sync_modules
salt '*' saltutil.sync_all

Search for service names,

salt minion1 service.get_all


Copyright © 2022 Pierre-Philipp Braun