I can't believe I have been ignoring one of my most favorite tools – Saltstack or Salt! Salt is a Python-based configuration management tool. If you're familiar with Ansible, Chef and the venerable Puppet, you'll want to check out Salt. Similar to Ansible, Salt uses YAML syntax for its state files or formulas.

How is Salt different? Salt uses the ZeroMQ protocol (port 4505) to communicate between master and minions. This allows Salt to communicate relatively quickly compared to competitors. Along with the speedy communication, Salt operators can take advantage of the event bus system to create event-driven automation tasks.

Today I'll teach you the basics of Salt in the realm of configuration management!

Prerequisite Tasks

On all of the hosts (master and minions) do the following:

  1. Edit the hosts file to include entries for all of your hosts. Make sure to add an entry for salt-master called salt. This is needed so that the salt-minion can find out who is the salt-master.
  2. Add static IP addresses to every host.
  3. Ensure each host can ping the master and vice-versa using hostnames.
  4. Open ports 4505 and 4506 to allow Salt to communicate.
firewall-cmd --permanent --add-port=4505-4506/tcp 
firewall-cmd --reload 
firewall-cmd --list-ports 

Setting up Salt Master Server

To get the Salt Master up and running as quickly as possible I will be installing it using the bootstrap method. What it will do is execute a script that will configure the host to act as the master.

  1. Download the Salt bootstrap script. (you can view the script here)
curl -L https://bootstrap.saltstack.com -o install_salt.sh 

2. Execute the script. -P enables pip-based installs and -M installs the components needed by the master. -X, which is not used in the command below, prevents the salt-master daemon from starting after the installation.

bash install_salt.sh -P -M

3. Verify Salt Master is running.

systemctl status salt-master

Installing Salt Minion

  1. Execute the same script as you ran for the salt-master, but without the -M option. -X prevents the salt daemon from starting automatically.
bash install_salt.sh -P -X

2. Edit the Salt Minion config and specify the master and its finger (the fingerprint of the master's public key) by uncommenting those lines.

To get the master's finger, execute the salt-key -F command on your salt-master. What you're looking for is master.pub. Copy that value and keep it in a text editor.

[root@salt-master phil]# salt-key -F
Local Keys:
master.pem:  9d:82:c5:ef:34:77:a5:f4:78:ed:e6:13:c8:02:aa:f1:4e:9e:6c:4d:f7:70:a7:e4:6a:2a:cb:4a:29:6e:72:e9
master.pub:  7a:4d:b9:9b:f3:c7:e5:af:6c:cc:8d:ba:40:ee:5f:c4:1f:53:a2:76:07:3e:91:94:62:20:05:ab:ec:97:d4:bd

Open up the salt-minion config file, then uncomment and set the following lines.

vim /etc/salt/minion
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
master: salt
# Fingerprint of the master public key to validate the identity of your Salt master
# before the initial key exchange. The master fingerprint can be found by running
# "salt-key -f master.pub" on the Salt master.
master_finger: '7a:4d:b9:9b:f3:c7:e5:af:6c:cc:8d:ba:40:ee:5f:c4:1f:53:a2:76:07:3e:91:94:62:20:05:ab:ec:97:d4:bd'

3. Start up the Salt Minion and enable it.

systemctl start salt-minion && systemctl enable salt-minion

4. Accept the minion's keys on your master.

When you execute salt-key -F you should now see "Unaccepted Keys" on the bottom.

[root@salt-master phil]# salt-key -F
Local Keys:
master.pem:  9d:82:c5:ef:34:77:a5:f4:78:ed:e6:13:c8:02:aa:f1:4e:9e:6c:4d:f7:70:a7:e4:6a:2a:cb:4a:29:6e:72:e9
master.pub:  7a:4d:b9:9b:f3:c7:e5:af:6c:cc:8d:ba:40:ee:5f:c4:1f:53:a2:76:07:3e:91:94:62:20:05:ab:ec:97:d4:bd
Unaccepted Keys:
minion-02:  d7:18:f4:74:99:67:8b:41:6c:84:b3:4f:c5:00:9c:2b:aa:83:e4:33:32:44:ae:df:48:5b:d8:a8:9e:36:23:5c

To verify that the public key is in fact from minion-02, connect to the minion and execute salt-call --local key.finger.

[root@minion-02 phil]# salt-call --local key.finger
local:
    d7:18:f4:74:99:67:8b:41:6c:84:b3:4f:c5:00:9c:2b:aa:83:e4:33:32:44:ae:df:48:5b:d8:a8:9e:36:23:5c

salt-call is specific to the minion. Only the minion will reply back, removing the salt-master from the equation.

If this is correct you can proceed and accept the key on the master. It will prompt you if you want to proceed. Hit "y" for yes.

salt-key -a minion-02

5. Verify the minion's key was accepted by the master by using the salt-key command again.

[root@salt-master phil]# salt-key
Accepted Keys:
minion-02
Denied Keys:
Unaccepted Keys:
Rejected Keys:

Great, the master is now showing that it has accepted minion-02's public key. Let's test it out!

Issue the test.ping command while on the master.

[root@salt-master phil]# salt '*' test.ping
minion-02:
    True

Fantastic!!! The minion is now responding to the master.
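
The fingerprint comparison from step 4, scripted so that a key is accepted only when the fingerprint pending on the master equals the one the minion reports locally. This is an added example, not part of the original post; the function names are hypothetical and the sample text is the command output shown above.

```shell
#!/bin/sh
# Added example: gate `salt-key -a` on a fingerprint match (names are hypothetical).
# Sample text is the command output shown in this post, embedded to run offline.
MASTER_OUT='Local Keys:
master.pem:  9d:82:c5:ef:34:77:a5:f4:78:ed:e6:13:c8:02:aa:f1:4e:9e:6c:4d:f7:70:a7:e4:6a:2a:cb:4a:29:6e:72:e9
master.pub:  7a:4d:b9:9b:f3:c7:e5:af:6c:cc:8d:ba:40:ee:5f:c4:1f:53:a2:76:07:3e:91:94:62:20:05:ab:ec:97:d4:bd
Unaccepted Keys:
minion-02:  d7:18:f4:74:99:67:8b:41:6c:84:b3:4f:c5:00:9c:2b:aa:83:e4:33:32:44:ae:df:48:5b:d8:a8:9e:36:23:5c'
MINION_OUT='local:
    d7:18:f4:74:99:67:8b:41:6c:84:b3:4f:c5:00:9c:2b:aa:83:e4:33:32:44:ae:df:48:5b:d8:a8:9e:36:23:5c'

# Fingerprint listed for minion $2 under "Unaccepted Keys:" in `salt-key -F` output $1.
# Prints nothing when the minion has no pending key.
pending_finger() {
    printf '%s\n' "$1" | awk -v id="$2:" '
        NF == 2 && $2 == "Keys:" { section = $1; next }   # section header line
        section == "Unaccepted" && $1 == id { print $2; exit }'
}

# Fingerprint printed by `salt-call --local key.finger` (output in $1).
local_finger() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF { print $1; exit }'
}

# True if $1 looks like the fingerprints above: 32 colon-separated hex bytes.
is_finger() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){31}[0-9a-f]{2}$'
}

# $1 = salt-key -F output, $2 = minion id, $3 = salt-call output from that minion.
# Succeeds only if both fingerprints are well-formed and identical.
safe_to_accept() {
    sta_master=$(pending_finger "$1" "$2")
    sta_minion=$(local_finger "$3")
    is_finger "$sta_master" && is_finger "$sta_minion" &&
        [ "$sta_master" = "$sta_minion" ]
}

if safe_to_accept "$MASTER_OUT" minion-02 "$MINION_OUT"; then
    echo "match: safe to run salt-key -a minion-02"
else
    echo "mismatch or key not pending: do not accept"
fi
```

On a live system, pass "$(salt-key -F)" from the master as the first argument and the salt-call output collected on the minion itself as the third.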