Salt is an awesome 100% open source configuration management and remote execution tool. Salt is a new approach to infrastructure management. Easy enough to get running in minutes, scalable enough to manage tens of thousands of servers, and fast enough to communicate with them in seconds.
In this article we will accomplish the following:
- Install a Salt Master and a Salt Minion on a running Ubuntu 12.04 system
- Install a Salt Minion on a running Windows Server 2008 R2 system
The latest packages for Ubuntu are published in the saltstack PPA. If you have the add-apt-repository utility, you can add the repository and import the key in one step:
sudo add-apt-repository ppa:saltstack/salt
add-apt-repository: command not found?
The add-apt-repository command is not always present on Ubuntu systems. This can be fixed by installing python-software-properties:
sudo apt-get install python-software-properties
Note that since Ubuntu 12.10 (Raring Ringtail), add-apt-repository is found in the software-properties-common package, and is part of the base install. Thus, add-apt-repository should work out of the box to add the PPA.
Alternately, manually add the repository and import the PPA key with these commands:
echo deb http://ppa.launchpad.net/saltstack/salt/ubuntu `lsb_release -sc` main | sudo tee /etc/apt/sources.list.d/saltstack.list
wget -q -O- "http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0x4759FA960E27C0A6" | sudo apt-key add -
After adding the repository, update the package management database:
sudo apt-get update
Install the Salt master, minion, or syndic from the repository with the apt-get command. These examples each install one daemon, but more than one package name may be given at a time:
sudo apt-get install salt-master
sudo apt-get install salt-minion
sudo apt-get install salt-syndic
Salt configuration is very simple. The default configuration for the master will work for most installations and the only requirement for setting up a minion is to set the location of the master in the minion configuration file.
The configuration files will be installed to /etc/salt and are named after the respective components, /etc/salt/master and /etc/salt/minion.
By default the Salt master listens on ports 4505 and 4506 on all interfaces (0.0.0.0). To bind Salt to a specific IP, redefine the “interface” directive in the master configuration file, typically /etc/salt/master, as follows:
- #interface: 0.0.0.0 + interface: 10.0.0.1
After updating the configuration file, restart the Salt master. See the master configuration reference for more details about other configurable options.
Although there are many Salt Minion configuration options, configuring a Salt Minion is very simple. By default a Salt Minion will try to connect to the DNS name “salt”; if the Minion is able to resolve that name correctly, no configuration is needed.
If the DNS name “salt” does not resolve to point to the correct location of the Master, redefine the “master” directive in the minion configuration file, typically /etc/salt/minion, as follows:
- #master: salt + master: 10.0.0.1
After updating the configuration file, restart the Salt minion. See the minion configuration reference for more details about other configurable options.
Start the master in the foreground (to daemonize the process, pass the -d flag):
Start the minion in the foreground (to daemonize the process, pass the -d flag):
The simplest way to troubleshoot Salt is to run the master and minion in the foreground with log level set to debug:
For information on salt’s logging system please see the logging document.
Run as an unprivileged (non-root) user
To run Salt as another user, set the user parameter in the master config file.
Additionally, ownership and permissions need to be set such that the desired user can read from and write to the following directories (and their subdirectories, where applicable):
More information about running salt as a non-privileged user can be found here.
There is also a full troubleshooting guide available.
Salt uses AES encryption for all communication between the Master and the Minion. This ensures that the commands sent to the Minions cannot be tampered with, and that communication between Master and Minion is authenticated through trusted, accepted keys.
Before commands can be sent to a Minion, its key must be accepted on the Master. Run the salt-key command to list the keys known to the Salt Master:
[root@master ~]# salt-key -L
Unaccepted Keys:
alpha
bravo
charlie
delta
Accepted Keys:
This example shows that the Salt Master is aware of four Minions, but none of the keys has been accepted. To accept the keys and allow the Minions to be controlled by the Master, again use the salt-key command:
[root@master ~]# salt-key -A
[root@master ~]# salt-key -L
Unaccepted Keys:
Accepted Keys:
alpha
bravo
charlie
delta
The salt-key command allows for signing keys individually or in bulk. The example above, using -A, bulk-accepts all pending keys. To accept keys individually use the lowercase of the same option, -a keyname.
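Because -A accepts every pending key, including one submitted by a host nobody provisioned, the following added example (not part of the original article) turns a salt-key -L listing into per-minion salt-key -a commands for expected IDs only. The allowlist file, the function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: review pending minion keys against an allowlist
# instead of bulk-accepting them with `salt-key -A`.

# Print the minion IDs listed under "Unaccepted Keys:" in `salt-key -L`
# output read from stdin (the listing format shown in this article).
pending_keys() {
    awk '
        /^Unaccepted Keys:/ { pending = 1; next }
        /Keys:$/            { pending = 0; next }
        pending && NF       { print }
    '
}

# Read a `salt-key -L` listing on stdin and print one line per pending key:
#   "salt-key -a <id>"  for IDs that exactly match a line of the allowlist ($1)
#   "# REVIEW <id>"     for IDs nobody provisioned; these stay unaccepted
plan_accept() {
    allowlist=$1
    pending_keys | while IFS= read -r id; do
        if grep -qxF -- "$id" "$allowlist"; then
            printf 'salt-key -a %s\n' "$id"
        else
            printf '# REVIEW %s: not in allowlist\n' "$id"
        fi
    done
}

# Constructed sample: the listing from the article.
sample_listing() {
    printf '%s\n' 'Unaccepted Keys:' alpha bravo charlie delta 'Accepted Keys:'
}

# Constructed allowlist (hypothetical file, one expected minion ID per line)
# that deliberately omits "delta".
demo() {
    tmp=$(mktemp)
    printf '%s\n' alpha bravo charlie > "$tmp"
    sample_listing | plan_accept "$tmp"
    rm -f "$tmp"
}

demo
```

On a real master, feed it with salt-key -L | plan_accept /path/to/allowlist and read the plan before running it. A name match only filters out unexpected IDs; comparing the fingerprint from salt-key -f keyname on the master with salt-call --local key.finger on the minion is what ties an ID to a specific host.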
Communication between the Master and a Minion may be verified by running the test.ping command:
[root@master ~]# salt alpha test.ping
alpha: True
Communication between the Master and all Minions may be tested in a similar way:
[root@master ~]# salt '*' test.ping
alpha: True
bravo: True
charlie: True
delta: True
Each of the Minions should send a True response as shown above.