Salt consists of a master server that controls or manages client servers and computers. The master server is known as the Salt-Master and the clients are known as Salt-Minions.
This is PART 1: Installing and Configuring SaltStack
PART 2 will be all about managing minions.
Installing the Salt-Master
In the spirit of Zero Trust (not trusting the local network), the author's preference is a Fedora Server on a hosted VPS through your favorite cloud provider. Keep in mind what that implies: a master reachable from the internet exposes ports 4505 and 4506 to everyone, so restrict them at the provider firewall to your minions' addresses where you can, and treat minion key acceptance (covered below) as the trust decision it is.
Fedora
The Salt-Master package is available in the standard Fedora repository.
- Install Salt-Master:
dnf install salt-master
Ubuntu
- Import the SaltStack repository key:
wget -O - https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -
- Add the SaltStack repo (the redirect into /etc/apt needs root, so write the file with tee rather than a plain > redirect):
echo 'deb http://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest xenial main' | sudo tee /etc/apt/sources.list.d/saltstack.list
- Note: this is the repository from the original walkthrough, pinned to Ubuntu 16.04 (xenial). The repo.saltstack.com host has since been retired, so on a newer release check the current Salt installation docs for the active package repository and signing key before adding it.
- Update:
sudo apt-get update
- Install Salt-Master:
sudo apt-get install salt-master
Post-Install Configuration Tasks
- Start Salt-Master automatically at boot:
systemctl enable salt-master.service
- Start the Salt-Master service:
systemctl start salt-master.service
- Fedora firewall config:
firewall-cmd --permanent --zone=public --add-port=4505-4506/tcp
firewall-cmd --reload
- Ubuntu firewall config:
sudo ufw allow 4505
sudo ufw allow 4506
Configuring the Salt-Master
GitLab Integration
This part assumes you want to use a private Git repository as the fileserver backend for your Salt-Master, and that the repository already exists.
Prerequisites
To use Git, you will need to install pygit2 or GitPython on your Salt-Master. Salt prefers pygit2 when both are present, and pygit2 is the only provider that honors the per-remote pubkey/privkey options used later in this guide.
- Install pygit2 (or GitPython) on Fedora:
dnf install python-pygit2
dnf install GitPython
- Install pygit2 on Ubuntu:
apt-get install python-pygit2
- Package names vary by release; on current releases look for the python3-prefixed packages (for example python3-pygit2).
SSH Keys
- Change directory to the master's drop-in configuration directory:
cd /etc/salt/master.d
- Generate an SSH key pair dedicated to gitfs (do not reuse a personal key):
sudo ssh-keygen -t rsa -b 4096 -C "SaltStack Git"
- Enter the path and file name when prompted:
/etc/salt/master.d/ssh-git-ro
- Hit enter twice to skip the passphrase. salt-master has to read this key unattended, so its only protection is file permissions: ssh-keygen creates the private key as root with mode 0600, and it must stay that way.
- Rename the private key so that both halves of the pair are easily identifiable:
sudo mv /etc/salt/master.d/ssh-git-ro /etc/salt/master.d/ssh-git-ro.priv
- Now if you type ls -lash you should see both SSH keys:
ssh-git-ro.priv ssh-git-ro.pub
- Copy the public key so you can paste it into GitLab:
cat ssh-git-ro.pub
- In GitLab, prefer adding the key to the repository rather than to your personal account: open the project's Settings > Repository > Deploy Keys. A personal key under Settings > SSH Keys also works, but it grants the master access to every repository your account can read.
- Paste the public key into the text area.
- Give it a title, then click Add key. Leave write access disabled if the option is shown; gitfs only needs to read.
- Configure the Salt-Master to use this new SSH Key to connect to the GitLab repo:
- Create an SSH config file in root's home (salt-master runs as root, so this is the account whose SSH settings apply). Note that the pygit2 provider uses libgit2's own SSH client and takes the key paths from the Salt config in the next step, so this file matters for the GitPython provider and for the connection test below:
vi /root/.ssh/config
- Type and save the following into /root/.ssh/config. Do not add StrictHostKeyChecking no: it disables host-key verification, so anyone able to redirect gitlab.com traffic could feed the master an arbitrary state tree.
Host gitlab.com
    Hostname gitlab.com
    User git
    IdentityFile /etc/salt/master.d/ssh-git-ro.priv
    IdentitiesOnly yes
- Connect to GitLab.com via SSH:
ssh gitlab.com
- Enter yes when prompted to save GitLab's host key to known_hosts, after comparing the fingerprint shown with the SSH host key fingerprints GitLab publishes in its documentation. GitLab does not provide a shell, so a successful test prints a welcome line with your username and then closes the connection; that is not an error.
- For the GitFS backend to work, the fileserver config file needs to be configured appropriately, done in the next step.
Create Config File
Create and save the following text exactly (paying careful attention to spacing), as it follows YAML formatting: two-space indentation, with the per-remote options indented beneath the remote URL.
vi /etc/salt/master.d/custom.conf
- Save the below text in the custom.conf configuration file above:
fileserver_backend:
  - roots
  - git

file_roots:
  base:
    - /srv/salt

pillar_roots:
  base:
    - /srv/pillar

gitfs_remotes:
  - git@gitlab.com:username/salt.git:
    - pubkey: /etc/salt/master.d/ssh-git-ro.pub
    - privkey: /etc/salt/master.d/ssh-git-ro.priv

gitfs_env_whitelist:
  - base
- Note that in the above custom.conf, under gitfs_remotes, you get git@gitlab.com:username/salt.git from your GitLab repository's SSH clone URL. The per-remote pubkey and privkey options are honored only by the pygit2 provider (GitPython authenticates through the SSH config instead). On Salt 2018.3 and later the whitelist option is named gitfs_saltenv_whitelist; the gitfs_env_whitelist name shown here is deprecated there.
Restart Salt-Master Service
Because we changed the configuration, the salt-master service needs to be restarted (the salt-master binary itself has no restart command; use systemd):
sudo systemctl restart salt-master.service
Testing GitLab Integration
Run the following command to list the files the master's fileserver can see; the files in your GitLab repository should show up alongside anything under /srv/salt:
sudo salt-run fileserver.file_list
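The SSH key, SSH client config and custom.conf steps above are easy to get subtly wrong (a world-readable key, a flattened YAML block, host-key checking switched off). The script below is an added example, not code from the original post or from the Salt project: it renders both config files from parameters and checks the private key's mode, writing everything to a scratch directory so you can inspect the result unprivileged before copying it into place. The remote URL and key paths are taken from the post; the pygit2 provider pin and the gitfs_saltenv_whitelist spelling are the author-of-this-example's choices, as noted in the comments.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render the gitfs pieces described
# above (master drop-in config and root's SSH client config) and check the
# deploy key's permissions before restarting salt-master. Assumptions not in the
# original: paths and the remote URL are parameters; the demo writes to a scratch
# directory so it can be run unprivileged and inspected first.
set -eu

# The private deploy key has no passphrase, so file mode is its only protection.
# Returns 0 when the mode is exactly -rw------- (0600), 1 otherwise.
check_privkey_mode() {
  key="$1"
  mode=$(ls -l "$key" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# render_master_conf REMOTE PUBKEY PRIVKEY
# Emits the custom.conf contents. Indentation is significant (YAML); the
# per-remote pubkey/privkey options are honored only by the pygit2 provider,
# so the provider is pinned. gitfs_saltenv_whitelist is the 2018.3+ name of
# gitfs_env_whitelist.
render_master_conf() {
  remote="$1"; pubkey="$2"; privkey="$3"
  cat <<EOF
fileserver_backend:
  - roots
  - git

file_roots:
  base:
    - /srv/salt

pillar_roots:
  base:
    - /srv/pillar

gitfs_provider: pygit2

gitfs_remotes:
  - ${remote}:
    - pubkey: ${pubkey}
    - privkey: ${privkey}

gitfs_saltenv_whitelist:
  - base
EOF
}

# render_ssh_config PRIVKEY
# SSH client config for root: pins the identity but leaves host-key checking
# on, so a redirected gitlab.com cannot hand the master a substitute state tree.
render_ssh_config() {
  privkey="$1"
  cat <<EOF
Host gitlab.com
    Hostname gitlab.com
    User git
    IdentityFile ${privkey}
    IdentitiesOnly yes
EOF
}

# Demo against a scratch directory (constructed placeholder key, no privileges needed).
demo_dir=$(mktemp -d)
printf 'PLACEHOLDER, NOT A REAL PRIVATE KEY\n' > "$demo_dir/ssh-git-ro.priv"
chmod 600 "$demo_dir/ssh-git-ro.priv"
check_privkey_mode "$demo_dir/ssh-git-ro.priv" && echo "private key mode ok"
render_master_conf "git@gitlab.com:username/salt.git" \
  /etc/salt/master.d/ssh-git-ro.pub /etc/salt/master.d/ssh-git-ro.priv \
  > "$demo_dir/custom.conf"
render_ssh_config /etc/salt/master.d/ssh-git-ro.priv > "$demo_dir/ssh_config"
cat "$demo_dir/custom.conf" "$demo_dir/ssh_config"
rm -rf "$demo_dir"
```

Once the rendered output looks right, write the two files to /etc/salt/master.d/custom.conf and /root/.ssh/config, run check_privkey_mode against the real /etc/salt/master.d/ssh-git-ro.priv, and restart salt-master.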
Installing the Salt-Minion
Each computer or server you want to have managed by your Salt-Master needs to have the Salt-Minion client installed.
By default, the salt-minion finds its master by resolving the DNS name salt; alternatively, set master: <address> in /etc/salt/minion (or in a drop-in file under /etc/salt/minion.d/).
Easy Minion Install Summary
This part is a quick summary: you can skip the following four sections and just do these five steps:
- Install Fedora Workstation from Net Install ISO.
- Fully update (if needed)
dnf upgrade --refresh
- Run the "Linux_Minion_Setup.sh" script, which does the following (the hosts entry is written with tee so the append runs as root; a plain sudo echo >> /etc/hosts would perform the redirect as the unprivileged user and fail):
#!/bin/bash
echo '172.19.23.41 salt' | sudo tee -a /etc/hosts
sudo dnf install salt-minion -y
sudo systemctl enable salt-minion.service
sudo systemctl start salt-minion.service
- On the Salt-Master, list the pending key and accept it by name (salt-key -A would accept every key waiting on the master, including any you did not expect):
sudo salt-key -L
sudo salt-key -a fwtest
- On GitLab.com, add the new Salt-Minion and desired states to the top.sls file:
base:
  'fwtest':
    - virtworkstation
- Run a HighState: (assuming you already have states set up, this will be in Part 2)
sudo salt 'fwtest' state.apply
Installing on Fedora
- First, add the SALT DNS entry:
- Create a DNS record on your network called salt that points to your Salt-Master; or
- Add salt to your hosts file:
echo '172.19.23.41 salt' >> /etc/hosts
- Install the Salt-Minion:
dnf install salt-minion
Post-Install Tasks for Salt-Minion
- Start the Minion service automatically at boot time:
systemctl enable salt-minion.service
- Start the Minion:
systemctl start salt-minion.service
Installing on Windows
The easiest way to install the Salt-Minion on Windows is via Chocolatey. You may specify your Salt-Master during installation of the minion, or point it at the master through the hosts file.
- Create an entry in your hosts file: C:\Windows\System32\drivers\etc\hosts
ip.ad.dr.ess salt
- Or, specify the master when installing with the following switch:
choco install saltminion /master=salt.yourdomain.com /y
- Otherwise, in an elevated command prompt (cmd.exe), enter one of the following to install or upgrade the minion:
choco install saltminion /y
choco upgrade saltminion /y
- If Chocolatey is not installed, you may install it by entering the following in cmd.exe. This downloads and executes a remote script with the execution policy bypassed, so run it only from a trusted network and compare the command against the one on the official Chocolatey install page before pasting it:
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"
Adding a Minion to the Master
Before your Master can command Minions, their keys must first be accepted on the Master. Accepting a key is the trust decision: whatever presents that key afterwards receives your states, pillar data and remote commands.
On your Salt-Master server, run the following command to check if your Master is yet aware of any Minions:
sudo salt-key -L
You will now see a list of Minions grouped by acceptance status (Accepted, Unaccepted, Rejected).
To accept ALL pending keys, use the following command. Only do this on a network where nothing but your own freshly installed minions can reach the master, because it also accepts any impostor that registered under a minion id you were expecting:
sudo salt-key -A
To accept individual keys, use the following. Before accepting, compare the fingerprint the master holds for that id (shown by salt-key -F) with the one the minion reports for itself (salt-call --local key.finger, run on the minion); they must be identical:
sudo salt-key -a keyname
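The fingerprint comparison described above is easy to skip under time pressure, so here it is as a script. This is an added example, not code from the original post or from the Salt project: it parses the output of salt-key -F (captured on the master) and salt-call --local key.finger (captured on the minion) and only reports a key as safe to accept when the two fingerprints agree. The output layouts it parses, the minion id fwtest from the post, and the fingerprint values are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: accept a minion key only after the
# fingerprint the master holds for that id matches the one read on the minion
# itself. Assumptions (not in the original): the output layouts of
#   sudo salt-key -F                  (run on the master)
#   sudo salt-call --local key.finger (run on the minion)
# as reproduced in the constructed samples below; minion id "fwtest" as in the post.
set -eu

# Print the fingerprint listed for minion id $1 in the "Unaccepted Keys:" section
# of `salt-key -F` output read on stdin. Exit 1 if that id is not pending.
unaccepted_fingerprint() {
  awk -v id="$1" '
    /^[A-Za-z]+ Keys:$/                          { section = $0; next }
    section == "Unaccepted Keys:" && $1 == id ":" { print $2; found = 1 }
    END                                          { exit found ? 0 : 1 }
  '
}

# Print the fingerprint from `salt-call --local key.finger` output on stdin:
# the first line is the "local:" header, the value is the indented line after it.
minion_fingerprint() {
  awk 'NR > 1 && NF == 1 { print $1; exit }'
}

# verify_minion ID SALT_KEY_F_OUTPUT KEY_FINGER_OUTPUT
# Returns 0 only when the id is pending on the master and both fingerprints match.
verify_minion() {
  master_fp=$(printf '%s\n' "$2" | unaccepted_fingerprint "$1") || return 1
  minion_fp=$(printf '%s\n' "$3" | minion_fingerprint)
  [ -n "$master_fp" ] && [ "$master_fp" = "$minion_fp" ]
}

# Constructed sample outputs (fingerprints are made up, not real keys).
SALT_KEY_F='Local Keys:
master.pem:  11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
master.pub:  00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11
Accepted Keys:
web01:  0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9
Unaccepted Keys:
fwtest:  ab:12:cd:34:ef:56:01:23:45:67:89:ab:cd:ef:01:23'

# What the genuine fwtest host reports for its own key.
GENUINE_FINGER='local:
    ab:12:cd:34:ef:56:01:23:45:67:89:ab:cd:ef:01:23'

# What you would see if an impostor had registered as "fwtest" before the real
# host did: the real host's key no longer matches what the master is holding.
IMPOSTOR_FINGER='local:
    de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb'

if verify_minion fwtest "$SALT_KEY_F" "$GENUINE_FINGER"; then
  echo "fwtest: fingerprints match, safe to run: sudo salt-key -a fwtest"
fi
if ! verify_minion fwtest "$SALT_KEY_F" "$IMPOSTOR_FINGER"; then
  echo "fwtest: MISMATCH, do not accept; remove it with sudo salt-key -d fwtest and investigate"
fi
```

In practice, capture the two command outputs into variables or files on the master (the minion's output via an out-of-band channel such as the console or an existing SSH session) and call verify_minion before every salt-key -a; the awk filters deliberately ignore the Accepted and Rejected sections so an already-trusted id can never be re-verified by accident.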
Testing / Verifying Communication
Communication between the Master and a Minion may be verified by running the test.ping command:
sudo salt '*' test.ping
sudo salt minionName test.ping
Stay tuned for PART 2 – SaltStack: Managing the Salt Master and Minions.
References
- https://docs.saltstack.com/en/latest/topics/installation/index.html
- https://docs.saltstack.com/en/latest/topics/tutorials/walkthrough.html#tutorial-salt-walk-through
- https://docs.saltstack.com/en/latest/ref/configuration/master.html#std:conf_master-fileserver_backend
- https://docs.saltstack.com/en/latest/topics/tutorials/gitfs.html
- https://docs.saltstack.com/en/latest/contents.html
- https://docs.saltstack.com/en/latest/topics/tutorials/gitfs.html#authentication
- https://www.youtube.com/watch?v=RaeKLKaqPoo
- https://www.youtube.com/watch?v=0VFKRExZotM