SaltStack: Installation and Configuration

Salt consists of a master server that controls or manages client servers and computers.  The master server is known as the Salt-Master and the clients are known as Salt-Minions.

This is PART 1:  Installing and Configuring SaltStack

PART 2 will be all about managing minions.

Installing the Salt-Master

Following the Zero Trust architecture standards, this should ideally be a Fedora Server on a hosted VPS through your favorite cloud provider.

Fedora

The Salt-Master package is available in the standard Fedora repository.

  1. Install Salt-Master:
    dnf install salt-master

Ubuntu

  1. Import the SaltStack repository key:
    wget -O - https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -
  2. Add the SaltStack repo:
    echo 'deb http://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest xenial main' | sudo tee /etc/apt/sources.list.d/saltstack.list
    (a plain `>` redirect runs as your own user, not as root, so the write under /etc needs sudo tee)

  3. Update:
    sudo apt-get update
  4. Install Salt-Master:
    sudo apt-get install salt-master

Post-Install Configuration Tasks

  1. Start Salt-Master automatically at boot:
    systemctl enable salt-master.service
  2. Start the Salt-Master service:
    systemctl start salt-master.service
  3. Fedora firewall config:
    firewall-cmd --permanent --zone=public --add-port=4505-4506/tcp
    firewall-cmd --reload
  4. Ubuntu firewall config:
    sudo ufw allow 4505
    sudo ufw allow 4506

Configuring the Salt-Master

GitLab Integration

This part assumes you want to use and have a private git repository set up to use for your Salt-Master fileserver backend.

Prerequisites

To use the GitFS backend, you need either PyGit2 or GitPython installed on your Salt-Master.

  1. Install PyGit2 or GitPython (Fedora & Ubuntu):
    dnf install python-pygit2        # Fedora: PyGit2
    dnf install GitPython            # Fedora: GitPython
    apt-get install python-pygit2    # Ubuntu: PyGit2

SSH Keys

  1. Change directory to:
    cd /etc/salt/master.d
  2. Generate an SSH key:
    sudo ssh-keygen -t rsa -b 4096 -C "SaltStack Git"

    1. Enter the path and file name:
      /etc/salt/master.d/ssh-git-ro
    2. Hit enter twice to skip passphrase.
    3. Rename the private key so that both keys are easily identifiable:
      sudo mv /etc/salt/master.d/ssh-git-ro /etc/salt/master.d/ssh-git-ro.priv
    4. Now if you type ls -lash you should see both of the following SSH keys:
      ssh-git-ro.priv
      ssh-git-ro.pub
  3. Copy the public key so you can paste it into GitLab:
    cat ssh-git-ro.pub

    1. In GitLab, click Settings > SSH Keys
    2. Paste the public key into the text area.
    3. Give it a title, then click Add key.  Write access is not needed if the option is available.
  4. Configure the Salt-Master to use this new SSH Key to connect to the GitLab repo:
    1. Create an SSH config file in root's home directory:
      vi /root/.ssh/config
    2. Type and save the following into /root/.ssh/config:

      Host gitlab.com
          Hostname gitlab.com
          User git
          StrictHostKeyChecking no
          IdentityFile /etc/salt/master.d/ssh-git-ro.priv
          IdentitiesOnly yes
    3. Connect to GitLab.com via SSH:
      ssh gitlab.com
    4. Enter yes if prompted to save GitLab's host key to known_hosts (with StrictHostKeyChecking no in the config above, ssh adds it silently, which also means the key is never checked against the fingerprints GitLab publishes).  An error or a closed connection at this point is expected: GitLab does not give SSH users a shell, so a greeting followed by a disconnect means the key works.
  5. For the GitFS backend to work, the fileserver configuration must also point at this key pair; that is done in the next step.

Create Config File

Create and save the following text exactly (paying careful attention to spacing), as it is YAML and indentation is significant:
vi /etc/salt/master.d/custom.conf

  1. Save the below text in the custom.conf configuration file above:
    fileserver_backend:
      - roots
      - git
    
    file_roots:
      base:
        - /srv/salt
    
    pillar_roots:
      base:
        - /srv/pillar
    
    gitfs_remotes:
      - git@gitlab.com:username/salt.git:
        - pubkey: /etc/salt/master.d/ssh-git-ro.pub
        - privkey: /etc/salt/master.d/ssh-git-ro.priv
    
    gitfs_env_whitelist:
      - base
    1. Note that in the above custom.conf, under gitfs_remotes, the value git@gitlab.com:username/salt.git is the SSH clone URL of your GitLab repository.
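A preflight check for the SSH key steps and the custom.conf above, written as an added example (it is not code from the original post or from SaltStack). It assumes the exact "- privkey: /path" layout shown in custom.conf, and reports a private key readable by group or others, a missing public key, and an SSH config that turns StrictHostKeyChecking off:

```shell
#!/bin/sh
# Added preflight check for the GitFS deploy key and SSH config above (example
# code, not from the original post). It verifies that the private key
# referenced by custom.conf exists and is readable only by its owner, that the
# public key exists, and that the SSH config keeps host-key verification on.

# Return the path on the first "- privkey:" or "- pubkey:" line of a conf file.
# Assumes the layout used in custom.conf above ("    - privkey: /path").
gitfs_key_path() {            # $1 = conf file, $2 = pubkey | privkey
  sed -n "s/^[[:space:]]*- $2:[[:space:]]*//p" "$1" | head -n 1
}

# 0 if the file has no group or other read bit, else 1 (parses `ls -ld` output).
owner_only_readable() {
  case "$(ls -ld "$1")" in
    ????r*|???????r*) return 1 ;;   # 5th char = group read, 8th = other read
    *) return 0 ;;
  esac
}

# 0 if the SSH config does not set StrictHostKeyChecking to no, else 1.
host_key_checking_enabled() {
  ! grep -Eiq '^[[:space:]]*StrictHostKeyChecking[[:space:]]+no' "$1" 2>/dev/null
}

# Run all checks against $1 = custom.conf and $2 = SSH config.
# Prints one line per finding and returns the number of findings (0 = clean).
gitfs_preflight() {
  findings=0
  priv=$(gitfs_key_path "$1" privkey)
  pub=$(gitfs_key_path "$1" pubkey)
  if [ -z "$priv" ] || [ ! -f "$priv" ]; then
    echo "privkey missing: '$priv'"; findings=$((findings + 1))
  elif ! owner_only_readable "$priv"; then
    echo "privkey $priv is group/world readable; fix with: chmod 600 $priv"
    findings=$((findings + 1))
  fi
  if [ -z "$pub" ] || [ ! -f "$pub" ]; then
    echo "pubkey missing: '$pub'"; findings=$((findings + 1))
  fi
  if ! host_key_checking_enabled "$2"; then
    echo "$2 sets StrictHostKeyChecking no: GitLab's host key is never verified"
    findings=$((findings + 1))
  fi
  return "$findings"
}
# On the master: gitfs_preflight /etc/salt/master.d/custom.conf /root/.ssh/config
```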

Restart Salt-Master Service

Because we changed the configuration, the salt-master service needs to be restarted (the salt-master binary has no restart subcommand; use systemctl as in the post-install steps):
sudo systemctl restart salt-master.service

Testing GitLab Integration

Run the following command to verify that the files in your GitLab repository show up in the master's fileserver listing:
sudo salt-run fileserver.file_list

Installing the Salt-Minion

Each computer or server you want to have managed by your Salt-Master needs to have the Salt-Minion client installed.

By default, the salt-minion looks for the salt-master at the DNS name salt.

Easy Minion Install Summary

This part is a quick summary, so you can skip the following four sections and just do these five steps:

  1. Install Fedora Workstation from Net Install ISO.
    1. Fully update (if needed)
      dnf upgrade --refresh
  2. Run the “Linux_Minion_Setup.sh” script, which does the following:
    #!/bin/bash
    # sudo applies to echo only, not to the >> redirect, so tee is used to append to /etc/hosts
    echo '172.19.23.41 salt' | sudo tee -a /etc/hosts
    sudo dnf install salt-minion -y
    sudo systemctl enable salt-minion.service
    sudo systemctl start salt-minion.service
  3. On the Salt-Master, add the new Salt-Minion’s key:
    sudo salt-key -L
    sudo salt-key -A
  4. On GitLab.com, add the new Salt-Minion and desired states to the top.sls file:
    base:
      'fwtest':
        - virtworkstation
  5. Run a HighState: (assuming you already have states set up, this will be in Part 2)
    sudo salt 'fwtest' state.apply

Installing on Fedora

  1. First, add the SALT DNS entry:
    1. Create a DNS record on your network called salt that points to your Salt-Master; or
    2. Add salt to your hosts file:
      echo '172.19.23.41 salt' >> /etc/hosts
  2. Install the Salt-Minion:
    dnf install salt-minion

Post-Install Tasks for Salt-Minion

  1. Start the Minion service automatically at boot time:
    systemctl enable salt-minion.service
  2. Start the Minion:
    systemctl start salt-minion.service

Installing on Windows

The easiest way to install the Salt Minion on Windows is via Chocolatey.  You may specify your Salt Master during installation of the Salt minion.

  1. Create an entry in your hosts file: C:\Windows\System32\drivers\etc\hosts
    ip.ad.dr.ess salt

    1. Or, specify when installing with the following switch:
      choco install saltminion /master=salt.yourdomain.com /y
  2. In a command prompt (cmd.exe), enter one of the following to install Salt minion:
    choco install saltminion /y
    choco upgrade saltminion /y (to upgrade)

    1. If Chocolatey is not installed, you may install it by entering the following in cmd.exe:
      @"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

Adding a Minion to the Master

Before your Master can command Minions, their keys must first be accepted on the Master.

On your Salt-Master server, run the following command to check if your Master is yet aware of any Minions:
sudo salt-key -L

You will now see a list of Minions and their acceptance status.

To accept ALL pending keys, use the following command:
sudo salt-key -A

To accept individual keys, use the following:
sudo salt-key -a keyname
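Accepting every pending key with salt-key -A also accepts any host that happens to have reached port 4506 with the minion id you expected. The following is an added example (not code from the original post or from SaltStack) that accepts a key only when the fingerprint shown by salt-key -f on the master matches the one printed by salt-call --local key.finger on the minion; the two output layouts it parses are an assumption about the Salt versions this post targets:

```shell
#!/bin/sh
# Added example (not from the original post): accept a pending minion key only
# after its fingerprint matches the one read on the minion itself, rather than
# accepting every pending key with `salt-key -A`.
#   on the minion:  sudo salt-call --local key.finger
#   on the master:  sudo salt-key -f <minion-id>
# Assumed output layouts (an assumption about the Salt versions the post uses):
#   salt-key -f fwtest            ->  "Unaccepted Keys:" then "fwtest:  aa:bb:..."
#   salt-call --local key.finger  ->  "local:" then "    aa:bb:..."

# Fingerprint for minion $1, read from `salt-key -f $1` output on stdin.
fingerprint_from_keyf() {
  awk -v id="$1:" '$1 == id { print $2; exit }'
}

# Fingerprint read from `salt-call --local key.finger` output on stdin.
fingerprint_from_finger() {
  awk '$1 == "local:" { getline; print $1; exit }'
}

# 0 when both fingerprints are non-empty and equal (hex case ignored), else 1.
fingerprints_match() {
  a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Accept minion $1 only if the fingerprint $2 (copied from the minion's
# key.finger output) matches what the master sees for the pending key.
# Needs a real salt-key on the master; not exercised by the offline checks.
accept_verified_minion() {
  seen=$(salt-key -f "$1" | fingerprint_from_keyf "$1")
  if fingerprints_match "$seen" "$2"; then
    salt-key -a "$1" -y          # -y answers the confirmation prompt
  else
    echo "refusing $1: master sees '$seen', minion reported '$2'" >&2
    return 1
  fi
}
# Usage on the master: accept_verified_minion fwtest aa:bb:cc:...
```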

Testing / Verifying Communication

Communication between the Master and a Minion may be verified by running the test.ping command:
sudo salt '*' test.ping

sudo salt minionName test.ping

Stay tuned for PART 2 – SaltStack: Managing the Salt Master and Minions.

