In this article by Colton Myers, author of the book Learning SaltStack, we will learn the basic architecture of a Salt deployment.
The two main pieces of Salt are the Salt Master and the Salt Minion. The master is the central hub. All minions connect to the master to receive instructions. From the master, you can run commands and apply configuration across hundreds or thousands of minions in seconds.
The minion, as mentioned before, connects to the master and treats the master as the source of all truth. Although minions can exist without a master, the full power of Salt is realized when you have minions and the master working together.
Salt is built on two major concepts: remote execution and configuration management. In the remote execution system, Salt leverages Python to accomplish complex tasks with single-function calls. The configuration management system in Salt, called States, builds upon the remote execution foundation to create repeatable, enforceable configuration for the minions.
With this bird’s-eye view in mind, let’s get Salt installed so that we can start learning how to use it to make managing our infrastructure easier!
(For more resources related to this topic, see here.)
The dependencies for running Salt at the time of writing are as follows:
The easiest way to ensure that the dependencies for Salt are met is to use system-specific package management systems, such as apt on Ubuntu systems, that will handle the dependency-resolution automatically. You can also use a script called Salt-Bootstrap to handle all of the system-specific commands for you. Salt-Bootstrap is an open source project with the goal of creating a Bourne shell-compatible script that will install Salt on any compatible server. The project is managed and hosted by the SaltStack team. You can find more information at https://github.com/saltstack/salt-bootstrap.
We will explore each of these methods of installation in turn.
The latest release of Salt for Ubuntu is provided in Personal Package Archive (PPA), which is a type of package repository for Ubuntu. The easiest way to access the PPA to install Salt is using the add-apt-repository command, as follows:
# sudo add-apt-repository ppa:saltstack/salt
If the add-apt-repository command is not found, you can add it by installing the python-software-properties package:
sudo apt-get install python-software-propertiesIf you are using Ubuntu Version 12.10 or greater, this step should not be required as the add-apt-repository command should be included in the base system.
After you have added the repository, you must update the package management database, as follows:
# sudo apt-get update
If the system asks whether you should accept a gpg key, press Enter to accept.
You should then be able to install the Salt master and the Salt minion with the following command:
# sudo apt-get install salt-master salt-minion
Assuming there are no errors after running this command, you should be done! Salt is now installed on your machine.
Note that we installed both the Salt master and the Salt minion. The term master refers to the central server—the server from which we will be controlling all of our other servers. The term minion refers to the servers connected to and controlled by a master.
Information about manual installation on other major Linux distributions can be found online, at http://docs.saltstack.com. However, in most cases, it is easier and more straightforward to use tool called Salt-Bootstrap. In-depth documentation can be found on the project page at https://github.com/saltstack/salt-bootstrap—however, the tool is actually quite easy to use, as follows:
# curl -L https://bootstrap.saltstack.com -o install_salt.sh # sudo sh install_salt.sh –h
We won’t include the help text for Bootstrap here as it would take up too much space. However, it should be noted that, by default, Bootstrap will install only the Salt minion. We want both the Salt minion and the Salt master, which can be accomplished by passing in the -M flag, as follows:
# sudo sh install_salt.sh -M
The preceding command will result in a fully-functional installation of Salt on your machine! The supported operating system list is extensive, as follows:
The version of Salt used for the examples in this book is the 2014.7 release. Here is the full version information:
# sudo salt --versions-report Salt: 2014.7.0 Python: 2.7.6 Jinja2: 2.7.2 M2Crypto: 0.21.1 msgpack-python: 0.3.0 msgpack-pure: Not Installed pycrypto: 2.6.1 libnacl: Not Installed PyYAML: 3.10 ioflo: Not Installed PyZMQ: 14.0.1 RAET: Not Installed ZMQ: 4.0.4 Mako: 0.9.1It’s probable that the version of Salt you installed is a newer release and might have slightly different output. However, the examples should still all work in the latest version of Salt.
Now that we have the master and the minion installed on our machine, we must do a couple of pieces of configuration in order to allow them to talk to each other.
Since Salt minions connect to masters, the only firewall configuration that must be done is on the master. By default, ports 4505 and 4506 must be able to accept incoming connections on the master. The default install of Ubuntu 14.04, used for these examples, actually requires no firewall configuration out-of-the-box to be able to run Salt; the ports required are already open. However, many distributions of Linux come with much more restrictive default firewall settings. The most common firewall software in use by default is iptables.
Note that you might also have to change firewall settings on your network hardware if there is network filtering in place outside the software on the machine on which you’re working.
Firewall configuration is a topic that deserves its own book. However, our needs for the configuration of Salt are fairly simple. First, you must find the set of rules currently in effect for your system. This varies from system to system; for example, the file is located in /etc/sysconfig/iptables on RedHat distributions, while it is located in /etc/iptables/iptables.rules in Arch Linux.
Once you find that file, add the following lines to that file, but be sure to do it above the line that says DROP:
-A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT
For more information about configuring on your operating system of choice so that your Salt minion can connect successfully to your Salt master, see the Salt documentation at http://docs.saltstack.com/en/latest/topics/tutorials/firewall.html.
In version 2014.7.0, a new experimental transport option was introduced in Salt, called RAET. The use of this transport system is beyond the scope of this book. This book will deal exclusively with the default, ZeroMQ-based transport in Salt.
Out of the box, the Salt minion is configured to connect to a master at the location salt. The reason for this default is that, if DNS is configured correctly such that salt resolves to the master’s IP address, no further configuration is needed. The minion will connect successfully to the master.
However, in our example, we do not have any DNS configuration in place, so we must configure this ourselves.
The minion and master configuration files are located in the /etc/salt/ directory.
The /etc/salt/ directory should be created as part of the installation of Salt, assuming you followed the preceding directions. If it does not exist for some reason, please create the directory, and create two files, minion and master, within the directory.
Open /etc/salt/minion with your text editor of choice (remember to use sudo!). We will be making a couple of changes to this file.
First, find the commented-out line for the configuration option master. It should look like this:
#master: salt
Uncomment that line and change salt to localhost (as we have this minion connected to the local master). It should look like this:
master: localhost
If you cannot find the appropriate line in the file, just add the line shown previously to the top of the file.
You should also manually configure the minion ID so that you can more easily follow along with the examples in this text. Find the ID line:
#id:
Uncomment it and set it to myminion:
id: myminion
Again, if you cannot find the appropriate line in the file, just add the line shown previously to the top of the file.
Save and close the file.
Without a manually-specified minion ID, the minion will try to intelligently guess what its minion ID should be at startup. For most systems, this will mean the minion ID will be set to the Fully-Qualified Domain Name (FQDN) for the system.
Now we need to start (or restart) our Salt master and Salt minion. Assuming you’re following along on Ubuntu (which I recommend), you can use the following commands:
# sudo service salt-minion restart # sudo service salt-master restart
Packages in other supported distributions ship with init scripts for Salt. Use whichever service system is available to you to start or restart the Salt minion and Salt master.
There is one last step remaining before we can run our first Salt commands. We must tell the master that it can trust the minion. To help us with this, Salt comes with the salt-key command to help us manage minion keys:
# sudo salt-key Accepted Keys: Unaccepted Keys: myminion Rejected Keys:
Notice that our minion, myminion, is listed in the Unaccepted Keys section. This means that the minion has contacted the master and the master has cached that minion’s public key, and is waiting for further instructions as to whether to accept the minion or not.
If your minion is not showing up in the output of salt-key, it’s possible that the minion cannot reach the master on ports 4505 and 4506. Please refer to the Firewall section described previously for more information.
Troubleshooting information can also be found in the Salt documentation at http://docs.saltstack.com/en/latest/topics/troubleshooting/.
We can inspect the key’s fingerprint to ensure that it matches our minion’s key, as follows:
# sudo salt-key -f myminion Unaccepted Keys: myminion: a8:1f:b0:c2:ab:9d:27:13:60:c9:81:b1:11:a3:68:e1
We can use the salt-call command to run a command on the minion to obtain the minion’s key, as follows:
# sudo salt-call --local key.finger local: a8:1f:b0:c2:ab:9d:27:13:60:c9:81:b1:11:a3:68:e1
Since the fingerprints match, we can accept the key on the master, as follows:
# sudo salt-key -a myminion The following keys are going to be accepted: Unaccepted Keys: myminion Proceed? [n/Y] Y Key for minion myminion accepted.
We can check that the minion key was accepted, as follows:
# sudo salt-key Accepted Keys: myminion Unaccepted Keys: Rejected Keys:
Success! We are ready to run our first Salt command!
We’ve covered a lot of ground in this article. We’ve installed the Salt minion and Salt master on our machines and configured them to talk to each other, including accepting the minion’s key on the master.
Further resources on this subject:
I remember deciding to pursue my first IT certification, the CompTIA A+. I had signed…
Key takeaways The transformer architecture has proved to be revolutionary in outperforming the classical RNN…
Once we learn how to deploy an Ubuntu server, how to manage users, and how…
Key-takeaways: Clean code isn’t just a nice thing to have or a luxury in software projects; it's a necessity. If we…
While developing a web application, or setting dynamic pages and meta tags we need to deal with…
Software architecture is one of the most discussed topics in the software industry today, and…