how to install and configure salt master on ubuntu
TRANSCRIPT
How To Install and Configure Salt Master on Ubuntu
i | P a g e
Contents
Overview ....................................................................................................................................................... 1
Applies To ...................................................................................................................................................... 2
Pre-requisites ................................................................................................................................................ 2
Install Salt ...................................................................................................................................................... 2
What is PPA? ............................................................................................................................................. 2
Install PPA Salt Repository ........................................................................................................................ 2
Package Install – Resync Package & Dependencies .............................................................................. 3
Salt Master – Install Package .................................................................................................................... 3
Salt Master – View Package ..................................................................................................................... 4
Salt Master Configuration ............................................................................................................................. 4
Create Salt Directories .............................................................................................................................. 5
Salt Directories – File Roots .................................................................................................................. 5
Salt Directories – Pillar Roots ................................................................................................................ 6
Configure Firewall – UFW Rules ................................................................................................................ 6
View Firewall Rules – Salt Rules ............................................................................................................ 7
View Firewall Rules – Current ............................................................................................................... 7
Activate Firewall Rule - Salt................................................................................................................... 8
Configure Minion .......................................................................................................................................... 8
Service Management – Salt .......................................................................................................................... 9
Service Start – salt-master & salt-minion ............................................................................................. 9
Service Stop – salt-master & salt-minion .............................................................................................. 9
Service Status – salt-master & salt-minion ........................................................................................... 9
Salt Key Management – Key Identity ........................................................................................................ 9
Salt-Key Management – Key Identity - Status Table ........................................................................... 10
Salt-Key Management – Key Identity - Commands Table ................................................................... 10
Key Management .................................................................................................................................... 11
Key Management - Listing Keys .......................................................................................................... 11
Salt Key Management – Key Fingerprint – Master ............................................................................. 11
Salt Key Management – Key Fingerprint – Minion ............................................................................. 11
How To Install and Configure Salt Master on Ubuntu
ii | P a g e
Salt Key Management – Accept Key ................................................................................................... 12
Salt Key Management – Verify Accept Key ......................................................................................... 12
Test Minion ............................................................................................................................................. 13
Salt Master – Test.Ping ....................................................................................................................... 13
Salt Master – Cmd.Run ....................................................................................................................... 13
Salt Master – Cmd.Run – Filtered Output ........................................................................................... 13
How To Install and Configure Salt Master on Ubuntu
1 | P a g e
Overview
Salt a configuration management system, capable of maintaining remote nodes in defined states (for
example, ensuring that specific packages are installed and specific services are running).
It’s a distributed remote execution system used to execute commands and query data on remote nodes,
either individually or by arbitrary selection criteria.
One of the major advantages of implementing “Salt” in managing your existing infrastructure are;
Features Description
Simplicity Salt is very simple to set up and maintain, regardless of the size of the project.
The architecture of Salt is designed to work with any number of servers, from a handful of local network systems to international deployments across different data centers.
Parallel Execution Enable commands to remote systems to be called in parallel rather than serially.
Use a secure and encrypted protocol.
Use the smallest and fastest network payloads possible.
Provide a simple programming interface.
Fast, Flexible and scalable System that can execute commands at high speed on target server groups ranging from one to very many servers.
Salt is very fast, easy to set up.
Single remote execution architecture that can manage the diverse requirements of any number of servers.
Built on Proven Technology Salt takes advantage of a number of technologies and techniques. The networking layer is built with the excellent ZeroMQ networking library;
so the Salt daemon includes a viable and transparent AMQ broker.
Salt uses public keys for authentication with the master daemon, then uses faster AES encryption for payload communication;
Authentication and encryption are integral to Salt. Salt takes advantage of communication via msgpack, enabling fast and light network traffic.
Python client Interface Salt execution routines can be written as plain Python modules.
The data collected from Salt executions can be sent back to the master server, or to any arbitrary program.
Open Source Salt is developed under the Apache 2.0 license, and can be used for open and proprietary projects.
How To Install and Configure Salt Master on Ubuntu
2 | P a g e
Applies To
Ubuntu 14.x, tested on Ubuntu 14.04.2 LTS
Pre-requisites
Python 2.7.6 or above
Preferably, configuring salt master server hostname as “salt” is good
System Update (Resynchronize Repository – Packages & dependencies)
Install Salt
To install salt packages, saltstack personal package archives (PPA) repository has to be added. In this
section we will install PPA, install saltstack packages.
What is PPA?
Personal Package Archives , allow you to upload Ubuntu source packages to be built and published as an
apt repository by Launchpad. PPAs are for non-standard software/updates.
Install PPA Salt Repository
To install saltstack bundle, saltstack repository has to be added to the system; to add “SaltStack PPA” run
the command;
dpkg-query -W --showformat='${Package}\t ${Status}\n' salt-*
Since saltstack related packages are not installed, we will go ahead and add PPA saltstack repository, to
add new repository, run the command;
sudo add-apt-repository ppa:saltstack/salt
How To Install and Configure Salt Master on Ubuntu
3 | P a g e
Package Install – Resync Package & Dependencies
After adding saltstack repository, overall update (resynchronization) from different repository for latest
packages and dependencies with newer versions is fetched and listed for update.
List of available packages is fetched from “/etc/apt/sources.list” file, to update run the command;
sudo apt-get update
Note: To upgrade the package(s) “apt-get upgrade <Package Name>” has to be executed.
Salt Master – Install Package
After confirming the pre-requisites are met, PPA is installed and system package update is done, next step
is to install salt master and related packages.
sudo apt-get install salt-master salt-minion salt-cloud salt-doc
How To Install and Configure Salt Master on Ubuntu
4 | P a g e
Salt Master – View Package
Once the installation of the salt-master is done, you can verify the installation status manually, by running
the either of the below command(s);
dpkg-query -l salt* or
dpkg-query -W --showformat='${Package}\t ${Status}\n' salt-*
Salt Master Configuration
After installing salt-master package on the server, there are few configurations steps have to be done so
that salt master can work efficiently.
When we start configuring saltstack, salt configuration directories have to be created, these directories
contain configuration management instructions; different configuration sections are listed below;
1) Salt Directories
a) File Roots
b) Pillar Roots
2) Configure Firewall
3) Configure Minion
4) Key Management
5) Test Minion
How To Install and Configure Salt Master on Ubuntu
5 | P a g e
Create Salt Directories
In this section we will create basic directories that are needed for salt, create directories for file server &
pillar; to create directories run the command; if the directories already exists, ignore command execution;
sudo mkdir -p /srv/{salt,pillar}
Salt Directories – File Roots
The Salt file server defaults to the mandatory base environment. This environment MUST be defined and
is used to download files when no environment is specified.
Environments allow for files and sls data to be logically separated, but environments are not isolated from
each other. This allows for logical isolation of environments by the engineer using Salt, but also allows for
information to be used in multiple environments.
This file server is built into the master daemon and does not require a dedicated port.
By default this configuration entry is disabled, to enable uncomment the entries as below;
file_roots:
base:
- /srv/salt
How To Install and Configure Salt Master on Ubuntu
6 | P a g e
Note: This attribute specifies the locations where the salt master has to look for configuration
management instructions.
Salt Directories – Pillar Roots
Pillars are tree-like structures of data defined on the Salt Master and passed through to minions. They
allow confidential, targeted data to be securely sent only to the relevant minion.
By default this configuration entry is disabled, to enable uncomment the entries as below;
pillar_roots:
base:
- /srv/pillar
Configure Firewall – UFW Rules
When salt is installed, salt installs firewall rules its read when the firewall is enabled, upon enabling
firewall will read salt firewall rules from the salt configuration file, stored in the folder;
ls -l /etc/ufw/applications.d/
How To Install and Configure Salt Master on Ubuntu
7 | P a g e
View Firewall Rules – Salt Rules
By default all application related firewall rules are stored in the directory “/etc/ufw/applications.d/”,
each application is configured as the need similarly, salt firewall rules file “salt.ufw” is created in the
directory, To view the rules that would be configured by salt when activated, run the command;
cat /etc/ufw/applications.d/salt.ufw
View Firewall Rules – Current
Before we configure the firewall rules, check current firewall rules configured on the server, run the
command; you need to switch to super user to check the firewall rules.
ufw status
How To Install and Configure Salt Master on Ubuntu
8 | P a g e
Activate Firewall Rule - Salt
If the firewall is enabled, activation of salt service rule(s) is necessary, to activate the firewall rule; run the
command;
ufw allow salt
Configure Minion
We will configure only master attribute which is required for the minion to connect & communicate.
In this demonstration, the minion should connect to the master process that is running on the same
machine as master. (both master and minion are deployed on same server)
Set the master key as local loopback address i.e., “127.0.0.1” in order for the minion to correctly connect.
vi /etc/salt/minion
master: 127.0.0.1
How To Install and Configure Salt Master on Ubuntu
9 | P a g e
Service Management – Salt
After configuring salt-minion, salt-master and salt-minion service have to started, this can be done with
service manager (system manager utility).
Service Start – salt-master & salt-minion
To start the salt-master service & salt-minion service, run the command;
sudo service salt-master start
sudo service salt-minion start
Service Stop – salt-master & salt-minion
To stop the salt-master service & salt-minion service, run the command;
sudo service salt-master stop
Service Status – salt-master & salt-minion
To check the service current status of salt-master service & salt-minion service, run the command;
sudo service salt-master status
Salt Key Management – Key Identity
Salt provides commands to validate the identity of your Salt master and Salt minions before the initial key
exchange.
Validating key identity helps avoid inadvertently connecting to the wrong Salt master, and helps prevent
a potential MiTM (man-in-the-middle) attack when establishing the initial connection.
How To Install and Configure Salt Master on Ubuntu
10 | P a g e
Salt-Key Management – Key Identity - Status Table
Salt-key executes simple management of Salt server public keys used for authentication.
Initially when the connection has to be established between Salt server and Salt Minion, a public key is
generated and sent to salt master. Generated key has to be accepted by Salt-Master. Following table will
give insight into the different states of keys and its purpose.
Minion Key Status Purpose
Unaccepted Keys Key is waiting to be accepted by the salt-master
Denied Keys Key was rejected using salt-key command; these minions can’t communicate with salt-master
Accepted Keys Key has been accepted and minion can communicate with salt-master
Rejected Keys Key has been rejected by salt-master automatically, this state occurs when there is a duplicate Minion ID, minion was rebuilt or when minion has created a new key without deleting old minion key.
Salt-Key Management – Key Identity - Commands Table
Basic key management commands are listed below;
Salt-key Command Minion Key States
salt-key -L List all Keys
Salt-key -F Print all keys fingerprints
salt-key -a Accept Key
salt-key -l <Argument> List keys based on argument(all, accepted, rejected, denied and rejected)
salt-key -d <Argument> Delete key
How To Install and Configure Salt Master on Ubuntu
11 | P a g e
Key Management
Key management of salt-master and salt-minion is one of the most important tasks, which enables
authentication & communication between master/minion(s).
Key Management - Listing Keys
After starting salt-master & salt-minion, salt-minion will automatically generate key, this key has to be
accepted for authentication and communication between salt-master and salt-minion, when salt-minion
is started a key will be sent to salt-master; to list all the keys run the command;
salt-key --list all
Salt Key Management – Key Fingerprint – Master
After listing the keys, to accept the key that is generated, run the command; keys generate on minion and
listed on master should match, to know the key of a minion run the command;
salt-key -f salt
Salt Key Management – Key Fingerprint – Minion
After starting the salt-minion, a key is generated automatically, to know the key of local minion key run
the command;
salt-call key.finger --local
How To Install and Configure Salt Master on Ubuntu
12 | P a g e
Salt Key Management – Accept Key
After validating the key on salt-master and salt-minion, go ahead and accept the key on the salt-master,
to accept the key run the command;
salt-key -a salt
Salt Key Management – Verify Accept Key
After accepting the key on salt-master, to validate if the key is accepted run the command;
salt-key -f salt
How To Install and Configure Salt Master on Ubuntu
13 | P a g e
Test Minion
Once the key is accepted, we can do a test minion’s. In this section we will test few commands such as
(test.ping and cmd.run).
Salt Master – Test.Ping
We will run a first minion command, this command will communicate from salt-master and retrieve
current status all the minions “test.ping” all servers and show the results.
If the minion is communicating command will return “True” else it will return “False”
Note: It’s is not an ICMP ping command.
salt '*' test.ping
Salt Master – Cmd.Run
To run a command on the server, that is passed as an argument.
salt '*' cmd.run 'free -m'
Salt Master – Cmd.Run – Filtered Output
To run a command on the server, that is passed as an argument with a filtered output.
salt '*' cmd.run 'df -kh | grep -E "mapper|\root"'