SaltStack – is a python-based open source management software. This is such as puppet and ansible. Saltstack as puppet, needs agent software. Client nodes naming as minions.
In SaltStack application, have master server and minions(client nodes).
We have 5 servers as following:
saltmaster.unixmen.com – Ubuntu 14.04 x64 Master server
node1salt.unixmen.com – Ubuntu 14.04 x64 node1
node2salt.unixmen.com – CentOS6.7 x64 node2
node3salt.unixmen.com – CentOS6.7 x64 node3
node4salt.unixmen.com – FreeBSD 10.1 x64 node4
Network topology will be as flowing:
The name of SaltMaster server as saltmaster.unixmen.com and firstly we will install and configure this server.
Update repositories and packages in saltmaster server:
root@saltmaster:~# apt-get update
root@saltmaster:~# apt-get dist-upgrade
Install all packages from sudo username::
jamal@saltmaster:~$ sudo add-apt-repository ppa:saltstack/salt
Indexing new packages and install packages needs for saltmaster (salt-master package for master server, salt-ssh and salt-cloud packages for resource control and for documentations we will install salt-doc package):
jamal@saltmaster:~$ sudo apt-get update
jamal@saltmaster:~$ sudo apt-get install salt-master salt-ssh salt-cloud salt-doc
Firstly we create configuration control folder structure. By default everything is placed there in the /srv folder. For start the work we needs /srv/salt and /srv/pillar folders. Create this folders with the following command:
jamal@saltmaster:~$ sudo mkdir -p /srv/{salt,pillar}
Configure master file. We must define fire_roots dictionary. This is sets salt master configuration control instructions path. base define default environment. We will use folders created before, for this purpose. We use administrator instructions from /srv/salt folder and /srv/formulas folder for configurations downloaded from external sources.
jamal@saltmaster:~$ sudo nano /etc/salt/master
file_roots:
base:
– /srv/salt/
– /srv/formulas
Note: Write with correct format is important because, Salt accept configurations with YAML style. For that, if before of lines will not be empty spaces, daemon will not start.
Then we define root folder for Salt pillar configuration. This is similar to configuration before. In the /etc/salt/master file we defines the following lines:
jamal@saltmaster:~$ sudo vi /etc/salt/master
pillar_roots:
base:
– /srv/pillar
Before all we copy public key from our saltmaster.unixmen.com server. We need this key(Selected bold fingerprint will be used in all minions) in minion configurations:
jamal@saltmaster:~$ sudo salt-key -F master
[sudo] password for jamal:
Local Keys:
master.pem: 01:f5:a2:55:01:97:36:4e:14:a7:5a:7b:b6:30:10:c1
master.pub: de:a8:00:e1:2b:5a:86:0e:3a:32:3a:b1:74:e1:cb:52
We finished salt master configurations.
Start the Salt Minion configurations
We will do all step by step. This means we will start install minions from node1salt.unixmen.com to node4salt.unixmen.com servers and then configure.
Install minion to node1salt.unixmen.com server(Ubuntu):
jamal@node1salt:~$ sudo apt-get update
jamal@node1salt:~$ sudo apt-get dist-upgrade
jamal@node1salt:~$ sudo add-apt-repository ppa:saltstack/salt
jamal@node1salt:~$ sudo apt-get update
jamal@node1salt:~$ sudo apt-get install salt-minion -y
jamal@node1salt:~$ sudo service salt-minion restart
Install minion to node2salt.unixmen.com and node3salt.unixmen.com servers(CentOS):
Install EPEL repositories.
[root@node2salt ~]# yum -y install wget
[root@node3salt ~]# yum -y install wget
[root@node2salt ~]# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@node3salt ~]# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@node2salt ~]# rpm -ivh epel-release-latest-7.noarch.rpm
[root@node2salt ~]# rpm -ivh epel-release-latest-7.noarch.rpm
Disable Firewall and SeLinux for each nodes:
[root@node2salt ~]# systemctl disable firewalld
[root@node3salt ~]# systemctl disable firewalld
Change the following line in the /etc/selinux/config file for each of centos nodes:
SELINUX=disabled
Import salt repository key for each of centos nodes:
[root@node2salt ~]# rpm –import https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@node3salt ~]# rpm –import https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
Create the /etc/yum.repos.d/saltstack.repo file and add the following lines to the each of centos(node2salt and node3salt) nodes:
[saltstack-repo]
name=SaltStack repo for RHEL/CentOS $releasever
baseurl=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest
enabled=1
gpgcheck=1
gpgkey=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/$releaseverSALTSTACK-GPG-KEY.pub
Install salt-minion package for each of centos nodes:
[root@node2salt ~]# yum clean expire-cache
[root@node3salt ~]# yum clean expire-cache
[root@node2salt ~]# yum install salt-minion -y
[root@node3salt ~]# yum install salt-minion -y
Add minion daemon to StartUP for each of centos nodes:
[root@node2salt ~]# service salt-minion start
[root@node2salt ~]# chkconfig salt-minion on
[root@node3salt ~]# service salt-minion start
[root@node3salt ~]# chkconfig salt-minion on
Install minion to node4salt.unixmen.com server(FreeBSD):
root@node4salt:~ # portsnap fetch extract update
root@node4salt:~ # pkg update
root@node4salt:~ # pkg upgrade
root@node4salt:~ # pkg install py27-salt
If you will not find salt from system repositories you can add the following lines to the /usr/local/etc/pkg/repos/saltstack.conf file and install minion:
saltstack: {
url: “https://repo.saltstack.com/freebsd/${ABI}/”,
mirror_type: “http”,
enabled: yes
priority: 10
}
After installation copy minion comfiguration from the sample file.
root@node4salt:~ # cp /usr/local/etc/salt/minion.sample /usr/local/etc/salt/minion
Add minion to StartUP and start:
root@node4salt:~ # sysrc salt_minion_enable=”YES”
salt_minion_enable: -> YES
root@node4salt:~ # service salt_minion start
Depends of operation system, for all Linux and FreeBSD servers we defines master server path and fingerprint in the corresponding /etc/salt/minion and /usr/local/etc/salt/minion files.
master: saltmaster.unixmen.com
master_finger: ‘de:a8:00:e1:2b:5a:86:0e:3a:32:3a:b1:74:e1:cb:52’
After that we restart minion daemon for all servers:
jamal@saltmaster:~$ sudo restart salt-master
jamal@node1salt:~$ sudo service salt-minion restart
[root@node2salt ~]# service salt-minion restart
[root@node3salt ~]# service salt-minion restart
root@node4salt:~ # service salt_minion restart
We already sent keys from all minions to saltmaster server but, master server is not accept this keys.
We can see salt minion key from minion servers as foloowing:
jamal@node1salt:~$ sudo salt-call key.finger –local
local:
a2:32:9d:78:ab:ef:4e:1b:80:31:ae:a0:2b:a0:d5:85
[root@node2salt ~]# sudo salt-call key.finger –local
local:
31:38:72:7f:22:6c:08:83:db:48:e1:35:4e:c4:7a:de
[root@node3salt ~]# sudo salt-call key.finger –local
local:
28:a7:27:ea:79:0e:65:9a:32:f7:bb:26:60:36:ff:58
root@node4salt:~ # salt-call key.finger –local
local:
df:0d:01:7d:73:d1:3d:93:af:80:4b:8d:be:4b:2b:32
Note: If you want to see approved keys from saltmaster.unixmen.com server use the following command.
jamal@saltmaster:~$ sudo salt-key -f node1salt.unixmen.com
Accepted Keys:
node1salt.unixmen.com: a2:32:9d:78:ab:ef:4e:1b:80:31:ae:a0:2b:a0:d5:85
To see the list of unaccepted keys in the saltmaster.unixmen.com server use the following command(The lines below Unaccepted Keys keys is the minion servers and we must approve this servers):
jamal@saltmaster:~$ sudo salt-key –list all
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node1salt.unixmen.com
node2salt.unixmen.com
node3salt.unixmen.com
node4salt.opeensource.az
Rejected Keys:
Accept all node’s in saltmaster.unixmen.com master server:
jamal@saltmaster:~$ sudo salt-key -a node1salt.unixmen.com
The following keys are going to be accepted:
Unaccepted Keys:
node1salt.unixmen.com
Proceed? [n/Y] Y
Key for minion node1salt.unixmen.com accepted.
jamal@saltmaster:~$ sudo salt-key -a node2salt.unixmen.com
The following keys are going to be accepted:
Unaccepted Keys:
node2salt.unixmen.com
Proceed? [n/Y] Y
Key for minion node2salt.unixmen.com accepted.
jamal@saltmaster:~$ sudo salt-key -a node3salt.unixmen.com
The following keys are going to be accepted:
Unaccepted Keys:
node3salt.unixmen.com
Proceed? [n/Y] Y
Key for minion node3salt.unixmen.com accepted.
jamal@saltmaster:~$ sudo salt-key -a node4salt.opeensource.az
The following keys are going to be accepted:
Unaccepted Keys:
node4salt.opeensource.az
Proceed? [n/Y] Y
Key for minion node4salt.opeensource.az accepted.
For test purpose send ping packets to all minion nodes:
jamal@saltmaster:~$ sudo salt ‘*’ test.ping
node1salt.unixmen.com:
True
node2salt.unixmen.com:
True
node3salt.unixmen.com:
True
node4salt.opeensource.az:
True
Note: If we want accept all minions with one command use salt-key -A
For examples you can read SaltStack examples article.