Master SaltStack: From Basics to Advanced Automation for Operations
This comprehensive guide walks you through SaltStack fundamentals, installation, master‑minion configuration, communication modes, key management, state files, highstate, Grains and Pillar data, targeting methods, and practical examples such as file management, package installation, cron jobs, and LAMP deployment, providing a solid foundation for modern automated operations.
SaltStack Automation Operations Introduction
1. SaltStack Overview
SaltStack is a client‑server automation system where the server is called Master and the client is called Minion . It uses a ZeroMQ publish/subscribe message queue for communication. The Master and Minion run as daemons and listen on ports 4505 (publish) and 4506 (request).
1.1 Simple Introduction
SaltStack follows a C/S architecture. Minions automatically connect to the Master’s address and port, authenticate using RSA keys, and encrypt traffic with AES.
1.2 Communication Modes
Salt uses a publish‑subscribe model. The Minion initiates the connection, so no inbound ports need to be opened on the managed systems, reducing attack surface. The Master uses port 4505 for publishing messages and port 4506 for receiving Minion requests.
1.3 Minion Authentication
When a Minion starts for the first time, it searches for a Salt system, performs a handshake, and sends its public key to the Master. The Master must accept the key with salt-key before the Minion can execute commands. After acceptance, the Master sends an encrypted AES key to the Minion.
2. SaltStack Installation
1. Download YUM repository
wget -P /etc/yum.repos.d https://mirrors.aliyun.com/saltstack/yum/redhat/7.6/x86_64/saltstack-rhel7.repo2. Install Master yum -y install salt-master 3. Install Minion
yum -y install salt-minion3. SaltStack Configuration
Set the hostname and edit /etc/hosts as needed.
Master Configuration
# /etc/salt/master
master: 10.0.100.132
user: root
interface: 0.0.0.0
file_roots:
base:
- /srv/salt
pillar_roots:
base:
- /srv/pillarStart the Master:
systemctl start salt-masterMinion Configuration
# /etc/salt/minion
master: 10.0.100.132
user: root
id: agent1Start the Minion:
service salt-minion startKey Management
# List all keys
sudo salt-key --list-all
# Accept a specific key
salt-key --accept=<key>
# Accept all pending keys
salt-key --accept-all
# Delete a specific key
salt-key -d <key>
# Delete all keys
salt-key -D4. Basic Remote Execution
# Ping all minions
salt '*' test.ping
# Run a command on a specific minion
salt 'agent1' cmd.run 'df -h'
# Run a command on multiple minions
salt -L 'agent2,agent3' cmd.run 'uptime'
# Run a command on a subnet
salt -S '192.168.122.0/24' cmd.run 'uptime'5. Configuration Management Practice
5.1 File Management
# Create directories for Salt files
mkdir -p /srv/{salt,pillar}
# Example state file: host_file.sls
/etc/hosts:
file.managed:
- source: salt://files/hosts
- user: root
- group: root
- mode: 644Apply the state:
salt '*' state.sls host_file5.2 Copy Files
salt-cp '*' /etc/hosts /root5.3 Install Nginx
nginx-install:
pkg.installed:
- names:
- nginx
/etc/hosts:
file.managed:
- source: salt://files/hosts
- user: root
- group: root
- mode: 644
- require:
- pkg: nginx-install
service.running:
- names:
- nginx5.4 Install Apache
apache-service:
pkg.installed:
- names:
- httpd
- mod_ssl
service.running:
- name: httpd
- enable: True5.5 Cron Jobs
/usr/sbin/ntpdate time.aliyun.com >> /dev/null:
cron.present:
- user: root
- minute: '*/5'6. State vs. Highstate
state.sls runs a specific SLS file in the default base environment without reading top.sls.
state.highstate applies all states defined in top.sls across all environments.
7. Grains (Client‑Side Data)
Grains collect system information on the Minion, such as OS family, release, IP addresses, etc.
# List all grain items
salt '*' grains.ls
# Show all grain values
salt '*' grains.items
# Query a specific grain
salt '*' grains.item os_family
# Use grain matching
salt -G 'os:CentOS' test.ping7.1 Custom Grains
# /etc/salt/minion
grains:
roles:
- webserver
- dbserver
deployment: datacenter1
cabinet: 13
cab_u: 14-158. Pillar (Server‑Side Data)
Pillar stores sensitive configuration data such as passwords and version numbers.
# /etc/salt/master
pillar_roots:
base:
- /srv/pillar
# /srv/pillar/env_salt01.sls
roles:
- webserver
- dbserver
deployment: datacenter1
cabinet: 13
cab_u: 14-15
# /srv/pillar/top.sls
base:
'*':
- env_salt019. Targeting (Remote Execution)
Targeting methods include globbing, regex, list, subnet/IP, grains, pillar, compound matchers, and node groups.
# Ping a specific minion
salt 'salt01.tianyun.com' test.ping
# Glob pattern
salt 'salt01*' test.ping
# Regex example
salt -E 'salt0[^14].tianyun.com' test.ping
# Subnet
salt -S '10.0.100.0/24' test.ping
# Grain match
salt -G 'os:CentOS' test.ping
# Pillar match
salt -I 'roles:webserver' test.ping
# Compound matcher
salt -C 'I@roles:dbserver and G@os:CentOS'10. States (Configuration Language)
States are written in YAML (or Python) to describe desired system configuration, such as creating users, installing packages, managing files, and ensuring services run.
# Example state file: lamp.sls
lamp-pkg-install:
pkg.installed:
- names:
- httpd
- php
- php-mysql
- php-gd
- gd
- mariadb-server
httpd-files:
file.managed:
- name: /etc/httpd/conf/httpd.conf
- source: salt://files/httpd.conf
- require:
- pkg: lamp-pkg-install
httpd-service:
service.running:
- name: httpd
- enable: True
- require:
- file: httpd-files
- reload: True
mysql-files:
file.managed:
- name: /etc/my.cnf
- source: salt://files/my.cnf
mysql-service:
service.running:
- name: mariadb
- enable: True
- require:
- pkg: lamp-pkg-install11. State Relationships
Key relationship directives:
require : ensure a state runs after another.
require_in : declare that another state depends on this one.
watch : restart/reload a service when a watched state changes.
watch_in : declare that another state watches this one.
unless : run a command only if the given test command returns false.
12. LAMP Deployment (dev environment)
Prepare template files for httpd.conf and my.cnf, then define a state to install packages, manage configuration files, and start services.
# /srv/salt/dev/lamp.sls
lamp-pkg-install:
pkg.installed:
- names:
- httpd
- php
- php-mysql
- php-gd
- gd
- mariadb-server
httpd-files:
file.managed:
- name: /etc/httpd/conf/httpd.conf
- source: salt://files/httpd.conf
- require:
- pkg: lamp-pkg-install
httpd-service:
service.running:
- name: httpd
- enable: True
- require:
- file: httpd-files
- reload: True
mysql-files:
file.managed:
- name: /etc/my.cnf
- source: salt://files/my.cnf
mysql-service:
service.running:
- name: mariadb
- enable: True
- require:
- pkg: lamp-pkg-installApply with:
salt '*' state.sls lamp saltenv=dev13. Additional Resources
For further reading, see the official SaltStack documentation at https://docs.saltproject.io/en/latest/ and the linked blog posts throughout the guide.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.