SaltStack Configuration Management Fundamentals

Official Website: https://www.saltstack.com/
Official Documentation: https://docs.saltstack.cn/contents.html
GitHub Repository: https://github.com/saltstack
Chinese SaltStack Community: https://www.saltstack.cn/

Architecture Overview

SaltStack master and minion nodes communicate through an encrypted key exchange. The master distributes configurations and commands to minions via the ZeroMQ messaging system.

Installation and Setup

To install SaltStack master:


[root@controller ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@controller ~]# yum -y install salt-master
[root@controller ~]# systemctl start salt-master

Configure host entries:


[root@controller ~]# vim /etc/hosts
10.240.17.100 controller
10.240.17.103 worker1

For minion setup:


[root@worker1 ~]# vim /etc/salt/minion
master: 211.103.138.122
[root@worker1 ~]# systemctl start salt-minion

If hostname changes, remove cached files:


[root@worker1 ~]# rm -f /etc/salt/minion_id
[root@controller ~]# rm -rf /etc/salt/pki/master/minions_pre/worker1

Key Management


[root@controller ~]# salt-key -A  # Accept all pending keys

Basic Commands


[root@controller ~]# salt '*' test.ping  # Test connectivity
[root@controller ~]# salt '*' cmd.run 'w'  # Execute command remotely

Communication Ports

Minions connect to the master on port 4505 for publishing events. The master sends commands to minions on port 4506.

Configuration Structure

Edit master configuration to define file roots:


[root@controller ~]# vim /etc/salt/master

file_roots:
  base:
    - /srv/salt/base
  dev:
    - /srv/salt/dev
  test:
    - /srv/salt/test
  prod:
    - /srv/salt/prod

Create directory structure:


[root@controller ~]# mkdir -p /srv/salt/{base,dev,test,prod}
[root@controller ~]# systemctl restart salt-master

Writing State Files (SLS)

Create an Apache configuration state file:


[root@controller base]# vim webserver/apache.sls

webserver-install:
  pkg.installed:
    - name: httpd

webserver-service:
  service.running:
    - name: httpd
    - enable: True

Apply the state to a minion:


[root@controller base]# salt 'worker1' state.sls webserver.apache

Organizing States

Create a top file to orchestrate states:


[root@controller base]# vim top.sls

base:
  'controller':
    - webserver.apache
  'worker1':
    - webserver.apache

Apply highstate (all states defined in top file):


[root@controller base]# salt '*' state.highstate

Advanced State Management

Create a more comprehensive LAMP stack configuration:


[root@controller base]# mkdir -p web/files
[root@controller base]# vim web/lamp.sls

lamp-install:
  pkg.installed:
    - pkgs:
      - httpd
      - php
      - php-pdo
      - php-mysql

apache-config:
  file.managed:
    - name: /etc/httpd/conf/httpd.conf
    - source: salt://web/files/httpd.conf
    - user: root
    - group: root
    - mode: 644
    - require:
      - pkg: lamp-install

apache-conf:
  file.recurse:
    - name: /etc/httpd/conf.d
    - source: salt://web/files/apache-conf.d

php-config:
  file.managed:
    - name: /etc/php.ini
    - source: salt://web/files/php.ini
    - user: root
    - group: root
    - mode: 644

lamp-service:
  service.running:
    - name: httpd
    - enable: True
    - watch:
      - file: apache-conf
      - file: apache-config

Using Templates and Variables

Modify state file to use Jinja templating:


[root@controller base]# vim web/lamp.sls

apache-config:
  file.managed:
    - name: /etc/httpd/conf/httpd.conf
    - source: salt://web/files/httpd.conf
    - user: root
    - group: root
    - mode: 644
    - require:
      - pkg: lamp-install
    - template: jinja
    - defaults:
        PORT: 80
        IPADDR: {{ grains['fqdn_ip4'][0] }}

Update configuration template to use variables:


[root@controller base]# vim web/files/httpd.conf

Listen {{ IPADDR }}:{{ PORT }}

Managing Authentication

Add authentication configuration to the state file:


[root@controller base]# vim web/lamp.sls

apache-auth:
  pkg.installed:
    - name: httpd-tools
    - require_in:
      - cmd: apache-auth
  cmd.run:
    - name: htpasswd -bc /etc/httpd/conf/htpasswd_file admin admin
    - unless: test -f /etc/httpd/conf/htpasswd_file
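
The state above passes the password to htpasswd with -b, so it sits in clear text in a state file served from file_roots and appears on the command line when the state runs. The following is an added example, not part of the original page: a scan of the state tree that lists every state calling htpasswd in batch mode. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list states that hand htpasswd a password on the command
# line (-b). Prints file:line:state_id for each hit.

scan_sls_for_batch_htpasswd() {
    root=$1
    find "$root" -type f -name '*.sls' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            # A non-indented "key:" line starts a new state ID.
            /^[^ \t#-][^ \t]*:[ \t]*$/ { id = $1; sub(/:$/, "", id) }
            /htpasswd[ \t]/ {
                n = split($0, w, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    # Option cluster containing b: -b, -bc, -cb (not -B).
                    if (w[i] ~ /^-[A-Za-z]*b[A-Za-z]*$/) {
                        print file ":" NR ":" id
                        break
                    }
            }
        ' "$f"
    done
}

# Constructed sample: the apache-auth state from this page plus a clean file.
make_sample_tree() {
    mkdir -p "$1/web"
    cat > "$1/web/lamp.sls" <<'EOF'
apache-auth:
  pkg.installed:
    - name: httpd-tools
  cmd.run:
    - name: htpasswd -bc /etc/httpd/conf/htpasswd_file admin admin
    - unless: test -f /etc/httpd/conf/htpasswd_file
EOF
    printf 'tools:\n  pkg.installed:\n    - name: httpd-tools\n' > "$1/web/ok.sls"
}

# Typical use on the master: scan_sls_for_batch_htpasswd /srv/salt
```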

Application Deployment

Example for Tomcat deployment:


[root@controller base]# vim appserver/tomcat.sls

jdk-install:
  pkg.installed:
    - name: java-1.8.0-openjdk

tomcat-install:
  file.managed:
    - name: /usr/local/src/apache-tomcat-8.0.46.tar.gz
    - source: salt://appserver/files/apache-tomcat-8.0.46.tar.gz
    - user: root
    - group: root
    - mode: 755
  cmd.run:
    - name: cd /usr/local/src && tar xvf apache-tomcat-8.0.46.tar.gz && mv apache-tomcat-8.0.46 /usr/local/ && ln -s /usr/local/apache-tomcat-8.0.46 /usr/local/tomcat
    - unless: test -L /usr/local/tomcat && test -d /usr/local/apache-tomcat-8.0.46

Using Grains

Grains provide system information:


[root@controller ~]# salt 'worker1' grains.items
[root@controller ~]# salt 'worker1' grains.item fqdn_ip4
[root@controller ~]# salt -G 'os:CentOS' cmd.run 'uptime'

Minion Re-enrollment

To re-enroll a minion:

  1. Stop salt-minion service
  2. On master: salt-key -d <minion_id>
  3. Delete /etc/salt/minion_id on minion
  4. Delete /etc/salt/pki directory on minion
  5. Update minion ID if needed
  6. Start salt-minion service
  7. On master: salt-key -a <minion_id>
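
An added example, not part of the original page: before accepting a key, whether with `salt-key -A` under Key Management or in step 7 above, compare the fingerprint the master shows for the pending key (`salt-key -f`) with the one printed on the minion itself (`salt-call --local key.finger`). The function names and sample fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a minion key only after its fingerprint matches.

# Pull the first colon-separated hex fingerprint out of text on stdin.
extract_fp() {
    tr 'A-F' 'a-f' | grep -Eo '([0-9a-f]{2}:){15,}[0-9a-f]{2}' | head -n 1
}

# Succeed only if both texts contain a fingerprint and the two are identical.
fp_match() {
    master_fp=$(printf '%s\n' "$1" | extract_fp)
    minion_fp=$(printf '%s\n' "$2" | extract_fp)
    [ -n "$master_fp" ] && [ "$master_fp" = "$minion_fp" ]
}

# $1 = minion ID, $2 = output of "salt-call --local key.finger" copied from
# the minion over a trusted channel (console, existing SSH session).
accept_verified() {
    minion_id=$1
    if fp_match "$(salt-key -f "$minion_id")" "$2"; then
        salt-key -y -a "$minion_id"
    else
        echo "fingerprint mismatch for $minion_id, key not accepted" >&2
        return 1
    fi
}

# Constructed sample outputs (the fingerprints are made up).
SAMPLE_MASTER='Unaccepted Keys:
worker1:  5d:f6:79:43:5e:d4:42:3f:57:b8:45:a8:7e:a4:6e:ca'
SAMPLE_MINION='local:
    5D:F6:79:43:5E:D4:42:3F:57:B8:45:A8:7E:A4:6E:CA'
SAMPLE_OTHER='local:
    00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff'

fp_match "$SAMPLE_MASTER" "$SAMPLE_MINION" && echo "constructed sample: fingerprints match"
```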

Cache Location

Salt cache files are located in /var/log/salt/cache/

Monitoring Agent Example

Example Zabbix agent configuration:


[root@controller base]# vim monitoring/zabbix.sls

zabbix-install:
  pkg.installed:
    - name: zabbix-agent

agent-config:
  file.managed:
    - name: /etc/zabbix/zabbix_agentd.conf
    - source: salt://monitoring/files/zabbix_agentd.conf
    - user: root
    - group: root
    # template and defaults are file.managed arguments: they render the config file
    - template: jinja
    - defaults:
        Server: {{ 'monitoring-server' }}
    - require:
      - pkg: zabbix-install
  cmd.run:
    - name: chmod 755 /var/log/zabbix/ /var/run/zabbix/ && useradd zabbix && chown zabbix.zabbix /var/log/zabbix/ -R && chown zabbix.zabbix /var/run/zabbix/ -R
    - unless: test -d /home/zabbix/

agent-service:
  service.running:
    - name: zabbix-agent
    - enable: True
    - reload: True
    - watch:
      - file: agent-config

Tags: SaltStack configuration-management infrastructure-automation SLS-states ZeroMQ

Posted on Sun, 10 May 2026 15:30:19 +0000 by aod