Installing and configuring the Salt master
In this section, we are going to configure the most important component of the Salt architecture—the Salt master. We'll install the Salt master package and configure the most important parameters needed for our infrastructure.
How to do it...
Let's see how we can install the Salt master on various types of OS.
Installing the Salt master on RedHat/CentOS/Fedora
- Salt packages are available in the EPEL repository. First, the repository needs to be added to the system. As the system being used is CentOS 6.5 (64-bit), we are using the
epel-releasepackage at http://dl.fedoraproject.org/pub/epel/6/x86_64/. This needs to be changed as per the version and architecture of the operating system being used:[root@salt-master ~]# rpm -ihv \ http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6- 8.noarch.rpm - After the EPEL release package has been installed, we will install the
salt-masterpackage with the following command, and the dependencies should automatically be fetched from the repository:[root@salt-master ~]# yum –y install salt-master
Installing the Salt master on Ubuntu
While installing the Salt master on Ubuntu, the SaltStack PPA repository needs to be added to the system. It is to be noted that the following commands need to be executed as a privileged user, that is, either the root user can be used, or the sudo command needs to be added before the mentioned commands:
- The following command adds the
add-apt-repositorybinary to the system:[root@salt-master ~]# apt-get –y install python-software- properties - Now, we will add the repository with the command given here:
[root@salt-master ~]# add-apt-repository ppa:saltstack/salt - The Salt master package then needs to be installed with the following command:
[root@salt-master ~]# apt-get -y install salt-master
Configuring the Salt master
The primary configuration file for the Salt master is /etc/salt/master. It is also a good practice to create additional configuration files in /etc/salt/master.d/ with the .conf extension, and they will get read along with all the other files when the Salt master daemon starts.
Most of the Salt configuration parameters are set by default and need not be set explicitly. However, let's look at some of the important parameters that can be altered to suit one's needs:
- To determine which network interface the service binds to:
interface: 0.0.0.0 - The port on which to listen to for client node (minion) communications:
publish_port: 4505 - The path that gets prepended to other files such as
log_file,pki_dir, andcache_dirif set. It is also to be noted that this path gets prepended to all other defined configuration parameters in the master configuration files, where each of them is also explained in detail:root_dir: / - The directory to hold the master and minion keys that have already been authenticated or rejected:
pki_dir: /etc/salt/pki/master - The file containing log entries for the master daemon:
log_file: /var/log/salt/master - The file that allows the keys of the host's that match the listed patterns to be accepted automatically (it is always a good practice to define this file). We will uncomment this line and set the filename as follows:
autosign_file: /etc/salt/autosign.conf - Edit the file
/etc/salt/autosign.confand set the content to be a wild card entry as follows (this is being done to facilitate easier demonstrations in the rest of the book, it is to be noted that this is a security risk otherwise):*
- The Salt service daemon then needs to be started and configured to start at boot time.
On RedHat/CentOS/Fedora:
[root@salt-master ~]# service salt-master start [root@salt-master ~]# chkconfig salt-master on
On Ubuntu, the installation process automatically starts the daemon, hence the daemon needs to be restarted:
[root@salt-master ~]# service salt-master restart [root@salt-master ~]# update-rc.d salt-master defaults
The firewall needs to be configured to allow communication on ports 4505 and 4506 from the minions:
[root@salt-master ~]# iptables -A INPUT -m state --state new \ -m tcp -p tcp --dport 4505 -j ACCEPT [root@salt-master ~]# iptables -A INPUT -m state --state new \ -m tcp -p tcp --dport 4506 -j ACCEPT
- Save the firewall rules:
On RedHat/CentOS/Fedora:
[root@salt-master ~]# service iptables saveOn Ubuntu:
[root@salt-master ~]# iptables-save
In the scenario that a virtualized environment is being used, such as a cloud provider, the aforementioned ports should be opened in the respective security group of the master node.
How it works...
The salt-master is the package for the Salt master service and it also requires a few other dependencies, such as the ZeroMQ library, msgpack, jinja, yaml, and so on, which is automatically pulled along with the package from the configured repositories.
Most of the Salt configuration parameters are set by default and need not be explicitly mentioned in the file. The options can be found commented in the file and act as the defaults. However, if they need to be changed, then they can be uncommented and necessary changes can be made.
We have explicitly uncommented the autosign_file parameter and set the value as /etc/salt/autosign.conf:
autosign_file: /etc/salt/autosign.conf
We then populated the file with a wildcard entry, that is, *, to allow all minions' certificate requests to be automatically signed and accepted by the master.
Finally, the service daemons for salt master are started/restarted, configured to start automatically at boot time, and firewalls are configured to open the ports 4505 and 4506 for communication with the minions using the system-specific commands.
See also
- The Salt multi-master setup (active-active mode) and Salt multi-master setup (active-passive mode) recipes in Chapter 3, Modules, Orchestration, and Scaling Salt, to learn more about highly available and redundant Salt master setups
- The Configuring the Salt environment and pillar paths recipe, for advanced configuration of the Salt master
