Now that we have the master and the minion installed on our machine, we must do a couple of pieces of configuration in order to allow them to talk to each other. From here on out, we're back to using a single Ubuntu 14.04 machine with both master and minion installed on the machine.
Since minions connect to masters, the only firewall configuration that must be done is on the master. By default, ports
4506 must be able to accept incoming connections on the master. The default install of Ubuntu 14.04, used for these examples, actually requires no out-of-the-box firewall configuration to be able to run Salt; the ports required are already open. However, many distributions of Linux come with much more restrictive default firewall settings. The most common firewall software in use on Linux systems is iptables.
Note that you might also have to change firewall settings on your network hardware if there is network filtering in place outside the software on the machine on which you're working.
Firewall configuration is a topic that deserves its own book. However, our needs for the configuration of Salt are fairly simple. First, you must find the set of rules currently in effect for your system. This varies from system to system; for example, the file is located in
/etc/sysconfig/iptables on RedHat distributions, while it is located at
/etc/iptables/iptables.rules in Arch Linux.
Once you find that file, add the following lines to that file, but be sure to do it above the line that says
-A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT
For more information about configuring on your operating system of choice so that your Salt minion can connect successfully to your Salt master, see the Salt documentation at http://docs.saltstack.com/en/latest/topics/tutorials/firewall.html.
Out of the box, the Salt minion is configured to connect to a master at the location
salt. The reason for this default is that, if DNS is configured correctly such that
salt resolves to the master's IP address, no further configuration is needed. The minion will connect successfully to the master.
However, in our example, we do not have any DNS configuration in place, so we must configure it ourselves.
The minion and master configuration files are located in the
/etc/salt/ directory should be created as part of the installation of Salt, assuming that you followed the preceding directions. If it does not exist for some reason, please create the directory and create two files,
master, within the directory.
/etc/salt/minion file with your text editor of choice (remember to use the
sudo command!). We will be making a couple of changes to this file.
First, find the commented-out line for the configuration option
master. It should look like this:
Uncomment that line and change
localhost (as we have this minion connected to the local master). It should look like this:
If you cannot find the appropriate line in the file, just add the line shown previously to the top of the file.
You should also manually configure the minion ID so that you can more easily follow along with the examples in this text. Find the ID line:
Uncomment it and set it to
Save and close the file.
# sudo service salt-minion restart # sudo service salt-master restart
Packages in other supported distributions ship with
init scripts for Salt. Use whichever service system is available to you to start or restart the Salt minion and Salt master.
There is one last step remaining before we can run our first Salt commands. We must tell the master that it can trust the minion. To help us with this, Salt comes with the
salt-key command to help us manage minion keys:
# sudo salt-key Accepted Keys: Denied Keys: Unaccepted Keys: myminion Rejected Keys:
Note that our minion,
myminion, is listed in the
Unaccepted Keys section. This means that the minion has contacted the master and the master has cached that minion's public key, and is waiting for further instructions as to whether to accept the minion or not.
If your minion is not showing up in the output of
salt-key, it's possible that the minion cannot reach the master on ports
4506. Please refer to the Firewall configuration section described previously for more information.
Troubleshooting information can also be found in the Salt documentation at http://docs.saltstack.com/en/latest/topics/troubleshooting/.
# sudo salt-key -f myminion Unaccepted Keys: myminion: a8:1f:b0:c2:ab:9d:27:13:60:c9:81:b1:11:a3:68:e1
We can use the
salt-call command to run a command on the minion to obtain the minion's key, as follows:
# sudo salt-call --local key.finger local: a8:1f:b0:c2:ab:9d:27:13:60:c9:81:b1:11:a3:68:e1
Since the fingerprints match, we can accept the key on the master, as follows:
# sudo salt-key -a myminion The following keys are going to be accepted: Unaccepted Keys: myminion Proceed? [n/Y] Y Key for minion myminion accepted.
We can check that the minion key was accepted, as follows:
# sudo salt-key Accepted Keys: myminion Denied Keys: Unaccepted Keys: Rejected Keys:
Success! We are ready to run our first Salt command!