Book Image

Learning SaltStack

By : Colton Myers
Book Image

Learning SaltStack

By: Colton Myers

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Learning SaltStack
Colton Myers
Jan, 2015 | 174 pages
No titles found
Table of Contents (15 chapters)
Learning SaltStack
Learning SaltStack
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Diving In – Our First Salt Commands
Diving In – Our First Salt Commands
Introducing Salt
Installing Salt
Configuring Salt
A game of ping pong
Masterless Salt
Summary
2
Controlling Your Minions with Remote Execution
Controlling Your Minions with Remote Execution
The structure of a remote execution command
Summary
3
Execution Modules – Write Your Own Solution
Execution Modules – Write Your Own Solution
Exploring the source
An advanced example
Summary
4
Defining the State of Your Infrastructure
Defining the State of Your Infrastructure
Our first state
The pieces of a state declaration
Expanding to encompass multiple pieces of state
Dependencies using requisites
Summary
5
Expanding Our States with Jinja2 and Pillar
Expanding Our States with Jinja2 and Pillar
Adding a new minion
Jinja2
Defining secure minion-specific data in pillar
Summary
6
The Highstate and Environments
The Highstate and Environments
The highstate
Storing our states in Git with GitFS
Summary
7
Using Salt Cloud to Manage Virtual Minions
Using Salt Cloud to Manage Virtual Minions
Setting up Salt Cloud
Managing groups of VMs with map files
Summary
8
The Reactor and the Event System
The Reactor and the Event System
The Salt event system
Reacting to events
Summary
Index
Index

Configuring Salt

Now that we have the master and the minion installed on our machine, we must do a couple of pieces of configuration in order to allow them to talk to each other.

Firewall configuration

Since Salt minions connect to masters, the only firewall configuration that must be done is on the master. By default, ports 4505 and 4506 must be able to accept incoming connections on the master. The default install of Ubuntu 14.04, used for these examples, actually requires no firewall configuration out-of-the-box to be able to run Salt; the ports required are already open. However, many distributions of Linux come with much more restrictive default firewall settings. The most common firewall software in use by default is iptables.

Tip

Note that you might also have to change firewall settings on your network hardware if there is network filtering in place outside the software on the machine on which you're working.

Firewall configuration is a topic that deserves its own book. However, our needs for the configuration of Salt are fairly simple. First, you must find the set of rules currently in effect for your system. This varies from system to system; for example, the file is located in /etc/sysconfig/iptables on RedHat distributions, while it is located in /etc/iptables/iptables.rules in Arch Linux.

Once you find that file, add the following lines to that file, but be sure to do it above the line that says DROP:

-A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
-A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

For more information about configuring on your operating system of choice so that your Salt minion can connect successfully to your Salt master, see the Salt documentation at http://docs.saltstack.com/en/latest/topics/tutorials/firewall.html.

Note

In version 2014.7.0, a new experimental transport option was introduced in Salt, called RAET. The use of this transport system is beyond the scope of this book. This book will deal exclusively with the default, ZeroMQ-based transport in Salt.

Salt minion configuration

Out of the box, the Salt minion is configured to connect to a master at the location salt. The reason for this default is that, if DNS is configured correctly such that salt resolves to the master's IP address, no further configuration is needed. The minion will connect successfully to the master.

However, in our example, we do not have any DNS configuration in place, so we must configure this ourselves.

The minion and master configuration files are located in the /etc/salt/ directory.

Note

The /etc/salt/ directory should be created as part of the installation of Salt, assuming you followed the preceding directions. If it does not exist for some reason, please create the directory, and create two files, minion and master, within the directory.

Open /etc/salt/minion with your text editor of choice (remember to use sudo!). We will be making a couple of changes to this file.

First, find the commented-out line for the configuration option master. It should look like this:

#master: salt

Uncomment that line and change salt to localhost (as we have this minion connected to the local master). It should look like this:

master: localhost

If you cannot find the appropriate line in the file, just add the line shown previously to the top of the file.

You should also manually configure the minion ID so that you can more easily follow along with the examples in this text. Find the ID line:

#id:

Uncomment it and set it to myminion:

id: myminion

Again, if you cannot find the appropriate line in the file, just add the line shown previously to the top of the file.

Save and close the file.

Note

Without a manually-specified minion ID, the minion will try to intelligently guess what its minion ID should be at startup. For most systems, this will mean the minion ID will be set to the Fully-Qualified Domain Name (FQDN) for the system.

Starting the Salt master and Salt minion

Now we need to start (or restart) our Salt master and Salt minion. Assuming you're following along on Ubuntu (which I recommend), you can use the following commands:

# sudo service salt-minion restart
# sudo service salt-master restart

Packages in other supported distributions ship with init scripts for Salt. Use whichever service system is available to you to start or restart the Salt minion and Salt master.

Accepting the minion key on the master

There is one last step remaining before we can run our first Salt commands. We must tell the master that it can trust the minion. To help us with this, Salt comes with the salt-key command to help us manage minion keys:

# sudo salt-key
Accepted Keys:
Unaccepted Keys:
myminion
Rejected Keys:

Notice that our minion, myminion, is listed in the Unaccepted Keys section. This means that the minion has contacted the master and the master has cached that minion's public key, and is waiting for further instructions as to whether to accept the minion or not.

Tip

If your minion is not showing up in the output of salt-key, it's possible that the minion cannot reach the master on ports 4505 and 4506. Please refer to the Firewall section described previously for more information.

Troubleshooting information can also be found in the Salt documentation at http://docs.saltstack.com/en/latest/topics/troubleshooting/.

We can inspect the key's fingerprint to ensure that it matches our minion's key, as follows:

# sudo salt-key -f myminion
Unaccepted Keys:
myminion:  a8:1f:b0:c2:ab:9d:27:13:60:c9:81:b1:11:a3:68:e1

We can use the salt-call command to run a command on the minion to obtain the minion's key, as follows:

# sudo salt-call --local key.finger
local:    a8:1f:b0:c2:ab:9d:27:13:60:c9:81:b1:11:a3:68:e1

Since the fingerprints match, we can accept the key on the master, as follows:

# sudo salt-key -a myminion
The following keys are going to be accepted:
Unaccepted Keys:
myminion
Proceed? [n/Y] Y
Key for minion myminion accepted.

We can check that the minion key was accepted, as follows:

# sudo salt-key
Accepted Keys:
myminion
Unaccepted Keys:
Rejected Keys:

Success! We are ready to run our first Salt command!

Previous Section
End of Section 4
Next Section