How To Install & Configure SaltStack on CentOS 7

First of all, I don’t recommend using the Python 3 version of SaltStack because in my testing, when following the instructions to the letter on a fresh copy of the OS, it just didn’t work at all. So I’ll be using and recommending the Python 2 version for now.

I’m also assuming you have a CentOS box ready to go. If not, take just a few seconds and spin up a box with 1GB of RAM and 25GB of SSD storage with Vultr for less than $0.01/hour. (I’m on Vultr, and my experience has been great so far. Haven’t even needed support.)

Step 1: Install the master

The “master”, in SaltStack parlance, is the machine responsible for controlling all the others (the “minions”). I’ll be assuming that you are running these commands as a non-root user, as is typically recommended. Of course, if you prefer to log in as root, just drop the sudo calls. (Personally, as I like to live on the wild side, I did just that.)

sudo yum install https://repo.saltstack.com/yum/redhat/salt-repo-2018.3-1.el7.noarch.rpm
sudo yum clean expire-cache
sudo yum install salt-master
sudo service salt-master start   # if it’s not already started

Now, just open the Salt ports in firewalld.

sudo firewall-cmd --permanent --zone=public --add-port=4505-4506/tcp
sudo firewall-cmd --reload

Step 2: Grab master’s fingerprint

You’ll need this to get your minions up and running. Of the fingerprints printed, the only one you need is the line that starts with master.pub.

sudo salt-key -F master

Step 3: Install and configure a minion

sudo yum install https://repo.saltstack.com/yum/redhat/salt-repo-2018.3-1.el7.noarch.rpm
sudo yum clean expire-cache
sudo yum install salt-minion

Next, you’ll need to edit /etc/salt/minion and look for the following 3 properties to uncomment and set:

master: host.or.ip
id: # optional; defaults to machine's FQDN. make it catchy; you'll use it a lot.
master_finger: # the master.pub fingerprint from above

Once you’ve done that, you’ll have to restart the minion to pick up the new config:

sudo systemctl restart salt-minion

Step 4: Connect minion to master

On the minion, run:

sudo salt-call test.ping

Then on the master, run this and verify that the name of your minion appears under Unaccepted Keys:

sudo salt-key -L

Assuming it does, you can run either one of the following to accept it:

sudo salt-key -A             # accepts all unaccepted keys
sudo salt-key -a <MINION_ID> # where <MINION_ID> is the ID of your minion whose key you want to accept

Step 5: Verify matching fingerprints

Running this on a minion:

sudo salt-call --local key.finger

… should match the output of this on the master:

sudo salt-key -f <MINION_ID>
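
The comparison in steps 4 and 5 can be scripted so that a key is accepted only when both fingerprints agree; salt-key -f also works while the key is still listed under Unaccepted Keys. This is an added example, not part of the original post: the function names, the minion ID web01, the file name in the closing comment and the sample fingerprints are constructed, and the sample outputs are only shaped like what the two commands print.

```shell
#!/bin/sh
# Added example: check that the fingerprint reported by the minion
# equals the one the master holds for that minion's key.

# Print the first colon-separated hex fingerprint found in the text
# passed as $1, lower-cased. Prints nothing if there is none.
extract_fp() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' |
        grep -Eo '([0-9a-f]{2}:){15,}[0-9a-f]{2}' | head -n 1
}

# fp_match MINION_OUTPUT MASTER_OUTPUT
# Succeeds only if both outputs contain a fingerprint and they are equal.
fp_match() {
    minion_fp=$(extract_fp "$1")
    master_fp=$(extract_fp "$2")
    [ -n "$minion_fp" ] && [ -n "$master_fp" ] && [ "$minion_fp" = "$master_fp" ]
}

# Constructed sample data (not real keys).
FP_GOOD='a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90'
FP_OTHER='a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:91'
SAMPLE_MINION="local:
    $FP_GOOD"
SAMPLE_MASTER="Unaccepted Keys:
web01:  $FP_GOOD"
SAMPLE_MISMATCH="Unaccepted Keys:
web01:  $FP_OTHER"

# Demo over the constructed samples: one matching key, one that differs.
for master_out in "$SAMPLE_MASTER" "$SAMPLE_MISMATCH"; do
    if fp_match "$SAMPLE_MINION" "$master_out"; then
        echo "match: fingerprints agree for web01"
    else
        echo "MISMATCH: do not accept this key"
    fi
done

# Real use on the master, with the minion's key.finger output copied over
# by hand into minion_finger.txt (hypothetical file name):
#   fp_match "$(cat minion_finger.txt)" "$(sudo salt-key -f web01)" \
#       && sudo salt-key -a web01
```

A missing fingerprint on either side counts as a mismatch, so an empty or failed command never leads to an accepted key.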

Step 6: Test all minion connections

If you have multiple minions to set up, you may want to hold off on this step until you’ve done steps 3-5 for each minion.

On the master, just run:

sudo salt '*' test.ping

You should see each minion reply with “Ok”.

Step 7: Configure the master

Source some formulas from GitHub

Edit /etc/salt/master and add the following settings in order to use formulas directly from GitHub:

fileserver_backend:
  - roots
  - gitfs # you're basically just adding this line
gitfs_remotes:
  - git@github.com:user/repo.git # each of these is just an example of how you can source a repo
  - ssh://user@domain.tld/path/to/repo.git
  - https://github.com/saltstack-formulas/salt-formula.git 

Here are some useful formulas you might want to use:

  - https://github.com/saltstack-formulas/nginx-formula.git
  - https://github.com/GeoffMontee/mariadb-saltstack-formula.git
  - https://github.com/saltstack-formulas/crontab-formula.git
  - https://github.com/saltstack-formulas/packages-formula.git
  - https://github.com/saltstack-formulas/apache-formula.git
  - https://github.com/saltstack-formulas/letsencrypt-formula.git
  - https://github.com/saltstack-formulas/letsencrypt-sh-formula.git
  - https://github.com/saltstack-formulas/epel-formula.git
  - https://github.com/saltstack-formulas/sudoers-formula.git
  - https://github.com/saltstack-formulas/php-formula.git
  - https://github.com/saltstack-formulas/fail2ban-formula.git
  - https://github.com/saltstack-formulas/aegir-formula.git
  - https://github.com/saltstack-formulas/git-formula.git
  - https://github.com/saltstack-formulas/ius-formula.git
  - https://github.com/saltstack-formulas/remi-formula.git
  - https://github.com/saltstack-formulas/rsyncd-formula.git
  - https://github.com/saltstack-formulas/openssh-formula.git

Set up your top file

In /etc/salt/master, uncomment this:

file_roots:
  base:
    - /srv/salt

Then, run these commands:

sudo mkdir -p /srv/salt
sudo vi /srv/salt/top.sls

Paste this into your new file:

base:
  '*':
    - webserver

This top file is separated into environments, the default of which is “base”. The next line is a collection of minion matches; here we’re matching all with '*'. (The asterisk to match all minions will always be inside single quotes.) Underneath that is a list of SLS files that are to be applied to those minions; for right now we’re making them all web servers.
