Installing Salt Open can be really easy. The folk from Utah want you to get up and running with Salt configuration management and orchestration as quickly as possible and to be using the latest versions. You can use pretty much any distribution you want, but we will be installing the main controller, or Salt Master, on CentOS 8.2. The master will also have its own Salt Minion, or agent, so we can manage the master as well as other systems. Using Ubuntu 18.04 as a second Minion helps show the benefits of Salt.
The Salt Master listens on the ZeroMQ ports TCP 4505 and 4506. CentOS 8 has firewalld running by default as a host-based firewall, so we can highlight the need to open these ports. The Minions (agents) connect to the Master on port 4505 for the Job Publisher, which delivers new jobs, and on port 4506 to return data to the Master. Installing Salt Open on CentOS 8 as the master emphasises the ports that we need to open. Installing Salt Open on Ubuntu lets us highlight how easily we can work with different distributions.
Latest Salt Open Version
When installing any product we want it to be easy, and especially so when installing Salt Open. Choosing the distribution repositories is often the simplest idea, but these are also likely to carry an older release. SaltStack have made life really easy. Firstly, we can visit https://repo.saltstack.com for more details on how and where to install the latest versions depending on your distribution. Currently the Salt Master can only be installed on Linux but it is expected in late 2020 there will be a Windows version of the master.
The first and probably the best mechanism for installing Salt Open is to use the bootstrap installer. This adds the Salt repo for your distribution and installs from the repo. On the CentOS 8 system that is to be the master, we download the script and install from the downloaded script:
# curl -L https://bootstrap.saltstack.com -o install.sh
# sh install.sh -P -M -X -x python3
With these two commands entered we have the system installed! The options we have used:
- -P: Install Python modules with PIP if they are not available in standard repos
- -M: Install the Salt-Master, the Salt-Minion is installed by default, use -N to disable the Minion install
- -X: Don’t start the service after the install. This works on CentOS but not Ubuntu
- -x: Here we have elected to use a Python 3 install. Python 2.7 is now deprecated and we should focus on Python 3
Configuring the Salt-Minion on the Master
The default settings for the salt-master service are good to work with as a starting point. The salt-minion will need some basic settings configured. The configuration file is /etc/salt/minion but we prefer to use the extension directory and add in our own configuration file. In this way it will never be overwritten in an update. We will create the file /etc/salt/minion.d/my_minion.conf.
id: master-minion
master: 127.0.0.1
The id sets the name that the system will see this agent as, and the master key sets the address of the master that the salt-minion service should connect to. To receive new tasks to run, the minion connects to the job publisher on the master on TCP port 4505. Using the 127.0.0.1 address, we should not need to concern ourselves with firewalld, as the default firewalld settings in CentOS allow all traffic from the localhost to the localhost. Having made the configuration we can start the services.
# systemctl enable --now salt-master salt-minion
Minions connect to the salt-master and authenticate. If their public key has not already been accepted then no communication is allowed. The salt-key command can be run on the master to list and authorise keys.
# salt-key
# salt-key -a master-minion
Once the minion's public key has been accepted, the master's public key is sent to the minion and is automatically accepted by the minion. For security, it is only the master that is required to accept the minion's key.
Open Firewall After Installing Salt Open Master
The firewall is in place on CentOS 8 by default. It is only the Salt Master that requires any additional ports to be open, and Salt uses the ZeroMQ ports 4505 and 4506 on TCP. Rather than disable firewalld we will add TCP ports 4505 and 4506 to the firewall rules using Salt itself. Because the minion on the master is local, it can communicate with the master via 127.0.0.1, avoiding the firewall.
# salt 'master-minion' firewalld.add_port public 4505-4506/tcp
# salt 'master-minion' firewalld.reload_rules
# salt 'master-minion' firewalld.list_all public
Of course, we could use the native commands, but we are learning Salt so it makes sense to use Salt.
We can now install just the minion on Ubuntu:
# curl -L https://bootstrap.saltstack.com -o install.sh
# sh install.sh -P -x python3
On the Ubuntu host, as before, we will create the file /etc/salt/minion.d/my_minion.conf.
id: minion-1
master: 172.16.120.130
We then restart the service:
# sudo systemctl restart salt-minion
On the master we use salt-key -a to accept the key.
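Accepting a key is the trust decision for that minion, so before running salt-key -a it is worth comparing the pending key's fingerprint on the master (salt-key -f minion-1) with the one the minion reports locally (salt-call --local key.finger). The following is an added example, not part of the original article: the function names, the sample output and its shortened fingerprint are constructed, and the parser assumes the "id:  fingerprint" line layout.

```shell
#!/bin/sh
# Added example: accept a minion key only after its fingerprint is verified.

# Constructed sample in the assumed layout of `salt-key -f minion-1`
# (fingerprint shortened for readability).
SAMPLE_FINGER_OUTPUT='Unaccepted Keys:
minion-1:  3D:5A:91:0C:7E:42:B8:11'

# Read `salt-key -f` style output on stdin and print the fingerprint
# for minion id $1 in lowercase; prints nothing if the id is absent.
extract_fingerprint() {
    awk -v want="$1:" '$1 == want { print tolower($2); exit }'
}

# Succeed only when both fingerprints are non-empty and equal,
# ignoring hex letter case. An empty value never matches.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# $1 = minion id, $2 = fingerprint read on the minion itself with
#      `salt-call --local key.finger` and carried over out-of-band.
accept_if_verified() {
    minion_id=$1
    expected=$2
    pending=$(salt-key -f "$minion_id" | extract_fingerprint "$minion_id")
    if fingerprints_match "$pending" "$expected"; then
        salt-key -y -a "$minion_id"
    else
        echo "fingerprint mismatch for $minion_id: key NOT accepted" >&2
        return 1
    fi
}
```

On the master, run accept_if_verified minion-1 followed by the fingerprint copied from the Ubuntu host; a mismatch leaves the key pending for investigation.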