Extend your Salt infrastructure

After you have installed and integrated the Tanzu Salt service, you also need to install, run, and register the Salt minion service on any nodes that you intend to manage using Tanzu Salt. You can deploy the Salt minion agent to your nodes using either VMware Aria Automation cloud templates or by installing the service through Secure Shell (SSH).

Open source Salt and its relationship to Tanzu Salt

Tanzu Salt runs on open source Salt, a Python-based open-source remote execution framework used for:

• Configuration management
• Automation
• Provisioning
• Orchestration

Salt is the technology that underlies the core functionality of Tanzu Salt. Tanzu Salt enhances and extends Salt, providing additional functionality and features that improve ease of use.

Salt uses the controller-client model in which a controller issues commands to a client and the client executes the command. In the Salt ecosystem, the controller is a server that is running the Salt master service. It issues commands to one or more Salt minions, which are nodes that are running the Salt minion service and that are registered with that particular master.

Another way to describe Salt is as a publisher-subscriber model. The master publishes jobs that need to be executed and minions subscribe to those jobs. When a specific job applies to that minion, it executes the job. When a minion finishes executing a job, it sends job return data back to the master.

Minions are nodes that run the salt-minion service. The service listens to commands from a Salt master and performs the requested tasks. You can deploy minions from VMware Aria Automation cloud templates.

Before you can begin using Tanzu Salt for configuration management, you must first install the Salt minion service on all nodes that you want to manage. You must also register the minions by sending and accepting their keys to Tanzu Salt .

Before you start

• Install and configure the Tanzu Salt and integrate it with VMware Aria Automation.
• Nodes that are managed by Tanzu Salt must be able to reach the Salt master and must reside on the same network as the Tanzu Salt integration point and the Salt master.
• vSphere machines that are deployed to a private network must be able to initiate a connection with Tanzu Salt integration and the Salt master.

Installing the Salt minion service through SSH

The process for installing the Salt minion service using SSH depends on the operating system running on those nodes.

• For information about installing the Salt minion service on RedHat Linux or CentOS, see Required Tanzu Salt dependencies.
• For other operating systems, see Salt supported operating systems.

After installing the Salt minion service:

1. Configure each minion to communicate with the master by creating a master.conf file in the /etc/salt/minion.d directory. In this file, provide the master’s IP address. For example: master: 192.0.2.1

2. Start the minion service:

   sudo systemctl enable salt-minion

   sudo systemctl start salt-minion

3. Repeat the previous steps for all remaining nodes.

After configuring these minion files to point to the Salt master, accept the minion keys in the Tanzu Salt service in the Minion Keys workspace.

Installing the Salt minion service using VMware Aria Automation cloud templates

To deploy the Salt minion service using cloud templates, you must have access to, and be proficient at using, cloud-init (Linux) or Cloudbase-init (Windows). To add Salt minions to the Salt master that is configured for the Tanzu Salt integration, the virtual machine in your cloud template must support cloud-init (Linux) or Cloudbase-init (Windows).

The following sections explain how to deploy the Salt minion service using cloud templates.

Add minions to the Salt master configured for VMware Aria Automation

When Tanzu Salt is installed, a Salt master IP address is specified. That master IP address is used as the masterAddress property when you deploy minions from a VMware Aria Automation cloud template.

You install and deploy minions by using cloud-init or Cloudbase-init scripting in a VMware Aria Automation cloud template or deployment. You can also use an image mapping that represents a cloud configuration script that uses either of those formats. To add Salt minions to the Salt master that is associated to a VMware Aria Automation Tanzu Salt integration, the target machine must support cloud-init (Linux) or Cloudbase-init (Windows). VMware Aria Automation cloud configuration scripting supports both formats.

You configure a machine resource in the cloud template with a minionId value and cloudConfig value and refer to the property group SaltStackConfiguration. The SaltStackConfiguration property group is created during Tanzu Salt service installation and configuration in VMware Aria Suite Lifecycle. It contains the masterAddress and masterFingerprint properties.

The minionId value must match the value specified for the machine’s /salt/minion_id in the cloudConfig section of the cloud template code.

Note:
By default, minions identify themselves to the master by their host name, but you can set a custom minion ID. For information about how to set a custom minion ID, see Setting a custom minion ID (optional) in the Installing Tanzu Salt documentation.

Examples of Windows-based and Linux-based VMware Aria Automation cloud template code are shown below. Note that the cloud configuration scripting can be specified using any of the following methods:

• VMware Aria Automation image that is called from the cloud template code
• Cloud configuration script that is called from the cloud template code
• Cloud configuration script content that is added directly to the cloud template code

Note:
When you deploy a cloud template that contains Salt minions, if the deployment is not visible in Automation Assembler, you can display the deployment by using the Automation Service Broker service.

Example - Linux-based deployment and cloud-init

A sample cloud template configuration for deploying minions for a Linux-based machine that supports cloud-init is shown below:

resources:
  Salt-Minion:
    type: Cloud.Machine
    properties:
      image: Ubuntu-18
      flavor: medium
      constraints:
        - tag: 'env:vsphere'
      cloudConfig: |
        #cloud-config
        hostname: ${input.saltminionhostname}
        users:
          - name: ${input.user}
            sudo: ['ALL=(ALL) NOPASSWD:ALL']
            groups: sudo
            shell: /bin/bash
        runcmd:
          - PASS=${input.password}
          - USER=${input.user}
          - echo $USER:$PASS | /usr/sbin/chpasswd
          - sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config
          - service ssh reload
          - curl -L https://bootstrap.saltstack.com -o install_salt.sh
          - sudo sh install_salt.sh -A ${propgroup.SaltStackConfiguration.masterAddress}

Example - Windows-based deployment and Cloudbase-init

A sample cloud template configuration for deploying minions for a Windows-based machine that supports Cloudbase-init is shown below:

formatVersion: 1
inputs: {}
resources:
  WindowsVM-Minion:
    type: Cloud.vSphere.Machine
    properties:
      image: win2016
      flavor: medium
      **customizationSpec: Windows**
      **minionId:** '${resource.WindowsVM-Minion.resourceName}'
      networks:
        - network: '${resource.wpnet.id}'
          name: '${wpnet.name}'
          assignPublicIpAddress: true
      **cloudConfig:** |
        #ps1_sysnative
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -OutFile C:\Salt-Minion-3002.2-Py3-AMD64-Setup.exe -Uri https://repo.saltstack.com/windows/Salt-Minion-3002.2-Py3-AMD64-Setup.exe
        Start-Process -Wait -FilePath "C:\Salt-Minion-3002.2-Py3-AMD64-Setup.exe" -ArgumentList "/S" -PassThru
        ((Get-Content -path C:\salt\conf\minion -Raw) -replace "#master: salt", "master: ${**propgroup.SaltStackConfiguration.masterAddress**}") | Set-Content -Path C:\salt\conf\minion
        ((Get-Content -path C:\salt\conf\minion -Raw) -replace "#master_finger: ''", "master_finger: '${**propgroup.SaltStackConfiguration.masterFingerPrint**}'") | Set-Content -Path C:\salt\conf\minion
        Set-Content -Path C:\salt\conf\**minion\_id** -Value '${resource.WindowsVM-Minion.resourceName}'
        C:\salt\salt-call.bat service.restart salt-minion
  wpnet:
    type: Cloud.Network
    properties:
      name: wpnet
      networkType: existing

How to configure PowerShell commands

You configure PowerShell commands in the cloudConfig section of your cloud templates.

Before you enable PowerShell commands, download the Salt minion package from the Salt repo web site. Then complete the following steps:

1. Install the Salt minion service in the Windows VM.
2. Update the Salt master host name value in the minion configuration.
3. Update the Salt master fingerprint value in the minion configuration.
4. Set the minion_id to the VM resource name that will be used to accept the minion on the Salt master.
5. Restart the minion.

More information about deploying Salt minions

For alternative methods of using integrated Tanzu Salt to deploy Salt minions from a VMware Aria Automation cloud template, see Assembler and ABX Secrets (and how to use them for installing Tanzu Salt Minion Agents).

For related information about defining and deploying Automation Assembler templates in general, especially if you are familiar with Config but new to Aria Automation, see Designing your Assembler deployments.