Salt is necessary to run the SaltStack Config installation. At a bare minimum, Salt and its dependencies must be installed on the nodes that are involved in a standard SaltStack Config installation scenario.
You are strongly encouraged to install Salt beforehand on any infrastructure that you plan to manage with SaltStack Config. Installing Salt simplifies and streamlines the process of updating to future versions of Salt. Before you begin your SaltStack Config installation, consider installing Salt on your infrastructure and then monitoring it for a period of time to ensure it is stable and running as expected.
Consult these guides to ensure your environment is following best practices when implementing Salt in your infrastructure:
In order to prepare your machines for a standard installation of SaltStack Config, you need to install or upgrade Salt and Python. Salt and Python need to be present and updated on all nodes that are involved in the installation. The installation fails if Salt and the installer’s dependencies are not installed on your nodes.
Install Salt dependencies
These dependencies must be installed on all nodes that are involved in the installation. In a standard installation, you must install these dependencies on all nodes that will host the Salt master, RaaS, the Redis database, and the PostgreSQL database:
- OpenSSL
- Extra Packages for Enterprise Linux (EPEL)
- Python cryptography
- Python OpenSSL library
To check that these dependencies are present:
- In the terminal, verify that these dependencies are installed on each node:
sudo yum list installed | grep openssl sudo yum list installed | grep epel-release sudo yum list installed | grep python36-cryptography sudo yum list installed | grep python36-pyOpenSSL
- If the dependencies are not present, install the dependencies:
sudo yum install openssl sudo yum install epel-release -y sudo yum install python36-cryptography sudo yum install python36-pyOpenSSL
Caution:Ensure that you install the
python36-pyOpenSSL
package. It is necessary to configure SSL after installation, but this step must be complete before installation.
Install Salt on the Salt master(s)
In a standard installation, you need to install both the Salt master service and the minion service on the Salt master host.
firewall-cmd --permanent --zone=public --add-port=4505-4506/tcp
firewall-cmd --reload
- Install the Salt project repository and key:
sudo yum install https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest.el7.noarch.rpm
- Clear the cache:
sudo yum clean expire-cache
- Install the Salt master service and the minion service on the Salt master node:
sudo yum install salt-master sudo yum install salt-minion
- Create a
master.conf
file in the/etc/salt/minion.d
directory. In this file, set the Salt master’s IP address to point to itself:master: localhost
- Start the Salt master service and minion service:
sudo systemctl start salt-master sudo systemctl enable salt-minion sudo systemctl start salt-minion
Use
service salt-minion restart
to restart the minions if needed.
Install Salt on the Salt minions
After installing Salt on the Salt master as described in the previous section, the next step is to install the minion service (not the master service) on the three nodes that will become the RaaS, a Redis database, and a PostgreSQL database.
Then, you need to configure the minions to communicate with the Salt master. For more detailed information about installing the minion service, see Minion Configuration in the Salt documentation.
To install the minion service:
- Install only the minion service by running the following command:
sudo yum install salt-minion
- Answer
y
to all prompts to accept all changes. - Configure each minion to communicate with the Salt master by creating a
master.conf
file in the/etc/salt/minion.d
directory. In this file, provide the Salt master’s IP address. For example:master: 192.0.2.1
- Start the minion service:
sudo systemctl enable salt-minion sudo systemctl start salt-minion
Use
servicesalt-minionrestart
to restart the minions if needed. - Repeat the previous steps for all remaining nodes.
Accept the minion keys on the master(s)
At this point, you have installed the Salt master service and minion service, and you have provided your minions with the Salt master’s IP address. Now, in order for the Salt master to send commands to the minions, the next step to accept the minion keys on the Salt master.
Before proceeding:
- Ensure the Salt master service is enabled and started.
- Ensure the minion is enabled and started on all the nodes.
To accept the keys:
- In the Salt master’s terminal, list all the keys that are on Salt master:
salt-key -L
- Check that all the minion IDs are listed in
Unacceptedkeys
.If the minion IDs appear in
Acceptedkeys
, no further action is needed as this is the end goal. - Accept each minion ID using the following command, replacing the <your-minion-id> with the ID from your network:
salt-key -a <your-minion-ID>
Running
salt-key-A
accepts all keys. - Answer
y
to all prompts. - Run the
salt-key-L
command a second time to confirm all minions appear inAcceptedkeys
.
Installing Salt in an air-gapped system
The one exception to the general recommendation to install Salt beforehand is when you are installing SaltStack Config in an air-gapped system. Be aware that there are trade-offs of installing Salt on your infrastructure in an air-gapped system.
The SaltStack Config installer can install the latest stable version of Salt as it runs. However, the version of Salt that is installed by the SaltStack Config installer is called the Salt Crystal package. This package is primarily intended for use in air-gapped systems where it is not possible to update Salt over the Internet. Because it is intended for use in air-gapped systems, the version of Salt in the Salt Crystal package cannot be updated over the Internet and must be manually updated. For information about updating the Salt Crystal package, see Upgrading Salt Crystal.
The inability to update Salt regularly over the Internet could become problematic for your network unless your network is air-gapped. For that reason, it is strongly recommended that you install Salt beforehand rather than using the Salt Crystal package.