Salt is necessary to run the SaltStack Config installation. At a bare minimum, Salt and its dependencies must be installed on the nodes that are involved in a standard SaltStack Config installation scenario.

You are strongly encouraged to install Salt beforehand on any infrastructure that you plan to manage with SaltStack Config. Installing Salt simplifies and streamlines the process of updating to future versions of Salt. Before you begin your SaltStack Config installation, consider installing Salt on your infrastructure and then monitoring it for a period of time to ensure it is stable and running as expected.

Consult these guides to ensure your environment is following best practices when implementing Salt in your infrastructure:

In order to prepare your machines for a standard installation of SaltStack Config, you need to install or upgrade Salt and Python. Salt and Python need to be present and updated on all nodes that are involved in the installation. The installation fails if Salt and the installer’s dependencies are not installed on your nodes.

Install Salt dependencies

These dependencies must be installed on all nodes that are involved in the installation. In a standard installation, you must install these dependencies on all nodes that will host the Salt master, RaaS, the Redis database, and the PostgreSQL database:

  • OpenSSL
  • Extra Packages for Enterprise Linux (EPEL)
  • Python cryptography
  • Python OpenSSL library

To check that these dependencies are present:

  1. In the terminal, verify that these dependencies are installed on each node:
    sudo yum list installed | grep openssl
    sudo yum list installed | grep epel-release
    sudo yum list installed | grep python36-cryptography
    sudo yum list installed | grep python36-pyOpenSSL
  2. If the dependencies are not present, install the dependencies:
    sudo yum install openssl
    sudo yum install epel-release -y
    sudo yum install python36-cryptography
    sudo yum install python36-pyOpenSSL
    Caution:

    Ensure that you install the python36-pyOpenSSL package. It is necessary to configure SSL after installation, but this step must be complete before installation.

Install Salt on the Salt master(s)

In a standard installation, you need to install both the Salt master service and the minion service on the Salt master host.

These instructions install the latest Salt release on Redhat/Centos 7 PY3. If your machine is running a different operating system or version of Python, the script will not work. For information about installing Salt on other operating systems or Python versions, see the SaltStack Package Repo.
Note: Centos 7, by default, blocks connections to the Salt master. You must create firewall rules to allow connectivity:
  • firewall-cmd --permanent --zone=public --add-port=4505-4506/tcp
  • firewall-cmd --reload
For more information, see Opening the Firewall up for Salt.
  1. Install the Salt project repository and key:
    sudo yum install https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest.el7.noarch.rpm
  2. Clear the cache:
    sudo yum clean expire-cache
  3. Install the Salt master service and the minion service on the Salt master node:
    sudo yum install salt-master
    sudo yum install salt-minion
  4. Create a master.conf file in the /etc/salt/minion.d directory. In this file, set the Salt master’s IP address to point to itself:
    master: localhost
  5. Start the Salt master service and minion service:
    sudo systemctl start salt-master
    sudo systemctl enable salt-minion
    sudo systemctl start salt-minion

    Use service salt-minion restart to restart the minions if needed.

Install Salt on the Salt minions

After installing Salt on the Salt master as described in the previous section, the next step is to install the minion service (not the master service) on the three nodes that will become the RaaS, a Redis database, and a PostgreSQL database.

Then, you need to configure the minions to communicate with the Salt master. For more detailed information about installing the minion service, see Minion Configuration in the Salt documentation.

To install the minion service:

  1. Install only the minion service by running the following command:
    sudo yum install salt-minion
  2. Answer y to all prompts to accept all changes.
  3. Configure each minion to communicate with the Salt master by creating a master.conf file in the /etc/salt/minion.d directory. In this file, provide the Salt master’s IP address. For example:
    master: 192.0.2.1
  4. Start the minion service:
    sudo systemctl enable salt-minion
    sudo systemctl start salt-minion

    Use servicesalt-minionrestart to restart the minions if needed.

  5. Repeat the previous steps for all remaining nodes.

Accept the minion keys on the master(s)

At this point, you have installed the Salt master service and minion service, and you have provided your minions with the Salt master’s IP address. Now, in order for the Salt master to send commands to the minions, the next step to accept the minion keys on the Salt master.

Before proceeding:

  • Ensure the Salt master service is enabled and started.
  • Ensure the minion is enabled and started on all the nodes.

To accept the keys:

  1. In the Salt master’s terminal, list all the keys that are on Salt master:
    salt-key -L
  2. Check that all the minion IDs are listed in Unacceptedkeys.

    If the minion IDs appear in Acceptedkeys, no further action is needed as this is the end goal.

  3. Accept each minion ID using the following command, replacing the <your-minion-id> with the ID from your network:
    salt-key -a <your-minion-ID>

    Running salt-key-A accepts all keys.

  4. Answer y to all prompts.
  5. Run the salt-key-L command a second time to confirm all minions appear in Acceptedkeys.

Installing Salt in an air-gapped system

The one exception to the general recommendation to install Salt beforehand is when you are installing SaltStack Config in an air-gapped system. Be aware that there are trade-offs of installing Salt on your infrastructure in an air-gapped system.

The SaltStack Config installer can install the latest stable version of Salt as it runs. However, the version of Salt that is installed by the SaltStack Config installer is called the Salt Crystal package. This package is primarily intended for use in air-gapped systems where it is not possible to update Salt over the Internet. Because it is intended for use in air-gapped systems, the version of Salt in the Salt Crystal package cannot be updated over the Internet and must be manually updated. For information about updating the Salt Crystal package, see Upgrading Salt Crystal.

The inability to update Salt regularly over the Internet could become problematic for your network unless your network is air-gapped. For that reason, it is strongly recommended that you install Salt beforehand rather than using the Salt Crystal package.