Most users find it helpful to understand what SaltStack Config is and how it works before they begin the installation process. SaltStack Config consists of four or more architectural components, including the RaaS server, the Master Plugin, and two central databases.

Note: As part of VMware’s initiative to remove problematic terminology, the term Salt master will be replaced with a better term in SaltStack Config and related products and documentation. This terminology update may take a few release cycles before it is fully complete.

What is SaltStack Config?

With SaltStack Config, you can provision, configure, and deploy software to your virtual machines at any scale using event-driven automation. You can also use SaltStack Config to define and enforce optimal, compliant software states across your entire environment.

SaltStack Config is powered by Salt, an open-source configuration management and automation system. If you are new to Salt and are unfamiliar with how it works, see Salt system architecture.

SaltStack Config extends Salt’s automated, event-driven configuration management platform by providing additional features, such as:

  • Role-based access controls - Ensures that network engineers only have access to the resources and jobs that are necessary to fulfill their specific work responsibilities.
  • A user-friendly interface - In addition to the ability to execute commands from the command line, SaltStack Config also provides a graphical user interface for ease of use.
  • Security automation - Optional add-ons bringing you automated vulnerability remediation and continuous compliance for hybrid IT systems.

The following diagram shows the primary components of the basic SaltStack Config architecture that are relevant to installation:

The following sections describe the core components of the SaltStack Config architecture.

Note: SaltStack Config supports two core installation scenarios, which result in two different system architectures. In the Lifecycle Manager installation scenario, a Salt master, SaltStack Config, a Redis database, and a PostgreSQL database all run on the same node. In the multi-node installation scenario, a Salt master, SaltStack Config, a Redis database, and a PostgreSQL database are distributed across at least two nodes. Each service can run on a separate node, or you can combine two or more services on a given node.

Salt masters and the Master Plugin

The Salt master is the main connection between SaltStack Config and the rest of the nodes on your network (the minions). When you issue a command from SaltStack Config (such as a job), the command goes to the Salt master for distribution to the targeted minions.

The Master Plugin is installed on the Salt master. It allows the Salt master to communicate with the SaltStack Config backend server, the RaaS node. The Master Plugin allows the Salt master to access jobs or processes initiated by SaltStack Config, as well as external files and pillar data that are stored on the PostgreSQL database.

The plugin integrates with the existing extension points provided by Salt. For example, job returns are collected using a Salt master-side Salt external job cache, and the RaaS file server uses a Salt fileserver plugin.

Note: You can connect more than one Salt master to SaltStack Config. Each Salt master that connects to SaltStack Config needs to have the Master Plugin installed.
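
The following Python check is an added example, not part of the product or its documentation: it reads a Salt master configuration and reports which extension points (external job cache, fileserver backend, external pillar) are handed to the Master Plugin, which is useful when auditing several connected Salt masters. It assumes the plugin registers under the name `sseapi`, which the page does not state; the sample configuration is constructed, and the parser handles only flat `key: value` and list entries.

```python
import re

# Assumption: the Master Plugin registers under this name; the page does not state it.
PLUGIN = "sseapi"

# Constructed sample of a Salt master config drop-in (not taken from the page).
SAMPLE_CONF = """\
# constructed example
master_job_cache: sseapi
fileserver_backend:
  - sseapi
  - roots
ext_pillar:
  - git: main https://example.invalid/pillar.git
"""

def parse_flat(text):
    """Parse only the flat YAML subset used above: 'key: value' and 'key:' + '- item'."""
    conf, key = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = re.match(r"([A-Za-z_]\w*):\s*(.*)$", line)
        if top:
            key, value = top.group(1), top.group(2).strip()
            conf[key] = value if value else []
        elif key and isinstance(conf[key], list) and line.lstrip().startswith("- "):
            conf[key].append(line.lstrip()[2:].strip())
    return conf

def plugin_wiring(text, plugin=PLUGIN):
    """Report which Salt extension points are handed to the plugin."""
    conf = parse_flat(text)

    def names(option):
        value = conf.get(option, [])
        items = value if isinstance(value, list) else [value]
        # "- sseapi: {}" style entries are single-key mappings; keep the key.
        return [item.split(":", 1)[0].strip() for item in items]

    return {
        "job_cache": conf.get("master_job_cache") == plugin,  # external job cache
        "fileserver": plugin in names("fileserver_backend"),  # fileserver plugin
        "pillar": plugin in names("ext_pillar"),              # external pillar source
    }

if __name__ == "__main__":
    print(plugin_wiring(SAMPLE_CONF))
```

In the constructed sample the job cache and file server go through the plugin while pillar still comes from another source, so pillar data stored in the PostgreSQL database would not reach that master's minions.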


RaaS

RaaS, which stands for Returner as a Service, is the central component in SaltStack Config. In fact, when some people refer to SaltStack Config itself, they are often talking about RaaS.

RaaS provides RPC endpoints to receive management commands from the SaltStack Config user interface, as well as RPC control endpoints to interface with connected Salt masters. All communication is sent using RPC API calls over WebSockets or HTTP(S).

SaltStack Config user interface

The SaltStack Config user interface is a web application that provides the graphical front end for RaaS. Though SaltStack Config is API-first, the user interface communicates directly with the API (RaaS) to enable simple management of all systems in your environment. Different workspaces provide users with the ability to manage minions, users, roles, jobs, and more.

PostgreSQL Database

RaaS uses a PostgreSQL database to store minion data, job returns, event data, files and pillar data, local user accounts, as well as additional settings for the user interface.

Redis Database

RaaS uses a Redis database to store certain types of data in temporary storage, such as cached data. It also uses temporary data storage to distribute queued work to background workers.

SaltStack SecOps

vRealize Automation SaltStack SecOps is an add-on to SaltStack Config that harnesses event-driven automation technology to deliver security compliance and vulnerability remediation. It provides the following types of content:

  • Compliance - Automated compliance detection and remediation for your infrastructure. The compliance content library consists of industry best-practice security and compliance content, such as CIS.
  • Vulnerability - Manages vulnerabilities on all the systems in your environment. Its content library includes advisories based on the latest Common Vulnerabilities and Exposures (CVE) entries.

SaltStack SecOps includes regularly updated content and can also support custom compliance content built inside your own organization. You can automatically or manually download new content as it is developed and released.