Salt is an open-source configuration management, remote execution, and infrastructure automation platform. It enables centralized management of servers and cloud systems by allowing administrators to:
- Execute commands across multiple systems simultaneously
- Enforce desired configurations (Infrastructure as Code)
- Automate deployments and patching
- Orchestrate complex workflows
- Manage hybrid and multi-cloud environments
Salt primarily operates using a Master–Minion architecture, with optional agentless execution using salt-ssh.
salt-master:
The central control node responsible for:
The agent installed on managed systems:
Agentless execution method:
Hierarchical scaling component:
Cloud provisioning tool:
RESTful API interface:
Enables external systems to interact with Salt
Used in CI/CD, dashboards, and automation platforms
Allows programmatic control of infrastructure
The central control node responsible for:
- Sending commands to minions
- Managing authentication keys
- Storing and serving state files
- Publishing jobs on port 4505
- Receiving job returns on port 4506
The agent installed on managed systems:
- Establishes encrypted connection to master
- Executes commands and states
- Returns execution results
- Maintains persistent communication
Agentless execution method:
- Uses SSH instead of minion service
- No agent installation required
- Suitable for restricted environments
Hierarchical scaling component:
- Connects multiple lower-level masters to a higher-level master
- Used in large enterprise environments
- Improves scalability and segmentation
Cloud provisioning tool:
- Creates and manages cloud instances
- Integrates with public cloud providers
- Can automatically bootstrap minions
RESTful API interface:
Enables external systems to interact with Salt
Used in CI/CD, dashboards, and automation platforms
Allows programmatic control of infrastructure
Communication Model:
Salt uses a high-speed publish/subscribe (pub/sub) messaging system.
Salt uses a high-speed publish/subscribe (pub/sub) messaging system.
- Port 4505 → Master publishes commands
- Port 4506 → Minions return execution results
Authentication Process:
- Minion starts and connects to master
- Minion sends its public key
- Master administrator accepts the key
- Secure communication begins
salt-key
1. Installing Salt Components
1.1 Add Salt Repository
# curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo | sudo tee /etc/yum.repos.d/salt.repo
1.2 Install Packages
# dnf install salt-master
# dnf install salt-minion
# dnf install salt-ssh
# dnf install salt-syndic
# dnf install salt-cloud
# dnf install salt-api
1.1 Add Salt Repository
# curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo | sudo tee /etc/yum.repos.d/salt.repo
1.2 Install Packages
# dnf install salt-master
# dnf install salt-minion
# dnf install salt-ssh
# dnf install salt-syndic
# dnf install salt-cloud
# dnf install salt-api
2. Service Management
Enable and start services:
# systemctl enable salt-master && sudo systemctl start salt-master
# systemctl enable salt-minion && sudo systemctl start salt-minion
# systemctl enable salt-syndic && sudo systemctl start salt-syndic
# systemctl enable salt-api && sudo systemctl start salt-api
Check status:
# systemctl status salt-master
# systemctl status salt-minion
3. Salt Master Configuration
3.1 Network Settings
Default:
Binds to all interfaces
Ports 4505 and 4506
Custom configuration:
# vi /etc/salt/master.d/network.conf
interface: 192.168.10.20
ret_port: 4506
publish_port: 4505
3.2 Worker Threads
# vi /etc/salt/master.d/thread_options.conf
worker_threads: 5
4. Salt Minion Configuration
4.1 Master Address
# vi /etc/salt/minion.d/master.conf
master: 192.168.10.20
4.2 Minion ID
# vi /etc/salt/minion.d/id.conf
id: rebel_1
5. Remote Deployment via Jump Server:
Deployment can be automated using shell scripts executed from a centralized jump server.
5.1 master.sh
Usage
# ./master.sh <master-server>
Script:
#!/bin/bash
if [ -z "$1" ]; then
echo "Usage: ./master.sh <master-server>"
exit 1
fi
MASTER_HOST=$1
ssh $MASTER_HOST <<'EOF'
sudo curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo -o /etc/yum.repos.d/salt.repo
sudo dnf install -y salt-master salt-ssh salt-syndic salt-cloud salt-api
sudo mkdir -p /etc/salt/master.d
sudo tee /etc/salt/master.d/network.conf > /dev/null <<EOC
interface: 0.0.0.0
ret_port: 4506
publish_port: 4505
EOC
sudo tee /etc/salt/master.d/thread_options.conf > /dev/null <<EOC
worker_threads: 5
EOC
sudo systemctl enable salt-master
sudo systemctl restart salt-master
sudo systemctl enable salt-api
sudo systemctl restart salt-api
EOF
5.2 minion.sh
Usage
# ./minion.sh <client-server> <master-ip>
Script:
#!/bin/bash
if [ -z "$1" ] || [ -z "$2" ]; then
echo "Usage: ./minion.sh <client-server> <master-ip>"
exit 1
fi
CLIENT_HOST=$1
MASTER_IP=$2
ssh $CLIENT_HOST <<EOF
sudo curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo -o /etc/yum.repos.d/salt.repo
sudo dnf install -y salt-minion
sudo mkdir -p /etc/salt/minion.d
sudo tee /etc/salt/minion.d/master.conf > /dev/null <<EOC
master: $MASTER_IP
EOC
sudo tee /etc/salt/minion.d/id.conf > /dev/null <<EOC
id: \$(hostname -s)
EOC
sudo systemctl enable salt-minion
sudo systemctl restart salt-minion
EOF
Usage
# ./minion.sh <client-server> <master-ip>
Script:
#!/bin/bash
if [ -z "$1" ] || [ -z "$2" ]; then
echo "Usage: ./minion.sh <client-server> <master-ip>"
exit 1
fi
CLIENT_HOST=$1
MASTER_IP=$2
ssh $CLIENT_HOST <<EOF
sudo curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo -o /etc/yum.repos.d/salt.repo
sudo dnf install -y salt-minion
sudo mkdir -p /etc/salt/minion.d
sudo tee /etc/salt/minion.d/master.conf > /dev/null <<EOC
master: $MASTER_IP
EOC
sudo tee /etc/salt/minion.d/id.conf > /dev/null <<EOC
id: \$(hostname -s)
EOC
sudo systemctl enable salt-minion
sudo systemctl restart salt-minion
EOF
6. Key Management
View keys:
salt-key
Accept specific key:
# salt-key -a <minion-id>
Accept all:
# salt-key -A
Delete key:
# salt-key -d <minion-id>
Automatically accepting keys is not recommended in production environments.
View keys:
salt-key
Accept specific key:
# salt-key -a <minion-id>
Accept all:
# salt-key -A
Delete key:
# salt-key -d <minion-id>
Automatically accepting keys is not recommended in production environments.
7. Testing Connectivity
# salt '*' test.ping
Expected output:
minion-id:
True
8. Security Best Practices
- Do not expose Salt Master to the public internet
- Restrict ports 4505 and 4506
- Avoid auto_accept: True in production
- Bind master to private interface
- Regularly audit and rotate keys
- Monitor /var/log/salt/
9. Salt Master Reference — Execution Modules + State Keys + Orchestration
This reference provides a comprehensive overview of SaltStack for system administrators and DevOps engineers. It includes:
- Execution Modules – Commands to manage packages, services, files, users, networking, cloud resources, and Windows systems.
- State / SLS Keys – All keys and arguments used in Salt states (name, enable, require, watch, onlyif, onchanges, etc.) for declarative configuration management.
- Orchestration & Targeting Keys – Keys for multi-minion orchestration (tgt, tgt_type, batch, queue, failhard, pillar) to coordinate tasks across complex environments.
This master cheat sheet enables efficient, consistent, and secure automation across Linux, Windows, VMware, Azure, GCP, and cloud-native infrastructure, providing a one-stop reference for both beginners and experienced Salt users.
Targeting Keys (Orchestration / Remote Execution)
tgt ---> Target expression for minions (e.g., '*', 'web*', 'G@os:Ubuntu')
tgt_type ---> Type of target expression (glob, list, grain, pillar, regex, etc.)
batch ---> Run state in batches (percentage or count)
queue ---> Queue states to run sequentially
expr_form ---> Alias for tgt_type
failhard ---> Stop orchestration if a minion fails (True/False)
State / SLS Keys (All States)
name ---> Name of the resource (package, service, file, user)
sls ---> Reference SLS file(s) to apply
include ---> Include other SLS files
exclude ---> Exclude specific SLS files
extend ---> Extend another state declaration
require ---> Require another state before running
require_in ---> Make other state depend on this state
watch ---> Trigger state if watched state changes
watch_in ---> Watch another state to trigger this state
onchanges ---> Run only if another state changes
onfail ---> Run only if another state fails
listen ---> Listen for events
listen_in ---> Trigger state in response to events
order ---> Force execution order (numeric)
force ---> Force execution even if already correct
test ---> Dry-run / check mode (True/False)
File & Directory Keys
source ---> Source file (salt:// or URL)
contents ---> Direct content for file
template ---> Template engine (jinja/mako)
user ---> File owner user
group ---> File owner group
mode ---> File permissions
backup ---> Keep backup of modified file
replace ---> Replace content in file (True/False)
makedirs ---> Create parent directories if missing
saltenv ---> Environment to get source from
Package / Service Keys
version ---> Specific version of package
refresh ---> Refresh repo cache
skip_verify ---> Skip GPG verification
allow_downgrade ---> Allow downgrades
enable ---> Enable service at boot (True/False)
start ---> Start service (True/False)
stop ---> Stop service (True/False)
reload ---> Reload service configuration
masked ---> Mask service
start_type ---> Windows service start type (auto/manual/disabled)
Command / Execution Keys
cwd ---> Current working directory
shell ---> Shell to run command (bash, sh, powershell)
env ---> Environment variables dictionary
timeout ---> Max time to run command (seconds)
runas ---> Run command as a specific user
runas_group ---> Run command as a specific group
onlyif ---> Run state only if command returns True
unless ---> Skip state if command returns True
Cloud / VM Keys
vm_name ---> Name of the VM
host ---> VMware host
datacenter ---> VMware datacenter
resource_group ---> Azure resource group
project ---> GCP project
zone ---> GCP VM zone
template ---> Template to deploy VM
snapshot_name ---> Name of VM snapshot
state ---> Desired state (running, stopped, present, absent)
Pillars & Variables
pillar ---> Pass pillar dictionary or reference
saltenv ---> Specify Salt environment (base, dev, prod)
grains ---> Grain expressions to target minions
context ---> Pass context variables
Scheduling Keys
function ---> Function to execute
minutes ---> Minute interval
hours ---> Hour interval
when ---> Specific time to run
enabled ---> Enable/disable schedule
return_job ---> Return job ID for scheduled state
Orchestration / Event Keys
listen ---> Listen for events
listen_in ---> Trigger state based on another state’s event
onchanges ---> Run if watched state changes
onfail ---> Run if watched state fails
require_in ---> Make other states depend on this state
failhard ---> Stop orchestration on failure
concurrent ---> Run state concurrently
batch ---> Run states in batches
queue ---> Queue execution for sequential order
System & Package Modules
pkg.upgrade ---> Upgrade all packages on a minion
pkg.install ---> Install specified packages
pkg.remove ---> Remove specified packages
pkg.version ---> Check version of a package
pkg.available ---> List available packages from repositories
system.reboot ---> Reboot the minion system
system.shutdown ---> Shutdown the minion system
system.halt ---> Halt the minion system
system.get_hw_info ---> Retrieve hardware info
system.reboot_required ---> Check if reboot required
sysctl.get ---> Get sysctl parameters
sysctl.set ---> Set sysctl parameters
Service & Process Modules
service.start ---> Start a service on a minion
service.stop ---> Stop a service
service.restart ---> Restart a service
service.status ---> Get status of a service
service.enable ---> Enable service at boot
service.disable ---> Disable service at boot
ps.ps ---> List processes
ps.kill ---> Kill process by PID
File & Command Modules
file.manage ---> Manage file attributes and content
file.remove ---> Remove a file or directory
file.copy ---> Copy files on a minion
file.makedirs ---> Create directories recursively
file.symlink ---> Manage symbolic links
file.append ---> Append text to a file
file.replace ---> Replace content in a file
cmd.run ---> Execute arbitrary shell command
cmd.shell ---> Run command in shell interpreter
cmd.exec_code ---> Execute code string
archive.extracted ---> Extract archive file
Users & Groups Modules
user.add ---> Create system user
user.delete ---> Delete system user
user.chpasswd ---> Change user password
group.add ---> Create group
group.delete ---> Delete group
group.adduser ---> Add user to a group
Grains & System Info
grains.items ---> Show all grains
grains.item ---> Show specific grain
grains.setval ---> Set custom grain
grains.delval ---> Delete grain
status.diskusage ---> Show disk usage
status.cpuinfo ---> Show CPU info
status.meminfo ---> Show memory usage
status.uptime ---> Show system uptime
system.version ---> Show Salt version
Windows Modules
win_wua.list ---> List Windows updates
win_wua.update ---> Apply Windows updates
win_service.start ---> Start Windows service
win_service.stop ---> Stop Windows service
win_service.restart ---> Restart Windows service
win_pkg.install ---> Install Windows package (Chocolatey)
win_pkg.remove ---> Remove Windows package
win_user.add ---> Create Windows user
win_user.delete ---> Delete Windows user
reg.read_key ---> Read registry key
reg.write_key ---> Write registry key
reg.delete_key ---> Delete registry key
win_timezone.get ---> Get Windows timezone
win_timezone.set ---> Set Windows timezone
Cloud / Virtualization Modules
vsphere.list_vms ---> List VMs in VMware vCenter
vsphere.power_on ---> Power on VMware VM
vsphere.power_off ---> Power off VMware VM
vsphere.snapshot_create ---> Create snapshot of VM
vsphere.snapshot_revert ---> Revert VM to snapshot
azurearm.vm_start ---> Start Azure VM
azurearm.vm_stop ---> Stop Azure VM
azurearm.vm_restart ---> Restart Azure VM
gcpcompute.list_instances ---> List GCP VMs
gcpcompute.start ---> Start GCP VM
gcpcompute.stop ---> Stop GCP VM
saltcloudmod.create ---> Create cloud instance via Salt Cloud
saltcloudmod.destroy ---> Destroy cloud instance via Salt Cloud
Networking & Misc Modules
network.interfaces ---> List network interfaces
network.ip_addrs ---> List IP addresses
network.routes ---> Show routing table
hosts.manage ---> Manage /etc/hosts
dnsmasq.configure ---> Configure dnsmasq
iptables.append_rule ---> Append iptables rule
iptables.delete_rule ---> Delete iptables rule
firewalld.add_port ---> Add port to firewalld
firewalld.remove_port ---> Remove port from firewalld
docker.running ---> Ensure Docker container running
docker.stopped ---> Ensure Docker container stopped
Scheduling & Utility Modules
schedule.list ---> List scheduled jobs
schedule.modify ---> Modify scheduled job
schedule.delete ---> Delete scheduled job
saltutil.refresh_modules ---> Refresh modules on minion
saltutil.sync_all ---> Sync modules, states, grains, etc.
mine.send ---> Publish data to Salt Mine
mine.get ---> Retrieve data from Salt Mine
mine.update ---> Update mine functions
test.ping ---> Ping minion
test.version ---> Show minion version
test.echo ---> Echo message
random.get_bytes ---> Generate random bytes
sysmod.list_functions ---> List loaded functions
sysmod.doc ---> Show module documentation
Common State / SLS Keys
name ---> Name of resource (package, service, file, user)
sls ---> Reference SLS file(s)
include ---> Include other SLS files
exclude ---> Exclude SLS files
extend ---> Extend another state declaration
require ---> Require another state before running
require_in ---> Make other state depend on this state
watch ---> Trigger state if watched state changes
watch_in ---> Watch another state to trigger this state
onchanges ---> Run only if another state changes
onfail ---> Run only if another state fails
listen ---> Listen for events
listen_in ---> Trigger state based on event in another state
order ---> Force execution order (numeric)
force ---> Force execution even if already correct
test ---> Dry-run / check mode (True/False)
onlyif ---> Run state only if command returns True
unless ---> Skip state if command returns True
backup ---> Keep backup of modified file
template ---> Template engine (jinja/mako)
contents ---> Direct content for file
source ---> File source (salt:// or URL)
user ---> Owner user
group ---> Owner group
mode ---> File permissions
makedirs ---> Create parent directories if missing
start_type ---> Windows service start type
timeout ---> Max time to run command
env ---> Environment variables dictionary
cwd ---> Current working directory
shell ---> Shell for command execution
runas ---> Run as specific user
runas_group ---> Run as specific group
Orchestration / Remote Execution Keys
tgt ---> Target minions (*, web*, G@os:Ubuntu)
tgt_type ---> Target expression type (glob, list, grain, pillar, regex)
expr_form ---> Alias for tgt_type
batch ---> Run state in batches (percentage or number)
queue ---> Queue execution sequentially
failhard ---> Stop orchestration on failure (True/False)
pillar ---> Pass pillar data dictionary
saltenv ---> Salt environment (base/dev/prod)
grains ---> Grain expression for targeting
context ---> Pass context variables
concurrent ---> Run state concurrently
return_job ---> Return job ID
10. Salt Command CLI Reference:
salt (Remote Execution)
salt '*' test.ping ---> Test connectivity to all minions
salt 'web*' cmd.run 'uptime' ---> Run shell command on minions matching web*
salt -G 'os:Rocky' test.version ---> Run function on minions with grain os:Rocky
salt -L 'web1,db1' service.restart nginx ---> Restart nginx on specific minions
salt -E 'web[0-9]' pkg.install vim ---> Install vim on minions matching regex
salt -C 'G@os:Rocky and web*' cmd.run 'uptime' ---> Compound targeting based on grains and names
salt '*' state.apply nginx ---> Apply nginx state to all minions
salt '*' state.highstate ---> Apply top file states to all minions
salt '*' state.apply test=True ---> Dry-run state application (no changes)
salt '*' grains.items ---> Show all grains
salt '*' grains.item os ---> Show specific grain
salt '*' grains.setval role web ---> Set grain 'role' to 'web'
salt '*' grains.delval role ---> Delete grain 'role'
salt '*' pillar.items ---> Show all pillar data
salt '*' pillar.item database ---> Show specific pillar item
salt '*' saltutil.refresh_pillar ---> Refresh pillar data on minions
salt '*' network.interfaces ---> Show network interfaces
salt '*' saltutil.sync_all ---> Sync all modules from master to minions
salt '*' saltutil.refresh_modules ---> Refresh modules on minions
salt-call (Local Execution)
salt-call test.ping ---> Test connectivity locally on minion
salt-call state.apply ---> Apply all states locally
salt-call grains.items ---> Show all grains on minion
salt-call pillar.items ---> Show all pillar data on minion
salt-call --local test.ping ---> Run command locally without master
salt-key (Key Management)
salt-key -L ---> List all minion keys (Accepted, Unaccepted, Rejected)
salt-key -a <minion-id> ---> Accept a specific minion key
salt-key -A ---> Accept all pending minion keys
salt-key -r <minion-id> ---> Reject a specific minion key
salt-key -R ---> Reject all pending keys
salt-key -d <minion-id> ---> Delete a specific minion key
salt-key -D ---> Delete all minion keys
salt-key -f <minion-id> ---> Show fingerprint of a specific key
salt-key --list-accepted ---> List only accepted keys
salt-key --list-unaccepted ---> List only unaccepted keys
salt-key --list-rejected ---> List only rejected keys
salt-key --gen-keys=<name> ---> Generate new key pair
salt-key --gen-signature ---> Generate signing key
salt-run (Runner Modules / Orchestration)
salt-run jobs.list_jobs ---> List all jobs executed by Salt
salt-run jobs.lookup_jid <job_id> ---> Lookup result of a specific job
salt-run jobs.active ---> Show currently running jobs
salt-run manage.up ---> Show minions currently connected
salt-run manage.down ---> Show minions currently disconnected
salt-run state.orchestrate <orchestrate_file> ---> Run orchestration file
salt-run state.orchestrate test=True ---> Dry-run orchestration
salt-run state.event ---> Listen to Salt event bus
salt-run state.event pretty=True ---> Pretty-print events for debugging
salt-cp (File Copy)
salt-cp '*' /etc/hosts /tmp/hosts ---> Copy /etc/hosts from master to all minions
salt-cp 'web1' /tmp/nginx.conf /etc/nginx/nginx.conf ---> Copy file to specific minion
salt-ssh (Agentless Execution)
salt-ssh '*' test.ping ---> Test connectivity over SSH without minion
salt-ssh 'web1' cmd.run 'uptime' ---> Run shell command via SSH on minion
salt-ssh 'db*' state.apply ---> Apply states on agentless minions
salt-cloud (Cloud Management)
salt-cloud --list-providers ---> List configured cloud providers
salt-cloud --list-instances ---> List current cloud instances
salt-cloud -p <profile> <vm_name> ---> Create new VM using profile
salt-cloud -d <vm_name> ---> Destroy a cloud instance
salt-cloud --destroy-all ---> Destroy all cloud instances
salt-cloud -f <provider> ---> Destroy all instances for a specific provider
salt-cloud --profile-list ---> List all profiles
salt-master / salt-minion (Daemon Management)
salt-master ---> Start Salt master in foreground
salt-minion ---> Start Salt minion in foreground
systemctl start salt-master ---> Start Salt master service
systemctl stop salt-master ---> Stop Salt master service
systemctl restart salt-minion ---> Restart Salt minion service
systemctl status salt-minion ---> Check status of minion service
systemctl start salt-syndic ---> Start syndic service
systemctl status salt-syndic ---> Check syndic status
systemctl start salt-api ---> Start Salt API service
systemctl stop salt-api ---> Stop Salt API service
Testing & Debug
salt '*' test.ping ---> Test connectivity
salt '*' test.version ---> Show Salt version
salt '*' test.echo "hello" ---> Echo a message
salt '*' saltutil.sync_all ---> Sync all modules from master to minions
salt '*' saltutil.refresh_modules ---> Refresh modules on minions
Example Salt Playbook — example.sls
# example.sls
# Description: Demonstrates pkg, service, file, user, grains, pillar, and orchestration keys
# 1. Upgrade all packages
upgrade_system:
pkg.upgrade:
- name: '*'
- refresh: True
- test: False # Set True for dry-run
# 2. Install nginx package
install_nginx:
pkg.installed:
- name: nginx
- require:
- pkg: upgrade_system
# 3. Ensure nginx service is running and enabled
nginx_service:
service.running:
- name: nginx
- enable: True
- require:
- pkg: install_nginx
# 4. Deploy nginx configuration file from master
nginx_config:
file.managed:
- name: /etc/nginx/nginx.conf
- source: salt://nginx/files/nginx.conf
- user: root
- group: root
- mode: '0644'
- require:
- pkg: install_nginx
- service: nginx_service
- watch_in:
- service: nginx_service
# 5. Add a deploy user
deploy_user:
user.present:
- name: deploy
- uid: 1500
- shell: /bin/bash
- groups:
- sudo
# 6. Set a custom grain value
set_role_grain:
grains.present:
- name: role
- value: web
# 7. Conditional execution example
reload_nginx_if_config_changed:
service.running:
- name: nginx
- watch:
- file: nginx_config
# 8. Orchestration key example (batch + failhard)
upgrade_and_restart_web:
module.run:
- name: state.apply
- tgt: 'web*'
- batch: 50%
- failhard: True
Example Execution Script — run_playbook.sh
#!/bin/bash
# Script: run_playbook.sh
# Description: Execute Salt states on a remote minion or group
# Usage: ./run_playbook.sh <target-minion>
TARGET=$1
if [ -z "$TARGET" ]; then
echo "Usage: $0 <target-minion>"
exit 1
fi
# Test connectivity
echo "Testing connectivity to minion $TARGET..."
salt "$TARGET" test.ping
# Apply top file highstate
echo "Applying highstate on $TARGET..."
salt "$TARGET" state.highstate
# Apply specific SLS file
echo "Applying example.sls on $TARGET..."
salt "$TARGET" state.apply example
# Restart nginx if configuration changed
echo "Ensuring nginx service is running and config is applied..."
salt "$TARGET" state.apply example test=False
No comments:
Post a Comment