- Salt Cookbook
- Anirban Saha
- 2021-07-16 13:21:54
Installing and configuring the Salt master
In this section, we are going to configure the most important component of the Salt architecture—the Salt master. We'll install the Salt master package and configure the most important parameters needed for our infrastructure.
How to do it...
Let's see how we can install the Salt master on various types of OS.
Installing the Salt master on RedHat/CentOS/Fedora
- Salt packages are available in the EPEL repository. First, the repository needs to be added to the system. As the system being used is CentOS 6.5 (64-bit), we are using the epel-release package at http://dl.fedoraproject.org/pub/epel/6/x86_64/. This needs to be changed as per the version and architecture of the operating system being used:
[root@salt-master ~]# rpm -ihv \
http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
- After the EPEL release package has been installed, we will install the salt-master package with the following command, and the dependencies should automatically be fetched from the repository:
[root@salt-master ~]# yum -y install salt-master
Installing the Salt master on Ubuntu
While installing the Salt master on Ubuntu, the SaltStack PPA repository needs to be added to the system. It is to be noted that the following commands need to be executed as a privileged user, that is, either the root user can be used, or the sudo command needs to be added before the mentioned commands:
- The following command adds the add-apt-repository binary to the system:
[root@salt-master ~]# apt-get -y install python-software-properties
- Now, we will add the repository with the command given here:
[root@salt-master ~]# add-apt-repository ppa:saltstack/salt
- The Salt master package then needs to be installed with the following command:
[root@salt-master ~]# apt-get -y install salt-master
Configuring the Salt master
The primary configuration file for the Salt master is /etc/salt/master. It is also a good practice to create additional configuration files in /etc/salt/master.d/ with the .conf extension, and they will get read along with all the other files when the Salt master daemon starts.
Most of the Salt configuration parameters are set by default and need not be set explicitly. However, let's look at some of the important parameters that can be altered to suit one's needs:
- To determine which network interface the service binds to:
interface: 0.0.0.0
- The port on which to listen for client node (minion) communications:
publish_port: 4505
- The path that gets prepended to other files such as log_file, pki_dir, and cache_dir if set. It is also to be noted that this path gets prepended to all other defined configuration parameters in the master configuration files, where each of them is also explained in detail:
root_dir: /
- The directory to hold the master and minion keys that have already been authenticated or rejected:
pki_dir: /etc/salt/pki/master
- The file containing log entries for the master daemon:
log_file: /var/log/salt/master
- The file that allows the keys of the hosts that match the listed patterns to be accepted automatically (it is always a good practice to define this file). We will uncomment this line and set the filename as follows:
autosign_file: /etc/salt/autosign.conf
- Edit the file /etc/salt/autosign.conf and set the content to be a wildcard entry as follows (this is being done to facilitate easier demonstrations in the rest of the book; it is to be noted that this is a security risk otherwise):
*
- The Salt service daemon then needs to be started and configured to start at boot time.
On RedHat/CentOS/Fedora:
[root@salt-master ~]# service salt-master start
[root@salt-master ~]# chkconfig salt-master on
On Ubuntu, the installation process automatically starts the daemon, hence the daemon needs to be restarted:
[root@salt-master ~]# service salt-master restart
[root@salt-master ~]# update-rc.d salt-master defaults
The firewall needs to be configured to allow communication on ports 4505 and 4506 from the minions:
[root@salt-master ~]# iptables -A INPUT -m state --state new \
-m tcp -p tcp --dport 4505 -j ACCEPT
[root@salt-master ~]# iptables -A INPUT -m state --state new \
-m tcp -p tcp --dport 4506 -j ACCEPT
- Save the firewall rules:
On RedHat/CentOS/Fedora:
[root@salt-master ~]# service iptables save
On Ubuntu:
[root@salt-master ~]# iptables-save
In the scenario that a virtualized environment is being used, such as a cloud provider, the aforementioned ports should be opened in the respective security group of the master node.
How it works...
The salt-master package provides the Salt master service. It also requires a few other dependencies, such as the ZeroMQ library, msgpack, jinja, yaml, and so on, which are automatically pulled along with the package from the configured repositories.
Most of the Salt configuration parameters are set by default and need not be explicitly mentioned in the file. The options can be found commented in the file and act as the defaults. However, if they need to be changed, then they can be uncommented and necessary changes can be made.
We have explicitly uncommented the autosign_file parameter and set the value as /etc/salt/autosign.conf:
autosign_file: /etc/salt/autosign.conf
We then populated the file with a wildcard entry, that is, *, to allow all minions' certificate requests to be automatically signed and accepted by the master.
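An audit check for the wildcard risk noted above, added here as an example and not code from the book or from Salt. It assumes autosign entries are matched by exact string, then glob, then full-string regex (a model of Salt's documented behaviour), and reports entries that would accept minion IDs outside an assumed naming scheme; the function names, probe IDs and example.com hostnames are hypothetical.

```python
import fnmatch
import re

# Constructed minion IDs that fall outside the assumed naming scheme;
# no autosign entry should accept them.
PROBE_IDS = ["unknown-host.invalid", "web99.lab.invalid"]

# Constructed file contents: the book's demo file, a scoped file, a loose file.
BOOK_FILE = "*\n"
SCOPED_FILE = "# prod hosts\nweb[0-9][0-9].prod.example.com\ndb01.prod.example.com\n"
LOOSE_FILE = "web*\n.*\n"


def entry_matches(minion_id, entry):
    """Assumed matching model: exact string, then glob, then full-string regex."""
    if minion_id == entry or fnmatch.fnmatchcase(minion_id, entry):
        return True
    try:
        return re.fullmatch(entry, minion_id) is not None
    except re.error:  # entry is not a valid regex, e.g. a bare "*"
        return False


def audit_autosign(text, probes=PROBE_IDS):
    """Return (line_no, entry, accepted_probes) for each over-broad entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # skip blank lines and comments
        accepted = [p for p in probes if entry_matches(p, entry)]
        if accepted:
            findings.append((line_no, entry, accepted))
    return findings


if __name__ == "__main__":
    for name, text in [("book", BOOK_FILE), ("scoped", SCOPED_FILE), ("loose", LOOSE_FILE)]:
        print(name, audit_autosign(text))
```

A glob such as web* still accepts any ID that begins with web, so entries are best written as full hostnames or tightly bounded patterns.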
Finally, the service daemons for salt master are started/restarted, configured to start automatically at boot time, and firewalls are configured to open the ports 4505 and 4506 for communication with the minions using the system-specific commands.
See also
- The Salt multi-master setup (active-active mode) and Salt multi-master setup (active-passive mode) recipes in Chapter 3, Modules, Orchestration, and Scaling Salt, to learn more about highly available and redundant Salt master setups
- The Configuring the Salt environment and pillar paths recipe, for advanced configuration of the Salt master