
What is SaltStack?

SaltStack is an open-source infrastructure management platform built on a dynamic communications bus. Its architecture has two main components: one Salt Master and several Salt Minions. The Salt Master is the main control system; it sends commands and configuration to the Salt Minions. Salt Minions (also called nodes) are agents that run on the managed servers and receive commands and configuration from the master. At least two servers are required for this setup: one for the master and one for a node. All nodes are configured in the same way.

Pre-Installation Notes

There are two concerns which need to be put forward prior to installing SaltStack.

  • Upgrade PyCrypto: The PyCrypto library usually provided by the default system packages is currently unmaintained and likely insecure. Salt requires PyCrypto as a "lowest common denominator" for backward compatibility. However, because PyCrypto is unmaintained, the best practice is to manually upgrade the system to use a more modern and continually maintained library such as PyCryptodome or, better yet, M2Crypto.
  • Because Python 2.7 reached its End of Life (EOL) status on Jan. 1st 2020, Python 2.x is deprecated in SaltStack version 3000 (Sodium) release and later.

Salt Master Installation

We will perform these install processes on both the Master server and the Minion server. The first step is to make sure our system packages are up to date.

[root@host ~]# apt-get update
Hit:1 http://by.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://by.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://by.archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:4 http://security.ubuntu.com/ubuntu bionic-security InRelease [88,7 kB]  
Get:5 http://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest bionic InRelease [2.126 B]
Get:6 http://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest bionic/main amd64 Packages [3.200 B]
Ign:7 https://dl.bintray.com/tetrate/getenvoy-deb bionic InRelease         
Get:8 https://dl.bintray.com/tetrate/getenvoy-deb bionic Release [5.356 B]
Get:10 http://security.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [38,5 kB]
Get:11 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 48x48 Icons [17,6 kB]
Get:12 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 64x64 Icons [41,5 kB]
Get:13 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [42,1 kB]
Get:14 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 48x48 Icons [16,4 kB]
Get:15 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 64x64 Icons [111 kB]
Get:16 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2.464 B]
Fetched 369 kB in 1s (258 kB/s)                                 
Reading package lists... Done
Building dependency tree    
Reading state information... Done
All packages are up to date.
[root@host ~]#

Now, we need to download the repository key for SaltStack and import it into our system.

[root@host ~]# wget -O- https://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -
--2020-03-08 19:00:32--  https://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest/SALTSTACK-GPG-KEY.pub
Resolving repo.saltstack.com (repo.saltstack.com)... 54.192.230.5, 54.192.230.104, 54.192.230.29, ...
Connecting to repo.saltstack.com (repo.saltstack.com)|54.192.230.5|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1727 (1,7K) [application/octet-stream]
Saving to: 'STDOUT'
 
-                   100%[==================>]   1,69K  --.-KB/s	in 0s     
 
2020-03-08 19:00:34 (374 MB/s) - written to stdout [1727/1727]
 
OK
[root@host ~]#

Next, we can add the repository itself.

echo "deb http://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest bionic main" | sudo tee /etc/apt/sources.list.d/saltstack.list
deb http://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest bionic main
[root@host ~]#

Now, we need to update our repo list so our available system packages are up to date.

[root@host ~]# apt-get update
Hit:1 http://by.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://by.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://by.archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:4 http://security.ubuntu.com/ubuntu bionic-security InRelease [88,7 kB]  
Get:5 http://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest bionic InRelease [2.126 B]
Get:6 http://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest bionic/main amd64 Packages [3.200 B]
Ign:7 https://dl.bintray.com/tetrate/getenvoy-deb bionic InRelease         
Get:8 https://dl.bintray.com/tetrate/getenvoy-deb bionic Release [5.356 B]
Get:10 http://security.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [38,5 kB]
Get:11 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 48x48 Icons [17,6 kB]
Get:12 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 64x64 Icons [41,5 kB]
Get:13 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [42,1 kB]
Get:14 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 48x48 Icons [16,4 kB]
Get:15 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 64x64 Icons [111 kB]
Get:16 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2.464 B]
Fetched 369 kB in 1s (258 kB/s)                                 
Reading package lists... Done
Building dependency tree    
Reading state information... Done
All packages are up to date.
[root@host ~]#

Next, let's install the SaltStack Master packages.

[root@host ~]# apt -y install salt-api salt-cloud salt-master salt-ssh salt-syndic
Reading package lists... Done
Building dependency tree    
Reading state information... Done

The following additional packages will be installed:
  git git-man ieee-data liberror-perl libnorm1 libpgm-5.2-0 libzmq5
  python3-cherrypy3 python3-croniter python3-git python3-gitdb python3-gnupg
  python3-jinja2 python3-libcloud python3-lockfile python3-msgpack
  python3-netaddr python3-openssl python3-psutil python3-repoze.lru
  python3-routes python3-smmap python3-webob python3-zmq salt-common
Suggested packages:
  git-daemon-run | git-daemon-sysvinit git-doc git-el git-email git-gui gitk
  gitweb git-cvs git-mediawiki git-svn python-git-doc python-jinja2-doc
  python-lockfile-doc ipython3 python-netaddr-docs python-openssl-doc
  python3-openssl-dbg python-psutil-doc python3-paste python3-nose
  python-webob-doc python3-botocore python3-pycurl python3-twisted
The following NEW packages will be installed:
  git git-man ieee-data liberror-perl libnorm1 libpgm-5.2-0 libzmq5
  python3-cherrypy3 python3-croniter python3-git python3-gitdb python3-gnupg
  python3-jinja2 python3-libcloud python3-lockfile python3-msgpack
  python3-netaddr python3-openssl python3-psutil python3-repoze.lru
  python3-routes python3-smmap python3-webob python3-zmq salt-api salt-cloud
  salt-common salt-master salt-ssh salt-syndic
0 upgraded, 30 newly installed, 0 to remove and 0 not upgraded.
Need to get 16,5 MB of archives.
After this operation, 98,8 MB of additional disk space will be used.
…
…
…

Created symlink /etc/systemd/system/multi-user.target.wants/salt-master.service → /lib/systemd/system/salt-master.service.
Setting up salt-api (3000+ds-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/salt-api.service → /lib/systemd/system/salt-api.service.
Setting up salt-syndic (3000+ds-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/salt-syndic.service → /lib/systemd/system/salt-syndic.service.
Processing triggers for systemd (237-3ubuntu10.39) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
[root@host ~]#

Salt Master Configuration

Using the nano or vim text editor, open the file /etc/salt/master.

[root@host ~]# vim /etc/salt/master

Now, find the following line.

#interface: 0.0.0.0

Once the line is located, uncomment it and replace the 0.0.0.0 IP address with the server's IP. In this example, we will use 64.91.225.162. This will be the IP address from which we will control the minion servers.

# The address of the interface to bind to:
interface: 64.91.225.162

Use :wq to save the file and exit. After editing, we should restart the service.

[root@host ~]# systemctl restart salt-master.service
[root@host ~]#

Next, we need to display the fingerprints of the master's keys; the minions will use the public key fingerprint when they connect to the master. We generated a unique key, so yours will be different.

root@host:~# salt-key -F master
Local Keys:
master.pem:  f8:01:d9:13:19:3f:a2:37:a5:03:cb:e8:0e:3d:9f:75:7c:f7:36:10:1d:51:70:b2:4c:b8:5f:04:4b:04:fc:28
master.pub:  d0:71:50:26:f7:05:d7:84:6c:f8:38:1f:ce:5b:d8:6a:80:6c:1a:76:05:a8:48:3a:d7:5a:86:ff:bc:14:3b:49
root@host:~#

You will want to make note of the master.pub key as we will need to add it into the configuration on the salt minion shortly.

Lastly, we will want to open the default ports in the firewall. By default, Salt uses ports 4505 and 4506.

[root@host ~]# ufw allow proto tcp from any to any port 4505,4506

Salt Minion Installation

First, we will install the software on our minion server.

[root@host ~]# apt -y install salt-minion
Reading package lists... Done
Building dependency tree   	
Reading state information... Done
The following additional packages will be installed:
  dctrl-tools debconf-utils
Suggested packages:
  debtags python3-augeas
The following NEW packages will be installed:
  dctrl-tools debconf-utils salt-minion
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 146 kB of archives.
After this operation, 527 kB of additional disk space will be used.
Get:1 http://by.archive.ubuntu.com/ubuntu bionic/main amd64 dctrl-tools amd64 2.24-2build1 [60,9 kB]
Get:2 http://by.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 debconf-utils all 1.5.66ubuntu1 [56,6 kB]
Get:3 http://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest bionic/main amd64 salt-minion all 3000+ds-1 [28,1 kB]
Fetched 146 kB in 1s (235 kB/s)    	
Selecting previously unselected package dctrl-tools.
(Reading database ... 178806 files and directories currently installed.)
Preparing to unpack .../dctrl-tools_2.24-2build1_amd64.deb ...
Unpacking dctrl-tools (2.24-2build1) ...
Selecting previously unselected package debconf-utils.
Preparing to unpack .../debconf-utils_1.5.66ubuntu1_all.deb ...
Unpacking debconf-utils (1.5.66ubuntu1) ...
Selecting previously unselected package salt-minion.
Preparing to unpack .../salt-minion_3000+ds-1_all.deb ...
Unpacking salt-minion (3000+ds-1) ...
Setting up debconf-utils (1.5.66ubuntu1) ...
Setting up dctrl-tools (2.24-2build1) ...
Setting up salt-minion (3000+ds-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service → /lib/systemd/system/salt-minion.service.
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (237-3ubuntu10.39) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
[root@host ~]#

Salt Minion Configuration

Next, we will configure the software on the minion server. By default, the Salt Minion connects to the Salt Master using a DNS name, which is resolved through the /etc/hosts file. We will need to modify this setting. Again, we will use the vim editor to open the file /etc/hosts and add the IP of the Salt Master, in this case 10.0.2.15. After that entry is created, save the file using :wq.

127.0.0.1       localhost
64.91.225.162   saltmaster

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now, we need to create a unique identifier for the Salt minion.

vim /etc/salt/minion_id

Let's add the identifier name for the minion. Care should be taken to create a naming scheme in advance to allow for additional minions e.g.

  • ubuntu-minion_01
  • us.mi.lan-ubuntu_01
  • company.location.dept-ubuntu_01

We will use ubuntu-minion_01 as our salt minion server name.

Next, copy the master.pub fingerprint we noted on the master server above, and set this value as the master_finger setting in the minion configuration file /etc/salt/minion_id. You can search for this setting in vim using /finger within the file. After adding the fingerprint, use :wq to save and exit the file.

# Fingerprint of the master public key to validate the identity of your Salt master
# before the initial key exchange. The master fingerprint can be found by running
# "salt-key -f master.pub" on the Salt master.
master_finger: 'd0:71:50:26:f7:05:d7:84:6c:f8:38:1f:ce:5b:d8:6a:80:6c:1a:76:05:a8:48:3a:d7:5a:86:ff:bc:14:3b:49'

If you change any of the settings (like the IP address of the salt master in /etc/salt/minion), you'll need to restart the salt-minion service.

[root@host ~]# systemctl restart salt-minion

Now, log in to the salt master server and list the keys with the following command to check which ones have been accepted.

root@host:~# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
ubuntu-minion_01 <<<<<
Rejected Keys:
root@host:~#

As you can see, the key for "ubuntu-minion_01" is now waiting to be accepted. Next, we will accept the salt-key for the minion on the salt master server.

root@host:~# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
ubuntu-minion_01
Proceed? [n/Y] y
Key for minion ubuntu-minion_01 accepted.
root@host:~#

Now we can run the following command on the Salt minion to check the minion's key fingerprint.

root@host:~# salt-call --local key.finger
local:
    cf:b7:01:00:9f:78:27:03:42:91:f1:7c:f1:3f:81:2f:a3:e6:11:48:bc:10:ba:2b:0c:df:f0:78:e0:07:1c:df
root@host:~#

Next, we can compare the above value to the value that is shown when we run the command "salt-key --finger <MINION_ID>" on the Salt master.

root@host:~# salt-key --finger ubuntu-minion_01
Accepted Keys:
ubuntu-minion_01 <<<<<
Denied Keys:
Unaccepted Keys:
Rejected Keys:
root@host:~#
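
The two fingerprint checks described in this article (the master.pub fingerprint used for master_finger, and the comparison of the minion's key.finger value with the master's copy) can be scripted so that a single key is accepted only when the values match. This is an added example, not part of the original article; it goes one step further than the text by comparing before accepting, and the function names, the SALT_KEY variable and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: fingerprint checks for Salt keys (not the article's own code).
# SALT_KEY is an assumption of this sketch so the command can be stubbed.
SALT_KEY=${SALT_KEY:-salt-key}

# Read "salt-key -F" or "salt-key -f ID" output on stdin; print NAME's fingerprint.
finger_of() {
    awk -v name="$1:" '$1 == name { print tolower($2); exit }'
}

# True only for 32 colon-separated hex bytes (a SHA-256 fingerprint).
valid_finger() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){31}[0-9a-f]{2}$'
}

# True only if both values are well-formed fingerprints and identical.
same_finger() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    valid_finger "$a" && valid_finger "$b" && [ "$a" = "$b" ]
}

# Accept one key (-a, not -A) only when the master's copy of its fingerprint
# equals the value read on the minion with "salt-call --local key.finger".
accept_if_match() {
    master_side=$($SALT_KEY -f "$1" | finger_of "$1")
    if same_finger "$master_side" "$2"; then
        $SALT_KEY -y -a "$1"
    else
        echo "fingerprint mismatch for $1: key left unaccepted" >&2
        return 1
    fi
}

# Read "salt-key -F master" output on stdin; print the master_finger line.
master_finger_line() {
    f=$(finger_of master.pub)
    valid_finger "$f" && printf "master_finger: '%s'\n" "$f"
}

# Constructed sample: the "salt-key -F master" output shown in this article.
SAMPLE_MASTER='Local Keys:
master.pem:  f8:01:d9:13:19:3f:a2:37:a5:03:cb:e8:0e:3d:9f:75:7c:f7:36:10:1d:51:70:b2:4c:b8:5f:04:4b:04:fc:28
master.pub:  d0:71:50:26:f7:05:d7:84:6c:f8:38:1f:ce:5b:d8:6a:80:6c:1a:76:05:a8:48:3a:d7:5a:86:ff:bc:14:3b:49'
printf '%s\n' "$SAMPLE_MASTER" | master_finger_line
```

On the master, the gate would be called as accept_if_match ubuntu-minion_01 followed by the fingerprint read on the minion itself.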

Now, let's verify the communication between the salt master and the salt minion by running the test.ping command.

root@host:~# salt ubuntu-minion_01 test.ping
ubuntu-minion_01:
    True
root@host:~#

Success!

Conclusion

SaltStack is one of the most popular IT automation, remote task execution, and configuration management tools in use today. In this article, we learned how to install and configure SaltStack on both a salt master and a salt minion server.

Would you like to try improving your ability to solve many of your server automation tasks? Give us a call at 800.580.4985, or open a chat or ticket with us to speak with one of our knowledgeable Solutions or Experienced Hosting advisors to learn how you can take advantage of this technology today!


About the Author: Ellen Sletton

I'm a 23-year-old Linux Tech who always takes NO as Next Opportunity. Every day I'm trying to learn something new and share my knowledge with others. My free time I spend with my dog Emil or doing some UI/UX design or simply making an inspiring photo for my blog :) Sharing knowledge helps me generate new ideas and stay motivated.
