123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234 |
- .. _configuring-salt:
- ================
- Configuring Salt
- ================
- Salt configuration is very simple. The default configuration for the
- :term:`master <Master>` will work for most installations and the only requirement for
- setting up a :term:`minion <Minion>` is to set the location of the master in the minion
- configuration file.
- The configuration files will be installed to :file:`/etc/salt` and are named
- after the respective components, :file:`/etc/salt/master`, and
- :file:`/etc/salt/minion`.
- Master Configuration
- ====================
- By default the Salt master listens on ports 4505 and 4506 on all
- interfaces (0.0.0.0). To bind Salt to a specific IP, redefine the
- "interface" directive in the master configuration file, typically
- ``/etc/salt/master``, as follows:
- .. code-block:: diff
- - #interface: 0.0.0.0
- + interface: 10.0.0.1
- After updating the configuration file, restart the Salt master.
- See the :ref:`master configuration reference <configuration-salt-master>`
- for more details about other configurable options.
- Minion Configuration
- ====================
- Although there are many Salt Minion configuration options, configuring
- a Salt Minion is very simple. By default a Salt Minion will
- try to connect to the DNS name "salt"; if the Minion is able to
- resolve that name correctly, no configuration is needed.
- If the DNS name "salt" does not resolve to point to the correct
- location of the Master, redefine the "master" directive in the minion
- configuration file, typically ``/etc/salt/minion``, as follows:
- .. code-block:: diff
- - #master: salt
- + master: 10.0.0.1
- After updating the configuration file, restart the Salt minion.
- See the :ref:`minion configuration reference <configuration-salt-minion>`
- for more details about other configurable options.
- Proxy Minion Configuration
- ==========================
- A proxy minion emulates the behaviour of a regular minion
- and inherits their options.
- Similarly, the configuration file is ``/etc/salt/proxy`` and the proxy
- tries to connect to the DNS name "salt".
- In addition to the regular minion options,
- there are several proxy-specific - see the
- :ref:`proxy minion configuration reference <configuration-salt-proxy>`.
- Running Salt
- ============
- 1. Start the master in the foreground (to daemonize the process, pass the
- :option:`-d flag <salt-master -d>`):
- .. code-block:: bash
- salt-master
- 2. Start the minion in the foreground (to daemonize the process, pass the
- :option:`-d flag <salt-minion -d>`):
- .. code-block:: bash
- salt-minion
- .. admonition:: Having trouble?
- The simplest way to troubleshoot Salt is to run the master and minion in
- the foreground with :option:`log level <salt-master -l>` set to ``debug``:
- .. code-block:: bash
- salt-master --log-level=debug
- For information on salt's logging system please see the :ref:`logging
- document<logging>`.
- .. admonition:: Run as an unprivileged (non-root) user
- To run Salt as another user, set the :conf_master:`user` parameter in the
- master config file.
- Additionally, ownership, and permissions need to be set such that the
- desired user can read from and write to the following directories (and
- their subdirectories, where applicable):
- * /etc/salt
- * /var/cache/salt
- * /var/log/salt
- * /var/run/salt
- More information about running salt as a non-privileged user can be found
- :ref:`here <configuration-non-root-user>`.
- There is also a full :ref:`troubleshooting guide<troubleshooting>`
- available.
- .. _key-identity:
- Key Identity
- ============
- Salt provides commands to validate the identity of your Salt master
- and Salt minions before the initial key exchange. Validating key identity helps
- avoid inadvertently connecting to the wrong Salt master, and helps prevent
- a potential MiTM attack when establishing the initial connection.
- Master Key Fingerprint
- ----------------------
- Print the master key fingerprint by running the following command on the Salt master:
- .. code-block:: bash
- salt-key -F master
- Copy the ``master.pub`` fingerprint from the *Local Keys* section, and then set this value
- as the :conf_minion:`master_finger` in the minion configuration file. Save the configuration
- file and then restart the Salt minion.
- Minion Key Fingerprint
- ----------------------
- Run the following command on each Salt minion to view the minion key fingerprint:
- .. code-block:: bash
- salt-call --local key.finger
- Compare this value to the value that is displayed when you run the
- ``salt-key --finger <MINION_ID>`` command on the Salt master.
- Key Management
- ==============
- Salt uses AES encryption for all communication between the Master and
- the Minion. This ensures that the commands sent to the Minions cannot
- be tampered with, and that communication between Master and Minion is
- authenticated through trusted, accepted keys.
- Before commands can be sent to a Minion, its key must be accepted on
- the Master. Run the ``salt-key`` command to list the keys known to
- the Salt Master:
- .. code-block:: bash
- [root@master ~]# salt-key -L
- Unaccepted Keys:
- alpha
- bravo
- charlie
- delta
- Accepted Keys:
- This example shows that the Salt Master is aware of four Minions, but none of
- the keys has been accepted. To accept the keys and allow the Minions to be
- controlled by the Master, again use the ``salt-key`` command:
- .. code-block:: bash
- [root@master ~]# salt-key -A
- [root@master ~]# salt-key -L
- Unaccepted Keys:
- Accepted Keys:
- alpha
- bravo
- charlie
- delta
- The ``salt-key`` command allows for signing keys individually or in bulk. The
- example above, using ``-A`` bulk-accepts all pending keys. To accept keys
- individually use the lowercase of the same option, ``-a keyname``.
- .. seealso:: :ref:`salt-key manpage <salt-key>`
- Sending Commands
- ================
- Communication between the Master and a Minion may be verified by running
- the ``test.version`` command:
- .. code-block:: bash
- [root@master ~]# salt alpha test.version
- alpha:
- 2018.3.4
- Communication between the Master and all Minions may be tested in a
- similar way:
- .. code-block:: bash
- [root@master ~]# salt '*' test.version
- alpha:
- 2018.3.4
- bravo:
- 2018.3.4
- charlie:
- 2018.3.4
- delta:
- 2018.3.4
- Each of the Minions should send a ``2018.3.4`` response as shown above,
- or any other salt version installed.
- What's Next?
- ============
- Understanding :ref:`targeting <targeting>` is important. From there, depending
- on the way you wish to use Salt, you should also proceed to learn about
- :ref:`Remote Execution <remote-execution>` and :ref:`Configuration Management
- <configuration-management>`.
|