1
0

index.rst 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234
  1. .. _configuring-salt:
  2. ================
  3. Configuring Salt
  4. ================
  5. Salt configuration is very simple. The default configuration for the
  6. :term:`master` will work for most installations and the only requirement for
  7. setting up a :term:`minion` is to set the location of the master in the minion
  8. configuration file.
  9. The configuration files will be installed to :file:`/etc/salt` and are named
  10. after the respective components, :file:`/etc/salt/master`, and
  11. :file:`/etc/salt/minion`.
  12. Master Configuration
  13. ====================
  14. By default the Salt master listens on ports 4505 and 4506 on all
  15. interfaces (0.0.0.0). To bind Salt to a specific IP, redefine the
  16. "interface" directive in the master configuration file, typically
  17. ``/etc/salt/master``, as follows:
  18. .. code-block:: diff
  19. - #interface: 0.0.0.0
  20. + interface: 10.0.0.1
  21. After updating the configuration file, restart the Salt master.
  22. See the :ref:`master configuration reference <configuration-salt-master>`
  23. for more details about other configurable options.
  24. Minion Configuration
  25. ====================
  26. Although there are many Salt Minion configuration options, configuring
  27. a Salt Minion is very simple. By default a Salt Minion will
  28. try to connect to the DNS name "salt"; if the Minion is able to
  29. resolve that name correctly, no configuration is needed.
  30. If the DNS name "salt" does not resolve to point to the correct
  31. location of the Master, redefine the "master" directive in the minion
  32. configuration file, typically ``/etc/salt/minion``, as follows:
  33. .. code-block:: diff
  34. - #master: salt
  35. + master: 10.0.0.1
  36. After updating the configuration file, restart the Salt minion.
  37. See the :ref:`minion configuration reference <configuration-salt-minion>`
  38. for more details about other configurable options.
  39. Proxy Minion Configuration
  40. ==========================
  41. A proxy minion emulates the behaviour of a regular minion
  42. and inherits their options.
  43. Similarly, the configuration file is ``/etc/salt/proxy`` and the proxy
  44. tries to connect to the DNS name "salt".
  45. In addition to the regular minion options,
  46. there are several proxy-specific - see the
  47. :ref:`proxy minion configuration reference <configuration-salt-proxy>`.
  48. Running Salt
  49. ============
  50. 1. Start the master in the foreground (to daemonize the process, pass the
  51. :option:`-d flag <salt-master -d>`):
  52. .. code-block:: bash
  53. salt-master
  54. 2. Start the minion in the foreground (to daemonize the process, pass the
  55. :option:`-d flag <salt-minion -d>`):
  56. .. code-block:: bash
  57. salt-minion
  58. .. admonition:: Having trouble?
  59. The simplest way to troubleshoot Salt is to run the master and minion in
  60. the foreground with :option:`log level <salt-master -l>` set to ``debug``:
  61. .. code-block:: bash
  62. salt-master --log-level=debug
  63. For information on salt's logging system please see the :ref:`logging
  64. document<logging>`.
  65. .. admonition:: Run as an unprivileged (non-root) user
  66. To run Salt as another user, set the :conf_master:`user` parameter in the
  67. master config file.
  68. Additionally, ownership, and permissions need to be set such that the
  69. desired user can read from and write to the following directories (and
  70. their subdirectories, where applicable):
  71. * /etc/salt
  72. * /var/cache/salt
  73. * /var/log/salt
  74. * /var/run/salt
  75. More information about running salt as a non-privileged user can be found
  76. :ref:`here <configuration-non-root-user>`.
  77. There is also a full :ref:`troubleshooting guide<troubleshooting>`
  78. available.
  79. .. _key-identity:
  80. Key Identity
  81. ============
  82. Salt provides commands to validate the identity of your Salt master
  83. and Salt minions before the initial key exchange. Validating key identity helps
  84. avoid inadvertently connecting to the wrong Salt master, and helps prevent
  85. a potential MiTM attack when establishing the initial connection.
  86. Master Key Fingerprint
  87. ----------------------
  88. Print the master key fingerprint by running the following command on the Salt master:
  89. .. code-block:: bash
  90. salt-key -F master
  91. Copy the ``master.pub`` fingerprint from the *Local Keys* section, and then set this value
  92. as the :conf_minion:`master_finger` in the minion configuration file. Save the configuration
  93. file and then restart the Salt minion.
  94. Minion Key Fingerprint
  95. ----------------------
  96. Run the following command on each Salt minion to view the minion key fingerprint:
  97. .. code-block:: bash
  98. salt-call --local key.finger
  99. Compare this value to the value that is displayed when you run the
  100. ``salt-key --finger <MINION_ID>`` command on the Salt master.
  101. Key Management
  102. ==============
  103. Salt uses AES encryption for all communication between the Master and
  104. the Minion. This ensures that the commands sent to the Minions cannot
  105. be tampered with, and that communication between Master and Minion is
  106. authenticated through trusted, accepted keys.
  107. Before commands can be sent to a Minion, its key must be accepted on
  108. the Master. Run the ``salt-key`` command to list the keys known to
  109. the Salt Master:
  110. .. code-block:: bash
  111. [root@master ~]# salt-key -L
  112. Unaccepted Keys:
  113. alpha
  114. bravo
  115. charlie
  116. delta
  117. Accepted Keys:
  118. This example shows that the Salt Master is aware of four Minions, but none of
  119. the keys has been accepted. To accept the keys and allow the Minions to be
  120. controlled by the Master, again use the ``salt-key`` command:
  121. .. code-block:: bash
  122. [root@master ~]# salt-key -A
  123. [root@master ~]# salt-key -L
  124. Unaccepted Keys:
  125. Accepted Keys:
  126. alpha
  127. bravo
  128. charlie
  129. delta
  130. The ``salt-key`` command allows for signing keys individually or in bulk. The
  131. example above, using ``-A`` bulk-accepts all pending keys. To accept keys
  132. individually use the lowercase of the same option, ``-a keyname``.
  133. .. seealso:: :ref:`salt-key manpage <salt-key>`
  134. Sending Commands
  135. ================
  136. Communication between the Master and a Minion may be verified by running
  137. the ``test.version`` command:
  138. .. code-block:: bash
  139. [root@master ~]# salt alpha test.version
  140. alpha:
  141. 2018.3.4
  142. Communication between the Master and all Minions may be tested in a
  143. similar way:
  144. .. code-block:: bash
  145. [root@master ~]# salt '*' test.version
  146. alpha:
  147. 2018.3.4
  148. bravo:
  149. 2018.3.4
  150. charlie:
  151. 2018.3.4
  152. delta:
  153. 2018.3.4
  154. Each of the Minions should send a ``2018.3.4`` response as shown above,
  155. or any other salt version installed.
  156. What's Next?
  157. ============
  158. Understanding :ref:`targeting <targeting>` is important. From there, depending
  159. on the way you wish to use Salt, you should also proceed to learn about
  160. :ref:`Remote Execution <remote-execution>` and :ref:`Configuration Management
  161. <configuration-management>`.