/r/saltstack

Salt is an open source tool to manage your infrastructure via remote execution and configuration management.

Feel free to ask questions here. Or in the discord community at https://discord.gg/GC5U3SEF

Salt is a powerful remote execution manager that can be used to administer servers in a fast and efficient way.

Salt allows commands to be executed across large groups of servers. This means systems can be easily managed, but data can also be easily gathered. Quick introspection into running systems becomes a reality.

Remote execution is usually used to set up a certain state on a remote system. Salt addresses this problem as well: the Salt state system uses state files to define the state a server needs to be in.

Between the remote execution system and state management, Salt addresses the backbone of cloud and data center management.

See the wiki page for more links and other resources.

2

Disclosure of sensitive data via salt-call

Hi. I have the following problem:

I'm trying to enroll a server into a domain via Salt, I'm sending out the domain enroll-admin account details to execute the ipa-client install command via salt-pillars. At the same time through salt-call any user with sudo rights can read the admin password. What are best practices for similar tasks that will prevent this data from being exposed?

15 Comments
2024/11/26
05:18 UTC
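
One way to narrow the exposure described above, as an added example rather than the poster's own configuration: scope the enrollment pillar to the single minion being enrolled, so every other minion's salt-call never receives it. The minion ID, pillar file name and key names are placeholders.

```yaml
# /srv/pillar/top.sls  (added example, not the poster's config)
base:
  # Pillar is compiled per minion on the master, so only the minion
  # listed here ever receives the enrollment credentials.
  # 'ipa-new-host01' is a placeholder minion ID.
  'ipa-new-host01':
    - ipa_enroll
---
# /srv/pillar/ipa_enroll.sls  (placeholder values, not real secrets)
ipa_enroll:
  principal: enroll-admin@EXAMPLE.ORG
  # Keep the value out of SCM: source it from an external pillar such as
  # Vault (ext_pillar) rather than committing it here.
  password: '<placeholder, never commit the real value>'
```

Even when scoped, the pillar is delivered to that minion and cached there, so root or any sudo user on the enrolling host can still read it with salt-call pillar.items; a short-lived, single-use enrollment credential limits what that exposure is worth.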

23

Why are so many posts about leaving SaltStack?

Heya!
So, I don't really like Ansible. Or chef, or puppet. But I do like Saltstack.
Now the big question, why are so many giving up on Saltstack after the latest acquisition?
Ansible is owned by IBM, kind of. IBM have ruined ansible according to me. SaltStack was bought by VMware and to me made it better, and now Broadcom bought VMware, so by proxy bought SaltStack - right?

Did Broadcom screw up Saltstack?

15 Comments
2024/11/18
08:59 UTC

3

Trouble targeting with grains

I'm having trouble targeting servers with grains on my v3006.9 salt master. There's a custom grain [myCustomGrain] that only certain servers have. I use this grain to target salt command [here, test.ping]. Then, in the output, servers without the grain have output. In the past, only servers with the grain would have output.

salt  -G myCustomGrain:someValue test.ping 
...
validserver001:
    True
invalidserver001:
    Minion did not return. [No response]
    The minions may not have all finished running and any remaining minions will return upon completion. To look up the return data for this job later, run the following command:

    salt-run jobs.lookup_jid 20241113183605042208
...

Also, the job info has those extra minions present in the Minions list

Arguments:
Function:
    test.ping
Minions:
    - validserver001
    - invalidserver001
...
Target:
    myCustomGrain:someValue
Target-type:
    grain

Does someone have a fix for this or is this the new, expected behavior? This new behavior is incompatible with a bunch of scripts and I really don't want to change everything. Thanks in advance for any information.

2 Comments
2024/11/14
15:39 UTC

2

Migration to ansible

With the migration to broadcom, many links are dead… I think to migrate to ansible… I just tried to ask chatgpt to convert some sls to ansible playbook, and the result is very good in most cases… 🤔

5 Comments
2024/11/07
19:36 UTC

1

Custom grain visible from the master but not the minion

I have created a custom grain holding the full Debian version
as none of the built-in ones show that for some reason.
It is called osreleasefull and it is in the file called osreleasefull.py
which is in the _grains dir in the salt root dir.
It works fine from the master but not on the minion
even though grains syncing works fine,
the new grain is recognized and the file is in the cache on the minion:

[master]:
-rw-r--r-- 1 root root 323 Nov 7 05:45 /srv/salt/_grains/osreleasefull.py

[master]# salt minion1 grains.get osreleasefull
minion1:
12.1

[minion]:
-rw-r--r-- 1 root root 323 Nov 7 05:48 /var/cache/salt/minion/files/base/_grains/osreleasefull.py

[minion1]# salt-call saltutil.sync_grains
local:
- grains.osreleasefull

[minion1]# salt-call grains.get osreleasefull
local:

osreleasefull.py:
#!/usr/bin/env python
import os

def osreleasefull():
    grains = {}
    if os.path.isfile('/etc/debian_version'):
        with open('/etc/debian_version', 'r') as f:
            # Setting the grain name to match the expected output
            grains['osreleasefull'] = f.read().strip()
    return grains

Any tips on what I am missing?

6 Comments
2024/11/07
14:19 UTC

2

No more salt .deb for armhf (armv7l) !?

I have an Odroid-HC1 ARM machine (Samsung Exynos5422 Cortex-A15) running Debian 12. It's my personal mail server.

After Broadcom migration I get:

N: Skipping acquire of configured file 'main/binary-armhf/Packages' as repository 'https://packages.broadcom.com/artifactory/saltproject-deb stable InRelease
' doesn't support architecture 'armhf'

I do not see `armhf` in https://packages.broadcom.com/artifactory/saltproject-deb/dists/stable/main/ so I guess I'm f...?

3 Comments
2024/11/04
18:53 UTC

14

Where are older versions of Salt now?

You can only get salt 3006 or newer on the Broadcom site. Where are the packages for the older versions? This is having a horrific effect on our faith in using salt going forward.

Did anyone have archive mirrors of the previous salt versions?

How would ANYONE in Broadcom think this was a good idea?

Why should ANYONE continue using Salt?

19 Comments
2024/11/01
11:58 UTC

10

So broadcom's repos... Anyone mirroring them yet?

I have to mirror salt's repos for various reasons, but broadcom's using jFrog or whatever's 'Artifactory' instead of standard repository structure.

Any insight on how to rclone from there?

Or am I stuck mirroring it myself with createrepo before my pulp server pulls it?

11 Comments
2024/10/30
21:04 UTC

2

How to deal with circular dependencies between services and servers

I’m rebuilding my homelab and learning SaltStack as well. I want to automate everything but there is one thing that bothers me and I haven’t found a solution in the docs.

Let’s say that I need a proxy server, but that depends on a DNS Resolver. But the DNS Resolver depends on the Proxy Server to install Unbound.

Is it possible to do something like this, and how do I do it?

  • Install the DNS Server
  • Install and configure the proxy to use the DNS Server
  • Go back to the DNS Server and configure the package manager to use the new Proxy server.

If someone is willing to point to some “production ready” examples on GitHub, I would be thankful.

4 Comments
2024/10/24
23:04 UTC

2

targeting by grain from top.sls

I currently have a /srv/salt/base/top.sls that looks like:

base:
  '*':
  - motd
  - lnav

Now, I have a state called myteam-ssh-keys that should be targeted to minions having a specific grain (managed_by) equal to a specific value (myteam).

How can I update the top.sls to apply the myteam-ssh-keys only to the targeted minions?

The overall goal is to end up putting a cron job that runs salt '*' state-apply regularly to keep the minions in sync.

6 Comments
2024/10/23
09:29 UTC
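
A top.sls that keeps the existing '*' entries and adds a grain-matched block, as an added example rather than the poster's file; the grain name and value are the ones from the post.

```yaml
# /srv/salt/base/top.sls  (added example, not the original poster's file)
base:
  # existing entries, applied to every minion
  '*':
    - motd
    - lnav

  # minions whose grain managed_by equals myteam also get the key state;
  # 'match: grain' tells the top file to treat this key as a grain match
  # instead of the default glob on the minion ID
  'managed_by:myteam':
    - match: grain
    - myteam-ssh-keys
```

Grains are reported by the minion itself, so any minion can present managed_by:myteam; for a state that distributes SSH keys, consider matching on minion ID or on master-controlled pillar data as well.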

1

Windows - Configure Attack Surface Reduction Rules

I'm trying to use Salt lgpo.set to configure windows 'Attack Surface Reduction Rules'. This setting requires a list with values. I have successfully configured other lists without values, e.g.

Local_Policies:
  lgpo.set:
    - computer_policy:
       Access this computer from the network:
         - Administrators
         - Remote Desktop Users

How do I include values in the list items?

5 Comments
2024/10/20
21:13 UTC

2

do credentials in /etc/salt/master (or master.d/*.conf) have to be plain text?

well, what the title says. If I have passwords or keys defined in `/etc/salt/master` do they have to be in plain text? I'm trying to define external pillar source using hashicorp vault, which works pretty well, but in a master config file I need to define the app role secret id. I would rather the secret id not be in scm.

6 Comments
2024/10/17
18:18 UTC

0

Problems cleaning a directory

Hi everyone,

I'm a beginner with Salt and would like some help from you. I created a state to modify the folder C:\ProgramData\Microsoft\Windows\Start Menu\. I would like all the files in it to be cleaned out and only the file created by the cria_atalho state to remain. When I run it the first time it works correctly, but after that I create files manually in that folder and even when running the state again it does not clean those files. The return I get on the master is that there were no changes in the folder. Can you tell me what I'm doing wrong?

remove.arquivos:
  file.directory:
    - name: 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\'
    - clean: True
    - require:
      - cria.atalho

cria.atalho:
  file.managed:
    - name: 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\atalho.lnk'
    - source: 'salt://win/atalhos/atalho.lnk'
    - source_hash: 43808f02b6f82eb7b68906bec8cfa7be

Thanks.

5 Comments
2024/10/10
18:17 UTC

2

Aerospike configuration management using SaltStack

Hey all, does anyone use SaltStack to streamline Aerospike configuration management for different clusters at your workplace/org?
Would love to hear what your approach is in deploying aerospike configuration dynamically for different aerospike clusters using saltstack.
Need ideas to streamline configuration management while setting up a new cluster.

1 Comment
2024/10/10
17:13 UTC

4

Why are my minions disconnecting constantly?

I am having an issue where I cannot communicate with my salt minions from master even though they have their salt key accepted and the salt service is installed and running.

When I try to run test.ping I get an error "Minion did not return. [Not Connected]"

To resolve this I often have to remove the minion keys and reinstall minion with a new key. Surely, there has to be a solution for this, or maybe my salt configuration is wrong??

1 Comment
2024/10/09
20:27 UTC

1

SecureBoot enabled according to mokutil, but disabled according to efi-secure-boot salt grain?

I have a situation whereby on a VMware based virtual machine, when I check if Secure Boot is enabled using mokutil it says it is, but when I check the efi-secure-boot grain it's saying Secure Boot isn't enabled.

When I check the VM's firmware configuration in vCenter it's configured to use EFI (and not BIOS) and Secure Boot is ticked.

This seems to be the case across my entire estate of approx. 20 Debian and Ubuntu based VMs.

root@host:~ # mokutil --sb-state
SecureBoot enabled
root@host:~ # sudo salt-call grains.item efi efi-secure-boot
local:
    ----------
    efi:
        True
    efi-secure-boot:
        False

Anyone else experiencing the same thing?

2 Comments
2024/10/09
17:09 UTC

5

Config management using Salt

Hey all, I'm trying to solve a problem in using saltstack:

Let's say we have aerospike clusters being used across different teams in the company. The thing is, when a team needs to create a new aerospike cluster or make any changes in the existing clusters, they create a new folder in the salt:// folder specific to a cluster and add the relevant hosts, config and namespaces to it that they need, and spin up or make changes to a cluster.

ex: config.sls host.yml install.sls etc

The problem here is that since every cluster has its own folder, it creates more and more folders and it's kind of cumbersome. How do I improve this? Using salt pillar? And how do I optimise this?

2 Comments
2024/10/05
16:59 UTC

3

salt or jinja: parse URL (akin to Python's urlparse)

Is there really no built-in way to parse a URL in salt or jinja?

Python has urlparse, and Ansible has urlsplit.

Yes, I know I can cobble this together in many ways, but I'd expect salt or jinja to have a simple call that puts a URL in an array of parts or even a dictionary.

Am I missing something?

10 Comments
2024/10/04
01:50 UTC

1

OS upgrade on the minions

What is the best way to upgrade OS (Debian in my case) on the minions?
I use pkg.uptodate in my state but for some reason it does not install all the packages available.
(apt update/upgrade shows packages available for upgrade like linux-image or kernel headers)

Any tips, or what am I missing?

2 Comments
2024/09/25
09:38 UTC

4

Salt for managing AD DNS

Is it possible to use salt to add/update/delete A, PTR, etc. records with AD based DNS?

I want DNS changes to be tied to salt deploying or terminating servers, as well as using Salt to automate recurring hygiene activities.

Any examples would be awesome.

TIA

2 Comments
2024/09/18
21:03 UTC

2

Is salt the tool I'm looking for, or should I look at something else?

So, I have a specific problem to solve and have been advised to look at salt as a possible tool to solve it.

I've spent the last two hours reading documentation and setting up a master and a windows minion, but now I'm a bit stuck.

In hindsight, I'm not sure I need the master, but I might play around with it at some point if I end up solving my problem with salt and using it more.

Anyway, so here's what I actually want to accomplish:

The plan is to use packer to build monthly images that will be used to deploy remote desktop session host. There are about 40 different "profiles" (I know, we're trying to cut it down. But licensing and very different workloads make it a bit of a pain). So part of the build would be installing the required applications and installing them.

At this stage I'm having packer upload the required installation files to the image, running the installations in the required order and then deleting the installation files.

I was hoping to use salt for this. I'm not sure salt is the right tool. Anything requiring use of github is a no-go. That's both disallowed by policy and actively blocked in the firewall. Any installation files need to be fetched from a local repository as we have custom packaged applications hosted on SMB-shares.

My hope would be that I could during my packer build just make a call similar to "install Developer Desktop packages" and there would be a role (not sure what it's called in salt?) that then lists everything that needs to be installed and in what order. Bonus if it can fetch it from a self-hosted repository. I can do https if I have to, but if smb isn't an option I'd rather just have packer upload the files at build time. But then I also need to keep track of the roles in packer so it knows which files to upload...

Is salt a good fit? I've been trying to find a good solution for this, but everywhere I look most tools are focused on cloud and using services hosted on the internet like git, which infosec will shut down instantly. I need something that can run on-prem with no outside dependencies. The machines also only need to be provisioned, not managed. The image will never be booted up once it's built, the workers will be clones of the image and non-persistent. As in they reboot daily and all written data is discarded and the workers revert to a clean clone. We would then rebuild the images monthly in order to apply patches and updates.

20 Comments
2024/09/12
20:39 UTC

2

CIS hardening windows

Looking to apply the CIS hardening guidelines to our windows 10 systems via a salt state

Has anyone attempted this with salt?

The list is enormous

1 Comment
2024/09/11
15:07 UTC
