Salt Master Configuration

/etc/salt/master is the master's flat-file config; however, making changes in /etc/salt/master.d/, with one file per configuration area, is preferred because it makes server changes clearer and the configuration easier to manage. Any file in this directory ending in .conf is loaded and takes precedence over the flat file.

File Section

Where salt locates files and states to apply to minions. This configuration creates three branches (environments): base, dev and prod. Base is applied to all environments and is unused in this config. Files are compared using sha512 hashing.

Files can be checked out directly from a revision control system (such as git). Adding or removing file paths requires a reload of the master server.

0644 root root /etc/salt/master.d/file.conf
file_roots:
  base:
    - /srv/salt/static/base
  dev:
    - /srv/salt/static/dev
    - /srv/salt/template/dev/{FORMULA 1}
    - /srv/salt/template/dev/{FORMULA 2}
  prod:
    - /srv/salt/static/prod
    - /srv/salt/template/prod/{FORMULA 1}
    - /srv/salt/template/prod/{FORMULA 2}

top_file_merging_strategy: same
default_top: dev
hash_type: sha512

Pillar Section

Pillar defines the dynamic client data sent to minions and acts as an ACL for access to that data. Prod and Dev environments are used. Missing data requested by a minion halts state application, and render errors are not shown on minions (they are reported on the server). This prevents leaking potentially sensitive data users shouldn't have access to if a formula fails.

0644 root root /etc/salt/master.d/pillar.conf
pillar_roots:
  dev:
    - /srv/salt/data/dev
  prod:
    - /srv/salt/data/prod

pillar_safe_render_error: True
pillar_source_merging_strategy: none
pillarenv_from_saltenv: True
pillar_raise_on_missing: True

Primary Section

Primary configuration for salt-master. This forces the master to run as the salt user, ensures the environment is validated (permissions, etc.) before the master starts, pings minions on AES key rotation and prevents minions from unmanaging themselves by revoking their own keys. See Non-root User for setup instructions.

0644 root root /etc/salt/master.d/primary.conf
user: salt
verify_env: True
enable_gpu_grains: True
ping_on_rotate: True
allow_minion_key_revoke: False
timeout: 30

Security Section

Security configuration. Require 4096 bit keys for signing. All messages are signed. All minions added require manual approval. Use SSL/TLS 1.2 for protocol encryption. See Use TLS for protocol encryption for cert creation.

drop_messages_signature_fail is set to False, as enabling it requires minions to have verifiable signing certs, which self-signed certs cannot provide. Otherwise this option would drop any message that is not verified against a root CA.

0644 root root /etc/salt/master.d/security.conf
keysize: 4096
autosign_timeout: 0
master_sign_pubkey: True
master_use_pubkey_signature: True
sign_pub_messages: True
require_minion_sign_messages: True
drop_messages_signature_fail: False
ssl:
  keyfile: /etc/salt/pki/certs/salt.key
  certfile: /etc/salt/pki/certs/salt.crt
  ssl_version: PROTOCOL_TLSv1_2

Generate the master signing key pair:

salt-key --gen-signature --auto-create

Note

This will generate master_sign.pub, master_sign.pem and master_pubkey_signature in /etc/salt/pki/master.

master_sign.pub must be installed on minions and enabled before they will be able to validate the master and connect. See Minion Security Section.

State Section

Defines how states are applied to minions. Minions will fail immediately if there is an error, instead of continuing to apply the state.

0644 root root /etc/salt/master.d/state.conf
failhard: True
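As an added example (not from the original page or the Salt project), the following POSIX shell script audits a master configuration laid out the way the sections above describe: it resolves each top-level key across the flat file and master.d/*.conf, with the .conf files taking precedence as stated in the introduction, and reports any security-relevant key whose effective value differs from the value used on this page (user, verify_env, allow_minion_key_revoke, hash_type, pillar_raise_on_missing, keysize, autosign_timeout, the signing options and failhard). The function names, the "later file wins" ordering among .conf files, and the sample configuration the script writes are this example's own assumptions, not Salt's documented behaviour.

```shell
#!/bin/sh
# Added audit example, not from the original page. Reads a salt master
# configuration laid out as on this page (flat /etc/salt/master plus
# /etc/salt/master.d/*.conf, where the .conf files take precedence) and
# compares the effective value of each security-relevant key with the
# value the page's configuration uses.

# effective_value FLAT_FILE DROPIN_DIR KEY
# Prints the effective top-level value of KEY: the flat file is read first,
# then DROPIN_DIR/*.conf in lexical order, and the last definition wins
# (assumption made by this example). Indented (nested) keys such as
# ssl.keyfile are deliberately not matched.
effective_value() {
  ev_flat="$1"; ev_dropin="$2"; ev_key="$3"; ev_val=""
  for ev_f in "$ev_flat" "$ev_dropin"/*.conf; do
    [ -f "$ev_f" ] || continue
    ev_v=$(sed -n "s/^${ev_key}:[[:space:]]*//p" "$ev_f" | tail -n 1)
    [ -n "$ev_v" ] && ev_val="$ev_v"
  done
  printf '%s\n' "$ev_val"
}

# audit_master FLAT_FILE DROPIN_DIR
# Prints one FAIL line per key whose effective value differs from the
# page's setting; returns the number of deviations (0 means compliant).
audit_master() {
  flat="$1"; dropin="$2"; bad=0
  while IFS='=' read -r key want; do
    got=$(effective_value "$flat" "$dropin" "$key")
    if [ "$got" != "$want" ]; then
      printf 'FAIL %s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
      bad=$((bad + 1))
    fi
  done <<EOF
user=salt
verify_env=True
allow_minion_key_revoke=False
hash_type=sha512
pillar_raise_on_missing=True
keysize=4096
autosign_timeout=0
master_sign_pubkey=True
sign_pub_messages=True
require_minion_sign_messages=True
failhard=True
EOF
  return "$bad"
}

# make_sample_config DIR
# Writes a constructed copy of the page's layout under DIR (sample data for
# this example only). The flat file carries weaker settings on purpose, so
# the audit passes only because the master.d files override it.
make_sample_config() {
  dir="$1"
  mkdir -p "$dir/master.d"
  printf 'keysize: 2048\nuser: root\n' > "$dir/master"
  printf 'hash_type: sha512\n' > "$dir/master.d/file.conf"
  printf 'pillar_raise_on_missing: True\n' > "$dir/master.d/pillar.conf"
  printf 'user: salt\nverify_env: True\nallow_minion_key_revoke: False\n' \
    > "$dir/master.d/primary.conf"
  cat > "$dir/master.d/security.conf" <<'EOF'
keysize: 4096
autosign_timeout: 0
master_sign_pubkey: True
master_use_pubkey_signature: True
sign_pub_messages: True
require_minion_sign_messages: True
drop_messages_signature_fail: False
EOF
  printf 'failhard: True\n' > "$dir/master.d/state.conf"
}

# Usage on a real master (paths as on this page):
#   . ./audit_salt_master.sh && audit_master /etc/salt/master /etc/salt/master.d
```

The script only understands flat `key: value` lines, which is all the page's drop-in files use; the nested ssl block is intentionally skipped, so a certificate path typo would have to be caught by checking the files themselves.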

See Minion Management for managing minions on Salt Master.