Minion Configuration

Initial configuration to connect to the Salt Master server as configured in Salt Master Configuration. The Salt Master should be set up to manage the minion configurations remotely.

/etc/salt/minion is the minion flat-file config; however, making changes in /etc/salt/minion.d/ with one file per configuration area is preferred, because it makes minion changes clearer and the config easier to manage. Any file in this directory ending in .conf will be loaded and take precedence over the flat file.

Windows minion configuration files are located in c:\salt\conf\minion and c:\salt\conf\minion.d\ respectively.

Schedule Section

Determines how often Salt Minion runs, when it runs and how many resources it is allowed to use.

This will enable the Salt Minion, apply state on boot, check state every 60 minutes and have a max of two running processes at once.

0644 root root /etc/salt/minion.d/_schedule.conf
schedule:
  __mine_interval: {enabled: true, function: mine.update, jid_include: true, maxrunning: 2,
    minutes: 60, return_job: false, run_on_start: true}

File Section

Files are compared to master files using sha512 hashes.

0644 root root /etc/salt/minion.d/file.conf
hash_type: sha512

Logging Section

Set minions to only log errors by default.

0644 root root /etc/salt/minion.d/logging.conf
log_level: error

Pillar Section

Minion will use the same pillar environment as the salt environment and not raise immediate errors if requested pillar data does not exist (default Python values will be used instead).

0644 root root /etc/salt/minion.d/pillar.conf
pillarenv_from_saltenv: True
pillar_raise_on_missing: False

Primary Section

Minion will run as root and check in every 60 seconds on the default port, verifying files and permissions on startup. It will not time out waiting for a response from the Master, and will not cache pillar data.

0644 root root /etc/salt/minion.d/primary.conf
master: salt
minion_alive_interval: 60

# If interface not defined, will bind to all.
source_interface_name: eth0
retry_dns: 120
master_port: 4506
user: root
append_domain: example.com
verify_env: True
acceptance_wait_time: 10
random_startup_delay: 60
master_tries: -1
auth_tries: 10
auth_safemode: True
ping_interval: 2
minion_pillar_cache: False

Security Section

Require 4096-bit keys for signing as well as accepting Master messages. PKI access is restricted and the Master server is independently verified using a fingerprint.

0644 root root /etc/salt/minion.d/security.conf
keysize: 4096
minion_sign_messages: True
permissive_pki_access: False
verify_master_pubkey_sign: True
always_verify_signature: True

# Fingerprint of the master public key to validate the identity of your Salt master
# before the initial key exchange. The master fingerprint can be found by running
# "salt-key -f master.pub" on the Salt master.
master_finger: '{MASTER FINGERPRINT}'

Note

Copy master_sign.pub to /etc/salt/pki/minion. See Master Security Section.

Note

For the initial configuration master_finger does not need to be set up; however, it is highly recommended to seed configuration files so that a chain of trust is always maintained by verifying the master service independently.

Determine Salt Master fingerprint (on Salt Master).
salt-key -f master.pub
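
A check for the settings in this section, as an added example that is not part of the original page or of Salt itself: it reads a security.conf and reports every value that deviates from the ones listed above, including a master_finger that is unset or still the placeholder. Assumptions: the function names, the simple "key: value" reader (not a full YAML parser), and the sample files with their made-up fingerprint are constructed for illustration; an unset key is reported because this page sets each one explicitly.

```python
import re

# Expected values, copied from security.conf on this page.
EXPECTED = {"minion_sign_messages": True, "permissive_pki_access": False,
            "verify_master_pubkey_sign": True, "always_verify_signature": True}
MIN_KEYSIZE = 4096

def parse_flat_conf(text):
    """Read top-level 'key: value' lines; a simplification, not a YAML parser."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*?)\s*$", line)
        if not m:
            continue  # comment, blank or indented line
        key, raw = m.groups()
        if raw.startswith(("'", '"')):
            conf[key] = raw.strip("'\"")  # quoted values stay strings
        elif raw.lower() in ("true", "false"):
            conf[key] = raw.lower() == "true"
        else:
            conf[key] = int(raw) if raw.isdigit() else raw
    return conf

def audit(conf):
    """Return one finding per setting that deviates from the page's values."""
    findings = []
    for key, want in EXPECTED.items():
        if conf.get(key) is not want:
            findings.append(f"{key}: expected {want}, found {conf.get(key, 'unset')}")
    keysize = conf.get("keysize")
    if type(keysize) is not int or keysize < MIN_KEYSIZE:
        findings.append(f"keysize: expected >= {MIN_KEYSIZE}, found {keysize}")
    finger = str(conf.get("master_finger", "")).lower()
    if not re.fullmatch(r"[0-9a-f]{2}(:[0-9a-f]{2})+", finger):
        findings.append("master_finger: unset or still a placeholder")
    return findings

# Constructed sample: the page's values with a made-up, shortened fingerprint.
SAMPLE_HARDENED = (
    "keysize: 4096\nminion_sign_messages: True\npermissive_pki_access: False\n"
    "verify_master_pubkey_sign: True\nalways_verify_signature: True\n"
    "master_finger: '00:11:22:33:44:55:66:77'\n"
)
# Constructed sample: small key, open PKI access, one key missing, placeholder left in.
SAMPLE_WEAK = (
    "keysize: 2048\nminion_sign_messages: True\npermissive_pki_access: True\n"
    "verify_master_pubkey_sign: True\n# always_verify_signature is left out\n"
    "master_finger: '{MASTER FINGERPRINT}'\n"
)
```

Calling audit(parse_flat_conf(text)) on the contents of /etc/salt/minion.d/security.conf returns an empty list when the file matches this section.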

Startup Section

Defines the default startup states for Salt Minion. Launch minion into highstate.

0644 root root /etc/salt/minion.d/startup.conf
# Run states when the minion daemon starts.
startup_states: highstate

State Section

Defines the default state and state options to use for minion runs. Run minions using the prod environment.

0644 root root /etc/salt/minion.d/state.conf
saltenv: prod