Service Setup ¶

Salt can run on both Python 2 and 3. Use Python 3. See Best Practices.

0644 root root /etc/apt/sources.list.d/saltstack.list¶

deb http://repo.saltstack.com/py3/ubuntu/16.04/amd64/latest bionic main

Add the salt repository signing key.¶

wget -O - https://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -

Install salt. A minion can be installed on the master as well to have the master manage itself.¶

sudo apt update && sudo apt install salt-master

Use TLS for protocol encryption ¶

Communication is automatically encrypted, but TCP is not. Force TLS encryption.

Generate a 4096 bit certificate for TLS.¶

mkdir -p /etc/salt/pki/certs && cd /etc/salt/pki/certs
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out salt.crt -keyout salt.key
chmod 0400 salt.key

Non-root User ¶

By default salt-master runs as root. Nothing the master does requires root.

Create salt user for master and set permissions.¶

adduser --shell /bin/bash --no-create-home --disabled-password --disabled-login salt
chown -R salt:salt /etc/salt /var/cache/salt /var/log/salt /var/run/salt /srv/salt
systemctl restart salt-master

Note

Verify any custom directories are modified as well. salt-master does require a shell to run commands such as salt-run.

Minions require root to properly install software, update apt and execute commands.

Service Setup¶

Use TLS for protocol encryption¶

Non-root User¶

Service Setup ¶

Use TLS for protocol encryption ¶

Non-root User ¶