########## Please note that on this page the YAML structure is not good ##########

 

Multiple ways to target a minion:

  • To target minions with grains PCRE matching >> salt -C 'P@os:(RedHat|Suse)' test.ping

Salt command line module:

To list all grains on a Salt minion >> salt '*' grains.items

 

To send a file from the master's file server (salt://) to the minions >> salt '*' cp.get_file salt://myenv/myconfig.conf /etc/myconfig.conf

Remove a file >> salt 'your_minion_id' file.remove /path/to/your/file.txt

Which Salt version

  • salt '<minion>' test.versions_report

Which OS version

  • salt '<minion>' grains.item os_family osrelease

State module summary:

  • To use the cmd.run module in a state >>
    • cmd.run:
    • - name: <the name of the command>
  • To verify that a file exists >>
    • file.exists:
    • - name: /path/to/your/file.txt
  • To erase a file >>
    • file.absent:
    • - name: /path/to/your/file.txt
  • To push a file from the minion to the master >>
    • module.run:
      • - name: cp.push
      • - path: /path/to/the/file
    • The file will be stored on the master in >> /var/cache/salt/master/minions/minion-id/files
    • cp.push only works when file_recv: True is set in the master configuration; it is disabled by default.

Jinja templating:

For grain matching >> {% if grains['os_family'] == 'RedHat' %}

To set a variable >> {% set osfam = grains['os_family']|lower %}

To call the osfam variable >> {% if osfam == 'suse' %} 

To use the hostname of the server as a variable

  • {% if salt['file.file_exists']('/root/' ~ grains['host'] ~ '.txt') %}
    • Why this works:
    • ~ concatenates strings in Jinja.
    • Nothing is quoted inside another quoted string, so the parser doesn’t get confused.
    • grains['host'] is evaluated, and the full path (e.g., /root/myhost.txt) is passed to file.file_exists.

Jinja and state example:

Push a config file

pam_password_config:
  file.managed:
    - name: /etc/pam.d/password
    - source: salt://pam/password
    - user: root
    - group: root
    - mode: '0644'
    - makedirs: True
    - backup: minion

Remove the config file first

pam_password_remove:
  file.absent:
    - name: /etc/pam.d/password

pam_password_install:
  file.managed:
    - name: /etc/pam.d/password
    - source: salt://pam/password
    - user: root
    - group: root
    - mode: '0644'
    - makedirs: True
    - require:
      - file: pam_password_remove

{% if grains['os_family'] == 'RedHat' %}
my_File_Red_Config:
  file.managed:
    - name: /etc/yum.repos.d/local_red.repo
    - source: salt://local_red.repo
    - user: root
    - mode: '0644'

update_pkgs_redhat:
  pkg.uptodate:
    - refresh: True
    - require:
      - file: my_File_Red_Config

{% elif grains['os_family'] == 'Suse' %}
my_File_Suse_Config:
  file.managed:
    - name: /etc/zypp/repos.d/local_suse.repo
    - source: salt://local_red.repo
    - user: root
    - mode: '0644'

update_pkgs_suse:
  pkg.uptodate:
    - refresh: True
    - require:
      - file: my_File_Suse_Config
{% endif %}

Troubleshoot minion

Solve the key issue after updating a minion

# on the minion
Stop the service >> sudo systemctl stop salt-minion
Remove the old keys >> sudo rm -rf /etc/salt/pki/minion/* /var/cache/salt/minion/*
Start the service again >> sudo systemctl start salt-minion
# on the master
salt-key -d <minion_id> -y
salt-key -a <minion_id> -y
salt '<minion_id>' test.ping

 

Change the root password:

This returns a $6$ hash

  • salt 'minion-id' shadow.gen_password 'YourNewPass' algorithm=sha512

Copy the returned hash, then:

  • salt 'minion-id' shadow.set_password root '$6$...returned_hash...'

Add an RSA key to SSH to the server:

This creates the “.ssh” folder in the “/root” directory if it does not already exist:

  • salt 'minion-id' file.mkdir /root/.ssh user=root group=root mode=700

This sends the RSA key to the server and appends it to the “authorized_keys” file:

  • salt 'minion-id' file.append /root/.ssh/authorized_keys 'ssh-ed25519 AAAAC3Nz... your@machine'

This changes the permissions on the “authorized_keys” file:

  • salt 'minion-id' file.set_mode /root/.ssh/authorized_keys 600

 

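Create a new rescue user with sudo access (user.present is a state function, so it is called from the command line through state.single):

  • salt 'minion-id' state.single user.present name=rescueadmin home=/home/rescueadmin createhome=True groups='[wheel]'

Add the new user to the sudoers (this one without a password; the command uncomments the NOPASSWD rule for the whole wheel group):

  • salt 'minion-id' file.uncomment /etc/sudoers '^# %wheel ALL=\(ALL\) NOPASSWD:ALL' backup=False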
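
The SSH key, rescue user and sudo steps above written as one Salt state, as an added example that is not part of the original notes. The state IDs, the file name rescue_access.sls and the /etc/sudoers.d/rescueadmin drop-in are assumptions; the state grants passwordless sudo to rescueadmin only, rather than to the whole wheel group, and checks the sudoers content with visudo before writing it.

```yaml
# rescue_access.sls (hypothetical file name; state IDs are illustrative)

root_ssh_dir:
  file.directory:
    - name: /root/.ssh
    - user: root
    - group: root
    - mode: '0700'

root_rescue_key:
  ssh_auth.present:
    # Key body, elided exactly as on this page: paste the full public key here.
    - name: AAAAC3Nz...
    - user: root
    - enc: ssh-ed25519
    - comment: your@machine
    - require:
      - file: root_ssh_dir

rescueadmin_user:
  user.present:
    - name: rescueadmin
    - home: /home/rescueadmin
    - createhome: True
    - groups:
      - wheel

rescueadmin_sudoers:
  file.managed:
    # Assumes /etc/sudoers includes /etc/sudoers.d.
    - name: /etc/sudoers.d/rescueadmin
    - contents: 'rescueadmin ALL=(ALL) NOPASSWD:ALL'
    - user: root
    - group: root
    - mode: '0440'
    # Salt writes the new content to a temporary file and appends its path
    # to this command; the target is only replaced if visudo exits 0.
    - check_cmd: /usr/sbin/visudo -c -f
    - require:
      - user: rescueadmin_user
```

With the file placed in the master's file roots, it is applied with salt 'minion-id' state.apply rescue_access.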

 

How to install Salt on Rocky 9

Fix the repo so we can install the minion:

sudo dnf -y install curl dnf-plugins-core
curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download... \
 | sudo tee /etc/yum.repos.d/salt.repo
sudo dnf clean expire-cache

sudo dnf config-manager --set-disabled 'salt-repo-*'
sudo dnf config-manager --set-enabled salt-repo-3007-sts

# install latest 3007.x (or specify -3007.6)
sudo dnf -y install salt-minion-3007.6