In some environments, you might just want Salt to bootstrap the client into a particular state, nothing more. This is likely common in certain organizations that don't want staff to be able to run arbitrary commands from the salt master against every server. Depending on your access control setup, having a Salt master where you can run `salt '*' cmd.run 'rm -rf /'` might not be the best idea, regardless of the potential benefit of running `salt '*' cmd.run 'yum update bash'` to patch things like Shellshock immediately.
After all, you can accomplish similar tasks by defining your states carefully and having those states sync and run on a schedule, without exposing all your systems if your Salt master gets hacked. An interesting configuration here would be to keep your states in AWS S3 (or in AWS CodeCommit when it's released), with read-only permissions granted to your EC2 instances. As an example, you could have your instances sync every 15 minutes and call a highstate.
Let's set that up.
First we’ll need a bucket in S3 in order to store our states.
aws s3 mb s3://[prefix]-salt-cm --region us-west-2
Easy enough if you have a working Amazon CLI. Otherwise, stop by the AWS console and create your bucket. Depending on your preferences you might want to create more than one bucket.
Next we’ll need to sync our configuration management files into the configured S3 bucket. I recommend not compressing them into a zip file or similar. With a straight copy you’ll be able to enable version control in S3.
aws s3 sync . s3://[prefix]-salt-cm
Make sure that you add an IAM role to your minions that has permissions to the S3 bucket. Amazon has great documentation for implementing IAM roles.
Next, to create a masterless minion (repeat this on all minions):
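Pulling the bucket, versioning and IAM steps above together, here is an added example of the publish side as a small POSIX shell script. It is not the post's own script: the bucket name follows the `[prefix]-salt-cm` convention used above, the role name `salt-minion` and policy name `salt-cm-readonly` are placeholders chosen here, and the state tree under the source directory is assumed to be laid out as it should land under `/` on the minion (for example `srv/salt/...`), since the post later syncs the bucket to `/`. The policy grants the minion role only `s3:ListBucket` and `s3:GetObject` on that one bucket, so a compromised instance can read the states but cannot change what every other minion pulls.

```shell
#!/bin/sh
# Publish-side helper (example added to this post, not the author's script).
# Assumptions: bucket is [prefix]-salt-cm; SALT_BUCKET_PREFIX, SALT_MINION_ROLE
# and the policy name are placeholders supplied by the caller.
set -eu

bucket_name() { echo "$1-salt-cm"; }

# Least-privilege IAM policy for the minion role: list the bucket and read
# objects, nothing else (no Put/Delete, so minions cannot alter the states).
minion_readonly_policy() {
    bucket=$(bucket_name "$1")
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::$bucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::$bucket/*"
    }
  ]
}
EOF
}

# Create the bucket, enable versioning (useful because the states are copied
# uncompressed) and sync the state tree from $3 into it.
publish_states() {
    prefix="$1"; region="$2"; src="$3"
    bucket=$(bucket_name "$prefix")
    aws s3 mb "s3://$bucket" --region "$region"
    aws s3api put-bucket-versioning --bucket "$bucket" \
        --versioning-configuration Status=Enabled
    aws s3 sync "$src" "s3://$bucket"
}

# Attach the read-only policy inline to the instance role the minions use.
attach_minion_policy() {
    prefix="$1"; role="$2"
    aws iam put-role-policy --role-name "$role" \
        --policy-name "salt-cm-readonly" \
        --policy-document "$(minion_readonly_policy "$prefix")"
}

# Only touch AWS when explicitly asked, so the helpers can be sourced safely.
if [ "${RUN_SALT_PUBLISH:-0}" = "1" ]; then
    publish_states "$SALT_BUCKET_PREFIX" "${AWS_REGION:-us-west-2}" .
    attach_minion_policy "$SALT_BUCKET_PREFIX" "${SALT_MINION_ROLE:-salt-minion}"
fi
```

Run it from the directory holding your state tree with `RUN_SALT_PUBLISH=1 SALT_BUCKET_PREFIX=myorg sh publish.sh`; the instance profile itself (role creation and attachment to the EC2 instances) is left to the IAM documentation the post points at.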
wget -O - https://bootstrap.saltstack.com | sudo sh   # Or host the rpm in S3.
echo "file_client: local" | sudo tee -a /etc/salt/minion
Do not start the salt-minion daemon. Instead we can use `salt-call --local state.highstate` to run the local highstate, or `salt-call --local state.sls httpd` to execute the 'httpd' state. Make sure the salt service is disabled with `service salt-minion stop` and `chkconfig salt-minion off`.
Next sync the S3 folder to the correct location on the minion. For example:
aws s3 sync s3://[prefix]-salt-cm /
Here's an example command to add a crontab job that runs the highstate every 15 minutes, keeping any other jobs already in the crontab:
(crontab -l 2>/dev/null | fgrep -i -v 'salt-call --local state.highstate'; echo '*/15 * * * * salt-call --local state.highstate') | crontab -
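The minion-side steps above (bootstrap, `file_client: local`, disable the daemon, sync from S3, schedule the highstate) as one added example script. This is not the post's script nor the linked aws_bs_saltstack.sh: the `RUN_SALT_BOOTSTRAP` and `SALT_BUCKET_PREFIX` variables are assumptions made here, the script expects to be run as root (so `sudo` from the post is dropped), and the config path is a parameter so the helper can be exercised on a scratch file. The crontab rewrite reads the existing crontab on stdin, drops any earlier highstate entry and appends a single `*/15` entry, so re-running the bootstrap never stacks duplicate jobs and never discards unrelated ones.

```shell
#!/bin/sh
# Masterless minion bootstrap (example added to this post, not the author's).
# Assumptions: the bucket is [prefix]-salt-cm, the instance role can read it,
# and the caller sets SALT_BUCKET_PREFIX; RUN_SALT_BOOTSTRAP=1 gates execution.
set -eu

HIGHSTATE_CMD='salt-call --local state.highstate'

# Append "file_client: local" to the minion config unless already present.
# Takes the path as $1 so it can be run against a scratch file.
ensure_file_client_local() {
    conf="$1"
    touch "$conf"
    if ! grep -q '^file_client: local$' "$conf"; then
        echo 'file_client: local' >> "$conf"
    fi
}

# Read an existing crontab on stdin, drop any previous highstate entry and
# emit a single */15 entry at the end. Other jobs pass through untouched.
cron_with_highstate() {
    grep -v -i -F "$HIGHSTATE_CMD" || true   # grep exits 1 when nothing is left
    echo "*/15 * * * * $HIGHSTATE_CMD"
}

install_cron() {
    # crontab -l exits non-zero when the user has no crontab yet
    (crontab -l 2>/dev/null || true) | cron_with_highstate | crontab -
}

# Pull the state tree from the read-only bucket to / as the post does.
sync_states() {
    aws s3 sync "s3://$1-salt-cm" /
}

bootstrap_minion() {
    prefix="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    wget -O - https://bootstrap.saltstack.com | sh   # or host the rpm in S3
    ensure_file_client_local /etc/salt/minion
    service salt-minion stop || true                 # may not be running yet
    chkconfig salt-minion off
    sync_states "$prefix"
    install_cron
    salt-call --local state.highstate                # first run right away
}

if [ "${RUN_SALT_BOOTSTRAP:-0}" = "1" ]; then
    bootstrap_minion "${SALT_BUCKET_PREFIX:?set SALT_BUCKET_PREFIX}"
fi
```

Invoke it on a fresh instance with `RUN_SALT_BOOTSTRAP=1 SALT_BUCKET_PREFIX=myorg sh bootstrap.sh`; because the instance only has read access to the bucket, the cron job can only ever apply states someone published from the other side.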
For official SaltStack documentation on a masterless configuration, check out this quickstart document.
You can also see this mini bootstrap script that you can use with your own infrastructure: aws_bs_saltstack.sh