Easy client configuration management (no master required!)

In some environments you might just want Salt to bootstrap each host into a particular state, nothing more. This is common in organizations that don't want staff to be able to run arbitrary commands from the Salt master against every server. Depending on your access control setup, a Salt master from which someone can run salt '*' cmd.run 'rm -rf /' might not be the best idea, regardless of the benefit of being able to run salt '*' cmd.run 'yum update bash' to patch something like Shellshock on demand.

After all, you can accomplish much the same thing by defining your states carefully and having each minion fetch and apply them on a schedule, without exposing every system to a compromised Salt master. An interesting configuration here is to keep your states in AWS S3 (or in AWS CodeCommit when it's released), which your EC2 instances can reach with read-only permissions. As an example, your instances could sync the states every 15 minutes and then call a highstate. Note that this moves the trust rather than removing it: whoever can write to that bucket can run code as root on every instance, so treat write access to the bucket the way you would treat access to the master.

Let's set that up.

First we’ll need a bucket in S3 in order to store our states.

aws s3 mb s3://[prefix]-salt-cm --region us-west-2

Easy enough if you have a working AWS CLI (note that aws s3 mb needs the s3:// prefix on the bucket name). Otherwise, stop by the AWS console and create your bucket. Depending on your preferences you might want to create more than one bucket.

Next we'll need to sync our configuration management files into the S3 bucket. I recommend not compressing them into a zip file or similar: with a straight copy of the tree you can enable versioning on the bucket, and S3 will keep a history of every individual state file, which also gives you a record of exactly what changed if the bucket is ever tampered with.

aws s3 sync . s3://[prefix]-salt-cm

Make sure that you attach an IAM role to your minions that grants read-only access (s3:GetObject and s3:ListBucket) to that bucket and nothing more; write access to the bucket is effectively root on every minion, so keep it to the people and pipelines that would otherwise have had master access. Amazon has great documentation for implementing IAM roles.

Next, create a masterless minion (repeat this on all minions):

wget -O - https://bootstrap.saltstack.com | sudo sh # Or host the rpm in S3 and verify its checksum before installing, rather than piping a download straight into a root shell.
echo "file_client: local" | sudo tee -a /etc/salt/minion

Do not start the salt-minion daemon. Instead, use salt-call --local state.highstate to apply the full highstate locally, or salt-call --local state.sls httpd to apply just the 'httpd' state.

Make sure the salt-minion service is stopped and disabled with service salt-minion stop and chkconfig salt-minion off (or systemctl disable --now salt-minion on systemd hosts), so nothing on the box ever tries to connect to a master.

Next, sync the bucket to the correct location on the minion. The command below assumes the bucket mirrors the filesystem layout (srv/salt/..., etc/salt/...), since it syncs into the root directory; if the bucket holds only the state tree, sync it into /srv/salt (the default file_roots for a local minion) instead, so a sync can never write outside the state tree. Add --delete if you want states removed from the bucket to disappear from the minion as well. For example:

aws s3 sync s3://[prefix]-salt-cm /

Here's an example command to add a crontab job that runs salt-call every 15 minutes (the sync command above should run first, for instance from a small wrapper script that the cron entry calls). Any existing entry is filtered out before the new one is appended, so the command can be re-run without creating duplicates:

(crontab -l 2>/dev/null | fgrep -v 'salt-call --local state.highstate'; echo '*/15 * * * * salt-call --local state.highstate') | crontab -
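As an added example (not code from the original post or from SaltStack), here is the whole cycle the steps above describe collapsed into one wrapper script: sync the state tree from the bucket, run the local highstate, and install the cron entry in a way that can be re-run safely. It assumes the bucket holds only the state tree and therefore syncs it into /srv/salt rather than /, and it assumes the script itself is installed at /usr/local/sbin/salt-local-apply; the bucket name reuses the [prefix] placeholder from above and can be overridden with SALT_S3_BUCKET.

```shell
#!/bin/sh
# salt-local-apply: added example, not from the original post or from SaltStack.
# One wrapper for the "sync from S3, then highstate" cycle, plus an idempotent
# cron installer. Assumptions (mine, not the page's): the bucket holds only the
# state tree, so it is synced into /srv/salt (Salt's default file_roots for
# file_client: local) rather than /, and this script lives at
# /usr/local/sbin/salt-local-apply.
set -eu

BUCKET="${SALT_S3_BUCKET:-s3://[prefix]-salt-cm}"   # same placeholder name as above
STATE_ROOT="${SALT_STATE_ROOT:-/srv/salt}"
SELF="/usr/local/sbin/salt-local-apply"
CRON_TAG="# managed: salt-local-apply"               # marks our entry so it can be replaced

# Produce the new crontab text: every existing line is kept except the ones
# carrying CRON_TAG (and blank lines), then exactly one fresh entry is appended.
# Pure text in, text out, so the result can be checked without touching the
# real crontab.
#   $1 = current crontab contents, $2 = schedule fields, e.g. "*/15 * * * *"
render_crontab() {
    existing="$1"
    schedule="$2"
    printf '%s\n' "$existing" | grep -v -F -- "$CRON_TAG" | grep -v '^$' || true
    printf '%s %s %s\n' "$schedule" "$SELF" "$CRON_TAG"
}

# Pull the current state tree (removing states deleted upstream) and apply it.
# The instance role only needs read access to the bucket for this to work.
apply_states() {
    mkdir -p "$STATE_ROOT"
    aws s3 sync --delete "$BUCKET" "$STATE_ROOT"
    salt-call --local state.highstate
}

# Install or refresh the cron entry for the invoking user (run this as root).
install_cron() {
    current="$(crontab -l 2>/dev/null || true)"
    render_crontab "$current" '*/15 * * * *' | crontab -
}

case "${1:-}" in
    run)     apply_states ;;
    install) install_cron ;;
    *)       echo "usage: $0 {run|install}" >&2 ;;
esac
```

Run it once as root with install to add the cron entry; run is what cron then calls every 15 minutes. Because render_crontab drops only lines carrying its own tag, other people's cron entries survive, and running install again replaces the entry instead of duplicating it.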

For official SaltStack documentation on a masterless configuration, check out this quickstart document.

You can also see this mini bootstrap script that you can use with your own infrastructure: aws_bs_saltstack.sh