<h1 style='font-family: helvetica',align = 'center'>SaltStack Administration </h1>
<h2 style='font-family: helvetica',align='center'>Created 2017/02/01 by Braun Brelin</h2>


## What is DevOps?
- All about bringing together developers and operations teams
- Automating the environment
- Measuring application performance


### Automate everything
- Automate code testing
- Automate workflows
- Automate infrastructure

 ### Constant iteration of development
- Write new features and bug fixes in small chunks
- Automatically create, test and monitor new software additions


### Synchronize environments
- Identical environments for development, test and production


### Monitor yourself
- Adopt iterative processes to monitor and measure code and operations daily.
- Improve ability to quickly respond to customer concerns and market conditions. 

### Write code rather than perform manual actions
- Teams write code to automate configuration management
- Teams write code to handle triggered events.
- Teams write code to allow them to scale their environment


### Use source code control
- Manage and document all changes to application code
- Manage and document all changes to configurations and documentation.

### Adopt proper discipline
- Use devops to develop processes in place to manage your environment and your applications
- Put an end to controlled chaos that is the lot of most IT departments
- Understand the control the impact of unforseen events and disasters. 

### Reduce time to market
- Use devops to reduce the time it takes to bring new features and bug fixes from weeks and months to days and hours.
- Deploy frequently using an Agile like methodology.

## What does Saltstack allow us to do?
- Describe our infrastructure with code.
- Makes our infrastructure scalable
- Makes our infrastructure reliable.
- Gives us consistent environments. 
- Better Security
- Ability to quickly duplicate our environments. 
- Simplifies auditing and tracking capabilities

### Managing infrastructure as code
- Gives us revision control
- Allows use of bug tracking and ticketing systems. 
- Ability to do peer review before changes happen.
- Gives us infrastucture design patterns. 
- Test infrastucture changes the same way we test application changes.

### Monitoring and Metrics
- Allows to track every possible resource
- Gives us alerts on all services, availability and response times
- Capture, learn and improve
- Share access and data with everyone on the team
- Plan metrics and monitoring into the application lifecycle.
- Easily integrate third party monitoring and logging tools.

## What is SaltStack?
- A tool to turn your infrastructure into software. 
- Automates packing and provisioning of code to your IT environment.
- A massive finite state machine
- Configuration manger for your operations devops and cloudops environments. 



## Saltstack components
 - Salt Master
 - Salt Minions
 - Execution Modules
 - States 
 - Grains
 - Pillars
 - Top File
 - Runners
 - Returners
 - Reactors
 - Salt Cloud
 - Salt SSH 

### Salt Master
- Central Management Server
- Used to send commands and configuration data to salt minions running on managed systems.

### Salt Minion
- Software that runs on a managed system. 
- Receives commands and configuration data from the Salt master


### Execution Modules
- Ad hoc commands executed from the command line against one or more managed systems.
- perform real-time monitoring, status and inventory
- Run one-off commands or scripts
- Deploying critical updates.

### States
- A representation of a system configuration. Can be declarative or imperative.

### Grains
- Static system information about the managed system.
- Examples include the operating system. CPU, Memory, and other properties.
- You can define customized grains (properties) for your systems.

### Pillars
- User defined properties.  
- Stored securely on the salt master.
- Assignable to one or more minions using targets
- Examples include network ports, file paths, passwords, configuration parameters



### Top file
- Matches states and pillar data to minions


### Runners
- Modules that execute on the salt master to perform tasks. 
- Examples include runners that report job status, connection status, and query minions

### Returners
- Modules that can return data to various sources, such as a database.
- Returners can run on the Salt minions or the Salt master.

### Reactor
- Component that can be programmed to trigger reactions to specific events. 


### Salt Cloud
- Allows provisioning of systems on cloud providers or hypervisors 
- Immediately brings these systems under salt management. 

### Salt SSH
- Allows us to run Salt commands over SSH for systems that do not have a minion provisioned.

## Architectural overview of remote execution
Salt is a highly configurable, scalable and robust application that allows one master to manage thousands of minions simultaneously with almost no performance loss.  This means that the time required to update many minions is at worst a logarithmic function rather than a linear or exponential function.    

All Salt minions receive commands at the same time.  Salt can use multiple protocols to achieve this, however the recommended (and default) protocol is the ZeroMQ message queuing system.  While Salt can interface with many types of data stores, it's real win is being able to query minions in real time.  

While Salt mainstains a master/slave relationship between the master and the minions, communication with the minions is mostly a set of instructions or commands to run.  The minion is responsible for doing the heavy lifting and returning the results back to the master.

Salt normalizes commands between different hardware platforms.  All commands and states are the same regardless of the underlying operating system being run on the minion. 

Salt will run wherever you can install Python.  If a minion cannot run Python, then Salt provides a *proxy minion* that can interface with the real minion and issue commands on behalf of the master un the minion's native protocol. Additionally, the proxy parses and returns all output from the minion back to the master. 

Salt can perform all of its functions without requiring or using a programming language (Although you will get its best performance if you know some of the Python programming language).   

Everything in Salt is extensible.  You can even change the underlying network protocol.  You can create your own modules as well.  Following is an example of the remote execution architecture diagram. 

<img src = '../graphics/RemoteMethodExecutionArchitecture.png'> </img>

The preceeding diagram shows an example of the execution model.  Note that this diagram omits the configuration management portion of SaltStack and focuses on the remote execution subsystem.  It shows that when a job runs, many different subsystems of Salt.  Looking at this diagram we see the following<br><br>
- Start jobs by calling the command line interface, a RESTful service or a Python script.
- Output is formatted by default as YAML, however, other formats, such as JSON, plain text and other formats are also supported.
- Results can be stored in many ways, SQL databases, NoSQL databases, flat text files, or any other data store. 
- The job returner can be any one of a number of plugins to other applications, or even not exist at all. 
- Salt can abstract details of the underlying O/S or applications by using the concept of a *virtual module*. For example the *pkg* module contains support for both the Debian *aptpkg* and the Red Hat *yumpkg* modules, however, we only need to call the *pkg* module directly.


Salt uses a publish/subscribe model (also known as an observer pattern).  The Salt minion subscribes to the salt master via a persistent connection.  When an even happens, the master publishes messages that the minions can receive and act upon.

Salt uses Public Key Infrastructure for secure authentication.  <br>
The Salt minion on starting up for the first time looks for a master named *salt* (The default name).  The minion sends its public key to the master.  The master must accept the key, either through manual intervention (The salt-key command) or through an automated process. Note that the minion won't be able to run any commands until this key is accepted. <br>
Encryption is achieved through the use of the Advanced Encryption Standard (AES).  The AES key is changed everytime the salt-master reboots or a minion key is deleted.<br>
Access Control verification is done through the Publisher ACL (or whatever ACL standard you choose).  Every command run on a minion must be verified through this ACL to make sure that the command sender has permission to do so. 

## Salt States
The core of the Salt system is the *Salt state*.  States are kept in .sls files known as Salt State Files. Salt State files are data structures that define the desired state of any minion.  These state files are implemented in Python as Python data structures, such as lists, dictionarys, strings and so on.  


Salt state files are kept in a heirarchical format known as a state tree  with the root of the tree  being the *top.sls* file. Beneath the top level directory you can create directories for each type of state that you wish.

Here's an example of a state tree hierarchy. 


<img src='../graphics/State%20Heirarchy%20Diagram.png'> </img>

Let's see how this directory and file structure might be implemented.  The top level state file is always called top.sls.  Beneath this, for each state that we define, we create a directory and put the configuration files for that state there.  Salt looks for an *init.sls* file as the main configuration file for that state.
Let's take a look at the nginx init.sls file.


<table align='left', width='950px'>
<tr>
<td>
<p style='font-family:courier'>
nginx:    \# <--- The state identifier<br>
&nbsp;&nbsp;pkg:    <br>
&nbsp;&nbsp;&nbsp;&nbsp;- installed    \# < --- This is the pkg.installed fuction.  I.e. we want the nginx package installed <br>
&nbsp;&nbsp;service.running: \# <--- This is the service.running function. It will automatically start nginx. <br>
&nbsp;&nbsp;&nbsp;&nbsp;- watch:       \# <--- When certain files change, we want to restart the nginx server. Watch tells salt <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\#      to monitor the files listed below and restart when they change. <br>
&nbsp;&nbsp;- pkg: nginx<br>
&nbsp;&nbsp;&nbsp;&nbsp;- file: /etc/nginx/nginx.conf    \# <--- File to watch for. <br>
<br>
\# The next two sections describe how we manage the files specified on the monitor watch list.  <br>
&nbsp;&nbsp;      /etc/nginx/nginx.conf:<br>
&nbsp;&nbsp;&nbsp;&nbsp;  file.managed:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;    - source: salt://nginx/files/etc/nginx/nginx.conf <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;    - user: root <br>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;   - group: root <br>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;   - mode: 640<br><br>
\# This section controls the nginx defaults file.  We'd like to customize this for each web server we set up.<br>
\# To do this, we use a jinja template.  We put the .jinja on the end of the filename so we know that it's a
\# jinja template.  Also, we tell Salt to use jinja as the template format. <br>
&nbsp;&nbsp;/etc/nginx/sites-available/default:<br>
&nbsp;&nbsp;&nbsp;&nbsp;  file.managed:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;    - source: salt://nginx/files/etc/nginx/sites-available/default.jinja<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   - template: jinja<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   - user: root<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;    - group: root<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;    - mode: 640<br><br>
\# The sites-enabled default file is set up as a symbolic link.  Note that we require the source file in the<br> 
\# link to be available before we try and set up the symbolic link.<br>
/etc/nginx/sites-enabled/default:<br>
 &nbsp;&nbsp; file.symlink:<br>
 &nbsp;&nbsp;&nbsp;&nbsp;   - target: /etc/nginx/sites-available/default<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   - require:<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;     - file: /etc/nginx/sites-available/default<br>

</p>
</td>
</tr>
</table>

Once the sls file is written, we need to be able to test it.  To do this, run the following command:]
<table align='left',width='750px'>
<tr>
<td>
<p style='font-family:courier'>
salt-call state.apply -l debug<br>
</p>
</td>
</tr>
</table>

## Salt Grains


What are Grains?  Grains are pieces of information, ususally about the minion itself.  For example grains may include information about the Operating System distribution and type or the hardware platform, such as CPU or memory. 

SaltStack provides many grains called *core* grains immediately.  You can also define customized grains at your convenience. 

To find out what grains are available by default, you can list them from the grains module by typing in the following command:
<table align='left', width='750px'>
<tr>
<td>
<p style='font-family:courier'>
salt '*' grains.ls
</p>
</td>
</tr>
</table>

You can also list the values in the salt grains by using the command:
<table align='left', width='750px'>
<tr>
<td>
<p style='font-family:courier'>
salt '*' grains.items
</p>
</td>
</tr>
</table>

Customized grains can be stored in different places.  
- The minion configuration file.
- The grain configuration file in /etc/salt/grains
<br><br>

Here is an example of storing customized grains in the minion configuration file. 
<table align='left', width='750px'>
<tr>
<td>
<p style='font-family:courier'>
grains:<br>
&nbsp;&nbsp;roles:<br>
&nbsp;&nbsp;&nbsp;&nbsp;   - webserver<br>
&nbsp;&nbsp;&nbsp;&nbsp;    - memcache<br>
&nbsp;&nbsp;deployment: datacenter4<br>
&nbsp;&nbsp;cabinet: 13<br>
&nbsp;&nbsp;cab_u: 14-15<br>
</p>
</td>
</tr>
</table>

And here is an example of storing customized grains in the /etc/salt/grains file
<table align='left', width='750px'>
<tr>
<td>
<p style='font-family:courier'>
&nbsp;&nbsp;roles:<br>
&nbsp;&nbsp;&nbsp;&nbsp;   - webserver<br>
&nbsp;&nbsp;&nbsp;&nbsp;    - memcache<br>
&nbsp;&nbsp;deployment: datacenter4<br>
&nbsp;&nbsp;cabinet: 13<br>
&nbsp;&nbsp;cab_u: 14-15<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br><br><br><br><br>
Because the grain is already stored in the grain configuration file, we don't need the top level 'grain' key.

Customized grains can override the core grain objects.  When Salt loads grains it has an order of precedence. 
Custom grains in /etc/salt/minion.
1. Custom grain modules in \_grains directory, synced to minions.
2. Custom grains in /etc/salt/grains.
3. Custom grains in /etc/salt/minion.
4. Core grains.

If it finds the grain in anyone of these areas, it finishes its lookup.  I.e. a Custom grain with the same name as the core grain will be found and used instead of the core grain.


When a grain is changed in some way, we need to re-sync it for all or some of the minions who's states depend on it.  We can do this one of two ways.

<table align='left', width='750px'>
<tr>
<td>
<p style='font-family:courier'>
saltutil.sync.grains <br>
or<br>
saltutil.sync_all
</p>
</td>
</tr>
</table>

## Salt Pillars
Pillars are somewhat similar to Grains in that they store data about minions.  They're tree-like structures that store data about minions on the salt master.  They allow confidential, secure data to be stored and passed on only to the minions who have allowed access to it. 

Pillars data is useful for:

- Sensitive data such as passwords.
- Minion configuration
- Variables that are specific to a minion or group of minions and accessible via a template formula.
- Any arbitrary data needed.


The pillar subsystem runs in salt by default.  To look at a minion's pillar data, type
<table align='left', width='750px'>
<tr>
<td>
<p style='font-family:courier'>
salt '*' pillar.items
</p>
</td>
</tr>
</table>


The default root for pillars is located in /srv/pillars.  This can be changed in the master's configuration file via the key pillar_root: <br>
As we saw with states, we can create a top level file *top.sls*.  We can then define a pillar heirarchy underneath it.  For example, consider a pillar heirarchy with a *users* pillar underneath the root.  We define our top.sls fil e in /srv/pillar like so:
<table align='left', width='750px'>
<tr>
<td>
<p style='font-family:courier'>
base:<br>
&nbsp;&nbsp;'*':<br>
&nbsp;&nbsp;&nbsp;&nbsp;- users
</p>
</td>
</tr>
</table>


Now, underneath /srv/pillars/users, we can create an init.sls file that looks like this:
<table align='left', width='750px'>
<tr>
<td>
<p style='font-family:courier'>

users:<br>
&nbsp;&nbsp;bbrelin: 1000<br>
&nbsp;&nbsp;bobama: 1001<br>
&nbsp;&nbsp;hclinton: 1002<br>
&nbsp;&nbsp;bsanders: 1003<br>
</p>
</td>
</tr>
</table>


Later on, we'll see how we can use the Jinja2 templating system to parameterize pillar data and use it within states. 

## Salt Grains vs Pillars

Both grains and Pillars define input data to parameterize Salt states.

Depending on the purpose of data, one should make a choice to put it in one place or another.

NOTE:

Here we talk about the practical differences between Grains and Pillars for the default use case only.

<table align='left'>
<tr><th>Differences</th><th>	Grains</th><th>	Pillars</th>

<tr><td>Info which...	</td><td>... Minion knows about itself	</td><td>... Minion asks Master about</td></tr>
<tr><td>Distributed:</td>	<td>Yes</td>	<td>No</td><tr>
<tr><td>Centralized:</td>	<td>No</td>	<td>Yes</td><tr>
<tr><td>Computed automatically:</td><td>	Yes (mostly should)</td><td>	No</td><tr>
<tr><td>Assigned manually:</td><td>	No (or kept to minimum)	</td><td>Yes</td><tr>
<tr><td>Conceptually intrinsic to...</td><td>	... individual Minion node</td><td>	... entire system managed by Master</td><tr>
<tr><td>Data under revision control:</td><td>	No (if static values)</td><td>	Yes</td></tr>
<tr><td>Defines...</td><td>	provided resources</td><td>	required resources</td></tr>
</table>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
Default use case

In our default case the entire system is managed by a single person (authority).

By default Grains are both:

good case: evaluated automatically by Minion software in built-in (like functions in core.py) or custom Grains;<br>
bad case: assigned manually in /etc/salt/minion file (or files it includes) on each Minion individually.
By default Pillars are data defined manually in files under /srv/pillars. If not sure, it is almost always good to define required data in pillar (first).

Distributed vs Centralized

Because Grains are distributed, they are disadvantageous for manual management: one has to access Minions individually to configure Grains for specific Minion.

Instead, it is more convenient to define manual data centrally in Pillars.

It is crucial to differentiate between static and non-static custom Grains:

Static grains have to be distributed across Minions (in their configuration files).
Non-static grains are effectively centralized on Master and pushed to Minions for evaluation.
Probably, the only static Grain one wants to define is Minion id. The rest information about Minion should either be assigned to it through Pillars (using Minion id as a key) or evaluated in non-static grains.

In other words:

static Grains are the bad (impractical) use of Grains;
non-static Grains are the good (practical) use of Grains.
This also suggests that:

Pillars values are normally under revision control centrally on Master;
static Grains values are less convenient to be kept revisioned (or even used);
source code (not values) for non-static Grains is also normally under revision control on Master.
Manual vs Automatic

Because Grains can be computed automatically, they are meant to collect information which is Minion-specific and unknown in advance.

The only practical cases for custom Grains are non-static ones with automatic evaluation on the minion.

Pillars are manually defined for the required state of the system which Salt is supposed to manage and enforce.

System-wide vs Node-specific

Pillars suit more to define (top-down) entire system of Minions as required: roles, credentials, platforms, policies, etc.
Grains suit more to define (bottom-up) environment of individual Minions as provided.
Good vs Bad

Defining good as practical and bad as impractical is heavily influenced by managing system with two hands at a time (single person).

In other cases, static grains may actually be very useful to let (multiple) owners of individual hodes manage preferences. This effectively makes distributed nature of static Grains match nature of responsibilities distributed among the owners. This is simply not default use case.

## Introduction to YAML
YAML stands for YAML Ain't a Markup Language.  YAML is a text based format for creating structured data that is very readable and understandable.  This differs in marked contrast to other types of markup languages such as XML, which is notorious for being difficult to read and expensive to parse. <br>
YAML consists of keys and values, For example let us consider a YAML file which describes an automibile:


<table align='left', width='800px'>
<tr>
<td>
<p style='font-family: courier'>
\# A YAML example <br>
Mercedes: <br>
&nbsp;&nbsp;Type:<br> 
&nbsp;&nbsp;&nbsp;&nbsp;-<br> 
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Hatchback:<br> 
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Fuel: "-- 'Petrol' -- 'Diesel'" <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Model: A<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Weight: 1400<br>
&nbsp;&nbsp;&nbsp;&nbsp;-<br> 
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Saloon: <br> 
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Fuel: "-- 'Petrol' -- 'Diesel' -- 'Electric'"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Model: C<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Weight: 2250
</p>
</td>
</tr>
</table>   
<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
Note that we have a top level key, 'Mercedes', which maps to a complex value.  We have a list called 'Type' with two elements.  We also have an internal list 'Fuel' which is part of the value mapped to 'Type'.
Notice that YAML uses indentation to resolve heirarchy.  'Type is part of the 'Mercedes' key because it has been indented.  If it were on the same indentation level, then it would be a completely separate key/value pair.


YAML Best Practices
- Use UTF-8 encoding when saving files.
- Always use spaces for indentation, never tabs.
- Edit with a text editor, not a WYSIWYG editor such as Microsoft Word.
- Use a monowidth/monospace font such as Courier when viewing YAML files.

## The Jinja2 templating system. 
So far, all of the examples of salt files, such as states, pillars and grains that we've seen having been using static YAML files.  That is, all of the variables have been directly assigned values in YAML.  However, many times, we want to be able to assign values to these variables dynamically, for example if I want to perform some action on a minion based on its operating system, then we need a new tool allow this.  That tool is *Jinja2*.  <br>
Jinja2 is known a templating system, that is, a system that allows us to replace the value of variables  dynamically at runtime.  <br>
Jinja2 adds limited programming capabilities to your state, pillar and custom grain files.<br><br>


Let us consider the following problem. When we want to install the packages Apache web server and vim text editor on a minion, the name of the web server varies from distribution to distribution. In a RedHat based distribution, the server is called 'httpd' and vim is called 'vim-enhanced'.  In a Debian based distribution, the server is called 'apache' and vim is just called 'vim'.  This means that we need to be able to distinguish on the fly what type of Linux distribution is being run on the minion. To do this, let's create a *pkg* pillar. <br>
Here we define a pillar file called */srv/pillar/pkg/init.sls* <br><br>
<table align='left',width='750px'>
<tr>
<td>
<p style='font-family:courier'>
pkgs:<br>
&nbsp;&nbsp;{% if grains['os_family'] == 'RedHat' %}<br>
&nbsp;&nbsp;  apache: httpd<br>
&nbsp;&nbsp;  vim: vim-enhanced<br>
&nbsp;&nbsp;  {% elif grains['os_family'] == 'Debian' %}<br>
&nbsp;&nbsp;  apache: apache2<br>
&nbsp;&nbsp; vim: vim<br>
&nbsp;&nbsp;  {% elif grains['os'] == 'Arch' %}<br>
 &nbsp;&nbsp; apache: apache<br>
&nbsp;&nbsp;  vim: vim<br>
&nbsp;&nbsp;  {% endif %}<br>
</p>
</td>
</tr>
</table>

Now we add this pkg.sls to the pillars top.sls file
<table align='left', width='750px'>
<tr>
<td>
<p style='font-family:courier'>
base:
&nbsp;&nbsp;'*':<br>
&nbsp;&nbsp;&nbsp;&nbsp;- data<br>
&nbsp;&nbsp;&nbsp;&nbsp;- users<br>
&nbsp;&nbsp;&nbsp;&nbsp;- pkg<br>
</p>
</td>
</tr>
</table>

Now, instead of having to write YAML text to cover every possible type of Linux O/S distribution, we can write the following into our /srv/packages/apache/init.sls file:

<table align='left',width='750px'>
<tr>
<td>
<p style='font-family:courier'>
apache:<br>
&nbsp;&nbsp;pkg.installed:<br>
&nbsp;&nbsp;&nbsp;&nbsp;- name: {{ salt\['pillar.get'\]('pkgs:apache', 'httpd') }}<br>
</p>
</td>
</tr>
</table>

The Jinja template expression here is looking up the pillar.get function inside the main salt dictionary, and then runs it with the following parameters 'pkgs:apache' and 'httpd'.  <br>
Saltstack then goes to the the apache init.sls file and runs the Jinja2 expression.  From there it goes to the pkg init.sls and evaluates which type of O/S the minion is running which will get returned in to the 'apache' key.  If it isn't running either of the two Linux distribution, the default evaluates to 'httpd'. 

Notice the use of the Jinja2 templating system in the above examples.  Jinja2 statements begin and end  with one of the following types.'
- '{%' and '%}' for Jinja statements.
- '{{' and '}}' for Jinja expressions.
- '{#' and '#}' for Jinja comments. 

When salt reads the pkgs file prior to executing it, it evaluates the Jinja2 statements and produces a formatted output file in YAML format (the default output) which will be evaluated. 

Jinja has some limited control flow capabilities.  For example:

<table align='left',width='750px'>
<tr>
<td>
<p style='font-family:courier'>
{% if grains['os'] != 'FreeBSD' %}<br>
tcsh:<br>
&nbsp;&nbsp;&nbsp;&nbsp;pkg:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- installed<br>
{% endif %}<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br><br><br><br>
Here we see an example of the if statement.  Note that all if's must end with an 'endif' statement in Jinja.
This template code checks the value of the 'os' grain.  If the minion is not running FreeBSD, then install the 'tcsh' shell on the system. 


Let's see a further example.
<table align='left',width='750px'>
<tr>
<td>
<p style='font-family:courier'>
motd:<br>
&nbsp;&nbsp;file.managed:<br>
&nbsp;&nbsp;&nbsp;&nbsp;{% if grains['os'] == 'FreeBSD' %}<br>
&nbsp;&nbsp;&nbsp;&nbsp;- name: /etc/motd<br>
&nbsp;&nbsp;&nbsp;&nbsp;{% elif grains['os'] == 'Debian' %}<br>
&nbsp;&nbsp;&nbsp;&nbsp;- name: /etc/motd.tail<br>
&nbsp;&nbsp;&nbsp;&nbsp;{% endif %}<br>
&nbsp;&nbsp;&nbsp;&nbsp;- source: salt://motd<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br><br><br><br><br><br>
In this example we have a compound if statement.  Here we check to see if the minion is running FreeBSD. If it is, then the name of the motd file will be set to /etc/mod, otherwise we'll set the file name to motd.tail.  We then tell salt that the default location source for this file is in /srv/salt/base/motd/httpd.conf by referring to the salt URI.
</p>
</td>
</tr>
</table>

We can also use for loops to iterate over collections of data. Continuing our motd example:
<table align='left',width='750px'>
<tr>
<td>
<p style='font-family:courier'>
{% set motd = ['/etc/motd'] %}<br>
{% if grains['os'] == 'Debian' %}<br>
&nbsp;&nbsp;{% set motd = ['/etc/motd.tail', '/var/run/motd'] %}<br>
{% endif %}<br>
<br>
{% for motdfile in motd %}<br>
{{ motdfile }}:<br>
&nbsp;&nbsp;&nbsp;&nbsp;file.managed:<br>
&nbsp;&nbsp;&nbsp;&nbsp;- source: salt://motd<br>
{% endfor %}<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br><br><br><br><br><br><br><br><br>
Here, we set a list variable called *motd* to have as it's first element the default location and name of the motd file. We test our os grain and if it's value is set to Debian, then we change the file name and add a second element. '/var/run/motd', to the motd list.
<br><br>
We can then loop over each element of the motd list and run the file.managed method setting each file's source location to /srv/salt/base/motd. 

One of the real advantages of the jinja templating system is that allows us to expand state files without having to completely rewrite them.  Let's consider the following problem.  We have a QA and a development environment.  Each environment has a different .vimrc file with different settings to better fit which ever environment needed.  How can we deploy this so that QA servers get the .qavimrc and development servers get the .devrimrc files?
Let's first look at our naive vim state implementation located in /srv/salt/edit/vim.sls. 
<table align='left',width='750px'>
<tr>
<td>
</p style='font-family:courier'>
vim:<br>
&nbsp;&nbsp;pkg.installed: []<br>
<br>
/etc/vimrc:<br>
&nbsp;&nbsp;file.managed:<br>
&nbsp;&nbsp;&nbsp;&nbsp;- source: salt://edit/vimrc<br>
&nbsp;&nbsp;&nbsp;&nbsp;- mode: 644<br>
&nbsp;&nbsp;&nbsp;&nbsp;- user: root<br>
&nbsp;&nbsp;&nbsp;&nbsp;- group: root<br>
&nbsp;&nbsp;&nbsp;&nbsp;- require:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- pkg: vim<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br><br><br><br><br><br><br><br><br>
This pillar deploys a vimrc file that is the same across all of our environments. So let's change it to be more intelligent by determing which type of vimrc file we want to install. 

Here is our new /srv/salt/edit/vim.sls state file. 
<table align='left',width='750px'>
<tr>
<td>
</p style='font-family:courier'>
vim:<br>
&nbsp;&nbsp;pkg.installed:<br>
&nbsp;&nbsp;&nbsp;&nbsp;- name: {{ pillar['pkgs']['vim'] }}<br>
<br>
/etc/vimrc:<br>
&nbsp;&nbsp;file.managed:<br>
&nbsp;&nbsp;&nbsp;&nbsp;- source: {{ pillar['vimrc'] }}<br>
&nbsp;&nbsp;&nbsp;&nbsp;- mode: 644<br>
&nbsp;&nbsp;&nbsp;&nbsp;- user: root<br>
&nbsp;&nbsp;&nbsp;&nbsp;- group: root<br>
&nbsp;&nbsp;&nbsp;&nbsp;- require:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- pkg: vim<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br><br><br><br><br><br><br><br><br>

And here is our vim pillar in /srv/pillar/edit/vim.sls

<table width='750px',align='left'>
<tr>
<td>
<p style='font-family:courier'>
{% if grains['id'].startswith('dev') %}<br>
vimrc: salt://edit/dev_vimrc<br>
{% elif grains['id'].startswith('qa') %}<br>
vimrc: salt://edit/qa_vimrc<br>
{% else %}<br>
vimrc: salt://edit/vimrc<br>
{% endif %}<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br><br><br><br><br><br>
Note that the pillar file defines the value of the variable vimrc by checking to see if the id of the minion starts with a 'qa' or a 'dev'.  This assumes, of course that your organization has a naming convention for their servers such that all development servers start with a 'dev' and all qa servers start with a 'qa'. Thus, the vimrc variable defines the source location for the vimrc file. 

## Salt Installation and Configuration
- Getting Salt
- Source Installation
- Packaged Installation
- Salt Bootstrap
- Salt Master Network Ports
- Minion Firewall
- Basic Minion Configuration
- Salt Security
- Lab 1.  Installing Salt

### Getting Salt
- Installing from source on Linux.
- Installing on Ubuntu via apt.

### Installing from source
Make sure that you have git installed on your system. 
Then run the following command
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
git clone https://github.com/saltstack/salt<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br>
Cloning the repository is enough to start working with Salt and contributing to the source code. You may wish, however to fetch additional tags from git.  Salt needs to be able to report the correct version for itself. 
First, we need to add the git repository as an upstream source.
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
git remote add upstream https://github.com/saltstack/salt<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br>
Then fetch tags with the 'git fetch' utility.
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
git fetch --tags upstream<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br>

As of this writing, Saltstack only works with Python version 2.  However, Python 3 is now in wide deployment.  This means that we'll want a virtual environment set up.<br><br>
We can then create a new virtual environment with virtualenv.
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
virtualenv --system-site-packages -p /path/to/your/python2/installation /path/to/your/virtualenv
</p>
</td>
</tr>
</table>
<br><br><br><br><br>
Once you have virtualenv installed, run it like so:
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
source /path/to/your/virtualenv/bin/activate
</p>
</td>
</tr>
</table>
<br><br><br><br><br>
A quick note to Arch Linux users, Python 3 is the default environment.  Use virtualenv2 rather than virtualenv. 
If you're using another distribution besides Debian or Ubuntu, and you are installing M2Crypto via pip, then you must make sure that you have the gcc C compiler installed. 

Now you can install Salt into your virtual environment. 
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
pip install pyzmq PyYAML pycrypto msgpack-python jinja2 psutil futures tornado
pip install -e ./salt   # the path to the salt git clone from above
</p>
</td>
</tr>
</table>
<br><br><br><br><br>
Note:  Don't install the M2Crypto library from pip if you're using Debian or Ubuntu.  They have a patched version of OpenSSL and you need that version before you can use M2Crypto. Instead of using pip, use apt like so:
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
apt-get install python-m2crypto
</p>
</td>
</tr>
</table>
<br><br><br><br><br>

Once you have your virtual environment running, copy the salt master and salt minion configuration files into your virtual environment. 
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
mkdir -p /path/to/your/virtualenv/etc/salt<br>
cp ./salt/conf/master ./salt/conf/minion /path/to/your/virtualenv/etc/salt/
<br>
</p>
</td>
</tr>
</table>
<br><br><br>

Now, you'll need to edit your master configuration file.

1.    Uncomment and change the user: root value to your own user.
2.    Uncomment and change the root_dir: / value to point to /path/to/your/virtualenv.
3.    If you are running version 0.11.1 or older, uncomment, and change the pidfile: /var/run/salt-master.pid value to point to /path/to/your/virtualenv/salt-master.pid.
4.    If you are also running a non-development version of Salt you will have to change the publish_port and ret_port values as well.



And also edit the minion configuration file. <br>
1. Repeat the edits you made in the master config for the user and root_dir values as well as any port changes.
2. If you are running version 0.11.1 or older, uncomment, and change the pidfile: /var/run/salt-minion.pid value to point to /path/to/your/virtualenv/salt-minion.pid.
3. Uncomment and change the master: salt value to point at localhost.
4. Uncomment and change the id: value to something descriptive like "saltdev". This isn't strictly necessary but it will serve as a reminder of which Salt installation you are working with.
5. If you changed the ret_port value in the master config because you are also running a non-development version of Salt, then you will have to change the master_port value in the minion config to match.

Start up the master and the minion, accept the minion's RSA key and verify that your local Salt installation is working. 

<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
cd /path/to/your/virtualenv<br>
salt-master -c ./etc/salt -d<br>
salt-minion -c ./etc/salt -d<br>
salt-key -c ./etc/salt -L<br>
salt-key -c ./etc/salt -A<br>
salt -c ./etc/salt '*' test.ping<br>
<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br><br><br><br><br><br>
Note that running the salt master and the minion with the *-l debug* option adds debugging output. If you want the output to go to the console rather than the log file, remove the -d option from the run commands. 

### Installing from Ubuntu with apt

Saltstack has a PPA to allow installation of Salt on Ubuntu.
Run the following command as root
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
root@saltmaster:~# apt-get --yes -q install python-software properties<br>
root@saltmaster:~# add-apt-repository ppa:saltstack/salt<br>
You are about to add the following PPA to your system:<br>
 Salt, the remote execution and configuration management tool.<br>
 More info: https://launchpad.net/~saltstack/+archive/salt<br>
Press [ENTER] to continue or ctrl-c to cancel adding it<br>
</p>
</td>
</tr>
</table>
<br><br><br><br><br><br><br><Br><br><br>
You must press the [Enter] key, otherwise it won't add the repository

Make sure you update Apt's package index.
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
root@saltmaster:~# apt-get --yes -q update<br>
</p>
</td>
</tr>
</table>
<br><br><br>
Also, install the Python development package. 
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
root@saltmaster:~# apt-get -y python-dev<br>
</p>
</td>
</tr>
</table>
<br><br><br>
<p align='left'>Then install the salt-master package.</p> 
<table align='left', width='700px'>
<tr>
<td>
<p style='font-family:courier'>
root@saltmaster:~# apt-get --yes -q install salt-master<br>
</p>
</td>
</tr>
</table>

Now we can configure the salt master. Let's do a real example of a simple configuration. 
1. Edit the /etc/salt/master configuration file and configure the interface parameter. 
Change it's value to the IP address of the salt master. 
<br>
2. Change the base directory for the salt states files.  The default is /srv/salt.  Change that to 
/salt/states/base.  To do that, uncomment and edit the *file_roots:* parameter with the new value.
3.  Create a new development environment in the top.sls file by adding the following:<br>
<table align='left',width='700px'>
<tr>
<td>
<p style='font-family:courier'>
file_roots:<br>
    base:<br>
    \- /salt/states/base <br>
    development:<br>
    \- /salt/states/dev<br>
 </p>
 </td></tr></table>
 <br> <br> <br> <br> <br> <br> <br>
 <p align='left'>4.  Set the pillar_roots
 <table align='left',width='700px'>
<tr>
<td>
<p style='font-family:courier'>
pillar_roots:<br>
    base:<br>
    \- /salt/pillars/base <br>
 </p>
 </td></tr></table>
 <br> <br> <br> <br> <br>
 Don't forget to create the directories specified in the salt master file!
 

Once we have the master configured, we can then create a minion on a remote machine.  Note that we'll have to log in to the remote system to set up its configuration.  Once that is done, however, you may never need to log into it again.


Start by installing the required python libraries onto the minion.

<table align='left',width='700px'>
<tr>
<td>
<p style='font-family:courier'>
root@saltminion:~# apt-get --yes -q install python-software-properties
 </p>
 </td></tr></table>
 <br> <br> <br> <br> <br>
 Add the repository to apt. 
 <table align='left',width='700px'>
<tr>
<td>
<p style='font-family:courier'>
root@saltminion:~# add-apt-repository ppa:saltstack/salt<br>
You are about to add the following PPA to your system:<br>
Salt, the remote execution and configuration management tool.<br>
More info: https://launchpad.net/~saltstack/+archive/salt<br>
Press [ENTER] to continue or ctrl-c to cancel adding it<br>
 </td></tr></table>
 <br> <br> <br> <br> <br><br><br><br><br>
 Update apt with apt-update
 <table align='left',width='700px'>
<tr>
<td>
<p style='font-family:courier'>
root@saltminion:~# apt-get --yes -q update
 </p>
 </td></tr></table>
 <br> <br> <br> <br> <br>
 Finally, install the salt-minion package
 <table align='left',width='700px'>
<tr>
<td>
<p style='font-family:courier'>
root@saltminion:~# apt-get --yes -q install salt-minion
 </p>
 </td></tr></table>
 <br> <br> <br> <br> <br>
 Repeat this process for every minion you wish to configure. 

Finally, the last thing we need to do is to configure the salt minion.  The only thing we really  need to do here is to set the IP address of the salt master.  A very nice workaround is to simply edit the minion's /etc/host file and have the default server name 'salt' resolve to the salt master's IP address.  Then simply push down a new, updated salt minion configuration file.  No manual editing of the salt minion's config file is needed. 

Restart the salt-minion.  Note that it is going to try and communicate with the salt-master, however, it will fail because the key hasn't been accepted yet.  The procedure for this is the same a the one noted above for installing via the source code. 

### Installing with bootstrap
A third way of installing salt is by using the bootstrap bash script provided by SaltStack. There are multiple ways of downloading this script. 

Via Curl.
<table align='left',width='700px'>
<tr>
<td>
<p style='font-family:courier'>
curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
 </p>
 </td></tr></table>
 <br><br><br><br>
 Via Wget
 <table align='left',width='700px'>
<tr>
<td>
<p style='font-family:courier'>
wget -O bootstrap-salt.sh https://bootstrap.saltstack.com
 </p>
 </td></tr></table>
 <br><br><br><br>
 Via Python <br>
 <table align='left',width='700px'>
<tr>
<td>
<p style='font-family:courier'>
python -m urllib "https://bootstrap.saltstack.com" > bootstrap-salt.sh
 </p>
 </td></tr></table>
 <br><br><br><br>
 Once you have the script, by whichever method you choose, run it like so:
  <table align='left',width='700px'>
<tr>
<td>
<p style='font-family:courier'>
sudo sh bootstrap-salt.sh
 </p>
 </td></tr></table>
 <br><br><br><br>
 This will download and install the latest stable version of SaltStack. Once done, we can now configure the master and create minions as we see fit. 

## Installing Salt to Amazon AWS


Let's now do an example of implementing a package with Salt.  We'll install a webserver called *nginx* though salt. 


## Running Saltstack<br>

Salt is primarily controlled by a command line interface run by the root user on the salt master.
Let's look at the anatomy of the following salt command. 
<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt '\*' test.ping
</p>
</td>
</tr>
</table>
<br><br><br><br>
The first string 'salt' is the salt executable command.  There are multiple commands available with saltstack, including salt and salt-call.
The second argument is the *target*.  This defines the target minion or minions that the salt command will run on. 
In this case we use the globbing wildcard '\*' to specifiy all minions controlled by the master. Finally, we tell salt what execution module and method to run, in this case, we're going to use the test module and run the ping method.  The output will be the result of running a *ping* command on all minions controlled by this master. 



When you run a salt command from the command line, every single minion targeted by that master will run the command simultaneously.  The cmd module allows you to run specific shell commands directly on the minion by invoking the run method of the module.  For example. 

<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt '\*' cmd.run 'cat /etc/hosts'
</td>
</tr>
</table>
<br><br><br><br>
Here we run the command 'cat /etc/hosts' on all minions since the target is '*'. 

While using the cmd module can be useful for running shell commands, you are far better served by running the execution modules available with salt.  These modules express the true power and ability of the Salt application. 
for example, if we want to get the disk space usage ('df') of a minion, instead of doing a cmd.run df, we can do the following:

<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt '\*' disk.usage
</p>
</td>
</tr>
</table>
<br><br><br><br>
This command will call the disk module's usage method and execute it on all targeted minions.

There are many other types of modules, for example, a network module that has a method to list the network interfaces. 


<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt '\*' network.interfaces
</p>
</td>
</tr>
</table>
<br><br><br><br>

Or a module to install a specific package. 

<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt '\*' pkg.install vim
</p>
</td>
</tr>
</table>
<br><br><br><br>

Another important salt executable is *salt-call*.  Unlike salt, which runs its command on the salt master, the salt-call is called from the target minion.  This makes it very useful for debugging purposes.  For example running


<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt-call -l debug state.highstate
</p>
</td>
</tr>
</table>
<br><br><br><br>
on a specific minion will give detailed debugging information on the command line. 

## Targeting minions
It is somewhat rare that you will run a specific execution module that will target all minions.  More likely, you will specify some filtering criteria to only target a specific minion or group of minions.  For example,
<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt 'webserver001' network.interfaces
</p>
</td>
</tr>
</table>
<br><br><br><br>
will run the network.interfaces execution only on the minion with the ID 'webserver001'.  

We can target multiple minions by ordering them into a like so:
<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt -L 'webserver001, webserver002, webserver003' network.interfaces
</p>
</td>
</tr>
</table>
<br><br><br><br>

This, however, is the least of what we can do.  We can for example target minions by the value of a grain.  Recall that grains are platform computed values, such as memory, cpu, operating system type, etc. <br><br> Let's now target all minions that run Red Hat Enterprise Linux.

<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt -G 'os:RHEL' network.interfaces
</p>
</td>
</tr>
</table>
<br><br><br><br>
We see here that the -G option to salt will expect as the next paramter the value of a specific grain.  In this case, the grain is the os attribute and we're looking for all os keys that have the value of 'RHEL'.  

We can also target minions using regular expressions.  For example, if we name our webservers webserver001 through webserver009 and we'd like to run a command targeting webservers 1-4 and 7, we can do the following:

<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt -E ' webserver00[1-47]' network.interfaces
</p>
</td>
</tr>
</table>
<br><br><br><br>

We also have the ability to do compound matches, i.e. to match on more than one criteria.  Let's see an example. 
<table align='left', width = '750px'>
<tr>
<td>
<p style='font-family:courier'>
salt -C 'E@webserver00[1-47]' and 'G@os:Ubuntu' network.interfaces
</p>
</td>
</tr>
</table>
<br><br><br><br>
This will return all of the network interfaces from webserver's 001 though 004 and 007 only if the operating system being run by the webserver is Ubuntu.