Girish Raja

March 6, 2023

Saltstack Introduction:

Salt is a Python-based open-source remote execution framework used for:
  • Configuration management
  • Automation
  • Provisioning
  • Orchestration

Salt uses the master-client model in which a master issues commands to a client and the client executes the command. In the Salt ecosystem, the Salt Master is a server that is running the salt-master service. It issues commands to one or more Salt Minions, which are servers that are running the salt-minion service and that are registered with that Salt Master.

Salt Master

The Salt Master is the central control bus that connects with the clients, called minions. The minions connect back to the master servers using a secure, key-based handshake. A Salt environment can have multiple Salt Masters, and each master can manage its own set of minions. All integrations with endpoints are configured on the master. A single pane of management controls the multi-master environment: the eAPI, or RaaS server.

Enterprise API / RaaS (Returner as a Service):

The RaaS server functions as a front end to the Salt environment and consists of two components: 1) a graphical user interface (GUI) and 2) API endpoints. The RaaS server holds the license keys and interfaces with all the master nodes in the infrastructure through RPC control endpoints. It provides capabilities such as RBAC, a centralized file server using a Postgres backend, Redis (an in-memory database), and a centralized job management interface.

Salt Minions:

Minions are agents installed on the workloads that the Salt Master manages by pushing commands, configurations, patches, updates, etc. Once a minion is installed, a key exchange happens from the minion to the master, and if the key is accepted the minion joins that Salt Master. Although the preferred method of deploying SaltStack is through agents, it supports agentless and proxy-based minions as well.

Saltstack Config:

An IT admin's or DevOps administrator's role involves more than just setting up servers and running services. SaltStack Config helps your team automate common infrastructure administration tasks and ensures that all the components of your infrastructure are operating in a consistent desired state.

The Salt modules can quickly and consistently automate common infrastructure administration tasks such as:

  • Managing operating system deployment and configuration
  • Installing and configuring software applications and services
  • Managing servers, virtual machines, containers, databases, web servers, network devices, and more.
  • Remote execution of commands/scripts on minions, whether agent-based or agentless.

Saltstack SecOps:

SaltStack SecOps harnesses SaltStack Config’s event-driven automation technology to provide two additional security services:

Security Compliance

Create security policies and scan your system to determine whether it is compliant with supported, industry-recognized security benchmarks. SaltStack SecOps can immediately deploy the updates or patches to bring your system into compliance.

Vulnerability Remediation

Create security policies and scan your system for common vulnerabilities and exposures (CVEs), then immediately apply the updates or patches to remediate the advisories. You can also import security scans from other third-party scanning services such as Tenable or Rapid7, then immediately remediate these advisories as well.

Benefits of Saltstack Config & SecOps Management:

  • The state files in SaltStack Config can be used to apply configuration to multiple nodes simultaneously.
  • These state files are compatible with workloads running on any private or public cloud.
  • The state management system ensures that the nodes are configured properly as per the organization's policies and guidelines. In case of any drift, they are immediately remediated back to their desired configuration.
  • The event-driven architecture of Salt reacts to events and responds by initiating the configured actions.
  • The SecOps component in SaltStack can assess the infrastructure for deviations from the compliance benchmarks that have been set, or for vulnerabilities that arise out of the configuration. It then uses the configuration management component to remediate them to the desired configuration.
  • SaltStack SecOps can also integrate with vulnerability scanner tools like Qualys, Rapid7, Tenable, Carbon Black, etc. to get the export of the scan assessment and then use it to remediate the workloads.
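
To make the state file and drift remediation points above concrete, here is a small Salt state that pins one SSH setting and restarts the daemon only when the file changes. It is an added example, not taken from the original article or from VMware's content; the state path, the state IDs and the `sshd` service name (it is `ssh` on Debian-family systems) are assumptions.

```yaml
# /srv/salt/ssh_hardening/init.sls
# (path and state IDs are assumptions made for this example)
#
# Report drift without changing anything:
#   salt '*' state.apply ssh_hardening test=True
# Enforce the desired state on every targeted minion:
#   salt '*' state.apply ssh_hardening

# Make sure the SSH server package is present before touching its config.
openssh-server:
  pkg.installed: []

# Desired state: root login over SSH is disabled.
# file.replace rewrites an existing (possibly commented-out) directive,
# or appends the line if the directive is missing altogether.
sshd_disable_root_login:
  file.replace:
    - name: /etc/ssh/sshd_config
    - pattern: '^#?\s*PermitRootLogin\s+.*$'
    - repl: 'PermitRootLogin no'
    - append_if_not_found: True
    - require:
      - pkg: openssh-server

# Keep the daemon enabled and running; "watch" restarts it only when
# the config state above reports a change, so a compliant node is untouched.
sshd_service:
  service.running:
    - name: sshd          # assumption: use "ssh" on Debian/Ubuntu
    - enable: True
    - watch:
      - file: sshd_disable_root_login
```

Running the state a second time on an unchanged node reports no changes, which is what lets the same file serve as both the compliance check and the remediation.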

