vRealize Automation SaltStack Config
Updated: Apr 27, 2022
Founded in 2011, SaltStack was one of the industry leaders in configuration management. They built and maintained the Salt Open project, developed a commercial platform called SaltStack Enterprise, and offered a compliance and vulnerability add-on to SaltStack Enterprise called SecOps.
In October 2020, VMware acquired SaltStack, re-branded SaltStack Enterprise to SaltStack Config, and is now including it in vRealize Automation 8.3 (vRA Standard Plus and above).
There are several great blogs out there highlighting SaltStack Config; here are a few of my favorites:
vRealize Automation 8.3 and SaltStack Config - Technical Overview by VMware Technical Marketing Manager (TMM) Vincent Riccio: https://blogs.vmware.com/management/2021/02/vrealize-automation-8-3-and-saltstack-config-technical-overview.html
VMware vRealize Automation Adds Native Configuration Management with vRealize Automation SaltStack Config by VMware Product Marketing Manager Kendall Lovett: https://blogs.vmware.com/management/2020/11/vmware-vrealize-automation-saltstack-config-launch.html
vRealize Automation SaltStack Config - A Technical Overview by VMware TMM Vincent Riccio: https://blogs.vmware.com/management/2020/11/vrealize-automation-saltstack-config-a-technical-overview.html
Deploying SaltStack Config via Lifecycle Manager in a vRA Environment by VMware SE Cosmin Trif: https://cosmin.gq/2021/02/02/deploying-saltstack-config-via-lifecycle-manager-in-a-vra-environment/
We're going to explore the User Interface (UI) in this blog, but first let's take a look at the SaltStack Config architecture.
The general architecture includes at least one Salt Master (server) with many Salt Minions (agents). Multiple Salt Masters can be deployed, and the Masters act as your source: Configurations, Jobs, Files, and more are pushed out from the Salt Masters to the Salt Minions over an event bus. The SaltStack glossary can be found here: https://docs.saltproject.io/en/latest/glossary.html
Salt Minion agents are supported on CentOS, Linux, macOS, Red Hat, SUSE, Ubuntu, and Windows. These agents allow SaltStack to remain performant at massive scale. The general SaltStack Config framework uses Python and YAML.
Assuming we've deployed vRA SaltStack Config, let's take a look at the UI. Upon login you'll be taken to the Dashboard, which contains Reports.
These reports give you visibility into your SaltStack Config environment, showing things like Salt Events, Database Activity, Jobs, and more. You can insert additional reports into the Dashboard by clicking the ADD REPORT button; there are a total of 13 available.
The Reports tab includes Key states, Licensing information, Versioning details, and more. The Key state tab will show you the key state for each Master/Minion pair.
The Licenses tab provides the user with license entitlement and consumption data.
The Master version, Minion version, and OS version tabs give the user visibility into running versions. The Presence tab will show the user how many Minions are present or disconnected.
Next to the Home tab is the Minions tab, which will show all Minions in your environment with the ability to run Jobs or commands against them. Here you can accept and delete Minion keys.
To run a job, select the Targets on the left that you'd like to run the job against, then click the RUN JOB box. You will be presented with a dropdown to select the Job you'd like to run (we will discuss Jobs later). You also have the ability to dry run the Job and be notified of completion or failure.
The next main tab is Activity, which will list Completed, In Progress, Upcoming Jobs, and details for each Job.
Each Job includes a link to the Job ID (JID) as well. The JID will give you insight into the Job itself: a summary, return values, the raw Python/YAML the Job is running, and Job information.
The In Progress tab allows the user to PAUSE, RESUME, and STOP Jobs that are in progress.
The Upcoming tab will show you all Scheduled Jobs and give you the ability to skip one if you'd like.
The next tab is Elements which is where most of the content sits. Here you'll create Jobs and Schedules and use Pillars and Files. Let's explore each of these.
Jobs - SaltStack executes Jobs, which consist of targets, functions, and arguments. The "salt" command button will run Jobs against Minions, whereas the "salt-run" command button will run Jobs against Masters.
Jobs run functions, with arguments, against the targets listed. There are hundreds of functions built into SaltStack Config based on SaltStack Open. A list of functions (and the modules they're in) can be found here: https://docs.saltproject.io/en/latest/py-modindex.html. General documentation can be found here: https://docs.saltproject.io/en/latest/contents.html
Users can run these functions (or the commands in them) via the SaltStack CLI as well. Think of it as a way to run commands remotely on Minions. https://docs.saltproject.io/en/latest/topics/execution/remote_execution.html
Schedules are just that, schedules of jobs that you'd like to run in the future or on a certain schedule.
Click the CREATE SCHEDULE button to create one. Give it a Name, point it at a Job, provide Targets, and you're off and running.
The next tab is Pillars. Pillars are used to store passwords, config files, certificates, and more. VMware SaltStack SE Dave Boucha explains Pillars like this: "...Pillar is essentially a key/value store...A minion requests its Pillar info from the Salt Master and the Salt Master consults with whatever backends are configured to get the data...By default it uses YAML files on the Salt Master, but you can use things like Vault, Confidant, databases, Git, etc..."
There are 48 different Salt Pillars in SaltStack Config provided by the Salt Open community. https://docs.saltproject.io/en/latest/ref/pillar/all/index.html#all-salt-pillars
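As an added illustration (not from the original post or from VMware's or Salt's own material), here is how the default YAML-file Pillar backend described above can scope a secret to only the minions that need it. The paths assume Salt's default `pillar_roots` and `file_roots` (`/srv/pillar` and `/srv/salt`); the minion ID pattern `db*`, the file names, and the key `postgres:app_password` are hypothetical.

```yaml
# --- /srv/pillar/top.sls (on the Salt Master) ---
# The pillar top file decides which minions receive which pillar data.
# Only minions whose ID matches 'db*' are sent db_secrets; every minion
# gets the non-sensitive 'common' data.
base:
  '*':
    - common
  'db*':
    - db_secrets
---
# --- /srv/pillar/common.sls ---
# Non-sensitive settings that are safe to hand to every minion.
ntp:
  server: ntp.example.internal   # constructed sample value
---
# --- /srv/pillar/db_secrets.sls ---
# Sensitive key/value data. Keep this file readable only by the account
# the Salt Master runs as, and keep it out of the File Server roots:
# files under file_roots are served to any accepted minion that asks.
postgres:
  app_password: REPLACE-WITH-REAL-SECRET   # placeholder, not a real value
---
# --- /srv/salt/db/app_conf.sls (state file, distributed by the File Server) ---
# The state refers to the secret by its pillar key instead of embedding it,
# so the state file itself contains nothing sensitive.
/etc/myapp/db_password:
  file.managed:
    - contents_pillar: postgres:app_password   # looked up in the minion's pillar
    - user: root
    - group: root
    - mode: '0600'
    - show_changes: False   # keep the secret out of the job's return data
```

Running the `pillar.items` function as a Job against a minion that does not match `db*` should return the `ntp` key but no `postgres` key, which confirms the scoping works as intended.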
The File Server tab presents the SaltStack Config file server which is used for distributing files to the Salt minions. Documentation: https://docs.saltproject.io/en/latest/ref/file_server/index.html
Next time we'll focus on vRA SaltStack Config SecOps, a Compliance and Vulnerability add-on to the base SaltStack Config.