Why use SaltStack for automation and orchestration

SaltStack is a good choice for very large networks, thanks to its message queue networking and multi-master architecture

At a Glance

Thomas S. Hatch released Salt, aka the SaltStack Platform, in 2011 after becoming frustrated with the (slow) speed of the Ruby-based open source configuration management systems available at the time, including Puppet and Chef. Hatch used the open source ZeroMQ messaging library for networking and Python as the implementation language. Later the more scalable RAET (Reliable Asynchronous Event Transport Protocol) transport was developed as an alternative message queue.

The result is a massively scalable automation system, supporting many thousands of nodes, with message queue networking and a multi-master architecture. If you have huge networks, SaltStack—whether open source Salt or SaltStack Enterprise—might be a better choice than Puppet, Chef, or Ansible. To open source Salt, SaltStack Enterprise adds features like a web console with customizable dashboards and reports, role-based access control with LDAP integration, database encryption and activity auditing, and commercial support.  

SaltStack architecture

SaltStack provides event-driven automation, orchestration, and remediation, since Salt minions (agents) can report back to their masters when their client is out of spec. SaltStack can also talk to agentless nodes using SSH; the nodes must have Python installed as well as SSH. Agentless communication is slower than using a message queue.

Salt controllers are called masters; Salt agents are called minions. Salt configuration modules are called states, and they are written in Jinja-based YAML, Python, or PyDSL. Data is held in pillars; grains hold static information about a system in RAM. Execution modules perform local actions when called by the remote execution engine and contain cross-platform compatibility information.

Between the Salt state modules and execution modules, I couldn’t come up with many important omissions except for a few recent cloud offerings. Serverless is hot right now: I found official support for AWS Lambda, but not Azure Functions or Google Cloud Functions. When I asked SaltStack about this, they said “We have started to do research on serverless to see how Salt can work with some of these serverless providers but it has not been formalized into our product.”

YAML is about as simple as you can get for configuration files, and is within the abilities of almost all administrators. Using Python, PyDSL, or Jinja, a Python templating language, gives you as much flexibility as you need, but requires a little bit of programming skill.

Salt minions can connect to multiple masters at one time, either with all masters active or using a single active master with failover. A separate “syndic” feature allows the network to be partitioned in such a way that certain masters can control certain segments of the infrastructure, and “master of masters” nodes can control multiple segments underneath them.

SaltStack Enterprise

SaltStack Enterprise extends the already-scalable Salt architecture with an enterprise API, an enterprise console (web GUI with Chrome and Firefox browser support), and a Salt master plug-in. As shown in the diagram below, the enterprise API adds command-and-control of all Salt masters, a remote file server, external pillar storage, a job returns database, and role-based access control with external LDAP authentication. For large networks (beyond 1,000 total minions), SaltStack Enterprise uses a PostgreSQL database for the back end. The enterprise API replaces the Salt master syndic component.

saltstack enterprise api IDG

The SaltStack Enterprise API adds seven new functions to the open source Salt architecture. SaltStack Enterprise can be added to a Salt installation at any time.

SaltStack Enterprise provides devops engineers and IT operators with event-driven automation and orchestration for natively integrated configuration management, infrastructure security and compliance, and control over clouds and containers. The event-driven capability comes because minions can report back to their masters about out-of-spec conditions over the message queue, and the masters can remediate the issues through Event Reactors. In the security and compliance area, SaltStack Enterprise audits against internal and external policy definitions for firewall rules, listening ports, CVE scans, CIS, OpenSSL and more.

On the ITIL side, SaltStack Enterprise has integrations with enterprise IT solutions from Hewlett Packard Enterprise, Nutanix, ServiceNow, Suse, VMware, and Zenoss. On the cloud, SaltStack Enterprise can do multi-cloud orchestration with IBM, AWS, Microsoft Azure, Google, OpenStack, and others, for a total of more than two dozen different public and private cloud providers. It does orchestration and introspection for both Docker and LXC containers. For devops, SaltStack Enterprise not only integrates with Jenkins and Git, but also works with other automation systems such as Puppet and Chef.

Salt Cloud

The Salt Cloud is part of open source Salt. It provisions systems on cloud hosts and hypervisors and brings them under the control of the Salt automation platform. Salt Cloud interacts with DNS, cloud storage, and load balancers, and automatically connects new VMs to a Salt Master for tight integration with the rest of the Salt platform.

SaltStack installation and setup

Installation of open source Salt with its bootstrap is as simple as running a Curl command and a shell command on each master and minion. If you give the master the DNS name “salt” then the minions will connect to it automatically; otherwise they need to know the IP address of the master. You also have the options of running agentless nodes over SSH and using a proxy minion for controlling devices, such as network gear with a proprietary OS.

SaltStack Enterprise is only a little harder to install. If you’re starting from scratch, it’s a matter of one Yum (RHEL/CentOS) or Zypper (SLES) command to install the SaltStack Enterprise server, and then installing the open source Salt masters and minions as above. If you’re upgrading, you can use Salt states to upgrade each master with the enterprise plug-in.

Open source Salt installs its own copy of Python if needed on each master and minion. SaltStack Enterprise also installs its own copy of PostgreSQL if needed.

You may also need to configure roles in SaltStack Enterprise, and credentials in all Salt masters. You should also install a Salt presence beacon in all minions, but that only requires one action from the SaltStack Enterprise console.

Cost: Salt is free open source. SaltStack Enterprise is offered via a subscription license starting at $120 per managed node per year. Volume and multi-year agreement discounts are available. Several support package options are available and included with this annual subscription. Services and training are also available to SaltStack Enterprise customers.

Platform: SaltStack Enterprise: master supported on CentOS, RHEL, and SLES. Open source Salt: most recent operating systems including CentOS, Debian, RHEL, SLES, and Ubuntu supported as both masters and minions; AIX, Solaris, Windows, and MacOS supported as minions.

At a Glance
  • Salt is a good choice for very large networks, thanks to its message queue networking and multi-master architecture. SaltStack Enterprise offers even more scalability and convenience.


    • Vast scalability
    • Both agent-based and agentless control of nodes
    • Minions (agents) run on most modern operating systems
    • Message queue networking performs well


    • SaltStack Enterprise masters run only on CentOS, RHEL, and SLES
    • Not available as part of AWS OpsWorks

Copyright © 2018 IDG Communications, Inc.