Salt Master on OpenBSD 6.0

Let’s get started with SaltStack, but let’s put a twist on it and install our Salt Master on OpenBSD 6.0.

Why OpenBSD?

In the world of “Cloud Computing”, more and more data is hosted off-site, and on a huge scale. Security is, and should be, the biggest concern. Whilst no OS can mitigate poor code, an OS that is secure out of the box helps. Our Salt Master must remain secure at all costs, as it touches all of our infrastructure. Luckily, OpenBSD prides itself on security:

Only two remote holes in the default install, in a heck of a long time!

Getting started

OK, so this is going to be the OpenBSD rehash of a Digital Ocean article, but I wanted to illustrate how easy it is to get a master installed ready for configuration.

First off, let’s grab Salt from the repositories, easy enough. As root, use pkg_add to get the OpenBSD version of Salt.

# pkg_add salt

Now create your directories for the Salt base and its pillars.

# mkdir -p /var/salt/{base,pillar}

Awesome, so now we are going to configure our Salt master service. The configuration file for our Salt master can be found in /etc/salt/master.

# vi /etc/salt/master

You will quickly notice that this is a YAML file; if you hadn’t already guessed, SaltStack uses YAML pretty much everywhere.

The section you want to uncomment and change is file_roots. Here we want to set our base to /var/salt/base, which we created above.

file_roots:
  base:
    - /var/salt/base

Now we also want to set our pillar_roots to point to /var/salt/pillar.

pillar_roots:
  base:
    - /var/salt/pillar

Done. Save and quit.

We need to have our Minion configured on our Master server. Let’s edit our minion configuration located in /etc/salt/minion.

# vi /etc/salt/minion

We’re only really after one line in particular: the one naming our master. Look for the line with master: on it and change it to your local IP address.

master: 127.0.0.1

Time to enable and start our services. First we are going to enable salt_master and salt_minion using rcctl.

# rcctl enable salt_master
# rcctl enable salt_minion

Now we are going to start the services:

# rcctl start salt_master
# rcctl start salt_minion

So all’s good, right? Well… not quite. Currently our local server’s instance of the Salt Minion cannot talk to the Salt Master, because its key has not been accepted.

Let’s see what I mean. On our server:

# salt-key --list all

You will see that our server’s name appears under “Unaccepted Keys:” (here my server is called master.salt.pyrat.uk, you probably should have a better name for yours).

Example output:

Accepted Keys:
Denied Keys:
Unaccepted Keys:
master.salt.pyrat.uk
Rejected Keys:

What we need to do is ‘accept’ our key. This is done by issuing the ‘-a’ flag to salt-key with the hostname:

# salt-key -a master.salt.pyrat.uk

You will be prompted to confirm whether or not you are sure this is what you want to do.

Example output:

The following keys are going to be accepted
Unaccepted Keys:
master.salt.pyrat.uk
Proceed? [n/Y]

Enter ‘y’:

Key for minion master.salt.pyrat.uk accepted.

We can now check that our key has been accepted:

# salt-key --list all

It should now appear under “Accepted Keys:”

Example output:

Accepted Keys:
master.lan
Denied Keys:
Unaccepted Keys:
Rejected Keys:
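
Before accepting a key, it is worth confirming that the fingerprint the master holds is the one the minion actually generated. The script below is an added example, not part of the original article: the function names and the sample outputs are constructed for illustration, and it reads the two fingerprints with salt-key -f and salt-call --local key.finger.

```shell
#!/bin/sh
# Added example: accept a pending minion key only when the fingerprint the
# master holds equals the fingerprint the minion reports for itself.

# Pull the first colon-separated hex fingerprint out of command output.
extract_fp() {
    grep -Eio '([0-9a-f]{2}:){15,}[0-9a-f]{2}' | head -n 1 | tr 'A-F' 'a-f'
}

# fingerprints_match MASTER_OUTPUT MINION_OUTPUT
# Returns 0 only if both outputs contain a fingerprint and they are equal.
fingerprints_match() {
    master_fp=$(printf '%s\n' "$1" | extract_fp)
    minion_fp=$(printf '%s\n' "$2" | extract_fp)
    [ -n "$master_fp" ] && [ "$master_fp" = "$minion_fp" ]
}

# accept_if_verified MINION_ID   (run as root on the master)
# In this article master and minion are the same host, so the minion's view
# is read locally. For a remote minion, run key.finger on that host and
# compare its output over a trusted channel instead.
accept_if_verified() {
    id=$1
    master_out=$(salt-key -f "$id") || return 2
    minion_out=$(salt-call --local key.finger) || return 2
    if fingerprints_match "$master_out" "$minion_out"; then
        salt-key -y -a "$id"
    else
        echo "fingerprint mismatch for $id, not accepting" >&2
        return 1
    fi
}

# Constructed sample outputs (not taken from a real host).
SAMPLE_MASTER='Unaccepted Keys:
master.salt.pyrat.uk:  9b:3f:20:aa:51:c4:7e:08:d2:66:1b:f0:34:9a:c7:5d'
SAMPLE_MINION='local:
    9b:3f:20:aa:51:c4:7e:08:d2:66:1b:f0:34:9a:c7:5d'
SAMPLE_ROGUE='local:
    11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00'

fingerprints_match "$SAMPLE_MASTER" "$SAMPLE_MINION" && echo "genuine key: match"
fingerprints_match "$SAMPLE_MASTER" "$SAMPLE_ROGUE" || echo "other key: mismatch"
```

On the master itself, accept_if_verified master.salt.pyrat.uk replaces the interactive salt-key -a step shown above.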

Now we can test to see that our Salt Minion is successfully listening to our Salt Master:

# salt "*" test.ping

Example output:

master.lan:
    True

That’s it for now. Simple Ubuntu to OpenBSD translation for Salt Master installation.

Source (Adapted for OpenBSD): https://www.digitalocean.com/community/tutorials/saltstack-infrastructure-installing-the-salt-master