{"id":52541,"date":"2025-09-30T13:54:55","date_gmt":"2025-09-30T10:54:55","guid":{"rendered":"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/"},"modified":"2025-09-30T13:54:55","modified_gmt":"2025-09-30T10:54:55","slug":"how-to-configure-salt-step-by-step","status":"publish","type":"post","link":"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/","title":{"rendered":"How to Configure Salt Step by Step"},"content":{"rendered":"<p><\/p>\n<article><\/p>\n<p>\n      Salt is <a href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-2fa-step-by-step\/\">a<\/a> fast, flexible configuration management and orchestration tool that handles configuration, remote execution, and automation across fleets of servers. This article walks through practical steps to get a Salt master and minions running, explains how to author basic states and pillars, and covers useful operational <a href=\"https:\/\/www.hostinger.com\/tutorials\/linux-commands\" target=\"_blank\" rel=\"noopener\">commands<\/a> and troubleshooting. The goal is a clean, repeatable setup you can extend as your environment grows.\n    <\/p>\n<p><\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_80 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Prerequisites_and_planning\" >Prerequisites and planning<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Installing_Salt\" >Installing Salt<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Debian_ubuntu\" >Debian \/ ubuntu<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#RHEL_centos_Alma\" >RHEL \/ centos \/ Alma<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Notes_on_containers_and_single-node_testing\" >Notes on containers and single-node testing<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Initial_master_configuration\" >Initial master configuration<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Initial_minion_configuration\" >Initial minion configuration<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Start_services_and_accept_keys\" >Start services and accept keys<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Basic_state_structure_and_applying_a_state\" >Basic state structure and applying a state<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Pillars_and_sensitive_data\" >Pillars and sensitive data<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Grains_targeting_and_environments\" >Grains, targeting, and environments<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Salt-ssh_and_alternative_workflows\" >Salt-ssh and alternative workflows<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Operational_tips_and_best_practices\" >Operational tips and best practices<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Troubleshooting_common_issues\" >Troubleshooting common issues<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Security_considerations\" >Security considerations<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#Summary\" >Summary<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#FAQs\" >FAQs<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#How_do_I_test_states_without_affecting_production\" >How do I test states without affecting production?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#What_should_I_do_if_a_minion_keeps_reconnecting_or_losing_keys\" >What should I do if a minion keeps reconnecting or losing keys?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-20\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#When_should_I_use_Salt-SSH_instead_of_a_minion\" >When should I use Salt-SSH instead of a minion?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#How_can_I_manage_secrets_like_database_passwords\" >How can I manage secrets like database passwords?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-22\" href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-salt-step-by-step\/#What_is_the_recommended_way_to_structure_a_large_Salt_deployment\" >What is the recommended way to structure a large Salt deployment?<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"Prerequisites_and_planning\"><\/span>Prerequisites and planning<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Before installing, decide which machine will be the Salt master and which machines will act as minions. Salt uses ports 4505 and 4506 for the event bus and the request\/response channel, so confirm firewalls allow those connections. Keep time synchronized across systems (chrony or ntp) to avoid issues with authentication and logs. If you plan to scale, sketch out environments (base, dev, prod), a repository structure for your state files, and whether you&#8217;ll use file server backends like GitFS for version control.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Installing_Salt\"><\/span>Installing Salt<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Salt packages are available for major distributions. Below are the typical installation commands; adjust for your distribution and architecture. Using distribution packages keeps system integration simple.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Debian_ubuntu\"><\/span>Debian \/ <a href=\"https:\/\/www.hostinger.com\/tutorials\/what-is-ubuntu\" target=\"_blank\" rel=\"noopener\">ubuntu<\/a><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<pre><code><a href=\"https:\/\/www.hostinger.com\/tutorials\/sudo-and-the-sudoers-file\/\" target=\"_blank\" rel=\"noopener\">sudo<\/a> apt-get update<br \/>\nsudo <a href=\"https:\/\/hostadvice.com\/how-to\/web-hosting\/ubuntu\/how-to-use-the-apt-command-to-manage-ubuntu-packages\/\" target=\"_blank\" rel=\"noopener\">apt-get install<\/a> -y salt-master salt-minion<\/code><\/pre>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"RHEL_centos_Alma\"><\/span>RHEL \/ <a href=\"https:\/\/www.hostinger.com\/tutorials\/what-is-centos\" target=\"_blank\" rel=\"noopener\">centos<\/a> \/ Alma<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<pre><code>sudo yum install -y <br \/>\nsudo yum clean expire-cache<br \/>\nsudo yum install -y salt-master salt-minion<\/code><\/pre>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Notes_on_containers_and_single-node_testing\"><\/span>Notes on containers and single-node testing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      For quick testing you can run salt-minion and salt-master on the same <a href=\"https:\/\/www.a2hosting.com\/\" target=\"_blank\" rel=\"noopener\">host<\/a>. Use salt-call &#8211;local to test states locally without requiring a master, which is useful while developing SLS files.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Initial_master_configuration\"><\/span>Initial master configuration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      The primary configuration file is \/etc\/salt\/master. At minimum define where state files live, the environment structure, and any master-specific options such as external auth or <a href=\"https:\/\/support.hostinger.com\/en\/articles\/1583302-how-to-deploy-a-git-repository\" target=\"_blank\" rel=\"noopener\">git<\/a> backends. A minimal file_roots setup looks like this:\n    <\/p>\n<p><\/p>\n<pre><code># \/etc\/salt\/master (excerpt)<br \/>\nfile_roots:<br \/>\n  base:<br \/>\n    - \/srv\/salt<br>pillar_roots:<br \/>\n  base:<br \/>\n    - \/srv\/pillar<br>auto_accept: False<\/code><\/pre>\n<p><\/p>\n<p>\n      Keep auto_accept disabled in production to prevent unknown minions from being trusted automatically. If you use GitFS, configure the fileserver_backend and gitfs_remotes sections instead of local file_roots.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Initial_minion_configuration\"><\/span>Initial minion configuration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Edit \/etc\/salt\/minion to point to your master. Set the master IP or <a href=\"https:\/\/hostadvice.com\/blog\/domains\/difference-between-hostname-and-domain-name\/\" target=\"_blank\" rel=\"noopener\">hostname<\/a> and optionally an id for predictable naming. You can also define grains in this file to tag minions with roles, environments, or other attributes that will be useful for targeting states.\n    <\/p>\n<p><\/p>\n<pre><code># \/etc\/salt\/minion (excerpt)<br \/>\nmaster: salt-master.example.com<br \/>\nid: webserver-01<br># Optional static grains<br \/>\ngrains:<br \/>\n  role: web<br \/>\n  environment: production<\/code><\/pre>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Start_services_and_accept_keys\"><\/span>Start services and accept keys<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Start the master and minion services and then manage keys using salt-key. When a minion first connects it presents a public key on the master which must be accepted before commands will run. For safety, review keys before accepting.\n    <\/p>\n<p><\/p>\n<pre><code>sudo systemctl enable --now salt-master<br \/>\nsudo systemctl enable --now salt-minion<br># On the master, list and accept keys<br \/>\nsudo salt-key -L            # list accepted, unaccepted, rejected keys<br \/>\nsudo salt-key -a webserver-01   # accept a specific key<br \/>\nsudo salt-key -A            # accept all pending keys (use cautiously)<\/code><\/pre>\n<p><\/p>\n<p>\n      After accepting a key, verify connectivity with a simple ping test: salt &#8216;*&#8217; test.ping should return True for connected minions.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Basic_state_structure_and_applying_a_state\"><\/span>Basic state structure and applying a state<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      States live under the file_roots path (\/srv\/salt by default). Create a top.sls to map minions to the states they should receive, then add SLS files. The example below installs and ensures <a href=\"https:\/\/www.a2hosting.com\/kb\/developer-corner\/nginx-web-server\/installing-the-nginx-web-server\/\" target=\"_blank\" rel=\"noopener\">nginx<\/a> is running on all minions with the role web.\n    <\/p>\n<p><\/p>\n<pre><code># \/srv\/salt\/top.sls<br \/>\nbase:<br \/>\n  'G@role:web':<br \/>\n    - match: grain<br \/>\n    - <a href=\"https:\/\/www.a2hosting.com\/kb\/developer-corner\/nginx-web-server\/installing-the-nginx-web-server\/\" target=\"_blank\" rel=\"noopener\">nginx<\/a><\/code><\/pre>\n<p><\/p>\n<pre><code># \/srv\/salt\/nginx.sls<br \/>\nnginx:<br \/>\n  pkg.installed:<br \/>\n    - <a href=\"https:\/\/www.hostinger.com\/domain-name-search\" target=\"_blank\" rel=\"noopener\">name<\/a>: nginx<br>nginx-service:<br \/>\n  service.running:<br \/>\n    - name: nginx<br \/>\n    - require:<br \/>\n      - pkg: nginx<\/code><\/pre>\n<p><\/p>\n<p>\n      Apply the state with a targeted highstate. Using grain targeting ensures only intended minions receive the state.\n    <\/p>\n<p><\/p>\n<pre><code>sudo salt -G 'role:web' state.apply<br \/>\n# or to force all configured states on each minion:<br \/>\nsudo salt '*' state.highstate<\/code><\/pre>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Pillars_and_sensitive_data\"><\/span>Pillars and sensitive data<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Pillars provide per-minion data that is delivered securely from the master. Use \/srv\/pillar\/top.sls to map pillar SLS files to minions, then reference pillar data from states. Pillars are never served to unauthenticated clients; they are targeted to minion IDs or via grains.\n    <\/p>\n<p><\/p>\n<pre><code># \/srv\/pillar\/top.sls<br \/>\nbase:<br \/>\n  'webserver-01':<br \/>\n    - nginx<br># \/srv\/pillar\/nginx.sls<br \/>\nnginx:<br \/>\n  port: 8080<\/code><\/pre>\n<p><\/p>\n<p>\n      Access pillar data from a state with {{ pillar[&#8216;nginx&#8217;][&#8216;port&#8217;] }} or use the jinja\/sls pillar lookup. Test pillars with sudo salt &#8216;webserver-01&#8217; pillar.items.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Grains_targeting_and_environments\"><\/span>Grains, targeting, and environments<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Grains are static facts from minions (OS, CPU, custom tags). They are ideal for targeting and for conditional logic inside states. You can set persistent grains in \/etc\/salt\/grains or set them dynamically via salt &#8216;*&#8217; grains.setval key value. Use environments to separate development and production state trees by configuring multiple file_roots keys (base, dev, prod) and running salt with saltenv if needed.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Salt-ssh_and_alternative_workflows\"><\/span>Salt-<a href=\"https:\/\/www.a2hosting.com\/kb\/getting-started-guide\/accessing-your-account\/using-ssh-secure-shell\/\" target=\"_blank\" rel=\"noopener\">ssh<\/a> and alternative workflows<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      If you cannot run a minion on target hosts, salt-<a href=\"https:\/\/www.a2hosting.com\/kb\/getting-started-guide\/accessing-your-account\/using-ssh-secure-shell\/\" target=\"_blank\" rel=\"noopener\">ssh<\/a> allows Salt to operate over SSH without persistent agents. It translates Salt states to commands executed via SSH and is useful for occasional management or environments with strict policies. To use salt-ssh, create a roster and run salt-ssh &#8216;target&#8217; state.apply.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Operational_tips_and_best_practices\"><\/span>Operational tips and best practices<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Organize states in a predictable layout, keep them in version control, and test locally prior to pushing changes. Use salt-call &#8211;local on a representative minion for debugging. Avoid auto_accept in production; manage keys explicitly. Implement CI for your state tree so changes are validated by linters and unit tests. Consider using the Reactor to trigger actions based on events and the Scheduler for recurring jobs. For large deployments, explore the Syndic pattern or run multiple masters with a REST\/API gateway for scaling.\n    <\/p>\n<p><!--KB_CAT_BLOCK--><\/p>\n<figure class=\"kb-cat-placeholder\" style=\"margin:1.75rem 0;display:block;\">\n<div class=\"kb-cat-wrap\" style=\"position:relative; overflow:hidden; border-radius:12px; box-shadow:0 10px 36px rgba(0,0,0,0.14);\"><img src=\"https:\/\/infinitydomainhosting.com\/kb\/assets\/img\/cat-default.webp\" alt=\"How to Configure Salt Step by Step\" loading=\"lazy\" decoding=\"async\" style=\"max-width:100%;height:auto;display:block;border-radius:12px;box-shadow:0 8px 28px rgba(0,0,0,0.12);\" \/><\/p>\n<div class=\"kb-cat-gradient\" style=\"position:absolute; inset:0; background:linear-gradient(180deg, rgba(9,23,60,0.66) 0%, rgba(11,30,70,0.45) 40%, rgba(11,30,70,0.15) 100%);\"><\/div>\n<div class=\"kb-cat-textbox\" style=\"position:absolute; inset:auto 5% 7% 5%; color:#fff; text-align:center; display:flex; flex-direction:column; gap:.4rem; align-items:center; justify-content:flex-end;\">\n<div class=\"kb-cat-title\" style=\"font-weight:800; font-size:clamp(20px,3.6vw,34px); line-height:1.2; letter-spacing:.2px; text-shadow:0 1px 2px rgba(0,0,0,.35);\">How to Configure Salt Step by Step<\/div>\n<div class=\"kb-cat-meta\" style=\"opacity:1; font-weight:600; font-size:clamp(13px,2.6vw,16px); line-height:1.45; text-shadow:0 1px 2px rgba(0,0,0,.28);\">Salt is a fast, flexible configuration management and orchestration tool that handles configuration, remote execution, and automation across fleets of servers. This article walks through practical steps to get a\u2026<\/div>\n<div class=\"kb-cat-desc\" style=\"opacity:1; font-weight:500; font-size:clamp(12px,2.4vw,15px); line-height:1.5; max-width:900px; text-wrap:balance; text-shadow:0 1px 2px rgba(0,0,0,.25);\">AI<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Troubleshooting_common_issues\"><\/span>Troubleshooting common issues<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      If a minion does not show up, confirm network routes and that ports 4505\/4506 are open between master and minion. Check \/var\/log\/salt\/master and \/var\/log\/salt\/minion for errors. Key mismatches often come from duplicated minion IDs; ensure each minion has a unique id in \/etc\/salt\/minion or derived from the system hostname. If states do not apply, run salt-call &#8211;local state.apply on the minion to see local renderer errors; common causes are indentation or YAML syntax problems in SLS files. When using GitFS, ensure the master can access the repository and that credentials are configured if the repo is private.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Security_considerations\"><\/span>Security considerations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Salt uses public\/private keypairs for authentication between master and minion. Keep the master secure and limit access to its API. Use eauth (external authentication) for APIs, enable <a href=\"https:\/\/www.hostinger.com\/tutorials\/what-is-tls\" target=\"_blank\" rel=\"noopener\">tls<\/a> verification where applicable for Git backends, and avoid placing secrets in plain SLS files , use pillars or an external secrets backend. Review permission and ownership of \/srv\/salt and \/srv\/pillar so the Salt master process can read them but unauthorized users cannot.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Getting Salt running involves installing the master and minion packages, configuring file_roots and pillars on the master, setting the master address and grains on minions, accepting minion keys, and authoring states and top.sls mappings. Use pillars for secret or per-minion data, grains for targeting, and salt-call for local testing. Keep your state tree in version control, test changes before applying them broadly, and monitor logs to catch issues early.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"FAQs\"><\/span>FAQs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_do_I_test_states_without_affecting_production\"><\/span>How do I test states without affecting production?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      Use salt-call &#8211;local on a non-production or test minion to run states locally and debug <a href=\"https:\/\/www.hostinger.com\/tutorials\/what-is-rendering\" target=\"_blank\" rel=\"noopener\">rendering<\/a>. Maintain a separate environment (dev) in your file_roots and run states there first. Use CI pipelines to run salt-lint and unit tests on SLS files before merging changes to production branches.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_should_I_do_if_a_minion_keeps_reconnecting_or_losing_keys\"><\/span>What should I do if a minion keeps reconnecting or losing keys?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      Check that the minion ID is unique and consistent. <a href=\"https:\/\/support.hostinger.com\/en\/articles\/2152545-how-to-inspect-website-elements-in-your-browser\" target=\"_blank\" rel=\"noopener\">inspect<\/a> master and minion logs for messages about key rejections. Ensure network stability and that time synchronization is working. If a key was rotated or replaced, remove the old key on the master (salt-key -d <id>) and accept the new one after verifying identity.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"When_should_I_use_Salt-SSH_instead_of_a_minion\"><\/span>When should I use Salt-SSH instead of a minion?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      Use salt-ssh when you cannot or do not want to run a persistent minion on target hosts, such as in locked-down environments or for occasional ad-hoc management. Salt-ssh works over SSH and does not require the Salt master\/minion <a href=\"https:\/\/www.hostinger.com\/tutorials\/tcp-protocol\" target=\"_blank\" rel=\"noopener\">tcp<\/a> ports, but it may not support every feature available to a full minion.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_can_I_manage_secrets_like_database_passwords\"><\/span>How can I manage secrets like database passwords?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      Store secrets in pillars and limit pillar access through top.sls mappings so only intended minions receive those values. For stronger security, integrate Salt with a secrets backend (HashiCorp Vault, AWS Secrets Manager) or use the external pillars system to pull secrets dynamically.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_is_the_recommended_way_to_structure_a_large_Salt_deployment\"><\/span>What is the recommended way to structure a large Salt deployment?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      For larger environments, adopt multiple environments (base, prod, dev), keep state files in a version-controlled repository and use GitFS, leverage the Syndic pattern or multi-master setup for scale and redundancy, and implement CI pipelines to validate state changes. Use roles and grains for consistent targeting and monitor master health and job return statuses regularly.\n    <\/p>\n<p>\n  <\/article>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Salt is a fast, flexible configuration management and orchestration tool that handles configuration, remote execution, and automation across fleets of servers. This&hellip;<\/p>\n","protected":false},"author":1,"featured_media":52542,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[8,9405,4593,9,1,4594,3,10,4,11,7,88,2],"tags":[911,811,11353,10643,670,706,13375,13362,13304,13354,719,525,406],"class_list":["post-52541","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-website-security","category-ai","category-databases","category-domains","category-general","category-networking","category-php-scripts","category-servers","category-ssl-certificates","category-support","category-web-design","category-web-hosting","category-wordpress","tag-automation","tag-configuration","tag-configuration-management","tag-devops","tag-guide","tag-how-to","tag-how-to-configure-salt-step-by-step","tag-infrastructure-as-code","tag-salt","tag-saltstack","tag-setup","tag-step-by-step","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/posts\/52541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/comments?post=52541"}],"version-history":[{"count":1,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/posts\/52541\/revisions"}],"predecessor-version":[{"id":52543,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/posts\/52541\/revisions\/52543"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/media\/52542"}],"wp:attachment":[{"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/media?parent=52541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/categories?post=52541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/tags?post=52541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}