SaltStack Essentials: Architecture, Commands, and When to Use It
— ny_wk
Salt (SaltStack) gets lumped in with Chef, Puppet, and Ansible — and rightly so, they all solve the same problem: keeping configuration consistent across machines, whether you run 2 or 20,000. But Salt's design is genuinely different, built around a blazing-fast, encrypted message bus. Understand that bus and the rest of Salt clicks into place. Here's the architecture, the commands you'll actually use, and where Salt shines.
The problem Salt solves
Manual configuration doesn't scale: machines drift, changes get missed, and "is every box patched?" becomes unanswerable. Salt enforces a declared state across your fleet and runs commands across all of it in seconds — config management and remote execution in one tool.
What makes Salt different: the event bus
Salt's backbone is a high-speed, encrypted communication bus. The master and minions establish an authenticated channel, and from there Salt layers everything else on top. Because the bus is so fast, Salt can target a handful of hosts or thousands with the same low latency — that speed is its signature advantage over polling-based tools.
The core components
- Master — the control server that issues commands and stores state.
- Minion — an agent on each managed host that authenticates to the master and executes work.
- Remote execution engine — run any command/module across targeted minions instantly (
salt '*' test.ping). - Grains — static facts about each minion (OS, CPU, role) used for targeting.
- Pillars — secure, per-minion data (secrets, config values) delivered only to the minions that need it.
- States — the declarative config (SLS files) describing desired state.
- Top file — maps which states apply to which minions.
The two modes you'll use daily
1. Remote execution (imperative)
Fire commands across the fleet right now:
salt '*' test.ping — are minions alive?
salt 'web*' pkg.install nginx — install on web minions.
salt -G 'os:CentOS' cmd.run 'uptime' — target by grain.
2. States (declarative)
Describe desired state in an SLS file and apply it:
apply nginx: pkg.installed; service.running (enabled) — then salt 'web*' state.apply nginx. Minions converge to that state and stay there.
Targeting: the superpower
Salt lets you aim commands precisely — by glob (web*), by grain (-G 'os:Ubuntu'), by subnet, or by custom node groups. This is how you patch in waves or push a change only to one role, instead of all-or-nothing.
Salt vs the other config tools
| Tool | Model | Language | Standout |
|---|---|---|---|
| Salt | Master + minions (agent) | YAML + Jinja | Very fast event bus; remote execution |
| Ansible | Agentless (SSH) | YAML | Simplest to start, no agents |
| Puppet | Master + agent (pull) | Puppet DSL | Mature, strong reporting |
| Chef | Server + agent (pull) | Ruby | Powerful, code-first |
Common pitfalls
- Unaccepted minion keys — minions won't respond until you
salt-key -Aon the master. - Closed ports — 4505/4506 must be reachable master→minions.
- Putting secrets in states — use Pillars for secrets; states are world-readable on the master.
- No targeting discipline — test on a subset (
-G/ node groups) before'*'.
When to choose Salt
Pick Salt when you need speed at scale and want both remote execution and config management in one tool — large fleets, real-time orchestration, event-driven automation (reactors). If you want zero agents and the simplest start, Ansible may fit better; Salt's edge is raw speed and its event-driven model.
Key takeaways
- Salt = remote execution + config management on a fast, encrypted master↔minion bus.
- Core pieces: grains (facts), pillars (secure data), states (desired config), top file (mapping).
- Use it imperatively (
salt '*' ...) and declaratively (state.apply); target precisely by glob/grain/group. - Open 4505/4506, accept minion keys, keep secrets in Pillars, and test on subsets first.
Frequently asked questions
What's the difference between grains and pillars?
Grains are static facts about a minion (OS, CPU) gathered on the minion; pillars are secure data assigned to minions from the master (secrets, config). Target with grains; store sensitive values in pillars.
Is Salt agent-based?
Typically yes (minions), though Salt also supports an agentless SSH mode (salt-ssh) for hosts you can't install an agent on.
How is Salt faster than the others?
Its persistent, encrypted message bus pushes commands to minions in near real time, instead of each node polling on a schedule.
Salt or Ansible?
Ansible for agentless simplicity and quick adoption; Salt for speed at large scale and event-driven orchestration.
Learn the bus, master targeting, and split your work into remote-execution one-liners and declarative states — and Salt will manage two servers or twenty thousand with the same speed.