Install Salt on Debian 13 Trixie
Salt is a configuration management tool. You can define your infrastucture as code, then control a huge number of Windows and Linux computers.
This short article shows how to install Salt on Debian 13-Trixie.
Too short summary at the end.
What You'll Learn
In this article, you'll
- Install Salt (for infra-as-code) on Debian 13-Trixie
- Learn how to install new repository for apt-get
A new repository for apt is needed, because salt is not available in Debian standard repositories.
By adding an apt repository, your new software updates automatically. Upgrades happen automated if you have unattended-upgrades package installed, or manually when you run 'sudo apt-get update; sudo apt-get dist-upgrade'.
New repository is 2 files
A new apt repository is just two files:
- PGP public key - we trust binaries when signature matches this key
- sources.list - URL where the binaries are downloaded (and where the public key is found locally)
Prerequisites
Install wget to download files
$ sudo apt-get update
$ sudo apt-get install wget
Verify repository files
Let's first collect and investigate the two files adding the repository. They are the public key for verifying the packages; and the sources.list file that gives the URL for downloading packages.
$ mkdir saltrepo/
$ cd saltrepo/
Download the two files. These URLs are from official Salt installation instructions
$ wget https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
$ wget https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.sources
Let's examine the files
$ less public # q quits less
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGNBGPazmABDAC6qc2st6/Uh/5AL325OB5+Z1XMFM2HhQNjB/VcYbLvcCx9AXsU
...
4QVLffuw76FanTH6advqdWIqtlWPoAQcEkKf5CdmfT2ei2wX1QLatTs=
=ZKPF
-----END PGP PUBLIC KEY BLOCK-----
It's a PGP public key. It's in ASCII armor, base64 - it's written in copy-pastable and printable letters.
$ less salt.sources
X-Repolib-Name: Salt Project
Description: Salt has many possible uses...
Enabled: yes
Types: deb
URIs: https://packages.broadcom.com/artifactory/saltproject-deb
Signed-By: /etc/apt/keyrings/salt-archive-keyring.pgp
Suites: stable
Components: main
This is the new format. Note that it says where the trusted PGP public has to be, "Signed-By". This is fingerprint that identifies the key
$ gpg --show-key --with-fingerprint public
pub rsa3072 2023-02-01 [SC]
1085 7FFD D3F9 1EAE 577A 21D6 64CB BC81 73D7 6B3F
uid Salt Project Packaging <saltproject-packaging@vmware.com>
sub rsa3072 2023-02-01 [E]
Trust and Install the Repository
By adding the key, we trust the project. This is a lot of trust. It's the same as installing any piece of software from them system-wide. Effectively, anyone who gets to install a binary in your system gets root/Administrator/SYSTEM level access.
$ sudo cp public /etc/apt/keyrings/salt-archive-keyring.pgp
$ sudo cp salt.sources /etc/apt/sources.list.d/
Install Salt
Now we should be able to install software from the new repository. 'sudo apt-get update' updates the list of what's available, and the other apt-get commands use this information.
$ sudo apt-get update
$ sudo apt-get install salt-minion salt-master
Test Salt
Let's test it
$ salt --version
salt 3007.8 (Chlorine)
What about a real salt command
$ sudo salt-call --local state.single file.managed /tmp/hellotero
file /tmp/hellotero created
Is it really there?
$ ls /tmp/hellotero
/tmp/hellotero
Yes. We have now succesfully installed Salt on Debian.
Too Short Summary
$ wget https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
$ wget https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.sources
$ sudo cp public /etc/apt/keyrings/salt-archive-keyring.pgp
$ sudo cp salt.sources /etc/apt/sources.list.d/
$ sudo apt-get update
$ sudo apt-get install salt-minion salt-master
What next
Subscribe Tero's Newsletter.
Read more about Salt.