
Patching Linux VM using VMware SaltStack Config Management

This blog covers VM workload configuration management with SaltStack, which provides configuration management in addition to compliance and vulnerability capabilities for the workload.

Before we dive into how to use SaltStack config management functionalities, I will quickly share a bit more on VMware SaltStack. 

SaltStack, by default, comes as SaltStack Config, which helps maintain configuration and perform day 2 actions. Essentially, the benefit of SaltStack is native config management and self-healing configuration with event-driven automation and orchestration. It supports building and scheduling repeatable jobs for self-service automation. It also maintains large numbers of workloads and systems with fast, hyper-scale automation. SaltStack supports flexible control through agents, agentless operation, and API proxy agents.

For more details on SaltStack, please refer to the official VMware documentation.

I will cover a fully automated way of deploying a VM workload and installing the SaltStack Minion agent as part of the vRA Cloud Template.

Once the VM is deployed, SaltStack Config automatically accepts the VM key and makes the VM ready for config/compliance management.

Let us look at the vRA Cloud Assembly Cloud Template. In this Cloud Template, I have added a CloudConfig runcmd section to install the minion agent and set the VM metadata as Grains in SaltStack.

Let us deploy the Cloud Template and verify if SaltStack agents get installed on the VM workload. First, note the IP address assigned to the VM workload as part of the vRA Provisioning.

Let’s log in to the SaltStack UI and verify that the VM workload agent is present and accepted by SaltStack Config management.

Notice the VM workload is present in the SaltStack Config. It means SaltStack accepted the VM key in an automated fashion.

If the VM workload isn’t listed in SaltStack Config as in the screenshot above, check whether the CloudConfig code executed correctly as part of the vRA Cloud Template.

Notice I am connecting to the VM console to verify the VM provisioning CloudConfig execution record or output.

Now we have a VM workload deployed via vRA. In addition, SaltStack has accepted the VM workload into config management.

We will patch the VM workload OS using SaltStack Config. I will show a simple use case of OS patching here by executing ‘yum update -y’ in an automated fashion from SaltStack.

Think of a case where you have a hundred VM workloads that need to be patched at a particular time in one go.

Before we patch the VM workload OS, let us capture whether updates are pending on the VM workload by running ‘yum check-update’.

Notice we have multiple packages that can be updated.

Let’s look at the SaltStack Config ‘Salt State File – sls’ that I have created to execute the VM workload OS updates.

We will execute the above Salt State file against the minions on an on-demand or ad hoc basis. In this case, the minions are the VM workloads. Later we will see how to schedule such a configuration in a Job.

Specify the parameters highlighted below in the Run Command configuration. Note that the argument points to the Salt State File we created in the earlier step.

We can check the status of the Run Command execution under the Activity tab.

Once the execution is completed successfully, we can verify if the previously listed VM packages are updated successfully.

Notice there are no pending updates on the VM workload anymore.
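The state file and Run Command used in the steps above are not reproduced on this page, so here is an added example (not the author's file) of a state that performs the same OS update and records whether a reboot is pending. It assumes a hypothetical path `patching/os_update.sls` on the Salt file server, uses Salt's `pkg.uptodate` state in place of a raw `yum update -y` call, and the `reboot_required` grain name and the target expression are also assumptions.

```yaml
# patching/os_update.sls  (hypothetical path on the Salt file server)
#
# CLI equivalent of the on-demand run (target expression is an example):
#   salt -G 'os_family:RedHat' state.apply patching.os_update test=True   # dry run
#   salt -G 'os_family:RedHat' state.apply patching.os_update             # apply
# Assumption: in the SaltStack Config Run Command form this maps to the
# function state.apply with patching.os_update as the argument.

# Refresh repository metadata, then upgrade every installed package that has
# a newer version available. Same outcome as `yum update -y`, but the job
# return lists each package with its old and new version.
update_all_packages:
  pkg.uptodate:
    - refresh: True

# needs-restarting is provided by yum-utils on RHEL/CentOS.
yum_utils_installed:
  pkg.installed:
    - name: yum-utils

# `needs-restarting -r` exits non-zero when the updates require a reboot.
# `unless` runs this state only in that case, tagging the minion with a
# grain (name is an assumption) so it can be targeted for a later reboot.
flag_reboot_required:
  grains.present:
    - name: reboot_required
    - value: True
    - unless: needs-restarting -r
    - require:
      - pkg: update_all_packages
      - pkg: yum_utils_installed
```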

 
