Salting your LXC Container Fleet
Saltstack is an awesome configuration management system that can make managing 10 to 10,000 servers very simple. Salt can be used to deploy, manage, configure, report around, and even troubleshoot all of your servers. It can also be used to manage a fleet of LXC containers which we will be doing in this blog post. If you have been reading this blog, you know that I love Linux Containers. I am using them for pretty much anything these days. Salt is a great way to keep track of and manage all of these containers. On my main server, I have three containers that are running various applications. In order to update the packages on these containers I would have to log into each one, and run apt-get update and apt-get upgrade. This is not so bad for three containers, but you can imagine how annoying and cumbersome this gets as your container lists grows. This is where salt comes to the rescue, with salt I can update all of these containers with a single command. The official Salt Walkthrough is a great place to start to learn about how Salt works. This short post will show you how to set up a small salt configuration on a single server that is hosting several containers. All of my containers are pretty boring because they run Ubuntu 14.04. The best part about salt is that it is really OS agnostic and can manage a diverse fleet of different versions and types of operating systems. For this post, my host and all of my LXC containers are running Ubuntu 14.04 LTS Salt works by having a master that manages a bunch of minions. Setting up salt master is a breeze. For the purpose of this blog post, we refer to the master as being your host server and the minions as being your LXC containers.
Setting up Salt Master
On your host server you will need to install salt master. First we will need to add the saltstack repo to our repository list:sudo add-apt-repository ppa:saltstack/salt
sudo apt-get update sudo apt-get install salt-master
netstat -plntu | grep python to see which port(s) it is currently running on.
Setting up your Firewall
One thing I ran into during the installation was getting the firewall working. This is all running on a Linode, and I used Linode’s Securing Your Server guide to set up my firewall. If you have a similar setup you can add the following lines to /etc/iptables.firewall.rules to allow the minions to communicate with the master.# Allow Minions from these networks -I INPUT -s 10.0.3.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPTAllow Salt to communicate with Master on the loopback interface
-A INPUT -i lo -p tcp -m multiport –dports 4505,4506 -j ACCEPT
Reject everything else
-A INPUT -p tcp -m multiport –dports 4505,4506 -j REJECT
sudo iptables-restore < /etc/iptables.firewall.rules
Setting up your Minions
Once your master is set up, running, and allows minions through the firewall we can set up the minions. Since LXC is a pretty barebones system we will need to install a couple of prerequisites first to get everything working. First we want to log into our container. I usually run the containers in a screen session so it would look something like this.screen -dRR container1 lxc-attach -n container1
sudo apt-get install software-properties-common sudo add-apt-repository ppa:saltstack/salt sudo apt-get update sudo apt-get install salt-minion
/etc/hosts configuration. If you are not sure what the IP address of the master is you can run ip a | grep ineton the master and look for the IP address that starts with a 10.
vim /etc/hosts # Now add the master IP 10.0.3.1 salt
/etc/init.d/salt-minion start
salt-key -Ain order to accept the key from your minion. You should see the name of your container pop up and you will want to say ‘Y’ to accept its key. You can test to see that everything is working by running:
salt '*' test.ping
hci: True git: True usel: True
Thank you for reading! Share your thoughts with me on bluesky, mastodon, or via email.
Check out some more stuff to read down below.
Most popular posts this month
- 2024
- Setting up ANTLR4 on Windows
- My Custom Miniflux CSS Theme
- SQLite DB Migrations with PRAGMA user_version
- Ten Years of Dreaming of San Francisco
Recent Favorite Blog Posts
This is a collection of the last 8 posts that I bookmarked.
- Fedora Magazine: Contribute to Fedora 44 KDE and GNOME Test Days from Fedora People
- Pluralistic: bunnie's piggyback hack (09 Jan 2026) from Pluralistic: Daily links from Cory Doctorow
- Clicks Communicator from Chris Hannah
- A Year Of Vibes from Armin Ronacher's Thoughts and Writings
- Pluralistic: A perfect distillation of the social uselessness of finance (18 Dec 2025) from Pluralistic: Daily links from Cory Doctorow
- Moving from WordPress to Substack from charity.wtf
- Grow, Like a Tree Not a Cancer from Jim Nielsen’s Blog
- Pluralistic: All the books I reviewed in 2025 (02 Dec 2025) from Pluralistic: Daily links from Cory Doctorow
Articles from blogs I follow around the net
Announcing Live AI & Design Systems Jam Sessions!
Ian, TJ, and I are excited to announce live AI & Design Systems Jam Sessions with our AI & Design Systems course community! Our first jam session will be Thursday, February 26 at 10AM ET. In these recurring biweekly Zoom […]
via Blog – Brad Frost February 16, 2026I Sold Out for $20 a Month and All I Got Was This Perfectly Generated Terraform
Until recently the LLM tools I’ve tried have been, to be frank, worthless. Copilot was best at writing extremely verbose comments. Gemini would turn a 200 line script into a 700 line collection of gibberish. It was easy for me to, more or less, ignore LLM…
via matduggan.com February 16, 2026Pluralistic: The online community trilemma (16 Feb 2026)
Today's links The online community trilemma: Reach, community and information, pick two. Hey look at this: Delights to delectate. Object permanence: Bruces x Sony DRM; Eniac tell-all; HBO v PVRs; Fucking damselflies; Gil Scout Cookie wine-pairings; Bi…
via Pluralistic: Daily links from Cory Doctorow February 16, 2026Generated by openring