SaltStack Config system architecture


Most users find it helpful to understand what SaltStack Config is and how it works before they begin the installation process. This page provides a high-level overview of the SaltStack Config system architecture and its different components.


As part of VMware’s initiative to remove problematic terminology, the term Salt master will be replaced with Salt controller in SaltStack Config and related products and documentation. This terminology update may take a few release cycles before it is fully complete.

What is SaltStack Config?

SaltStack Config is powered by Salt, an open-source configuration management and orchestration system. If you are new to Salt and are unfamiliar with how it works, see Salt system architecture.

SaltStack Config extends Salt’s automated, event-driven configuration management platform by providing additional features, such as:

  • Role-based access controls - Ensures that network engineers only have access to the resources and jobs that are necessary to fulfill their specific work responsibilities.
  • A user-friendly interface - In addition to the ability to execute commands from the command line, SaltStack Config also provides a graphical user interface for ease of use.
  • Security automation - Optional add-ons bringing you automated vulnerability remediation and continuous compliance for hybrid IT systems.

The SaltStack Config system architecture

The following diagram shows the primary components of the basic SaltStack Config architecture that are relevant to installation:


The following sections describe the core components of the SaltStack Config architecture.

Salt masters and the Master Plugin

The master is the main connection between SaltStack Config and the rest of the nodes on your network (the minions). When you issue a command from SaltStack Config (such as a job), the command goes to the master for distribution to the targeted minions.

The Master Plugin is installed on the master. It allows the master to communicate with the SaltStack Config backend server, the RaaS node. The Master Plugin allows the master to access jobs or processes initiated by SaltStack Config, as well as external files and pillar data that are stored on the PostgreSQL database.

The plugin integrates with the existing extension points provided by Salt. For example, job returns are collected using a master-side Salt external job cache, and the RaaS file server uses a Salt fileserver plugin.


You can connect more than one master to SaltStack Config. Each master that connects to SaltStack Config needs to have the Master Plugin installed.


RaaS, which stands for Returner as a Service, is the central component in SaltStack Config. In fact, when some people refer to SaltStack Config itself, they are often talking about RaaS.

RaaS provides RPC endpoints to receive management commands from the SaltStack Config user interface, as well as RPC control endpoints to interface with connected masters. All communication is sent using RPC API calls over WebSockets or HTTP(s).

SaltStack Config user interface

The SaltStack Config user interface is a web application that provides the graphical user interface front end for RaaS. Though SaltStack Config is API-first, the user interface interfaces directly with the API (RaaS) to enable simple management of all systems in your environment. Different workspaces provide users with the ability to manage minions, users, roles, jobs, and more.

PostgreSQL Database

RaaS uses a PostgreSQL database to store minion data, job returns, event data, files and pillar data, local user accounts, as well as additional settings for the user interface.

Redis Database

RaaS uses a Redis database to store certain types of data in temporary storage, such as cached data. It also uses temporary data storage to distribute queued work to background workers.

SaltStack SecOps

vRealize Automation SaltStack SecOps is an add-on to SaltStack Config that harnesses event-driven automation technology to deliver security compliance and vulnerability remediation. It provides the following types of content:

  • Compliance - Automated compliance detection and remediation for your infrastructure. The compliance content library consists of industry best-practice security and compliance content, such as CIS.
  • Vulnerability - Manages vulnerabilities on all the systems in your environment. Its content library includes advisories based on the latest Common Vulnerabilities and Exposures (CVE) entries.

In contrast with the standalone SaltStack Config architecture, SaltStack SecOps includes regularly-updated content and can support custom compliance content. Customers can automatically or manually download new content as it is developed and released.

Differences in system architecture by installation scenario

SaltStack Config supports two core installation scenarios, which results in two different system architectures.

In the single-node installation scenario, a Salt master, SaltStack Config, a Redis database, and a PostgreSQL database all run on the same node.

In the multi-node installation scenario, a Salt master, SaltStack Config, a Redis database, and a PostgreSQL database are distributed across at least two nodes. Each service could run on a separate node, or you can combine two or more services on a given node.

It is possible to set up multiple masters or multiple RaaS nodes. High availability requirements may require consultation services.

For more information about the installation scenarios, see Installation overview.