Decision Lab Acquired by Optiv Security

Expanded Cyber Security Services and Solutions

Learn More
02 Mar 2016
Deploying Nginx to Digital Ocean with Salt Cloud
Written By Drew Malone

Deploying Nginx to Digital Ocean with Salt Cloud

Salt is more than configuration management. In this post, we’ll show you how Salt allows you to command and control your cloud infrastructure. For this demonstration, we’ll show how you can manage droplets in Digital Ocean.

While Salt (and Salt Cloud) support the most popular operating systems, we’ll be using CentOS 7 for this exercise.

Salt Cloud Explained

Just as Salt allows you to codify your infrastructure, Salt Cloud lets you codify your deployment footprint in a cloud of your choice. The number of supported clouds is, in a word, staggering. For this post, however, we’ll be using Digital Ocean.

If you’re following along with us, we recommend making yourself a droplet on Digital Ocean (or the public cloud of your choice) and working with that VM.


A provider is, in short, the cloud provider plus some details. In this case, it is the combination of “Digital Ocean” plus the region of our choice. For our example, we’ll be using New York 3


A profile defines the footprint of a single VM - image plus size. There are many other options we can add in here but, for now, we’ll keep things simple.

Gathering the Ingredients

Let’s gather all the information needed to successfully deploy our Droplet.

Installing Salt Cloud

The best place to go for the latest instructions is Saltstack’s documentation. However, here’s a quick copy/paste for you:

rpm --import
cat >/etc/yum.repos.d/saltstack.repo<<EOL
# Enable SaltStack's package repository
name=SaltStack repo for RHEL/CentOS 7

yum clean expire-cache

yum install -y salt-master salt-cloud
systemctl start salt-master

Personal Access Token

Programmatic access to Digital Ocean requires a Personal Access Token. You can generate one in the settings panel of your account. Once created, keep a note of it. For this demonstration, we’ll assume a fictional token of superspecialtoken.


You’ll need to define the SSH key you want Salt Cloud to use when it logs into newly-created droplets. Head over to your account’s security section of the settings and add this key.

For this demonstration, we’ll assume that the key has a name of salt-cloud-demo in the Digital Ocean panel.

This key needs to not be encrypted because Salt Cloud will not decrypt your key for you.

Place the key in the location /etc/salt/digital-ocean.pem.

If you need help generating your SSH key, here are some hints. Remember to not enter a pass phrase as Salt Cloud cannot decrypt the key.

$ ssh-keygen -t rsa -f digital-ocean.pem
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in digital-ocean.pem.
Your public key has been saved in
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
|..oo   .         |
|..+ . . .        |
|.= . . +         |
|o E   . o        |
|.o     oS        |
|o     .o=        |
|    . =+ .       |
|     = ..        |
|    . ..         |

mv digital-ocean.pem /etc/salt/.
chmod 600 /etc/salt/digital-ocean.pem

You want to paste the contents of into the panel in your security settings.


The easiest way to find the regions available is by just going to Digital Ocean’s status page and viewing the list there. For this exercise, we’ll be using New York 3

Define Your Provider

Create a file at /etc/salt/cloud.providers.d/digital-ocean.conf with the following contents:

  driver: digital_ocean
  personal_access_token: superspecialtoken
  location: New York 3
  ssh_key_name: salt-cloud-demo  ### Remember, this is the name in the Digital Ocean panel in your browser
  ssh_key_file: /etc/salt/digital-ocean.pem

Image ID

For Digital Ocean, you can supply the ‘slug’. The simplest way to find this is to ask Salt Cloud to fetch a list of images and redirect that output to a text file, where you can search for your favorite image.

salt-cloud --list-images digital-ocean-nyc3 > do-images.txt

As an example, here’s the relevant section for the CentOS 7 image.

        7.1 x64
        [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1']

This means we’ll be using centos-7-0-x64 as our image ID.


Again, we can ask Salt Cloud to fetch a list of sizes.

salt-cloud --list-sizes digital-ocean-nyc3

Here’s the section for their 512MB size:

        [u'ams1', u'ams2', u'ams3', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sgp1', u'tor1']

We will be using the 512mb size for this exercise.

Define Your Profile

Now that we have everything for our profile, make a file at /etc/salt/cloud.profiles.d/digital-ocean.conf

  # NOTE: This needs to be your real master's IP

  provider: digital-ocean-nyc3
  image: centos-7-0-x64
  size: 512mb
  location: New York 3
  ssh_username: root
  private_networking: False
  ipv6: False

Protip: Many options that we put here in the profile (such as ssh_username and private_networking can, instead, be put in the provider config file. Doing that will apply those options to all profiles that fall under that provider.

Deploying Your Droplet

Now that your provider and profile are configured, you’re ready to start launching droplets from the command line.

salt-cloud -p do-centos-7.0 salt-cloud-demo-01

Protip: With this command, Salt Cloud will attempt to bootstrap a Salt minion onto the new droplet (this is incredibly powerful for hands-free deployments). However, if you want to disable this behavior, add --no-deploy to the end of the command.

You should now have a new droplet in Digital Ocean with a Salt minion on it.

[root@salt-cloud-master-01 salt]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:

[root@salt-cloud-master-01 salt]# salt '*'

Salting the Nginx Install

Arguably the best way to install Nginx on CentOS is to use the repo that Ngninx maintains. That means we need to do two things:

1) Configure a Yum repo for the Nginx repository. 2) Install Nginx

Let’s work on #1.

By default, Salt stores state files in /srv/salt. Make a directory /srv/salt/yum and write the state file to configure the Nginx Yum repo.

mkdir -p /srv/salt/yum
    - humanname: nginx repo
    - baseurl:$releasever/$basearch/
    - gpgcheck: 0
    - enabled: 1

Great! Now on to #2.

Make a directory /srv/salt/nginx and write the state file to install Nginx.

mkdir -p /srv/salt/nginx
# /srv/salt/nginx/install.sls
  - yum.nginx

    - name: nginx

    - name: nginx
    - require:
      - pkg: install-nginx

We’re telling Salt to be sure to configure our Yum repository before attempting to install Nginx. After that’s done, we tell Salt to start Nginx for us. Let’s see if it works.

salt salt-cloud-demo-01 state.sls nginx.install

It will take a moment to return. When it does, you should see something like this:

Summary for salt-cloud-demo-01
Succeeded: 3 (changed=3)
Failed:    0
Total states run:     3

When that’s finished, visit your droplets IP in your browser. You can find your droplet’s IP with:

salt salt-cloud-demo-01 network.ip_addrs


Cleaning up

When you’re all done with your droplet, you can delete it with:

salt-cloud -d salt-cloud-demo-01

In Review

This is a lot of work just to install Nginx, yes. But what we’ve built for ourselves here is a platform. Don’t want to use Nginx? Want to use Apache httpd? Change out your automation. Want to use Ubuntu instead of CentOS? Change the OS image you’re using.

The point here isn’t just to install Nginx. The point here is to build a foundation from which you can quickly deploy systems and have them build & configure themselves. To see more about deploying and configuring multiple droplets, see How To Use Salt Cloud Map Files to Deploy App Servers and an Nginx Reverse Proxy.

Remember, the more things you can get the machine to do for you, the more time you have to work on the stuff that matters.