Pillars of Salt system

Pillars are tree-like structures of data defined on the Salt Master and passed through to minions. They allow confidential, targeted data to be securely sent only to the relevant minion. Pillar data is useful for:

Highly Sensitive Data

Information transferred via pillar is guaranteed to only be presented to the minions that are targeted, making Pillar suitable for managing security information, such as cryptographic keys and passwords.

Minion Configuration

Minion modules such as the execution modules, states, and returners can often be configured via data stored in pillar.


Variables which need to be assigned to specific minions or groups of minions can be defined in pillar and then accessed inside sls formulas and template files.

Arbitrary Data

Pillar can contain any basic data structure in dictionary format, so a key/value store can be defined making it easy to iterate over a group of values in sls formulas.

Pillar is therefore one of the most important systems when using Salt.

Salt Pillar system

Default Pillar tree

Pillar data is managed in a similar way as the Salt State Tree. The Salt master maintains a pillar_roots setup that matches the structure of the file_roots used in the Salt file server. Like the Salt file server the pillar_roots option in the master config is based on environments mapping to directories. The pillar data is then mapped to minions based on matchers in a top file which is laid out in the same way as the state top file. Salt pillars can use the same matcher types as the standard top file.

    - /srv/salt/pillar

This example configuration declares that the base environment will be located in the /srv/salt/pillar directory. It must not be in a subdirectory of the state tree.

The top file /srv/salt/pillar/top.sls used matches the name of the top file used for States, and has the same structure:

    - common_pillar

And the actual pillar file at /srv/salt/pillar/common_pillar.sls:

foo: bar
boo: baz

If the same pillar key is defined in multiple pillar SLS files, and the keys in both files refer to nested dictionaries, then the content from these dictionaries will be recursively merged.

External Pillar backends

Salt provides a mechanism for generating pillar data by calling external pillar interfaces. The external pillars that are called when a minion refreshes its pillars is controlled by the ext_pillar option in the Salt master configuration:

  - example_a: some argument
  - example_b:
    - argumentA

etcd pillar backend

In order to use an etcd server, a profile must be created in the master configuration file:

    etcd.port: 4001

After the profile is created, configure the external pillar system to use it. Optionally.

  - etcd: my_etcd_config

reclass pillar backend

This ext_pillar plugin provides access to the reclass database, such that Pillar data for a specific minion are fetched using reclass.

  - reclass:
        storage_type: yaml_fs
        inventory_base_uri: /srv/salt

reclass assumes a node-centric perspective into your inventory. This is obvious when you query reclass for node-specific information, but it might not be clear when you ask reclass to provide you with a list of groups. In that case, reclass loops over all nodes it can find in its database, reads all information it can find about the nodes, and finally reorders the result to provide a list of groups with the nodes they contain.

Since the term “groups” is somewhat ambiguous, it helps to start off with a short glossary of reclass-specific terminology:

reclass concepts
Concept Description
Node A node, usually a computer in your infrastructure
Class A category, tag, feature, or role that applies to a node Classes may be nested, i.e. there can be a class hierarchy
Application A specific set of behaviour to apply
Parameter Node-specific variables, with inheritance throughout the class hierarchy.

A class consists of zero or more parent classes, zero or more applications, and any number of parameters. A class name must not contain spaces. A node is almost equivalent to a class, except that it usually does not (but can) specify applications.

When reclass parses a node (or class) definition and encounters a parent class, it recurses to this parent class first before reading any data of the node (or class). When reclass returns from the recursive, depth first walk, it then merges all information of the current node (or class) into the information it obtained during the recursion.

Furthermore, a node (or class) may define a list of classes it derives from, in which case classes defined further down the list will be able to override classes further up the list.

Lab: Create simple Salt pillar

Pillar data is managed in a similar way as the Salt State tree. The Salt master maintains a pillar_roots setup that matches the structure of the file_roots used in the Salt file server.

Create Salt master configuration file /etc/salt/master.d/pillar.conf with following content to enable basic pillar engine:

    - /srv/salt/pillar

This configuration declares that the base environment will be located in the /srv/salt/pillar directory.

Now create pillar top file /srv/salt/pillar/top.sls on cfg01 node:

    - common
    - apache

And the create pillar file at /srv/salt/pillar/common.sls on cfg01 node containing common server parameters:

  time_zone: Europe/Prague
  data_center: prg01
  environment: stg
      version: latest
      version: latest

And then create apache pillar file at /srv/salt/pillar/apache.sls on cfg01 node containg apache2 specific configuration parameters:

      - wsgi_module
        type: redirect

Now you can test the content of your pillar data for all nodes in your infrastructure:

cfg01# salt '*' pillar.items