Skip to content

VCF Salt (SSE) Install Guide – Air-Gapped

Overview

This guide walks through deploying a VCF Salt (SSE) environment using the offline installer bundle. The deployment consists of a Salt Master and a RaaS node, with services installed locally and configured via Salt highstate.

The process follows a simple flow:

  1. Prepare OS and install Salt components
  2. Configure Master and Minion relationships
  3. Prepare pillar and SSE installer content
  4. Execute highstate to deploy RaaS and services

All steps assume you are logged in as root on a fresh RHEL9/Rocky9 VMs with network and DNS already configured.

1. OS Preparation (All Nodes)

Update the system and install required packages.

dnf update -y

dnf install -y git java python39 openssl \
  python3-cryptography python3-pyOpenSSL \
  unzip pinentry tree rsync

2. Extract Installer Bundle (All VMs)

Download the installer bundle from https://support.broadcom.com and copy to the VMs and extract it.

mkdir -p /tmp/salt
scp VMware_Salt_RaaS-*.tar.gz /tmp/salt/

cd /tmp/salt
tar zxvf VMware_Salt_RaaS-*.tar.gz

3. Install Salt (Master Node)

Install Salt components from the bundle.

cd /tmp/salt/sse-installer

rpm -ivh salt-*.rpm salt-master-*.rpm salt-minion-*.rpm

Set minion ID to hostname:

hostname -s > /etc/salt/minion_id

Set master config to local:

cat <<'EOF' > /etc/salt/minion.d/master.conf
master:
  - localhost
EOF

Change master conf to have salt run as root and not the default salt user:

sed -i 's/^user: salt$/user: root/' /etc/salt/master

Enable and start services:

systemctl enable salt-master && systemctl start salt-master
systemctl enable salt-minion && systemctl start salt-minion

Accept the local minion key:

salt-key -A

4. Install Salt (RaaS Node)

Install Salt minion only:

cd /tmp/salt/sse-installer

rpm -ivh salt-*.rpm salt-minion-*.rpm

Set minion ID:

hostname -s > /etc/salt/minion_id

Point to master:

cat <<'EOF' > /etc/salt/minion.d/master.conf
master:
  - <salt-master-fqdn>
EOF

Start service:

systemctl enable salt-minion && systemctl start salt-minion

Once the salt-minion service is running on the RaaS node, make all future changes using Salt from the Salt master.

5. Accept RaaS Key (Master)

salt-key -A
salt '*' test.ping

6. Prepare SSE Content (Master Only)

Copy Salt and pillar content from installer:

mkdir -p /srv/salt /srv/pillar

cp -r /tmp/salt/sse-installer/salt/sse /srv/salt/
cp -r /tmp/salt/sse-installer/pillar/sse /srv/pillar/
cp /tmp/salt/sse-installer/pillar/top.sls /srv/pillar/
cp /tmp/salt/sse-installer/salt/top.sls /srv/salt/

7. Configure Pillar (SSE Settings)

Update Pillar Top File

Edit:

vim /srv/pillar/top.sls

Update only the server list at the top to include RaaS + Master minion IDs:

{% load_yaml as sse_servers %}
  - <raas-minion-id>
  - <master-minion-id>
{% endload %}

Remove any unused entries (pgsql, redis, extra eapi nodes, etc.)

Update SSE Settings File

Edit:

vim /srv/pillar/sse/sse_settings.yaml

Update Server Mapping

Set all backend services to the RaaS minion ID, and master separately.

servers:
  pg_server: <raas-minion-id>
  redis_server: <raas-minion-id>

  eapi_servers:
    - <raas-minion-id>

  salt_masters:
    - <master-minion-id>

Update Endpoints (RaaS FQDN/IP)

pg:
  pg_endpoint: <raas-fqdn-or-ip>

redis:
  redis_endpoint: <raas-fqdn-or-ip>

eapi:
  eapi_endpoint: <raas-fqdn-or-ip>

Refresh and Verify

salt '*' saltutil.refresh_pillar
salt '*' pillar.items | grep -E 'pg_server|redis_server|eapi_servers|salt_masters'

8. Install Required Python Packages

Install the Python packages required by the SSE plugin on the Salt Master.

Option A – Local PyPI Repository

If the environment has an internal PyPI repo, configure salt-pip to use it:

cat <<'EOF' > /opt/saltstack/salt/pip.conf
[global]
index-url = https://<pypi-host>/api/pypi/<repo>/simple
trusted-host = <pypi-host>
timeout = 60
EOF

Then install the required packages:

salt-pip install PyJWT pika pyspnego smbprotocol pypsexec

Option B – Offline / No PyPI Repository

If there is no local PyPI repo, copy the required wheel files to the Salt Master and install them locally.

Change to the wheel directory from the installer bundle:

cd /tmp/salt/sse-installer/pip/

Install the bundled dependencies:

salt-pip install PyJWT-*.whl
salt-pip install pika-*.whl
salt-pip install pyspnego-*.whl
salt-pip install smbprotocol-*.whl
salt-pip install pypsexec-*.whl

Install any additional wheel files required for your environment from the same directory.

Optional (GitFS backend only)

If you intend to configure Salt to use GitFS for pillar or state files you will also need the pygit2 package. Install it using salt-pip:

salt-pip install pygit2

Install the SSE Plugin Wheel

Change to the plugin wheel location:

cd /tmp/salt/sse-installer/salt/sse/eapi_plugin/files/

Install the plugin:

salt-pip install SSEAPE-*.whl

Verify

salt-pip list | grep -E 'pygit2|PyJWT|pika|pyspnego|smbprotocol|pypsexec|SSEAPE'

9. Refresh Salt Data

salt '*' saltutil.refresh_grains

10. Take VM Snapshots

Take snapshots of all nodes before applying highstate:

  • Salt Master
  • RaaS

Snapshot point is just before SSE deployment.

11. Run Highstate (RaaS First)

salt '<raas-minion-id>' state.highstate

Wait for completion.

12. Update RaaS Configuration

Append required settings to the RaaS config from the master.

Now that Salt is configured on the RaaS node, you don't need to SSH into it to make this change.

salt '<raas-minion-id>' cmd.run "cat <<'EOF' >> /etc/raas/raas

# Minion deployment settings
minion_deployment:
  max_minion_deployment_time: 3600

# Install minion from salt-master (air-gapped)
airgap_install: true

EOF"

Restart RaaS:

salt '<raas-minion-id>' service.restart raas

13. Run Highstate (Master)

salt '<master-minion-id>' state.highstate

14. Validate Deployment

Access RaaS UI:

https://<raas-fqdn>

Verify:

  • Masters appear under Administration → Master Plugins
  • Accept any pending keys if prompted
  • Minions responding

15. Prepare Minion Bundle Directories

Create required directories on the master:

mkdir -p /etc/salt/cloud.providers.d
mkdir -p /etc/salt/cloud.profiles.d
mkdir -p /etc/salt/cloud.deploy.d

16. Copy Minion Bundles

Copy the minion bundle archives to the master. Bundles are downloaded from Broadcom alongside the installer.

scp salt-*-windows*.tar.gz root@<master>:/etc/salt/cloud.deploy.d/
scp salt-*-redhat*.tar.gz root@<master>:/etc/salt/cloud.deploy.d/
scp salt-*-ubuntu*.tar.gz root@<master>:/etc/salt/cloud.deploy.d/

Verify:

ls -l /etc/salt/cloud.deploy.d/

17. Final Checklist

Confirm the following before handing over:

Salt Services

salt '*' test.ping
  • All minions respond (master + raas)

RaaS UI

  • Accessible via: https://<raas-fqdn>
  • Masters listed under Administration → Master Plugins
  • No pending key warnings (or accepted)

Pillar + SSE Mapping

salt '*' pillar.items | grep -E 'pg_server|redis_server|eapi_servers|salt_masters'
  • RaaS mapped as:
  • pg_server
  • redis_server
  • eapi_servers
  • Master mapped under salt_masters

Highstate Status

salt '<raas-minion-id>' state.apply test=True
salt '<master-minion-id>' state.apply test=True

No errors returned.

Minion Bundles

ls /etc/salt/cloud.deploy.d/
  • Required OS bundles present (windows / redhat / ubuntu as needed)

RaaS Config

salt '<raas-minion-id>' cmd.run "grep airgap_install /etc/raas/raas"
  • airgap_install: true present

See also