Learn Salt

Salt Cheat Sheet.

Every Salt command worth knowing, organized by category. The 60-ish you'll actually run.

Cmd+D / Ctrl+D this page. Bookmark it now, save the search later.

v1.0 · Updated 2026-05-09

Vibe check
salt '*' test.ping
salt '*' test.version
salt --versions-report

Run these first, every session. They tell you which minions are responding.

Keys
salt-key -L              # list everything
salt-key -A              # accept all pending
salt-key -a my-minion    # accept just one
salt-key -d old-minion   # delete

Key lifecycle. Accept, list, delete.

Targeting
salt 'web1' …                    # exact
salt 'web*' …                    # glob
salt -E 'web\d+' …               # regex on minion ID
salt -G 'os:Windows' …           # grain
salt -P 'os:RedHat|CentOS' …     # PCRE on grain
salt -L 'web1,web2' …            # list
salt -I 'role:webserver' …       # pillar
salt -S '10.0.0.0/24' …          # subnet
salt -C 'web* and G@env:prod' …  # compound

Nine ways to pick a target. Reach for compound (-C) when you need to combine flavors.

Run anything
salt '*' cmd.run 'uptime'
salt 'web*' cmd.run 'systemctl status nginx'
salt '*' test.version --async

Fleet-wide shell. Useful for ad-hoc checks; prefer states for anything you'll run twice.

Apply states
salt '*' state.highstate
salt 'web*' state.apply nginx
salt '*' state.highstate test=True   # dry run!
salt '*' state.show_sls nginx        # peek at compiled

test=True is your friend. Always dry-run first in prod.

Inspect facts
salt '*' grains.items
salt '*' grains.get os
salt '*' pillar.items
salt '*' saltutil.refresh_pillar
salt '*' saltutil.sync_grains

Grains = host facts (from the minion). Pillar = your data (from the master).

Mine
salt '*' mine.update                          # publish my data
salt '*' mine.get '*' network.get_hostname    # all hostnames
salt '*' mine.get 'web*' network.ip_addrs     # web fleet IPs

Cross-minion data sharing. Minions publish via mine.update; anyone reads via mine.get. Useful when one minion needs another minion's grain or function output (e.g. all webserver IPs without a network scan).

Packages
salt '*' pkg.install nginx
salt '*' pkg.upgrade
salt '*' pkg.list_upgrades
salt '*' pkg.remove nginx
salt '*' pkg.purge nginx           # pkg + config

Same command on RHEL, Debian, and Windows. The pkg module dispatches to the right backend.

Services
salt '*' service.status nginx
salt '*' service.start nginx
salt '*' service.restart nginx
salt '*' service.stop nginx
salt '*' service.available nginx

Fleet-wide service control.

Network
salt '*' network.ip_addrs
salt '*' network.connect google.com port=53
salt '*' network.dig saltify.work
salt '*' network.default_route
salt '*' network.interface eth0

Quick fleet-wide network sanity. Useful when a host says it can reach a service but the app says it can't.

Jobs
salt-run jobs.active                 # running NOW
salt-run jobs.list_jobs              # history
salt-run jobs.lookup_jid 20260101...
salt 'minion' saltutil.kill_job <jid>

If an async job hangs, list it with jobs.active, look up its return with lookup_jid, and kill it with saltutil.kill_job.

Debug
salt-master -l debug                 # foreground
salt-minion -l debug
salt-run state.event pretty=True     # tail event bus
salt '*' saltutil.clear_cache
salt '*' saltutil.sync_all           # nuclear

When something's misbehaving, tail state.event pretty=True on the master first; it's the bus everything writes to.

Events
salt-call event.fire '{"key": "val"}' 'my/tag'    # local bus only
salt-call event.send 'my/tag' '{"key": "val"}'    # send to master

Push events onto the Salt event bus. Reactors on the master watch for matching tags and fire states or orchestrations in response. event.fire stays on the minion's local bus; event.send forwards to the master.

Discover
salt '*' sys.doc                     # EVERYTHING
salt '*' sys.doc pkg                 # one module
salt '*' sys.list_modules
salt '*' sys.list_functions
salt-call sys.list_state_modules

Built-in docs. Faster than a tab switch.

System
salt '*' status.uptime
salt '*' system.reboot               # the big red button
salt 'web*' system.shutdown 5

Reboot the fleet. Test on one box first.

Schedule
salt '*' schedule.add nightly_pull \
  function='cmd.run' \
  job_args="['git -C /srv/salt pull']" \
  hours=24
salt '*' schedule.list
salt '*' schedule.disable_job nightly_pull

Cron-style scheduling without leaving Salt.

HTTP
salt-run http.query https://api.github.com/zen
salt '*' http.query http://example.com/ \
  method=POST params='k=v'

Lightweight HTTP from inside Salt. Useful for webhooks and health checks.

Orchestrate
salt-run state.orchestrate orch.<sls>
salt-run state.orchestrate orch.<sls> test=True   # dry run
salt-run state.orchestrate orch.<sls> saltenv=prod

Run a multi-step state across the fleet from one place. The runner sequences salt.state / salt.function calls in order, with requisites between steps.

Local mode
salt-call --local state.apply test=True
salt-call --local grains.items
salt-call --local pkg.install nginx

Run from the minion without contacting the master. Useful when the master is down. State files must already be on the minion (typically /srv/salt).

Further reading

When you hit the edges of this page.

Inspired by eon01's SaltStack Cheat Sheet, with our additions and field notes.