Learn Salt

Salt Cheat Sheet.

Every Salt command worth knowing, organized by category. The 60-ish you'll actually run.

Cmd+D this page. You'll be back.

v1.0 · Updated 2026-05-09

Vibe check
salt '*' test.ping
salt '*' test.version
salt --versions-report

The "is anyone home?" set. First thing you run, every session.

Keys
salt-key -L              # list everything
salt-key -A              # accept all pending
salt-key -a my-minion    # accept just one
salt-key -d old-minion   # delete

Key lifecycle, no drama.

Targeting
salt 'web1' …                    # exact
salt 'web*' …                    # glob
salt -G 'os:Windows' …           # grain
salt -L 'web1,web2' …            # list
salt -C 'web* and G@env:prod' …  # compound

Five ways to pick a target. Compound (-C) is overkill until it isn't.

Run anything
salt '*' cmd.run 'uptime'
salt 'web*' cmd.run 'systemctl status nginx'
salt '*' test.version --async

Fleet-wide shell. Use sparingly — states are better.

Apply states
salt '*' state.highstate
salt 'web*' state.apply nginx
salt '*' state.highstate test=True   # dry run!
salt '*' state.show_sls nginx        # peek at compiled

test=True is your friend. Always dry-run first in prod.

Inspect facts
salt '*' grains.items
salt '*' grains.get os
salt '*' pillar.items
salt '*' saltutil.refresh_pillar
salt '*' saltutil.sync_grains

Grains = host facts (from the minion). Pillar = your data (from the master).

Packages
salt '*' pkg.install nginx
salt '*' pkg.upgrade
salt '*' pkg.list_upgrades
salt '*' pkg.remove nginx
salt '*' pkg.purge nginx           # pkg + config

Same command on RHEL, Debian, Windows. Cross-OS magic.

Services
salt '*' service.status nginx
salt '*' service.start nginx
salt '*' service.restart nginx
salt '*' service.stop nginx
salt '*' service.available nginx

systemctl, but for the whole fleet.

Network
salt '*' network.ip_addrs
salt '*' network.connect google.com port=53
salt '*' network.dig saltify.work
salt '*' network.default_route
salt '*' network.interface eth0

Quick fleet-wide network sanity. Saved me hours when DNS was lying.

Jobs
salt-run jobs.active                 # running NOW
salt-run jobs.list_jobs              # history
salt-run jobs.lookup_jid 20240101...
salt 'minion' saltutil.kill_job <jid>

Async ran sideways? Find it. Kill it.

Debug
salt-master -l debug                 # foreground
salt-minion -l debug
salt-run state.event pretty=True     # tail event bus
salt '*' saltutil.clear_cache
salt '*' saltutil.sync_all           # nuclear

When stuff is weird. state.event pretty=True on the master is the first window you open.

Discover
salt '*' sys.doc                     # EVERYTHING
salt '*' sys.doc pkg                 # one module
salt '*' sys.list_modules
salt '*' sys.list_functions
salt-call sys.list_state_modules

Built-in docs. Lazier than Googling.

System
salt '*' status.uptime
salt '*' system.reboot               # the big red button
salt 'web*' system.shutdown 5

Reboot the fleet. Test on one box first. Always.

Schedule
salt '*' schedule.add nightly_pull \
  function='cmd.run' \
  job_args="['git -C /srv/salt pull']" \
  hours=24
salt '*' schedule.list
salt '*' schedule.disable_job nightly_pull

Cron-style scheduling without leaving Salt.

HTTP
salt-run http.query https://api.github.com/zen
salt '*' http.query http://example.com/ \
  method=POST params='k=v'

Lightweight HTTP from inside Salt. Useful for webhooks and health checks.

Local mode
salt-call --local state.apply test=True
salt-call --local grains.items
salt-call --local pkg.install nginx

Run from the minion alone, no master. Master's down? You're not stuck.

Pro tips

The non-obvious stuff that saves hours.

Tip 01

test.ping returns nothing? Check salt-key -L first. New minion = unaccepted key = silent treatment. Salt won't yell at you.

Tip 02

Always run states with test=True in prod. Salt prints what it would change. Catch typos before they hit your fleet.

Tip 03

Master down? salt-call --local state.apply runs straight from the minion. No master, no waiting. Useful when you're rebuilding the master itself.

Tip 04

Edit pillar, run salt '*' saltutil.refresh_pillar. Without it, minions cache the old data and you'll wonder why your change didn't land.

Tip 05

Forget a module's options? salt '*' sys.doc <module> dumps every function and arg. Faster than Googling, no tab switch.

Tip 06

Two terminals open: one running your command, the other tailing salt-run state.event pretty=True. You see what Salt is actually doing in real time.

Further reading

When you hit the edges of this page.

Inspired by eon01's SaltStack Cheat Sheet, with our additions and field notes.