SaltStack grains and pillar

The split between grains and pillar is one of the most important conceptual separations in Salt.

Grains

Grains are minion-side facts about a system. According to the Salt user guide, they cover things like operating system, kernel, interfaces, CPU architecture, and custom role-like attributes.

They are useful for targeting and templating because they answer questions such as:

  • What OS is this machine running?
  • Which init system is present?
  • Which role or environment should this host belong to?

Pillar

Pillar comes from the other direction. It is master-side data compiled for targeted minions and commonly used for configuration values, credentials, and environment-specific settings.

The user guide emphasizes that pillar data is encrypted per minion in transit, which is why it is commonly used for sensitive data and role-specific configuration.

Why the distinction matters

Salt becomes far easier to reason about when discovered facts and intended configuration are kept separate.

  • Grains answer: what is this machine?
  • Pillar answers: what should this machine receive?

That distinction is especially valuable in Linux operations because real fleets are rarely uniform. Roles, regions, storage classes, security profiles, and service variants all need structure.

Design cautions

  • Grain-driven targeting can become messy if host taxonomy is inconsistent, and because grains are reported by the minion itself, they should not be the only thing deciding which sensitive pillar data a host receives.
  • Pillar compilation can become expensive and complex in large deployments.
  • Pillar caching improves speed but introduces security and freshness trade-offs.
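As an added illustration (not from the Salt user guide and not Salt's own code), here is a miniature Python model of what the master does when it compiles pillar for one minion: walk a top file, apply each matching entry (by minion id glob or by a reported grain) and merge the selected pillar files. The minion ids, grains, pillar data and the two matcher kinds are constructed for the example; real Salt supports more matchers and merge strategies.

```python
import fnmatch
from copy import deepcopy

# Constructed sample data (not from a real Salt master).
# Grains come from each minion; pillar data lives on the master.
MINION_GRAINS = {
    "web-01": {"os_family": "Debian", "role": "web"},
    "db-01": {"os_family": "RedHat", "role": "db"},
}

PILLAR_FILES = {
    "common": {"ntp": {"servers": ["ntp.example.internal"]}},
    "web": {"nginx": {"worker_processes": 4}},
    "db": {"postgres": {"replication_password": "PLACEHOLDER-SECRET"}},
}

# Top-file entries: (matcher kind, pattern, pillar files).
# "glob" matches the minion id; "grain" matches key:value against
# the grains the minion reported.
TOP_FILE = [
    ("glob", "*", ["common"]),
    ("grain", "role:web", ["web"]),
    ("glob", "db-*", ["db"]),  # secret keyed to the id, not to a grain
]


def matches(kind, pattern, minion_id, grains):
    if kind == "glob":
        return fnmatch.fnmatch(minion_id, pattern)
    if kind == "grain":
        key, _, value = pattern.partition(":")
        return fnmatch.fnmatch(str(grains.get(key, "")), value)
    raise ValueError(f"unknown matcher kind: {kind}")


def merge(dst, src):
    """Recursive dict merge, a simplified stand-in for Salt's pillar merge."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            merge(dst[key], value)
        else:
            dst[key] = deepcopy(value)
    return dst


def compile_pillar(minion_id, grains):
    """Return the pillar this minion would receive, given its id and grains."""
    pillar = {}
    for kind, pattern, files in TOP_FILE:
        if matches(kind, pattern, minion_id, grains):
            for name in files:
                merge(pillar, PILLAR_FILES[name])
    return pillar
```

Compare what `compile_pillar("web-01", ...)` returns when the reported role is "web" versus "db": the grain-keyed `web` file follows the minion's own claim, while the id-keyed `db` file does not.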