The Core Difference
Ansible = Agentless, push-based, YAML playbooks, SSH transport SaltStack = Agent-based, event-driven, YAML states, ZeroMQ transport
Ansible: SaltStack:
ββββββββββββ ββββββββββββ
β Control βββSSHβββΆ Node 1 β Master ββββZMQβββ
β Node βββSSHβββΆ Node 2 ββββββ¬ββββββ β
β(Playbook)βββSSHβββΆ Node 3 β ββββββ΄βββββ
ββββββββββββ ββββββΌβββββ β Minion β
β Minion β β N β
β 1 β βββββββββββ
βββββββββββSpeed and Scale
This is SaltStackβs biggest advantage:
| Metric | Ansible | SaltStack |
|---|---|---|
| 10 nodes | 5s | 3s |
| 100 nodes | 45s | 5s |
| 1,000 nodes | 8min | 8s |
| 10,000 nodes | 60min+ | 15s |
SaltStackβs ZeroMQ pub/sub executes commands on all minions simultaneously. Ansibleβs SSH is sequential per fork (default 5 forks, max ~50 practical).
Why the Speed Difference?
Ansible: Opens SSH connection β transfers Python modules β executes β returns result β next host SaltStack: Publishes command via ZeroMQ β all minions execute concurrently β return results via ZeroMQ
Configuration Examples
Package Installation
Ansible:
# playbook.yml
- hosts: webservers
become: true
tasks:
- name: Install nginx
ansible.builtin.dnf:
name: nginx
state: present
- name: Start nginx
ansible.builtin.systemd:
name: nginx
state: started
enabled: true
- name: Deploy config
ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
notify: Restart nginx
handlers:
- name: Restart nginx
ansible.builtin.systemd:
name: nginx
state: restartedSaltStack:
# /srv/salt/nginx/init.sls
nginx:
pkg.installed: []
service.running:
- enable: True
- watch:
- file: /etc/nginx/nginx.conf
/etc/nginx/nginx.conf:
file.managed:
- source: salt://nginx/files/nginx.conf
- template: jinja
- require:
- pkg: nginxApplying Configuration
# Ansible
ansible-playbook -i inventory playbook.yml --limit webservers
# SaltStack
salt 'web*' state.apply nginx
salt -G 'role:webserver' state.apply nginxEvent-Driven Automation
SaltStackβs reactor system responds to events in real-time:
# /etc/salt/master.d/reactor.conf
reactor:
- 'salt/minion/*/start':
- /srv/reactor/minion_start.sls
- 'salt/beacon/*/disk_usage':
- /srv/reactor/disk_alert.sls# /srv/reactor/disk_alert.sls
{% if data['usage'] > 90 %}
cleanup_disk:
local.state.apply:
- tgt: {{ data['id'] }}
- arg:
- disk_cleanup
{% endif %}Ansible has no equivalent real-time event system (Event-Driven Ansible / EDA is a separate product requiring AAP).
Targeting
Ansible uses inventory groups and patterns:
ansible webservers -m ping
ansible 'web*:&production' -m pingSaltStack uses grains, pillars, and compound targeting:
salt -G 'os:RedHat' test.ping
salt -C 'G@os:RedHat and G@role:web' state.apply
salt -N production_web state.applySecret Management
Ansible Vault:
ansible-vault encrypt secrets.yml
ansible-playbook site.yml --ask-vault-passSaltStack Pillar:
# /srv/pillar/secrets.sls (encrypted with GPG)
#!gpg|yaml
db_password: |
-----BEGIN PGP MESSAGE-----
...
-----END PGP MESSAGE-----When to Choose
Choose Ansible when:
- No agents allowed β strict security policies, DMZ hosts
- Simple infrastructure β under 500 nodes
- Multi-purpose β provisioning + config + deployment + networking
- Team familiarity β YAML is approachable for all skill levels
- Red Hat ecosystem β AAP, Tower/Controller, EDA, Lightspeed AI
- Network automation β Cisco, Juniper, Arista modules
- Cloud provisioning β AWS, Azure, GCP modules
Choose SaltStack when:
- Scale β 1,000+ nodes needing sub-second execution
- Real-time events β reactor-driven automation
- Remote execution β ad-hoc commands at massive scale
- Windows heavy β Salt minion works well on Windows
- Speed is critical β parallel execution across fleet
Consider Both:
Many organizations use Ansible for provisioning and orchestration but SaltStack for day-2 configuration at scale.
