Remote resource management

Salt SSH

Salt SSH is very easy to use: set up a basic roster file of the systems to connect to and run salt-ssh commands much as you would standard salt commands. While Salt SSH is not as fast as traditional SaltStack, it was still designed from the ground up to be fast and scalable. By preserving SaltStack’s high-performance design principles, Salt SSH sets the standard for agentless systems orchestration and automation.

Salt SSH

Python is required on the remote system (unless using the -r option to send raw ssh commands). On many systems, the salt-ssh executable will be in its own package, usually named salt-ssh. The Salt SSH system does not supersede the standard Salt communication systems; it simply offers an SSH-based alternative that does not require ZeroMQ and a remote agent. Be aware that since all communication with Salt SSH is executed via SSH, it is substantially slower than standard Salt with ZeroMQ.

Salt SSH Roster

The roster system in Salt allows for remote minions to be easily defined.

Simply create the roster file; the default location is /etc/salt/roster:

web1: 192.168.42.1

This is a very basic roster file where a Salt ID is being assigned to an IP address. A more elaborate roster can be created:

web1:
  host: 192.168.42.1 # The IP addr or DNS hostname
  user: jdoe         # Remote executions will be executed as this user
  passwd: foobar     # The password to use for login, if omitted, keys are used
  sudo: True         # Whether to sudo to root, not enabled by default
web2:
  host: 192.168.42.2

Note

sudo works only if NOPASSWD is set for user in /etc/sudoers: jdoe ALL=(ALL) NOPASSWD: ALL

Salt proxy minion

Proxy minions are a developing Salt feature that enables controlling devices that, for whatever reason, cannot run a standard salt-minion. Examples include network gear that has an API but runs a proprietary OS, devices with limited CPU or memory, or devices that could run a minion, but for security reasons, will not.

Salt proxy minion

Proxy minions are not an “out of the box” feature. Because there are an infinite number of controllable devices, you will most likely have to write the interface yourself. Fortunately, this is only as difficult as the actual interface to the proxied device. Devices that have an existing Python module (PyUSB for example) would be relatively simple to interface. Code to control a device that has an HTML REST-based interface should be easy. Code to control your typical housecat would be excellent source material for a PhD thesis.

Salt proxy-minions provide the ‘plumbing’ that allows device enumeration and discovery, control, status, remote execution, and state management.

Lab: Using Salt SSH

apt-get install salt-ssh

The roster system in Salt allows for remote SSH minions to be easily defined.

Note

See the Roster documentation for more details.

Simply create the roster file; the default location is /etc/salt/roster:

svc02: 172.10.10.102

This is a very basic roster file where a Salt ID is being assigned to an IP address. A more elaborate roster can be created:

svc02:
  host: 172.10.10.102 # The IP addr or DNS hostname
  user: root         # Remote executions will be executed as this user
  passwd: root       # The password to use for login, if omitted, keys are used
  sudo: True         # Whether to sudo to root, not enabled by default

Copy the SSH key to the minion node:

[email protected]:~# ssh-copy-id -i /etc/salt/pki/master/ssh/salt-ssh.rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with: ssh root@172.10.10.103 and check to make sure that only the key(s) you wanted were added.

[email protected]:~# salt-ssh '*' test.ping
Permission denied for host svc02, do you want to deploy the salt-ssh key? (password required): [Y/n]

[email protected]:~# salt-ssh '*' test.ping
svc02:
    True
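
An added example, not part of the original material or of Salt itself: a small Python check that parses the two roster layouts shown above and flags settings worth reviewing once key-based login works (a plaintext passwd, direct root login, and sudo, which per the note above depends on a NOPASSWD sudoers rule). The sample roster is constructed from this page's entries plus a hypothetical svc03; treating an omitted user as root is an assumption based on salt-ssh's default, and the function names are illustrative.

```python
import re

# Constructed sample mirroring the roster layouts shown on this page
# (svc03 is a hypothetical short-form entry added for illustration).
SAMPLE_ROSTER = """\
web1:
  host: 192.168.42.1
  user: jdoe
  passwd: foobar
  sudo: True
web2:
  host: 192.168.42.2
svc02:
  host: 172.10.10.102
  user: root
  passwd: root
  sudo: True
svc03: 172.10.10.103
"""

def parse_roster(text):
    """Parse the two roster shapes used above: 'id: host' and 'id:' + indented keys."""
    roster, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()    # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not line[0].isspace():                      # top-level Salt ID
            current = roster.setdefault(key, {})
            if value:                                  # short form: id: host
                current["host"] = value
        elif current is not None:                      # option under current ID
            current[key] = value
    return roster

def audit_roster(roster):
    """Return sorted (salt_id, finding) tuples for roster settings to review."""
    findings = []
    for salt_id, opts in roster.items():
        user = opts.get("user", "root")   # assumption: omitted user means root
        if "passwd" in opts:
            findings.append((salt_id, "plaintext passwd stored in roster"))
        if user == "root":
            findings.append((salt_id, "logs in directly as root"))
        elif opts.get("sudo", "").lower() == "true":
            findings.append((salt_id, "sudo enabled (needs NOPASSWD in sudoers)"))
    return sorted(findings)

if __name__ == "__main__":
    for salt_id, finding in audit_roster(parse_roster(SAMPLE_ROSTER)):
        print(f"{salt_id}: {finding}")
```

Entries that still carry passwd after ssh-copy-id has installed the key can have that line removed, since keys are used when it is omitted.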