Understanding “Salt” CLI syntax

Salt is very well structured. A very important functionality is represented by the execution modules. They are the main entry point into the Salt world. The execution modules are Python modules, and are very easy to read (and eventually write) by anyone with basic Python programming knowledge. Everything is linear, which makes them flexible and easy to understand; in general, they consist only of simple functions.

For the complete list of modules, refer to the Salt Module Index. Its respective Python repository can be found on GitHub.

Refer to the image below for the “salt” CLI syntax.

In this post, we will look at the most frequently used modules.

Grains Module

Function: “items”
Purpose: To collect all grains from the managed system.  

root@mrcissp-master-1:/# salt '*' grains.items
Router1:
    ----------
    cpuarch:
        x86_64
    dns:
        ----------
        domain:
        ip4_nameservers:
            - 8.8.8.8
        ip6_nameservers:
        nameservers:
            - 8.8.8.8
        options:
        search:
        sortlist:
    fqdns:
    gpus:
    host:
        192.168.200.1
    hostname:
        R1
    hwaddr_interfaces:
        ----------
        eth0:
            d2:32:87:c9:f2:8f
    id:
        Router1
    interfaces:
        - GigabitEthernet0/0
        - GigabitEthernet0/1
        - GigabitEthernet0/2
        - GigabitEthernet0/3
        - Loopback0
    kernel:
        proxy
    kernelrelease:
        proxy
    kernelversion:
        proxy
    locale_info:
        ----------
    machine_id:
        578962dbb63ae45b159330245dd26e77
    master:
        192.168.100.2
    mem_total:
        0
    model:
        IOSv
    nodename:
        mrcissp-minion-1
    num_gpus:
        0
    optional_args:
        ----------
        config_lock:
            False
        keepalive:
            5
    os:
        ios
    os_family:
        proxy
    osarch:
        x86_64
    osfinger:
        proxy-proxy
    osfullname:
        proxy
    osrelease:
        proxy
    osrelease_info:
        - proxy
    path:
        /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    ps:
        ps -efHww
    pythonexecutable:
        /usr/bin/python
    pythonpath:
        - /usr/local/bin
        - /usr/lib/python2.7
        - /usr/lib/python2.7/plat-x86_64-linux-gnu
        - /usr/lib/python2.7/lib-tk
        - /usr/lib/python2.7/lib-old
        - /usr/lib/python2.7/lib-dynload
        - /usr/local/lib/python2.7/dist-packages
        - /usr/lib/python2.7/dist-packages
    pythonversion:
        - 2
        - 7
        - 15
        - final
        - 0
    saltpath:
        /usr/local/lib/python2.7/dist-packages/salt
    saltversion:
        2019.2.2
    saltversioninfo:
        - 2019
        - 2
        - 2
        - 0
    serial:
        97277GPG1FLKXDX5WL1G0
    shell:
        /bin/sh
    uptime:
        240
    username:
        mrcissp
    vendor:
        Cisco
    version:
        IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)
    virtual:
        VMware
    zmqversion:
        4.3.2
wlc1:
    ----------
    cpuarch:
        x86_64
    dns:
        ----------
        domain:
        ip4_nameservers:
            - 8.8.8.8
        ip6_nameservers:
        nameservers:
            - 8.8.8.8
        options:
        search:
        sortlist:
    fqdns:
    gpus:
    hwaddr_interfaces:
        ----------
        eth0:
            d2:32:87:c9:f2:8f
    id:
        wlc1
    kernel:
        proxy
    kernelrelease:
        proxy
    kernelversion:
        proxy
    locale_info:
        ----------
    machine_id:
        578962dbb63ae45b159330245dd26e77
    master:
        192.168.100.2
    mem_total:
        0
    nodename:
        mrcissp-minion-1
    num_gpus:
        0
    os:
        proxy
    os_family:
        proxy
    osarch:
        x86_64
    osfinger:
        proxy-proxy
    osfullname:
        proxy
    osrelease:
        proxy
    osrelease_info:
        - proxy
    path:
        /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    ps:
        ps -efHww
    pythonexecutable:
        /usr/bin/python
    pythonpath:
        - /usr/local/bin
        - /usr/lib/python2.7
        - /usr/lib/python2.7/plat-x86_64-linux-gnu
        - /usr/lib/python2.7/lib-tk
        - /usr/lib/python2.7/lib-old
        - /usr/lib/python2.7/lib-dynload
        - /usr/local/lib/python2.7/dist-packages
        - /usr/lib/python2.7/dist-packages
    pythonversion:
        - 2
        - 7
        - 15
        - final
        - 0
    saltpath:
        /usr/local/lib/python2.7/dist-packages/salt
    saltversion:
        2019.2.2
    saltversioninfo:
        - 2019
        - 2
        - 2
        - 0
    shell:
        /bin/sh
    virtual:
        VMware
    zmqversion:
        4.3.2
mrcissp-minion-1:
    ----------
    SSDs:
    biosreleasedate:
        07/29/2019
    biosversion:
        6.00
    cpu_flags:
        - fpu
        - vme
        - de
        - pse
        - tsc
        - msr
        - pae
        - mce
        - cx8
        - apic
        - sep
        - mtrr
        - pge
        - mca
        - cmov
        - pat
        - pse36
        - clflush
        - mmx
        - fxsr
        - sse
        - sse2
        - ss
        - ht
        - syscall
        - nx
        - pdpe1gb
        - rdtscp
        - lm
        - constant_tsc
        - arch_perfmon
        - nopl
        - xtopology
        - tsc_reliable
        - nonstop_tsc
        - cpuid
        - pni
        - pclmulqdq
        - vmx
        - ssse3
        - fma
        - cx16
        - pcid
        - sse4_1
        - sse4_2
        - x2apic
        - movbe
        - popcnt
        - aes
        - xsave
        - avx
        - f16c
        - rdrand
        - hypervisor
        - lahf_lm
        - 3dnowprefetch
        - cpuid_fault
        - pti
        - ssbd
        - ibrs
        - ibpb
        - stibp
        - tpr_shadow
        - vnmi
        - ept
        - vpid
        - fsgsbase
        - smep
        - arat
        - flush_l1d
        - arch_capabilities
    cpu_model:
        Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
    cpuarch:
        x86_64
    disks:
        - loop1
        - sdb
        - loop6
        - loop4
        - sr0
        - loop2
        - loop0
        - loop7
        - sda
        - loop5
        - loop3
    dns:
        ----------
        domain:
        ip4_nameservers:
            - 8.8.8.8
        ip6_nameservers:
        nameservers:
            - 8.8.8.8
        options:
        search:
        sortlist:
    domain:
    fqdn:
        mrcissp-minion-1
    fqdn_ip4:
        - 127.0.1.1
    fqdn_ip6:
    fqdns:
    gid:
        0
    gpus:
    groupname:
        root
    host:
        mrcissp-minion-1
    hwaddr_interfaces:
        ----------
        eth0:
            d2:32:87:c9:f2:8f
    id:
        mrcissp-minion-1
    init:
        unknown
    ip4_interfaces:
        ----------
        eth0:
            - 192.168.100.3
        lo:
            - 127.0.0.1
    ip6_interfaces:
        ----------
        eth0:
            - fe80::d032:87ff:fec9:f28f
        lo:
            - ::1
    ip_interfaces:
        ----------
        eth0:
            - 192.168.100.3
            - fe80::d032:87ff:fec9:f28f
        lo:
            - 127.0.0.1
            - ::1
    ipv4:
        - 127.0.0.1
        - 192.168.100.3
    ipv6:
        - ::1
        - fe80::d032:87ff:fec9:f28f
    kernel:
        Linux
    kernelrelease:
        4.15.0-55-generic
    kernelversion:
        #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019
    locale_info:
        ----------
        defaultencoding:
            None
        defaultlanguage:
            None
        detectedencoding:
            ANSI_X3.4-1968
        timezone:
            unknown
    localhost:
        mrcissp-minion-1
    lsb_distrib_codename:
        bionic
    lsb_distrib_description:
        Ubuntu 18.04.3 LTS
    lsb_distrib_id:
        Ubuntu
    lsb_distrib_release:
        18.04
    machine_id:
        578962dbb63ae45b159330245dd26e77
    manufacturer:
        VMware, Inc.
    master:
        192.168.100.2
    mdadm:
    mem_total:
        3944
    nodename:
        mrcissp-minion-1
    num_cpus:
        4
    num_gpus:
        0
    os:
        Ubuntu
    os_family:
        Debian
    osarch:
        amd64
    oscodename:
        bionic
    osfinger:
        Ubuntu-18.04
    osfullname:
        Ubuntu
    osmajorrelease:
        18
    osrelease:
        18.04
    osrelease_info:
        - 18
        - 4
    path:
        /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    pid:
        4560
    productname:
        VMware Virtual Platform
    ps:
        ps -efHww
    pythonexecutable:
        /usr/bin/python
    pythonpath:
        - /usr/local/bin
        - /usr/lib/python2.7
        - /usr/lib/python2.7/plat-x86_64-linux-gnu
        - /usr/lib/python2.7/lib-tk
        - /usr/lib/python2.7/lib-old
        - /usr/lib/python2.7/lib-dynload
        - /usr/local/lib/python2.7/dist-packages
        - /usr/lib/python2.7/dist-packages
    pythonversion:
        - 2
        - 7
        - 15
        - final
        - 0
    saltpath:
        /usr/local/lib/python2.7/dist-packages/salt
    saltversion:
        2019.2.2
    saltversioninfo:
        - 2019
        - 2
        - 2
        - 0
    serialnumber:
        VMware-56 4d e4 6c d3 e5 53 d5-0c 20 c1 55 a4 0e b9 4e
    server_id:
        822305722
    shell:
        /bin/sh
    swap_total:
        924
    systemd:
        ----------
        features:
            +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid
        version:
            237
    uid:
        0
    username:
        root
    uuid:
        564de46c-d3e5-53d5-0c20-c155a40eb94e
    virtual:
        VMware
    virtual_subtype:
        Docker
    zfs_feature_flags:
        False
    zfs_support:
        False
    zmqversion:
        4.3.2

Note: When a device is managed by NAPALM, i.e. “Router1” in this case, additional grains are collected. Details of these grains can be found in the SaltStack documentation.

We can also observe that not many grains are found on the WLC, i.e. “wlc1”, for the following reasons:

  1. It is managed by “netmiko”
  2. By default, there is no existing module for grains collected by “netmiko”

Function: “get”
Purpose: To get the value of a given grain.
Argument: requested grain

root@mrcissp-master-1:/# salt '*' grains.get os
wlc1:
    proxy
Router1:
    ios
mrcissp-minion-1:
    Ubuntu
root@mrcissp-master-1:/# salt '*' grains.get master
wlc1:
    192.168.100.2
Router1:
    192.168.100.2
mrcissp-minion-1:
    192.168.100.2
root@mrcissp-master-1:/# salt '*' grains.get host
Router1:
    192.168.200.1
wlc1:
mrcissp-minion-1:
    mrcissp-minion-1
root@mrcissp-master-1:/#

Pillar Module

Function: “items”
Purpose: To collect all pillar data available to a Minion.

root@mrcissp-master-1:/# salt '*' pillar.items
Router1:
    ----------
    proxy:
        ----------
        driver:
            ios
        host:
            192.168.200.1
        passwd:
            Nvidia@123
        proxytype:
            napalm
        username:
            mrcissp
wlc1:
    ----------
    proxy:
        ----------
        device_type:
            cisco_wlc
        ip:
            192.168.241.2
        password:
            Nvidia@123
        proxytype:
            netmiko
        username:
            mrcissp
mrcissp-minion-1:
    ----------

Function: “get”
Purpose: To get the value of a given pillar.

root@mrcissp-master-1:/# salt '*' pillar.get proxy
wlc1:
    ----------
    device_type:
        cisco_wlc
    ip:
        192.168.241.2
    password:
        Nvidia@123
    proxytype:
        netmiko
    username:
        mrcissp
Router1:
    ----------
    driver:
        ios
    host:
        192.168.200.1
    passwd:
        Nvidia@123
    proxytype:
        napalm
    username:
        mrcissp
mrcissp-minion-1:
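
Both pillar functions print the proxy credentials (`passwd` for the NAPALM proxy, `password` for netmiko) in clear text on the master's terminal. The following is an added example, not part of the original post: a filter that masks such keys in saved `salt '*' pillar.items --out=json --static` output before it is logged or shared. The key-name pattern and the embedded sample (built from the output above, with the password replaced by a placeholder) are assumptions.

```python
import json
import re
import sys

# Key names treated as secret. Assumption: extend this for your own pillar layout.
SECRET_KEY = re.compile(
    r"(^|_)(pass(wd|word)?|secret|token|api_?key|community)$", re.IGNORECASE
)
MASK = "********"


def redact(node, path=()):
    """Return (copy of node with secret values masked, list of masked paths).

    Paths are colon-delimited, the same notation pillar targeting uses.
    """
    hits = []
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            here = path + (str(key),)
            if SECRET_KEY.search(str(key)) and value not in (None, "", {}, []):
                out[key] = MASK
                hits.append(":".join(here))
            else:
                out[key], sub = redact(value, here)
                hits.extend(sub)
        return out, hits
    if isinstance(node, list):
        out = []
        for index, item in enumerate(node):
            clean, sub = redact(item, path + (str(index),))
            out.append(clean)
            hits.extend(sub)
        return out, hits
    return node, hits


# Constructed sample shaped like the pillar.items output above (placeholder secrets).
SAMPLE = json.loads("""
{
  "Router1": {"proxy": {"driver": "ios", "host": "192.168.200.1",
                         "passwd": "EXAMPLE-ONLY", "proxytype": "napalm",
                         "username": "mrcissp"}},
  "wlc1": {"proxy": {"device_type": "cisco_wlc", "ip": "192.168.241.2",
                      "password": "EXAMPLE-ONLY", "proxytype": "netmiko",
                      "username": "mrcissp"}},
  "mrcissp-minion-1": {}
}
""")


def main(argv):
    # With a file argument, read saved JSON output; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1]) as handle:
            data = json.load(handle)
    else:
        data = SAMPLE
    clean, hits = redact(data)
    print(json.dumps(clean, indent=2, sort_keys=True))
    for hit in hits:
        print("masked:", hit, file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The masked paths written to stderr (for example `Router1:proxy:passwd`) show which pillar keys hold credentials.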

Test Module

Function: “ping”
Purpose: To verify connectivity from the Master to a Minion and to check that the Minion is configured properly.

root@mrcissp-master-1:/# salt '*' test.ping
wlc1:
    True
Router1:
    True
mrcissp-minion-1:
    True
root@mrcissp-master-1:/#

Netmiko Module

Function: “send_command”
Purpose: Execute command_string on the SSH channel using a pattern-based mechanism. Generally used for show commands. By default this method will keep waiting to receive data until the network device prompt is detected. The current network device prompt will be determined automatically.

root@mrcissp-master-1:/# salt wlc1 netmiko.send_command 'show sysinfo'
wlc1:

    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 8.9.111.0
    RTOS Version..................................... 8.9.111.0
    Bootloader Version............................... 8.5.1.85
    Emergency Image Version.......................... 8.9.111.0

    OUI File Last Update Time........................ Tue Feb 06 10:44:07 UTC 2018
    r,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc
    Build Type....................................... DATA + WPS

    System Name...................................... Cisco-0c0c.9da2.b501
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
    IP Address....................................... 192.168.241.2
    IPv6 Address..................................... ::
    System Up Time................................... 0 days 0 hrs 34 mins 4 secs
    System Timezone Location.........................
    System Stats Realtime Interval................... 5
    System Stats Normal Interval..................... 180

    Configured Country............................... US  - United States

    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 1
    Number of Active Clients......................... 0

    OUI Classification Failure Count................. 0

    Memory Current Usage............................. 52
    Memory Average Usage............................. 52
    CPU Current Usage................................ 0
    CPU Average Usage................................ 0

    Flash Type....................................... Compact Flash Card
    Flash Size....................................... 1073741824

    Burned-in MAC Address............................ 0C:0C:9D:A2:B5:01
    Maximum number of APs supported.................. 200
    System Nas-Id....................................
    WLC MIC Certificate Types........................ SHA1
    Licensing Type................................... RTU
    vWLC config...................................... Small

Net Module (aka napalm_network)

“net” is the virtual name of the “napalm_network” module.
Function: “connected”
Purpose: To verify connectivity from the Master to network devices managed by the “napalm” proxy.

root@mrcissp-master-1:/# salt Router1 net.connected
Router1:
    ----------
    out:
        True
root@mrcissp-master-1:/#

Function: “arp”
Purpose: To get the ARP entries on all interfaces.

root@mrcissp-master-1:/# salt Router1 net.arp
Router1:
    ----------
    comment:
    out:
        |_
          ----------
          age:
              0.0
          interface:
              GigabitEthernet0/0
          ip:
              192.168.100.1
          mac:
              0C:0C:9D:A4:BF:00
        |_
          ----------
          age:
              0.0
          interface:
              GigabitEthernet0/0
          ip:
              192.168.100.2
          mac:
              56:EC:C7:5B:E8:9C
        |_
          ----------
          age:
              65.0
          interface:
              GigabitEthernet0/0
          ip:
              192.168.100.3
          mac:
              D2:32:87:C9:F2:8F
        |_
          ----------
          age:
              1.0
          interface:
              GigabitEthernet0/1
          ip:
              192.168.108.2
          mac:
              00:50:56:E5:45:56
        |_
          ----------
          age:
              0.0
          interface:
              GigabitEthernet0/1
          ip:
              192.168.108.131
          mac:
              0C:0C:9D:A4:BF:01
        |_
          ----------
          age:
              53.0
          interface:
              GigabitEthernet0/1
          ip:
              192.168.108.254
          mac:
              00:50:56:ED:B5:FA
        |_
          ----------
          age:
              0.0
          interface:
              GigabitEthernet0/2
          ip:
              192.168.240.1
          mac:
              0C:0C:9D:A4:BF:02
        |_
          ----------
          age:
              68.0
          interface:
              GigabitEthernet0/2
          ip:
              192.168.240.2
          mac:
              0C:0C:9D:77:06:00
    result:
        True

Napalm Module (aka napalm_mod)

“napalm” is the virtual name of the “napalm_mod” module.
Function: “call”
Purpose: To execute remote commands on the devices.

root@mrcissp-master-1:/# salt Router1 napalm.call 'cli' ['show version','show ip int br']
Router1:
    ----------
    comment:
    out:
        ----------
        show ip int br:
            Interface                  IP-Address      OK? Method Status                Protocol
            GigabitEthernet0/0         192.168.100.1   YES NVRAM  up                    up
            GigabitEthernet0/1         192.168.108.131 YES DHCP   up                    up
            GigabitEthernet0/2         192.168.240.1   YES NVRAM  up                    up
            GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down
            Loopback0                  192.168.200.1   YES NVRAM  up                    up
        show version:
            Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)
            Technical Support: http://www.cisco.com/techsupport
            Copyright (c) 1986-2016 by Cisco Systems, Inc.
            Compiled Tue 22-Mar-16 16:19 by prod_rel_team


            ROM: Bootstrap program is IOSv

            R1 uptime is 1 hour, 10 minutes
            System returned to ROM by reload
            System restarted at 18:45:09 UTC Sun Nov 24 2019
            System image file is "flash0:/vios-adventerprisek9-m"
            Last reload reason: Unknown reason



            This product contains cryptographic features and is subject to United
            States and local country laws governing import, export, transfer and
            use. Delivery of Cisco cryptographic products does not imply
            third-party authority to import, export, distribute or use encryption.
            Importers, exporters, distributors and users are responsible for
            compliance with U.S. and local country laws. By using this product you
            agree to comply with applicable laws and regulations. If you are unable
            to comply with U.S. and local laws, return this product immediately.

            A summary of U.S. laws governing Cisco cryptographic products may be found at:
            http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

            If you require further assistance please contact us by sending email to
            export@cisco.com.

            Cisco IOSv (revision 1.0) with  with 460017K/62464K bytes of memory.
            Processor board ID 97277GPG1FLKXDX5WL1G0
            4 Gigabit Ethernet interfaces
            DRAM configuration is 72 bits wide with parity disabled.
            256K bytes of non-volatile configuration memory.
            2097152K bytes of ATA System CompactFlash 0 (Read/Write)
            0K bytes of ATA CompactFlash 1 (Read/Write)
            1024K bytes of ATA CompactFlash 2 (Read/Write)
            0K bytes of ATA CompactFlash 3 (Read/Write)



            Configuration register is 0x0
    result:
        True
root@mrcissp-master-1:/#

Sys Module

Function: “list_modules”
Purpose: To get the list of loaded modules with their virtual names.

root@mrcissp-master-1:/# salt '*' sys.list_modules
Router1:
    - aliases
    - alternatives
    - ansible
    - archive
    - artifactory
    - beacons
    - bgp
    - bigip
    - buildout
    - chassis
    - chronos
    - ciscoconfparse
    - cisconso
    - cloud
    - cmd
    - composer
    - config
    - consul
    - container_resource
    - cp
    - cpan
    - cryptdev
    - data
    - ddns
    - defaults
    - devmap
    - disk
    - django
    - dnsmasq
    - dnsutil
    - drbd
    - environ
    - esxcluster
    - esxdatacenter
    - esxi
    - esxvm
    - etcd
    - ethtool
    - event
    - extfs
    - file
    - gem
    - genesis
    - git
    - glassfish
    - gnome
    - google_chat
    - grafana4
    - grains
    - hashutil
    - highstate_doc
    - hipchat
    - hosts
    - http
    - hue
    - incron
    - ini
    - inspector
    - introspect
    - iosconfig
    - jboss7
    - jboss7_cli
    - k8s
    - key
    - keyboard
    - locale
    - locate
    - log
    - logrotate
    - mandrill
    - marathon
    - match
    - mattermost
    - mine
    - minion
    - modjk
    - mount
    - msteams
    - nagios_rpc
    - namecheap_domains
    - namecheap_domains_dns
    - namecheap_domains_ns
    - namecheap_ssl
    - namecheap_users
    - napalm
    - napalm_bgp
    - napalm_formula
    - napalm_net
    - napalm_ntp
    - napalm_route
    - napalm_snmp
    - napalm_users
    - net
    - netaddress
    - netmiko
    - network
    - nexus
    - nova
    - ntp
    - nxos
    - nxos_api
    - openscap
    - openstack_config
    - opsgenie
    - out
    - pagerduty
    - pagerduty_util
    - pam
    - parallels
    - peeringdb
    - pillar
    - pip
    - pkg_resource
    - probes
    - publish
    - pushover
    - pyeapi
    - pyenv
    - random
    - random_org
    - rbenv
    - rest_sample_utils
    - ret
    - route
    - rvm
    - s3
    - s6
    - salt_proxy
    - saltcheck
    - saltutil
    - schedule
    - scp
    - scsi
    - sdb
    - seed
    - serverdensity_device
    - slack
    - slsutil
    - smbios
    - smtp
    - snmp
    - solrcloud
    - sqlite3
    - ssh
    - state
    - status
    - statuspage
    - supervisord
    - sys
    - sysfs
    - syslog_ng
    - system
    - telegram
    - telemetry
    - temp
    - test
    - textfsm
    - timezone
    - uptime
    - users
    - vault
    - vcenter
    - virtualenv
    - vsphere
    - zabbix
    - zenoss
wlc1:
    - aliases
    - alternatives
    - ansible
    - archive
    - artifactory
    - beacons
    - bigip
    - buildout
    - chassis
    - chronos
    - ciscoconfparse
    - cisconso
    - cloud
    - cmd
    - composer
    - config
    - consul
    - container_resource
    - cp
    - cpan
    - cryptdev
    - data
    - ddns
    - defaults
    - devmap
    - disk
    - django
    - dnsmasq
    - dnsutil
    - drbd
    - environ
    - esxcluster
    - esxdatacenter
    - esxi
    - esxvm
    - etcd
    - ethtool
    - event
    - extfs
    - file
    - gem
    - genesis
    - git
    - glassfish
    - gnome
    - google_chat
    - grafana4
    - grains
    - hashutil
    - highstate_doc
    - hipchat
    - hosts
    - http
    - hue
    - incron
    - ini
    - inspector
    - introspect
    - iosconfig
    - jboss7
    - jboss7_cli
    - k8s
    - key
    - keyboard
    - locale
    - locate
    - log
    - logrotate
    - mandrill
    - marathon
    - match
    - mattermost
    - mine
    - minion
    - modjk
    - mount
    - msteams
    - nagios_rpc
    - namecheap_domains
    - namecheap_domains_dns
    - namecheap_domains_ns
    - namecheap_ssl
    - namecheap_users
    - netaddress
    - netmiko
    - network
    - nexus
    - nova
    - nxos
    - nxos_api
    - openscap
    - openstack_config
    - opsgenie
    - out
    - pagerduty
    - pagerduty_util
    - pam
    - parallels
    - peeringdb
    - pillar
    - pip
    - pkg_resource
    - publish
    - pushover
    - pyeapi
    - pyenv
    - random
    - random_org
    - rbenv
    - rest_sample_utils
    - ret
    - rvm
    - s3
    - s6
    - salt_proxy
    - saltcheck
    - saltutil
    - schedule
    - scp
    - scsi
    - sdb
    - seed
    - serverdensity_device
    - slack
    - slsutil
    - smbios
    - smtp
    - solrcloud
    - sqlite3
    - ssh
    - state
    - status
    - statuspage
    - supervisord
    - sys
    - sysfs
    - syslog_ng
    - system
    - telegram
    - telemetry
    - temp
    - test
    - textfsm
    - timezone
    - uptime
    - vault
    - vcenter
    - virtualenv
    - vsphere
    - zabbix
    - zenoss
mrcissp-minion-1:
    - aliases
    - alternatives
    - ansible
    - archive
    - artifactory
    - beacons
    - bigip
    - btrfs
    - buildout
    - ciscoconfparse
    - cloud
    - cmd
    - composer
    - config
    - consul
    - container_resource
    - cp
    - cpan
    - cryptdev
    - data
    - ddns
    - debconf
    - defaults
    - devmap
    - disk
    - django
    - dnsmasq
    - dnsutil
    - drbd
    - environ
    - etcd
    - ethtool
    - event
    - extfs
    - file
    - gem
    - genesis
    - git
    - glassfish
    - gnome
    - google_chat
    - grafana4
    - grains
    - group
    - hashutil
    - highstate_doc
    - hipchat
    - hosts
    - http
    - incron
    - ini
    - inspector
    - introspect
    - iosconfig
    - ip
    - jboss7
    - jboss7_cli
    - k8s
    - kernelpkg
    - key
    - keyboard
    - kmod
    - locale
    - locate
    - log
    - logrotate
    - lowpkg
    - mandrill
    - match
    - mattermost
    - mine
    - minion
    - modjk
    - mount
    - msteams
    - nagios_rpc
    - namecheap_domains
    - namecheap_domains_dns
    - namecheap_domains_ns
    - namecheap_ssl
    - namecheap_users
    - netaddress
    - netmiko
    - network
    - nexus
    - nova
    - nxos_api
    - openscap
    - openstack_config
    - opsgenie
    - out
    - pagerduty
    - pagerduty_util
    - pam
    - parallels
    - peeringdb
    - pillar
    - pip
    - pkg
    - pkg_resource
    - publish
    - pushover
    - pyeapi
    - pyenv
    - random
    - random_org
    - rbenv
    - rest_sample_utils
    - ret
    - rvm
    - s3
    - s6
    - salt_proxy
    - saltcheck
    - saltutil
    - schedule
    - scp
    - scsi
    - sdb
    - seed
    - serverdensity_device
    - service
    - shadow
    - slack
    - slsutil
    - smbios
    - smtp
    - solrcloud
    - sqlite3
    - ssh
    - state
    - status
    - statuspage
    - supervisord
    - sys
    - sysctl
    - sysfs
    - syslog_ng
    - system
    - telegram
    - telemetry
    - temp
    - test
    - textfsm
    - timezone
    - uptime
    - user
    - vault
    - vbox_guest
    - virtualenv
    - vsphere
    - xfs
    - zabbix
    - zenoss

Function: “list_functions”
Purpose: To get the list of loaded functions.

Function: “doc”
Argument: “module.function”
Purpose: To get the documentation of a given function.

root@mrcissp-master-1:/# salt Router1 sys.doc net.arp
net.arp:

    NAPALM returns a list of dictionaries with details of the ARP entries.

    :param interface: interface name to filter on
    :param ipaddr: IP address to filter on
    :param macaddr: MAC address to filter on
    :return: List of the entries in the ARP table

    CLI Example:

        salt '*' net.arp
        salt '*' net.arp macaddr='5c:5e:ab:da:3c:f0'

    Example output:

        [
            {
                'interface' : 'MgmtEth0/RSP0/CPU0/0',
                'mac'       : '5c:5e:ab:da:3c:f0',
                'ip'        : '172.17.17.1',
                'age'       : 1454496274.84
            },
            {
                'interface': 'MgmtEth0/RSP0/CPU0/0',
                'mac'       : '66:0e:94:96:e0:ff',
                'ip'        : '172.17.17.2',
                'age'       : 1435641582.49
            }
        ]

Targeting Minions

In this post, we will take a look at the common targeting techniques that can be used to select Minions.

Targeting using Minion ID

root@mrcissp-master-1:/# salt Router1 test.ping
Router1:
    True
root@mrcissp-master-1:/# salt wlc1 test.ping
wlc1:
    True
root@mrcissp-master-1:/#

Targeting using List of Minion ID

root@mrcissp-master-1:/# salt -L wlc1,Router1 test.ping
Router1:
    True
wlc1:
    True
root@mrcissp-master-1:/#

Targeting using Grains

For example, we need to know the software version of all IOS routers in our network.

root@mrcissp-master-1:/# salt -C 'G@os:ios' napalm.call 'cli' ['show version']
Router1:
    ----------
    comment:
    out:
        ----------
        show version:
            Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)
            Technical Support: http://www.cisco.com/techsupport
            Copyright (c) 1986-2016 by Cisco Systems, Inc.
            Compiled Tue 22-Mar-16 16:19 by prod_rel_team


            ROM: Bootstrap program is IOSv

            R1 uptime is 1 minute
            System returned to ROM by reload
            System restarted at 05:47:13 UTC Mon Nov 25 2019
            System image file is "flash0:/vios-adventerprisek9-m"
            Last reload reason: Unknown reason



            This product contains cryptographic features and is subject to United
            States and local country laws governing import, export, transfer and
            use. Delivery of Cisco cryptographic products does not imply
            third-party authority to import, export, distribute or use encryption.
            Importers, exporters, distributors and users are responsible for
            compliance with U.S. and local country laws. By using this product you
            agree to comply with applicable laws and regulations. If you are unable
            to comply with U.S. and local laws, return this product immediately.

            A summary of U.S. laws governing Cisco cryptographic products may be found at:
            http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

            If you require further assistance please contact us by sending email to
            export@cisco.com.

            Cisco IOSv (revision 1.0) with  with 460017K/62464K bytes of memory.
            Processor board ID 97277GPG1FLKXDX5WL1G0
            4 Gigabit Ethernet interfaces
            DRAM configuration is 72 bits wide with parity disabled.
            256K bytes of non-volatile configuration memory.
            2097152K bytes of ATA System CompactFlash 0 (Read/Write)
            0K bytes of ATA CompactFlash 1 (Read/Write)
            1024K bytes of ATA CompactFlash 2 (Read/Write)
            0K bytes of ATA CompactFlash 3 (Read/Write)



            Configuration register is 0x0
    result:
        True
root@mrcissp-master-1:/#

Targeting using Pillars

For example, we need to know the software version of all WLCs in our network. Since the WLCs are managed by netmiko rather than NAPALM, the appropriate grains for OS type are not collected. Therefore, we cannot target all WLCs using grains as discussed above. However, we can be sure that every WLC in our network is managed through the “netmiko” proxy pillar, so we can target using pillar instead.

root@mrcissp-master-1:/# salt -I 'proxy:device_type:cisco_wlc' netmiko.send_command 'show sysinfo'
wlc1:

    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 8.9.111.0
    RTOS Version..................................... 8.9.111.0
    Bootloader Version............................... 8.5.1.85
    Emergency Image Version.......................... 8.9.111.0

    OUI File Last Update Time........................ Tue Feb 06 10:44:07 UTC 2018
    r,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc
    Build Type....................................... DATA + WPS

    System Name...................................... Cisco-0c0c.9da2.b501
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
    IP Address....................................... 192.168.241.2
    IPv6 Address..................................... ::
    System Up Time................................... 0 days 2 hrs 0 mins 1 secs
    System Timezone Location.........................
    System Stats Realtime Interval................... 5
    System Stats Normal Interval..................... 180

    Configured Country............................... US  - United States

    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 1
    Number of Active Clients......................... 0

    OUI Classification Failure Count................. 0

    Memory Current Usage............................. 52
    Memory Average Usage............................. 52
    CPU Current Usage................................ 0
    CPU Average Usage................................ 1

    Flash Type....................................... Compact Flash Card
    Flash Size....................................... 1073741824

    Burned-in MAC Address............................ 0C:0C:9D:A2:B5:01
    Maximum number of APs supported.................. 200
    System Nas-Id....................................
    WLC MIC Certificate Types........................ SHA1
    Licensing Type................................... RTU
    vWLC config...................................... Small

Compound Targeting

For example, suppose we need to know the software version of all IOS routers of model IOSv.

root@mrcissp-master-1:/# salt -C 'G@os:ios and G@model:IOSv' napalm.call 'cli' ['show version']
Router1:
    ----------
    comment:
    out:
        ----------
        show version:
            Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)
            Technical Support: http://www.cisco.com/techsupport
            Copyright (c) 1986-2016 by Cisco Systems, Inc.
            Compiled Tue 22-Mar-16 16:19 by prod_rel_team


            ROM: Bootstrap program is IOSv

            R1 uptime is 15 minutes
            System returned to ROM by reload
            System restarted at 05:47:13 UTC Mon Nov 25 2019
            System image file is "flash0:/vios-adventerprisek9-m"
            Last reload reason: Unknown reason



            This product contains cryptographic features and is subject to United
            States and local country laws governing import, export, transfer and
            use. Delivery of Cisco cryptographic products does not imply
            third-party authority to import, export, distribute or use encryption.
            Importers, exporters, distributors and users are responsible for
            compliance with U.S. and local country laws. By using this product you
            agree to comply with applicable laws and regulations. If you are unable
            to comply with U.S. and local laws, return this product immediately.

            A summary of U.S. laws governing Cisco cryptographic products may be found at:
            http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

            If you require further assistance please contact us by sending email to
            export@cisco.com.

            Cisco IOSv (revision 1.0) with  with 460017K/62464K bytes of memory.
            Processor board ID 97277GPG1FLKXDX5WL1G0
            4 Gigabit Ethernet interfaces
            DRAM configuration is 72 bits wide with parity disabled.
            256K bytes of non-volatile configuration memory.
            2097152K bytes of ATA System CompactFlash 0 (Read/Write)
            0K bytes of ATA CompactFlash 1 (Read/Write)
            1024K bytes of ATA CompactFlash 2 (Read/Write)
            0K bytes of ATA CompactFlash 3 (Read/Write)



            Configuration register is 0x0
    result:
        True
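
To see which minions a pillar target (-I) or a compound target (-C) would select before a command is sent, the matching can be modelled offline. This is an added example, not code from the original post or from Salt: it is a simplified model (G@ and I@ terms, minion ID globs, and/or/not without parentheses), and the inventory is constructed from the IDs and values shown in this post.

```python
import fnmatch

# Constructed inventory. Minion IDs and values come from this post; wlc1 has no
# os/model grains, as the post describes. Credentials are left out on purpose.
INVENTORY = {
    "Router1": {
        "grains": {"os": "ios", "model": "IOSv"},
        "pillar": {"proxy": {"proxytype": "napalm", "driver": "ios"}},
    },
    "wlc1": {
        "grains": {},
        "pillar": {"proxy": {"proxytype": "netmiko", "device_type": "cisco_wlc"}},
    },
    "mrcissp-minion-1": {"grains": {"os": "Ubuntu"}, "pillar": {}},
}


def nested_match(data, expr):
    """Match 'key:subkey:...:glob' against nested dicts.

    Every part but the last is a dictionary key; the last part is a glob that
    is compared case-insensitively. Values containing ':' are not modelled.
    """
    *keys, pattern = expr.split(":")
    node = data
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    if isinstance(node, dict):
        return False
    values = node if isinstance(node, list) else [node]
    return any(fnmatch.fnmatchcase(str(v).lower(), pattern.lower()) for v in values)


def term_matches(term, minion_id, facts):
    """Evaluate one term: G@ (grain), I@ (pillar) or a glob on the minion ID."""
    if term.startswith("G@"):
        return nested_match(facts["grains"], term[2:])
    if term.startswith("I@"):
        return nested_match(facts["pillar"], term[2:])
    if len(term) > 1 and term[1] == "@":
        raise ValueError("matcher not modelled in this example: " + term)
    return fnmatch.fnmatchcase(minion_id, term)


def compound_matches(expr, minion_id, facts):
    """'not' binds tightest, then 'and', then 'or'; parentheses are not handled."""
    groups, current = [], []
    for token in expr.split():
        if token == "or":
            groups.append(current)
            current = []
        else:
            current.append(token)
    groups.append(current)

    for group in groups:
        negate, ok = False, bool(group)
        for token in group:
            if token == "and":
                continue
            if token == "not":
                negate = not negate
                continue
            if term_matches(token, minion_id, facts) == negate:
                ok = False
                break
            negate = False
        if ok:
            return True
    return False


def select(expr, inventory=INVENTORY):
    """Return the sorted minion IDs that the expression would target."""
    return sorted(m for m, facts in inventory.items()
                  if compound_matches(expr, m, facts))


if __name__ == "__main__":
    for target in ("I@proxy:device_type:cisco_wlc", "G@os:ios and G@model:IOSv"):
        print(target, "->", select(target))
```

The -I target from the previous section is written here in its compound form, I@proxy:device_type:cisco_wlc.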

Salt Nomenclature

Disclaimer: – I am not an expert in Saltstack. I have been spending some good time to understand and unwrap bits of it primarily focused on Network Automation use-cases. This note was written by me (Gaurav Agrawal) in my personal capacity. The opinions expressed in this article are solely my own and do not reflect the view of my employer or my preference towards any of the OEMs.

In the previous post we looked at the installation and the basic configuration steps required to start with Salt. In this post, we will try to unwrap some of the key Salt nomenclature. This is the very next step in network automation using Salt.

Pillar

Pillar is used to organize the configuration data. e.g. NTP server details, DNS server details, Syslog server details, interface details etc.

Since most of the network devices available today don’t support a native minion agent on the device, we need to create a proxy minion which can SSH to the device and get the required information. By default Cisco IOS devices are supported by the “NAPALM” proxy, and other OS types such as Cisco AirOS are supported by the “netmiko” proxy.

The examples below demonstrate how to configure a pillar for the “NAPALM” & “NETMIKO” proxies.

Configuring pillar for NAPALM proxy i.e. router.sls
root@mrcissp-master-1:/# cat /etc/salt/pillar/router.sls
proxy:
  proxytype: napalm
  driver: ios
  host: 192.168.200.1
  username: mrcissp
  passwd: Nvidia@123

Refer to NAPALM proxy module for more details.

Configuring NETMIKO pillar i.e. wlc.sls
root@mrcissp-master-1:/# cat /etc/salt/pillar/wlc.sls
proxy:
  proxytype: netmiko
  device_type: cisco_wlc
  username: mrcissp
  password: Nvidia@123
  ip: 192.168.241.2
root@mrcissp-master-1:/#

Refer to NETMIKO proxy module for more details.

Grains

Grains represent static data (i.e. information which is very unlikely to change or does not change often) collected from devices. To collect all the grains from minions/proxy minions, use the command “salt '*' grains.items”. Below are the grains discovered on the running minion, i.e. “mrcissp-minion-1”.

root@mrcissp-master-1:/# salt '*' grains.items
mrcissp-minion-1:
    ----------
    SSDs:
    biosreleasedate:
        07/29/2019
    biosversion:
        6.00
    cpu_flags:
        - fpu
        - vme
        - de
        - pse
        - tsc
        - msr
        - pae
        - mce
        - cx8
        - apic
        - sep
        - mtrr
        - pge
        - mca
        - cmov
        - pat
        - pse36
        - clflush
        - mmx
        - fxsr
        - sse
        - sse2
        - ss
        - ht
        - syscall
        - nx
        - pdpe1gb
        - rdtscp
        - lm
        - constant_tsc
        - arch_perfmon
        - nopl
        - xtopology
        - tsc_reliable
        - nonstop_tsc
        - cpuid
        - pni
        - pclmulqdq
        - vmx
        - ssse3
        - fma
        - cx16
        - pcid
        - sse4_1
        - sse4_2
        - x2apic
        - movbe
        - popcnt
        - aes
        - xsave
        - avx
        - f16c
        - rdrand
        - hypervisor
        - lahf_lm
        - 3dnowprefetch
        - cpuid_fault
        - pti
        - ssbd
        - ibrs
        - ibpb
        - stibp
        - tpr_shadow
        - vnmi
        - ept
        - vpid
        - fsgsbase
        - smep
        - arat
        - flush_l1d
        - arch_capabilities
    cpu_model:
        Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
    cpuarch:
        x86_64
    disks:
        - loop1
        - sdb
        - loop6
        - loop4
        - sr0
        - loop2
        - loop0
        - loop7
        - sda
        - loop5
        - loop3
    dns:
        ----------
        domain:
        ip4_nameservers:
            - 8.8.8.8
        ip6_nameservers:
        nameservers:
            - 8.8.8.8
        options:
        search:
        sortlist:
    domain:
    fqdn:
        mrcissp-minion-1
    fqdn_ip4:
        - 127.0.1.1
    fqdn_ip6:
    fqdns:
    gid:
        0
    gpus:
    groupname:
        root
    host:
        mrcissp-minion-1
    hwaddr_interfaces:
        ----------
        eth0:
            2a:ed:fc:79:7f:6f
    id:
        mrcissp-minion-1
    init:
        unknown
    ip4_interfaces:
        ----------
        eth0:
            - 192.168.100.3
        lo:
            - 127.0.0.1
    ip6_interfaces:
        ----------
        eth0:
            - fe80::28ed:fcff:fe79:7f6f
        lo:
            - ::1
    ip_interfaces:
        ----------
        eth0:
            - 192.168.100.3
            - fe80::28ed:fcff:fe79:7f6f
        lo:
            - 127.0.0.1
            - ::1
    ipv4:
        - 127.0.0.1
        - 192.168.100.3
    ipv6:
        - ::1
        - fe80::28ed:fcff:fe79:7f6f
    kernel:
        Linux
    kernelrelease:
        4.15.0-55-generic
    kernelversion:
        #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019
    locale_info:
        ----------
        defaultencoding:
            None
        defaultlanguage:
            None
        detectedencoding:
            ANSI_X3.4-1968
        timezone:
            unknown
    localhost:
        mrcissp-minion-1
    lsb_distrib_codename:
        bionic
    lsb_distrib_description:
        Ubuntu 18.04.3 LTS
    lsb_distrib_id:
        Ubuntu
    lsb_distrib_release:
        18.04
    machine_id:
        578962dbb63ae45b159330245dd26e77
    manufacturer:
        VMware, Inc.
    master:
        192.168.100.2
    mdadm:
    mem_total:
        3944
    nodename:
        mrcissp-minion-1
    num_cpus:
        4
    num_gpus:
        0
    os:
        Ubuntu
    os_family:
        Debian
    osarch:
        amd64
    oscodename:
        bionic
    osfinger:
        Ubuntu-18.04
    osfullname:
        Ubuntu
    osmajorrelease:
        18
    osrelease:
        18.04
    osrelease_info:
        - 18
        - 4
    path:
        /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    pid:
        4538
    productname:
        VMware Virtual Platform
    ps:
        ps -efHww
    pythonexecutable:
        /usr/bin/python
    pythonpath:
        - /usr/local/bin
        - /usr/lib/python2.7
        - /usr/lib/python2.7/plat-x86_64-linux-gnu
        - /usr/lib/python2.7/lib-tk
        - /usr/lib/python2.7/lib-old
        - /usr/lib/python2.7/lib-dynload
        - /usr/local/lib/python2.7/dist-packages
        - /usr/lib/python2.7/dist-packages
    pythonversion:
        - 2
        - 7
        - 15
        - final
        - 0
    saltpath:
        /usr/local/lib/python2.7/dist-packages/salt
    saltversion:
        2019.2.2
    saltversioninfo:
        - 2019
        - 2
        - 2
        - 0
    serialnumber:
        VMware-56 4d e4 6c d3 e5 53 d5-0c 20 c1 55 a4 0e b9 4e
    server_id:
        822305722
    shell:
        /bin/sh
    swap_total:
        924
    systemd:
        ----------
        features:
            +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid
        version:
            237
    uid:
        0
    username:
        root
    uuid:
        564de46c-d3e5-53d5-0c20-c155a40eb94e
    virtual:
        VMware
    virtual_subtype:
        Docker
    zfs_feature_flags:
        False
    zfs_support:
        False
    zmqversion:
        4.3.2

Additional Master configuration

File Roots

Primarily it is used to isolate environments, e.g. a test environment, a development environment and a production environment served by a common master.
Navigate to the “Master” configuration file, i.e. “nano /etc/salt/master”, and add the following details. In our test bed we are referring to the “base” environment.

file_roots:
  base:
    - /etc/salt/pillar
    - /etc/salt/states
    - /etc/salt/reactors
    - /etc/salt/templates

Pillar Roots

Used to map each environment to the appropriate directories of pillar “sls” files.
Navigate to the “Master” configuration file, i.e. “nano /etc/salt/master”, and add the following details. In our test bed we are referring to the “base” environment.

pillar_roots:
  base:
    - /etc/salt/pillar
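
Both stanzas above list /etc/salt/pillar, so the pillar directory is also published by the Salt file server and router.sls and wlc.sls, with their device passwords, are readable through it by every minion; Salt's documentation asks that the pillar directory not sit inside the state tree. The check below is an added example (not from the original post or from Salt) that flags this overlap. The function names and the separated layout are assumptions of the example.

```python
import posixpath

# The file_roots / pillar_roots stanzas from this post, as one master config.
PAGE_CONFIG = """\
file_roots:
  base:
    - /etc/salt/pillar
    - /etc/salt/states
    - /etc/salt/reactors
    - /etc/salt/templates
pillar_roots:
  base:
    - /etc/salt/pillar
"""

# Assumed corrected layout: the pillar directory is no longer a file root.
SEPARATED_CONFIG = """\
file_roots:
  base:
    - /etc/salt/states
    - /etc/salt/reactors
    - /etc/salt/templates
pillar_roots:
  base:
    - /etc/salt/pillar
"""


def parse_roots(text):
    """Parse only the file_roots/pillar_roots stanzas (option -> env -> [dirs]).

    Deliberately minimal: it handles the block layout shown above, skips
    comments and every other master option. It is not a general YAML parser.
    """
    roots = {"file_roots": {}, "pillar_roots": {}}
    option = env = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:
            key = stripped.rstrip(":")
            option = key if stripped.endswith(":") and key in roots else None
            env = None
        elif option and stripped.startswith("- "):
            if env is not None:
                path = stripped[2:].strip().strip("'\"")
                roots[option][env].append(posixpath.normpath(path))
        elif option and stripped.endswith(":"):
            env = stripped[:-1].strip()
            roots[option].setdefault(env, [])
    return roots


def is_within(path, parent):
    """True if path equals parent or lies beneath it."""
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def exposed_pillar_dirs(text):
    """Return one finding per pillar directory that a file root also serves."""
    roots = parse_roots(text)
    served = [(env, d) for env, dirs in roots["file_roots"].items() for d in dirs]
    findings = []
    for p_env, p_dirs in roots["pillar_roots"].items():
        for p_dir in p_dirs:
            for f_env, f_dir in served:
                if is_within(p_dir, f_dir):
                    findings.append({"pillar_env": p_env, "pillar_dir": p_dir,
                                     "file_env": f_env, "served_from": f_dir})
    return findings


if __name__ == "__main__":
    for name, cfg in (("post", PAGE_CONFIG), ("separated", SEPARATED_CONFIG)):
        print(name, exposed_pillar_dirs(cfg) or "no overlap")
```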

Proxy configuration on a Minion

As the proxy minion is a subset of the regular minion, it inherits the same configuration options, as discussed in the minion configuration documentation. However, additional configuration is required for SSH-based proxies to work properly.
Navigate to the minion’s proxy configuration file, i.e. “nano /etc/salt/proxy”, and add the following details.

master: 192.168.100.2
pki_dir: /etc/salt/pki/proxy
cachedir: /var/cache/salt/proxy
multiprocessing: False
mine_enabled: True

Note: Multiprocessing is set to False because in our example we are using SSH-based proxies to connect to Router R1 and the WLC. If we have to use Salt with a REST-based API for NX-OS, we must set this to True.

Pillar Top File

A very important configuration: the objective of the pillar “top.sls” file is to tell each minion ID which SLS files defined on the master it should use.

Note: The top file is another SLS file named top.sls found under one of the paths defined in the file_roots.

  • “ntp_config.sls” could be assigned to all the minion_id’s
  • “syslog_config.sls” could be assigned to all the minion_id’s
  • However, “ap_config” must be assigned to only WLC specific minion_id’s
  • Similarly, “bgp_config” must be assigned to only Router specific minion_id’s

Navigate to the “Master” top file, i.e. “nano /etc/salt/pillar/top.sls”, and add the following details. In our test bed we are referring to the “base” environment, e.g. Router* represents minion IDs starting with the keyword “Router”.

base:
  Router*:
    - router
  wlc*:
    - wlc

Starting “salt-proxy”

To start a salt-proxy, use the command below.

salt-proxy --proxyid=<proxy_minion_id> -l debug
root@mrcissp-minion-1:/# salt-proxy --proxyid=Router1 -d
root@mrcissp-minion-1:/# salt-proxy --proxyid=wlc1 -d

Once the proxy minions are started, we are required to accept their respective keys.

root@mrcissp-master-1:/# salt-key
Accepted Keys:
mrcissp-minion-1
Denied Keys:
Unaccepted Keys:
Router1
wlc1
Rejected Keys:
root@mrcissp-master-1:/# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
Router1
wlc1
Proceed? [n/Y] Y
Key for minion Router1 accepted.
Key for minion wlc1 accepted.
root@mrcissp-master-1:/# salt-key
Accepted Keys:
Router1
mrcissp-minion-1
wlc1
Denied Keys:
Unaccepted Keys:
Rejected Keys:

Verification

Verify the connectivity between Master & proxy Minion. To do this, use below command

root@mrcissp-master-1:/# salt '*' test.ping
Router1:
    True
wlc1:
    True
mrcissp-minion-1:
    True
root@mrcissp-master-1:/#

Please remember: in our case, the “Router1” minion is managing R1 with the “napalm” proxy. The “wlc1” minion is managed by the “netmiko” proxy.

Installation and Configuration of Salt with Docker in GNS3

This blog demonstrates our first step towards network automation using Salt. At the end of this section, one would be familiar with how to start a basic Salt environment.

Below topics will be discussed in this section.

  1. Crafting “Salt-Master” & “Salt-Minion” docker container.
  2. GNS3 topology preparation
  3. Master Configuration
  4. Minion Configuration
  5. Proxy configuration
  6. Verification

Crafting Docker image for Salt-master and Salt-minion

I am sure you must be thinking: why do I need to build a Docker container? Well, we will demonstrate this lab in GNS3, and by default the required containers are not available on the GNS3 website marketplace. Hence, we need to create one to fulfill the following objective, i.e. “Faster, Scalable, efficient”.

  1. Changes made within an “Ubuntu Hosts” are not persistent if GNS3 application is reloaded. Hence, every time we must install “salt-master” and “salt-minion” and other respective dependencies. Therefore, it would be a good idea to create an image which will have all its dependencies installed as soon as we create a container.
  2. Traditional methodology is not scalable i.e. imagine a situation if we got a requirement to import 3,5,10…so on containers in one project. Adding the same dependency at each container would be an inefficient use of resources and time-consuming process.

Hence, we decided to build a docker container for “Salt-Master” and “Salt-Minion”.

The only prerequisite for this is to have GNS3 VM installed & running in our local machine. Post-installation it would look like this.

  1. Click on “OK” and select “shell” using UP/DOWN arrow key. This will bring to “GNS3 VM” shell.
  2. Enter “pwd” to determine the present working directory
  3. Enter “sudo su -” to log in as the “root” user.
  4. Navigate to the above working directory – In our case i.e. /home/gns3
  5. Ensure that you have internet access to GNS3 VM. Try “ping google.com”. If not, please check VM network adapter settings and add the appropriate “NAT” adapter to the VM.
  6. Create a Dockerfile: Master_Dockerfile with “nano Master_Dockerfile” command. Add below commands –
FROM ubuntu:18.04
# -y keeps apt-get non-interactive so the build does not stop at a prompt
RUN apt-get update && apt-get install -y nmap
RUN apt-get update && apt-get install -y net-tools
RUN apt-get update && apt-get install -y nano
RUN apt-get install yum -y
RUN apt-get install -y wget
RUN apt-get update && apt-get install iputils-ping -y
RUN DEBIAN_FRONTEND=noninteractive apt install -y tzdata
ENV TZ=Europe/Minsk
# RUN (not ENV) so that the timezone files are actually written
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN apt-get install salt-master -y
RUN apt-get install salt-api -y
RUN apt-get update
RUN apt-get install systemd -y
RUN apt-get install -y less
RUN apt-get install git -y
RUN apt-get install python3-pip -y
RUN apt-get install python-pip -y
RUN apt-get update
RUN pip install napalm
RUN pip install --upgrade pip

7. Save and exit.
8. The next step is to build this Docker container from the respective Dockerfile. Please execute the command below.

docker build -f Master_Dockerfile -t mrcissp-master .

9. Similarly, Create a Dockerfile: Minion_Dockerfile with “nano Minion_Dockerfile” command and add below commands –

FROM ubuntu:18.04
# -y keeps apt-get non-interactive so the build does not stop at a prompt
RUN apt-get update && apt-get install -y nmap
RUN apt-get update && apt-get install -y net-tools
RUN apt-get update && apt-get install -y nano
RUN apt-get install yum -y
RUN apt-get install -y wget
RUN apt-get update && apt-get install iputils-ping -y
RUN DEBIAN_FRONTEND=noninteractive apt install -y tzdata
ENV TZ=Europe/Minsk
# RUN (not ENV) so that the timezone files are actually written
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN apt-get install salt-minion -y
RUN apt-get install salt-api -y
RUN apt-get update
RUN apt-get install systemd -y
RUN apt-get install -y less
RUN apt-get install git -y
RUN apt-get install python3-pip -y
RUN apt-get install python-pip -y
RUN apt-get update
RUN pip install napalm
RUN pip install --upgrade pip

10. Kindly save and exit.
11. Again, build a Docker container from the respective Dockerfile. Refer to the command below.

docker build -f Minion_Dockerfile -t mrcissp-minion .

Importing these custom build containers to GNS3

Follow below steps to import these containers to GNS3 applications.

  1. Navigate to Edit -> Preference -> Docker -> Docker Container -> New

2. Click on “Next”

3. Select the appropriate build i.e. “mrcissp-master:latest” for Master & “mrcissp-minion:latest” for Minion from the drop down menu.

4. Click on Next.
5. Repeat this for the Minion build. This is what the application window looks like.

6. Click on “Apply”

Creating First GNS3 topology

To start our first project with Salt, the GNS3 topology below has been considered for demonstration.

Note: By default, the changes made to the Docker container files will not persist if GNS3 reloads. Hence, to maintain persistency, the configuration change below is required on our hosts, i.e. “mrcissp-master-1” and “mrcissp-minion-1”.

  1. Right click on mrcissp-master-1/mrcissp-minion-1, select “configure”
  2. From the available tab select “Advanced” and add the below mentioned directory.
/etc
/home
/var

3. Click on Apply

R1 Configuration

!
service password-encryption
!
hostname R1
!
ip domain name mrcissplab.com
ip name-server 8.8.8.8
!
username mrcissp privilege 15 password 7 0525100625454F29485744
!
interface Loopback0
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address dhcp
!
interface GigabitEthernet0/2
 ip address 192.168.240.1 255.255.255.0
!
router ospf 1
 network 192.168.100.0 0.0.0.255 area 0
 network 192.168.200.0 0.0.0.255 area 0
 network 192.168.240.0 0.0.0.255 area 0
!
ip ssh version 2
!
line vty 0 4
 login local
 transport input ssh
!

Switch Configuration

hostname Switch
!
username mrcissp privilege 15 password 0 mrcissp@123
!
ip domain-name mrcissplab.com
ip name-server 8.8.8.8
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 241
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
!
interface GigabitEthernet0/0
 no switchport
 ip address 192.168.240.2 255.255.255.0
 negotiation auto
!
Vlan 241
Name MGMT_WLC
!
interface Vlan241
 ip address 192.168.241.1 255.255.255.0
!
router ospf 1
 network 192.168.240.0 0.0.0.255 area 0
 network 192.168.241.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 192.168.240.1
ip ssh version 2
!
line vty 0 4
 login local
 transport input ssh
!

Salt Master Configuration

The Salt system is amazingly simple and easy to configure. Each of the two components of the Salt system has its own configuration file. The salt-master is configured via the master configuration file, i.e. /etc/salt/master.
Identify the Salt-Master IP address, i.e. 192.168.100.2.

root@mrcissp-master-1:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.2  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::44d:85ff:fe50:8fa3  prefixlen 64  scopeid 0x20<link>
        ether 06:4d:85:50:8f:a3  txqueuelen 1000  (Ethernet)
        RX packets 46  bytes 7327 (7.3 KB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 12  bytes 936 (936.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Execute “nano /etc/salt/master” and add the IP address on which salt-master will be listening.

# How often, in seconds, to send keepalives after the first one. Default -1 to
# use OS defaults, typically 75 seconds on Linux, see
# /proc/sys/net/ipv4/tcp_keepalive_intvl.
#tcp_keepalive_intvl: -1

interface: 192.168.100.2

Start salt-master using the command “salt-master -d”, where “-d” runs the command in the background of the shell terminal. Also execute the “salt-key” command to verify whether the master can hear any minion. Since we don’t have any minion running as of now, we don’t see any minion key coming to this master for authentication.

root@mrcissp-master-1:/# salt-master -d
root@mrcissp-master-1:/# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:

Note: To see the fingerprints of the public and private keys on the master, use the “salt-key -F” command.

root@mrcissp-master-1:/# salt-key -F
Local Keys:
master.pem:  1d:a2:06:00:47:c3:e8:93:dc:97:53:a8:07:bb:0d:c2:41:0b:d8:7d:70:ce:9f:32:62:9b:98:11:30:2e:23:cb
master.pub:  88:13:60:51:ef:ee:7a:58:1a:2c:63:a0:08:f4:06:82:9f:df:81:2e:75:7b:fb:96:43:be:6d:bf:bb:e9:6b:07

Salt Minion Configuration

The salt-minion is configured via the minion configuration file i.e. /etc/salt/minion.

Execute “nano /etc/salt/minion” & add the IP address of salt-master used by this Minion

######    Miscellaneous  settings     ######
############################################
# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
#event_match_type: startswith
master: 192.168.100.2

Start salt-minion using command “salt-minion -d” – where “-d” denotes to run this command in background on “shell terminal”.

root@mrcissp-minion-1:/# salt-minion -d
/usr/local/lib/python2.7/dist-packages/salt/scripts.py:198: DeprecationWarning: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date.  Salt will drop support for Python 2.7 in the Sodium release or later.
root@mrcissp-minion-1:/#

Execute the “salt-key” command to verify whether the master can hear any minion now. As we can see, the minion with minion ID “mrcissp-minion-1” is seen at the master, but its keys are not yet accepted by the master.

root@mrcissp-master-1:/# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
mrcissp-minion-1
Rejected Keys:
root@mrcissp-master-1:/#

To accept the key from the respective minion, execute “salt-key -A <minion_id>”. We can observe that the authentication key for mrcissp-minion-1 has been accepted.

root@mrcissp-master-1:/# salt-key -A mrcissp-minion-1
The following keys are going to be accepted:
Unaccepted Keys:
mrcissp-minion-1
Proceed? [n/Y] Y
Key for minion mrcissp-minion-1 accepted.
root@mrcissp-master-1:/#
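
salt-key -A accepts every pending key at once, here and for the proxy minions Router1 and wlc1, so a pending key should be checked before it is trusted: compare the fingerprint the master shows for it with the one read on the minion itself (for a regular minion, salt-call --local key.finger) and accept only matching IDs one by one with salt-key -a. The sketch below is an added example, not from the original post. The sample output, its shortened fingerprints, the ID lab-unknown and the function names are constructed.

```python
import re

# Constructed sample of `salt-key -F` output on the master. All fingerprints
# are made up and shortened for readability; real ones are longer.
SALT_KEY_F_OUTPUT = """\
Local Keys:
master.pem:  10:20:30:40:50:60:70:80
master.pub:  11:21:31:41:51:61:71:81
Accepted Keys:
mrcissp-minion-1:  3c:91:0e:aa:41:7b:d2:05
Unaccepted Keys:
Router1:  a4:5f:12:9c:00:e1:7d:33
wlc1:  de:ad:be:ef:00:11:22:33
lab-unknown:  0b:77:c4:19:5a:e0:62:8f
"""

# Constructed reference: fingerprints noted on each device's own console,
# i.e. obtained out of band and not through the master.
REFERENCE_FINGERPRINTS = {
    "Router1": "A4:5F:12:9C:00:E1:7D:33",   # same key, different letter case
    "wlc1": "42:42:42:42:42:42:42:42",      # differs from what the master saw
}

KEY_LINE = re.compile(
    r"^(?P<id>\S+):\s+(?P<fp>[0-9a-f]{2}(?::[0-9a-f]{2})+)$", re.IGNORECASE)


def pending_fingerprints(salt_key_output):
    """Return {minion_id: fingerprint} for the 'Unaccepted Keys:' section only."""
    section, pending = None, {}
    for line in salt_key_output.splitlines():
        line = line.strip()
        if line.endswith("Keys:"):
            section = line
            continue
        match = KEY_LINE.match(line)
        if match and section == "Unaccepted Keys:":
            pending[match.group("id")] = match.group("fp").lower()
    return pending


def acceptance_plan(salt_key_output, reference):
    """Split pending keys into those safe to accept and those to hold back."""
    accept, hold = [], {}
    for minion_id, seen in sorted(pending_fingerprints(salt_key_output).items()):
        expected = reference.get(minion_id)
        if expected is None:
            hold[minion_id] = "no reference fingerprint recorded"
        elif expected.lower() != seen:
            hold[minion_id] = "fingerprint mismatch"
        else:
            accept.append(minion_id)
    return {
        "accept": accept,
        "hold": hold,
        # One command per verified ID instead of a blanket `salt-key -A`.
        "commands": ["salt-key -a " + minion_id for minion_id in accept],
    }


if __name__ == "__main__":
    plan = acceptance_plan(SALT_KEY_F_OUTPUT, REFERENCE_FINGERPRINTS)
    for command in plan["commands"]:
        print(command)
    for minion_id, reason in plan["hold"].items():
        print("HOLD", minion_id, "-", reason)
```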

Verify the connectivity b/w Master & Minion

Next step is to verify the connectivity between Master & Minion. To do this, use below command

root@mrcissp-master-1:/# salt '*' test.ping
mrcissp-minion-1:
    True
root@mrcissp-master-1:/#

True: means – Master can communicate with minion
False: means – Master cannot communicate with minion.

Refer to my next blog to understand important nomenclature used in Salt.