Disclaimer: – I am not an expert in Saltstack. I have been spending some good time to understand and unwrap bits of it primarily focused on Network Automation use-cases. This note was written by me (Gaurav Agrawal) in my personal capacity. The opinions expressed in this article are solely my own and do not reflect the view of my employer or my preference towards any of the OEMs.
In the previous post we looked at the Installation & configuration of basic necessary steps required to start with Salt. In this post, we will try to unwrap some of the key salt nomenclature used. This is a very next step on Network automation using salt.
Pillar
Pillar is used to organize the configuration data. e.g. NTP server details, DNS server details, Syslog server details, interface details etc.
Since, most of the network device available today – don’t support of native minion agent on the device – hence we need to create a proxy minion which can SSH to the device and get the required information. By default Cisco IOS device are supported by “NAPALM” proxy and other different OS types such as Cisco AirOS are supported by “netmiko” proxy.
Below example demonstrate to configure pillar for “NAPALM” & “NETMIKO” proxy.
Configuring pillar for NAPALM proxy i.e. router.sls
root@mrcissp-master-1:/# cat /etc/salt/pillar/router.sls proxy: proxytype: napalm driver: ios host: 192.168.200.1 username: mrcissp passwd: Nvidia@123
Refer to NAPALM proxy module for more details.
Configuring NETMIKO pillar i.e. wlc.sls
root@mrcissp-master-1:/# cat /etc/salt/pillar/wlc.sls proxy: proxytype: netmiko device_type: cisco_wlc username: mrcissp password: Nvidia@123 ip: 192.168.241.2 root@mrcissp-master-1:/#
Refer to NETMIKO proxy module for more details.
Grains
Grains represents static data(i.e. information which is very unlikely to change or does not change often) collected from devices. To collect all the grains from Minions/Proxy-minion use command [salt ‘*’ grains.items]. Below are the grains discovered on the running Minion i.e. “mrcissp-minion-1“.
root@mrcissp-master-1:/# salt '*' grains.items
mrcissp-minion-1:
----------
SSDs:
biosreleasedate:
07/29/2019
biosversion:
6.00
cpu_flags:
- fpu
- vme
- de
- pse
- tsc
- msr
- pae
- mce
- cx8
- apic
- sep
- mtrr
- pge
- mca
- cmov
- pat
- pse36
- clflush
- mmx
- fxsr
- sse
- sse2
- ss
- ht
- syscall
- nx
- pdpe1gb
- rdtscp
- lm
- constant_tsc
- arch_perfmon
- nopl
- xtopology
- tsc_reliable
- nonstop_tsc
- cpuid
- pni
- pclmulqdq
- vmx
- ssse3
- fma
- cx16
- pcid
- sse4_1
- sse4_2
- x2apic
- movbe
- popcnt
- aes
- xsave
- avx
- f16c
- rdrand
- hypervisor
- lahf_lm
- 3dnowprefetch
- cpuid_fault
- pti
- ssbd
- ibrs
- ibpb
- stibp
- tpr_shadow
- vnmi
- ept
- vpid
- fsgsbase
- smep
- arat
- flush_l1d
- arch_capabilities
cpu_model:
Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
cpuarch:
x86_64
disks:
- loop1
- sdb
- loop6
- loop4
- sr0
- loop2
- loop0
- loop7
- sda
- loop5
- loop3
dns:
----------
domain:
ip4_nameservers:
- 8.8.8.8
ip6_nameservers:
nameservers:
- 8.8.8.8
options:
search:
sortlist:
domain:
fqdn:
mrcissp-minion-1
fqdn_ip4:
- 127.0.1.1
fqdn_ip6:
fqdns:
gid:
0
gpus:
groupname:
root
host:
mrcissp-minion-1
hwaddr_interfaces:
----------
eth0:
2a:ed:fc:79:7f:6f
id:
mrcissp-minion-1
init:
unknown
ip4_interfaces:
----------
eth0:
- 192.168.100.3
lo:
- 127.0.0.1
ip6_interfaces:
----------
eth0:
- fe80::28ed:fcff:fe79:7f6f
lo:
- ::1
ip_interfaces:
----------
eth0:
- 192.168.100.3
- fe80::28ed:fcff:fe79:7f6f
lo:
- 127.0.0.1
- ::1
ipv4:
- 127.0.0.1
- 192.168.100.3
ipv6:
- ::1
- fe80::28ed:fcff:fe79:7f6f
kernel:
Linux
kernelrelease:
4.15.0-55-generic
kernelversion:
#60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019
locale_info:
----------
defaultencoding:
None
defaultlanguage:
None
detectedencoding:
ANSI_X3.4-1968
timezone:
unknown
localhost:
mrcissp-minion-1
lsb_distrib_codename:
bionic
lsb_distrib_description:
Ubuntu 18.04.3 LTS
lsb_distrib_id:
Ubuntu
lsb_distrib_release:
18.04
machine_id:
578962dbb63ae45b159330245dd26e77
manufacturer:
VMware, Inc.
master:
192.168.100.2
mdadm:
mem_total:
3944
nodename:
mrcissp-minion-1
num_cpus:
4
num_gpus:
0
os:
Ubuntu
os_family:
Debian
osarch:
amd64
oscodename:
bionic
osfinger:
Ubuntu-18.04
osfullname:
Ubuntu
osmajorrelease:
18
osrelease:
18.04
osrelease_info:
- 18
- 4
path:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
pid:
4538
productname:
VMware Virtual Platform
ps:
ps -efHww
pythonexecutable:
/usr/bin/python
pythonpath:
- /usr/local/bin
- /usr/lib/python2.7
- /usr/lib/python2.7/plat-x86_64-linux-gnu
- /usr/lib/python2.7/lib-tk
- /usr/lib/python2.7/lib-old
- /usr/lib/python2.7/lib-dynload
- /usr/local/lib/python2.7/dist-packages
- /usr/lib/python2.7/dist-packages
pythonversion:
- 2
- 7
- 15
- final
- 0
saltpath:
/usr/local/lib/python2.7/dist-packages/salt
saltversion:
2019.2.2
saltversioninfo:
- 2019
- 2
- 2
- 0
serialnumber:
VMware-56 4d e4 6c d3 e5 53 d5-0c 20 c1 55 a4 0e b9 4e
server_id:
822305722
shell:
/bin/sh
swap_total:
924
systemd:
----------
features:
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid
version:
237
uid:
0
username:
root
uuid:
564de46c-d3e5-53d5-0c20-c155a40eb94e
virtual:
VMware
virtual_subtype:
Docker
zfs_feature_flags:
False
zfs_support:
False
zmqversion:
4.3.2
Additional Master configuration
File Roots
Primarily it is used to isolate the environment e.g. we have a test environment, development environment, production environment served by common master.
Navigate to “Master” configuration file i.e. “nano /etc/salt/master” & add following details. In our test bed – we are referring to “base” environment.
file_roots:
base:
- /etc/salt/pillar
- /etc/salt/states
- /etc/salt/reactors
- /etc/salt/templates
Pillar Roots
Used to map environment with the appropriate directories of pillar “sls” files.
Navigate to “Master” configuration file i.e. “nano /etc/salt/master” & add following details. In our test bed – we are referring to “base” environment.
pillar_roots:
base:
- /etc/salt/pillar
Proxy configuration on a Minion
As the proxy minion is a subset of the regular minion, it inherits the same configuration options, as discussed in the minion configuration documentation. But there are additional configuration required for SSH based proxies to work properly.
Navigate to “Minion” proxy configuration file i.e. “nano /etc/salt/proxy” & add following details.
master: 192.168.100.2 pki_dir: /etc/salt/pki/proxy cachedir: /var/cache/salt/proxy multiprocessing: False mine_enabled: True
Note: Multiprocessing is set to FALSE because in our example we are using SSH based proxies to connect with Router R1 and WLC. In case if we have to use SALT for REST based API for NX-OS, we must set this to TRUE.
Pillar Top File
A very important configuration – Objective of pillar “top.sls” file is to tell a Minion ID to use which SLS file defined in Master.
Note: The top file is another SLS file named top.sls found under one of the paths defined in the file_roots.
- “ntp_config.sls” could be assigned to all the minion_id’s
- “syslog_config.sls” could be assigned to all the minion_id’s
- However, “ap_config” must be assigned to only WLC specific minion_id’s
- Similarly, “bgp_config” must be assigned to only Router specific minion_id’s
Navigate to “Master” top file i.e. “nano /etc/salt/pillar/top.sls” & add following details. In our test bed – we are referring to “base” environment e.g. Router* represents minion_id’s starting with keyword “Router”
base:
Router*:
- router
wlc*:
- wlc
Starting “salt-proxy”
To start a salt-proxy – use below command
salt-proxy –proxyid=<proxy_minion_id> -l debug
root@mrcissp-minion-1:/# salt-proxy --proxyid=Router1 -d root@mrcissp-minion-1:/# salt-proxy --proxyid=wlc1 -d
Once, proxy minion’s are started – we are required to accept their respective key’s
root@mrcissp-master-1:/# salt-key Accepted Keys: mrcissp-minion-1 Denied Keys: Unaccepted Keys: Router1 wlc1 Rejected Keys: root@mrcissp-master-1:/# salt-key -A The following keys are going to be accepted: Unaccepted Keys: Router1 wlc1 Proceed? [n/Y] Y Key for minion Router1 accepted. Key for minion wlc1 accepted. root@mrcissp-master-1:/# salt-key Accepted Keys: Router1 mrcissp-minion-1 wlc1 Denied Keys: Unaccepted Keys: Rejected Keys:
Verification
Verify the connectivity between Master & proxy Minion. To do this, use below command
root@mrcissp-master-1:/# salt '*' test.ping
Router1:
True
wlc1:
True
mrcissp-minion-1:
True
root@mrcissp-master-1:/#
Please remember :- In our case, “Router1” minion is managing R1 with “napalm” proxy. “wlc1” minion is managed by “netmiko” proxy.
Pingback: Let's get practical – A real Use-case of Saltstack – mrcissp