Salt Nomenclature

Disclaimer: I am not an expert in Saltstack. I have been spending a good amount of time understanding and unwrapping bits of it, primarily focused on network automation use cases. This note was written by me (Gaurav Agrawal) in my personal capacity. The opinions expressed in this article are solely my own and do not reflect the view of my employer or my preference towards any of the OEMs.

In the previous post we looked at the installation and the basic configuration steps required to get started with Salt. In this post, we will try to unwrap some of the key Salt nomenclature. This is the very next step in network automation using Salt.

Pillar

Pillar is used to organize configuration data, e.g. NTP server details, DNS server details, Syslog server details, interface details etc.

Most network devices available today do not support a native minion agent on the device, so we need to create a proxy minion which can SSH to the device and get the required information. By default, Cisco IOS devices are supported by the “NAPALM” proxy, and other OS types such as Cisco AirOS are supported by the “netmiko” proxy.

The examples below show how to configure pillar for the “NAPALM” and “NETMIKO” proxies.

Configuring pillar for NAPALM proxy i.e. router.sls
root@mrcissp-master-1:/# cat /etc/salt/pillar/router.sls
proxy:
  proxytype: napalm
  driver: ios
  host: 192.168.200.1
  username: mrcissp
  passwd: Nvidia@123

Refer to NAPALM proxy module for more details.

Configuring NETMIKO pillar i.e. wlc.sls
root@mrcissp-master-1:/# cat /etc/salt/pillar/wlc.sls
proxy:
  proxytype: netmiko
  device_type: cisco_wlc
  username: mrcissp
  password: Nvidia@123
  ip: 192.168.241.2
root@mrcissp-master-1:/#

Refer to NETMIKO proxy module for more details.

Grains

Grains represent static data (i.e. information which is very unlikely to change or does not change often) collected from devices. To collect all the grains from minions and proxy minions, use the command salt '*' grains.items. Below are the grains discovered on the running minion, i.e. “mrcissp-minion-1”.

root@mrcissp-master-1:/# salt '*' grains.items
mrcissp-minion-1:
    ----------
    SSDs:
    biosreleasedate:
        07/29/2019
    biosversion:
        6.00
    cpu_flags:
        - fpu
        - vme
        - de
        - pse
        - tsc
        - msr
        - pae
        - mce
        - cx8
        - apic
        - sep
        - mtrr
        - pge
        - mca
        - cmov
        - pat
        - pse36
        - clflush
        - mmx
        - fxsr
        - sse
        - sse2
        - ss
        - ht
        - syscall
        - nx
        - pdpe1gb
        - rdtscp
        - lm
        - constant_tsc
        - arch_perfmon
        - nopl
        - xtopology
        - tsc_reliable
        - nonstop_tsc
        - cpuid
        - pni
        - pclmulqdq
        - vmx
        - ssse3
        - fma
        - cx16
        - pcid
        - sse4_1
        - sse4_2
        - x2apic
        - movbe
        - popcnt
        - aes
        - xsave
        - avx
        - f16c
        - rdrand
        - hypervisor
        - lahf_lm
        - 3dnowprefetch
        - cpuid_fault
        - pti
        - ssbd
        - ibrs
        - ibpb
        - stibp
        - tpr_shadow
        - vnmi
        - ept
        - vpid
        - fsgsbase
        - smep
        - arat
        - flush_l1d
        - arch_capabilities
    cpu_model:
        Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
    cpuarch:
        x86_64
    disks:
        - loop1
        - sdb
        - loop6
        - loop4
        - sr0
        - loop2
        - loop0
        - loop7
        - sda
        - loop5
        - loop3
    dns:
        ----------
        domain:
        ip4_nameservers:
            - 8.8.8.8
        ip6_nameservers:
        nameservers:
            - 8.8.8.8
        options:
        search:
        sortlist:
    domain:
    fqdn:
        mrcissp-minion-1
    fqdn_ip4:
        - 127.0.1.1
    fqdn_ip6:
    fqdns:
    gid:
        0
    gpus:
    groupname:
        root
    host:
        mrcissp-minion-1
    hwaddr_interfaces:
        ----------
        eth0:
            2a:ed:fc:79:7f:6f
    id:
        mrcissp-minion-1
    init:
        unknown
    ip4_interfaces:
        ----------
        eth0:
            - 192.168.100.3
        lo:
            - 127.0.0.1
    ip6_interfaces:
        ----------
        eth0:
            - fe80::28ed:fcff:fe79:7f6f
        lo:
            - ::1
    ip_interfaces:
        ----------
        eth0:
            - 192.168.100.3
            - fe80::28ed:fcff:fe79:7f6f
        lo:
            - 127.0.0.1
            - ::1
    ipv4:
        - 127.0.0.1
        - 192.168.100.3
    ipv6:
        - ::1
        - fe80::28ed:fcff:fe79:7f6f
    kernel:
        Linux
    kernelrelease:
        4.15.0-55-generic
    kernelversion:
        #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019
    locale_info:
        ----------
        defaultencoding:
            None
        defaultlanguage:
            None
        detectedencoding:
            ANSI_X3.4-1968
        timezone:
            unknown
    localhost:
        mrcissp-minion-1
    lsb_distrib_codename:
        bionic
    lsb_distrib_description:
        Ubuntu 18.04.3 LTS
    lsb_distrib_id:
        Ubuntu
    lsb_distrib_release:
        18.04
    machine_id:
        578962dbb63ae45b159330245dd26e77
    manufacturer:
        VMware, Inc.
    master:
        192.168.100.2
    mdadm:
    mem_total:
        3944
    nodename:
        mrcissp-minion-1
    num_cpus:
        4
    num_gpus:
        0
    os:
        Ubuntu
    os_family:
        Debian
    osarch:
        amd64
    oscodename:
        bionic
    osfinger:
        Ubuntu-18.04
    osfullname:
        Ubuntu
    osmajorrelease:
        18
    osrelease:
        18.04
    osrelease_info:
        - 18
        - 4
    path:
        /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    pid:
        4538
    productname:
        VMware Virtual Platform
    ps:
        ps -efHww
    pythonexecutable:
        /usr/bin/python
    pythonpath:
        - /usr/local/bin
        - /usr/lib/python2.7
        - /usr/lib/python2.7/plat-x86_64-linux-gnu
        - /usr/lib/python2.7/lib-tk
        - /usr/lib/python2.7/lib-old
        - /usr/lib/python2.7/lib-dynload
        - /usr/local/lib/python2.7/dist-packages
        - /usr/lib/python2.7/dist-packages
    pythonversion:
        - 2
        - 7
        - 15
        - final
        - 0
    saltpath:
        /usr/local/lib/python2.7/dist-packages/salt
    saltversion:
        2019.2.2
    saltversioninfo:
        - 2019
        - 2
        - 2
        - 0
    serialnumber:
        VMware-56 4d e4 6c d3 e5 53 d5-0c 20 c1 55 a4 0e b9 4e
    server_id:
        822305722
    shell:
        /bin/sh
    swap_total:
        924
    systemd:
        ----------
        features:
            +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid
        version:
            237
    uid:
        0
    username:
        root
    uuid:
        564de46c-d3e5-53d5-0c20-c155a40eb94e
    virtual:
        VMware
    virtual_subtype:
        Docker
    zfs_feature_flags:
        False
    zfs_support:
        False
    zmqversion:
        4.3.2

Additional Master configuration

File Roots

File roots are primarily used to isolate environments, e.g. a test environment, a development environment and a production environment served by a common master.
Open the “Master” configuration file, i.e. “nano /etc/salt/master”, and add the following details. In our test bed we are referring to the “base” environment.

file_roots:
  base:
    - /etc/salt/pillar
    - /etc/salt/states
    - /etc/salt/reactors
    - /etc/salt/templates

Pillar Roots

Pillar roots map each environment to the directories that hold its pillar “sls” files.
Open the “Master” configuration file, i.e. “nano /etc/salt/master”, and add the following details. In our test bed we are referring to the “base” environment.

pillar_roots:
  base:
    - /etc/salt/pillar
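
An added example, not part of the original post: Salt's file server hands any file under file_roots to every accepted minion, whereas pillar is compiled per minion, so a directory that appears in both settings exposes pillar files such as router.sls and the device credentials in them. The script below checks a master config for that overlap; the sample config is constructed to mirror this test bed, and the small parser is an assumption that only handles this simple layout, not general YAML.

```python
import os

# Constructed sample: a master config fragment laid out like this test bed's.
SAMPLE_MASTER_CONF = """\
file_roots:
  base:
    - /etc/salt/pillar
    - /etc/salt/states
    - /etc/salt/reactors
    - /etc/salt/templates
pillar_roots:
  base:
    - /etc/salt/pillar
"""

def parse_roots(text, key):
    """Return {env: [dirs]} for a top-level `key:` block (simple layout only)."""
    roots, env, inside = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        item = line.strip()
        if not line.startswith(" "):              # a new top-level key starts
            inside, env = item == key + ":", None
        elif inside and item.startswith("- ") and env is not None:
            roots[env].append(item[2:].strip())
        elif inside and item.endswith(":"):       # environment name, e.g. base
            env = item[:-1]
            roots[env] = []
    return roots

def exposed_pillar_dirs(text):
    """Pairs (pillar_dir, file_dir) where one equals or contains the other."""
    file_dirs = [os.path.normpath(d)
                 for dirs in parse_roots(text, "file_roots").values() for d in dirs]
    hits = []
    for dirs in parse_roots(text, "pillar_roots").values():
        for p in map(os.path.normpath, dirs):
            for f in file_dirs:
                # Absolute paths assumed; commonpath equals p or f on overlap.
                if os.path.commonpath([p, f]) in (p, f) and (p, f) not in hits:
                    hits.append((p, f))
    return hits

if __name__ == "__main__":
    for pillar_dir, file_dir in exposed_pillar_dirs(SAMPLE_MASTER_CONF):
        print(f"pillar root {pillar_dir} overlaps file root {file_dir}")
```

An empty result means no pillar directory is reachable through the file server; removing /etc/salt/pillar from file_roots in the sample gives that result.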

Proxy configuration on a Minion

As the proxy minion is a subset of the regular minion, it inherits the same configuration options, as discussed in the minion configuration documentation. However, some additional configuration is required for SSH-based proxies to work properly.
Open the proxy configuration file on the minion, i.e. “nano /etc/salt/proxy”, and add the following details.

master: 192.168.100.2
pki_dir: /etc/salt/pki/proxy
cachedir: /var/cache/salt/proxy
multiprocessing: False
mine_enabled: True

Note: Multiprocessing is set to False because in our example we are using SSH-based proxies to connect to Router R1 and the WLC. If we have to use Salt with the REST-based API for NX-OS, we must set this to True.

Pillar Top File

This is a very important piece of configuration: the objective of the pillar “top.sls” file is to tell each minion ID which of the SLS files defined on the master it should use.

Note: The top file is another SLS file named top.sls found under one of the paths defined in the file_roots.

  • “ntp_config.sls” could be assigned to all the minion_id’s
  • “syslog_config.sls” could be assigned to all the minion_id’s
  • However, “ap_config” must be assigned to only WLC specific minion_id’s
  • Similarly, “bgp_config” must be assigned to only Router specific minion_id’s

Open the “Master” top file, i.e. “nano /etc/salt/pillar/top.sls”, and add the following details. In our test bed we are referring to the “base” environment, e.g. Router* represents minion IDs starting with the keyword “Router”.

base:
  Router*:
    - router
  wlc*:
    - wlc

Starting “salt-proxy”

To start a salt-proxy, use the command below:

salt-proxy --proxyid=<proxy_minion_id> -l debug
root@mrcissp-minion-1:/# salt-proxy --proxyid=Router1 -d
root@mrcissp-minion-1:/# salt-proxy --proxyid=wlc1 -d

Once the proxy minions are started, we need to accept their respective keys.

root@mrcissp-master-1:/# salt-key
Accepted Keys:
mrcissp-minion-1
Denied Keys:
Unaccepted Keys:
Router1
wlc1
Rejected Keys:
root@mrcissp-master-1:/# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
Router1
wlc1
Proceed? [n/Y] Y
Key for minion Router1 accepted.
Key for minion wlc1 accepted.
root@mrcissp-master-1:/# salt-key
Accepted Keys:
Router1
mrcissp-minion-1
wlc1
Denied Keys:
Unaccepted Keys:
Rejected Keys:
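
An added example, not part of the original post: salt-key -A accepts every pending key, so on anything larger than a lab it is safer to accept only the IDs you started and to look at the rest first. The script below parses the salt-key listing format shown above and builds per-ID accept commands; the sample output (including the extra “Router9”) and the EXPECTED_PROXY_IDS inventory are constructed for illustration.

```python
# Constructed sample: `salt-key` listing in the format shown in this post,
# with one extra pending ID ("Router9") that is not in the inventory.
SAMPLE_SALT_KEY_OUTPUT = """\
Accepted Keys:
mrcissp-minion-1
Denied Keys:
Unaccepted Keys:
Router1
Router9
wlc1
Rejected Keys:
"""

# Assumption: the proxy IDs you actually started, taken from your own inventory.
EXPECTED_PROXY_IDS = {"Router1", "wlc1"}

def parse_salt_key(output):
    """Parse the plain `salt-key` listing into {section: [minion_id, ...]}."""
    sections, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(" Keys:"):               # e.g. "Unaccepted Keys:"
            current = line[:-len(" Keys:")].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def review_pending(output, expected):
    """Return (accept commands, IDs to investigate before any accept)."""
    keys = parse_salt_key(output)
    pending = keys.get("unaccepted", [])
    accept = [m for m in pending if m in expected]
    # Unknown pending IDs and denied keys (an ID that is already accepted
    # showing up with a different key) both need a human look.
    investigate = [m for m in pending if m not in expected] + keys.get("denied", [])
    # An ID match alone does not authenticate a key: compare the output of
    # `salt-key -f <id>` with the fingerprint read on the proxy host first.
    commands = [["salt-key", "-a", m] for m in accept]
    return commands, investigate

if __name__ == "__main__":
    cmds, odd = review_pending(SAMPLE_SALT_KEY_OUTPUT, EXPECTED_PROXY_IDS)
    for cmd in cmds:
        print("verify fingerprint, then run:", " ".join(cmd))
    print("investigate before accepting:", odd)
```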

Verification

Verify the connectivity between the master and the proxy minions. To do this, use the command below:

root@mrcissp-master-1:/# salt '*' test.ping
Router1:
    True
wlc1:
    True
mrcissp-minion-1:
    True
root@mrcissp-master-1:/#

Please remember: in our case, the “Router1” minion is managing R1 with the “napalm” proxy. The “wlc1” minion is managed by the “netmiko” proxy.
