SaltStack automation

SaltStack installation on Cumulus Linux

Installing SaltStack can be a pain as there is some initial installation and configuration needed before Salt can actually be used. This post shows how you can install and operate Salt on a Cumulus Linux switch without ever needing to log into the switch directly. The operations shown below can easily be expanded to install many switches at once.

Ready the hardware for SaltStack installation

If you have not done so already, this video gives a simple demonstration on how to install Cumulus Linux onto a switch.

A fresh install of Cumulus Linux sets up the user ‘cumulus’ with a default password of ‘CumulusLinux!’. This combination can be used to temporarily set the sudoers file to allow the cumulus user to run any command without a password. This should be changed back after the setup.

The following script will ssh to the switch and edit the sudoers file:

#!/usr/bin/expect
set timeout 5
set username [lindex $argv 0]
set host [lindex $argv 1]
set password [lindex $argv 2]
spawn ssh -q ${username}@${host}
expect "assword"
send "$password\r"
expect "${username}@"
send "sudo sed -i '$ a cumulus ALL=(ALL) NOPASSWD:ALL' /etc/sudoers\r"
expect "*password*"
send "$password\r"
expect "${username}@"
send "exit\r"
interact

For the script to run you will need to install the expect package:

$ sudo apt-get install expect

You can now run the script, in our case:

$ ./sudoEdit.sh cumulus 192.168.1.169 CumulusLinux!
spawn ssh -q cumulus@192.168.1.169
cumulus@192.168.1.169's password: 

Welcome to Cumulus (R) Linux (R)

For support and online technical documentation, visit
http://www.cumulusnetworks.com/support

The registered trademark Linux (R) is used pursuant to a sublicense from LMI,
the exclusive licensee of Linus Torvalds, owner of the mark on a world-wide
basis.
Last login: Mon Mar  6 15:55:51 2017 from 192.168.1.3


*****************************************************************
This installation of Cumulus Linux is not licensed.  The front
panel ports will not operate.  To obtain a license, contact
Cumulus Networks: http://cumulusnetworks.com/
*****************************************************************


cumulus@cumulus:~$ sudo sed -i '$ a cumulus ALL=(ALL) NOPASSWD:ALL' /etc/sudoers
[sudo] password for cumulus: 
cumulus@cumulus:~$ exit
logout

Installing SaltStack

Now the cumulus user can sudo without the need of a password. We can now add the Salt repos and install the binaries. At this stage we have not setup ssh keys for the cumulus user. So pass ssh passwords on the command line we can use the sshpass command:

$ sudo apt-get install sshpass

Now we add the salt repos and install:

$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo sed -i "$ a deb http://ftp.us.debian.org/debian/ jessie main contrib non-free" /etc/apt/sources.list'

$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo sed -i "$ a deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main" /etc/apt/sources.list'

$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'wget -O - https://repo.saltstack.com/apt/debian/8/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -'
--2017-03-06 16:22:23--  https://repo.saltstack.com/apt/debian/8/amd64/latest/SALTSTACK-GPG-KEY.pub
Resolving repo.saltstack.com (repo.saltstack.com)... 198.199.77.106, 2604:a880:400:d0::2:e001
Connecting to repo.saltstack.com (repo.saltstack.com)|198.199.77.106|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1727 (1.7K)
Saving to: ‘STDOUT’

     0K .                                                     100% 39.4M=0s

2017-03-06 16:22:24 (39.4 MB/s) - written to stdout [1727/1727]

OK

$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo apt-get update'

$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo apt-get install salt-minion'
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  dctrl-tools libpgm-5.1-0 libsodium13 libzmq3 python-apt python-apt-common
  python-chardet python-concurrent.futures python-crypto python-dateutil
  python-jinja2 python-msgpack python-pycurl python-requests python-systemd
  python-tornado python-urllib3 python-yaml python-zmq salt-common
Suggested packages:
  debtags python-apt-dbg python-gtk2 python-vte python-apt-doc
  python-crypto-dbg python-crypto-doc python-jinja2-doc libcurl4-gnutls-dev
  python-pycurl-dbg python-pycurl-doc python-augeas
Recommended packages:
  iso-codes python-ndg-httpsclient python-openssl python-pyasn1 python-mysqldb
  python-croniter debconf-utils
The following NEW packages will be installed:
  dctrl-tools libpgm-5.1-0 libsodium13 libzmq3 python-apt python-apt-common
  python-chardet python-concurrent.futures python-crypto python-dateutil
  python-jinja2 python-msgpack python-pycurl python-requests python-systemd
  python-tornado python-urllib3 python-yaml python-zmq salt-common salt-minion
0 upgraded, 21 newly installed, 0 to remove and 43 not upgraded.
Need to get 6,900 kB of archives.
After this operation, 31.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Configure Salt on the switch

We can now test that the salt minion is running:

$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo systemctl status salt-minion.service'
? salt-minion.service - The Salt Minion
   Loaded: loaded (/lib/systemd/system/salt-minion.service; enabled)
   Active: active (running) since Mon 2017-03-06 16:27:26 UTC; 1min 18s ago
 Main PID: 12975 (salt-minion)
   CGroup: /system.slice/salt-minion.service
           ??12975 /usr/bin/python /usr/bin/salt-minion
           ??12984 /usr/bin/python /usr/bin/salt-minion
           ??12992 /usr/bin/python /usr/bin/salt-minion

Mar 06 16:27:26 cumulus systemd[1]: Started The Salt Minion.
Mar 06 16:28:09 cumulus salt-minion[12975]: [ERROR   ] Error while bringing up minion for multi-master. Is master at salt responding?

Whilst the service is up it does not know where the salt master is. You can either set this up in DNS so that ‘salt’ resolves to the salt master or you can edit the minion config:

$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo sed -i "s/#master: salt/master: 192.168.1.3/g" /etc/salt/minion'

Once this is done restart your minion and your master should see the new minion:

$ sudo salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
cumulus
Rejected Keys:

You can then need to accept the keys on the master:

$ sudo salt-key -a cumulus
The following keys are going to be accepted:
Unaccepted Keys:
cumulus
Proceed? [n/Y] y
Key for minion cumulus accepted.

Testing you minion

You can now test your minion:

$ sudo salt 'cumulus' test.ping
cumulus:
    True

$ sudo salt 'cumulus' cmd.run 'uptime'
cumulus:
     16:35:58 up  1:42,  1 user,  load average: 0.07, 0.37, 0.43

Leave a Reply

Your email address will not be published.
You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>