Installing SaltStack can be a pain as there is some initial installation and configuration needed before Salt can actually be used. This post shows how you can install and operate Salt on a Cumulus Linux switch without ever needing to log into the switch directly. The operations shown below can easily be expanded to install many switches at once.
Ready the hardware for SaltStack installation
If you have not done so already, this video gives a simple demonstration on how to install Cumulus Linux onto a switch.
A fresh install of Cumulus Linux sets up the user ‘cumulus’ with a default password of ‘CumulusLinux!’. This combination can be used to temporarily set the sudoers file to allow the cumulus user to run any command without a password. This should be changed back after the setup.
The following script will ssh to the switch and edit the sudoers file:
#!/usr/bin/expect
# Usage: ./sudoEdit.sh <username> <host> <password>
set timeout 5
set username [lindex $argv 0]
set host [lindex $argv 1]
set password [lindex $argv 2]
# Log in over ssh with the supplied password
spawn ssh -q ${username}@${host}
expect "assword"
send "$password\r"
expect "${username}@"
# Append a NOPASSWD rule for the cumulus user to the end of /etc/sudoers
send "sudo sed -i '$ a cumulus ALL=(ALL) NOPASSWD:ALL' /etc/sudoers\r"
expect "*password*"
send "$password\r"
expect "${username}@"
send "exit\r"
interact
For the script to run you will need to install the expect package:
$ sudo apt-get install expect
You can now run the script, in our case:
$ ./sudoEdit.sh cumulus 192.168.1.169 CumulusLinux!
spawn ssh -q cumulus@192.168.1.169
cumulus@192.168.1.169's password:
Welcome to Cumulus (R) Linux (R)
For support and online technical documentation, visit
http://www.cumulusnetworks.com/support
The registered trademark Linux (R) is used pursuant to a sublicense from LMI,
the exclusive licensee of Linus Torvalds, owner of the mark on a world-wide
basis.
Last login: Mon Mar 6 15:55:51 2017 from 192.168.1.3
*****************************************************************
This installation of Cumulus Linux is not licensed.
The front panel ports will not operate.
To obtain a license, contact Cumulus Networks:
http://cumulusnetworks.com/
*****************************************************************
cumulus@cumulus:~$ sudo sed -i '$ a cumulus ALL=(ALL) NOPASSWD:ALL' /etc/sudoers
[sudo] password for cumulus:
cumulus@cumulus:~$ exit
logout
Installing SaltStack
Now the cumulus user can sudo without the need of a password. We can now add the Salt repos and install the binaries. At this stage we have not set up ssh keys for the cumulus user, so to pass the ssh password on the command line we can use the sshpass command:
$ sudo apt-get install sshpass
Now we add the salt repos and install:
$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo sed -i "$ a deb http://ftp.us.debian.org/debian/ jessie main contrib non-free" /etc/apt/sources.list'
$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo sed -i "$ a deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main" /etc/apt/sources.list'
$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'wget -O - https://repo.saltstack.com/apt/debian/8/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -'
--2017-03-06 16:22:23-- https://repo.saltstack.com/apt/debian/8/amd64/latest/SALTSTACK-GPG-KEY.pub
Resolving repo.saltstack.com (repo.saltstack.com)... 198.199.77.106, 2604:a880:400:d0::2:e001
Connecting to repo.saltstack.com (repo.saltstack.com)|198.199.77.106|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1727 (1.7K)
Saving to: ‘STDOUT’
0K . 100% 39.4M=0s
2017-03-06 16:22:24 (39.4 MB/s) - written to stdout [1727/1727]
OK
$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo apt-get update'
$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo apt-get install salt-minion'
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  dctrl-tools libpgm-5.1-0 libsodium13 libzmq3 python-apt python-apt-common
  python-chardet python-concurrent.futures python-crypto python-dateutil
  python-jinja2 python-msgpack python-pycurl python-requests python-systemd
  python-tornado python-urllib3 python-yaml python-zmq salt-common
Suggested packages:
  debtags python-apt-dbg python-gtk2 python-vte python-apt-doc
  python-crypto-dbg python-crypto-doc python-jinja2-doc libcurl4-gnutls-dev
  python-pycurl-dbg python-pycurl-doc python-augeas
Recommended packages:
  iso-codes python-ndg-httpsclient python-openssl python-pyasn1 python-mysqldb
  python-croniter debconf-utils
The following NEW packages will be installed:
  dctrl-tools libpgm-5.1-0 libsodium13 libzmq3 python-apt python-apt-common
  python-chardet python-concurrent.futures python-crypto python-dateutil
  python-jinja2 python-msgpack python-pycurl python-requests python-systemd
  python-tornado python-urllib3 python-yaml python-zmq salt-common salt-minion
0 upgraded, 21 newly installed, 0 to remove and 43 not upgraded.
Need to get 6,900 kB of archives.
After this operation, 31.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Configure Salt on the switch
We can now test that the salt minion is running:
$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo systemctl status salt-minion.service'
● salt-minion.service - The Salt Minion
   Loaded: loaded (/lib/systemd/system/salt-minion.service; enabled)
   Active: active (running) since Mon 2017-03-06 16:27:26 UTC; 1min 18s ago
 Main PID: 12975 (salt-minion)
   CGroup: /system.slice/salt-minion.service
           ├─12975 /usr/bin/python /usr/bin/salt-minion
           ├─12984 /usr/bin/python /usr/bin/salt-minion
           └─12992 /usr/bin/python /usr/bin/salt-minion
Mar 06 16:27:26 cumulus systemd[1]: Started The Salt Minion.
Mar 06 16:28:09 cumulus salt-minion[12975]: [ERROR ] Error while bringing up minion for multi-master. Is master at salt responding?
Whilst the service is up it does not know where the salt master is. You can either set this up in DNS so that ‘salt’ resolves to the salt master or you can edit the minion config:
$ sshpass -p 'CumulusLinux!' ssh 192.168.1.169 -lcumulus 'sudo sed -i "s/#master: salt/master: 192.168.1.3/g" /etc/salt/minion'
Once this is done, restart your minion and your master should see the new minion:
$ sudo salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
cumulus
Rejected Keys:
You then need to accept the keys on the master:
$ sudo salt-key -a cumulus
The following keys are going to be accepted:
Unaccepted Keys:
cumulus
Proceed? [n/Y] y
Key for minion cumulus accepted.
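Accepting a key by name trusts whichever host registered as cumulus, so the fingerprint the switch reports can be compared with the one the master received before accepting. The following is an added example, not part of the original post; the function names, the plain ssh login and the assumed output layout of `salt-call --local key.finger` and `salt-key -f` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): compare key fingerprints
# before accepting a minion key on the master.

# Constructed sample fingerprint; real ones come from the commands below.
SAMPLE_FP='3f:9a:01:c4:5e:77:b2:10:8d:e6:42:a9:0b:fc:35:68:91:2c:d7:4e:80:13:ab:6f:e5:29:74:c8:1a:b6:5d:02'

# extract_fp: print the first colon-separated hex fingerprint found on stdin
# (16 bytes or more, so both MD5- and SHA256-style fingerprints match).
extract_fp() {
    grep -oiE '([0-9a-f]{2}:){15,}[0-9a-f]{2}' | head -n 1 | tr 'A-F' 'a-f'
}

# fingerprints_match MINION_OUTPUT MASTER_OUTPUT: succeed only when both
# outputs contain a fingerprint and the two are identical.
fingerprints_match() {
    a=$(printf '%s\n' "$1" | extract_fp)
    b=$(printf '%s\n' "$2" | extract_fp)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# accept_if_verified MINION_ID HOST: fetch the fingerprint from the switch
# over ssh, compare it with what the master received, then accept the key.
accept_if_verified() {
    minion_out=$(ssh "cumulus@$2" 'sudo salt-call --local key.finger') || return 1
    master_out=$(sudo salt-key -f "$1") || return 1
    if fingerprints_match "$minion_out" "$master_out"; then
        sudo salt-key -y -a "$1"
    else
        echo "fingerprint mismatch for $1, key not accepted" >&2
        return 1
    fi
}

# Constructed outputs in the assumed layout of the two commands.
sample_minion_out() { printf 'local:\n    %s\n' "$SAMPLE_FP"; }
sample_master_out() { printf 'Unaccepted Keys:\ncumulus:  %s\n' "$SAMPLE_FP"; }

if fingerprints_match "$(sample_minion_out)" "$(sample_master_out)"; then
    echo "sample fingerprints match"
fi
```

On the master, `accept_if_verified cumulus 192.168.1.169` would replace the bare `salt-key -a cumulus` call.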
Testing your minion
You can now test your minion:
$ sudo salt 'cumulus' test.ping
cumulus:
    True
$ sudo salt 'cumulus' cmd.run 'uptime'
cumulus:
    16:35:58 up 1:42, 1 user, load average: 0.07, 0.37, 0.43
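The first section notes that the temporary NOPASSWD rule should be changed back after the setup but does not show how. The following is an added example, not part of the original post: it removes the exact line the expect script appended and installs the result only if it passes a `visudo -cf` syntax check when visudo is available. The function names and the constructed sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): remove the temporary
# NOPASSWD rule from a sudoers file once the Salt setup is finished.

# The exact line the setup script appended to /etc/sudoers.
RULE='cumulus ALL=(ALL) NOPASSWD:ALL'

# strip_rule SRC DST: copy SRC to DST, dropping every line equal to RULE.
strip_rule() {
    # -x whole line, -F fixed string, -v invert. grep exits 1 when it prints
    # no lines at all, which is not an error here; 2 or more is.
    grep -vxF -e "$RULE" "$1" > "$2" || [ $? -eq 1 ]
}

# revert_sudoers FILE: replace FILE with a copy that lacks RULE, but only
# after the copy passes a syntax check (when visudo is installed).
revert_sudoers() {
    file=$1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    strip_rule "$file" "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 1; }
    fi
    chmod 0440 "$tmp" && mv -f "$tmp" "$file"
}

# make_sample FILE: write a constructed sudoers file that ends with RULE.
make_sample() {
    printf '%s\n' 'Defaults env_reset' 'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' "$RULE" > "$1"
}

# Demonstration on a scratch copy; on the switch the target is /etc/sudoers
# and the script runs as root.
demo_dir=$(mktemp -d) && make_sample "$demo_dir/sudoers" \
    && revert_sudoers "$demo_dir/sudoers" && cat "$demo_dir/sudoers"
rm -rf "$demo_dir"
```

Run it as the last sudo step over ssh, since later sudo calls will prompt for the password again.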