Introduction
Salt minions are the servers that run your applications and services, and normally the Salt master reaches them through the salt-minion daemon over Salt's own transport. What if the only channel you have to a machine is SSH? SSH is the standard tool for encrypted remote administration, file transfer and machine-to-machine automation, and Salt supports it as an alternative way of reaching managed systems.
This article covers Salt SSH: what it is, how to describe targets in the Roster file, how the SSH key pair is created and deployed, and how to debug a failing run.
Salt SSH
Normally Salt executes commands on a remote system through the salt-minion daemon running there. Sometimes a remote system cannot run a minion and is reachable only over SSH. For these cases Salt can connect to the system purely over the SSH protocol and execute commands through that SSH layer, with no Salt agent installed on the target.
Salt SSH is straightforward to set up. The only required configuration is to describe the remote systems in a Roster file, by default /etc/salt/roster. The roster holds everything Salt needs to know about each target and how to connect to it. Once the roster is in place, you run commands with salt-ssh instead of the salt command.
Installing Salt SSH
Salt SSH is installed as a package on the Salt master, for example with Salt itself (--local runs salt-call without a minion connection):
salt-call --local pkg.install salt-ssh
On the managed system no Salt installation is required: it only needs a running SSH server that the master can log in to, plus a Python interpreter, because salt-ssh copies a thin Salt distribution over and executes it with the target's Python.
Roster File
A roster file lists one or more targets, each keyed by its Salt ID. It is read by the Salt SSH roster system, a pluggable layer whose only job is to collect connection data about remote systems; the flat YAML file is the default roster backend. Each target in the file is a mapping of attributes. The only required attribute is host (the IP address or DNS name of the target); user and passwd are commonly set as well.
All other attributes supported by the roster file are optional. They are as follows −
port − the SSH port number on the target.
sudo − whether to run the command via sudo (the login user then needs sudo rights on the target).
sudo_user − run Salt via sudo as this user instead of root.
tty − set to True when sudo is True and the target's sudoers configuration enforces requiretty, so that a pseudo-terminal is requested for the session.
priv − path to the SSH private key used for login (defaults to the key Salt SSH generates itself, see below).
timeout − seconds to wait when establishing the SSH connection.
minion_opts − dictionary of minion options applied on the target.
thin_dir − the target system's storage directory for the copied Salt components (by default a directory under /tmp).
cmd_umask − umask to enforce for the salt-call command on the target.
The following is a sample roster file. Note that passwd is stored in clear text, so keep the roster readable only by the user that runs salt-ssh, or prefer key-based login and omit passwd altogether:
web1:
  host: 192.167.52.1        # The IP address or DNS hostname
  user: ninja               # Remote executions run as user ninja
  passwd: codingninjas      # The password to use for login; if omitted, keys are used
  sudo: True                # Whether to sudo to root, not enabled by default
web2:
  host: 192.167.52.2
Deploy SSH Keys
On its first run Salt SSH generates a public/private key pair for SSH logins, by default at /etc/salt/pki/master/ssh/salt-ssh.rsa, with the public half in salt-ssh.rsa.pub. The public key can be deployed to a remote system with ssh-copy-id, substituting the user and host from the roster entry:
ssh-copy-id -i /etc/salt/pki/master/ssh/salt-ssh.rsa.pub user@host
Alternatively, with passwd set in the roster, salt-ssh --key-deploy installs the key during the first password login; after that the password can be removed from the roster and the key used from then on.
To run a command, use salt-ssh in place of the salt command, with the same target and function arguments:
salt-ssh '*' test.ping
Raw Shell Command
Salt SSH includes a command-line option (-r, --raw-shell) that executes a raw shell command on the remote systems, bypassing Salt's execution modules and functions:
salt-ssh '*' -r 'ls'
Running Salt SSH as Non-Root User
By default Salt reads its configuration from /etc/salt/ and writes keys and cache under root-owned paths. If you run Salt SSH as a regular user you must change two parameters, pki_dir and cachedir, or you will get "Permission denied" errors. Point both at absolute paths that the user can write to.
Do not edit /etc/salt for this purpose. Instead give the user a private copy of the configuration (a directory holding a master file with those settings and the user's own roster) and pass it with the -c /new/config/path option.
Define CLI Options with Saltfile
If you frequently pass the same CLI options to salt-ssh, you can create a Saltfile that applies them automatically. This is common when several Salt projects are managed on the same server.
salt-ssh looks for a Saltfile in the current working directory, so you can cd into a project directory that contains one and run salt-ssh without repeating the options; a Saltfile stored elsewhere can be given explicitly with --saltfile. The file is YAML with a top-level salt-ssh key whose entries carry the option values (for example config_dir for --config-dir; the Saltfile section of the Salt documentation lists the key names for the other options).
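The following script is an added example, not code from the original article or from the Salt project. It ties together the three pieces above for a non-root user: a private configuration directory with pki_dir and cachedir moved out of /etc/salt, a key-based roster whose file mode keeps any credentials private, and a Saltfile that supplies -c automatically. The directory layout, the placeholder host 192.0.2.10 and user deploy, and the priv path (the default location of the key salt-ssh generates under pki_dir) are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): build a private Salt SSH
# configuration directory for a non-root user and check the file modes.

# Create DIR with master, roster and Saltfile. Everything is owned by the
# calling user, so salt-ssh -c DIR never needs access to /etc/salt.
make_salt_ssh_userdir() {
    dir=$1
    mkdir -p "$dir/pki/ssh" "$dir/cache"
    chmod 700 "$dir"

    # pki_dir and cachedir are the two parameters the article says must be
    # changed; roster_file keeps the user's roster out of /etc/salt/roster.
    cat > "$dir/master" <<EOF
pki_dir: $dir/pki
cachedir: $dir/cache
roster_file: $dir/roster
EOF

    # Key-based login, no passwd in the file. 192.0.2.10 is a documentation
    # address used as a placeholder; priv assumes the key salt-ssh generates
    # under pki_dir. tty: True only matters if the target enforces requiretty.
    cat > "$dir/roster" <<EOF
web1:
  host: 192.0.2.10
  user: deploy
  priv: $dir/pki/ssh/salt-ssh.rsa
  sudo: True
  tty: True
EOF
    # A roster may hold credentials: readable by the owner only.
    chmod 600 "$dir/roster"

    # Saltfile: running salt-ssh from $dir applies -c $dir automatically.
    cat > "$dir/Saltfile" <<EOF
salt-ssh:
  config_dir: $dir
EOF
}

# Succeed only if no group/other permission bits are set on FILE. Parses the
# mode column of ls -l so it works without GNU-only stat or find flags.
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the roster_file path configured in DIR/master.
configured_roster() {
    sed -n 's/^roster_file: *//p' "$1/master"
}

# Usage on a real master (assumed paths):
#   make_salt_ssh_userdir "$HOME/salt-ssh"
#   cd "$HOME/salt-ssh" && salt-ssh '*' test.ping
```

Because the Saltfile carries config_dir, the user runs plain salt-ssh from that directory; from anywhere else the same setup is reached with -c "$HOME/salt-ssh" or --saltfile. The chmod 700 on the directory also protects the generated private key once salt-ssh has created it under pki_dir.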
Debugging Salt SSH
One standard way to debug salt-ssh is to use the Salt tarball that salt-ssh ships to the target and call salt-call there directly.
Run salt-ssh with the -l trace flag and look in the output for a line containing the string SALT_ARGV. It shows the exact salt-call command, including the path of the shipped salt-call inside the thin directory, that salt-ssh tried to run on the target.
Log in to the target and run that command by hand, removing the -l quiet, --metadata and --output json options, to get a clearer picture of what is happening on the target system.
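The following is an added example, not code from the original article or from Salt. It automates the step just described: it pulls the SALT_ARGV line out of saved -l trace output, turns it into a plain command line with the -l quiet, --metadata and --out/--output json options removed, and reports the thin directory the command points at. The sample trace text is constructed for the demonstration, and the Python-list form of the SALT_ARGV line is an assumption modelled on the shim's debug output; check it against your own trace output.

```shell
#!/bin/sh
# Added example (not from the original article): extract the salt-call
# command from salt-ssh trace output for re-running it on the target.

# Constructed sample of salt-ssh -l trace output (paths and the thin
# directory name are made up; the list layout is an assumption).
SAMPLE_TRACE="[TRACE   ] Trying to connect to web1 via ssh
SALT_ARGV: ['/usr/bin/python3', '/tmp/salt-2e6a1f/salt-call', '--retcode-passthrough', '--local', '--metadata', '--out', 'json', '-l', 'quiet', '-c', '/tmp/salt-2e6a1f', '--', 'test.ping']
[DEBUG   ] RETCODE: 0"

# Print the salt-call command from FILE (salt-ssh trace output) as a plain
# command line, minus -l quiet, --metadata and --out/--output json.
# Returns 1 if no SALT_ARGV line is present. Quotes and commas are dropped
# wholesale, so arguments containing them need manual fix-up.
salt_call_cmd_from_trace() {
    line=$(grep 'SALT_ARGV' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" |
        sed -e 's/.*SALT_ARGV:[ ]*//' \
            -e "s/[][',]//g" \
            -e 's/ --metadata//g' \
            -e 's/ -l quiet//g' \
            -e 's/ --out json//g' \
            -e 's/ --output json//g' |
        tr -s ' ' | sed -e 's/^ //' -e 's/ $//'
}

# Print the thin directory (the -c argument) from a salt-call command line;
# that is where salt-ssh unpacked the shipped tarball on the target.
thin_dir_from_cmd() {
    printf '%s\n' "$1" | sed -n 's/.* -c \([^ ]*\).*/\1/p'
}

# Demo run on the constructed sample; on a real master, capture the trace
# with: salt-ssh -l trace web1 test.ping 2>trace.log
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_TRACE" > "$tmp"
cmd=$(salt_call_cmd_from_trace "$tmp")
echo "run on target: $cmd"
echo "thin dir:      $(thin_dir_from_cmd "$cmd")"
rm -f "$tmp"
```

The printed command is what to type on the target once you have logged in; because the thin directory is shared between runs unless salt-ssh is invoked with --wipe, the shipped salt-call is normally still there after the failing run.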
Frequently Asked Questions
How does salt SSH function?
Salt SSH lets you run commands or states on a system without installing the salt-minion package. During execution it uses SSH to copy the required Salt files into the target's thin directory (under /tmp by default), runs the command there with the shipped salt-call, and removes its temporary files afterwards; the thin directory itself is kept for later runs unless salt-ssh is called with --wipe.
Does Salt make use of SSH?
Salt allows you to connect to a remote system using only the SSH protocol and execute commands through the SSH layer.
How does Salt SSH get configured?
Salt SSH reads its settings from the master configuration file, normally /etc/salt/master. To use a customized configuration, pass -c with a directory; Salt SSH then looks there for a file named master (and, unless roster_file says otherwise, for the roster).
How do I troubleshoot Salt SSH?
One standard method for debugging salt-ssh is to use the Salt tarball shipped to the target and call salt-call there directly. Run salt-ssh with the -l trace flag and look for a line containing the string SALT_ARGV to find the salt-call command and its location on the target.
Conclusion
This article has covered Salt SSH: how to configure it with the Roster file, how its SSH key is created and deployed, how to run it as a non-root user with a Saltfile, and how to debug a failing run.