2015-10-06 23:36:54 +00:00
|
|
|
.. _salt-ssh:
|
|
|
|
|
|
2013-09-09 04:39:42 +00:00
|
|
|
========
|
|
|
|
|
Salt SSH
|
|
|
|
|
========
|
|
|
|
|
|
2015-09-01 02:00:30 +00:00
|
|
|
.. raw:: html
|
|
|
|
|
:file: index.html
|
2013-09-09 04:39:42 +00:00
|
|
|
|
2015-09-01 02:00:30 +00:00
|
|
|
Getting Started
|
|
|
|
|
===============
|
2013-09-09 04:39:42 +00:00
|
|
|
|
2016-02-01 03:10:02 +00:00
|
|
|
Salt SSH is very easy to use, simply set up a basic :ref:`roster <ssh-roster>` file of the
|
2013-09-09 04:39:42 +00:00
|
|
|
systems to connect to and run ``salt-ssh`` commands in a similar way as
|
|
|
|
|
standard ``salt`` commands.
|
|
|
|
|
|
2015-09-01 02:00:30 +00:00
|
|
|
- Salt ssh is considered production ready in version 2014.7.0
|
|
|
|
|
- Python is required on the remote system (unless using the ``-r`` option to send raw ssh commands)
|
|
|
|
|
- On many systems, the ``salt-ssh`` executable will be in its own package, usually named
|
|
|
|
|
``salt-ssh``
|
2016-11-24 14:51:50 +00:00
|
|
|
- The Salt SSH system does not supersede the standard Salt communication
|
2015-09-01 02:00:30 +00:00
|
|
|
systems, it simply offers an SSH-based alternative that does not require
|
|
|
|
|
ZeroMQ and a remote agent. Be aware that since all communication with Salt SSH is
|
|
|
|
|
executed via SSH it is substantially slower than standard Salt with ZeroMQ.
|
|
|
|
|
- At the moment fileserver operations must be wrapped to ensure that the
|
|
|
|
|
relevant files are delivered with the ``salt-ssh`` commands.
|
|
|
|
|
The state module is an exception, which compiles the state run on the
|
|
|
|
|
master, and in the process finds all the references to ``salt://`` paths and
|
|
|
|
|
copies those files down in the same tarball as the state run.
|
|
|
|
|
However, needed fileserver wrappers are still under development.
|
2014-02-15 23:07:49 +00:00
|
|
|
|
2013-09-09 04:39:42 +00:00
|
|
|
Salt SSH Roster
|
|
|
|
|
===============
|
|
|
|
|
|
|
|
|
|
The roster system in Salt allows for remote minions to be easily defined.
|
|
|
|
|
|
|
|
|
|
.. note::
|
2016-02-01 03:10:02 +00:00
|
|
|
See the :ref:`SSH roster docs <ssh-roster>` for more details.
|
2013-09-09 04:39:42 +00:00
|
|
|
|
|
|
|
|
Simply create the roster file, the default location is `/etc/salt/roster`:
|
|
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
web1: 192.168.42.1
|
|
|
|
|
|
2013-09-10 11:41:53 +00:00
|
|
|
This is a very basic roster file where a Salt ID is being assigned to an IP
|
2013-09-09 04:39:42 +00:00
|
|
|
address. A more elaborate roster can be created:
|
|
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
web1:
|
2013-09-10 11:41:53 +00:00
|
|
|
host: 192.168.42.1 # The IP addr or DNS hostname
|
|
|
|
|
user: fred # Remote executions will be executed as user fred
|
|
|
|
|
passwd: foobarbaz # The password to use for login, if omitted, keys are used
|
|
|
|
|
sudo: True # Whether to sudo to root, not enabled by default
|
2013-09-09 04:39:42 +00:00
|
|
|
web2:
|
|
|
|
|
host: 192.168.42.2
|
2014-12-11 15:51:43 +00:00
|
|
|
|
2014-08-21 08:19:10 +00:00
|
|
|
.. note::
|
|
|
|
|
sudo works only if NOPASSWD is set for user in /etc/sudoers:
|
2014-12-11 15:51:43 +00:00
|
|
|
``fred ALL=(ALL) NOPASSWD: ALL``
|
2013-09-09 04:39:42 +00:00
|
|
|
|
2015-09-26 14:55:00 +00:00
|
|
|
Deploy ssh key for salt-ssh
|
|
|
|
|
===========================
|
|
|
|
|
|
|
|
|
|
By default, salt-ssh will generate key pairs for ssh, the default path will be
|
2017-07-14 17:57:58 +00:00
|
|
|
``/etc/salt/pki/master/ssh/salt-ssh.rsa``. The key generation happens when you run
|
|
|
|
|
``salt-ssh`` for the first time.
|
2015-09-26 14:55:00 +00:00
|
|
|
|
2015-09-28 19:11:58 +00:00
|
|
|
You can use ssh-copy-id, (the OpenSSH key deployment tool) to deploy keys to your servers.
|
2015-09-26 14:55:00 +00:00
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
2015-10-03 22:01:19 +00:00
|
|
|
ssh-copy-id -i /etc/salt/pki/master/ssh/salt-ssh.rsa.pub user@server.demo.com
|
2015-09-26 14:55:00 +00:00
|
|
|
|
2015-10-06 23:36:54 +00:00
|
|
|
One could also create a simple shell script, named salt-ssh-copy-id.sh as follows:
|
2015-09-26 14:55:00 +00:00
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
|
|
|
|
#!/bin/bash
|
|
|
|
|
if [ -z $1 ]; then
|
|
|
|
|
echo $0 user@host.com
|
|
|
|
|
exit 0
|
|
|
|
|
fi
|
2015-10-03 22:01:19 +00:00
|
|
|
ssh-copy-id -i /etc/salt/pki/master/ssh/salt-ssh.rsa.pub $1
|
2015-09-26 14:55:00 +00:00
|
|
|
|
|
|
|
|
|
2015-09-28 19:11:58 +00:00
|
|
|
.. note::
|
2015-10-06 23:36:54 +00:00
|
|
|
Be certain to chmod +x salt-ssh-copy-id.sh.
|
2015-09-26 14:55:00 +00:00
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
|
|
|
|
./salt-ssh-copy-id.sh user@server1.host.com
|
|
|
|
|
./salt-ssh-copy-id.sh user@server2.host.com
|
|
|
|
|
|
2015-09-28 19:11:58 +00:00
|
|
|
Once keys are successfully deployed, salt-ssh can be used to control them.
|
2015-09-26 14:55:00 +00:00
|
|
|
|
2016-02-18 20:14:47 +00:00
|
|
|
Alternatively ssh agent forwarding can be used by setting the priv to agent-forwarding.
|
2015-09-26 14:55:00 +00:00
|
|
|
|
2013-09-09 04:39:42 +00:00
|
|
|
Calling Salt SSH
|
|
|
|
|
================
|
|
|
|
|
|
[develop] Merge forward from 2016.3 to develop (#33193)
* Add run_on_start docs to schedule.rst (#32958)
Fixes #22580
* Backport #33021 manually to 2015.5 (#33044)
* Saltfile with pillar tests (#33045)
* add file.managed with pillar data tests
* do not require git for other tests
* Fix minor document error of test.assertion (#33067)
* test pillar.items output (#33060)
* File and User test fixes for 2015.5 on Fedora23 (#33055)
* Fix file_test.test_symlink on 2015.5
* Fix failing user present test
* add test for installing package while using salt-call --local (#33025)
* add test for installing package while using salt-call --local
* fix pylint
* ssh docs: install py-2.6 for RHEL 5
* Bugfix: Restore boolean values from the repo configuration
* Add test data for repos
* Add repo config test
* Bugfix (follow-up): setting priority requires non-positive integer
* modules.npm: do not log npm --version at info level (#33084)
* salt-cloud: fix ipv6-only virtual machines (#32865)
* salt-cloud: fix ipv6-only virtual machines
* fix hostname for rsync fallback in scp_file function
* use 4 spaces instead of 2
* remove global variable, use direct socket call instead
* Use saltstack repo in buildpackage.py on CentOS 5 (#33080)
* Lower display of msgpack failure msg to debug (#33078)
Closes #33074
* cloud.query needs to define mapper.opts (#33098)
* clarify docs that map is designed to be run once. is not stateful (#33102)
* Moved _finger_fail method to parent class.
Method _finger_fail method from SAuth to AsyncAuth class to make method available
in both class and fix an issue where _finger_Fail is called inside AsyncAuth.
* Fix 33058 (#33099)
* Fix servermanager module
- Added check for 2008 version of windows
- Added Import-Module ServerManager to _pshell_json.
Apparently this needs to run each time we issue a
servermanager command.
* Fix list_available
* salt.utils.gitfs: fix formatting for warning messages (#33064)
* salt.utils.gitfs: fix formatting for warning messages
When git_pillar support was added to salt.utils.gitfs, the
recommendation globals had string formatting placeholders added to them,
but the locations where these values are referenced do not call
``.format()`` to properly replace them. This commit fixes that
oversight.
* Remove more gitfs and master-specific wording from log messages
* Add a check that the cmdline of the found proc matches (#33129)
* Doc mock decorators (#33132)
* Add mock function for mocking decorators
* Mock the stdlib user module because importing it will open the repl
* Fix broken parsing of usermgmt.conf on OpenBSD (#33135)
When creating a new user, if a group of the same name already exists,
the usermgmt.conf file is consulted to determine the primary group.
It's in these cases that the parsing bug is triggered.
This code change addresses several of the existing issues:
- The previous split statement explicitly specified a single space.
Since a config line may have any number of spaces and/or tabs
surrounding the entries, the resulting array's elements may be
incorrect.
- According to the man pages for usermgmt.conf, the "group" config
entry accpets a single parameter -- so we shouldn't iterate.
- The "val[1]" was returning the 2nd letter of each word and not the
second word on the config line as intended.
* Move salt-ssh thin dir location to /var/tmp (#33130)
* Move salt-ssh thin dir location to /var/tmp
Closes #32771
* Remove performance penelty language
* If cache_jobs: True is set, populate the local job cache when running salt-call (#33100)
* If cache_jobs: True is set, populate the local job cache
Fixes #32834
Allows a masterless minion to query the job cache.
* Refactor cache_jobs functionality to be DRY
* Skipping salt-call --local test
* Back-port #31769 to 2015.8 (#33139)
* Handle empty acl_name in linux_acl state
Calls to setfacl interpret an empty group or user name to mean to be the
owner of the file they're operating on. For example, for a directory
owned by group 'admin', the ACL 'default:group::rwx' is equivalent to
'default:group:admin:rwx'.
The output of the getfacl execution module returns ACLs in the format of
'group:admin:rwx' instead of 'group::rwx'. This commit changes the
acl.present state to look for the owner of the file if the acl_name
paremeter is empty.
* Fix acl.present/acl.absent changing default ACLs
The behaviour of the acl.present and acl.absent is to check the data
structure returned by getfacl contains a key by the name of acl_type.
However, this data structure does not contain any default ACLs if none
exist, so this check will fail. We omit the check if a default ACL was
passed into the state functions.
Unfortunately, the call to modfacl may fail if the user passes in an
acl_type such as 'default:random'. In this case the state will appear to
succeed, but do nothing.
This fixes the state module to allow setting default ACLs on files which
have none.
* Fix regression in 2016.3 HEAD when version is specified (#33146)
Resolves #33013.
* Hash fileclients by opts (#33142)
* Hash fileclients by opts
There was an issue whereby the cache of the fileclient was being overwritten
by dueling minion instances in multimaster mode. This protects them by hashing
by the id of opts.
Closes #25040
* Silly typo!
* Remove tests which do not test any actual functionality or are too tightly coupled to the implementation
* Strip ldap fqdn (#33127)
* Add option to strip off domain names on computer names that come from LDAP/AD
* Add strip_domains option for ldap.
* Add documentation for auth.ldap.minion_stripdomains.
* [2015.5] Update to latest bootstrap script v2016.05.10 (#33155)
* [2015.8] Update to latest bootstrap script v2016.05.10 (#33156)
* [2016.3] Update to latest bootstrap script v2016.05.10 (#33157)
* add 2015.5.11 release notes (#33160)
* add 2015.8.9 release notes (#33161)
* Pip fix (#33180)
* fix pip!!
* make it work with old pip as well
* Added resiliency
* Don't need to check, just get the right name
* [2015.5] Update to latest bootstrap script v2016.05.11 (#33185)
2016-05-12 14:53:39 +00:00
|
|
|
.. note:: ``salt-ssh`` on RHEL/CentOS 5
|
|
|
|
|
|
|
|
|
|
The ``salt-ssh`` command requires at least python 2.6, which is not
|
|
|
|
|
installed by default on RHEL/CentOS 5. An easy workaround in this
|
|
|
|
|
situation is to use the ``-r`` option to run a raw shell command that
|
|
|
|
|
installs python26:
|
|
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
|
|
|
|
salt-ssh centos-5-minion -r 'yum -y install epel-release ; yum -y install python26'
|
|
|
|
|
|
2017-03-29 15:47:03 +00:00
|
|
|
.. note:: ``salt-ssh`` on systems with Python 3.x
|
|
|
|
|
|
2017-06-14 17:36:06 +00:00
|
|
|
Salt, before the 2017.7.0 release, does not support Python 3.x which is the
|
2017-03-29 15:47:03 +00:00
|
|
|
default on for example the popular 16.04 LTS release of Ubuntu. An easy
|
|
|
|
|
workaround for this scenario is to use the ``-r`` option similar to the
|
|
|
|
|
example above:
|
|
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
|
|
|
|
salt-ssh ubuntu-1604-minion -r 'apt update ; apt install -y python-minimal'
|
|
|
|
|
|
2014-05-30 17:56:54 +00:00
|
|
|
The ``salt-ssh`` command can be easily executed in the same way as a salt
|
2013-09-09 04:39:42 +00:00
|
|
|
command:
|
|
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
2019-03-25 17:09:48 +00:00
|
|
|
salt-ssh '*' test.version
|
2013-09-09 04:39:42 +00:00
|
|
|
|
|
|
|
|
Commands with ``salt-ssh`` follow the same syntax as the ``salt`` command.
|
|
|
|
|
|
|
|
|
|
The standard salt functions are available! The output is the same as ``salt``
|
2014-12-11 15:51:43 +00:00
|
|
|
and many of the same flags are available. Please see
|
2013-09-29 05:16:13 +00:00
|
|
|
http://docs.saltstack.com/ref/cli/salt-ssh.html for all of the available
|
|
|
|
|
options.
|
2013-09-09 04:39:42 +00:00
|
|
|
|
|
|
|
|
Raw Shell Calls
|
|
|
|
|
---------------
|
|
|
|
|
|
|
|
|
|
By default ``salt-ssh`` runs Salt execution modules on the remote system,
|
|
|
|
|
but ``salt-ssh`` can also execute raw shell commands:
|
|
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
|
|
|
|
salt-ssh '*' -r 'ifconfig'
|
|
|
|
|
|
|
|
|
|
States Via Salt SSH
|
|
|
|
|
===================
|
|
|
|
|
|
|
|
|
|
The Salt State system can also be used with ``salt-ssh``. The state system
|
|
|
|
|
abstracts the same interface to the user in ``salt-ssh`` as it does when using
|
|
|
|
|
standard ``salt``. The intent is that Salt Formulas defined for standard
|
2013-10-03 18:51:49 +00:00
|
|
|
``salt`` will work seamlessly with ``salt-ssh`` and vice-versa.
|
2013-09-09 04:39:42 +00:00
|
|
|
|
|
|
|
|
The standard Salt States walkthroughs function by simply replacing ``salt``
|
|
|
|
|
commands with ``salt-ssh``.
|
|
|
|
|
|
2013-09-20 12:01:20 +00:00
|
|
|
Targeting with Salt SSH
|
|
|
|
|
=======================
|
2013-09-09 04:39:42 +00:00
|
|
|
|
|
|
|
|
Due to the fact that the targeting approach differs in salt-ssh, only glob
|
|
|
|
|
and regex targets are supported as of this writing, the remaining target
|
|
|
|
|
systems still need to be implemented.
|
2013-11-03 08:35:21 +00:00
|
|
|
|
2015-01-12 00:54:30 +00:00
|
|
|
.. note::
|
|
|
|
|
By default, Grains are settable through ``salt-ssh``. By
|
2016-02-01 03:10:02 +00:00
|
|
|
default, these grains will *not* be persisted across reboots.
|
2015-01-12 00:54:30 +00:00
|
|
|
|
2016-12-15 22:36:44 +00:00
|
|
|
See the "thin_dir" setting in :ref:`Roster documentation <ssh-roster>`
|
2015-01-12 00:54:30 +00:00
|
|
|
for more details.
|
|
|
|
|
|
2014-03-11 17:59:07 +00:00
|
|
|
Configuring Salt SSH
|
|
|
|
|
====================
|
|
|
|
|
|
|
|
|
|
Salt SSH takes its configuration from a master configuration file. Normally, this
|
|
|
|
|
file is in ``/etc/salt/master``. If one wishes to use a customized configuration file,
|
2014-12-11 15:51:43 +00:00
|
|
|
the ``-c`` option to Salt SSH facilitates passing in a directory to look inside for a
|
2014-03-11 17:59:07 +00:00
|
|
|
configuration file named ``master``.
|
|
|
|
|
|
2015-05-04 20:48:19 +00:00
|
|
|
Minion Config
|
2016-12-15 22:36:44 +00:00
|
|
|
-------------
|
2015-05-04 20:48:19 +00:00
|
|
|
|
2015-05-06 17:35:14 +00:00
|
|
|
.. versionadded:: 2015.5.1
|
2015-05-05 18:44:50 +00:00
|
|
|
|
2015-05-04 20:48:19 +00:00
|
|
|
Minion config options can be defined globally using the master configuration
|
|
|
|
|
option ``ssh_minion_opts``. It can also be defined on a per-minion basis with
|
|
|
|
|
the ``minion_opts`` entry in the roster.
|
|
|
|
|
|
2013-11-03 08:35:21 +00:00
|
|
|
Running Salt SSH as non-root user
|
|
|
|
|
=================================
|
|
|
|
|
|
|
|
|
|
By default, Salt read all the configuration from /etc/salt/. If you are running
|
|
|
|
|
Salt SSH with a regular user you have to modify some paths or you will get
|
|
|
|
|
"Permission denied" messages. You have to modify two parameters: ``pki_dir``
|
|
|
|
|
and ``cachedir``. Those should point to a full path writable for the user.
|
|
|
|
|
|
2016-11-24 14:51:50 +00:00
|
|
|
It's recommended not to modify /etc/salt for this purpose. Create a private copy
|
2013-11-03 08:35:21 +00:00
|
|
|
of /etc/salt for the user and run the command with ``-c /new/config/path``.
|
|
|
|
|
|
2014-05-08 01:53:27 +00:00
|
|
|
Define CLI Options with Saltfile
|
|
|
|
|
================================
|
|
|
|
|
|
|
|
|
|
If you are commonly passing in CLI options to ``salt-ssh``, you can create
|
|
|
|
|
a ``Saltfile`` to automatically use these options. This is common if you're
|
|
|
|
|
managing several different salt projects on the same server.
|
|
|
|
|
|
2015-03-19 05:35:04 +00:00
|
|
|
So you can ``cd`` into a directory that has a ``Saltfile`` with the following
|
2015-01-13 06:50:29 +00:00
|
|
|
YAML contents:
|
2014-05-08 01:53:27 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
salt-ssh:
|
|
|
|
|
config_dir: path/to/config/dir
|
2018-07-09 12:55:24 +00:00
|
|
|
ssh_log_file: salt-ssh.log
|
2016-01-26 07:36:13 +00:00
|
|
|
ssh_max_procs: 30
|
|
|
|
|
ssh_wipe: True
|
2014-05-08 01:53:27 +00:00
|
|
|
|
|
|
|
|
Instead of having to call
|
2019-03-25 17:09:48 +00:00
|
|
|
``salt-ssh --config-dir=path/to/config/dir --max-procs=30 --wipe \* test.version`` you
|
|
|
|
|
can call ``salt-ssh \* test.version``.
|
2014-05-08 01:53:27 +00:00
|
|
|
|
2015-01-13 06:50:29 +00:00
|
|
|
Boolean-style options should be specified in their YAML representation.
|
|
|
|
|
|
|
|
|
|
.. note::
|
|
|
|
|
|
|
|
|
|
The option keys specified must match the destination attributes for the
|
|
|
|
|
options specified in the parser
|
|
|
|
|
:py:class:`salt.utils.parsers.SaltSSHOptionParser`. For example, in the
|
|
|
|
|
case of the ``--wipe`` command line option, its ``dest`` is configured to
|
2016-01-26 07:36:13 +00:00
|
|
|
be ``ssh_wipe`` and thus this is what should be configured in the
|
2015-01-13 06:50:29 +00:00
|
|
|
``Saltfile``. Using the names of flags for this option, being ``wipe:
|
2015-03-19 05:35:04 +00:00
|
|
|
True`` or ``w: True``, will not work.
|
2015-12-29 22:22:03 +00:00
|
|
|
|
2016-07-21 17:09:28 +00:00
|
|
|
.. note::
|
|
|
|
|
|
|
|
|
|
For the `Saltfile` to be automatically detected it needs to be named
|
|
|
|
|
`Saltfile` with a capital `S` and be readable by the user running
|
|
|
|
|
salt-ssh.
|
|
|
|
|
|
2017-02-16 10:39:22 +00:00
|
|
|
At last you can create ``~/.salt/Saltfile`` and ``salt-ssh``
|
|
|
|
|
will automatically load it by default.
|
|
|
|
|
|
2015-12-29 22:22:03 +00:00
|
|
|
Debugging salt-ssh
|
|
|
|
|
==================
|
|
|
|
|
|
|
|
|
|
One common approach for debugging ``salt-ssh`` is to simply use the tarball that salt
|
|
|
|
|
ships to the remote machine and call ``salt-call`` directly.
|
|
|
|
|
|
2016-01-08 09:33:39 +00:00
|
|
|
To determine the location of ``salt-call``, simply run ``salt-ssh`` with the ``-ltrace``
|
2015-12-29 22:22:03 +00:00
|
|
|
flag and look for a line containing the string, ``SALT_ARGV``. This contains the ``salt-call``
|
|
|
|
|
command that ``salt-ssh`` attempted to execute.
|
|
|
|
|
|
|
|
|
|
It is recommended that one modify this command a bit by removing the ``-l quiet``,
|
2016-11-23 21:53:17 +00:00
|
|
|
``--metadata`` and ``--output json`` to get a better idea of what's going on the target system.
|
2016-02-01 03:10:02 +00:00
|
|
|
|
|
|
|
|
.. toctree::
|
|
|
|
|
|
|
|
|
|
roster
|
