Salt SSH

Execute salt commands and states over ssh without installing a salt-minion.

Getting Started

Salt SSH is very easy to use, simply set up a basic roster file of the systems to connect to and run salt-ssh commands in a similar way as standard salt commands.

  • Salt ssh is considered production ready in version 2014.7.0
  • Python is required on the remote system (unless using the -r option to send raw ssh commands)
  • On many systems, the salt-ssh executable will be in its own package, usually named salt-ssh
  • The Salt SSH system does not supercede the standard Salt communication systems, it simply offers an SSH-based alternative that does not require ZeroMQ and a remote agent. Be aware that since all communication with Salt SSH is executed via SSH it is substantially slower than standard Salt with ZeroMQ.
  • 目前文件服务操作必须包装成相关文件传递给 salt-ssh 命令。state模块是一个例外,它将在master上编译为state运行,并在这过程中发现所有 salt:// 路径的引用,然后当state运行时拷贝那些文件到同样的tar包。但是,所需的文件服务包装器仍然在开发中。

Salt SSH Roster



See the SSH roster docs for more details.

简单的创建下roster文件,默认的本地路径是 /etc/salt/roster:


这是一个非常基本的roster文件,指定了Salt ID及IP地址. 更为复杂的roster如下:

  host: # The IP addr or DNS hostname
  user: fred         # Remote executions will be executed as user fred
  passwd: foobarbaz  # The password to use for login, if omitted, keys are used
  sudo: True         # Whether to sudo to root, not enabled by default


sudo works only if NOPASSWD is set for user in /etc/sudoers: fred ALL=(ALL) NOPASSWD: ALL

Deploy ssh key for salt-ssh

By default, salt-ssh will generate key pairs for ssh, the default path will be /etc/salt/pki/master/ssh/salt-ssh.rsa

You can use ssh-copy-id, (the OpenSSH key deployment tool) to deploy keys to your servers.

ssh-copy-id -i /etc/salt/pki/master/ssh/

One could also create a simple shell script, named as follows:

if [ -z $1 ]; then
   echo $0
   exit 0
ssh-copy-id -i /etc/salt/pki/master/ssh/ $1


Be certain to chmod +x


Once keys are successfully deployed, salt-ssh can be used to control them.

Alternatively ssh agent forwarding can be used by setting the priv to agent-forwarding.

调用Salt SSH

The salt-ssh command can be easily executed in the same way as a salt command:

salt-ssh '*'

salt-ssh 命令的语法和 salt 命令类似.

Salt标准函数可以直接执行! 其输出也和 salt 命令一样,也有一些参数可以指定,可以访问 获取这些参数选项.


默认情况下 salt-ssh 可以直接在远程系统上运行Salt执行模块. 通过 salt-ssh 也可以直接执行原始shell命令:

salt-ssh '*' -r 'ifconfig'

通过Salt SSH进行状态管理

salt-ssh 也可以直接使用Salt状态管理系统. 状态管理系统在 salt-ssh 中抽象为和 salt 同样的接口,这样就保证了通过 salt-ssh 及vice-versa可以直接使用标准的 salt Formulase而无需做修改.

Salt状态管理演练可以直接将 salt 命令直接替换为 salt-ssh 即可使用.

Salt SSH Target

由于salt-ssh中的target与salt几乎不一致,当前只支持glob及正则target, 其他的target系统也会不断的加入进来.


By default, Grains are settable through salt-ssh. By default, these grains will not be persisted across reboots.

See the "thin_dir" setting in Roster documentation for more details.

配置Salt SSH

Salt SSH从master配置文件提取自己的配置。通常情况下,配置文件位于 /etc/salt/master。如果想使用一个自定义的配置文件,传递 -c 选项给Salt SSH指定一个查找目录,包含文件名 master

Minion Config

2015.5.1 新版功能.

Minion config options can be defined globally using the master configuration option ssh_minion_opts. It can also be defined on a per-minion basis with the minion_opts entry in the roster.

用非root用户运行Salt SSH

默认情况下,salt从/etc/salt/读取所有配置。如果你使用普通用户运行Salt SSH,必须修改一些路径,否则你会收到"Permission denied"信息。你必须修改两个参数: pki_dircachedir。应该指向一个对于用户可写的绝对路径。

不建议直接修改 /etc/salt。为用户创建一份/etc/salt的私有拷贝并且运行命令行加上``-c /new/config/path``。


如果您通常通过CLI中的选项"salt-ssh" ,你可以创建一个"Saltfile" 自动使用这些选项。如果你在同一台服务器上管理多个不同的salt项目,这是常见的。

So you can cd into a directory that has a Saltfile with the following YAML contents:

  config_dir: path/to/config/dir
  ssh_max_procs: 30
  ssh_wipe: True

Instead of having to call salt-ssh --config-dir=path/to/config/dir --max-procs=30 --wipe \* you can call salt-ssh \*

Boolean-style options should be specified in their YAML representation.


The option keys specified must match the destination attributes for the options specified in the parser salt.utils.parsers.SaltSSHOptionParser. For example, in the case of the --wipe command line option, its dest is configured to be ssh_wipe and thus this is what should be configured in the Saltfile. Using the names of flags for this option, being wipe: True or w: True, will not work.

Debugging salt-ssh

One common approach for debugging salt-ssh is to simply use the tarball that salt ships to the remote machine and call salt-call directly.

To determine the location of salt-call, simply run salt-ssh with the -ltrace flag and look for a line containing the string, SALT_ARGV. This contains the salt-call command that salt-ssh attempted to execute.

It is recommended that one modify this command a bit by removing the -l quiet, --metadata and --output json to get a better idea of what's going on on the target system.