Salt SSH¶

Getting Started¶

Salt SSH is very easy to use, simply set up a basic roster file of the systems to connect to and run salt-ssh commands in a similar way as standard salt commands.

• Salt ssh is considered production ready in version 2014.7.0
• Python is required on the remote system (unless using the -r option to send raw ssh commands)
• On many systems, the salt-ssh executable will be in its own package, usually named salt-ssh
• The Salt SSH system does not supercede the standard Salt communication systems, it simply offers an SSH-based alternative that does not require ZeroMQ and a remote agent. Be aware that since all communication with Salt SSH is executed via SSH it is substantially slower than standard Salt with ZeroMQ.

• 目前文件服务操作必须包装成相关文件传递给 salt-ssh 命令。state模块是一个例外，它将在master上编译为state运行，并在这过程中发现所有 salt:// 路径的引用，然后当state运行时拷贝那些文件到同样的tar包。但是，所需的文件服务包装器仍然在开发中。

Salt SSH Roster¶

Salt中的roster系统将使指定远程的minions操作变得简单.

简单的创建下roster文件，默认的本地路径是 /etc/salt/roster:

web1: 192.168.42.1

这是一个非常基本的roster文件，指定了Salt ID及IP地址. 更为复杂的roster如下:

web1:
  host: 192.168.42.1 # The IP addr or DNS hostname
  user: fred         # Remote executions will be executed as user fred
  passwd: foobarbaz  # The password to use for login, if omitted, keys are used
  sudo: True         # Whether to sudo to root, not enabled by default
web2:
  host: 192.168.42.2

Deploy ssh key for salt-ssh¶

By default, salt-ssh will generate key pairs for ssh, the default path will be /etc/salt/pki/master/ssh/salt-ssh.rsa

You can use ssh-copy-id, (the OpenSSH key deployment tool) to deploy keys to your servers.

ssh-copy-id -i /etc/salt/pki/master/ssh/salt-ssh.rsa.pub user@server.demo.com

One could also create a simple shell script, named salt-ssh-copy-id.sh as follows:

#!/bin/bash
if [ -z $1 ]; then
   echo $0 user@host.com
   exit 0
fi
ssh-copy-id -i /etc/salt/pki/master/ssh/salt-ssh.rsa.pub $1

./salt-ssh-copy-id.sh user@server1.host.com
./salt-ssh-copy-id.sh user@server2.host.com

Once keys are successfully deployed, salt-ssh can be used to control them.

Alternatively ssh agent forwarding can be used by setting the priv to agent-forwarding.

调用Salt SSH¶

The salt-ssh command can be easily executed in the same way as a salt command:

salt-ssh '*' test.ping

salt-ssh 命令的语法和 salt 命令类似.

Salt标准函数可以直接执行！ 其输出也和 salt 命令一样，也有一些参数可以指定，可以访问 http://docs.saltstack.com/ref/cli/salt-ssh.html 获取这些参数选项.

salt-ssh '*' -r 'ifconfig'

通过Salt SSH进行状态管理¶

salt-ssh 也可以直接使用Salt状态管理系统. 状态管理系统在 salt-ssh 中抽象为和 salt 同样的接口，这样就保证了通过 salt-ssh 及vice-versa可以直接使用标准的 salt Formulase而无需做修改.

Salt状态管理演练可以直接将 salt 命令直接替换为 salt-ssh 即可使用.

Salt SSH Target¶

由于salt-ssh中的target与salt几乎不一致，当前只支持glob及正则target, 其他的target系统也会不断的加入进来.

配置Salt SSH¶

Salt SSH从master配置文件提取自己的配置。通常情况下，配置文件位于 /etc/salt/master。如果想使用一个自定义的配置文件，传递 -c 选项给Salt SSH指定一个查找目录，包含文件名 master。

用非root用户运行Salt SSH¶

默认情况下，salt从/etc/salt/读取所有配置。如果你使用普通用户运行Salt SSH，必须修改一些路径，否则你会收到"Permission denied"信息。你必须修改两个参数: pki_dir 和 cachedir。应该指向一个对于用户可写的绝对路径。

不建议直接修改 /etc/salt。为用户创建一份/etc/salt的私有拷贝并且运行命令行加上``-c /new/config/path``。

利用Saltfile定义CLI选项¶

如果您通常通过CLI中的选项"salt-ssh" ，你可以创建一个"Saltfile" 自动使用这些选项。如果你在同一台服务器上管理多个不同的salt项目,这是常见的。

So you can cd into a directory that has a Saltfile with the following YAML contents:

salt-ssh:
  config_dir: path/to/config/dir
  ssh_max_procs: 30
  ssh_wipe: True

Instead of having to call salt-ssh --config-dir=path/to/config/dir --max-procs=30 --wipe \* test.ping you can call salt-ssh \* test.ping.

Boolean-style options should be specified in their YAML representation.

Debugging salt-ssh¶

One common approach for debugging salt-ssh is to simply use the tarball that salt ships to the remote machine and call salt-call directly.

To determine the location of salt-call, simply run salt-ssh with the -ltrace flag and look for a line containing the string, SALT_ARGV. This contains the salt-call command that salt-ssh attempted to execute.

It is recommended that one modify this command a bit by removing the -l quiet, --metadata and --output json to get a better idea of what's going on on the target system.