Salt-ssh via sshconfig roster
Oct 24, 2017

Overview

salt-ssh allows the use of salt modules and states without the need to run a master or masterless configuration on a server. It’s also a nice tool when you have to connect and run commands across multiple instances.

Recently a friend of mine got his PR #42103 merged upstream into the Salt project. This enables the sshconfig roster for salt-ssh so users can leverage an existing ssh config for targeting salt minions without needing a roster file. Unfortunately it hasn’t landed in an official release of salt-ssh, but below I’ll cover how to install salt-ssh from the git develop branch on a FreeBSD 11.1 machine. Similar steps will work for a Linux install by substituting the pkgng calls with the Linux distro’s package manager (apt, yum, etc.).

Setup

Install the required pkgng packages to get python and virtualenv:

$ su -  # We need to be root here
$ pkg install python27 py27-virtualenv git
$ exit  # Go back to normal user

Create a virtualenv with python2.7 interpreter, activate it, and install the pip dependencies:

$ mkdir ~/.virtualenvs
$ virtualenv -p python2.7 ~/.virtualenvs/salt-ssh
$ . ~/.virtualenvs/salt-ssh/bin/activate
(salt-ssh)$ pip install jinja2 markupsafe msgpack-python pyyaml tornado

Note: This assumes that the user’s default shell is /bin/sh.

Since the sshconfig roster has yet to land in a release, we’ll need to install it from source into the virtualenv. At the time of writing, the commit ID was 33bf0e1 of the develop branch in salt:

(salt-ssh)$ git clone https://github.com/saltstack/salt.git
(salt-ssh)$ cd salt
(salt-ssh)$ python setup.py --ssh-packaging install

The last thing required is creating the salt directory structure so that salt-ssh can run as a normal user instead of root:

(salt-ssh)$ mkdir -p ~/salt-ssh/etc/salt
(salt-ssh)$ mkdir -p ~/salt-ssh/var/log/salt
(salt-ssh)$ cat << EOF > ~/salt-ssh/Saltfile
salt-ssh:
  config_dir: etc/salt/
EOF
(salt-ssh)$ cat << EOF > ~/salt-ssh/etc/salt/master
root_dir: .
EOF

Note: The above config might be overkill, but it works around logging and cache dir overrides not working in the Saltfile as of 33bf0e1.

My example ~/.ssh/config looks like:

Host salty
    HostName 192.168.0.10
    User rob
    Protocol 2
    IdentityFile ~/.ssh/id_rsa
Host salty2
    HostName 192.168.0.20
    User rob
    Protocol 2
    IdentityFile ~/.ssh/id_rsa

With the new sshconfig roster just start targeting minions based on the Host in ~/.ssh/config:

(salt-ssh)$ salt-ssh --roster=sshconfig '*' test.ping

salty:
    True

salty2:
    True

Giddy up! salt-ssh is now ready to go and do my bidding against my minions!

Issues

Python Missing From Target

The hosts that you are targeting with salt-ssh need to have python installed. If they don’t, you’ll receive an error like this:

ERROR: salt requires python 2.6 or newer on target hosts, must have same major version as origin host

Wrong IdentityFile

salt-ssh by default will generate its own private key and store it in <config_dir>/etc/salt/pki/master/ssh/id_rsa. If you do not want to use this key then just be explicit about which key you’d like to use in your ~/.ssh/config (like I was above).
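
An added example (not from the original post, and not Salt's own roster code): a simplified Python check that resolves each Host alias in an ssh config and lists the ones with no IdentityFile, which is where salt-ssh would use its own generated key as described above. It goes slightly beyond the post's config by handling `Host *` inheritance and negated patterns; the sample config, the `salty3` host and the field mapping to `host`, `user`, `port` and `priv` are assumptions.

```python
import fnmatch
import re

# Constructed sample; "salty3" and the "Host *" block are hypothetical additions.
SAMPLE_CONFIG = """\
Host salty
    HostName 192.168.0.10
    IdentityFile ~/.ssh/id_rsa
Host salty3
    HostName 192.168.0.30
Host *
    User rob
"""

# ssh_config keyword -> flat roster field name (mapping assumed for this example)
FIELDS = {"hostname": "host", "user": "user", "port": "port", "identityfile": "priv"}
LINE = re.compile(r"^[ \t]*(\w+)(?:[ \t]*=[ \t]*|[ \t]+)(\S.*?)[ \t]*$", re.M)

def parse_blocks(text):
    """Split ssh_config text into ordered (patterns, options) blocks."""
    blocks = [(["*"], {})]  # options before the first Host apply to every host
    for key, value in LINE.findall(text):
        key = key.lower()
        if key in ("host", "match"):  # Match criteria are not evaluated here
            blocks.append((value.split() if key == "host" else [], {}))
        elif key in FIELDS:
            blocks[-1][1].setdefault(FIELDS[key], value)
    return blocks

def matches(alias, patterns):
    """A Host line applies if a positive pattern matches and no negated one does."""
    hit = lambda pats: any(fnmatch.fnmatchcase(alias, p.lstrip("!")) for p in pats)
    neg = [p for p in patterns if p.startswith("!")]
    return hit(set(patterns) - set(neg)) and not hit(neg)

def roster_targets(text):
    """Resolve each concrete Host alias to its effective roster fields."""
    blocks = parse_blocks(text)
    targets = {p: {} for pats, _ in blocks for p in pats if not set(p) & set("*?!")}
    for alias, entry in targets.items():
        for pats, opts in blocks:
            if matches(alias, pats):
                for field, value in opts.items():
                    entry.setdefault(field, value)  # keep the first value obtained
    return targets

def missing_identity(text):
    """Aliases with no IdentityFile: salt-ssh would fall back to its own key."""
    return sorted(a for a, e in roster_targets(text).items() if "priv" not in e)
```

Calling `missing_identity(open(os.path.expanduser("~/.ssh/config")).read())` (with `import os`) before the first `salt-ssh --roster=sshconfig` run shows which hosts still need an explicit key.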