SaltStack - Salt through SSH


Salt executes commands in a remote system by using salt-minion. This is the normal behavior. In some scenarios, the remote system can be accessed only by the SSH protocol. For these scenarios, Salt provides an option to connect the remote system using the SSH protocol only and execute the command through the SSH layer.

Salt SSH is very easy to configure. The only needed configuration is to specify the remote system details in a special file called as the Roster file. This roster file is normally located in /etc/salt/roster. The roster file will have all the information regarding the remote system and how can we connect to it. Once the roster files are configured, all the Salt commands are executed using the salt-ssh instead of the salt command.

Roster File

The Roster System is designed specifically for Salt SSH. This is designed as a pluggable system. The sole purpose of the roster system is to gather information about the remote system. The roster file is a YAML based configuration file containing remote system information as targets. These targets are a special data structure with a predefined set of attributes. A roster file contains one or more targets and each target is identified by a Salt ID.

The basic structure of the roster file is as follows −

<Salt ID>:
   host: <host name>
   user: <user name>
   passwd: <password of the user>

All the other attributes supported by the roster file is optional. They are as follows −

  • port − SSH port number.

  • sudo − whether to run the command via sudo.

  • sudo_user − sudo user name.

  • tty − true if sudo is enabled.

  • priv − private key.

  • timeout − timeout for an SSH connection.

  • minion_opts − dictionary of minion opts.

  • thin_dir − target system's storage directory for salt components.

  • cmd_umask − umask to force for the salt-call command.

The sample roster file is as follows −

   user: webuser
   passwd: secret
   sudo: True   

Deploy SSH Keys

Salt SSH will generate a default public/private key pairs for SSH logins. The default path will be /etc/salt/pki/master/ssh/salt-ssh.rsa. This key can be deployed to the remote system using the ssh-copy-id command as shown below.

ssh-copy-id -i /etc/salt/pki/master/ssh/

Execute Command

Executing a salt command is as simple as changing the salt cli command into salt-ssh as shown below.

salt-ssh '*'

Raw Shell Command

Salt SSH provides an option (-r) to execute a raw command in the remote system bypassing the salt module and functions.

salt-ssh '*' -r 'ls'

Targeting with Salt SSH

Targeting the remote system in Salt SSH supports only glob and regex targets. Since Salt SSH is a separate module, it provides only limited options as of now and will provide more features in the near future.