OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Managing network gear and "dumb" devices using SaltStack Proxy Minions. C. R. Oldham, Platform Engineer, SaltStack. Where's (the) Waldo?

description

Salt now includes proxy minions, a method of controlling devices that cannot run a minion. This deck is an overview of how proxy minions work and how they can be created.

Transcript of OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Page 1: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Managing network gear and "dumb" devices using SaltStack Proxy Minions

C. R. Oldham, Platform Engineer, SaltStack

Where's (the) Waldo?

Page 2: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Self-aggrandizement

• North Central Association, Director of IT
• Marvell Semiconductor, Compute Environment Manager
• HopeKids, Executive Director
• SaltStack, Platform Engineer

• Keyboard + Monitor Give it to C. R.

Page 3: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

What is Salt?

• Salt is more than just configuration management, it makes up a unified system control platform.

• Complete infrastructure control
• A foundation API for communication
• Remote execution, job management, state discovery
• Control and view all aspects from one source, one medium
• Salt is Simplicity
• Salt is designed to be simple
• Easy to set up, use, understand, and extend
• Diving in is the right way to learn

Page 4: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Founded on Remote Execution

• The foundation of Salt is remote execution. Salt's unique remote execution system enables extremely fast and reliable remote control of systems

• Remote Execution allows for server commands to be sent around an infrastructure

• ZeroMQ topology enables powerful and high speed communication

• Commands can be executed quickly and in parallel across large numbers of nodes to execute commands and gather information

Page 5: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Not Just for Large Infrastructure

• Salt can scale up or down as far as you need to go
• Home networks
• "Micro" networks
  – Arduino, Raspberry Pi, BeagleBone/BeagleBoard
• "Dumb" devices
  – Switches, Routers
  – Coffee Makers
  – Sprinkler Systems
• Remote Services
• Google Apps
• Heroku
• Gondor.IO
• Anything with a REST API

Page 6: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Remote Execution Examples

salt -G 'os:Ubuntu' pkg.upgrade

salt '*' pkg.install openssl refresh=True

salt '*' service.restart apache

salt '*' shadow.set_password root '$1$UY...

Page 7: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

State Examples

/webroot/web:
  file.directory:
    - user: www-data
    - group: www-data
    - dir_mode: 2755
    - file_mode: '0755'
    - makedirs: True

thorium_proj:
  git.latest:
    - rev: develop
    - name: [email protected]:saltstack/thorium
    - user: www-data
    - target: {{ thorium.venv.base }}
    - force: False
    - identity: deploy.key
    - require:
      - file: /webroot/web/.ssh/deploy.key

/webroot/web/.ssh/deploy.key:
  file.managed:
    - user: www-data
    - group: www-data
    - dir_mode: 0770
    - mode: 0600
    - source: salt://deploy.key
    - makedirs: True
    - replace: False

Page 8: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Minion-to-Master Communication

• Each minion runs a salt-minion process
  – Python runtime, average RSS 30 MB
  – Minions connect to master
  – Master controls minions
• What if devices we want to control can't spare 30 MB?
• Enter the PROXY MINION

Page 9: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

What exactly IS a PROXY MINION??!

A process forked from a regular salt-minion that has the sole purpose of talking to a device that cannot run a minion.

Page 10: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

GRU == salt-master

Minion == salt-minion

Minions == proxy-minion

Car == proxied device

Page 11: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Where we are going eventually...

salt datacenter-network state.highstate

Woohoo!!

Page 12: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Aren't there other tools?

• Web interface
• ssh
• The CLI tool that shall remain nameless

Page 13: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Persistent Connection

• Batch-load
• Check
• Commit

• Ephemeral-connection oriented tools drop changes on disconnect. (oops)
• Bootstrapping ssh connections over and over can be slow
• Needed a persistent connection to overcome

Page 14: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions
Page 15: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Better Image

[Diagram: salt-master, salt-minion, 🍴 (fork), proxy-minion, device]

Page 16: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

HOWTO

• interface package (/srv/salt/_proxy or site-packages/salt/proxy)

• execution modules (/srv/salt/_modules or site-packages/salt/modules)

• grains (/srv/salt/_grains or site-packages/salt/grains)

Page 17: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Interface package

• Python package that handles heavy-lifting for connection
• Needs a class Proxyconn
  – __init__
  – proxytype
  – id
  – ping
  – shutdown
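
A sketch of the interface class this slide describes, added here as an example and not taken from the deck or from Salt's source: the five member names come from the slide, while the argument lists, the FakeDevice stand-in, the type name and the host name are assumptions. It also shows why the persistent connection matters for batch-load / check / commit: uncommitted changes live only as long as the session the proxy holds open.

```python
class FakeDevice:
    """Constructed stand-in for a switch with batch-load / check / commit."""
    def __init__(self, hostname):
        self.hostname = hostname
        self.running = {}      # committed configuration
        self.candidate = {}    # uncommitted changes, tied to the open session

    def close(self):
        self.candidate = None  # disconnecting drops uncommitted changes

    def load(self, changes):
        self.candidate.update(changes)

    def check(self):
        return all(isinstance(v, str) and v for v in self.candidate.values())

    def commit(self):
        if not self.check():
            raise ValueError("candidate configuration failed check")
        self.running.update(self.candidate)


class Proxyconn:
    """Interface class with the five members named on the slide."""
    def __init__(self, details):        # 'details' dict is an assumption
        self.conn = FakeDevice(details["host"])  # one session, held open

    def proxytype(self):
        return "fakedevice"             # hypothetical type name

    def id(self, opts):                 # 'opts' argument is an assumption
        return self.conn.hostname

    def ping(self):
        return self.conn.candidate is not None

    def shutdown(self, opts):
        self.conn.close()


def demo():
    proxy = Proxyconn({"host": "sw1.example.test"})  # constructed host name
    proxy.conn.load({"vlan10": "users"})    # first job: batch-load
    proxy.conn.commit()                     # later job, same session: commit
    proxy.conn.load({"vlan20": "guests"})   # loaded but never committed
    alive = proxy.ping()
    proxy.shutdown({})
    return proxy.id({}), alive, proxy.ping(), proxy.conn.running
```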

Page 18: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Execution Modules

• Some "just work"
• Some don't make sense
• Some need lots of love
• __proxyenabled__

Page 19: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

Caveat Emptor

• Process Management
• Logging
• No Masterless
• Lots of things broken

Page 20: OpenWest 2014-05-10 Where's the Waldo, SaltStack Proxy Minions

C. R. Oldham, Platform Engineer, SaltStack

https://joind.in/11037

Email: [email protected]
GitHub: https://github.com/cro
Blog: http://ncbt.org
IRC: cro