closed and you can’t install custom software. Salt in networking: theoretical approaches 8 Salt SSH Salt SSH requires Python on the remote target, and uploads an archive on execution. Equally impossible on typical gear. X X
are simple processes able to run anywhere, as long as: 1) Can connect to the Master. 2) Can connect to the network device (via the channel / API of choice - e.g., SSH / NETCONF / HTTP / gRPC, etc.)
include: • Running as system services ◦ On a single server ◦ Distributed on various servers • (Docker) containers ◦ E.g., managed by Kubernetes • Services running in a cloud ◦ See, for example, salt-cloud
imply a process always running in the background. That means, whenever you execute a command, Salt is instantly available to run the command. But also means: - A process always keeping memory busy. - Typically each proxy requires around 100-120MB. - Due to a memory leak, when using any SSH-based Proxies, the memory usage can spike to over 1GB (for every Proxy Minion). - One Proxy Minion service per device. - System services management, monitoring, etc. Not always beneficial, sometimes you just need a one-off command every X weeks / months.
automate the management and configuration of network devices at scale, without running (Proxy) Minions. Using salt-sproxy, you can continue to benefit from the scalability, flexibility and extensibility of Salt, while you don't have to manage thousands of (Proxy) Minion services. However, you are able to use both salt-sproxy and your (Proxy) Minions at the same time.
example, as a file: Getting started with salt-sproxy: Setup example (1) 18 https://salt-sproxy.readthedocs.io/en/latest/quick_start.html router1: driver: junos router2: driver: iosxr spine1: driver: junos leaf1: driver: eos fw1: driver: panos host: fw1.firewall.as1234.net /etc/salt/roster
from the Roster file: Getting started with salt-sproxy: Setup example (2) 19 roster: file proxy: proxytype: napalm username: <username> password: <password> /etc/salt/master https://salt-sproxy.readthedocs.io/en/latest/quick_start.html
from the Roster file: Getting started with salt-sproxy: Setup example (2) 20 roster: file proxy: proxytype: napalm username: <username> password: <password> /etc/salt/master https://salt-sproxy.readthedocs.io/en/latest/quick_start.html There are different flavours of Roster sources, including NetBox, Pillar (i.e., retrieve data from HTTP APIs, MySQL / PostgreSQL databases, etc.). File is the easiest to understand and demo.
from the Roster file: Getting started with salt-sproxy: Setup example (2) 21 roster: file proxy: proxytype: napalm username: <username> password: <password> /etc/salt/master https://salt-sproxy.readthedocs.io/en/latest/quick_start.html You can choose between a variety of Proxy Modules natively available in Salt. If none available for your use case, developing a new Proxy Module in your own environment is easy and straighforward.
specific file (i.e., information that we maintain ourselves) as SLS files , to build the list of devices. But there can be plenty of other sources where to load this data from, see https://docs.saltstack.com/en/latest/ref/pillar/all/index.html, examples include: - HTTP API - Postgres / MySQL database - Etcd, Consul, Redis, Mongo, etc. - CSV file :-( Getting started with salt-sproxy: Alternative setup 24 https://salt-sproxy.readthedocs.io/en/latest/roster.html
load the list of devices from NetBox: Getting started with salt-sproxy: Alternative setup - NetBox 25 https://salt-sproxy.readthedocs.io/en/latest/examples/netbox.html roster: netbox netbox: url: https://netbox.live/ token: <token> /etc/salt/master
be used in combination with salt-sproxy to invoke commands over HTTP, without running Proxy Minions. Enable the API: Using salt-sproxy via the Salt REST API 26 https://salt-sproxy.readthedocs.io/en/latest/salt_api.html rest_cherrypy: port: 8080 ssl_crt: /path/to/crt ssl_key: /path/to/key /etc/salt/master
install (compared to the typical Salt setup). - Say goodbye to the burden of managing hundreds of system services for the Proxy Minion processes. - You can run it locally, on your own computer. - Integrates easily with your existing Salt environment (if you have), by installing salt-sproxy on your Salt Master. - Reuse your existing extension modules, templates, Pillars, States, etc., you may have already developed in your environment, transparently. - Can continue to leverage the event-driven automation and orchestration methodologies. - REST API, see also Using the Salt REST API documentation. - Python programming made a breeze - might go well with the ISalt package.
Arista EOS, and Linux: vmx1, vmx2, vmx3, eos-spine1, eos-spine2, eos-leaf1, eos-leaf2. - 3 Docker containers running Ubuntu: srv1, srv2, and srv3. - One Docker container for Salt Master + Salt SProxy - A few Docker containers running Proxy Minions (one Proxy Minion per device we manage) - vmx1 - vmx2 - eos-spine1 - eos-spine2 Using salt-sproxy, we can manage both devices that have a Proxy Minion running, as well as devices without.
true vmx3: grains: role: router eos-leaf1: grains: role: leaf eos-leaf2: grains: role: leaf {%- for i in [1,2,3] %} srv{{ i }}: grains: role: hypervisor {%- endfor %} /etc/salt/master /etc/salt/roster The Roster file is Salt SLS format (Jinja + YAML)
mirceaulinic
jumtech
amacbee
ks91
oracle4engineer
visional_engineering_and_design
makikub
yoshidashingo
minorun365
hamadakoji
staffrecruiter
sarafernandez
baasie
destraynor
speakerdeck
techseoconnect
kristinabergwall1
reverentgeek
tammyeverts
tenderlove
mfonobong
aleyda
pwiseman
![[email protected]](https://files.speakerdeck.com/presentations/1953959b11d3450e831630d3dfff8a0a/slide_42.jpg){kind=link}