Managing remote servers with salt-ssh

I love using Salt to configure and manage servers at scale. Typically, a Salt master server manages an army of servers which are on the same private network. A salt-minion daemon runs on each client server and communicates with the master. Sometimes you need to manage a server which is outside of your internal network, such as a marketing web server running on a service like AWS LightSail, Linode, or Digital Ocean. That’s when salt-ssh comes in handy.

Master Configuration

On most distributions, you will need to install the salt-ssh package on the master server, even if salt-master is already installed.

Edit /etc/salt/roster and add the host config as shown below. We’ll use the master’s default SSH key pair, which salt-ssh stores in /etc/salt/pki/master/ssh/. To use a custom key pair from another path, add the priv option to the host’s entry in the roster file.

some-host-name:
  host: 203.0.113.1
  user: salt
  sudo: True
  tty: True

Client Configuration

The client does NOT need to have a minion installed, so I will use the term “client” instead of “minion.” This is one of the strengths of salt-ssh. You do need to add a user that can connect via SSH between the master and client. Run the following commands as a superuser:

useradd salt
sudo -u salt mkdir /home/salt/.ssh
sudo -u salt vi /home/salt/.ssh/authorized_keys
# Paste in public key
sudo -u salt chmod -R og-rwx /home/salt/.ssh/

You also need to give the user permission to run sudo commands without a password:

usermod -aG wheel salt   # -a appends; plain -G would replace any existing supplementary groups
visudo -f /etc/sudoers.d/salt

Enter the following line, and save the file:

salt ALL=(ALL) NOPASSWD:ALL
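The client-side steps above (create the user, install the key, grant passwordless sudo) collected into one re-runnable script. This is an added example, not part of the original post: it assumes the user name salt and the wheel group used above, and that the master’s public key has already been copied to the client and its path is given as the second argument. Unlike the interactive steps, it refuses to install anything that looks like a private key, does not duplicate a key that is already present, and validates the sudoers fragment before dropping it into place.

```shell
#!/bin/sh
# Added example (not part of the original post): the client-side steps as one
# non-interactive, re-runnable script. Assumptions: user name "salt", admin
# group "wheel", and the master's public key already copied to the client.
set -eu

# Install one public key into $home/.ssh/authorized_keys with the modes sshd
# requires (700 on the directory, 600 on the file). Refuses PEM/OpenSSH
# private keys so a mistakenly pasted private key never lands in
# authorized_keys, and skips keys already present so re-runs do not duplicate.
install_authorized_key() {
    home="$1"; pubkey="$2"
    case "$(head -n 1 "$pubkey")" in
        *"PRIVATE KEY"*) echo "refusing to install a private key" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    if ! grep -qxF -e "$(cat "$pubkey")" "$home/.ssh/authorized_keys"; then
        cat "$pubkey" >> "$home/.ssh/authorized_keys"
    fi
    chmod 600 "$home/.ssh/authorized_keys"
}

# Write a sudoers fragment granting passwordless sudo to this one user only.
# The fragment is staged under a dotted name (sudo ignores such files), checked
# with visudo -c when running as root, and only then moved into place: a
# malformed file in /etc/sudoers.d can break sudo for every account on the box.
write_sudoers_fragment() {
    user="$1"; dir="$2"
    mkdir -p "$dir"
    staged="$dir/.$user.tmp"
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$user" > "$staged"
    chmod 440 "$staged"
    if [ "$(id -u)" -eq 0 ]; then
        visudo -c -f "$staged" >/dev/null
    fi
    mv "$staged" "$dir/$user"
}

# Create the user with a home directory if missing, install the key, grant
# sudo. Note -aG: plain -G would replace the user's supplementary groups.
provision_salt_client() {
    user="$1"; pubkey="$2"
    id "$user" >/dev/null 2>&1 || useradd -m "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    install_authorized_key "$home" "$pubkey"
    chown -R "$user" "$home/.ssh"
    usermod -aG wheel "$user"
    write_sudoers_fragment "$user" /etc/sudoers.d
}

# Only act when given a user and a key path, so the file is also safe to source:
#   sudo sh provision-salt-client.sh salt /tmp/salt-ssh.rsa.pub
if [ "$#" -eq 2 ]; then
    provision_salt_client "$1" "$2"
fi
```

The two file-handling functions take explicit paths, so they can be exercised against a scratch directory as an unprivileged user before the script is ever run as root on a real client.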

Testing

Test basic connectivity:

ssh -i /etc/salt/pki/master/ssh/salt-ssh.rsa salt@18.216.140.168

Test sudo access:

ssh -i /etc/salt/pki/master/ssh/salt-ssh.rsa salt@18.216.140.168 sudo ls -l /root/
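The same two checks, run non-interactively against every host in the roster so that a missing key or a sudo password prompt fails fast instead of hanging the run. This is an added example, not from the original post; it assumes the flat roster layout shown above (a host name, then indented host: and user: lines) and the master’s default key path, and treats a missing user: as root, which is what salt-ssh defaults to.

```shell
#!/bin/sh
# Added example (not part of the original post): run the manual login and
# sudo checks above against every roster entry, non-interactively.
# Assumes the flat two-level roster layout used in this post.
set -eu

KEY="${SALT_SSH_KEY:-/etc/salt/pki/master/ssh/salt-ssh.rsa}"

# Print "name host user" for each roster entry. A missing user: line falls
# back to root, matching salt-ssh's own default.
roster_entries() {
    awk '
        function flush() {
            if (name != "") print name, host, (user == "" ? "root" : user)
            name = host = user = ""
        }
        /^[^ \t#][^:]*:[ \t]*$/ { flush(); name = $1; sub(/:$/, "", name); next }
        /^[ \t]+host:/          { host = $2 }
        /^[ \t]+user:/          { user = $2 }
        END                     { flush() }
    ' "$1"
}

# BatchMode refuses to prompt for passwords or host keys; sudo -n refuses to
# prompt for a sudo password. Either condition is reported as a failure.
check_host() {
    host="$1"; user="$2"
    ssh -i "$KEY" -o BatchMode=yes -o ConnectTimeout=10 "$user@$host" true \
        || { echo "$host: login failed" >&2; return 1; }
    ssh -i "$KEY" -o BatchMode=yes -o ConnectTimeout=10 "$user@$host" sudo -n true \
        || { echo "$host: passwordless sudo failed" >&2; return 1; }
    echo "$host: ok"
}

# Usage: sh check-roster.sh /etc/salt/roster
if [ "$#" -eq 1 ]; then
    failed=0
    roster_entries "$1" | while read -r name host user; do
        check_host "$host" "$user" || failed=1
    done
    exit "$failed"
fi
```

Once both checks pass for a host, the equivalent end-to-end check through Salt itself is salt-ssh '<name>' test.ping, which also confirms that the roster entry resolves.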

Next Steps

Add the client to the top file, using the host name you specified in the roster file. You should then be able to apply Salt states. You might need more specific matching in the top file if some of your default states assume the host is on an internal network. Expect salt-ssh to run more slowly than a minion running on the client.
