Managing remote Unix and Windows machines via SSH

New in version 2020.7.0.

Using salt-sproxy, besides regular Minions, regular Proxy Minions, and standalone Proxy Minions (managed by salt-sproxy itself), you can also manage arbitrary machines via SSH, in the same way as you’d normally do through salt-ssh. In fact, this is actually done through the SSH Proxy Module shipped together with this package, which in turn invokes salt-ssh internals. While salt-ssh has been part of the Salt suite for years, it has always been decoupled from the rest. One of the evident implications is that you manage some devices by running salt, and others by running salt-ssh. salt-sproxy aims to abstract that away, and provide a single, uniform methodology for managing whatever flavours of Salt you want, through the same command and offering the same features.

In essence, using the SSH Proxy Module, salt-sproxy spins up a temporary Proxy Minion locally, which means you can use it to manage arbitrary machines over SSH, and you can continue using the usual Targeting mechanisms, or execute Salt commands over the REST API (see also salt-sapi).

Important

As this feature depends on two external modules, provides with salt-sproxy, you will need to make sure your installation is aware of those. You ave multiple options here:

• Execute passing the --sync-proxy and --sync-executors on the command line.
• Set sync_proxy: true and sync_executors: true in the Master config file.
• Configure the file_roots on the Master, as detailed in The Proxy Runner, then execute salt-run saltutil.sync_all (or saltutil.sync_proxymodules + saltutil.sync_executors, if you only want the SSH code, ignorning anything else). See also Salt SProxy Best Practices.

Pillar

The configuration is aligned to the general Proxy Minion standards: put the connection details and credentials under the proxy key in the Proxy config or Pillar.

host

The IP address or the hostname of the remove machine to manage.

port

Integer, the port number to use when establishing he connection (defaults to 22).

user

The username required for authentication.

passwd

The password used for authentication.

priv

Absolute path to the private SSH key used for authentication.

priv_passwd

The SSH private key password.

timeout: 30

The SSH timeout. Defaults to 30 seconds.

sudo: False

Execute commands as sudo.

tty: False

Connect over tty.

sudo_user

The username that should execute the commands as sudo.

remote_port_forwards

Enable remote port forwarding. Example: 8888:my.company.server:443. Multiple remote port forwardings are supported, using comma-separated values, e.g., 8888:my.company.server:443,9999:my.company.server:80.

identities_only: False

Execute SSH with -o IdentitiesOnly=yes. This option is intended for situations where ssh-agent offers many different identities and allow ssh to ignore those identities and use the only one specified in options.

ignore_host_keys: False

By default ssh host keys are honored and connections will ask for approval. Use this option to disable StrictHostKeyChecking.

no_host_keys: False

Fully ignores ssh host keys which by default are honored and connections would ask for approval. Useful if the host key of a remote server has changed and would still error with ignore_host_keys.

winrm: False

Flag that tells Salt to connect to a Windows machine. This option requires the saltwinshell to be installed.

For example, let’s say you put the following in the Pillar:

/srv/salt/pillar/ssh.sls

proxy:
  proxytype: ssh
  host: srv.example.com
  user: test
  passwd: test

/srv/salt/pillar/top.sls

base:
  srv:
    - ssh

Assuming that your configuration is correct, you can then start executing Salt commands as usual, to manage the remote machine:

$ salt-sproxy 'srv' pkg.install ack
srv:
    ----------
    ack:
        ----------
        new:
            2.24-1
        old:
    libfile-next-perl:
        ----------
        new:
            1.16-2
        old:
    libgdbm-compat4:
        ----------
        new:
            1.18.1-4
        old:
    libgdbm6:
        ----------
        new:
            1.18.1-4
        old:
    libperl5.28:
        ----------
        new:
            5.28.1-6
        old:
    perl:
        ----------
        new:
            5.28.1-6
        old:
    perl-modules-5.28:
        ----------
        new:
            5.28.1-6
        old:

$ salt-sproxy 'srv' state.apply
srv:
----------
          ID: vim
    Function: pkg.installed
      Result: True
     Comment: All specified packages are already installed
     Started: 16:38:22.981459
    Duration: 57.998 ms
     Changes:
----------
          ID: ack
    Function: pkg.installed
      Result: True
     Comment: All specified packages are already installed
     Started: 16:38:23.039783
    Duration: 42.267 ms
     Changes:

Summary for sproxy
------------
Succeeded: 2
Failed:    0
------------
Total states run:     2
Total run time: 100.265 ms