Arista#

Welcome to the Arista native minion installation guide. This installation guide explains the process for installing a Salt native minion on Arista UNIX systems. This guide is intended for system administrators with the general knowledge and experience required in the field.

Browse the repo for Arista packages

Arista Python3

What are Salt native minions?

Salt can target network-connected devices through Salt proxy minions. Proxy minions are a Salt feature that enables controlling devices that, for whatever reason, cannot run the standard salt-minion service. Examples include network gear that has an API but runs a proprietary OS, devices with limited CPU or memory, or devices that could run a minion but, for security reasons, will not.

Salt native minions are packaged to run directly on specific devices, removing the need for proxy minions running elsewhere on a network. Native minions have several advantages, such as:

  • Performance boosts: With native minions, Salt doesn’t need to rely on constant SSH connections across the network. There is also less burden on the servers running multiple proxy minions.

  • Higher availability: For servers running multiple proxy minions, server issues can cause connection problems to all proxy minions being managed by the server. Native minions remove this potential point of failure.

  • Improved scalability: When adding devices to a network that are supported by native minions, you aren’t required to deploy proxy minions on separate infrastructure. This reduces the burden of horizontally or vertically scaling infrastructure dedicated to proxy minions.

Note

For an overview of how Salt works, see Salt system architecture.

Before you start#

Before installing the Arista native minion:

  • Check that your network device and firmware are supported. See Arista for more information.
  • Ensure that ports 4505 and 4506 are open on the applicable Arista switches or routers.

Salt uses ports 4505 and 4506 for outbound communication from the master to the minions. The Arista native minion uses a direct connection to the Arista switch or router and uses the Management Interface on the switch/router for communication. For that reason, ports 4505 and 4506 need to be open on the appropriate Management Interfaces.

Installation#

Arista network devices run Arista EOS, which includes the Arista CLI. When connecting to an Arista network device, you start at the OS-level. Arista has a mode called Arista CLI privileged mode in which you can enter a Bash shell if needed. The command enable enters privileged mode. With this in mind, this guide assumes all commands are entered into the Arista CLI.

Minion SWIX package installation#

To install the SWIX package:

  1. Download, verify, and transfer the Arista installation files from repo.saltproject.io. The Arista native minion package is SWIX file.

    Note

    If installing on a virtual machine, consult the documentation for your hypervisor as the commands might differ slightly.

  2. Once the Arista native minion is available in the flash directory, enter privileged mode and copy the SWIX extension, replacing the placeholder text with the correct file name:

    copy arista-native-minion-filename.swix extension:
    
  3. View the extensions detail by running the following command:

    show extensions detail
    

    This command returns an output similar to the following example:

            Name: salt-|arista-version|.64.swix
         Version: |arista-version|
         Release: 1
        Presence: available
          Status: not installed
          Vendor:
         Summary: Self contained Salt Minion binary
        Packages:
      Total size: 0 bytes
     Description:
     Self contained Python |arista-python-version| Salt Minion 64-bit binary
    
  4. Install the SWIX package, replacing the placeholder text with the correct file name:

    extension arista-native-minion-filename.swix
    
  5. View the extensions detail again to verify that the status, package, and file size has changed:

    show extensions detail
    

    This command returns an output similar to the following example:

            Name: salt-3005.64.swix
         Version: 3005
         Release: 1
        Presence: available
          Status: installed
          Vendor:
         Summary: Self contained Salt Minion binary
        Packages: salt-3005.x86_64.rpm 3005/1
      Total size: 222446843 bytes
     Description:
     Self contained Python |arista-python-version| Salt Minion 64-bit binary
    
  6. Run the following commands:

    bash
    sudo su
    
  7. Edit the /etc/salt/minion file to update the minion configuration with your environment’s specific details, such as the master’s IP address, the minion ID, etc.

  8. (Optional): If your router does not have the ability to use Reverse DNS lookup to obtain the Fully Qualified Domain Name (fqdn) for an IP Address, you’ll need to change the enable_fqdns_grains setting in the configuration file to False instead. For example:

    enable_fqdns_grains: True
    

    Note

    This setting needs to be changed because all IP addresses are processed with underlying calls to socket.gethostbyaddr. These calls can take up to 5 seconds to be released after reaching socket.timeout. During that time, there is no fqdn for that IP address. Although calls to socket.gethostbyaddr are processed asynchronously, the calls still add 5 seconds every time grains are generated if an IP does not resolve.

  9. Verify that Salt is running:

    ps -ef | grep salt
    

    If the minion is installed correctly and is disabled, the output is similar to the following:

    * salt-minion.service - The Salt Minion
       Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
       Active: inactive (dead)
         Docs: man:salt-minion(1)
               file:///usr/share/doc/salt/html/contents.html
               https://docs.saltproject.io/en/latest/contents.html
    
  10. Start the Arista native minion as a daemon and check its status with the following command:

    systemctl start salt-minion
    

    The output should be similar to the following:

    * salt-minion.service - The Salt Minion
       Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
       Active: active (running) since Wed 2020-09-02 16:22:11 UTC; 4s ago
         Docs: man:salt-minion(1)
               file:///usr/share/doc/salt/html/contents.html
               https://docs.saltproject.io/en/latest/contents.html
     Main PID: 4259 (salt-minion)
       Memory: 81.7M (limit: 250.0M)
       CGroup: /system.slice/salt-minion.service
               |-4259 /bin/bash /usr/bin/salt-minion
               |-4267 /opt/saltstack/salt/run/run minion
               |-4268 /opt/saltstack/salt/run/run minion
               |-4273 /opt/saltstack/salt/run/run minion KeepAlive MultiMinionProcessManager MinionProcessManager
               |-4275 /opt/saltstack/salt/run/run minion KeepAlive MultiprocessingLoggingQueue
    

    Note

    Alternatively, you can check whether Salt is running with the command: ps -ef | grep salt.

  11. Once the Arista native minion has been started and is running, you can use the command salt-key to verify the master has received a request for the minion key.

  12. On the master, accept the minion’s key with the following command, replacing the placeholder test with the correct minion name:

    salt-key -y -a your-minion-name
    
  13. After waiting a small period of time, verify the connectivity between the master and minion using simple commands. For example, try running the following commands:

    salt your-minion-name test.versions
    salt your-minion-name grains.items
    salt your-minion-name cmd.run ‘ls -alrt /’
    

    If the key is accepted and the binding process is complete, you might see an output similar to the following example:

     salt-master# salt arista-423 test.versions
     arista64-423:
         Salt Version:
                 Salt: 3005
    
         Dependency Versions:
                     cffi: 1.14.2
                 cherrypy: Not Installed
                 dateutil: Not Installed
                docker-py: Not Installed
                    gitdb: Not Installed
                gitpython: Not Installed
                   Jinja2: 2.11.2
                  libgit2: Not Installed
                 M2Crypto: 0.36.0
                     Mako: Not Installed
             msgpack-pure: Not Installed
           msgpack-python: 1.0.0
             mysql-python: Not Installed
                pycparser: 2.14
                 pycrypto: Not Installed
             pycryptodome: 3.9.8
                   pygit2: Not Installed
                   Python: |arista-python-version|
             python-gnupg: Not Installed
                   PyYAML: 5.3.1
                    PyZMQ: 19.0.2
                    smmap: Not Installed
                  timelib: Not Installed
                  Tornado: 4.5.3
                      ZMQ: 4.3.2
    
          System Versions:
                     dist: centos 7 Core
                   locale: utf-8
                  machine: x86_64
                  release: 4.9.122.Ar-15352225.4232F
                   system: Linux
                  version: CentOS Linux 7 Core
    

Enabling Arista eAPI access for the minion#

The Arista native minion uses the pyeapi library to communicate with the Arista device. The pyeapi library is provided and installed by default with the Arista native minion. However, it is not installed by default with the standard Salt minion package.

Note

This document makes a distinction between a proxy minion connecting remotely to an Arista device and a standard minion making a remote connection. In general, the Arista native minion behaves more like the proxy minion. The native minion has its own Salt keys, can be targeted with grains, and can report back.

To enable eAPI access:

  1. Turn on the Arista API using the following commands:

    arista # config
    arista(config) # management API http-commands
    arista(config-mgmt-api-http-cmds) # protocol unix-socket
    arista(config-mgmt-api-http-cmds) # no shutdown
    arista(config-mgmt-api-http-cmds)
    arista(config-mgmt-api-http-cmds) # exit
    arista(config) # exit
    arista # write
    
  2. Open the minion configuration file at /etc/salt/minion and add the following section:

    pyeapi:
      username: <name of admin or eAPI user>
      password: <password of admin or eAPI user>
      transport: socket
      enablepwd: <password for enable mode, optional>
    
  3. Restart the salt-minion service on the device with the following command:

    sudo systemctl restart salt-minion
    
  4. Connect the Arista native minion to its master and ensure its key has has been accepted, as explained in Minion SWIX package installation.

  5. Run the following command, replacing the placeholder text with the minion ID for the Arista native minion:

    salt arista-minion-ID test.ping
    
  6. If this command returns a value of True, you can execute eAPI commands in the shell. For example:

    salt-master# salt arista64-423 pyeapi.get_config
    arista64-423:
        - ! Command: show running-config
        - ! device: veos64-423 (vEOS, EOS-4.23.2F)
        - !
        - ! boot system flash:/vEOS-lab.swi
        - !
        - transceiver qsfp default-mode 4x10G
        - !
        - hostname veos64-423
        - ip name-server vrf default 8.8.8.8
        - !
        - spanning-tree mode mstp
        - !
        - no aaa root
        - !
        - username admin role network-admin secret sha512 $6$jm1wk44bKE2rRHfP$fc.OCS7/jqgNgHPymxo370c1XgoaS6V894tff02YIlgV2B.7kGczXpgpa0HDQs3tn.5eBcmIpwNiNszXqfSEf.
        - !
        - interface Ethernet1
        - !
        - interface Ethernet2
        - !
        - interface Ethernet3
        - !
        - interface Management1
        -    ip address 10.0.2.63/24
        - !
        - no ip routing
        - !
        - ip route 0.0.0.0/0 10.0.2.2
        - !
        - management api http-commands
        -    protocol unix-socket
        -    no shutdown
        - !
        - end
    
    salt-master#
    

For more documentation on the capabilities of pyeapi, see the Salt Arista pyeapi module documentation.

Configure the Napalm module#

The napalm library is provided and installed by default with the Arista native minion. However, it is not installed by default with the standard Salt minion package.

To configure the native minion to use the napalm module:

  1. Open the minion configuration file at /etc/salt/minion and add the following section:

    napalm:
      username: <name of admin or user>
      password: <password of admin or user>
      host: localhost
      driver: eos
      provider: napalm_netacl
    
  2. Restart the salt-minion service on the device with the following command:

    sudo systemctl restart salt-minion
    
  3. Connect the Arista native minion to its master and ensure its key has has been accepted, as explained in Minion SWIX package installation.

  4. Run the following command to test that the module is configured correctly:

    salt veos-420 napalm.alive
    

    This command should have an output similar to the following:

    veos-420:
       ----------
       comment:
       out:
          ----------
          is_alive:
              True
    
       result:
           True
    

See Salt Proxy Napalm module documentation for more information about this module.

Minion SWIX package removal#

Removing the SWIX pack is similar to installation. The main difference is that the prefix no is prepended to certain commands.

Note

For more information, see the Arista documentation on extensions removal.

To remove the SWIX package:

  1. Run the following command:

    show extensions detail
    

    The output should be similar to the following example:

            Name: salt-3005.64.swix
         Version: 3005
         Release: 1
        Presence: available
          Status: installed
          Vendor:
         Summary: Self contained Salt Minion binary
        Packages: salt-3005.x86_64.rpm 3005/1
      Total size: 222446843 bytes
     Description:
     Self contained Python 3005 Salt Minion 64-bit binary
    
  2. Remove the SWIX package by running the following command, replacing the placeholder file with the correct file name:

    no extension arista-native-minion-filename.swix
    
  3. View the extensions detail again to verify that the status, package, and file size has changed by running the following command:

    show extensions detail
    

    This command returns an output similar to the following example:

            Name: salt-3005.64.swix
         Version: 3005
         Release: 1
        Presence: available
          Status: not installed
          Vendor:
         Summary: Self contained Salt Minion binary
        Packages:
      Total size: 0 bytes
     Description:
     Self contained Python 3005 Salt Minion 64-bit binary
    

Post-installation#

This reference section includes additional resources for porting the salt-minion service to Arista devices.

Starting and stopping the Arista native minion#

After installation, you can disable (start) and enable (stop) the Arista native minion using the following commands:

systemctl stop salt-minion

To restart the Arista native minion, use the following command:

systemctl start salt-minion

Dependencies and known issues#

The Arista native minion is a self-contained binary that includes Salt 3005 with pyeapi and other Naplam dependencies that internally use Python 3.7.10. All Python 3 utf-8 considerations are handled internally leveraging Python PEP 538 and 540 and hence can function in locales which only support ‘C’ and POSIX without issue.

Note

The 64-bit Arista native minion uses Python Python 3.7.10.

Since the Arista native minion is a self contained binary, there are no external dependencies to be considered.

Note

The deprecations are warnings of functionality that will be removed in Python 3.9. These deprecations do not affect current functionality and will be resolved in future versions of Salt.

The issue with the napalm grains also occurs on standard minions. It will be resolved in a future release of Salt.