Juniper#

Welcome to the Juniper native minion installation guide. This installation guide explains the process for installing a Salt native minion on Juniper network devices. This guide is intended for system administrators with the general knowledge and experience required in the field, such as administering network devices running Junos OS.

Browse the repo for Juniper packages

Juniper Python3

What are Salt native minions?

Salt can target network-connected devices through Salt proxy minions. Proxy minions are a Salt feature that enables controlling devices that, for whatever reason, cannot run the standard salt-minion service. Examples include network gear that has an API but runs a proprietary OS, devices with limited CPU or memory, or devices that could run a minion but, for security reasons, will not.

Salt native minions are packaged to run directly on specific devices, removing the need for proxy minions running elsewhere on a network. Native minions have several advantages, such as:

  • Performance boosts: With native minions, Salt doesn’t need to rely on constant SSH connections across the network. There is also less burden on the servers running multiple proxy minions.

  • Higher availability: For servers running multiple proxy minions, server issues can cause connection problems to all proxy minions being managed by the server. Native minions remove this potential point of failure.

  • Improved scalability: When adding devices to a network that are supported by native minions, you aren’t required to deploy proxy minions on separate infrastructure. This reduces the burden of horizontally or vertically scaling infrastructure dedicated to proxy minions.

Note

For an overview of how Salt works, see Salt system architecture.

Before you start#

Before installing the Juniper native minion:

  • Check that your network device and firmware are supported. See Juniper for more information.
  • Ensure that ports 4505 and 4506 are open on the applicable Juniper switches or routers.

Salt uses ports 4505 and 4506 for outbound communication from the master to the minions. The Juniper native minion uses a direct connection to the Juniper switch or router and uses the Management Interface on the switch/router for communication. For that reason, ports 4505 and 4506 need to be open on the appropriate Management Interfaces.

Installation#

Juniper network devices run Junos OS, which includes the Junos CLI. When connecting to a Juniper network device, you start at the OS-level. To run commands within Junos OS command-line interface (CLI), you need to first run the CLI command.

Shell pre-configuration#

Before you can install the Juniper native minion, you need to set up your shell pre-configuration:

  1. Run the following command within the shell:

    mkdir -p /var/local/salt/etc
    
  2. Save the following configuration in /var/local/salt/etc/proxy:

    master: <ip of salt master>
    proxy:
      proxytype: junos
      host: localhost
    
    beacons:
      junos_rre_keys:
        -  interval:
             43200
    
    ping_interval: 2
    
    loop_interval: 1
    
    enable_fqdns_grains: False
    

Note

You may also use the standard configuration commands for Salt if needed.

Proxy pre-configuration#

The beacons portion of the configuration is needed on routing platforms with dual Routing Engines. The beacon configuration ensures the following directories and files are copied to the backup Routing Engine:

Directory Description
/var/local/salt/etc/pki The directory where the master and minion keys reside. If the Routing Engine master changes, the master still recognizes the new Routing Engine due to configuration existing by both Routing Engines.
/var/local/salt/etc/proxy Copying this file to the backup Routing Engine ensures that the same configuration exists in both Routing Engines without additional steps needed on the network device.

The interval property is defined in a measurement of seconds, dictating how often files are copied to the backup Routing Engine.

Note

When the Juniper native minion is installed, log rotation for the native minion log file /var/log/salt/proxy is automatically installed, with:

  • A limit of 7 compressed files.
  • Log rotation if the log file exceeds 200 KB.

CLI pre-configuration#

To configure your CLI:

  1. Run the following commands within the CLI at the edit prompt:

    edit
    set system services ssh root-login allow
    set system services netconf ssh
    set system extensions providers saltstack license-type customer deployment-scope commercial
    
  2. To confirm these commands were successful, run:

    show system extensions providers
    

    This command provides an expected output of:

    saltstack {
      license-type customer deployment-scope commercial;
    }
    
  3. If the command was successful, commit the changes with:

    commit
    

Juniper native minion installation and configuration#

To install and configure the Juniper native minion:

  1. Download, verify, and transfer the Juniper installation files from repo.saltproject.io. The Juniper is a tarball.

  2. Run the following commands within the CLI at the edit prompt:

    run request system software add /var/tmp/<salt-native-minion>.tgz
    exit
    
  3. Edit the /var/local/salt/etc/salt/proxy file to update the minion configuration with your environment’s specific details, such as the master’s IP address, the minion ID, etc.

  4. (Optional): If your router does not have the ability to use Reverse DNS lookup to obtain the Fully Qualified Domain Name (fqdn) for an IP Address, you’ll need to change the enable_fqdns_grains setting in the configuration file to False instead. For example:

    enable_fqdns_grains: True
    

    Note

    This setting needs to be changed because all IP addresses are processed with underlying calls to socket.gethostbyaddr. These calls can take up to 5 seconds to be released after reaching socket.timeout. During that time, there is no fqdn for that IP address. Although calls to socket.gethostbyaddr are processed asynchronously, the calls still add 5 seconds every time grains are generated if an IP does not resolve.

  5. In the /var/local/salt/etc/salt/proxy configuration file, change the following settings to:

    ping_interval: 2
    loop_interval: 1
    

Installing the Juniper native minion:

  • Creates /var/db/scripts/commit/salt.slax
  • Creates /var/db/scripts/event/salt_event.py
  • Creates /var/db/scripts/op/salt_dualrengine.slax
  • Creates /var/db/scripts/event/salt_log.slax
  • Creates a backup in the /config/SaltBackup directory * This backup is referenced during native minion upgrades
  • Configures: * saltstack super-user * Event-options SALT_POLICY and salt_event.py event script * salt.slax commit script * Copies above scripts to the other dual routing engine, if it exists * Configures log rotation of /var/log/salt/proxy automatically

Enabling and starting Salt as a service#

The next step in the installation process is to enable and start Salt as a service on the Juniper native minion:

  1. Run the following commands within the CLI at the edit prompt:

    set system extensions extension-service application file salt-junos arguments minion daemonize
    
  2. To confirm these commands were successful, run:

    show system extensions extension-service
    

    This command provides an expected output of:

    application {
      file salt-junos {
        arguments minion;
        daemonize;
      }
    }
    
  3. If the command was successful, commit the changes with:

    commit
    

Verifying the installation#

A running native minion will typically have three processes running salt-junos. To check the initial health of the new installation:

  1. Run the following command within the CLI at the edit prompt:

    show system processes extensive| match salt
    

    This command provides a similar output to:

    57858 - I 0:00.00 /var/run/scripts/jet/salt-junos minion
    57859 - I 0:00.49 /var/run/scripts/jet/salt-junos minion
    57861 - S 0:39.39 /var/run/scripts/jet/salt-junos minion
    
  2. To retrieve the local native minion version, run the following within the CLI:

    show version | match salt
    

    Depending on the version output, the resulting output is similar to the following format:

     Salt Minion 3005 for JUNOS [20210827-213932]
    
  3. To see the super-user created by, and used to manage, the native minion:

    show configuration system login user saltstack
    

Post-installation#

Once the key for the Juniper network device has been accepted by your master, Salt can be used to manage the native minion. To validate that Salt is managing the minion, run some basic Salt commands to retrieve baseline information:

salt <juniper-target> test.ping
salt <juniper-target> test.version

Note

To use the Junos Automation Enhancements, you must install the software bundle that contains Enhanced Automation. See Running Junos OS with Enhanced Automation.

Starting and stopping the Juniper native minion#

After installation, you can disable (start) and enable (stop) the Juniper native minion using the following commands from the edit prompt:

deactivate system extensions extension-service application file salt-junos
commit

To restart the Juniper native minion, use the following commands from the edit prompt:

activate system extensions extension-service application file salt-junos
commit

Additional references#

For Junos OS specific modules that can be used against Junos native minions from a master, refer to the following:

Additional documentation endpoints for reference: