How to Install Salt for Junos OS

You can use Salt version 3001 (Sodium) or later to manage devices running Junos OS. The Salt master can manage devices running Junos OS through a Salt proxy minion, which can run on either the Salt master or a separate server. You must have one proxy minion per managed device, and each proxy minion requires approximately 40 MB to 100 MB of RAM.

The general installation process is:

  1. On each device running Junos OS:

    • Enable NETCONF over SSH.

    • Configure the user account and authentication method that Salt will use to connect to the device.

  2. On the Salt master:

    • Install Salt and its dependencies.

    • Define the proxy configuration for each managed device.

    • Start the salt-master process.

  3. On each Junos proxy minion server:

    • Install Junos PyEZ and the jxmlease and yamlordereddictloader Python modules.

    • Install Salt and its dependencies, if the server is separate from the Salt master.

    • Start the Junos proxy minion process for each managed device.

  4. On the Salt master, accept the keys for each Junos proxy minion.

  5. (Optional) Enable the Junos syslog engine (for Salt).

The following sections provide details for each part of the installation process for a server running Ubuntu 18.04. If you are running a different operating system, use the commands appropriate for your OS. We recommend using Python 3.

Configure the Device Running Junos OS

The Junos proxy minion accesses the NETCONF server on devices running Junos OS using the SSH protocol and standard SSH authentication mechanisms. To establish an SSHv2 connection with a device running Junos OS, you must ensure that the following requirements are met:

  • The NETCONF service over SSH is enabled on each device where a NETCONF session will be established.

  • The client application has a user account and can log in to each device where a NETCONF session will be established.

  • The login account used by the client application has an SSH public/private key pair or a text-based password configured.

  • The client application can access the public/private keys or text-based password.

If you are using SSH keys to authenticate with the device running Junos OS and the keys do not already exist, generate the public and private SSH key pair for the desired user on the proxy minion server, and provide any required or desired options, for example:

To configure the device running Junos OS:

  1. Configure the NETCONF-over-SSH service.
  2. Configure the user account and authentication method that Salt will use to connect to the device. For example:
  3. Commit the configuration.
  4. Verify that the password or SSH key works by logging in to the device from the proxy minion server using the configured username and authentication method.
  5. Repeat this process for each managed device running Junos OS.

For information about enabling NETCONF on a device running Junos OS and satisfying the requirements for establishing an SSH session, see the NETCONF XML Management Protocol Developer Guide.

Set Up the Salt Master

The Salt master is the main control server that manages one or more nodes, or minions. SaltStack recommends installing a Salt master on a dedicated management server or virtual machine (VM). You must install Salt Release 3001 (Sodium) or later to manage devices running Junos OS.

To install and configure a Salt master:

  1. Install the Salt dependencies and Salt master on the Salt master server.

    To install a Salt master, either manually install the packages and dependencies for your platform or run the Salt bootstrap script.

    For example, to use the bootstrap script to install the Python 3 packages for a Salt master, issue the following commands:

  2. Customize the Salt master configuration file, which is typically located at /etc/salt/master, for your environment.
    Note:

    For detailed information about customizing the Salt master configuration file, see https://docs.saltstack.com/en/latest/ref/configuration/master.html.

  3. Create the necessary directory structure as defined in the Salt master configuration file.
  4. Define the proxy configuration by creating a pillar file for each managed device that specifies proxytype: junos, the hostname or IP address of the corresponding managed device running Junos OS, and the appropriate connection and authentication parameters for that device.

    See salt.proxy.junos for more information about the proxy configuration.

    Note:

    For information about securely storing sensitive data in Salt, see https://docs.saltstack.com/en/latest/topics/best_practices.html#storing-secure-data.

  5. Create the pillar top file, and for each managed device, define a proxy minion name and map it to the pillar file containing the proxy configuration for that device.

    In the following example, the Junos proxy minion identified as 'router1' is mapped to the router1-proxy.sls file.

  6. Start the salt-master process, if it is not already running.
    Note:

    To start the process in debug mode for troubleshooting purposes, use sudo salt-master -l debug.
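
Steps 4 and 5 above, as an added example that is not part of the original documentation: a shell function that writes the proxy pillar file and the pillar top-file entry for one device, using SSH key authentication instead of a password stored in pillar. The pillar root, proxy ID, host, username and key path are assumed values supplied by the caller; the option names are those documented for salt.proxy.junos.

```sh
# Added example (not from the original page). Run as the account that runs
# salt-master so the owner-only pillar file stays readable to it.
# Option names follow salt.proxy.junos; all argument values are assumptions.
write_junos_proxy_pillar() {
    pillar_root=$1 proxyid=$2 host=$3 user=$4 keyfile=$5

    # The proxy ID becomes a file name and a YAML key: allow a safe set only.
    case $proxyid in
        ''|*[!A-Za-z0-9._-]*) echo "invalid proxy ID: $proxyid" >&2; return 1 ;;
    esac

    mkdir -p "$pillar_root" || return 1
    sls="$pillar_root/$proxyid-proxy.sls"
    top="$pillar_root/top.sls"

    # The file holds connection and authentication parameters: owner-only.
    # Values are single-quoted YAML scalars and must not contain a quote.
    ( umask 077
      cat > "$sls" <<EOF
proxy:
  proxytype: junos
  host: '$host'
  username: '$user'
  ssh_private_key_file: '$keyfile'
  port: 830
EOF
    ) || return 1
    chmod 600 "$sls" || return 1

    # Create the top file if needed, then map the proxy ID to its pillar
    # file exactly once.
    [ -f "$top" ] || printf 'base:\n' > "$top"
    if ! grep -qF "  '$proxyid':" "$top"; then
        printf "  '%s':\n    - %s-proxy\n" "$proxyid" "$proxyid" >> "$top"
    fi
}
```

For example, `write_junos_proxy_pillar /srv/pillar router1 192.0.2.10 saltuser /home/saltuser/.ssh/id_rsa` (constructed values) produces router1-proxy.sls and maps 'router1' to it in top.sls.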

Set Up the Junos Proxy Minion Server

You must install the following software on a proxy minion server that will manage devices running Junos OS:

  • Salt software

  • Juniper Networks’ Junos PyEZ library

  • jxmlease and yamlordereddictloader Python modules

The Junos proxy minion uses the Junos PyEZ library to connect to the device’s NETCONF server and perform management tasks.

Note:

If you run the Salt master and Junos proxy minions on the same server, the minion hostname in this section will be identical to the Salt master hostname in the previous section.

To set up a Junos proxy minion on either the Salt master server or a separate server:

  1. Install the Python package manager for the same Python version that Salt uses.
  2. Install Junos PyEZ (junos-eznc) under the same Python version that Salt uses.

    For platform-specific requirements, prerequisite software, and installation instructions, see:

  3. Install the jxmlease and yamlordereddictloader Python modules under the same Python version that Salt uses.
  4. If the proxy minion server is separate from the Salt master server, install Salt and its dependencies on the server.

    To install Salt, either manually install the packages and dependencies for your platform or run the Salt bootstrap script.

    For example, to use the bootstrap script to install the Python 3 packages for Salt, issue the following commands:

  5. Configure the master parameter in the /etc/salt/proxy file with the Salt master’s hostname or IP address, which enables the proxy minion process to find the Salt master.

    If the salt-master and proxy minion processes run on the same server, you can specify localhost instead.

  6. Start the Junos proxy minion process for each device running Junos OS, and include the -d option to run it as a daemon.

    The proxy IDs should be the same as those defined in the pillar top file on the Salt master.

    Note:

    If you encounter an AttributeError: 'module' object has no attribute 'SSL_ST_INIT' error when starting the proxy process, you might need to update the OpenSSL package on your platform.

    Note:

    To start the process in debug mode for troubleshooting purposes, use sudo salt-proxy --proxyid=router1 -l debug.

The proxy minion connects to the Salt master and sends its public key. The Salt master must accept the key before the Salt master and proxy minion can communicate.

Authorize the Proxy Minion Keys on the Salt Master

Salt uses public keys for authentication with the Salt master process. By default, the Salt master does not authorize any minion or proxy minion keys. You must accept the keys before you can manage the corresponding devices.

You can accept the keys manually, as described in this section. Alternatively, if you know that the incoming keys do not pose a security threat, for example, if the salt-master and salt-proxy processes run on the same server, you can include the auto_accept: True option in the Salt master configuration file to accept all incoming keys automatically. With this option set, the master accepts the key of any minion or proxy minion that connects to it, without review. For security purposes, this option is disabled by default.

To list and accept the pending keys:

  1. View the proxy minions’ public key status.
  2. Accept the key for each Junos proxy minion.
    Tip:

    Use the -A option to accept all pending keys, for example, sudo salt-key -A.
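
One way to make the manual acceptance step check the key itself, as an added example that is not part of the original documentation: accept a pending proxy minion key by name only when its fingerprint matches the one recorded on the proxy minion server. It assumes that `salt-key -f <id>` prints each key as `<id>:  <fingerprint>` under a section header such as `Unaccepted Keys:`, and that the expected fingerprint was obtained out of band; the function names are hypothetical.

```sh
# Added example (not from the original page).

# Print the fingerprint of proxy ID $1 from the "Unaccepted Keys:" section of
# `salt-key -f` output passed in $2; print nothing if that key is not pending.
pending_fingerprint() {
    printf '%s\n' "$2" | awk -v id="$1:" '
        /^[A-Za-z ]+ Keys:$/ { pending = ($0 == "Unaccepted Keys:"); next }
        pending && $1 == id  { print $2; exit }'
}

# Succeed only when the pending key for $1 has the expected fingerprint $2.
# Comparison ignores hex letter case; an empty result never matches.
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    got=$(pending_fingerprint "$1" "$3" | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Accept a single key by name (not -A) after the fingerprint check passes.
accept_verified_key() {
    listing=$(sudo salt-key --no-color -f "$1") || return 1
    if fingerprint_matches "$1" "$2" "$listing"; then
        sudo salt-key -y -a "$1"
    else
        echo "fingerprint mismatch or no pending key for $1; not accepting" >&2
        return 1
    fi
}
```

Call it as `accept_verified_key router1 <fingerprint>`, where the fingerprint placeholder is the value read on the proxy minion server.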

Verify the Connection to the Managed Device

After accepting the keys on the Salt master, call the test.ping execution function to ping the proxy minion over the message bus and verify that the minion is up and communicating. You can specify a target minion or use '*' to ping all minions.

The following example pings the device running Junos OS that is associated with the Junos proxy minion router1.

The following example pings all minions that the Salt master manages:

The following example uses the junos.cli function to issue the show version command on the specified device running Junos OS:

Note:

If you encounter the error 'junos' __virtual__ returned False: The junos or dependent module could not be loaded: junos-eznc or jxmlease or yamlordereddictloader or proxy could not be loaded, the Junos proxy minion server might not have Junos PyEZ or the jxmlease or yamlordereddictloader modules installed, or the Junos proxy minion process might not be running or it can’t authenticate with the device.

(Optional) Configure the Junos Syslog Engine

The Junos syslog engine (for Salt) can be used for event-based state management of devices running Junos OS. When you enable the Junos syslog engine, it listens for syslog events, extracts the event information, translates it to Salt format, and publishes it on the Salt event bus. To enable the Junos syslog engine, you must configure the Junos syslog engine on the Salt master, and you must also configure the device running Junos OS to send syslog events to the configured port on the Salt server.

Note:

The Junos syslog engine can also run on the proxy minion server.

To enable the Junos syslog engine on the Salt master:

  1. Install the Python package manager for the same Python version that Salt uses.
  2. Install the pyparsing and twisted Python modules for the same Python version that Salt uses.
  3. Configure the Junos syslog engine under the engines section in the Salt master configuration file, and configure the port on which the engine listens for events.
  4. (Optional) Configure the topic parameter to specify the fields that appear after jnpr/syslog/ in the event’s topic title when it is published to the event bus.
  5. (Optional) Configure the daemon parameter to instruct the engine to only subscribe to and publish the events that are generated by specific Junos OS processes.
  6. Restart the Salt master process to apply the new configuration.

To configure the device running Junos OS to send syslog events to the host on which the Junos syslog engine is running:

  1. Configure the hostname or IP address of the server on which the Junos syslog engine is running, and configure the port on which it is listening.

  2. Configure the types of events to send.

    • To send all events, configure any any to indicate all facilities and all message severity levels.

    • To send only specific events, configure the facility and message severity level of the events to capture, for example:

  3. Commit the configuration.