How To: Install Salt Minion on an Arista Switch that uses a Management VRF

Recently, as a part of network automation at $dayjob, I have been provisioning Salt across our network footprint. One particular problem I’ve run into is that we use a dedicated management VRF on all of our devices.

This was an issue because by default, commands ran on bash on the Arista software run in the default VRF, and in that state we can’t communicate with our management IP networks. There just isn’t a route to the management networks on the default routing table.

Our Salt server only has a Management VRF IP address, and we did not want to configure a proxy to make the Salt master reachable outside the Management VRF.

I had previously had no experience with management VRFs on Linux, and there were no articles that were particularly helpful in helping me to run commands specifically in the management VRF of an Arista switch, within the context of the Bash/Linux shell.

If you find yourself in this same situation, you’ll want to do the following, assuming you were able to get Salt Minion installed on the switch already.

1. Start a root bash shell on the switch
2. Identify your VRFs on the switch using the command “ip netns list” For us, this produced the following output:

bash-4.2# ip netns list
ns-MGMT
default

3. Edit the default systemd salt-minion service file to tell it to start within the ns-MGMT VRF. For us, this was located at /usr/lib/systemd/system/salt-minion.service

Change the following line:

ExecStart=opt/saltstack/salt/run/run minion

To:

ExecStart=/usr/sbin/ip netns exec ns-MGMT /opt/saltstack/salt/run/run minion

4. Restart the salt minion service, and you should now see the keys “unaccepted” but seen on your Salt master

That’s it! You’re now ready to use Salt on your Arista device. Continue to follow the Salt install guide for Arista devices and configure your Salt master.