SaltStack Support

Configuring the HPE OneView Proxy Minion

Overview 

SaltStack Enterprise ships with support for controlling Hewlett-Packard Enterprise hardware via the OneView API. This document covers enabling this integration to work with your infrastructure.

The integration takes the form of a "proxy" Salt Minion–a process that looks and acts like a minion to a Salt Master, but does not control a specific server. Instead it controls a different kind of device that cannot run a regular Salt Minion. Salt ships with proxy modules for a number of different devices including network equipment and REST APIs.

These instructions assume that you have a SaltStack Enterprise license and that your Salt Master has the SaltStack Enterprise API Extensions installed. See the appendix at the end of this document for further instructions should the Salt Master that will control the proxy minion is not connected to SaltStack Enterprise.

 

Configuration 

First, select a machine that will run the OneView proxy. This can be the same machine as your Salt Master, or another machine in your infrastructure. Whatever machine is selected needs to have network access to the OneView API endpoint (typically HTTPS on port 443), the Salt Master (ZeroMQ protocol on ports 4505 and 4506 or TCP Transport on port 443), and the SaltStack Enterprise server (also HTTPS on port 443 if so configured).

In /etc/salt/proxy you must have at least a directive indicating where the Salt Master is located, as in this example:

master: salt-master.internal.corporate.net
The other required proxy configuration can be accomplished through Salt's Pillar mechanism, or in the proxy's configuration file on the machine. The configuration format is the same for both mechanisms.

The proxy requires the following keys in the configuration:

  • proxymodule: should always have the value hpeov
  • host: The IP address or domain name of the OneView instance
  • username: A valid OneView username
  • password: Password corresponding to the OneView username
  • sse_url: URL for the SaltStack Enterprise server
  • sse_username: A valid SaltStack Enterprise user
  • sse_password: Password for the SSE user

Other valid configuration options are:

  • domain: Active Directory domain for when the OneView user is part of AD.
  • port: TCP port for OneView instance if other than 443

An example configuration block for /etc/salt/proxy would be:

proxy:
  proxymodule: hpeov
  host: oneview.internal.corporate.net
  username: oneview_user
  password: supersekrit
  sse_url: https://saltstackenterprise.internal.corporate.net
  sse_username: restricted_user
  sse_password: evenmoresekrit
This same block could be placed in a pillar file, and could then be referenced in the Salt Master's pillar top file like so:
base:
  'oneview':
    - proxyconfig
This would tell Salt that the minion named oneview should get the values found in /srv/pillar/proxyconfig.sls, assuming pillar locations are left at their defaults.

The sse_username and sse_password parameters are for a user in SaltStack Enterprise. A connection to SSE is made at startup as this user to verify licensing. This user can be an extremely limited-rights user. If desired, a SaltStack Enterprise role can be setup that contains a single permissions entry. The LICENSE.READ permission was created specifically for this purpose.

Next, ensure the proxy minion host has the following libraries for Python version 2.7.5+ installed:

  • hpOneView, version 3.3.0
  • amqp, version 1.4.9

 

Startup 

Start the proxy minion on that machine with

salt-proxy -l debug --proxyid=<desired minion name>
BASH

On the Salt Master, verify that a key has been requested by the proxy, and accept that key if it is correct:

# salt-key
[...]
minion2
minion3
<desired minion name>
[...]

# salt-key -a <desired minion name>
BASH

Then attempt to ping the proxy. Test.ping makes a full connection to the OneView API and verifies that it is responding.

# salt <desired minion name> test.ping
<desired minion name>:
    True
Next verify that you can retrieve server names from the API:
# salt <desired minion name> hpeov.get_server_names
<desired minion name>:
    - Server01
    - Blade02
    - [...]
After you have verified that the proxy minion is responding, you can stop salt-proxy with ^C and restart it by configuring a systemd unit or other init.d script.

Documentation 

Documentation for valid execution module functions can be retrieved with:

# salt <desired minion name> sys.doc hpeov
Documentation for valid state functions can be retrieved with:
# salt <desired minion name> sys.doc state.hpeov

State-Change Message Bus Bridge 

Activity in a OneView environment is communicated over an event bus called the State-Change Message Bus. This integration contains a Salt engine that bridges the SCMB to the Salt event bus so Salt reactors can be written to perform Salt operations in respond to changes in hardware.

To activate the engine, add the following to /etc/salt/proxy:

engines:
  - hpeov
Events from OneView will then show up on the Salt event bus with the tag salt/engines/hpeov.

Running the integration on Salt Masters without the SSE API Extensions installed 

Attached to this Knowledge Base article is a Salt Package (spm). Use Salt's spm tool to install this on the Salt Master to which the OneView Proxy Minion will be connected. On startup, the proxy minion will retrieve the files that it needs. Ensure that the additional required Python libraries (see top of this article) are installed on this machine also.