top of page
  • Akmod

Heist, Salt, and Idem: Revolutionizing Instance Bootstrapping

Updated: Jun 8, 2023

Managing servers or virtual machines (VMs) at scale presents one of the most significant challenges in modern DevOps. To address this, potent solutions such as Salt, a powerful configuration management tool, and Idem, a state execution and orchestration tool, have stepped onto the stage. Yet, the continuous evolution of these tools brings about even more refined solutions. This blog post will shed light on the promising evolution of Salt-SSH, known as Heist, and how it collaborates with Heist-Salt and Idem/Idem-AWS. Excitingly, these powerful tools are on the brink of enabling effortless bootstrapping of Salt minions on Amazon EC2 instances.

The Evolution: Heist

Heist, represents the next stage in the evolution of Salt-SSH. Built on the back of asynchronous libraries like asyncssh, Heist seeks to offer a streamlined and efficient way of sending Salt commands over SSH, which reduces the need for full Salt Minion or Master installations. Heist is more than just a tool for issuing commands - it also enables bootstrapping of Salt on its targets to establish a persistent master or minion.

The term "Heist" was originally coined as a play on the Heisenberg principle (The first iteration of the project was just called "heis"), reflecting the "now you see it, now you don't" nature of the deployment process. After executing commands via a binary on the target, Heist leaves no trace, akin to a perfect heist. This efficient and unobtrusive approach adds a new dimension to system management.

Bridging the Gap: Heist-Salt

Heist-Salt acts as a plugin bridging Heist and Salt, allowing Heist to bootstrap Salt minions. By combining the robust remote system management capabilities of Salt with the agile execution of Heist, Heist-Salt facilitates efficient control over distributed systems.

Heist-Salt extends Heist's functionality by adding "heist managers" for deploying salt minion, master, and proxy. Built on the pluggable Pop paradigm, Heist encourages the creation of additional heist managers beyond those provided by Heist-Salt. This potential paves the way for bootstrapping practically any service using Heist.

Efficient Management: Idem and Idem-AWS

Idem brings innovation to state execution, enabling users to define and achieve desired system states with ease and extensibility. Its sister plugin, Idem-AWS, compliments Idem by providing declarative management of AWS resources, including EC2 instances.

Idem's ability to deploy and manage instances across multiple clouds opens up new possibilities for user scripts. Once integrated with Heist, Idem could provide fine-tuned management of Salt agents on EC2 instances. Thus, Idem manages cloud resources and connections, while Salt takes care of packages and files directly on the instance.

Heist in Action: Bootstrapping Salt Minions on EC2 Instances

The forthcoming integration of Heist, Heist-Salt, and Idem/Idem-AWS promises an automated, efficient bootstrapping process of Salt minions on EC2 instances. This procedure is defined within the EC2 instance creation itself, using the 'bootstrap' parameter:

   # ... other instance parameters
    - bootstrap:
      - heist_manager: salt.minion

For more advanced use cases, you can gain granular control over the bootstrapping process using all available connection options:

   # ... other instance parameters
    - bootstrap:
      - instance_id: ...  # An AWS EC2 Instance ID.
      - username: ...  # The instance OS username to use in the connection. Defaults to ec2-user.
      - host: ...  # The public IP address or DNS name of the instance. Defaults to autodetect.
      - port: ...  # The port to connect to on the host. Defaults to 22.
      - ssh_public_key: ...  # A public SSH key or path to send to the instance.
      - ssh_private_key: ...  # A private SSH key or path to send to the instance.
      - availability_zone: ...  # The Availability Zone in which the EC2 instance was launched.
      - heist_manager: salt.minion  # The Heist manager to use to bootstrap the instance.
      - artifact_version: ...  # The version of the Heist manager's artifact to upload to the instance. Defaults to latest.
      - kwargs: ...  # All extra kwargs are used in asyncssh.SSHClientConnectionOptions.

This granular control allows for fine-tuning and customization, making it highly adaptable for various use cases. Whether you need to configure different connection credentials, manage different versions of Heist artifacts, or verify SSH connections, these options provide the flexibility needed to create a reliable, automated, and efficient bootstrapping process.

The Future: Seamless Integration and Extensibility

Heist and Heist-Salt are currently undergoing a major refactor to enable seamless integration with Idem. Once this process is completed, it will also be clearer how to create Heist plugins to extend the bootstrap process to other services.

This upcoming integration will enable Idem-AWS and EC2 instances to serve as templates for integrating Heist bootstrapping into other Idem plugins, such as Idem-GCP and Idem-Azure. This advance will open new possibilities for efficient, automated management of distributed cloud resources across multiple platforms.

As DevOps continues to evolve, tools like Heist, Heist-Salt, and Idem are leading the way towards more efficient, streamlined processes. We eagerly anticipate the changes on the horizon and look forward to seeing how these tools shape the future of server and VM management.


bottom of page