SaltStack
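SaltStack features
- A configuration management tool with a client/server (C/S) architecture, written in Python
- Uses the ZeroMQ message queue in pub/sub mode for its underlying communication
- Manages authentication by issuing SSL certificates; traffic is encrypted with AES
SaltStack has four main functions:
- Remote execution
- Configuration management / state management
- Cloud management (cloud)
- Event-driven operation
SaltStack can manage hosts in bulk through remote execution, and achieves specific functions by describing the desired state.
SaltStack's four modes of operation:
- Local: runs locally
- Master/Minion: the traditional mode
- Syndic: distributed
- Salt SSH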
Installing SaltStack
Environment
Role | IP address | Applications to install |
---|---|---|
Control node (master) | 192.168.47.115 | salt-master salt-minion |
Managed node (minion) | 192.168.47.120 | salt-minion |
Install and configure salt-master and salt-minion on the control node
# Disable the firewall and SELinux
[root@master ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@master ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@master ~]# setenforce 0
# Configure the Salt repository
[root@master ~]# rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@master ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo
[salt-latest-repo]
name=Salt repo for RHEL/CentOS 8 PY3
baseurl=https://repo.saltproject.io/py3/redhat/8/x86_64/latest
skip_if_unavailable=True
failovermethod=priority
enabled=1
enabled_metadata=1
gpgcheck=1
gpgkey=https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
# Install SaltStack
[root@master ~]# yum -y install salt-master salt-minion
[root@master ~]# cd /etc/salt/
[root@master salt]# ls
cloud cloud.deploy.d cloud.profiles.d master minion pki proxy.d
cloud.conf.d cloud.maps.d cloud.providers.d master.d minion.d proxy roster
[root@master salt]# vim minion
#master: salt
master: 192.168.47.115    # added
# Start salt-master and salt-minion
[root@master ~]# systemctl enable --now salt-master salt-minion
Created symlink /etc/systemd/system/multi-user.target.wants/salt-master.service → /usr/lib/systemd/system/salt-master.service.
Created symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service → /usr/lib/systemd/system/salt-minion.service.
# 4505 and 4506 are both salt-master ports: 4505 is publish_port and 4506 is ret_port
[root@master ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4506 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
Install and configure salt-minion on the managed node
# Disable the firewall
[root@minion ~]# systemctl disable --now firewalld
[root@minion ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@minion ~]# setenforce 0
# Set up the required repository
[root@minion ~]# rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@minion ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo
[salt-latest-repo]
name=Salt repo for RHEL/CentOS 8 PY3
baseurl=https://repo.saltproject.io/py3/redhat/8/x86_64/latest
skip_if_unavailable=True
failovermethod=priority
enabled=1
enabled_metadata=1
gpgcheck=1
gpgkey=https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
# Install salt-minion
[root@minion ~]# yum -y install salt-minion
# Edit the configuration file to add the master host's IP
[root@minion ~]# sed -i '/^#master:/a master: 192.168.47.115' /etc/salt/minion
[root@minion ~]# sed -n '/^master/p' /etc/salt/minion
master: 192.168.47.115
# Start salt-minion
[root@minion ~]# systemctl enable --now salt-minion
Created symlink /etc/systemd/system/multi-user.target.wants/salt-minion.service → /usr/lib/systemd/system/salt-minion.service.
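Common salt-key options
// Common salt-key options
-L // List all public keys
-a minion // Accept the pending key of the specified minion
-A // Accept all pending minion keys
-r minion // Reject the pending key of the specified minion
-R // Reject all pending minion keys
-f minion // Show the fingerprint of the specified key
-F // Show the fingerprints of all keys
-d minion // Delete the specified minion's key
-D // Delete all minion keys
-y // Answer yes automatically
// View the current certificate status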
[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
master
minion
Rejected Keys:
// Accept the new certificate of the specified minion
[root@master ~]# salt-key -ya minion
The following keys are going to be accepted:
Unaccepted Keys:
minion
Key for minion minion accepted.
[root@master ~]# salt-key -L
Accepted Keys:
minion
Denied Keys:
Unaccepted Keys:
master
Rejected Keys:
// Accept the new certificates of all minions
[root@master ~]# salt-key -yA
The following keys are going to be accepted:
Unaccepted Keys:
master
Key for minion master accepted.
[root@master ~]# salt-key -L
Accepted Keys:
master
minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:
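Accepting with -a or -A trusts whatever key is currently pending under that minion ID. The following added example (not part of the original page) compares the fingerprint that `salt-key -f` reports for a pending key with the one printed on the minion by `salt-call --local key.finger`, and accepts only on a match; the function names and the shortened sample fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): accept a pending minion key
# only after its fingerprint has been verified out of band.

# Constructed sample of `salt-key -f minion` output; the fingerprint is
# shortened and made up.
SAMPLE_OUTPUT='Unaccepted Keys:
minion:  de:ad:be:ef:00:11:22:33'

# Read `salt-key -f ID` output on stdin and print ID's fingerprint, but only
# if the key is listed under "Unaccepted Keys:".
pending_fingerprint() {
    awk -v id="$1" '
        /^[A-Za-z]+ Keys:$/ { section = $0; next }
        section == "Unaccepted Keys:" && $1 == (id ":") { print $2; exit }
    '
}

# Case-insensitive comparison; an empty fingerprint never matches.
fingerprints_match() {
    fm_a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    fm_b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$fm_a" ] && [ "$fm_a" = "$fm_b" ]
}

# Usage on the master: accept_if_verified ID EXPECTED_FP
# EXPECTED_FP is what `salt-call --local key.finger` printed on the minion.
accept_if_verified() {
    av_seen=$(salt-key --no-color -f "$1" | pending_fingerprint "$1")
    if fingerprints_match "$av_seen" "$2"; then
        salt-key -y -a "$1"
    else
        echo "refusing $1: pending fingerprint does not match" >&2
        return 1
    fi
}

# Offline demonstration on the constructed sample.
demo_fp=$(printf '%s\n' "$SAMPLE_OUTPUT" | pending_fingerprint minion)
if fingerprints_match "$demo_fp" "DE:AD:BE:EF:00:11:22:33"; then
    echo "minion: fingerprint verified, safe to accept"
fi
```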
SaltStack remote execution
// Test whether the specified managed minion host is alive
[root@master ~]# salt 'minion' test.ping
minion:
True
// Test whether all managed hosts are alive
[root@master ~]# salt '*' test.ping
minion:
True
master:
True