SaltStack之salt-ssh

1. salt-ssh介绍

salt-ssh可以让我们不需要在受控机上安装salt-minion客户端也能够实现管理操作。

1.1 salt-ssh的特点

远程系统需要Python支持，除非使用-r选项发送原始ssh命令
salt-ssh是一个软件包，需安装之后才能使用，命令本身也是salt-ssh
salt-ssh不会取代标准的Salt通信系统，它只是提供了一个基于SSH的替代方案，不需要ZeroMQ和agent
请注意，由于所有与Salt SSH的通信都是通过SSH执行的，因此它比使用ZeroMQ的标准Salt慢得多

1.2 salt-ssh远程管理的方式

salt-ssh有两种方式实现远程管理，一种是在配置文件中记录所有客户端的信息，诸如 IP 地址、端口号、用户名、密码以及是否支持sudo等；另一种是使用密钥实现远程管理，不需要输入密码。

2. salt-ssh管理
   在 master 上安装 salt-ssh

[root@master ~]# yum -y install salt-ssh

2 通过使用用户名密码的SSH实现远程管理

修改配置文件，添加受控机信息

[root@master salt]# cat roster 
# Sample salt-ssh config file
#web1:
#  host: 192.168.230.1 # The IP addr or DNS hostname
#  user: fred         # Remote executions will be executed as user fred
#  passwd: foobarbaz  # The password to use for login, if omitted, keys are used
#  sudo: True         # Whether to sudo to root, not enabled by default
#web2:
#  host: 192.168.230.2
node1:  #添加 
  host: 192.168.230.131  #添加
  user: root   # 添加
  passwd: 1    # 添加
[root@master salt]# pwd
/etc/salt
[root@master ~]# salt-ssh 'node1' test.ping
node1:
    True

[root@master ~]# salt-ssh -r 'node1' "yum -y install python3"```

[root@master ~]# cat test.sh 
#!/bin/bash
while read line;do
        cat >> abc << EOF
node$(echo $line | awk '{print $1}'):
  host: $(echo $line | awk '{print $2}')
  user: root
  passwd: 1
EOF
done < host.info



[root@master ~]# cat host.info 
1 192.168.230.132
2 192.168.230.133
3 192.168.230.134


[root@master ~]# chmod +x test.sh 
[root@master ~]# ./test.sh 
[root@master ~]# cat abc
node1:
  host: 192.168.230.132
  user: root
  passwd: 1
node2:
  host: 192.168.230.133
  user: root
  passwd: 1
node3:
  host: 192.168.230.134
  user: root
  passwd: 1
//此文件删除将会不通
[root@master ~]# cd .ssh/
[root@master .ssh]# ls
known_hosts
[root@master .ssh]# rm -rf known_hosts 
[root@master ~]# salt-ssh '*' test.ping
vm1:
    ----------
    retcode:
        254
    stderr:
    stdout:
        The host key needs to be accepted, to auto accept run salt-ssh with the -i flag:
        The authenticity of host '192.168.230.132 (192.168.230.132)' can't be established.
        ECDSA key fingerprint is SHA256:Nz8CAwwL3HRh/Lvqejqa+eiV3A09xGYYfG2A/W8wRPs.
        ECDSA key fingerprint is MD5:8c:b3:22:14:7a:8a:bc:34:f9:9d:3c:3a:07:8a:96:20.
        Are you sure you want to continue connecting (yes/no)?

从上面的信息可以看出，第一次访问时需要输入 yes/no ，但是 saltstack 是不支持交互式操作的，所以为了解决这个问题，我们需要对其进行设置，让系统不进行主机验证。

[root@master ~]# vim ~/.ssh/config
[root@master ~]# cat ~/.ssh/config
trictHostKeyChecking no
[root@master salt]# salt-ssh 'node1' test.ping
node1:
    True

2.2 通过密钥

[root@master ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3hAolp1oeZtCoySP1QLqeTA9DtEAzLANFR8JvZbdOaQ root@master
The key's randomart image is:
+---[RSA 3072]----+
|X+*+..           |
|.Bo+o* o.        |
|++=o%+=+..       |
|.***=+Eo+.       |
|.oo+. o S.       |
|  .  . . o       |
|        . .      |
|                 |
|                 |
+----[SHA256]-----+

[root@master .ssh]# ls
config  id_rsa  id_rsa.pub  known_hosts

[root@master .ssh]# ssh-copy-id root@192.168.230.132
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.230.132 (192.168.230.132)' can't be established.
ECDSA key fingerprint is SHA256:neSVD6BycCgJCBinl8cOsZDqS8uBg3V1J7xImc1D+Tg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.235.172's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.230.132'"
and check to make sure that only the key(s) you wanted were added.

//测试远程
[root@master .ssh]# ssh root@192.168.230.132 'date'
2021年 11月 28日 星期日 12:35:41 CST

//删除账户密码
[root@master ~]# vim /etc/salt/roster 
[root@master ~]# cat /etc/salt/roster 
# Sample salt-ssh config file
#web1:
#  host: 192.168.230.1 # The IP addr or DNS hostname
#  user: fred         # Remote executions will be executed as user fred
#  passwd: foobarbaz  # The password to use for login, if omitted, keys are used
#  sudo: True         # Whether to sudo to root, not enabled by default
#web2:
#  host: 192.168.230.2

node1:
  host: 192.168.230.132


[root@master .ssh]# cat known_hosts 
192.168.230.132 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/1aKSxVYylsWSVsOFnaOsqr8LSO2SheTtfwtZJg2q9I8j/zL2UGQnplNHAAHjh54UfnIv3dzNP8mPTYWVvLak=

[root@master .ssh]# salt-ssh '*' test.ping
Permission denied for host node1, do you want to deploy the salt-ssh key? (password required):
[Y/n] Y
Password for root@node1: 
node1:
    True

2.2 通过salt-ssh初始化系统安装salt-minion

[root@master ~]# yum -y install salt-ssh

[root@master ~]# salt-ssh '*' test.ping
node1:
    True

[root@master yum]# pwd
/srv/salt/base/init/yum
[root@master yum]# cat main.sls 
{% if grains['os'] == 'RedHat' %}
/etc/yum.repos.d/centos-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/centos-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'
{% endif %}

/etc/yum.repos.d/epel-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/epel-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'
/etc/yum.repos.d/salt-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/salt-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'
[root@master yum]# cd files/
[root@master files]# ls
centos-7.repo  centos-8.repo  epel-7.repo  epel-8.repo  salt-7.repo  salt-8.repo

//修改epel8的key
[root@master files]# vim epel-8.repo 
......
enabled=1
gpgcheck=1
countme=1
gpgkey=https://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-8 #添加此行
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 #添加注释
·····················

//执行安装minion
[root@master salt-minion]# pwd
/srv/salt/base/init/salt-minion
[root@master salt-minion]# cat main.sls 
include:
  - init.yum.main
salt-minion:
  pkg.installed
/etc/salt/minion:
  file.managed:
    - source: salt://init/salt-minion/files/minion.j2
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja
    - require:
      - pkg: salt-minion
salt-minion.service:
  service.running:
    - enable: true
    - reload: true
    - watch:
      - file: /etc/salt/minion
    
[root@master files]# pwd
/srv/salt/base/init/salt-minion/files
[root@master files]# vim minion.j2 
.......
#master: salt
master: {{ pillar['master_ip'] }}  #定义成变量
......

//在pillar定义变量
[root@master base]# pwd
/srv/pillar/base
[root@master base]# cat salt-minion.sls 
master_ip:192.168.230.131
[root@master base]# cat top.sls 
base:
  '*':
    - salt-minion

//执行
[root@master files]# salt-ssh '*' state.sls init.salt-minion.main
//安装完后可把ssh密钥删除，使用salt命令执行
[root@localhost .ssh]# ls
authorized_keys
[root@localhost .ssh]# rm -rf authorized_keys 
[root@localhost .ssh]# pwd
/root/.ssh

//安装minion后，主机名为localhost，shiyong-L查看时显示的会是IP
[root@master files]# salt-key -L
Accepted Keys:
node1
node2
Denied Keys:
Unaccepted Keys:
192.168.230.132
Rejected Keys: