1. salt-ssh介绍
salt-ssh可以让我们不需要在受控机上安装salt-minion客户端也能够实现管理操作。
1.1 salt-ssh的特点
远程系统需要Python支持,除非使用-r选项发送原始ssh命令
salt-ssh是一个软件包,需安装之后才能使用,命令本身也是salt-ssh
salt-ssh不会取代标准的Salt通信系统,它只是提供了一个基于SSH的替代方案,不需要ZeroMQ和agent
请注意,由于所有与Salt SSH的通信都是通过SSH执行的,因此它比使用ZeroMQ的标准Salt慢得多
1.2 salt-ssh远程管理的方式
salt-ssh有两种方式实现远程管理,一种是在配置文件中记录所有客户端的信息,诸如 IP 地址、端口号、用户名、密码以及是否支持sudo等;另一种是使用密钥实现远程管理,不需要输入密码。
- salt-ssh管理
在 master 上安装 salt-ssh
[root@master ~]# yum -y install salt-ssh
2 通过使用用户名密码的SSH实现远程管理
修改配置文件,添加受控机信息
[root@master salt]# cat roster
# Sample salt-ssh config file
#web1:
# host: 192.168.230.1 # The IP addr or DNS hostname
# user: fred # Remote executions will be executed as user fred
# passwd: foobarbaz # The password to use for login, if omitted, keys are used
# sudo: True # Whether to sudo to root, not enabled by default
#web2:
# host: 192.168.230.2
node1: #添加
host: 192.168.230.131 #添加
user: root # 添加
passwd: 1 # 添加
[root@master salt]# pwd
/etc/salt
[root@master ~]# salt-ssh 'node1' test.ping
node1:
True
[root@master ~]# salt-ssh -r 'node1' "yum -y install python3"```
[root@master ~]# cat test.sh
#!/bin/bash
while read line;do
cat >> abc << EOF
node$(echo $line | awk '{print $1}'):
host: $(echo $line | awk '{print $2}')
user: root
passwd: 1
EOF
done < host.info
[root@master ~]# cat host.info
1 192.168.230.132
2 192.168.230.133
3 192.168.230.134
[root@master ~]# chmod +x test.sh
[root@master ~]# ./test.sh
[root@master ~]# cat abc
node1:
host: 192.168.230.132
user: root
passwd: 1
node2:
host: 192.168.230.133
user: root
passwd: 1
node3:
host: 192.168.230.134
user: root
passwd: 1
//此文件删除将会不通
[root@master ~]# cd .ssh/
[root@master .ssh]# ls
known_hosts
[root@master .ssh]# rm -rf known_hosts
[root@master ~]# salt-ssh '*' test.ping
vm1:
----------
retcode:
254
stderr:
stdout:
The host key needs to be accepted, to auto accept run salt-ssh with the -i flag:
The authenticity of host '192.168.230.132 (192.168.230.132)' can't be established.
ECDSA key fingerprint is SHA256:Nz8CAwwL3HRh/Lvqejqa+eiV3A09xGYYfG2A/W8wRPs.
ECDSA key fingerprint is MD5:8c:b3:22:14:7a:8a:bc:34:f9:9d:3c:3a:07:8a:96:20.
Are you sure you want to continue connecting (yes/no)?
从上面的信息可以看出,第一次访问时需要输入 yes/no ,但是 saltstack 是不支持交互式操作的,所以为了解决这个问题,我们需要对其进行设置,让系统不进行主机验证。
[root@master ~]# vim ~/.ssh/config
[root@master ~]# cat ~/.ssh/config
trictHostKeyChecking no
[root@master salt]# salt-ssh 'node1' test.ping
node1:
True
2.2 通过密钥
[root@master ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3hAolp1oeZtCoySP1QLqeTA9DtEAzLANFR8JvZbdOaQ root@master
The key's randomart image is:
+---[RSA 3072]----+
|X+*+.. |
|.Bo+o* o. |
|++=o%+=+.. |
|.***=+Eo+. |
|.oo+. o S. |
| . . . o |
| . . |
| |
| |
+----[SHA256]-----+
[root@master .ssh]# ls
config id_rsa id_rsa.pub known_hosts
[root@master .ssh]# ssh-copy-id root@192.168.230.132
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.230.132 (192.168.230.132)' can't be established.
ECDSA key fingerprint is SHA256:neSVD6BycCgJCBinl8cOsZDqS8uBg3V1J7xImc1D+Tg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.235.172's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.230.132'"
and check to make sure that only the key(s) you wanted were added.
//测试远程
[root@master .ssh]# ssh root@192.168.230.132 'date'
2021年 11月 28日 星期日 12:35:41 CST
//删除账户密码
[root@master ~]# vim /etc/salt/roster
[root@master ~]# cat /etc/salt/roster
# Sample salt-ssh config file
#web1:
# host: 192.168.230.1 # The IP addr or DNS hostname
# user: fred # Remote executions will be executed as user fred
# passwd: foobarbaz # The password to use for login, if omitted, keys are used
# sudo: True # Whether to sudo to root, not enabled by default
#web2:
# host: 192.168.230.2
node1:
host: 192.168.230.132
[root@master .ssh]# cat known_hosts
192.168.230.132 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/1aKSxVYylsWSVsOFnaOsqr8LSO2SheTtfwtZJg2q9I8j/zL2UGQnplNHAAHjh54UfnIv3dzNP8mPTYWVvLak=
[root@master .ssh]# salt-ssh '*' test.ping
Permission denied for host node1, do you want to deploy the salt-ssh key? (password required):
[Y/n] Y
Password for root@node1:
node1:
True
2.2 通过salt-ssh初始化系统安装salt-minion
[root@master ~]# yum -y install salt-ssh
[root@master ~]# salt-ssh '*' test.ping
node1:
True
[root@master yum]# pwd
/srv/salt/base/init/yum
[root@master yum]# cat main.sls
{% if grains['os'] == 'RedHat' %}
/etc/yum.repos.d/centos-{{ grains['osrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/centos-{{ grains['osrelease'] }}.repo
- user: root
- group: root
- mode: '0644'
{% endif %}
/etc/yum.repos.d/epel-{{ grains['osrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/epel-{{ grains['osrelease'] }}.repo
- user: root
- group: root
- mode: '0644'
/etc/yum.repos.d/salt-{{ grains['osrelease'] }}.repo:
file.managed:
- source: salt://init/yum/files/salt-{{ grains['osrelease'] }}.repo
- user: root
- group: root
- mode: '0644'
[root@master yum]# cd files/
[root@master files]# ls
centos-7.repo centos-8.repo epel-7.repo epel-8.repo salt-7.repo salt-8.repo
//修改epel8的key
[root@master files]# vim epel-8.repo
......
enabled=1
gpgcheck=1
countme=1
gpgkey=https://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-8 #添加此行
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 #添加注释
·····················
//执行安装minion
[root@master salt-minion]# pwd
/srv/salt/base/init/salt-minion
[root@master salt-minion]# cat main.sls
include:
- init.yum.main
salt-minion:
pkg.installed
/etc/salt/minion:
file.managed:
- source: salt://init/salt-minion/files/minion.j2
- user: root
- group: root
- mode: '0644'
- template: jinja
- require:
- pkg: salt-minion
salt-minion.service:
service.running:
- enable: true
- reload: true
- watch:
- file: /etc/salt/minion
[root@master files]# pwd
/srv/salt/base/init/salt-minion/files
[root@master files]# vim minion.j2
.......
#master: salt
master: {{ pillar['master_ip'] }} #定义成变量
......
//在pillar定义变量
[root@master base]# pwd
/srv/pillar/base
[root@master base]# cat salt-minion.sls
master_ip:192.168.230.131
[root@master base]# cat top.sls
base:
'*':
- salt-minion
//执行
[root@master files]# salt-ssh '*' state.sls init.salt-minion.main
//安装完后可把ssh密钥删除,使用salt命令执行
[root@localhost .ssh]# ls
authorized_keys
[root@localhost .ssh]# rm -rf authorized_keys
[root@localhost .ssh]# pwd
/root/.ssh
//安装minion后,主机名为localhost,shiyong-L查看时显示的会是IP
[root@master files]# salt-key -L
Accepted Keys:
node1
node2
Denied Keys:
Unaccepted Keys:
192.168.230.132
Rejected Keys: