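Introduction to SaltStack
Salt uses a server-agent communication model. The server component is called the Salt master and the agent is called the Salt minion. The Salt master is mainly responsible for sending commands to the Salt minions, then aggregating and displaying the results. One Salt master can manage many minion systems. The connection between the master and a minion is initiated by the minion, which means no inbound ports need to be open on the minion (reducing its attack surface). The Salt master uses ports 4505 and 4506, which must be open for it to accept incoming connections.
Publishing commands from the command line
After the Salt cluster is set up, check that it works correctly.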
# test.ping
$ salt '*' test.ping
192.168.47.141:
True
192.168.47.139:
True
# Publish a command to check disk usage on the minion nodes
$ salt '*' cmd.run 'df -h'
192.168.47.141:
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 18G 4.8G 13G 27% /
devtmpfs 3.8G 0 3.8G 0% /dev
tmpfs 3.9G 60K 3.9G 1% /dev/shm
tmpfs 3.9G 13M 3.8G 1% /run
tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup
/dev/sda1 297M 157M 140M 53% /boot
tmpfs 781M 24K 781M 1% /run/user/0
192.168.47.139:
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 18G 4.8G 13G 27% /
devtmpfs 3.8G 0 3.8G 0% /dev
tmpfs 3.9G 60K 3.9G 1% /dev/shm
tmpfs 3.9G 13M 3.8G 1% /run
tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup
/dev/sda1 297M 157M 140M 53% /boot
tmpfs 781M 4.0K 781M 1% /run/user/42
tmpfs 781M 32K 781M 1% /run/user/0
# Check resource usage on a specific machine
$ salt '192.168.47.141' cmd.run 'df -h'
192.168.47.141:
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 18G 4.8G 13G 27% /
devtmpfs 3.8G 0 3.8G 0% /dev
tmpfs 3.9G 80K 3.9G 1% /dev/shm
tmpfs 3.9G 13M 3.8G 1% /run
tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup
/dev/sda1 297M 157M 140M 53% /boot
tmpfs 781M 24K 781M 1% /run/user/0
Salt-api
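SaltStack officially provides salt-api, a REST API interface that makes it easy to integrate Salt with third-party systems.
Installing salt-api
- Configure the following on the Salt Master host.
# Install salt-api; the cherrypy dependency is installed automatically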
yum install -y salt-api
# Install the PyOpenSSL package
yum install -y pyOpenSSL
# Use the create_self_signed_cert() execution function to generate a self-signed certificate
# If the salt-call command is not found, install salt-minion first; salt-call depends on salt-minion
$ yum install salt-minion
$ salt-call --local tls.create_self_signed_cert
local:
Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."
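# Edit the main configuration file to create at least one external authentication user or group (as I understand it, this provides authentication for third-party applications)
# Followed the referenced blog post
# Enable include to load sub-configuration files, for easier management
$ vim /etc/salt/master
default_include: master.d/*.conf
# Configure the API config file, pointing it at the certificate generated above
$ cat /etc/salt/master.d/api.conf
rest_cherrypy:
  host: 192.168.47.142
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key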
# Create the authentication user and set its password
$ useradd -M -s /sbin/nologin saltapi
$ echo 'saltapi' | passwd --stdin saltapi
Changing password for user saltapi.
passwd: all authentication tokens updated successfully.
# Create the authentication config file
$ cat /etc/salt/master.d/auth.conf
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'
# Restart salt-master and salt-api
$ systemctl restart salt-master
$ systemctl start salt-api
- Verify that the API works correctly
# Check the salt-api listening port
$ netstat -anlutp | grep 8000
tcp 0 0 192.168.47.142:8000 0.0.0.0:* LISTEN 80073/python
# Verify login and obtain the token string
$ curl -sSk https://192.168.47.142:8000/login -H 'Accept: application/x-yaml' -d username=saltapi -d password=saltapi -d eauth=pam
return:
- eauth: pam
  expire: 1597765638.167416
  perms:
  - .*
  - '@wheel'
  - '@runner'
  - '@jobs'
  start: 1597722438.167414
  token: 98e969009ebda0bfb43cba7998afe88fc61a66ea
  user: saltapi
# Run test.ping through the API to test connectivity
$ curl -sSk https://192.168.47.142:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 98e969009ebda0bfb43cba7998afe88fc61a66ea' -d client=local -d tgt='*' -d fun=test.ping
return:
- 192.168.47.139: true
  192.168.47.141: true
# Run cmd.run through the API
$ curl -sSk https://192.168.47.142:8000 -H 'Accept: application/json' -H 'X-Auth-Token: 98e969009ebda0bfb43cba7998afe88fc61a66ea' -d client=local -d tgt='*' -d fun='cmd.run' -d arg='df -h'
{"return": [{"192.168.47.139": "Filesystem Size Used Avail Use% Mounted on\n/dev/sda3 18G 4.8G 13G 27% /\ndevtmpfs 3.8G 0 3.8G 0% /dev\ntmpfs 3.9G 140K 3.9G 1% /dev/shm\ntmpfs 3.9G 13M 3.8G 1% /run\ntmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup\n/dev/sda1 297M 157M 140M 53% /boot\ntmpfs 781M 4.0K 781M 1% /run/user/42\ntmpfs 781M 32K 781M 1% /run/user/0", "192.168.47.141": "Filesystem Size Used Avail Use% Mounted on\n/dev/sda3 18G 4.8G 13G 27% /\ndevtmpfs 3.8G 0 3.8G 0% /dev\ntmpfs 3.9G 120K 3.9G 1% /dev/shm\ntmpfs 3.9G 13M 3.8G 1% /run\ntmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup\n/dev/sda1 297M 157M 140M 53% /boot\ntmpfs 781M 28K 781M 1% /run/user/0"}]}
# Get grains information through the API
$ curl -sSk https://192.168.47.142:8000/minions/192.168.47.141 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 98e969009ebda0bfb43cba7998afe88fc61a66ea'
return:
- 192.168.47.141:
    SSDs: []
    biosreleasedate: 07/29/2019
    ...
# Use JSON format
$ curl -sSk https://192.168.47.142:8000/minions/192.168.47.141 -H 'Accept: application/json' -H 'X-Auth-Token: 98e969009ebda0bfb43cba7998afe88fc61a66ea'
{"return": [{"192.168.47.141": {"biosversion": "6.00", "kernel": "Linux", "domain": "localdomain", "uid": 0, ..."pythonexecutable": "/usr/bin/python"}}]}
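The external_auth grant in auth.conf above gives saltapi .* together with '@wheel' and '@runner', and the login response echoes the same list back under perms. The following is an added example (not code from the original post or from Salt) that flags such broad grants in an already-parsed external_auth mapping. The function names, the SENSITIVE_FUNS list and the narrower SCOPED_CONFIG are assumptions of this example; the matching only approximates Salt's, and each minion target is assumed to map to a list of functions.

```python
import fnmatch
import re

# Functions that amount to arbitrary command execution on a minion.
# Illustrative list chosen for this example, not exhaustive.
SENSITIVE_FUNS = ("cmd.run", "cmd.shell", "cmd.script", "state.apply")


def grant_allows(pattern, fun):
    """Approximate Salt's permission match: glob first, then full regex."""
    if fnmatch.fnmatchcase(fun, pattern):
        return True
    try:
        return re.fullmatch(pattern, fun) is not None
    except re.error:
        return False


def audit_external_auth(external_auth):
    """Return (backend, account, grant, reason) tuples for broad grants."""
    findings = []
    for backend, accounts in external_auth.items():
        for account, grants in accounts.items():
            if account == "*":
                findings.append((backend, account, "*", "applies to every user"))
            for grant in grants:
                # A mapping scopes functions to a minion target; a bare
                # string applies to all minions.
                if isinstance(grant, dict):
                    scoped = [(t, f) for t, funs in grant.items() for f in funs]
                else:
                    scoped = [("*", grant)]
                for target, pattern in scoped:
                    if pattern in ("@wheel", "@runner"):
                        reason = "all %s modules on the master" % pattern[1:]
                    elif pattern.startswith("@"):
                        continue  # e.g. '@jobs': the jobs runner/wheel module
                    else:
                        hits = [f for f in SENSITIVE_FUNS if grant_allows(pattern, f)]
                        if not hits:
                            continue
                        reason = "allows %s on target %s" % (", ".join(hits), target)
                    findings.append((backend, account, pattern, reason))
    return findings


# Constructed inputs: the page's auth.conf as a dict, and a narrower variant.
PAGE_CONFIG = {"pam": {"saltapi": [".*", "@wheel", "@runner", "@jobs"]}}
SCOPED_CONFIG = {"pam": {"saltapi": [{"192.168.47.14*": ["test.ping", "grains.items"]}, "@jobs"]}}
```

Calling audit_external_auth(PAGE_CONFIG) reports the .*, '@wheel' and '@runner' entries, while SCOPED_CONFIG, which limits saltapi to two read-only functions on the two minions, produces no findings.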
Using salt-api