Deploying SaltStack on CentOS 7

Install Python 3

1. Download and extract Python 3.7.2

wget https://www.python.org/ftp/python/3.7.2/Python-3.7.2.tgz
cp Python-3.7.2.tgz /opt
cd /opt/
tar zxvf Python-3.7.2.tgz

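2. Install Python 3 and make it the default

cd Python-3.7.2
./configure
make
make install
Some errors appear at this point because dependencies are missing
yum install zlib* -y
yum install libffi-devel -y
make install
Make python3 the default python and keep Python 2.7 as python2
mv /usr/bin/python /usr/bin/python2
ln -s /usr/local/bin/python3.7 /usr/bin/python
# -f: replace the python2 entry left behind by the mv above
sudo ln -sf /usr/bin/python2.7 /usr/bin/python2
Change the Python version that yum depends on

vim /usr/bin/yum # edit yum so that it keeps working; yum relies on the old Python version
Change #!/usr/bin/python to #!/usr/bin/python2
If problems remain after editing /usr/bin/yum, try changing the Python shebang line at the top of /usr/libexec/urlgrabber-ext-down as well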

Check that the changes took effect
which python
which python2

Once neither command reports an error, update yum

yum update

Install Salt

1. Install the Salt Python 3 repository with yum
yum install -y https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm
yum clean expire-cache
2. (Optional) Install MariaDB, used to store Salt command results and job IDs
yum -y install mariadb mariadb-devel mariadb-server wget  python-devel gcc gcc-c++ make openssl openssl-devel passwd libffi libffi-devel
3. Install Salt
yum install salt-master salt-minion salt-ssh salt-syndic salt-cloud salt-api
4. Install salt-api
# Create the certificate
[root@centos7 ~]# cd /etc/pki/tls/certs/
# Generate a self-signed certificate for SSL
[root@centos7 certs]# make testcert
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > /etc/pki/tls/private/localhost.key
Generating RSA private key, 2048 bit long modulus
...................................................................+++
..+++
e is 65537 (0x10001)
Enter pass phrase:       # enter a passphrase, 4 to 8191 characters
Verifying - Enter pass phrase:   # confirm the passphrase
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
Enter pass phrase for /etc/pki/tls/private/localhost.key:     # enter the passphrase again
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN      # optional, press Enter to leave blank
State or Province Name (full name) []:Shanghai  # optional, press Enter to leave blank
Locality Name (eg, city) [Default City]:Shanghai  # optional, press Enter to leave blank
Organization Name (eg, company) [Default Company Ltd]: # optional, press Enter to leave blank
Organizational Unit Name (eg, section) []: # optional, press Enter to leave blank
Common Name (eg, your name or your server's hostname) []: # optional, press Enter to leave blank
Email Address []: # optional, press Enter to leave blank
[root@centos7 certs]# cd ../private/
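# Decrypt the key file to produce a key file without a passphrase; you are prompted for the key passphrase, which is the one set when the certificate was generated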
[root@centos7 private]# openssl rsa -in localhost.key -out localhost_nopass.key
Enter pass phrase for localhost.key:
writing RSA key
[root@centos7 private]# ls
localhost.key  localhost_nopass.key
# Note
    If make testcert fails, delete /etc/pki/tls/private/localhost.key and run make testcert again
# Create a user (used for salt-api authentication)
useradd -M -s /sbin/nologin saltapi && echo "password"|/usr/bin/passwd saltapi --stdin
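5. Install pip, openssl and cherrypy
# Installing pip on its own
    wget https://bootstrap.pypa.io/get-pip.py
    python get-pip.py

# Upgrade pip
    pip install --upgrade pip

# Install the software salt-api needs with pip; in the latest version yum already installs these by default, so this step is not needed
    pip install pyOpenSSL
    pip install cherrypy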
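6. Edit the salt-api configuration files
# Add the configuration files; eauth.conf and api.conf can be merged into a single api.conf
[root@centos7 ~]# mkdir -p /etc/salt/master.d/
# This directory does not exist by default and must be created by hand; it is referenced in the main /etc/salt/master configuration file, similar to an include
[root@centos7 ~]# vim /etc/salt/master.d/eauth.conf
# For security reasons a user is normally granted only specific modules; here the saltapi user is granted all modules
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'

[root@centos7 ~]# vim /etc/salt/master.d/api.conf
rest_cherrypy:
  port: 8000                       # port salt-api listens on
  ssl_crt: /etc/pki/tls/certs/localhost.crt          # certificate used for SSL
  ssl_key: /etc/pki/tls/private/localhost_nopass.key

# Note:
    All indentation is two spaces, and every ':' must be followed by a space
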

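# salt-api configuration options explained
port : required, the port salt-api listens on
host : defaults to 0.0.0.0, may be omitted
debug : defaults to False; when set to True, debug logs are written
log_access_file : path to the HTTP access log, added in version 2016.11.0
log_error_file : path to the HTTP error log, added in version 2016.11.0
ssl_crt : absolute path to the SSL certificate
ssl_key : absolute path to the SSL certificate's private key
ssl_chain : optional when using PyOpenSSL; the certificate passed to 'Context.load_verify_locations'
disable_ssl : flag that disables SSL. Authentication credentials will then be sent in the clear
webhook_disable_auth : False
webhook_url : /hook
thread_pool : 100
socket_queue_size : 30
expire_responses : True
max_request_body_size : 1048576
collect_stats : False
stats_disable_auth : False
For more parameters see: https://github.com/saltstack/salt/blob/develop/salt/netapi/rest_cherrypy/app.py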
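The external_auth grants in eauth.conf and the rest_cherrypy options listed above can be checked mechanically before the services are started. The Python below is an added example, not part of the original post or of Salt: it audits an already-parsed master configuration, and the function names, the sample dictionaries and the restricted grants (test.ping, grains.items) are assumptions made for illustration.

```python
# Added example: audit a parsed Salt master config for risky salt-api settings.
BROAD = {  # the three grants the page's eauth.conf gives to saltapi
    ".*": "every execution module",
    "@wheel": "all wheel modules (minion key and master config management)",
    "@runner": "all runner modules on the master",
}

def audit_external_auth(cfg):
    findings = []
    for backend, users in (cfg.get("external_auth") or {}).items():
        for user, perms in (users or {}).items():
            for perm in perms or []:
                # A mapping entry scopes functions to a target: {"web*": ["test.*"]}
                scoped = perm.items() if isinstance(perm, dict) else [("*", [perm])]
                for target, funcs in scoped:
                    for fun in (funcs if isinstance(funcs, list) else [funcs]):
                        if fun in BROAD:
                            findings.append(f"external_auth.{backend}.{user}: {fun!r} "
                                            f"(target {target!r}) grants {BROAD[fun]}")
    return findings

def audit_rest_cherrypy(cfg):
    api, findings = cfg.get("rest_cherrypy") or {}, []
    if api.get("disable_ssl"):
        findings.append("rest_cherrypy.disable_ssl: credentials and tokens sent in the clear")
    elif not (api.get("ssl_crt") and api.get("ssl_key")):
        findings.append("rest_cherrypy: ssl_crt/ssl_key not set")
    if api.get("debug"):
        findings.append("rest_cherrypy.debug: debug logging enabled")
    if api.get("host", "0.0.0.0") == "0.0.0.0":
        findings.append("rest_cherrypy.host: listens on all interfaces (default 0.0.0.0)")
    if api.get("webhook_disable_auth"):
        findings.append("rest_cherrypy.webhook_disable_auth: webhook_url accepts unauthenticated requests")
    return findings

def audit(cfg):
    return audit_external_auth(cfg) + audit_rest_cherrypy(cfg)

# Constructed sample: the two master.d files from this page, as parsed YAML.
PAGE_CONFIG = {
    "external_auth": {"pam": {"saltapi": [".*", "@wheel", "@runner"]}},
    "rest_cherrypy": {"port": 8000,
                      "ssl_crt": "/etc/pki/tls/certs/localhost.crt",
                      "ssl_key": "/etc/pki/tls/private/localhost_nopass.key"},
}
# Constructed alternative (hypothetical grants): named functions, loopback listener.
RESTRICTED = {
    "external_auth": {"pam": {"saltapi": ["test.ping", {"minion-61": ["grains.items"]}]}},
    "rest_cherrypy": dict(PAGE_CONFIG["rest_cherrypy"], host="127.0.0.1"),
}

if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("restricted", RESTRICTED)):
        print(name, *(audit(cfg) or ["no findings"]), sep="\n  ")
```

On a real master, pass the result of yaml.safe_load() for each file under /etc/salt/master.d/ to audit().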
# Start the services
systemctl start salt-master
systemctl start salt-minion
systemctl start salt-api
7. Open the server port
# Check whether the port is open
firewall-cmd --query-port=8000/tcp
# Open the port
firewall-cmd --add-port=8000/tcp --permanent
# Reload
firewall-cmd --reload
# Confirm the port is open
firewall-cmd --query-port=8000/tcp
8. Start the minion
yum install epel-release -y
yum install salt-minion -y
vim /etc/salt/minion
# yum install salt-ssh
# yum install salt-syndic

master: 172.16.60.129
user: root
id: minion-61
Note that the format is strict

systemctl restart salt-minion.service
systemctl status salt-minion.service
systemctl enable salt-master

Then work on the master

salt-key -L

Output:

Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion-61
Rejected Keys:

Accept minion-61, then list the keys again

salt-key -a minion-61
salt-key -L

Output:

Accepted Keys:
minion-61
Denied Keys:
Unaccepted Keys:
Rejected Keys:

Run the Salt command with curl again

[root@bogon ~]# curl -sSk https://localhost:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 2d1b28d1d169b11243ec980d92023775bf6ae1df' -d client=local  -d tgt='*' -d fun=test.ping
return:
- minion-61: true

Getting started

1. Using salt-api

To be continued
