一、salt-ssh简介
salt-ssh可以独立运行的,不需要minion端。
[root@server3 ~]# systemctl stop salt-minion
[root@server4 ~]# systemctl stop salt-minion
salt-ssh 用的是sshpass进行密码交互的。
以串行模式工作,性能下降。
安装salt-ssh:
[root@server2 ~]# yum install -y salt-ssh
二、salt-ssh配置
[root@server2 salt]# pwd
/etc/salt
[root@server2 salt]# cat roster
server4:
host: 172.25.60.4
user: root
passwd: redhat
[root@server2 salt]# salt-ssh server4 test.ping -i # -i会自动应答
server4:
True
或者忽略key的检测:
[root@server2 ~]# cat ~/.ssh/config
StrictHostKeyChecking no
[root@server2 ~]# salt-ssh server4 test.ping
server4:
True
三、salt-syndic简介
如果大家知道zabbix proxy的话那就很容易理解了,syndic其实就是个代理,隔离master与minion。
Syndic必须要运行在master上,再连接到另一个topmaster上。
Topmaster 下发的状态需要通过syndic来传递给下级master,minion传递给master的数据也是由syndic传递给topmaster。
topmaster并不知道有多少个minion。
syndic与topmaster的file_roots和pillar_roots的目录要保持一致。
四、salt-syndic配置
server5作为topmaster,server2作为syndic
[root@server5 ~]# vim /etc/yum.repos.d/salt-latest.repo
[salt-latest]
name=SaltStack Latest Release Channel for RHEL/Centos $releasever
baseurl=https://repo.saltstack.com/yum/redhat/7/$basearch/latest
failovermethod=priority
enabled=1 # 表示启用这个源
gpgcheck=0 # 表示对从这个源下载的rpm包不进行校验
gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key
[root@server5 ~]# yum install salt-master -y
[root@server2 ~]# yum install -y salt-syndic
root@server2 ~]# systemctl start salt-syndic
[root@server5 ~]# vim /etc/salt/master # 作为顶级master
order_masters: True
[root@server5 ~]# systemctl start salt-master
[root@server5 ~]# systemctl enable salt-master
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-master.service to /usr/lib/systemd/system/salt-master.service.
[root@server2 ~]# vim /etc/salt/master
syndic_master: 172.25.60.5
[root@server2 ~]# systemctl restart salt-master
[root@server5 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
server2
Rejected Keys:
[root@server5 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
server2
Proceed? [n/Y] Y
Key for minion server2 accepted.
[root@server5 ~]# salt-key -L
Accepted Keys:
server2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@server5 ~]# salt '*' test.ping
server4:
True
server3:
True
五、salt-api简介
SaltStack 官方提供有REST API格式的 salt-api 项目,将使Salt与第三方系统集成变得尤为简单。
官方提供了三种api模块:
rest_cherrypy
rest_tornado
rest_wsgi
官方链接:
https://docs.saltstack.com/en/latest/ref/netapi/all/index.html#all-netapi-modules
安装salt-api
[root@server2 ~]# yum install -y salt-api python-cherrypy
生成证书
[root@server2 private]# pwd
/etc/pki/tls/private
[root@server2 private]# openssl genrsa 2048 > localhost.key
Generating RSA private key, 2048 bit long modulus
..............+++
........................+++
e is 65537 (0x10001)
[root@server2 private]# ls
localhost.key
[root@server2 ~]# cd /etc/pki/tls/certs/
[root@server2 certs]# make testcert # 填写相关信息
[root@server2 certs]# ls # 生成localhost.crt
ca-bundle.crt localhost.crt Makefile
ca-bundle.trust.crt make-dummy-cert renew-dummy-cert
激活rest_cherrypy模块
[root@server2 master.d]# pwd
/etc/salt/master.d
[root@server2 master.d]# cat tls.conf
rest_cherrypy:
port: 8000
ssl_crt: /etc/pki/tls/certs/localhost.crt
ssl_key: /etc/pki/tls/private/localhost.key
创建用户认证文件
[root@server2 master.d]# cat auth.conf
external_auth:
pam:
saltapi:
- .*
- '@wheel'
- '@runner'
- '@jobs'
[root@server2 master.d]# useradd -s /sbin/nologin saltapi
[root@server2 master.d]# passwd saltapi
Changing password for user saltapi.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@server2 master.d]# systemctl restart salt-master
[root@server2 master.d]# systemctl start salt-api
[root@server2 master.d]# netstat -antlpe|grep :8000
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 0 436701 25111/salt-api
tcp 0 0 127.0.0.1:43556 127.0.0.1:8000 TIME_WAIT 0 0
获取认证token
[root@server2 master.d]# curl -sSk https://localhost:8000/login -H 'Accept: application/x-yaml' -d username=saltapi -d password=redhat -d eauth=pam
return:
- eauth: pam
expire: 1589764243.542194
perms:
- .*
- '@wheel'
- '@runner'
- '@jobs'
start: 1589721043.542193
token: 65b8495460d3eeed0a4fd86174b812cc3b55ee71
user: saltapi
[root@server2 master.d]# curl -sSk https://localhost:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 65b8495460d3eeed0a4fd86174b812cc3b55ee71' -d client=local -d tgt='*' -d fun=test.ping
return:
- server3: true
server4: true
[root@server2 master.d]# curl -sSk https://localhost:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 65b8495460d3eeed0a4fd86174b812cc3b55ee71' -d client=local -d tgt='*' -d fun=state.sls -d arg=keepalived