1. API
Driving SaltStack through its REST API is a convenient way to push states and manage the cluster. Below we use the API to exercise Salt's functions.
Install salt-api on server1
[root@server1 _modules]# yum install -y salt-api-2018.3.3-1.el7.noarch.rpm
Create a self-signed certificate for the API (rest_cherrypy needs a key and certificate to serve HTTPS; on RHEL/CentOS 7 the `make testcert` target in /etc/pki/tls/certs signs a certificate for the key in /etc/pki/tls/private/localhost.key and writes it to /etc/pki/tls/certs/localhost.crt). A 1024-bit RSA key is below current minimums; use 2048 bits or more outside a lab.
[root@server1 private]# pwd
/etc/pki/tls/private
[root@server1 private]# openssl genrsa 1024 > localhost.key
[root@server1 private]# ls
localhost.key
[root@server1 private]# cd ..
[root@server1 tls]# cd certs
[root@server1 certs]# make testcert
Check how the master picks up drop-in configuration
cd /etc/salt
vim master   # the default_include setting is master.d/*.conf, so only files ending in .conf under master.d/ are read
Edit api.conf and auth.conf
[root@server1 certs]# cd /etc/salt/master.d/
[root@server1 master.d]# vim api.conf
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost.key
[root@server1 master.d]# vim auth.conf
external_auth:
  pam:
    saltapi:
      - .*
The `.*` entry lets the saltapi user run every execution module on every minion, which amounts to root on the whole fleet. Outside a lab, list only the functions (and targets) the API user actually needs.
Create the user and set its password (external_auth with pam authenticates against this system account)
[root@server1 master.d]# useradd saltapi
[root@server1 master.d]# passwd saltapi   ## the password used here is westos
Start salt-api, restart salt-master, and check that port 8000 is listening
[root@server1 master.d]# systemctl start salt-api
[root@server1 master.d]# systemctl restart salt-master
[root@server1 master.d]# netstat -antlp | grep 8000
Verify the service and obtain a token
[root@server1 master.d]# curl -sSk https://localhost:8000/login -d username=saltapi -d password=westos -d eauth=pam
{"return": [{"perms": [".*"], "start": 1553939157.266992, "token": "197b97778d768a8e135518e5b9e7043ef591b9d0", "expire": 1553982357.266994, "user": "saltapi", "
Two things to note: `-k` disables certificate verification, which is tolerable here only because the certificate is self-signed and the call goes to localhost; and the token is valid for 12 hours (expire minus start is 43200 s) with everything the perms list allows, so protect it like the password.
Use the token to test whether the four minions are reachable
[root@server1 master.d]# curl -sSk https://localhost:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 197b97778d768a8e135518e5b9e7043ef591b9d0' -d client=local -d tgt='*' -d fun=test.ping
Call the API to push the nginx state to server3
[root@server1 master.d]# curl -sSk https://localhost:8000 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 197b97778d768a8e135518e5b9e7043ef591b9d0' -d client=local -d tgt='server3' -d fun=state.sls -d arg='nginx.service'
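The curl calls above work, but they paste a long-lived token into every command and pass `-k` on each request. The client below is an added example (not code from the original post or from the Salt project) that performs the same two requests, `/login` and `/` with `client=local`, while caching the token, re-authenticating when it is about to expire or when the master answers 401, and verifying the master's certificate via `cafile` instead of disabling verification. The host `server1:8000`, the `saltapi` user and the 12-hour token lifetime come from the post; the password, the `FakeSaltApi` stand-in for the master and the minion names in `demo()` are constructed so the example runs offline.

```python
"""Token-based client for salt-api (rest_cherrypy), mirroring the curl calls above."""
import json
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request


class SaltApiClient:
    """POSTs form-encoded bodies to /login and / like the curl examples, but caches the
    token, re-authenticates when it is about to expire, and verifies the master's
    certificate (cafile=/etc/pki/tls/certs/localhost.crt) instead of using -k."""

    def __init__(self, base_url, username, password, eauth="pam",
                 cafile=None, transport=None, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self.creds = {"username": username, "password": password, "eauth": eauth}
        self.cafile = cafile
        self.transport = transport or self._https_post   # transport(url, fields, headers) -> (status, body)
        self.clock = clock
        self.token, self.expire = None, 0.0

    def _https_post(self, url, fields, headers):
        ctx = ssl.create_default_context(cafile=self.cafile)   # trusts the self-signed cert explicitly
        req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def login(self):
        status, body = self.transport(self.base_url + "/login", self.creds, {"Accept": "application/json"})
        if status != 200:
            raise PermissionError("login rejected with HTTP %d" % status)
        session = json.loads(body)["return"][0]          # same shape as the /login output above
        self.token, self.expire = session["token"], float(session["expire"])
        return session["perms"]

    def run(self, tgt, fun, arg=None, client="local", margin=60):
        if not self.token or self.expire - self.clock() < margin:   # refresh before the token lapses
            self.login()
        fields = {"client": client, "tgt": tgt, "fun": fun}
        if arg is not None:
            fields["arg"] = arg
        headers = {"Accept": "application/json", "X-Auth-Token": self.token}
        status, body = self.transport(self.base_url + "/", fields, headers)
        if status == 401:                 # token removed or expired on the master: log in once and retry
            self.login()
            headers["X-Auth-Token"] = self.token
            status, body = self.transport(self.base_url + "/", fields, headers)
        if status != 200:
            raise RuntimeError("salt-api returned HTTP %d" % status)
        return json.loads(body)["return"][0]


class FakeSaltApi:
    """Constructed stand-in for https://server1:8000 so the example runs offline: it issues
    tokens that live 12 h (expire - start in the login output above) and answers test.ping."""
    TOKEN_TTL = 43200

    def __init__(self, password, minions, clock=time.time):
        self.password, self.minions, self.clock = password, minions, clock
        self.logins, self.sessions = 0, {}     # sessions: token -> expiry timestamp

    def __call__(self, url, fields, headers):
        if urllib.parse.urlparse(url).path == "/login":
            if fields.get("eauth") != "pam" or fields.get("password") != self.password:
                return 401, b""
            self.logins += 1
            token = "%040x" % self.logins        # 40 hex chars, like a real salt token
            self.sessions[token] = self.clock() + self.TOKEN_TTL
            return 200, json.dumps({"return": [{"perms": [".*"], "start": self.clock(), "token": token,
                                                "expire": self.sessions[token], "user": fields["username"],
                                                "eauth": "pam"}]}).encode()
        if self.sessions.get(headers.get("X-Auth-Token"), 0) <= self.clock():
            return 401, b""
        targets = self.minions if fields["tgt"] == "*" else [fields["tgt"]]
        if fields["fun"] == "test.ping":
            return 200, json.dumps({"return": [{m: True for m in targets}]}).encode()
        return 200, json.dumps({"return": [{m: "ran %s %s" % (fields["fun"], fields.get("arg", ""))
                                            for m in targets}]}).encode()


def demo():
    """Walk through login, token reuse, client-side expiry and master-side token removal."""
    now = [1553939157.0]                         # start timestamp from the login output above

    def clock():
        return now[0]

    api = FakeSaltApi("westos", ["server1", "server2", "server3", "server4"], clock)
    c = SaltApiClient("https://server1:8000", "saltapi", "westos", transport=api, clock=clock)
    ping = c.run("*", "test.ping")                              # first call logs in
    sls = c.run("server3", "state.sls", arg="nginx.service")    # reuses the cached token
    now[0] += FakeSaltApi.TOKEN_TTL + 1
    c.run("*", "test.ping")                                     # client sees the token lapsed, logs in again
    api.sessions.clear()                                        # token gone on the master side
    c.run("*", "test.ping")                                     # 401 from the master triggers one re-login
    return ping, sls, api.logins
```

Against a real master, drop the `transport=` argument and pass `cafile="/etc/pki/tls/certs/localhost.crt"` (the certificate from `make testcert` above) so that the connection is authenticated; the `Accept: application/json` header replaces the YAML output the curl commands request because JSON is what the client parses.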
2. The salt-ssh module
[root@server1 ~]# yum install salt-ssh -y
[root@server1 ~]# cd /etc/salt/
[root@server1 salt]# vim roster
server2:
  host: 172.25.19.2
server3:
  host: 172.25.19.3
[root@server1 salt]# salt-ssh '*' test.ping -i   ## -i (--ignore-host-keys) skips the SSH host-key check, i.e. it answers "yes" to the host-key prompt automatically; this also removes the protection against a spoofed host on first contact, so use it only on a network you trust
Permission denied for host server2, do you want to deploy the salt-ssh key? (password required):
[Y/n] y
Password for root@server2:
Password for root@server3:
server2:
    True
server3:
    True
Answering y installs salt-ssh's own public key (/etc/salt/pki/master/ssh/salt-ssh.rsa.pub) into root's authorized_keys on each host using the password typed here; later runs need no password.
3. syndic
Take server4 out of the minion pool and make it a standalone top-level master
[root@server1 ~]# salt-key -L
Accepted Keys:
server1
server2
server3
server4
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@server1 ~]# salt-key -d server4
The following keys are going to be deleted:
Accepted Keys:
server4
Proceed? [N/y] y
Key for minion server4 deleted.
[root@server1 ~]# salt-key -L
Accepted Keys:
server1
server2
server3
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@server4 ~]# systemctl stop salt-minion
[root@server4 ~]# systemctl disable salt-minion
[root@server4 ~]# yum install salt-master -y
[root@server4 ~]# vim /etc/salt/master
order_masters: True
[root@server4 ~]# systemctl start salt-master
[root@server1 ~]# yum install -y salt-syndic
[root@server1 ~]# systemctl start salt-syndic
[root@server1 ~]# vim /etc/salt/master
syndic_master: 172.25.19.4
[root@server1 ~]# systemctl restart salt-master
salt-syndic reads syndic_master from /etc/salt/master as well, so after editing that setting restart salt-syndic too (in the order above it was started before the setting existed).
Accept server1's key on server4
[root@server4 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
server1
Rejected Keys:
[root@server4 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
server1
Proceed? [n/Y] Y
Key for minion server1 accepted.
[root@server4 ~]# salt-key -L
Accepted Keys:
server1
Denied Keys:
Unaccepted Keys:
Rejected Keys:
Test
No minion is connected to server4 directly, yet its test.ping reaches server1, server2 and server3: server1's syndic connects to server4 as the top-level master, forwards server4's commands to server1's own minions and returns their results.
[root@server4 ~]# salt '*' test.ping
server2:
    True
server3:
    True
server1:
    True
Pushing a state from the top master works the same way. Note that httpd.service must exist in server1's file_roots: minions fetch state files from the master they are connected to, not from the top master.
[root@server4 ~]# salt server2 state.sls httpd.service
4. Custom modules
[root@server1 ~]# mkdir /srv/salt/_modules
[root@server1 ~]# cd /srv/salt/_modules
[root@server1 _modules]# vim my_disk.py
[root@server1 _modules]# cat my_disk.py
def df():
    # __salt__ is injected by the minion's loader and exposes the other execution modules
    cmd = 'df -h'
    return __salt__['cmd.run'](cmd)
[root@server1 _modules]# salt server3 saltutil.sync_modules
server3:
    - modules.my_disk
[root@server3 ~]# cd /var/cache/salt/
[root@server3 salt]# tree minion/   # the synced module lands under minion/extmods/modules/
[root@server1 _modules]# salt server3 my_disk.df
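The post's `my_disk.df` returns free-form text, which a state or a monitoring job cannot act on. Below is an added example of a fuller execution module for the same `/srv/salt/_modules/` directory; it is not the post's code or part of Salt. It keeps `df()` as in the post, adds `__virtual__` so the module only loads where `df` exists, parses POSIX `df -P` output into a dict per mount point, and reports mounts above a threshold. `__salt__` is injected by the minion loader when the module is synced; `SAMPLE_DF_P`, `_fake_salt` and `demo()` are constructed here so the parsing can be exercised outside a minion.

```python
# my_disk.py: fuller custom execution module (added example, not the post's own three-line module).
# Deploy with: cp my_disk.py /srv/salt/_modules/ && salt '*' saltutil.sync_modules
# Then: salt server3 my_disk.usage ; salt server3 my_disk.check threshold=80
import shutil

try:
    from salt.exceptions import CommandExecutionError
except ImportError:                       # not running under Salt (local testing)
    class CommandExecutionError(Exception):
        pass

__virtualname__ = "my_disk"


def __virtual__():
    """Refuse to load on minions without df instead of failing at call time."""
    if shutil.which("df"):
        return __virtualname__
    return False, "df binary not found"


def df():
    """Raw `df -h` text, exactly what the post's module returns."""
    return __salt__["cmd.run"]("df -h", python_shell=False)


def usage():
    """One dict per mount point, parsed from POSIX-format `df -P` (one line per filesystem)."""
    res = __salt__["cmd.run_all"]("df -P", python_shell=False)
    if res["retcode"] != 0:
        raise CommandExecutionError("df -P failed: %s" % res["stderr"])
    return _parse_df_posix(res["stdout"])


def check(threshold=90, exclude=("tmpfs", "devtmpfs")):
    """Mount points at or above `threshold` percent use, skipping pseudo filesystems."""
    over = {mount: row["use_pct"] for mount, row in usage().items()
            if row["filesystem"] not in exclude and row["use_pct"] >= threshold}
    return {"ok": not over, "threshold": threshold, "over": over}


def _parse_df_posix(output):
    # Leading underscore: Salt does not expose this helper as my_disk._parse_df_posix.
    rows = {}
    for line in output.strip().splitlines()[1:]:       # skip the "Filesystem 1024-blocks ..." header
        fields = line.split(None, 5)                   # mount point is last and may contain spaces
        if len(fields) != 6:
            continue
        fs, size, used, avail, pct, mount = fields
        rows[mount] = {"filesystem": fs, "size_kb": int(size), "used_kb": int(used),
                       "avail_kb": int(avail), "use_pct": int(pct.rstrip("%"))}
    return rows


# --- offline scaffolding (constructed; not part of the module's Salt interface) ---
SAMPLE_DF_P = """\
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/vda1         20959212 19000000   1959212      91% /
tmpfs               508080        0    508080       0% /dev/shm
/dev/vdb1         10475520  5242880   5232640      51% /var/lib/docker
"""


def _fake_salt(stdout, retcode=0):
    """Stand-in for the loader's __salt__ offering only the two cmd functions used above."""
    stderr = "" if retcode == 0 else "df: cannot read table of mounted file systems"
    return {"cmd.run": lambda cmd, **kw: stdout,
            "cmd.run_all": lambda cmd, **kw: {"retcode": retcode, "stdout": stdout, "stderr": stderr}}


def demo(retcode=0):
    """Run usage() and check() against SAMPLE_DF_P outside a minion."""
    globals()["__salt__"] = _fake_salt(SAMPLE_DF_P, retcode)
    return usage(), check(threshold=90)
```

`cmd.run_all` is used rather than `cmd.run` so a failing `df` raises `CommandExecutionError` instead of being parsed as an empty table; `df -P` is chosen over `df -h` because its column layout is fixed by POSIX and its sizes are plain kilobyte integers.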