1. Introduction to SaltStack

SaltStack is a relatively new infrastructure management tool. It is still developing rapidly and can be thought of as a strengthened Func combined with a lightweight Puppet, which hints at SaltStack's two main capabilities: remote execution and configuration management.
SaltStack keeps its input, output and configuration files consistent: all of them use the YAML format. It is mainly responsible for configuration management and remote execution (running predefined or arbitrary commands on remote hosts, also called remote execution, is Salt's core function. The links that follow show modules and returners, which are the key to remote execution.)
Salt is an automated deployment platform written in Python on the classic client/server (C/S) model. It consists of a Master and Minions, which communicate over ZeroMQ.
Master and Minion authentication

  1. When a minion starts for the first time, it automatically generates minion.pem (private key) and minion.pub (public key) under /etc/salt/pki/minion/ (the path is set in /etc/salt/minion), then sends minion.pub to the master.
  2. After receiving the minion's public key, the master accepts it with the salt-key command. The public key is then stored under /etc/salt/pki/master/minions on the master, named after the minion id, and from then on the master can send commands to that minion.
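As an added example (not part of the original post), the POSIX shell helper below performs step 2 defensively: it accepts a pending key only after the fingerprint shown by `salt-key -f <id>` on the master matches the fingerprint the operator read on the minion itself with `salt-call --local key.finger`. The `<id>:  <fingerprint>` line format of the salt-key output is an assumption, and the captured output used for checking is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: accept a pending minion key only
# when its fingerprint on the master matches the one read on the minion itself.

# Normalise a fingerprint for comparison: lower-case, colons removed.
norm_finger() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ':'
}

# Pull one minion's fingerprint out of captured `salt-key -f <id>` output.
# Assumed line format: "<id>:  <fingerprint>" (an assumption, see lead-in).
finger_from_salt_key() {
    printf '%s\n' "$2" | awk -v id="$1" '$1 == (id ":") { print $2; exit }'
}

# Succeeds (exit 0) only when both fingerprints are present and agree.
finger_matches() {
    [ -n "$1" ] && [ "$(norm_finger "$1")" = "$(norm_finger "$2")" ]
}

# Operator workflow (needs a running master): on the minion run
#   salt-call --local key.finger
# and pass that value as $2; the key is accepted only on a match.
accept_if_verified() {
    id="$1"; expected="$2"
    pending=$(salt-key -f "$id" 2>/dev/null)
    actual=$(finger_from_salt_key "$id" "$pending")
    if [ -z "$actual" ]; then
        echo "no pending key for $id" >&2
        return 2
    fi
    if finger_matches "$expected" "$actual"; then
        salt-key -y -a "$id"
    else
        echo "fingerprint mismatch for $id: expected $expected, got $actual" >&2
        return 1
    fi
}
```

Running `accept_if_verified web1 <fingerprint-from-minion>` on the master replaces a blind `salt-key -a` with a checked one.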
Master and Minion connection

Once the SaltStack master starts it listens on two ports by default: 4505 and 4506. Port 4505 (publish_port) is Salt's message publishing system; port 4506 (ret_port) is the port used for communication between the Salt clients and the server. If you inspect port 4505 with lsof, you will see that every Minion keeps a connection to port 4505 in the ESTABLISHED state.

2. Installing and configuring Salt

Master side

Installation

  1. Install the EPEL repository
    rpm -ivh http://dl.fedoraproject.org/pub/epel/6Server/x86_64/epel-release-6-8.noarch.rpm

  2. Install the API and the UI

    yum install python
    yum install salt-master salt-api python-halite

If running yum immediately produces the following error:
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again

edit /etc/yum.repos.d/epel.repo, re-enable the baseurl line and comment out the mirrorlist line, i.e. change
#baseurl
mirrorlist
to
baseurl
#mirrorlist

Configuration

Main salt-master configuration file
# vim /etc/salt/master
The parameters of interest are:
Lines that are commented out show the default values. Note that there must be a space after the colon, otherwise Salt reports an error.

#The IP address to bind to:
interface: 0.0.0.0
# The tcp port used by the publisher:
#publish_port: 4505
#The user under which the salt master will run.
#user: root
#Can be set explicitly; by default it follows the operating system's limit
#max_open_files: 100000
#The number of worker threads to start. These threads are used to manage
#return calls made from minions to the master. If the master seems to be
#running slowly, increase the number of threads. This setting can not be
#set lower than 3.
worker_threads: 5
#The port used by the communication interface. The ret (return) port is the
#interface used for the file server, authentication, job returns, etc.
#ret_port: 4506
#pidfile: /var/run/salt-master.pid
#Directory used to store public key data:
#pki_dir: /etc/salt/pki/master
#Directory to store job and cache data:
#cachedir: /var/cache/salt/master
#Set the default timeout for the salt command and api. The default is 5
#seconds.
#timeout: 5
#Set the directory used to hold unix sockets:
#sock_dir: /var/run/salt/master
#Include a config file from some other path:
#include: /etc/salt/extra_config
#Enable auto_accept, this setting will automatically accept all incoming
#public keys from the minions. Note that this is insecure.
#auto_accept: False
#If the autosign_file is specified, incoming keys specified in the
#autosign_file will be automatically accepted. This is insecure. Regular
#expressions as well as globing lines are supported.
#autosign_file: /etc/salt/autosign.conf
#Works like autosign_file, but instead allows you to specify minion IDs for
#which keys will automatically be rejected. Will override both membership in
#the autosign_file and the auto_accept setting.
#autoreject_file: /etc/salt/autoreject.conf
#Allow minions to push files to the master. This is disabled by default, for
#security purposes.
#file_recv: False
#####File Server settings #####
##########################################
#Salt runs a lightweight file server written in zeromq to deliver files to
#minions. This file server is built into the master daemon and does not
#require a dedicated port.
#log_file: /var/log/salt/master
#The level of messages to send to the console.
#One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
#log_level: warning
#The level of messages to send to the log file.
#One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
#If using 'log_granular_levels' this must be set to the highest desired level.
#log_level_logfile: warning
#The date and time format used in log messages. Allowed date/time formatting
#log_datefmt: '%H:%M:%S'
#log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
#####Node Groups #####
##########################################
#Node groups allow for logical groupings of minion nodes. A group consists of a group name and a compound target.
#Grouping for management; note that group1 is indented by two spaces
#nodegroups:
#  group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com'
#  group2: 'G@os:Debian and foo.domain.com'
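As an added example (not from the original post or from Salt itself), the following Python lint reads a Salt master or minion config and flags the two mistakes this section warns about, a missing space after the colon and a nested key such as group1 that is not indented under nodegroups, and it also reports the settings the file's own comments mark as insecure (auto_accept, autosign_file, file_recv) plus an interface bound to 0.0.0.0. The line-based parser is a deliberate simplification of YAML; values containing '#' inside quotes are not handled.

```python
import re

# Settings whose enabling value the config's own comments describe as insecure.
RISKY = {
    "auto_accept": "true",   # accept every incoming minion key without review
    "file_recv": "true",     # let minions push files to the master
}
KEY_RE = re.compile(r"^(\s*)([A-Za-z_]\w*):(.*)$")


def lint_salt_config(text):
    """Return a list of (line_no, message) findings for a Salt master/minion config."""
    findings = []
    parent = None   # (key, indent) of a mapping key that expects nested entries
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # commented-out lines are the defaults
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if not m:
            findings.append((no, "line is not of the form 'key: value'"))
            continue
        indent, key, rest = m.groups()
        if parent and len(indent) <= parent[1]:
            findings.append((no, f"{key} is not indented under {parent[0]}: "
                                 "nested keys need two leading spaces"))
        parent = (key, len(indent)) if not rest.strip() else None
        if rest and not rest.startswith(" "):
            findings.append((no, f"{key}: missing space after the colon"))
            continue
        value = rest.strip().strip("'\"").lower()
        if key in RISKY and value == RISKY[key]:
            findings.append((no, f"{key} enabled: marked insecure in the config comments"))
        if key == "autosign_file" and value:
            findings.append((no, "autosign_file set: matching keys are accepted automatically"))
        if key == "interface" and value == "0.0.0.0":
            findings.append((no, "interface 0.0.0.0: master listens on every address"))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/salt/master"
    with open(path) as fh:
        for no, msg in lint_salt_config(fh.read()):
            print(f"{path}:{no}: {msg}")
```

The same script can be pointed at /etc/salt/minion, where the colon and indentation rules apply equally.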

Start and stop

# /etc/init.d/salt-master start|stop|restart|status

# service salt-master start|stop|restart|status
# salt-minion -l debug    (show detailed Salt client output)
After start-up, the following ports should be open:
# netstat -antlp | grep 4505    (make sure the message publishing port is listening)
# netstat -antlp | grep 4506    (make sure the client/server communication port is listening)

Minion side

Installation

  1. Install the EPEL repository
    #rpm -ivh http://dl.fedoraproject.org/pub/epel/6Server/x86_64/epel-release-6-8.noarch.rpm
  2. yum install salt-minion -y

Configuration

Main salt-minion configuration file
# vim /etc/salt/minion
The parameters of interest are:
Lines that are commented out show the default values. Note that there must be a space after the colon, otherwise Salt reports an error.

#Per default the minion will automatically include all config files
#from minion.d/*.conf (minion.d is a directory in the same directory
#as the main minion config file).
#default_include: minion.d/*.conf
#Set the location of the salt master server. If the master server cannot be
#resolved, then the minion will fail to start.
master: 127.0.0.1
#Set the port used by the master reply and authentication server.
#master_port: 4506
#The user to run salt.
#user: root
#Specify the location of the daemon process ID file.
#pidfile: /var/run/salt-minion.pid
#Explicitly declare the id for this minion to use.
id: 192.168.10.110

Start and stop

# /etc/init.d/salt-minion start|stop|restart|status

# service salt-minion start|stop|restart|status
# salt-minion -l debug    (show detailed Salt client output)