saltstack的安装及配置

---

1. saltstack简介

Saltstack是一个新的基础设施管理工具。目前处于快速发展阶段，可以看做是强化的Func+弱化的Puppet的组合。间接的反映出了saltstack的两大功能：远程执行和配置管理。
SaltStack 保持了输入、输出、配置文件的一致性，所有文件均使用YAML格式。主要负责配置管理和远程执行（在远程主机运行预定义或任意的命令，也叫远程执行，这是 Salt的核心功能。接下来的链接展示了模块（module）和返回器（returner），这是远程执行的关键所在。）
Salt是基于python写的经典C/S框架的自动化部署平台。由Master和Minion构成，通过ZeroMQ进行通信。
Master与Minion认证

1. minion 在第一次启动时，会在/etc/salt/pki/minion/（该路径在/etc/salt/minion里面设置）下自动生成 minion.pem(private key)和minion.pub(public key)，然后将minion.pub发送给master。
2. master 在接收到minion的public key后，通过salt-key命令accept minion public key，这样在master的/etc/salt/pki/master/minions下的将会存放以minion id命名的public key, 然后master就能对minion发送指令了。
   Master与Minion的连接
   Saltstack master启动后默认监听4505和4506两个端口。4505(publish_port)为salt的消息发布系统，4506(ret_port) 为salt客户端与服务端通信的端口。如果使用lsof查看4505端口，会发现所有的Minion在4505端口持续保持在ESTABLISHED。

---

2. salt的安装及配置

master端

安装

1. 安装EPEL源
   rpm -ivh http://dl.fedoraproject.org/pub/epel/6Server/x86_64/epel-release-6-8.noarch.rpm

2. 安装api及ui界面

   yum install python
   yum install salt-master salt-api python-halite

如果执行yum就报如下错误：
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again

编辑/etc/yum.repos.d/epel.repo，把基础的恢复，镜像的地址注释掉
#baseurl
mirrorlist
改成
baseurl
#mirrorlist

配置

salt-master主配置文件
#vim /etc/salt/master
主要关心如下参数：
注释掉的为默认值，注意冒号后有空格，否则会报错。

#绑定的IP:
interface: 0.0.0.0
# The tcp port used by the publisher:
#publish_port: 4505
#The user under which the salt master will run.
#user: root
#可单独设置，默认遵从于操作系统设置
#max_open_files: 100000
#The number of worker threads to start. These threads are used to manage
#return calls made from minions to the master. If the master seems to be
#running slowly, increase the number of threads. This setting can not be
#set lower than 3.
worker_threads: 5
#The port used by the communication interface. The ret (return) port is the
#interface used for the file server, authentication, job returns, etc.
#ret_port: 4506
#pidfile: /var/run/salt-master.pid
#Directory used to store public key data:
#pki_dir: /etc/salt/pki/master
#Directory to store job and cache data:
#cachedir: /var/cache/salt/master
#Set the default timeout for the salt command and api. The default is 5
#seconds.
#timeout: 5
#Set the directory used to hold unix sockets:
#sock_dir: /var/run/salt/master
#Include a config file from some other path:
#include: /etc/salt/extra_config
#Enable auto_accept, this setting will automatically accept all incoming
#public keys from the minions. Note that this is insecure.
#auto_accept: False
#If the autosign_file is specified, incoming keys specified in the
#autosign_file will be automatically accepted. This is insecure. Regular
#expressions as well as globing lines are supported.
#autosign_file: /etc/salt/autosign.conf
#Works like autosign_file, but instead allows you to specify minion IDs for
#which keys will automatically be rejected. Will override both membership in
#the autosign_file and the auto_accept setting.
#autoreject_file: /etc/salt/autoreject.conf
#Allow minions to push files to the master. This is disabled by default, for
#security purposes.
#file_recv: False
#####File Server settings #####
##########################################
#Salt runs a lightweight file server written in zeromq to deliver files to
#minions. This file server is built into the master daemon and does not
#require a dedicated port.
#log_file: /var/log/salt/master
#The level of messages to send to the console.
#One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
#log_level: warning
#The level of messages to send to the log file.
#One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
#If using 'log_granular_levels' this must be set to the highest desired level.
#log_level_logfile: warning
#The date and time format used in log messages. Allowed date/time formating
#log_datefmt: '%H:%M:%S'
#log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
#####Node Groups #####
##########################################
#Node groups allow for logical groupings of minion nodes. A group consists of a group name and a compound target.
#分组管理，注意group1前有两个空格
#nodegroups:
#group1: '[email protected],bar.domain.com,baz.domain.com and bl*.domain.com'
#group2: 'G@os:Debian and foo.domain.com'

启停

#/etc/init.d/salt-master start|stop|restart|status
或
#service salt-master start|stop|restart|status
#salt-minion -l debug 查看salt客户端详细信息
启动后会开启如下参数：
#netstat -antlp | grep 4505 确保消息发布端口正常
#netstat -antlp | grep 4506 确保客户端与服务端通信端口正常

minion端

安装

1. 安装EPEL源
   #rpm -ivh http://dl.fedoraproject.org/pub/epel/6Server/x86_64/epel-release-6-8.noarch.rpm
2. yum install salt-minion -y

配置

salt-minion主配置文件
# vim /etc/salt/minion
主要关心如下参数：
注释掉的为默认值，注意冒号后有空格，否则会报错。

#Per default the minion will automatically include all config files
#from minion.d/.conf (minion.d is a directory in the same directory
#as the main minion config file).
#default_include: minion.d/.conf
#Set the location of the salt master server. If the master server cannot be
#resolved, then the minion will fail to start.
master: 127.0.0.1
#Set the port used by the master reply and authentication server.
#master_port: 4506
#The user to run salt.
#user: root
#Specify the location of the daemon process ID file.
#pidfile: /var/run/salt-minion.pid
#Explicitly declare the id for this minion to use.
id: 192.168.10.110

启停

# /etc/init.d/salt-minion start|stop|restart|status
或
# service salt-minion start|stop|restart|status
# salt-minion -l debug 查看salt客户端详细信息