[root@localhost ~]# vi /etc/salt/minion
....
#master: salt
file_client: local
file_roots:
base:
- /srv/salt/base
prod:
- /srv/salt/prod
pillar_roots:
base:
- /srv/pillar/base
prod:
- /srv/pillar/prod
[root@localhost ~]# systemctl disable --now salt-minion
[root@localhost ~]# systemctl status salt-minion
● salt-minion.service - The Salt Minion
Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:salt-minion(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltstack.com/en/latest/contents.html
masterless模式执行模块或状态时需要使用salt-call命令,而不再是salt或者salt-ssh。需要注意的是要使用salt-call的–local选项。
[root@localhost ~]# salt-call --local cmd.run 'ls /root'
local:
anaconda-ks.cfg
[root@localhost ~]# salt-call --local cmd.run 'uptime'
local:
17:36:43 up 4:17, 2 users, load average: 0.00, 0.01, 0.05
启动apache服务
[root@localhost base]# pwd
/srv/salt/base
[root@localhost base]# mkdir apache
[root@localhost base]# cd apache/
[root@localhost apache]# vi init.sls
apache-install:
pkg.installed:
- name: httpd
apache-service:
service.running:
- name: httpd
- enable: True
[root@localhost base]# salt-call --local state.sls apache.init
local:
----------
ID: apache-install
Function: pkg.installed
Name: httpd
Result: True
Comment: All specified packages are already installed
Started: 17:46:52.566857
Duration: 634.107 ms
Changes:
----------
ID: apache-service
Function: service.running
Name: httpd
Result: True
Comment: Service httpd has been enabled, and is in the desired stat
Started: 17:46:53.201923
Duration: 174.672 ms
Changes:
----------
httpd:
True
Summary for local
------------
Succeeded: 2 (changed=1)
Failed: 0
------------
Total states run: 2
Total run time: 808.779 ms
用node01和node02当maser,node03当minion
[root@node01 ~]# yum -y install salt-master
已加载插件:product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
base | 3.6 kB 00:00:00
epel | 5.3 kB 00:00:00
extras | 2.9 kB 00:00:00
[root@node02 ~]# yum -y install salt-master
已加载插件:product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
base | 3.6 kB 00:00:00
epel | 5.3 kB 00:00:00
extras | 2.9 kB 00:00:00
salt-latest | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
[root@node03 ~]# yum -y install salt-minion
已加载插件:product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
在node03上修改配置文件.重启minion
[root@node03 ~]# tail /etc/salt/minion
master:
- 192.168.100.131
- 192.168.100.132
master_type: failover
[root@node03 ~]# systemctl restart salt-minion
在master上接受等待的key
[root@node01 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node03
Rejected Keys:
[root@node01 ~]# salt-key -Ay
The following keys are going to be accepted:
Unaccepted Keys:
node03
Key for minion node03 accepted.
[root@node01 ~]# salt-key -L
Accepted Keys:
node03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
测试连通性
[root@node01 ~]# salt '*' test.ping
node03:
True
在node01的master上开启master_sign_pubkey
[root@node01 ~]# vi /etc/salt/master
..此处省略
master_sign_pubkey: True
···此处省略
然后在/etc/salt/pki/上就有master_sign.pem和master_sign.pub
[root@node01 pki]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
│ ├── master.pem
│ ├── master.pub
│ ├── master_sign.pem
│ ├── master_sign.pub
│ ├── minions
│ │ └── node03
│ ├── minions_autosign
│ ├── minions_denied
│ ├── minions_pre
│ └── minions_rejected
└── minion
├── minion_master.pub
├── minion.pem
└── minion.pub
然后将node01的/etc/salt/pki/master/master_sign.pem和/etc/salt/pki/master/master_sign.pub 和/etc/salt/pki/master/master_sign.pub 传到node02上面去
[root@node01 pki]# scp /etc/salt/pki/master/master_sign.pem [email protected]:/etc/salt/pki/master/
[root@node01 pki]# scp /etc/salt/pki/master/master_sign.pub [email protected]:/etc/salt/pki/master/
[root@node01 pki]# scp /etc/salt/master [email protected]:/etc/salt/master
然后在node02上重启服务,查看已经传过来了
[root@node02 pki]# systemctl restart salt-master
[root@node02 pki]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
│ ├── master.pem
│ ├── master.pub
│ ├── master_sign.pem
│ ├── master_sign.pub
│ ├── minions
│ ├── minions_autosign
│ ├── minions_denied
│ ├── minions_pre
│ │ └── node03
│ └── minions_rejected
└── minion
├── minion_master.pub
├── minion.pem
└── minion.pub
然后将node01的/etc/salt/pki/master/master_sign.pub 传到minionnode03上面去
[root@node01 pki]# scp /etc/salt/pki/master/master_sign.pub [email protected]:/etc/salt/pki/minion/
[root@node03 ~]# tree /etc/salt/minion
/etc/salt/minion [error opening dir]
0 directories, 0 files
[root@node03 ~]# tree /etc/salt/pki/minion/
/etc/salt/pki/minion/
├── master_sign.pub
├── minion_master.pub
├── minion.pem
└── minion.pub
然后设置node03的配置文件,重启服务
[root@node03 ~]# tail /etc/salt/minion
#event_match_type: startswith
master:
verify_master_pubkey_sign: True
alway_verify_signature: True
[root@node03 ~]# systemctl restart salt-minion
在node03测试一下
[root@node03 ~]# salt-minion -l debug
/usr/lib/python2.7/site-packages/salt/scripts.py:212: DeprecationWarning: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won’t be maintained after that date. Salt will drop support for Python 2.7 in the Sodium release or later.
[DEBUG ] Reading configuration from /etc/salt/minion
[DEBUG ] Including configuration from ‘/etc/salt/minion.d/_schedule.conf’
[DEBUG ] Reading configuration from /etc/salt/minion.d/_schedule.conf
[DEBUG ] Using cached minion ID from /etc/salt/minion_id: node03
[DEBUG ] Configuration file path: /etc/salt/minion
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[INFO ] Setting up the Salt Minion “node03”
[INFO ] An instance is already running. Exiting the Salt Minion
[INFO ] Shutting down the Salt Minion
[DEBUG ] Stopping the multiprocessing logging queue listener
[DEBUG ] closing multiprocessing queue
[DEBUG ] joining multiprocessing queue thread
[DEBUG ] Stopped the multiprocessing logging queue listener
The Salt Minion is shutdown.
然后进行测试,当在node上ping通的时候。node01就ping不通
[root@node02 pki]# salt ‘’ test.ping
node03:
True
[root@node01 pki]# salt '’ test.ping
node03:
Minion did not return. [No response]
当我把node02的服务停了之后,node01就能ping通
[root@node02 pki]# systemctl stop salt-master
[root@node01 pki]# salt ‘*’ test.ping
node03:
True
### 3.salt-syndic部署
### 3.1 环境说明
| 主机ip |角色 |安装应用|
|--|--|--|
| 192.168.100.131| master |salt-master|
|192.168.100.133|syndic|salt-master salt-syndic|
|192.168.100.134|minion|salt-minion|
### 3.2 安装软件
在syndic上安装salt-master和salt-syndic
[root@node02 ~]# yum -y install salt-master salt-syndic
已加载插件:product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
正在解决依赖关系
–> 正在检查事务
—> 软件包 salt-master.noarch.0.3000-1.el7 将被 安装
—> 软件包 salt-syndic.noarch.0.3000-1.el7 将被 安装
–> 解决依赖关系完成
依赖关系解决
正在安装:
salt-master noarch 3000-1.el7 salt-latest 3.0 M
salt-syndic noarch 3000-1.el7 salt-latest 19 k
安装 2 软件包
在minion上安装salt-minion
[root@localhost ~]# yum -y install salt-minion
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
### 3.3 配置master
在master的配置文件将order_master的值设为True
[root@node01 ~]# vim /etc/salt/master
…此处省略N行
order_masters: True
### 3.4配置syndic
在syndic的配置文件上将syndic_master的值设为master的IP
[root@node02 ~]# vi /etc/salt/master
…此处省略N行
syndic_master: 192.168.100.131
### 3.5配置minion
在minion上将master指向syndic所在主机
[root@node03 salt]# tail -1 /etc/salt/minion
master: 192.168.100.133
### 3.6在syndic上接受minion主机的key
[root@node02 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node03
Rejected Keys:
[root@node02 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
node03
Proceed? [n/Y] Y
Key for minion node03 accepted.
[root@node02 ~]# salt-key -L
Accepted Keys:
node03
Denied Keys:
Unaccepted Keys:
Rejected Keys:
### 3.7 在master上接受syndic主机的key
[root@node01 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node02
Rejected Keys:
[root@node01 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
node02
Proceed? [n/Y] y
Key for minion node02 accepted.
[root@node01 ~]# salt-key -L
Accepted Keys:
node02
Denied Keys:
Unaccepted Keys:
Rejected Keys:
### 3.8 在master上去ping一下
发现master进行的ping的时候是minion端进行答应,而不是syndic
[root@node01 ~]# salt ‘*’ test.ping
node03:
True