saltstack安装
1. 安装
1.安装步骤 找到对应的源
加入salt的源
[root@10-8-58-159 ~]# yum install -y https://repo.saltstack.com/py3/redhat/salt-py3-repo-3001-1.el8.noarch.rpm
Last metadata expiration check: 0:00:43 ago on Mon 28 Feb 2022 05:14:16 PM HKT.
salt-py3-repo-3001-1.el8.noarch.rpm 3.1 kB/s | 9.9 kB 00:03
Dependencies resolved.
===============================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================================================================================================================================================
Installing:
salt-py3-repo noarch 3001-1.el8 @commandline 9.9 k
Transaction Summary
===============================================================================================================================================================================================================================================================
Install 1 Package
Total size: 9.9 k
Installed size: 3.6 k
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : salt-py3-repo-3001-1.el8.noarch 1/1
Verifying : salt-py3-repo-3001-1.el8.noarch 1/1
Installed:
salt-py3-repo-3001-1.el8.noarch
Complete!
2. 安装对应的master和node
salt对应的的master 、 minion架构
安装master
[root@10-8-58-159 ~]# yum install -y salt-master
SaltStack 3001 Release Channel for Python 3 RHEL/Centos 8 64 kB/s | 224 kB 00:03
Last metadata expiration check: 0:00:01 ago on Mon 28 Feb 2022 05:15:12 PM HKT.
Dependencies resolved.
===============================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================================================================================================================================================
Installing:
salt-master noarch 3001.8-1.el8 salt-py3-3001 3.1 M
Installing dependencies:
libsodium x86_64 1.0.18-2.el8 epel 162 k
libunwind x86_64 1.3.1-3.el8 epel 75 k
openpgm x86_64 5.2.122-21.el8 epel 180 k
python3-distro noarch 1.4.0-2.module_el8.5.0+761+faacb0fb AppStream 37 k
python3-m2crypto x86_64 0.35.2-5.el8 epel 303 k
python3-msgpack x86_64 0.6.2-1.el8 epel 92 k
python3-psutil x86_64 5.4.3-11.el8 AppStream 373 k
python3-pycurl x86_64 7.43.0.2-4.el8 AppStream 227 k
python3-zmq x86_64 19.0.0-1.el8 epel 418 k
salt noarch 3001.8-1.el8 salt-py3-3001 10 M
zeromq x86_64 4.3.4-2.el8 epel 479 k
Transaction Summary
===============================================================================================================================================================================================================================================================
Install 12 Packages
Total download size: 16 M
Installed size: 58 M
Downloading Packages:
(1/12): python3-distro-1.4.0-2.module_el8.5.0+761+faacb0fb.noarch.rpm 65 kB/s | 37 kB 00:00
(2/12): python3-pycurl-7.43.0.2-4.el8.x86_64.rpm 206 kB/s | 227 kB 00:01
(3/12): libsodium-1.0.18-2.el8.x86_64.rpm 170 kB/s | 162 kB 00:00
(4/12): python3-psutil-5.4.3-11.el8.x86_64.rpm 236 kB/s | 373 kB 00:01
(5/12): libunwind-1.3.1-3.el8.x86_64.rpm 84 kB/s | 75 kB 00:00
(6/12): openpgm-5.2.122-21.el8.x86_64.rpm 145 kB/s | 180 kB 00:01
(7/12): python3-m2crypto-0.35.2-5.el8.x86_64.rpm 229 kB/s | 303 kB 00:01
(8/12): python3-msgpack-0.6.2-1.el8.x86_64.rpm 99 kB/s | 92 kB 00:00
(9/12): python3-zmq-19.0.0-1.el8.x86_64.rpm 216 kB/s | 418 kB 00:01
(10/12): zeromq-4.3.4-2.el8.x86_64.rpm 233 kB/s | 479 kB 00:02
(11/12): salt-master-3001.8-1.el8.noarch.rpm 1.4 MB/s | 3.1 MB 00:02
(12/12): salt-3001.8-1.el8.noarch.rpm 2.4 MB/s | 10 MB 00:04
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 2.2 MB/s | 16 MB 00:07
warning: /var/cache/dnf/salt-py3-3001-cdd7dac9cf71697d/packages/salt-3001.8-1.el8.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID de57bfbe: NOKEY
SaltStack 3001 Release Channel for Python 3 RHEL/Centos 8 1.7 MB/s | 1.7 kB 00:00
Importing GPG key 0xDE57BFBE:
Userid : "SaltStack Packaging Team "
Fingerprint: 754A 1A7A E731 F165 D5E6 D4BD 0E08 A149 DE57 BFBE
From : /etc/pki/rpm-gpg/saltstack-signing-key
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-msgpack-0.6.2-1.el8.x86_64 1/12
Installing : python3-m2crypto-0.35.2-5.el8.x86_64 2/12
Installing : openpgm-5.2.122-21.el8.x86_64 3/12
Installing : libunwind-1.3.1-3.el8.x86_64 4/12
Installing : libsodium-1.0.18-2.el8.x86_64 5/12
Installing : zeromq-4.3.4-2.el8.x86_64 6/12
Installing : python3-zmq-19.0.0-1.el8.x86_64 7/12
Installing : python3-pycurl-7.43.0.2-4.el8.x86_64 8/12
Installing : python3-psutil-5.4.3-11.el8.x86_64 9/12
Installing : python3-distro-1.4.0-2.module_el8.5.0+761+faacb0fb.noarch 10/12
Installing : salt-3001.8-1.el8.noarch 11/12
Installing : salt-master-3001.8-1.el8.noarch 12/12
Running scriptlet: salt-master-3001.8-1.el8.noarch 12/12
Verifying : python3-distro-1.4.0-2.module_el8.5.0+761+faacb0fb.noarch 1/12
Verifying : python3-psutil-5.4.3-11.el8.x86_64 2/12
Verifying : python3-pycurl-7.43.0.2-4.el8.x86_64 3/12
Verifying : libsodium-1.0.18-2.el8.x86_64 4/12
Verifying : libunwind-1.3.1-3.el8.x86_64 5/12
Verifying : openpgm-5.2.122-21.el8.x86_64 6/12
Verifying : python3-m2crypto-0.35.2-5.el8.x86_64 7/12
Verifying : python3-msgpack-0.6.2-1.el8.x86_64 8/12
Verifying : python3-zmq-19.0.0-1.el8.x86_64 9/12
Verifying : zeromq-4.3.4-2.el8.x86_64 10/12
Verifying : salt-3001.8-1.el8.noarch 11/12
Verifying : salt-master-3001.8-1.el8.noarch 12/12
Installed:
libsodium-1.0.18-2.el8.x86_64 libunwind-1.3.1-3.el8.x86_64 openpgm-5.2.122-21.el8.x86_64 python3-distro-1.4.0-2.module_el8.5.0+761+faacb0fb.noarch python3-m2crypto-0.35.2-5.el8.x86_64 python3-msgpack-0.6.2-1.el8.x86_64
python3-psutil-5.4.3-11.el8.x86_64 python3-pycurl-7.43.0.2-4.el8.x86_64 python3-zmq-19.0.0-1.el8.x86_64 salt-3001.8-1.el8.noarch salt-master-3001.8-1.el8.noarch zeromq-4.3.4-2.el8.x86_64
Complete!
安装salt-minion
[root@10-8-58-159 ~]# yum install -y salt-minion
Last metadata expiration check: 0:00:17 ago on Mon 28 Feb 2022 05:15:12 PM HKT.
Dependencies resolved.
===============================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================================================================================================================================================
Installing:
salt-minion noarch 3001.8-1.el8 salt-py3-3001 43 k
Transaction Summary
===============================================================================================================================================================================================================================================================
Install 1 Package
Total download size: 43 k
Installed size: 72 k
Downloading Packages:
salt-minion-3001.8-1.el8.noarch.rpm 30 kB/s | 43 kB 00:01
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 30 kB/s | 43 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : salt-minion-3001.8-1.el8.noarch 1/1
Running scriptlet: salt-minion-3001.8-1.el8.noarch 1/1
Verifying : salt-minion-3001.8-1.el8.noarch 1/1
Installed:
salt-minion-3001.8-1.el8.noarch
Complete!
3. 更改配置文件
minion设置唯一标识加入master节点中。
vim /etc/salt/minion
# Set the location of the salt master server. If the master server cannot be
# resolved, then the minion will fail to start.
master: 127.0.0.1
---
# Explicitly declare the id for this minion to use, if left commented the id
# will be the hostname as returned by the python call: socket.getfqdn()
# Since salt uses detached ids it is possible to run multiple minions on the
# same machine but with different ids, this can be useful for salt compute
# clusters.
id: minion-01
4. 设置服务启动
systemctl start salt-master
systemctl start salt-minion
5. 同意key
[root@10-8-58-159 ~]# systemctl status salt-minion.service -l
● salt-minion.service - The Salt Minion
Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2022-02-28 17:19:37 HKT; 14s ago
Docs: man:salt-minion(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltstack.com/en/latest/contents.html
Main PID: 54987 (salt-minion)
Tasks: 8 (limit: 24787)
Memory: 70.2M
CGroup: /system.slice/salt-minion.service
├─54987 /usr/bin/python3.6 /usr/bin/salt-minion
├─54991 /usr/bin/python3.6 /usr/bin/salt-minion
└─54993 /usr/bin/python3.6 /usr/bin/salt-minion
Feb 28 17:19:36 10-8-58-159 systemd[1]: Starting The Salt Minion...
Feb 28 17:19:37 10-8-58-159 systemd[1]: Started The Salt Minion.
Feb 28 17:19:37 10-8-58-159 salt-minion[54987]: [ERROR ] The Salt Master has cached the public key for this node, this salt minion will wait for 10 seconds before attempting to re-authenticate
Feb 28 17:19:47 10-8-58-159 salt-minion[54987]: [ERROR ] The Salt Master has cached the public key for this node, this salt minion will wait for 10 seconds before attempting to re-authenticate
[root@10-8-58-159 ~]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion-01
Rejected Keys:
[root@10-8-58-159 ~]# salt-key -a minion-01
The following keys are going to be accepted:
Unaccepted Keys:
minion-01
Proceed? [n/Y] y
Key for minion minion-01 accepted.
[root@10-8-58-159 ~]# salt-key
Accepted Keys:
minion-01
Denied Keys:
Unaccepted Keys:
Rejected Keys:
6. 远程命令执行
[root@10-8-58-159 ~]# salt '*' test.ping
minion-01:
True
[root@10-8-58-159 ~]# salt '*' test.ping
minion-01:
True
2. salt的网络端口
salt master、minion 模型是需要与master进行连接的, 这些连接建立是从minion开始主动到master的。salt-master提供了两个服务。
4505:
事件发布订阅端口,常量访问链接。
4506:
数据有效负载和返回,文件服务或返回数据,仅连接为了提供数据。
1. 基础master配置
端口配置
/etc/salt/master.d/network.conf
# The network interface to bind to
interface: 192.0.2.20
# The Request/Reply port
ret_port: 4506
# The port minions bind to for commands, aka the publish port
publish_port: 4505
worker线程数配置:
如果集群有几千个minions,你的minion可能已经失速,master对于job的返回可能已经超时了。这可能意味着minions失败了,但是它不意味着master没有足够的进行去执行他。
默认限制5个worker,最低限制为3个worker。建议一个worker能够200minions,worker数不要超过机器1.5倍的cpu数。
/etc/salt/master.d/thread_options.conf
worker_threads: 5
3. 基础的minion配置
-
salt-minion 默认使用dns或者hostname 配置
-
默认配置文件
/etc/salt/minion、/etc/salt/minion.d/as.conf -
默认minion默认应该根据需要去设置
链接master
/etc/salt/minion.d/master.config
master: 192.0.2.20
声明minion id
/etc/salt/minion.d/id.conf
id: rebel_1
4. Salt key exchange
-
RSA
-
AES
1. salt-key
RSA key是salt主要的认证加密模型,所有的salt daemons都会有特有的RSA key。这个minions和master生成RSA key 当他们用于pki认证。
对互联网开放的master被视为安全漏洞。
在master机器使用salt-key命令接受minion的key,只有接受了key的minion才会纳入master的控制,salt-key的常用参数:
-A 接受所有的key
-a 接受指定的key
-D 删除所有的key
-d 删除指定的key
-L 显示管理中的key,默认参数
5. 基本参数
salt命令过滤minion的常用参数:
无 通配符过滤minion的ID,示例:salt '*' test.ping
-L 列表指定1个或多个minion的ID,示例:salt -L 'minion-01,minion-02' test.ping
-E 正则表达式过滤minion的ID,示例:salt -E 'minion-0[1-3]' test.ping
-G 通配符过滤minion的grains,grains是每个minion收集的系统信息,也可以自定义(需要开篇单讲),示例:salt -G 'os:centos' test.ping
-P 正则表达式过滤minion的grains
-I 通配符过滤minion的pillar,pillar是给每个minion自定义的变量(需要开篇单讲)
-J 正则表达式过滤minion的pillar
-C 组合使用上述参数,示例:salt -C '*02 and G@os:centos' test.ping
上述命令中的test.ping和cmd.run表示模块及其方法,可以在命令行通过sys模块查看各个模块和方法的说明:
注意:
sys.list_modules:是命令行可以用的。
sys.list_state_modules:是state (文件sls)中可以使用的。
sys.list_modules 列出命令行可用模块,示例:salt 'minion-01' sys.list_modules
sys.list_functions 列出命令行模块的所有方法,示例:salt 'minion-01' sys.list_functions cmd
sys.doc 显示命令行的模块或方法的说明,示例:salt 'minion-01' sys.doc cmd.run
sys.list_state_modules 列出state可用的模块
sys.list_state_functions 列出state模块的所有方法
sys.state_doc 显示state的模块或方法的说明
[root@10-8-58-159 ~]# salt ‘minion-01’ sys.doc cmd.run
cmd.run:
Execute the passed command and return the output as a string
:param str cmd: The command to run. ex: ls -lart /home
:param str cwd: The directory from which to execute the command. Defaults
to the home directory of the user specified by runas (or the user
under which Salt is running if runas is not specified).
:param str stdin: A string of standard input can be specified for the
command to be run using the stdin parameter. This can be useful in
cases where sensitive information must be read from standard input.
:param str runas: Specify an alternate user to run the command. The default
behavior is to run as the user under which Salt is running.
Warning:
For versions 2018.3.3 and above on macosx while using runas,
on linux while using run, to pass special characters to the
command you need to escape the characters on the shell.
Example:
cmd.run ‘echo ‘’‘h=“baz”’’’’ runas=macuser
:param str group: Group to run command as. Not currently supported
on Windows.
:param str password: Windows only. Required when specifying runas. This
parameter will be ignored on non-Windows platforms.
New in version 2016.3.0
:param str shell: Specify an alternate shell. Defaults to the system’s
default shell.
:param bool python_shell: If False, let python handle the positional
arguments. Set to True to use shell features, such as pipes or
redirection.
:param bool bg: If True, run command in background and do not await or
deliver its results
New in version 2016.3.0
:param dict env: Environment variables to be set prior to execution.
Note:
When passing environment variables on the CLI, they should be
passed as the string representation of a dictionary.
salt myminion cmd.run ‘some command’ env=’{“FOO”: “bar”}’
:param bool clean_env: Attempt to clean out all other shell environment
variables and set only those provided in the ‘env’ argument to this
function.
:param str prepend_path: P A T H s e g m e n t t o p r e p e n d ( t r a i l i n g ′ : ′ n o t n e c e s s a r y ) t o PATH segment to prepend (trailing ':' not necessary) to PATH segment to prepend (trailing ′:′ not necessary) to PATH
New in version 2018.3.0
:param str template: If this setting is applied then the named templating
engine will be used to render the downloaded file. Currently jinja,
mako, and wempy are supported.
:param bool rstrip: Strip all whitespace off the end of output before it is
returned.
:param str umask: The umask (in octal) to use when running the command.
:param str output_encoding: Control the encoding used to decode the
command’s output.
Note:
This should not need to be used in most cases. By default, Salt
will try to use the encoding detected from the system locale, and
will fall back to UTF-8 if this fails. This should only need to be
used in cases where the output of the command is encoded in
something other than the system locale or UTF-8.
To see the encoding Salt has detected from the system locale, check
the locale line in the output of :py:func:test.versions_report .
New in version 2018.3.0
:param str output_loglevel: Control the loglevel at which the output from
the command is logged to the minion log.
Note:
The command being run will still be logged at the debug
loglevel regardless, unless quiet is used for this value.
:param bool ignore_retcode: If the exit code of the command is nonzero,
this is treated as an error condition, and the output from the command
will be logged to the minion log. However, there are some cases where
programs use the return code for signaling and a nonzero exit code
doesn’t necessarily mean failure. Pass this argument as True to
skip logging the output if the command has a nonzero exit code.
:param bool hide_output: If True, suppress stdout and stderr in the
return data.
Note:
This is separate from output_loglevel, which only handles how
Salt logs to the minion log.
New in version 2018.3.0
:param int timeout: A timeout in seconds for the executed process to return.
:param bool use_vt: Use VT utils (saltstack) to stream the command output
more interactively to the console and the logs. This is experimental.
:param bool encoded_cmd: Specify if the supplied command is encoded.
Only applies to shell ‘powershell’.
:param bool raise_err: If True and the command has a nonzero exit code,
a CommandExecutionError exception will be raised.
Warning:
This function does not process commands through a shell
unless the python_shell flag is set to True. This means that any
shell-specific functionality such as ‘echo’ or the use of pipes,
redirection or &&, should either be migrated to cmd.shell or
have the python_shell=True flag set here.
The use of python_shell=True means that the shell will accept any input
including potentially malicious commands such as ‘good_command;rm -rf /’.
Be absolutely certain that you have sanitized your input prior to using
python_shell=True
:param list success_retcodes: This parameter will be allow a list of
non-zero return codes that should be considered a success. If the
return code returned from the run matches any in the provided list,
the return code will be overridden with zero.
New in version 2019.2.0
:param bool stdin_raw_newlines: False
If True, Salt will not automatically convert the characters \\n
present in the stdin value to newlines.
New in version 2019.2.0
CLI Example:
salt ‘*’ cmd.run “ls -l | awk ‘/foo/{print \$2}’”
The template arg can be set to ‘jinja’ or another supported template
engine to render the command arguments before execution.
For example:
salt ‘*’ cmd.run template=jinja “ls -l /tmp/{{grains.id}} | awk ‘/foo/{print \$2}’”
Specify an alternate shell with the shell parameter:
salt ‘*’ cmd.run "Get-ChildItem C:\ " shell=‘powershell’
A string of standard input can be specified for the command to be run using
the stdin parameter. This can be useful in cases where sensitive
information must be read from standard input.
salt ‘*’ cmd.run “grep f” stdin=‘one\ntwo\nthree\nfour\nfive\n’
If an equal sign (=) appears in an argument to a Salt command it is
interpreted as a keyword argument in the format key=val. That
processing can be bypassed in order to pass an equal sign through to the
remote shell command by manually specifying the kwarg:
salt ‘*’ cmd.run cmd=‘sed -e s/=/:/g’
