Environment setup
Lab environment
Primary master: 4 cores, 8 GB RAM, IP: 10.0.0.10
Syndic node (optional): 2 cores, 4 GB RAM, IP: 10.0.0.20
Minion node: 10.0.0.30
Salt can run on any Unix-like operating system that meets the following requirements.
Python >= 2.7, < 3.0
msgpack-python - High-performance message interchange format
YAML - Python YAML bindings
Jinja2 - parsing Salt States (configurable in the master settings)
MarkupSafe - Implements a XML/HTML/XHTML Markup safe string for Python
apache-libcloud - Python lib for interacting with many of the popular cloud service providers using a unified API
Requests - HTTP library
Tornado - Web framework and asynchronous networking library
futures - Backport of the concurrent.futures package from Python 3.2
Depending on the chosen transport, ZeroMQ (default) or RAET, the dependencies vary:
ZeroMQ:
ZeroMQ >= 3.2.0
pyzmq >= 2.2.0 - ZeroMQ Python bindings
PyCrypto - The Python cryptography toolkit
RAET:
libnacl - Python bindings to libsodium
ioflo - The flo programming interface raet and salt-raet is built on
RAET - The worlds most awesome UDP protocol
1) Configure the package repository
Official documentation: https://docs.saltstack.com/en/latest/
Latest stable release: 2019.2.0
Version installed here: [the last release that still supports CentOS/RHEL 5]
Fetch the repository package from the Internet:
# yum install https://repo.saltstack.com/yum/redhat/salt-repo-2016.11-2.el7.noarch.rpm
# yum clean all && yum makecache
2) Install salt-master
# yum install salt-master
Start salt-master and enable it at boot:
# systemctl start salt-master
# systemctl enable salt-master
3) Install salt-syndic
Install salt-syndic (the salt-master package is required on the syndic node as well):
# yum install salt-syndic salt-master
Edit the syndic node's configuration file /etc/salt/master:
order_masters: True
syndic_master: 10.0.0.10
Start salt-syndic and enable it at boot:
# systemctl start salt-master salt-syndic
# systemctl enable salt-master salt-syndic
4) Install salt-minion
Install salt-minion:
# yum install salt-minion
Configure the minion node in /etc/salt/minion:
master: [IP address of the master or syndic node]
id: [minion id; this name becomes the key under which the minion authenticates to the master or syndic]
Start salt-minion and enable it at boot:
# systemctl start salt-minion
# systemctl enable salt-minion
Installing salt-minion on Windows
5) Install salt-api
Install it on the management node that needs to expose the API.
Install salt-api together with its dependencies:
# yum install salt-api python-cherrypy pyOpenSSL salt-minion
Generate a self-signed certificate locally (in production you can also purchase a certificate):
# salt-call --local tls.create_self_signed_cert
1. Create the API configuration file
# vi /etc/salt/master.d/rest_api.conf
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key
2. Create the API account (test account paic)
# useradd -M -s /sbin/nologin paic
# echo "xxxxx" | passwd paic --stdin
3. Configure authentication permissions for the API account
# vi /etc/salt/master.d/eauth.conf
external_auth:
  pam:
    paic:
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'
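The entry above grants paic every execution module (`.*`) on every minion plus `@wheel`, so anyone holding that password can accept keys and run arbitrary commands across the whole fleet. As an added example that is not part of the original page, the script below writes a tighter variant of the same external_auth block and checks that the wildcard did not slip back in; the target glob `web-*`, the function list and the temp file path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: write a least-privilege variant of the
# page's external_auth entry. The page grants paic ".*" plus @wheel/@runner/@jobs;
# this variant limits the account to one target glob and a few functions.
# Target glob, function list and file path are assumptions for illustration.

write_eauth_conf() {
    # $1: destination file (the page uses /etc/salt/master.d/eauth.conf)
    cat > "$1" <<'EOF'
external_auth:
  pam:
    paic:
      # only minions whose id starts with "web-" ...
      - 'web-*':
        # ... and only these functions, not ".*"
        - test.ping
        - state.apply
      # job lookup is harmless; the wheel (key management) group is deliberately left out
      - '@jobs'
EOF
}

# Sanity check on a written file: fails if the ".*" wildcard or '@wheel' is present.
eauth_is_restricted() {
    ! grep -Eq "^[[:space:]]*- '?\.\*'?|@wheel" "$1"
}

demo() {
    tmp="${TMPDIR:-/tmp}/eauth.conf.$$"
    write_eauth_conf "$tmp"
    if eauth_is_restricted "$tmp"; then echo "restricted"; else echo "too broad"; fi
    rm -f "$tmp"
}

demo
```

The per-target form (`- 'web-*':` followed by a list of functions) is the syntax Salt's external_auth uses to scope an account to a minion glob; `@jobs` stays so the account can still look up the jobs it started.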
Restart salt-master so the API configuration takes effect, then start salt-api and enable it at boot:
# systemctl restart salt-master
# systemctl start salt-api
# systemctl enable salt-api
Obtain a token to verify the setup:
curl -X GET -k https://10.0.0.10:8000/ -d username='paic' -d password='xxxxx' -d eauth='pam' |python -mjson.tool
Once a token is obtained, its default validity is 12 hours:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 183 100 146 100 37 1805 457 --:--:-- --:--:-- --:--:-- 1825
{
    "clients": [
        "local",
        "local_async",
        "local_batch",
        "local_subset",
        "runner",
        "runner_async",
        "ssh",
        "wheel",
        "wheel_async"
    ],
    "return": "Welcome"
}
```
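The reply above is the index page of rest_cherrypy, which lists the available clients; the token itself comes from a POST to /login and is then sent in the X-Auth-Token header instead of resending the password. As an added example that is not part of the original page, the script below performs that login, extracts the token from the JSON reply and uses it for a test.ping call; the API address and the paic/pam account come from the page, while the sample login reply and its token value are constructed for the offline demo.

```shell
#!/bin/sh
# Added example, not from the original page: log in to salt-api (rest_cherrypy),
# pull the token out of the /login reply and reuse it for a follow-up request.
# Assumptions: API at https://10.0.0.10:8000 and account paic with eauth=pam, as on the page.

API_URL="${API_URL:-https://10.0.0.10:8000}"

# Token from a /login reply: it sits at return[0].token. The sed pipeline is a minimal
# parser for that known shape; prefer jq when it is installed.
extract_token() {
    printf '%s' "$1" | tr -d '\n' | sed -n 's/.*"token": *"\([A-Za-z0-9]*\)".*/\1/p'
}

# POST /login (GET / only returns the "Welcome" index shown on the page).
api_login() {
    # $1: username, $2: password
    curl -sS -k "$API_URL/login" \
        -d username="$1" -d password="$2" -d eauth=pam
}

# Run an execution module on minions, authenticating with the token only.
api_run() {
    # $1: token, $2: target, $3: function
    curl -sS -k "$API_URL/" \
        -H "X-Auth-Token: $1" \
        -d client=local -d tgt="$2" -d fun="$3"
}

# Constructed sample /login reply: same shape as the real one, token value invented.
SAMPLE_LOGIN='{"return": [{"token": "c7a9b3f0e1d24a5b8c6d7e8f9a0b1c2d3e4f5a6b", "expire": 1556000000.0, "start": 1555956800.0, "user": "paic", "eauth": "pam", "perms": [".*", "@wheel", "@runner", "@jobs"]}]}'

demo_extract() {
    extract_token "$SAMPLE_LOGIN"
}

if [ "${1:-}" = "live" ]; then
    # Live run: password read from the environment so it does not land in shell history.
    TOKEN=$(extract_token "$(api_login paic "$SALT_PASSWORD")")
    api_run "$TOKEN" '*' test.ping
else
    echo "token from sample reply: $(demo_extract)"
fi
```

Run it with `SALT_PASSWORD=... ./script.sh live` against the lab master; without arguments it only exercises the parser on the constructed reply. Note that `-k` skips certificate verification, which is only acceptable here because the page uses a self-signed certificate on a lab host.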
1. The first salt command: test.ping
Check connectivity to all currently managed nodes:
# salt '*' test.ping
vm-000054.cs1cloud.internal:
True
vm-000055.cs1cloud.internal:
True
vm-000055.cs1cloud.internal:
True
WIN-OVVCLTITFUC.cs1cloud.internal:
True
vm-000096.cs1cloud.internal:
Minion did not return. [Not connected]
vm-000034.cs1cloud.internal:
Minion did not return. [Not connected]
vm-000100.cs1cloud.internal:
Minion did not return. [Not connected]
OOPS~ three of your nodes are down; go and find the cause on those minion nodes.
2. salt-key
The key authentication process between master and minion
Minion:
After the minion is installed and started, a minion_id file is created under /etc/salt/. If the master IP address is set in the minion configuration before the first start,
the minion's public and private keys (minion.pem, minion.pub) are generated under /etc/salt/pki/minion/.
Once the master has accepted the minion, this directory also receives a copy of the master's public key (minion_master.pub) alongside the minion's own key pair.
Master:
After the master is installed and started, master.pem and master.pub are generated under /etc/salt/pki/master/. When a minion starts and connects,
a file named after the minion's hostname (its minion id) appears under /etc/salt/pki/master/minions_pre/. Once the key is accepted, that entry disappears from minions_pre
and a file with the minion's id appears under /etc/salt/pki/master/minions/, which means authentication succeeded.
What if a minion's hostname has to be changed? (It looks simple, but it comes up often in production and is easy to get wrong. Once you understand the principle above, it's easy!)
1. First, on the master, delete the key for the hostname that is being changed
`# salt-key -d <minion-hostname> -y`
2. Then on the minion
`# cd /etc/salt && rm -rf minion_id pki/`
(Although pki/ is deleted here and regenerated when the minion restarts, that is not actually necessary; deleting just the master's public key is enough: # rm -f pki/minion_master.pub)
Note: when changing the hostname, make sure the corresponding IP address is updated as well!
List the keys currently known to this master:
# salt-key -L
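Because a key that is accepted into minions/ is trusted for every command the master sends, the step that deserves care is accepting it: compare the fingerprint the master shows for the pending key (`salt-key -f <id>`) with the one the minion prints for itself (`salt-call --local key.finger`) before running `salt-key -a`. As an added example that is not part of the original page, the script below parses the `salt-key -f` listing and only accepts when both values agree; the sample listing is constructed (the hostname is taken from the test.ping output on the page, the fingerprint value is invented).

```shell
#!/bin/sh
# Added example, not from the original page: accept a pending minion key only after
# its fingerprint matches the value the minion reports for itself.
# Master side: "salt-key -f <id>"; minion side: "salt-call --local key.finger".
# The sample listing below is constructed; the fingerprint is invented.

# Parse "<id>:  <fingerprint>" lines as printed by "salt-key -f" and return the
# fingerprint for one minion id (empty when the id is not listed).
fingerprint_for() {
    # $1: salt-key -f output, $2: minion id
    printf '%s\n' "$1" | awk -v id="$2:" '$1 == id { print $2; exit }'
}

# True only when both values are present and identical.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live workflow: verify against the value read on the minion, then accept with salt-key -a.
accept_after_verify() {
    # $1: minion id, $2: fingerprint shown by "salt-call --local key.finger" on that minion
    pending=$(fingerprint_for "$(salt-key -f "$1")" "$1")
    if fingerprints_match "$pending" "$2"; then
        salt-key -a "$1" -y
    else
        echo "fingerprint mismatch for $1: master sees '$pending', minion reported '$2'" >&2
        return 1
    fi
}

# Constructed sample of "salt-key -f vm-000054.cs1cloud.internal" output.
SAMPLE_KEYS='Unaccepted Keys:
vm-000054.cs1cloud.internal:  2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3c'

demo() {
    got=$(fingerprint_for "$SAMPLE_KEYS" vm-000054.cs1cloud.internal)
    if fingerprints_match "$got" "2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3c"; then
        echo "match: safe to run salt-key -a"
    else
        echo "mismatch: do not accept"
    fi
}

if [ "${1:-}" = "live" ]; then
    accept_after_verify "$2" "$3"
else
    demo
fi
```

Usage on the master: `./script.sh live vm-000054.cs1cloud.internal <fingerprint read on the minion>`. The same comparison in the other direction (the master's fingerprint from `salt-key -F` placed in the minion's `master_finger` setting) protects the minion from connecting to an impostor master.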
3. cmd.run
From the master, salt can run a given command on minion nodes through the cmd module; the format is
# salt 'key-name' cmd.run 'command'
key-name can be matched with a regular expression, or a list of names can be passed with the -L option:
# salt -L 'key-name1,key-name2,key-name3' cmd.run 'command'
Targets can also be matched on machine facts through Grains. For example, match the servers whose OS is CentOS and check their time synchronization status:
# salt -G 'os:centos' cmd.run 'ntpq -p'
The ultimate weapon: compound matching:
# salt -C 'webserv* and G@os:Debian or E@db*' cmd.run 'command'
4. state.sls
The state module lets you write state files (Salt's equivalent of playbooks) in advance for each application scenario and then execute them as batch operations.
Below are several state projects recommended in the official SaltStack documentation:
https://github.com/blast-hardcheese/blast-salt-states
https://github.com/kevingranade/kevingranade-salt-state
https://github.com/uggedal/states
https://github.com/mattmcclean/salt-openstack/tree/master/salt
https://github.com/rentalita/ubuntu-setup/
https://github.com/brutasse/states
https://github.com/bclermont/states
https://github.com/pcrews/salt-data