SaltStack deployment
Posted minger_lcm
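SaltStack supports many operating systems, including CentOS, RedHat, Debian, Ubuntu, FreeBSD, Solaris, Fedora, SuSE, Gentoo, Mac OS X and Arch Linux, as well as Windows (Minion only).
Environment: CentOS 6
server: 192.168.0.74
client: 192.168.0.78
Configure iptables and disable SELinux. Note that iptables -F flushes every firewall rule and setenforce 0 switches SELinux to permissive mode until the next reboot; the minions only need to reach the master on TCP ports 4505 and 4506.
    # iptables -F
    # setenforce 0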
Install the repository package on both the server and the client first.
I. Preparing to install SaltStack
    yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el6.noarch.rpm    # for CentOS 6
    yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
server:
    yum install salt-master
    yum install salt-minion -y
client:
    yum install salt-minion -y
Install tree
    yum install tree -y
Start salt-master
CentOS 7
    systemctl start salt-master
CentOS 6
    service salt-master start
Salt configuration files: master holds the master's configuration and minion holds the minion's configuration.
    # tree /etc/salt/
    /etc/salt/
    ├── cloud
    ├── cloud.conf.d
    ├── cloud.deploy.d
    ├── cloud.maps.d
    ├── cloud.profiles.d
    ├── cloud.providers.d
    ├── master
    ├── master.d
    ├── minion
    ├── minion.d
    ├── pki
    │   ├── master
    │   └── minion
    ├── proxy
    ├── proxy.d
    └── roster
Change the server's hostname
    # cat /etc/hostname
    salt-server-192.168.0.74
    # hostname salt-server-192.168.0.74
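II. Salt Minion configuration
    # vim /etc/salt/minion
    :set nu
    :16
    16 #master: salt        // defaults to "salt"; this can be an IP address or the server's hostname
    // uncomment it:
    master: 192.168.0.74
    :103
    103 #id:                // the client's id; if it is not set, the client server's hostname is used
If the id is not changed, the server's hostname is used as the minion id by default.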
Start salt-minion
CentOS 7
    # systemctl start salt-minion
CentOS 6
    # service salt-minion start
Starting the minion creates an additional minion_id file. Changing this id is not recommended; if you do need to change it, delete minion_id first, make the change, and restart the minion so that a new minion_id is generated.
    # ll
    total 128
    -rw-r-----. 1 root root  2624 Oct  5 00:02 cloud
    drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.conf.d
    drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.deploy.d
    drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.maps.d
    drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.profiles.d
    drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.providers.d
    -rw-r-----. 1 root root 49323 Oct  5 00:02 master
    drwxr-xr-x. 2 root root     6 Oct  5 06:29 master.d
    -rw-r-----. 1 root root 35312 Nov 17 23:56 minion
    drwxr-xr-x. 2 root root     6 Oct  5 06:29 minion.d
    -rw-r--r--. 1 root root    24 Nov 18 00:01 minion_id
    drwxr-xr-x. 4 root root    32 Nov 14 23:10 pki
    -rw-r-----. 1 root root 28002 Oct  5 00:02 proxy
    drwxr-xr-x. 2 root root     6 Oct  5 06:29 proxy.d
    -rw-r-----. 1 root root   344 Oct  5 00:02 roster
    # cat minion_id
    salt-server-192.168.0.74
On 192.168.0.78, edit the minion configuration and start the minion.
    vim /etc/salt/minion
    16 master: 192.168.0.74
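III. SaltStack authentication
Salt's data transfer is AES-encrypted, and the Master and Minion must authenticate before they communicate. Authentication is what provides the security; once it has completed, the Master can freely control the Minion to carry out its tasks.
- 1. On its first start, the minion automatically generates minion.pem (private key) and minion.pub (public key) under /etc/salt/pki/minion/, and then sends minion.pub to the master.
- 2. On its first start, the master automatically generates master.pem (private key) and master.pub (public key) under /etc/salt/pki/master. After receiving the minion's public key, the administrator accepts it with the salt-key command; the public key is then stored under /etc/salt/pki/master/minions on the master, in a file named after the minion id. The client keeps a copy of the master's public key in /etc/salt/pki/minion/minion_master.pub.
- 3. Once these two steps of verification are done, the master can send commands to the minion.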
Key authentication on the Master
    # tree
    .
    ├── cloud
    ├── cloud.conf.d
    ├── cloud.deploy.d
    ├── cloud.maps.d
    ├── cloud.profiles.d
    ├── cloud.providers.d
    ├── master
    ├── master.d
    ├── minion
    ├── minion.d
    ├── minion_id
    ├── pki
    │   ├── master
    │   │   ├── master.pem
    │   │   ├── master.pub
    │   │   ├── minions
    │   │   ├── minions_autosign
    │   │   ├── minions_denied
    │   │   ├── minions_pre
    │   │   │   ├── salt-minion-192.168.0.78
    │   │   │   └── salt-server-192.168.0.74
    │   │   └── minions_rejected
    │   └── minion
    │       ├── minion.pem
    │       └── minion.pub
    ├── proxy
    ├── proxy.d
    └── roster
Common salt-key options:
-a ACCEPT, --accept=ACCEPT Accept the following key
-A, --accept-all Accept all pending keys
-r REJECT, --reject=REJECT Reject the specified public key
-R, --reject-all Reject all pending keys
-d DELETE, --delete=DELETE Delete the named key
-D, --delete-all Delete all keys
-L List all hosts
Show all keys
    # salt-key
    Accepted Keys:
    Denied Keys:
    Unaccepted Keys:
    salt-minion-192.168.0.78
    salt-server-192.168.0.74
    Rejected Keys:
Accept a key: -a followed by the key's name
    # salt-key -a salt-server-192.168.0.74
    # salt-key
    Accepted Keys:
    salt-server-192.168.0.74
    Denied Keys:
    Unaccepted Keys:
    salt-minion-192.168.0.78
    Rejected Keys:
    // a glob also works
    # salt-key -a salt-server*
-A accepts all pending keys
    # salt-key -A
    The following keys are going to be accepted:
    Unaccepted Keys:
    salt-minion-192.168.0.78
    Proceed? [n/Y] Y
    Key for minion salt-minion-192.168.0.78 accepted.
    # salt-key
    Accepted Keys:
    salt-minion-192.168.0.78
    salt-server-192.168.0.74
    Denied Keys:
    Unaccepted Keys:
    Rejected Keys:
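Both salt-key -A and a glob passed to -a accept whatever key was submitted under a matching minion id, so it is worth checking each pending key against a copy you trust before accepting it. The following is an added example, not part of the original post: the function names, the trusted directory (each minion's minion.pub fetched over a channel you already trust, one file per minion id) and the placeholder key contents are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage pending minion keys instead of accepting them blindly.
# pending_dir = the master's minions_pre directory (see the tree above).
# trusted_dir = hypothetical directory holding each minion's minion.pub,
#               fetched over a channel you already trust, named by minion id.

# Prints "<VERDICT> <minion-id>" for every pending key:
#   MATCH     byte-identical to the trusted copy
#   MISMATCH  differs from the trusted copy (do not accept; investigate)
#   UNKNOWN   no trusted copy for this id (hold until verified)
triage_pending_keys() {
    local pending_dir="$1" trusted_dir="$2" key id
    for key in "$pending_dir"/*; do
        [ -f "$key" ] || continue          # skips the literal glob when empty
        id=${key##*/}
        if [ ! -f "$trusted_dir/$id" ]; then
            echo "UNKNOWN $id"
        elif cmp -s "$key" "$trusted_dir/$id"; then
            echo "MATCH $id"
        else
            echo "MISMATCH $id"
        fi
    done
}

# Only the ids that may be passed to `salt-key -a <id>`.
ids_safe_to_accept() {
    triage_pending_keys "$1" "$2" | awk '$1 == "MATCH" { print $2 }'
}

# Constructed sample data: placeholder key bodies, not real RSA keys.
make_demo() {
    local root="$1"
    mkdir -p "$root/minions_pre" "$root/trusted"
    echo "CONSTRUCTED-KEY-A" > "$root/minions_pre/salt-server-192.168.0.74"
    echo "CONSTRUCTED-KEY-A" > "$root/trusted/salt-server-192.168.0.74"
    echo "CONSTRUCTED-KEY-X" > "$root/minions_pre/salt-minion-192.168.0.78"
    echo "CONSTRUCTED-KEY-B" > "$root/trusted/salt-minion-192.168.0.78"
    echo "CONSTRUCTED-KEY-C" > "$root/minions_pre/unlisted-host"
}

demo_root=$(mktemp -d)
make_demo "$demo_root"
triage_pending_keys "$demo_root/minions_pre" "$demo_root/trusted"
rm -rf "$demo_root"
```

On a live system the same comparison can be done by fingerprint: salt-key -f <id> on the master shows the fingerprint of a pending key, and salt-call --local key.finger on the minion shows the fingerprint of its own key.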
After acceptance, the public keys are moved into the minions directory
    # tree
    .
    ├── cloud
    ├── cloud.conf.d
    ├── cloud.deploy.d
    ├── cloud.maps.d
    ├── cloud.profiles.d
    ├── cloud.providers.d
    ├── master
    ├── master.d
    ├── minion
    ├── minion.d
    │   └── _schedule.conf
    ├── minion_id
    ├── pki
    │   ├── master
    │   │   ├── master.pem
    │   │   ├── master.pub
    │   │   ├── minions
    │   │   │   ├── salt-minion-192.168.0.78
    │   │   │   └── salt-server-192.168.0.74
    │   │   ├── minions_autosign
    │   │   ├── minions_denied
    │   │   ├── minions_pre
    │   │   └── minions_rejected
    │   └── minion
    │       ├── minion_master.pub
    │       ├── minion.pem
    │       └── minion.pub
    ├── proxy
    ├── proxy.d
    └── roster
On 192.168.0.78:
    # tree
    .
    ├── cloud
    ├── cloud.conf.d
    ├── cloud.deploy.d
    ├── cloud.maps.d
    ├── cloud.profiles.d
    ├── cloud.providers.d
    ├── master
    ├── master.d
    ├── minion
    ├── minion.d
    │   └── _schedule.conf
    ├── minion_id
    ├── pki
    │   ├── master
    │   └── minion
    │       ├── minion_master.pub
    │       ├── minion.pem
    │       └── minion.pub
    ├── proxy
    ├── proxy.d
    └── roster