安装
1、准备
修改hosts
vim /etc/hosts
192.168.3.201 salt.wolf.com
192.168.3.49 slave01.wolf.com slave01
192.168.3.52 slave02.wolf.com slave02
修改主机名
2、安装
服务器端
yum install -y epel-release
yum install -y salt-master salt-minion
客户端
yum install -y epel-release
yum install -y salt-minion
3、修改配置文件
客户端修改
# vim /etc/salt/minion //在第16行添加,冒号后有一个空格
master: 服务器ip
4、启动
启动服务
/etc/init.d/salt-master start
/etc/init.d/salt-minion start
[root@node1 ~]# /etc/init.d/salt-master start
Starting salt-master daemon: [ OK ]
[root@node1 ~]# /etc/init.d/salt-minion start
Starting salt-minion daemon: [ OK ]
a) SaltStack是基于python进行开发,server端监听的是4505以及4506两个端口
b) SaltStack master启动后默认监听4505和4506两个端口。4505(publish_port)为saltstack的消息发布系统,4506(ret_port)为saltstack客户端与服务端通信的端口。
c) 如果使用lsof 查看4505端口,会发现所有的minion在4505端口持续保持在ESTABLISHED状态。
[root@salt master]# lsof -i :4505
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 8580 root 12u IPv4 42596 0t0 TCP *:4505 (LISTEN)
salt-mast 8580 root 14u IPv4 44141 0t0 TCP salt.wolf.com:4505->slave01.wolf.com:57918 (ESTABLISHED)
salt-mast 8580 root 15u IPv4 44253 0t0 TCP salt.wolf.com:4505->salt.wolf.com:56966 (ESTABLISHED)
salt-mast 8580 root 16u IPv4 44331 0t0 TCP salt.wolf.com:4505->slave02.wolf.com:50854 (ESTABLISHED)
salt-mini 9006 root 24u IPv4 44252 0t0 TCP salt.wolf.com:56966->salt.wolf.com:4505 (ESTABLISHED)
[root@master ~]# rpm -ql salt-master
/etc/rc.d/init.d/salt-master # salt-master服务器启动脚本
/etc/salt/master # salt master配置文件
/usr/bin/salt # salt master核心操作命令
/usr/bin/salt-cp # salt文件传输命令
/usr/bin/salt-key # salt证书管理命令
/usr/bin/salt-master # salt master服务命令
/usr/bin/salt-run # salt master runner命令
/usr/bin/salt-unity
/usr/share/man/man1/salt-cp.1.gz
/usr/share/man/man1/salt-key.1.gz
/usr/share/man/man1/salt-master.1.gz
/usr/share/man/man1/salt-run.1.gz
/usr/share/man/man1/salt-unity.1.gz
/usr/share/man/man7/salt.7.gz
[root@salt salt]# tree
.
├── master
├── minion
├── minion.d
│ └── _schedule.conf
├── minion_id
└── pki
├── master
│ ├── master.pem
│ ├── master.pub
│ ├── minions
│ │ ├── salt.wolf.com
│ │ ├── slave01.wolf.com
│ │ └── slave02.wolf.com
│ ├── minions_autosign
│ ├── minions_denied
│ ├── minions_pre
│ └── minions_rejected
└── minion
├── minion_master.pub
├── minion.pem
└── minion.pub
9 directories, 12 files
5、log配置
Master下修改直接生效
默认log /var/log/salt/
[root@salt ~]# cd /var/log/salt/
[root@salt salt]# ls
master minion
[root@salt salt]# cat master
[root@salt salt]# cat minion
默认目录主配置文件如下
##########################################
# The location of the master log file
# The master log can be sent to a regular file, local path name, or network
# location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
# ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
# format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility>
#log_file: /var/log/salt/master
#log_file: file:///dev/log
#log_file: udp://loghost:10514
#log_file: /var/log/salt/master
#key_logfile: /var/log/salt/key
# The level of messages to send to the console.
# One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
#
# The following log levels are considered INSECURE and may log sensitive data:
# ['garbage', 'trace', 'debug']
#
log_level: debug 修改为debug模式(注意: 上面配置文件的注释已说明 garbage/trace/debug 级别会记录敏感数据, 启动日志里也会出现 "Insecure logging configuration detected" 警告, 排查完成后应改回 warning 等较高级别)
重启看启动过程
/etc/init.d/salt-master restart
[root@salt ~]# tail -f /var/log/salt/master
2017-06-12 06:19:42,826 [salt.utils.verify][WARNING ][27356] Insecure logging configuration detected! Sensitive data may be logged.
2017-06-12 06:19:42,826 [salt.cli.daemons ][INFO ][27356] Setting up the Salt Master
2017-06-12 06:19:43,376 [salt.crypt ][DEBUG ][27356] Loaded master key: /etc/salt/pki/master/master.pem
2017-06-12 06:19:43,383 [salt.daemons.masterapi ][INFO ][27356] Preparing the root key for local communication
2017-06-12 06:19:43,384 [salt.daemons.masterapi ][DEBUG ][27356] Removing stale keyfile: /var/cache/salt/master/.root_key
2017-06-12 06:19:43,397 [salt.utils.process ][DEBUG ][27364] Created pidfile: /var/run/salt-master.pid
2017-06-12 06:19:43,398 [salt.cli.daemons ][INFO ][27364] The salt master is starting up
2017-06-12 06:19:43,407 [salt.utils.lazy ][DEBUG ][27364] LazyLoaded roots.envs
2017-06-12 06:19:43,424 [salt.utils.lazy ][DEBUG ][27364] Could not LazyLoad roots.init
2017-06-12 06:19:43,429 [salt.master ][INFO ][27364] salt-master is starting as user 'root'
2017-06-12 06:19:43,429 [salt.master ][INFO ][27364] Current values for max open files soft/hard setting: 1024/4096
2017-06-12 06:19:43,429 [salt.master ][INFO ][27364] The value for the 'max_open_files' setting, 100000, is higher than what the user running salt is allowed to raise to, 4096. Defaulting to 4096.
2017-06-12 06:19:43,429 [salt.master ][INFO ][27364] Raising max open files value to 4096
2017-06-12 06:19:43,429 [salt.master ][INFO ][27364] New values for max open files soft/hard
六、命令讲解
1、salt-key
salt-key --help
[root@salt salt]# salt-key --help
Usage: salt-key [options]
Salt key is used to manage Salt authentication keys
Options:
--version show program's version number and exit
--versions-report show program's dependencies version number and exit
-h, --help show this help message and exit
--saltfile=SALTFILE Specify the path to a Saltfile. If not passed, one
will be searched for in the current working directory
-c CONFIG_DIR, --config-dir=CONFIG_DIR
Pass in an alternative configuration directory.
Default: /etc/salt
-u USER, --user=USER Specify user to run salt-key
--hard-crash Raise any original exception rather than exiting
gracefully Default: False
-q, --quiet Suppress output
-y, --yes Answer Yes to all questions presented, defaults to 加上yes
False
--rotate-aes-key=ROTATE_AES_KEY
Setting this to False prevents the master from
refreshing the key session when keys are deleted or
rejected, this lowers the security of the key
deletion/rejection operation. Default is True.
Logging Options:
Logging options which override any settings defined on the
configuration files.
--log-file=LOG_FILE
Log file path. Default: /var/log/salt/key.
--log-file-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of 'all', 'garbage',
'trace', 'debug', 'info', 'warning', 'error',
'critical', 'quiet'. Default: 'warning'.
Output Options:
Configure your preferred output format
--out=OUTPUT, --output=OUTPUT
Print the output from the 'salt-key' command using the
specified outputter. The builtins are 'key', 'yaml',
'overstatestage', 'newline_values_only', 'txt', 'raw',
'no_return', 'virt_query', 'compact', 'json',
'highstate', 'nested', 'quiet', 'pprint'.
--out-indent=OUTPUT_INDENT, --output-indent=OUTPUT_INDENT
Print the output indented by the provided value in
spaces. Negative values disables indentation. Only
applicable in outputters that support indentation.
--out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE
Write the output to the specified file
--out-file-append, --output-file-append
Append the output to the specified file
--no-color, --no-colour
Disable all colored output
--force-color, --force-colour
Force colored output
--state-output=STATE_OUTPUT, --state_output=STATE_OUTPUT
Override the configured state_output value for minion
output. One of full, terse, mixed, changes or filter.
Default: full.
Actions:
-l ARG, --list=ARG List the public keys. The args "pre", "un", and
"unaccepted" will list unaccepted/unsigned keys. "acc"
or "accepted" will list accepted/signed keys. "rej" or
"rejected" will list rejected keys. "den" or "denied"
will list denied keys. Finally, "all" will list all
keys.
-L, --list-all List all public keys. (Deprecated: use "--list all") 列出所有key请求
-a ACCEPT, --accept=ACCEPT 允许一个客户端
Accept the specified public key (use --include-all to
match rejected keys in addition to pending keys).
Globs are supported.
-A, --accept-all Accept all pending keys 允许所有客户端
-r REJECT, --reject=REJECT 拒绝
Reject the specified public key (use --include-all to
match accepted keys in addition to pending keys).
Globs are supported.
-R, --reject-all Reject all pending keys 拒绝所有
--include-all Include non-pending keys when accepting/rejecting
-p PRINT, --print=PRINT
Print the specified public key
-P, --print-all Print all public keys
-d DELETE, --delete=DELETE 删除一个
Delete the specified key. Globs are supported.
-D, --delete-all Delete all keys 删除所有
-f FINGER, --finger=FINGER
Print the specified key's fingerprint
-F, --finger-all Print all keys' fingerprints
Key Generation Options:
--gen-keys=GEN_KEYS
Set a name to generate a keypair for use with salt
--gen-keys-dir=GEN_KEYS_DIR
Set the directory to save the generated keypair, only
works with "gen_keys_dir" option; default=.
--keysize=KEYSIZE Set the keysize for the generated key, only works with
the "--gen-keys" option, the key size must be 2048 or
higher, otherwise it will be rounded up to 2048; ;
default=2048
--gen-signature Create a signature file of the masters public-key
named master_pubkey_signature. The signature can be
send to a minion in the masters auth-reply and enables
the minion to verify the masters public-key
cryptographically. This requires a new signing-key-
pair which can be auto-created with the --auto-create
parameter
--priv=PRIV The private-key file to create a signature with
--signature-path=SIGNATURE_PATH
The path where the signature file should be written
--pub=PUB The public-key file to create a signature for
--auto-create Auto-create a signing key-pair if it does not yet
exist
You can find additional help about salt-key issuing "man salt-key" or on
[root@salt ~]# salt-key -a nginx
The following keys are going to beaccepted:
Unaccepted Keys:
nginx
Proceed? [n/Y] y
Key for minion nginx accepted.
[root@salt ~]# salt-key -A nginx -y
The following keys are going to beaccepted:
Unaccepted Keys:
node1
slave02.wolf.com
Key for minion node1 accepted.
Key for minion slave02.wolf.com accepted.
注: 按上面帮助的说明, -A/--accept-all 是接受所有待认证的 key, 与后面写的 nginx 参数无关(这里实际接受的是 node1 和 slave02.wolf.com 两台); 接受前建议先用 salt-key -f/-F 核对 minion 的指纹, 确认是预期的主机再接受。
2、批量ping
[root@salt ~]# salt '*' test.ping
nginx:
True
node1:
True
slave02.wolf.com:
True
3、加入的主机
[root@salt ~]# salt-key
Accepted Keys:
nginx
node1
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@salt ~]#
[root@salt ~]# salt-key -L
Accepted Keys:
nginx
node1
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
4、实际操作修改主机名
当别的项目送过来的机器,需要修改主机名加入salt进行管理
a、 先修改主机名
b、 然后清空文件
[root@slave01 salt]# ls
minion minion.d minion_id pki
[root@slave01 salt]# cat minion_id
nginx[root@slave01 salt]# >minion_id
[root@slave01 salt]# /etc/init.d/salt-minion restart
Stopping salt-minion daemon: [ OK ]
Starting salt-minion daemon: [ OK ]
[root@slave01 salt]#
c、再到服务器端查看
[root@salt ~]# salt-key -L
Accepted Keys:
nginx
node1
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
slave01.wolf.com
Rejected Keys:
[root@salt ~]#
先从服务器上删除,然后客户端操作
[root@salt salt]# salt-key
Accepted Keys:
nginx
node1
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
slave01.wolf.com
Rejected Keys:
[root@salt salt]# salt-key -d node1
The following keys are going to be deleted:
Accepted Keys:
node1
Proceed? [N/y] y
Key for minion node1 deleted.
[root@salt salt]# salt-key -d nginx
The following keys are going to be deleted:
Accepted Keys:
nginx
Proceed? [N/y] y
Key for minion nginx deleted.
再重启,查看正常了
[root@salt salt]# /etc/init.d/salt-master restart
[root@salt salt]# /etc/init.d/salt-minion restart
[root@salt salt]# salt-key
Accepted Keys:
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
salt.wolf.com
slave01.wolf.com
Rejected Keys:
重新加入主机
[root@salt salt]# salt-key
Accepted Keys:
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
salt.wolf.com
slave01.wolf.com
Rejected Keys:
[root@salt salt]# salt-key -A nginx -y
The following keys are going to beaccepted:
Unaccepted Keys:
salt.wolf.com
slave01.wolf.com
Key for minion node1 accepted.
Key for minion salt.wolf.com accepted.
Key for minion slave01.wolf.com accepted.
[root@salt salt]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@salt salt]# salt '*' test.ping
slave01.wolf.com:
True
salt.wolf.com:
True
slave02.wolf.com:
True
5、彻底删除
[root@salt salt]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@salt salt]# pwd
/etc/salt
[root@salt salt]# ls
master minion minion.d minion_id pki
[root@salt salt]# rm -rf minion_id pki/
注: 这里是在 master 主机上执行, 前面的 tree 输出显示 pki/ 下同时有 master/(master.pem、master.pub)和 minion/ 两个目录, 所以该命令会连 master 的密钥对一起删掉, master 重启后会重新生成密钥; 其他 minion 本地缓存的 minion_master.pub 若与新密钥不一致, 可能也需要一并清除后再重启 minion。
[root@salt salt]# /etc/init.d/sa
salt-master salt-minion sandbox saslauthd
[root@salt salt]# /etc/init.d/sa
salt-master salt-minion sandbox saslauthd
[root@salt salt]# /etc/init.d/salt-minion restart
Stopping salt-minion daemon: [ OK ]
Starting salt-minion daemon: [ OK ]
[root@salt salt]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@salt salt]# /etc/init.d/salt-master restart
[root@salt salt]# /etc/init.d/salt-minion restart
Stopping salt-minion daemon: [FAILED]
Starting salt-minion daemon: [ OK ]
[root@salt salt]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Rejected Keys:
[root@salt salt]# salt-key -A salt.wolf.com -y
The following keys are going to beaccepted:
Unaccepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Key for minion salt.wolf.com accepted.
Key for minion slave01.wolf.com accepted.
Key for minion slave02.wolf.com accepted.
6、总结一下老主机重新加入问题
a、客户端需要清除
/etc/salt/minion_id
b、删除这个目录
/etc/salt/pki
重启客户端
master上剔掉
salt-key -d 主机名 -y
c、 缓存问题
缓存位置/etc/salt/pki/下有几个目录
[root@salt master]# ls
master.pem master.pub minions minions_autosign minions_denied minions_pre minions_rejected
[root@salt salt]# cd pki
[root@salt pki]# ls
master minion
[root@salt pki]# cd master/
[root@salt master]# ls
master.pem master.pub minions minions_autosign minions_denied minions_pre minions_rejected
[root@salt master]# tree
.
├── master.pem
├── master.pub
├── minions 放已认证的key
│ ├── salt.wolf.com
│ ├── slave01.wolf.com
│ └── slave02.wolf.com
├── minions_autosign
├── minions_denied 拒绝的主机key
├── minions_pre 未认证的
└── minions_rejected
5 directories, 5 files
已认证的key
[root@salt master]# cd minions
[root@salt minions]# ls
salt.wolf.com slave01.wolf.com slave02.wolf.com
识别每个目录的作用,手动实验查看目录作用
[root@salt master]# ls
master.pem master.pub minions minions_autosign minions_denied minions_pre minions_rejected
[root@salt master]# ll minions
total 12
-rw-r--r-- 1 root root 451 Jun 12 07:52 salt.wolf.com
-rw-r--r-- 1 root root 451 Jun 12 07:52 slave01.wolf.com
-rw-r--r-- 1 root root 451 Jun 12 07:52 slave02.wolf.com
[root@salt master]# cp minions/salt.wolf.com minions_autosign/
[root@salt master]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@salt master]# cp minions/salt.wolf.com minions_denied/
[root@salt master]# salt-ke
-bash: salt-ke: command not found
[root@salt master]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
salt.wolf.com
Unaccepted Keys:
Rejected Keys:
[root@salt master]# cp minions/salt.wolf.com minions_pre
[root@salt master]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
salt.wolf.com
Unaccepted Keys:
salt.wolf.com
Rejected Keys:
[root@salt master]# cp minions/salt.wolf.com minions_rejected/
[root@salt master]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
salt.wolf.com
Unaccepted Keys:
salt.wolf.com
Rejected Keys:
salt.wolf.com
从上面的实验可以看出, salt-key 显示的状态就是由 /etc/salt/pki/master/ 下各目录里的文件决定的, 往 minions 目录放入一个 key 文件即等同于接受该 minion; 因此这个目录的写权限要和 root 权限同样保护, 并避免被其他用户写入。