Install the EPEL repository (needed on both the master and the minion):

[root@c02 src]# wget http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@c02 src]# rpm -ihv epel-release-6-8.noarch.rpm

Also install the RPMforge repository, because the EPEL repository for RHEL 6 / CentOS 6 does not carry python-jinja2 (a Salt dependency).

Hosts used below:
salt-master: 10.100.0.74
salt-minion: 10.100.0.61

Master side:

[root@salt-master ~]# yum install salt-master
[root@salt-master ~]# chkconfig salt-master on
[root@salt-master ~]# chkconfig --list | grep salt-master
salt-master     0:off 1:off 2:on 3:on 4:on 5:on 6:off

Minion side:

[root@salt-minion ~]# yum install salt-minion -y
[root@salt-minion ~]# chkconfig salt-minion on
[root@salt-minion ~]# chkconfig --list | grep salt-minion
salt-minion     0:off 1:off 2:on 3:on 4:on 5:on 6:off

Files installed by salt-master:

[root@salt-master ~]# rpm -ql salt-master
/etc/rc.d/init.d/salt-master
/etc/salt/master
/usr/bin/salt
/usr/bin/salt-cp
/usr/bin/salt-key
/usr/bin/salt-master
/usr/bin/salt-run
/usr/bin/salt-unity
/usr/share/man/man1/salt-cp.1.gz
/usr/share/man/man1/salt-key.1.gz
/usr/share/man/man1/salt-master.1.gz
/usr/share/man/man1/salt-run.1.gz
/usr/share/man/man1/salt-unity.1.gz
/usr/share/man/man7/salt.7.gz

Back up the original configuration file:

[root@salt-master ~]# cp /etc/salt/master /etc/salt/master.bak

Uncomment the following lines. The base: and - lines must stay indented under file_roots: and pillar_roots: (the file is YAML); without the leading spaces salt-master fails to start with a parse error.

[root@salt-master ~]# egrep -v "^#|^$" /etc/salt/master
file_roots:
  base:
    - /srv/salt/
pillar_roots:
  base:
    - /srv/pillar
[root@salt-master ~]# /etc/init.d/salt-master start
Starting salt-master daemon:                               [  OK  ]

Files installed by salt-minion:

[root@salt-minion ~]# rpm -ql salt-minion
/etc/rc.d/init.d/salt-minion
/etc/salt/minion
/usr/bin/salt-call
/usr/bin/salt-minion
/usr/share/man/man1/salt-call.1.gz
/usr/share/man/man1/salt-minion.1.gz

Back up the original file:

[root@salt-minion ~]# cp /etc/salt/minion /etc/salt/minion.bk

On line 16 of /etc/salt/minion, uncomment master: and set it to the master's IP address or hostname. If you use a hostname, make sure it resolves (here via /etc/hosts):

[root@salt-minion ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.100.0.74 salt-master
[root@salt-minion ~]# egrep -v "^#|^$" /etc/salt/minion
master: salt-master
[root@salt-minion ~]# /etc/init.d/salt-minion start
Starting salt-minion daemon:                               [  OK  ]

Master side: list the key state of every minion that has contacted the master:

[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion
Rejected Keys:

Accept the salt-minion key:

[root@salt-master ~]# salt-key -a salt-minion
The following keys are going to be accepted:
Unaccepted Keys:
salt-minion
Proceed? [n/Y] y
Key for minion salt-minion accepted.
[root@salt-master ~]# salt-key -L
Accepted Keys:
salt-minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:

salt-key -A accepts every key in the Unaccepted state. Accepting a key is what grants that host the right to receive jobs and pillar data, so use -A only when you know every pending ID belongs to a host you provisioned; for anything else, accept IDs one at a time after comparing the fingerprint shown by salt-key -f <id> with the one the minion itself reports.

Delete a minion's key (salt-key -d removes the key outright; salt-key -r instead moves a pending key to Rejected):

[root@salt-master ~]# salt-key -d salt-minion
The following keys are going to be deleted:
Accepted Keys:
salt-minion
Proceed? [N/y] y
Key for minion salt-minion deleted.
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:

Delete all keys:

[root@salt-master ~]# salt-key -D

To re-enrol a minion after its key has been deleted on the master:
1. On the minion, stop salt-minion: /etc/init.d/salt-minion stop
2. Still on the minion, delete the /etc/salt/pki directory and start salt-minion again.

[root@salt-minion ~]# tree /etc/salt/
/etc/salt/
├── minion
├── minion.bk
├── minion.d
│   └── _schedule.conf
├── minion_id
└── pki
    └── minion
        ├── minion_master.pub
        ├── minion.pem
        └── minion.pub

3 directories, 7 files
[root@salt-minion ~]# /etc/init.d/salt-minion stop
Stopping salt-minion daemon:                               [  OK  ]
[root@salt-minion ~]# rm -rf /etc/salt/pki/
[root@salt-minion ~]# /etc/init.d/salt-minion start
Starting salt-minion daemon:                               [  OK  ]

Note that removing /etc/salt/pki also discards minion_master.pub, the minion's cached copy of the master's public key. With the cache gone the minion will trust whichever master answers at the configured master: address on its next start, so do this only on a network where you control that address.

List the key state again:

[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion
Rejected Keys:

salt-minion is back in Unaccepted Keys. Accept it (the -y flag skips the confirmation prompt):

[root@salt-master ~]# salt-key -a salt-minion -y
The following keys are going to be accepted:
Unaccepted Keys:
salt-minion
Key for minion salt-minion accepted.
[root@salt-master ~]# salt-key -L
Accepted Keys:
salt-minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:

File distribution:

[root@salt-master salt]# salt-cp '*' /etc/hosts /
{'salt-minion': {'/hosts': True}}

This method is not recommended (note that with / as the destination the file lands at /hosts on the minion, not at /etc/hosts).
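The acceptance step above is the trust decision for the whole deployment, so here is an added example (not part of the original post) of accepting a pending key only after its fingerprint matches a value obtained from the minion out of band (for instance from salt-call --local key.finger on the minion, copied by hand). It assumes the master's pki layout shown on this page (pending keys under minions_pre/<id>) and that the fingerprint is the md5 of the PEM file bytes written as colon-separated pairs, which is what salt-key -f printed with the default hash_type on the Salt releases of this era; the "public key" it creates is a constructed placeholder, not a real PEM.

```shell
#!/bin/sh
# Added example: verify a pending minion key's fingerprint before accepting it.
# Assumption: fingerprint = md5 of the PEM file, colon-separated (default
# hash_type md5 on Salt releases of this era). The key material used in the
# demo at the bottom is constructed placeholder text, not a real PEM.

# Salt-style fingerprint of a key file, e.g. "0b:ee:89:...".
pem_finger() {
    md5sum "$1" | awk '{ print $1 }' | sed 's/../&:/g; s/:$//'
}

# Compare the pending key for $2 under pki dir $1 with the expected fingerprint $3.
# Prints match / mismatch / missing and returns 0 / 2 / 1 accordingly.
verify_pending() {
    pki_dir=$1; minion_id=$2; expected=$3
    pending="$pki_dir/minions_pre/$minion_id"
    if [ ! -f "$pending" ]; then
        echo missing; return 1
    fi
    actual=$(pem_finger "$pending")
    if [ "$actual" = "$expected" ]; then
        echo match; return 0
    fi
    echo mismatch; return 2
}

# Accept only on a match; on a mismatch reject the key so it cannot sit in
# minions_pre waiting for a careless `salt-key -A`. Needs a real master.
accept_if_verified() {
    case $(verify_pending "$@") in
        match)    salt-key -a "$2" -y ;;
        mismatch) salt-key -r "$2" -y ;;
        *)        echo "no pending key for $2" >&2; return 1 ;;
    esac
}

# Constructed demo: a throwaway pki tree with a placeholder "public key".
demo_pki=$(mktemp -d)
mkdir -p "$demo_pki/minions_pre"
printf 'CONSTRUCTED PLACEHOLDER PUBLIC KEY, NOT A REAL PEM\n' > "$demo_pki/minions_pre/salt-minion"
good=$(pem_finger "$demo_pki/minions_pre/salt-minion")
printf 'correct fingerprint: %s\n' "$(verify_pending "$demo_pki" salt-minion "$good")"
printf 'wrong fingerprint:   %s\n' "$(verify_pending "$demo_pki" salt-minion 00:11:22:33)"
rm -rf "$demo_pki"
```

On a real master, call accept_if_verified /etc/salt/pki/master <minion-id> <fingerprint-from-the-minion>. If your master is configured with a different hash_type, swap md5sum for the matching coreutils tool (sha256sum and so on) in pem_finger.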
Check that the master can talk to the minions; a single minion can also be targeted by its id:

[root@salt-master minions]# salt '*' test.ping
salt-minion:
    True
DB:
    True
[root@salt-master minions]# salt 'DB' test.ping
DB:
    True

Run a command remotely:

[root@salt-master ~]# salt "DB" cmd.run 'df -h'
DB:
    Filesystem                    Size  Used Avail Use% Mounted on
    /dev/mapper/VolGroup-lv_root  8.3G  7.7G  254M  97% /
    tmpfs                         939M   12K  939M   1% /dev/shm
    /dev/vda1                     477M   38M  414M   9% /boot
    /dev/vdb1                      50G  6.6G   41G  15% /data
[root@salt-master ~]# salt "*" cmd.run 'df -h'
DB:
    Filesystem                    Size  Used Avail Use% Mounted on
    /dev/mapper/VolGroup-lv_root  8.3G  7.7G  254M  97% /
    tmpfs                         939M   12K  939M   1% /dev/shm
    /dev/vda1                     477M   38M  414M   9% /boot
    /dev/vdb1                      50G  6.6G   41G  15% /data
salt-minion:
    Filesystem                    Size  Used Avail Use% Mounted on
    /dev/mapper/vg_c01-lv_root    8.3G  4.2G  3.8G  53% /
    tmpfs                         498M   12K  498M   1% /dev/shm
    /dev/vda1                     477M   33M  419M   8% /boot

Note that '*' only matches minions whose keys have been accepted on the master. cmd.run executes with the minion's own privileges (root on these hosts), so whoever can run salt on the master controls every accepted minion.

Master/minion authentication

1. When a minion starts for the first time it generates minion.pem (private key) and minion.pub (public key) under /etc/salt/pki/minion/ (the path is set by pki_dir in /etc/salt/minion) and sends minion.pub to the master.
2. When the master receives the minion's public key it is held in /etc/salt/pki/master/minions_pre/ until an operator accepts it with salt-key. Once accepted, the public key is stored in /etc/salt/pki/master/minions/ under the minion id, and the master can then send that minion commands. Rejected keys go to minions_rejected/ and denied keys to minions_denied/ (see below).

Master/minion connectivity (ports and firewall)

The Salt master listens on two ports by default: 4505 (publish_port), over which the master publishes jobs to all minions, and 4506 (ret_port), to which minions connect to fetch files and pillar data and to return job results. Every connected minion holds a subscriber connection on 4505 permanently, so lsof shows it as ESTABLISHED:

[root@salt-master ~]# lsof -i:4505
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 3106 root   12u  IPv4  26824      0t0  TCP *:4505 (LISTEN)
salt-mast 3106 root   14u  IPv4  29676      0t0  TCP salt-master:4505->salt-minion:40948 (ESTABLISHED)
salt-mast 3106 root   15u  IPv4  75603      0t0  TCP salt-master:4505->DB:46810 (ESTABLISHED)

Denied keys

Here is a case where a minion showed up under Denied Keys. test.ping returned two answers for DB, and salt-key -L listed DB under both Accepted and Denied:

[root@salt-master ~]# salt '*' test.ping
salt-minion:
    True
DB:
    True
DB:
    True
[root@salt-master ~]# salt-key -L
Accepted Keys:
DB
salt-minion
Denied Keys:
DB
Unaccepted Keys:
Rejected Keys:

A key lands in Denied when a minion presents the id of an already-accepted minion but with a different public key. The double test.ping answer shows two minion processes using the id DB. That is typically a cloned VM or a host whose /etc/salt/pki was regenerated, but it is exactly what an impostor trying to take over an accepted id looks like, so confirm which host sent the denied key before clearing it. The fix was to remove /etc/salt/pki/master/minions_denied/DB:

[root@salt-master master]# pwd
/etc/salt/pki/master
[root@salt-master master]# tree
.
├── master.pem
├── master.pub
├── minions
│   ├── DB
│   └── salt-minion
├── minions_autosign
├── minions_denied
│   └── DB
├── minions_pre
└── minions_rejected

5 directories, 5 files
[root@salt-master master]# rm minions_denied/DB
rm: remove regular file `minions_denied/DB'? y
[root@salt-master master]# tree
.
├── master.pem
├── master.pub
├── minions
│   ├── DB
│   └── salt-minion
├── minions_autosign
├── minions_denied
├── minions_pre
└── minions_rejected

5 directories, 4 files
[root@salt-master master]# salt-key -L
Accepted Keys:
DB
salt-minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:

SaltStack firewall configuration

(1) On the master, allow inbound TCP 4505 and TCP 4506. Minions need no inbound rules, because it is the minion that opens the connection to the master's ZeroMQ sockets, receives the published job and executes it. The two iptables rules on the master are:

-A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
-A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

Where minions all live in one network, add -s <minion network> to both rules so that only those addresses can reach the ports.

Deployment requirements: the two machines must be able to reach each other over the network; the original guide suggests turning off the firewall and SELinux, but allowing just 4505/4506 from the minion addresses as above is enough for Salt and much safer. These ports are normally bound on an internal network interface, so there is no need to open them on the public-facing firewall.
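Because an id appearing in both Accepted Keys and Denied Keys, or any id waiting in Unaccepted Keys, needs a human decision before jobs are sent with '*', here is an added example (not part of the original post) of a small check that parses the text output of salt-key -L and reports those ids. The sample output embedded below is constructed to mirror the DB situation on this page plus one made-up pending minion (web01); on a real master pipe salt-key -L --no-color into the same functions.

```shell
#!/bin/sh
# Added example: find minion ids in `salt-key -L` output that need attention.
# - Unaccepted: pending keys; verify the fingerprint before `salt-key -a`.
# - Accepted AND Denied: a second host presented a different key under an id
#   the master already trusts (clone, rebuilt minion, or an impostor).
# SAMPLE_KEY_LIST is constructed test data; "web01" is a made-up minion id.

SAMPLE_KEY_LIST='Accepted Keys:
DB
salt-minion
Denied Keys:
DB
Unaccepted Keys:
web01
Rejected Keys:'

# Turn salt-key -L text on stdin into "state<TAB>id" lines.
key_states() {
    awk '
        /^Accepted Keys:/   { state = "accepted";   next }
        /^Denied Keys:/     { state = "denied";     next }
        /^Unaccepted Keys:/ { state = "unaccepted"; next }
        /^Rejected Keys:/   { state = "rejected";   next }
        NF                  { print state "\t" $1 }
    '
}

# Ids in one state (accepted|denied|unaccepted|rejected), one per line.
ids_in_state() {
    key_states | awk -v s="$1" -F '\t' '$1 == s { print $2 }'
}

# Ids that are accepted and also denied, sorted.
conflicting_ids() {
    key_states | awk -F '\t' '
        $1 == "accepted" { acc[$2] = 1 }
        $1 == "denied"   { den[$2] = 1 }
        END { for (id in den) if (id in acc) print id }
    ' | sort
}

# Print what needs attention; return 0 only when the key list is clean, so
# this can gate a deployment script or a cron job.
needs_attention() {
    input=$(cat)
    pending=$(printf '%s\n' "$input" | ids_in_state unaccepted)
    conflicts=$(printf '%s\n' "$input" | conflicting_ids)
    [ -n "$pending" ] && printf 'pending (check fingerprint before salt-key -a):\n%s\n' "$pending"
    [ -n "$conflicts" ] && printf 'accepted AND denied (another host is using this id):\n%s\n' "$conflicts"
    [ -z "$pending" ] && [ -z "$conflicts" ]
}

# Demo on the constructed sample; on a master use: salt-key -L --no-color | needs_attention
printf '%s\n' "$SAMPLE_KEY_LIST" | needs_attention || echo "review the key list before targeting '*'"
```

For a conflict, compare salt-key -f <id> (the accepted key) with the fingerprint reported by each host that claims that id before deciding whether to remove minions_denied/<id>, as on this page, or to delete the accepted key because the original host was rebuilt.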