192.168.1.65 super65.cn master
192.168.1.66 super66.cn minion
saltstack使用SSL签证的方式进行安全认证。
minion上线后先与master端联系,把自己的pub key发过去,这时master端通过salt-key -L命令就会看到minion的key,接受该minion-key后,也就是master与minion已经互信
master端:
查看证书签证情况:
[root@super65 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
super66
Rejected Keys:
签证所有没有接受的证书:
[root@super65 ~]# salt-key -A -y
The following keys are going to be accepted:
Unaccepted Keys:
super66
Key for minion super66 accepted.
查看签证后的情况:
[root@super65 ~]# salt-key -L
Accepted Keys:
super66
Denied Keys:
Unaccepted Keys:
Rejected Keys:
salt-key的更多参数使用-h查看:
其中:
-a 可以指定只签证某些机器 (支持正则匹配)
检查通信是否正常:
[root@super65 ~]# salt 'super66' test.ping
super66:
True
master端:
查看证书相关的文件:
[root@super65 master]# pwd
/etc/salt/pki/master
[root@super65 master]# ll
total 28
-r-------- 1 root root 1675 Sep 17 09:19 master.pem (自己的公钥)
-rw-r--r-- 1 root root 451 Sep 17 09:19 master.pub (自己的私钥)
drwxr-xr-x 2 root root 4096 Sep 17 09:32 minions (已经认证的key)
drwxr-xr-x 2 root root 4096 Sep 17 09:19 minions_autosign
drwxr-xr-x 2 root root 4096 Sep 17 09:19 minions_denied
drwxr-xr-x 2 root root 4096 Sep 17 09:32 minions_pre (没有认证的key)
drwxr-xr-x 2 root root 4096 Sep 17 09:19 minions_rejected
minion端:
查看证书相关文件:
minion第一次启动的时候会在/etc/salt/pki/minion下生成秘钥文件
[root@super66 minion]# pwd
/etc/salt/pki/minion
[root@super66 minion]# ll
total 12
-rw-r--r-- 1 root root 451 Sep 17 09:32 minion_master.pub (认证后master把公钥发到这里)
-r-------- 1 root root 1679 Sep 17 09:17 minion.pem (自己的公钥)
-rw-r--r-- 1 root root 451 Sep 17 09:17 minion.pub (自己的私钥)
minion和master端保持长连接:
[root@super66 ~]# lsof -i :4505
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
salt-mini 5124 root 24u IPv4 30622 0t0 TCP super66.cn:39243->super65.cn:4505 (ESTABLISHED)