saltstack 部署

SaltStack支持多种操作系统,如CentOS、RedHat、Debian、Ubuntu、FreeBSD、Solaris、Fedora、SuSe、Gentoo、MAC OS X、Archlinux等,

以及Windows(仅支持Minion)。

环境:centos6

server:192.168.0.74 

client :192.168.0.78

清空iptables规则,并临时关闭selinux

[root@salt-server-192 salt]# iptables -F
[root@salt-server-192 salt]# setenforce 0

server 和 client 都先安装这个 yum 仓库

一、准备安装saltstack

yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el6.noarch.rpm   (centos6 用的)
yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm   (centos7 用的)
server : yum install salt-master -y ; yum install salt-minion -y
client : yum install salt-minion -y

安装tree

yum install tree -y

启动salt-master

centos7

systemctl start salt-master

 centos6

service salt-master start

salt 配置文件: master 是 master 端配置, minion 是 minion 端配置

[root@localhost ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── pki
│   ├── master
│   └── minion
├── proxy
├── proxy.d
└── roster

修改服务器hostname

[root@localhost salt]# cat /etc/hostname 
salt-server-192.168.0.74
[root@localhost salt]# hostname salt-server-192.168.0.74

[root@salt-server-192 ~]#

二.Salt Minion配置

[root@localhost salt]# vim /etc/salt/minion

:set nu 

:16 
 16 #master: salt  //默认salt 这里可以是ip地址 或者服务器主机名

//去掉注释,并填写master的地址(注意冒号后要有空格,否则不是合法的YAML键值)
master: 192.168.0.74

:103
103 #id:   //  (客户端的id。默认不设置会取客户端服务器的主机名)

如果不修改id 默认拿服务器hostname做minion-id

启动salt-minion

centos7

[root@salt-server-192 ~]# systemctl start salt-minion

 centos6

[root@salt-server-192 ~]# service  salt-minion start

启动minion后会多出一个minion_id文件。不建议改这个id; 如果一定要改,先把这个minion_id文件删掉,改好配置后重启,会重新生成一个新的minion_id。

[root@salt-server-192 salt]# ll
total 128
-rw-r-----. 1 root root  2624 Oct  5 00:02 cloud
drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.conf.d
drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.deploy.d
drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.maps.d
drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.profiles.d
drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.providers.d
-rw-r-----. 1 root root 49323 Oct  5 00:02 master
drwxr-xr-x. 2 root root     6 Oct  5 06:29 master.d
-rw-r-----. 1 root root 35312 Nov 17 23:56 minion
drwxr-xr-x. 2 root root     6 Oct  5 06:29 minion.d
-rw-r--r--. 1 root root    24 Nov 18 00:01 minion_id
drwxr-xr-x. 4 root root    32 Nov 14 23:10 pki
-rw-r-----. 1 root root 28002 Oct  5 00:02 proxy
drwxr-xr-x. 2 root root     6 Oct  5 06:29 proxy.d
-rw-r-----. 1 root root   344 Oct  5 00:02 roster



[root@salt-server-192 salt]# cat minion_id 
salt-server-192.168.0.74

在192.168.0.78 修改minion配置,并启动minion

vim /etc/salt/minion

16 master: 192.168.0.74

三.SaltStack认证

Salt的数据传输是通过AES加密的,Master和Minion之间在通信之前,需要进行认证。通过认证的方式保证安全性,完成一次认证后,Master就可以自由地控制Minion来完成各项工作了。

  • 1.minion在第一次启动时,会在/etc/salt/pki/minion/ 下自动生成minion.pem(私钥)和minion.pub(公钥),然后将minion.pub发送给master.
  • 2.master在第一次启动时,会在/etc/salt/pki/master下自动生成master.pem(私钥)和master.pub(公钥).在接收到minion的public key后,通过salt-key命令accept minion public key,这样在master的/etc/salt/pki/master/minions下将会存放以minion id命名的public key;客户端也会保存一份master的public key,位于/etc/salt/pki/minion/minion_master.pub
  • 3.通过以上两个步骤的验证,master就能对minion发送指令 

 Master端Key认证

[root@salt-server-192 salt]# tree
.
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── minion_id
├── pki
│   ├── master
│   │   ├── master.pem
│   │   ├── master.pub
│   │   ├── minions
│   │   ├── minions_autosign
│   │   ├── minions_denied
│   │   ├── minions_pre
│   │   │   ├── salt-minion-192.168.0.78
│   │   │   └── salt-server-192.168.0.74
│   │   └── minions_rejected
│   └── minion
│       ├── minion.pem
│       └── minion.pub
├── proxy
├── proxy.d
└── roster

salt-key常用命令:

-a ACCEPT, --accept=ACCEPT Accept the following key
-A, --accept-all    Accept all pending keys
-r REJECT, --reject=REJECT Reject the specified public key
-R, --reject-all    Reject all pending keys
-d DELETE, --delete=DELETE Delete the named key
-D, --delete-all    Delete all keys

-L, --list-all    列出所有key(Accepted/Denied/Unaccepted/Rejected)

显示所有key

[root@salt-server-192 salt]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion-192.168.0.78
salt-server-192.168.0.74
Rejected Keys:

接受指定的key: -a 后接key的名字

[root@salt-server-192 salt]# salt-key -a salt-server-192.168.0.74
[root@salt-server-192 salt]# salt-key 
Accepted Keys:
salt-server-192.168.0.74
Denied Keys:
Unaccepted Keys:
salt-minion-192.168.0.78
Rejected Keys:

//也可以用通配符(加引号,避免被shell先展开成当前目录下的文件名)
[root@salt-server-192 salt]# salt-key -a 'salt-server*'

-A 接受所有待处理(Unaccepted)的key; 这会接受任何能连到master的minion,接受前应先核对列表确认都是自己的主机

[root@salt-server-192 salt]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
salt-minion-192.168.0.78
Proceed? [n/Y] Y
Key for minion salt-minion-192.168.0.78 accepted.

[root@salt-server-192 salt]# salt-key
Accepted Keys:
salt-minion-192.168.0.78
salt-server-192.168.0.74
Denied Keys:
Unaccepted Keys:
Rejected Keys:

 接受之后,公钥从minions_pre目录移动到minions目录下

[root@salt-server-192 salt]# tree
.
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
│   └── _schedule.conf
├── minion_id
├── pki
│   ├── master
│   │   ├── master.pem
│   │   ├── master.pub
│   │   ├── minions
│   │   │   ├── salt-minion-192.168.0.78
│   │   │   └── salt-server-192.168.0.74
│   │   ├── minions_autosign
│   │   ├── minions_denied
│   │   ├── minions_pre
│   │   └── minions_rejected
│   └── minion
│       ├── minion_master.pub
│       ├── minion.pem
│       └── minion.pub
├── proxy
├── proxy.d
└── roster

192.168.0.78上

[root@salt-minion-192 salt]# tree
.
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
│   └── _schedule.conf
├── minion_id
├── pki
│   ├── master
│   └── minion
│       ├── minion_master.pub
│       ├── minion.pem
│       └── minion.pub
├── proxy
├── proxy.d
└── roster


转载自www.cnblogs.com/mingerlcm/p/7854179.html