
SaltStack Study Notes (Part 1)

Date: 2019-08-30 20:41:18

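1. SaltStack overview

SaltStack is an infrastructure management tool for heterogeneous platforms that provides remote execution, configuration management and cloud management. It can be up and running in a few minutes, scales well enough to manage tens of thousands of servers, and is fast: servers communicate within seconds, so data transfer completes in a few seconds.

1.1 The three main functions of SaltStack

  • Remote execution
  • Configuration management (states)
  • Cloud management

1.2 The four ways to run SaltStack

  • local: run locally
  • master/minion mode
  • Syndic: distributed
  • Salt SSH

1.3 SaltStack learning resources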

2. Installing SaltStack

2.1 Configure the yum repository

# CentOS 7
yum install -y https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
# CentOS 6
yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest.el6.noarch.rpm
sed -i "s/repo.saltstack.com/mirrors.aliyun.com\/saltstack/g" /etc/yum.repos.d/salt-latest.repo
yum makecache

2.2 Install the master and start the service

[root@salt-master ~]# yum install salt-master -y
[root@salt-master ~]# systemctl enable salt-master
[root@salt-master ~]# systemctl start salt-master
[root@salt-master ~]# rpm -qa|grep salt-master
salt-master-2019.2.0-1.el7.noarch
[root@salt-master ~]# rpm -ql salt-master
/etc/salt/master
/etc/salt/master.d
/etc/salt/pki/master
/usr/bin/salt
/usr/bin/salt-cp
/usr/bin/salt-key
/usr/bin/salt-master
/usr/bin/salt-run
/usr/bin/salt-unity
/usr/lib/systemd/system/salt-master.service
/usr/share/man/man1/salt-cp.1.gz
/usr/share/man/man1/salt-key.1.gz
/usr/share/man/man1/salt-master.1.gz
/usr/share/man/man1/salt-run.1.gz
/usr/share/man/man1/salt-unity.1.gz
/usr/share/man/man1/salt.1.gz
/usr/share/man/man7/salt.7.gz

2.3 Install the minion and point it at the master's network address (hostname or IP address)

[root@salt-minion1-c7 ~]# yum install salt-minion -y
[root@salt-minion1-c7 ~]# sed -i 's/#master: salt/master: 10.0.0.11/g' /etc/salt/minion
[root@salt-minion1-c7 ~]# systemctl enable salt-minion
[root@salt-minion1-c7 ~]# systemctl start salt-minion

# If startup fails, check the logs
/var/log/salt/master
/var/log/salt/minion

Starting the minion on CentOS 6:

[root@salt-minion4-c6 yum.repos.d]# /etc/init.d/salt-minion start
Starting salt-minion:root:salt-minion4-c6 daemon: OK
[root@salt-minion4-c6 yum.repos.d]# chkconfig salt-minion on
[root@salt-minion4-c6 yum.repos.d]# chkconfig --list|grep salt
salt-minion    	0:off	1:off	2:on	3:on	4:on	5:on	6:off

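2.4 SaltStack authentication

Salt encrypts its data transfer with AES, and the master and a minion must authenticate before they communicate.

1) On its first start, the minion automatically generates minion.pem (private key) and minion.pub (public key) under /etc/salt/pki/minion/, then sends minion.pub to the master.

2) On its first start, the master automatically generates master.pem and master.pub under /etc/salt/pki/master, and receives the minion's public key.

3) When the master accepts a minion's public key with the salt-key command, the public key is stored under the master's /etc/salt/pki/master/minions directory in a file named after the minion id. The minion in turn keeps a copy of the master's public key at /etc/salt/pki/minion/minion_master.pub.

# View on the minion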
[root@salt-minion1-c7 ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── minion_id
├── pki
│   ├── master
│   └── minion
│       ├── minion.pem   # the minion's private key
│       └── minion.pub   # the minion's public key
├── proxy
├── proxy.d
└── roster

# View on the master
[root@salt-master ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── pki
│   ├── master
│   │   ├── master.pem
│   │   ├── master.pub
│   │   ├── minions
│   │   ├── minions_autosign
│   │   ├── minions_denied
│   │   ├── minions_pre    # public keys sent over by the minions
│   │   │   ├── salt-minion1-c7
│   │   │   ├── salt-minion2-c7
│   │   │   ├── salt-minion3-c7
│   │   │   └── salt-minion4-c6
│   │   └── minions_rejected
│   └── minion
├── proxy
├── proxy.d
└── roster

16 directories, 11 files
[root@salt-master ~]# cat /etc/salt/pki/master/minions_pre/salt-minion1-c7 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWS46MVCSFG/acTB+5t7
q6Y+rCBRwjwg5YmyKhTF1C61U2Uy/ROhQ2kt3fZlx95UzXKDideqR9R7WdK/fQuF
E/UUbDh6afDsMq1YgF33cao1HDhdHiwE7V+em4ihuKsMuZGygn5p5ivgKtbLcD7M
OVPMijdnYVX2hP5A0ClD2Ed0Ipezw+ubs859Ztyw3TwpW4cXv+U4GXCtfkLfzUJM
5l40IFmdvxUiMnjYuHNxrrVpq5cub2fIMhSTSyoZJaqHc3AJqLnUPzXhTRHLuh1r
+ne/bT1iVA3w+XiQC0EM1uwpFo57CRr4dTw6/UAoQWZ0phPEjCFPZSsvWWTWRJNq
4QIDAQAB
-----END PUBLIC KEY-----

# Accept the minion keys on the master with salt-key
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Rejected Keys:
[root@salt-master ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Proceed? [n/Y] Y
Key for minion salt-minion1-c7 accepted.
Key for minion salt-minion2-c7 accepted.
Key for minion salt-minion3-c7 accepted.
Key for minion salt-minion4-c6 accepted.
[root@salt-master ~]# salt-key -L
Accepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Denied Keys:
Unaccepted Keys:
Rejected Keys:

# View on the minion
[root@salt-minion1-c7 ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
│   └── _schedule.conf
├── minion_id
├── pki
│   ├── master
│   └── minion
│       ├── minion_master.pub   # the master's public key
│       ├── minion.pem
│       └── minion.pub
├── proxy
├── proxy.d
└── roster

# View on the master
[root@salt-master ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── pki
│   ├── master
│   │   ├── master.pem
│   │   ├── master.pub
│   │   ├── minions   # the minions' public keys have moved from minions_pre to minions
│   │   │   ├── salt-minion1-c7
│   │   │   ├── salt-minion2-c7
│   │   │   ├── salt-minion3-c7
│   │   │   └── salt-minion4-c6
│   │   ├── minions_autosign
│   │   ├── minions_denied
│   │   ├── minions_pre
│   │   └── minions_rejected
│   └── minion
├── proxy
├── proxy.d
└── roster

Using the salt-key command

[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Rejected Keys:

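# Common salt-key options
-L  # list key status
-A  # accept all keys
-D  # delete all keys
-a  # accept the specified key
-d  # delete the specified key (the minion can be restarted to authenticate again)
-r  # reject the specified key (a key in the unaccepted state); takes the options --include-accepted, --include-denied

# Set in /etc/salt/master on the master
auto_accept: True   # if the minions are trusted, the master can be configured to accept their requests automatically

# Accept the key of a specified minion
salt-key  -a salt1-minion.example.com -y
# Accept the keys of all minions
salt-key  -A  -y
# Delete the specified key
salt-key -d salt1-minion.example.com -y
# Delete all keys
salt-key -D -y
# Reject the key of a specified minion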
salt-key -r salt-minion4-c6 --include-accepted
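
Added example (not part of the original post): salt-key -A -y and auto_accept: True accept whatever key is waiting in minions_pre, so this sketch compares each pending key with a digest recorded out of band and lists only the matching minion ids for salt-key -a. The inventory, the digest scheme (this example's own, not the fingerprint format salt-key prints) and the sample keys are assumptions constructed for the example.

```python
import base64
import hashlib
import tempfile
from pathlib import Path

def pubkey_digest(pem_text):
    """SHA-256 of the decoded key body; this example's own digest, not salt-key's format."""
    lines = (line.strip() for line in pem_text.splitlines())
    body = "".join(s for s in lines if s and not s.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def triage_pending(pki_master, inventory):
    """Split keys waiting in minions_pre into (accept, hold).
    inventory: minion id -> digest recorded out of band at provisioning time."""
    accept, hold = [], []
    for key_file in sorted((Path(pki_master) / "minions_pre").iterdir()):
        expected = inventory.get(key_file.name)
        try:
            actual = pubkey_digest(key_file.read_text())
        except ValueError:  # undecodable file: never accept
            actual = None
        if expected is not None and actual == expected:
            accept.append(key_file.name)
        else:
            hold.append(key_file.name)  # unknown id or substituted key
    return accept, hold

def sample_pem(raw):
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def demo():
    # Constructed sample data: PEM-wrapped placeholder bytes, not real RSA keys.
    with tempfile.TemporaryDirectory() as root:
        pre = Path(root) / "minions_pre"
        pre.mkdir()
        (pre / "salt-minion1-c7").write_text(sample_pem(b"constructed-key-1"))
        (pre / "salt-minion2-c7").write_text(sample_pem(b"constructed-key-swapped"))
        (pre / "unknown-host").write_text(sample_pem(b"constructed-key-3"))
        inventory = {
            "salt-minion1-c7": hashlib.sha256(b"constructed-key-1").hexdigest(),
            "salt-minion2-c7": hashlib.sha256(b"constructed-key-2").hexdigest(),
        }
        return triage_pending(root, inventory)

if __name__ == "__main__":
    accept, hold = demo()
    print("\n".join(f"salt-key -a {m} -y" for m in accept))
    print("hold for manual review:", hold)
```

On a real master, pki_master would be /etc/salt/pki/master, and the inventory digests would be computed the same way from each minion's /etc/salt/pki/minion/minion.pub when the host is provisioned.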


Original: https://www.cnblogs.com/hujinzhong/p/11436650.html
