SaltStack
SaltStack is an infrastructure management tool for heterogeneous platforms that provides remote execution, configuration management and cloud management. It takes only minutes to get running, scales to managing tens of thousands of servers, and is fast: the master and its minions exchange data in seconds.
Add the SaltStack yum repository (pointed at the Aliyun mirror):

```
# CentOS 7
yum install -y https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
# CentOS 6
yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest.el6.noarch.rpm
sed -i "s/repo.saltstack.com/mirrors.aliyun.com\/saltstack/g" /etc/yum.repos.d/salt-latest.repo
yum makecache
```
Install and start the master:

```
[root@salt-master ~]# yum install salt-master -y
[root@salt-master ~]# systemctl enable salt-master
[root@salt-master ~]# systemctl start salt-master
[root@salt-master ~]# rpm -qa|grep salt-master
salt-master-2019.2.0-1.el7.noarch
[root@salt-master ~]# rpm -ql salt-master
/etc/salt/master
/etc/salt/master.d
/etc/salt/pki/master
/usr/bin/salt
/usr/bin/salt-cp
/usr/bin/salt-key
/usr/bin/salt-master
/usr/bin/salt-run
/usr/bin/salt-unity
/usr/lib/systemd/system/salt-master.service
/usr/share/man/man1/salt-cp.1.gz
/usr/share/man/man1/salt-key.1.gz
/usr/share/man/man1/salt-master.1.gz
/usr/share/man/man1/salt-run.1.gz
/usr/share/man/man1/salt-unity.1.gz
/usr/share/man/man1/salt.1.gz
/usr/share/man/man7/salt.7.gz
```
Install the minion and point it at the master (10.0.0.11 here):

```
[root@salt-minion1-c7 ~]# yum install salt-minion -y
[root@salt-minion1-c7 ~]# sed -i 's/#master: salt/master: 10.0.0.11/g' /etc/salt/minion
[root@salt-minion1-c7 ~]# systemctl enable salt-minion
[root@salt-minion1-c7 ~]# systemctl start salt-minion
# If startup fails, check the logs:
/var/log/salt/master
/var/log/salt/minion
```
Starting the minion on CentOS 6:

```
[root@salt-minion4-c6 yum.repos.d]# /etc/init.d/salt-minion start
Starting salt-minion:root:salt-minion4-c6 daemon: OK
[root@salt-minion4-c6 yum.repos.d]# chkconfig salt-minion on
[root@salt-minion4-c6 yum.repos.d]# chkconfig --list|grep salt
salt-minion     0:off   1:off   2:on    3:on    4:on    5:on    6:off
```
Salt encrypts its transport with AES, and before a master and a minion can communicate they must authenticate each other. Each side holds an RSA key pair: the minion's pair identifies the minion to the master, and the master's public key, once stored on the minion, lets the minion verify that it is talking to the right master.
1) On first start, the minion generates minion.pem (private key) and minion.pub (public key) under /etc/salt/pki/minion/ and sends minion.pub to the master.
2) On first start, the master generates master.pem and master.pub under /etc/salt/pki/master/ and receives the minion's public key, which it stores under /etc/salt/pki/master/minions_pre/ named after the minion id.
3) When the master accepts the key with salt-key, the public key moves to /etc/salt/pki/master/minions/<minion id>, and the minion saves a copy of the master's public key as /etc/salt/pki/minion/minion_master.pub.

Two checks worth doing in practice: accepting a key is what grants a host control of (and pillar data for) that minion id, so compare the fingerprint shown by `salt-key -f <minion id>` on the master with `salt-call --local key.finger` run on the minion itself before accepting. In the other direction, the minion trusts whichever master public key it receives first, so pin the master's fingerprint with the `master_finger` option in /etc/salt/minion to make the minion refuse a different master.
Before the key is accepted:

```
# On the minion
[root@salt-minion1-c7 ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── minion_id
├── pki
│   ├── master
│   └── minion
│       ├── minion.pem   # the minion's private key
│       └── minion.pub   # the minion's public key
├── proxy
├── proxy.d
└── roster

# On the master
[root@salt-master ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── pki
│   ├── master
│   │   ├── master.pem
│   │   ├── master.pub
│   │   ├── minions
│   │   ├── minions_autosign
│   │   ├── minions_denied
│   │   ├── minions_pre   # public keys sent by minions, pending acceptance
│   │   │   ├── salt-minion1-c7
│   │   │   ├── salt-minion2-c7
│   │   │   ├── salt-minion3-c7
│   │   │   └── salt-minion4-c6
│   │   └── minions_rejected
│   └── minion
├── proxy
├── proxy.d
└── roster

16 directories, 11 files
[root@salt-master ~]# cat /etc/salt/pki/master/minions_pre/salt-minion1-c7
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWS46MVCSFG/acTB+5t7
q6Y+rCBRwjwg5YmyKhTF1C61U2Uy/ROhQ2kt3fZlx95UzXKDideqR9R7WdK/fQuF
E/UUbDh6afDsMq1YgF33cao1HDhdHiwE7V+em4ihuKsMuZGygn5p5ivgKtbLcD7M
OVPMijdnYVX2hP5A0ClD2Ed0Ipezw+ubs859Ztyw3TwpW4cXv+U4GXCtfkLfzUJM
5l40IFmdvxUiMnjYuHNxrrVpq5cub2fIMhSTSyoZJaqHc3AJqLnUPzXhTRHLuh1r
+ne/bT1iVA3w+XiQC0EM1uwpFo57CRr4dTw6/UAoQWZ0phPEjCFPZSsvWWTWRJNq
4QIDAQAB
-----END PUBLIC KEY-----

# Accept the keys on the master with salt-key
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Rejected Keys:
[root@salt-master ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Proceed? [n/Y] Y
Key for minion salt-minion1-c7 accepted.
Key for minion salt-minion2-c7 accepted.
Key for minion salt-minion3-c7 accepted.
Key for minion salt-minion4-c6 accepted.
```
After the keys are accepted:

```
[root@salt-master ~]# salt-key -L
Accepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Denied Keys:
Unaccepted Keys:
Rejected Keys:

# On the minion
[root@salt-minion1-c7 ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
│   └── _schedule.conf
├── minion_id
├── pki
│   ├── master
│   └── minion
│       ├── minion_master.pub   # the master's public key
│       ├── minion.pem
│       └── minion.pub
├── proxy
├── proxy.d
└── roster

# On the master
[root@salt-master ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── pki
│   ├── master
│   │   ├── master.pem
│   │   ├── master.pub
│   │   ├── minions   # the minion public keys have moved from minions_pre to minions
│   │   │   ├── salt-minion1-c7
│   │   │   ├── salt-minion2-c7
│   │   │   ├── salt-minion3-c7
│   │   │   └── salt-minion4-c6
│   │   ├── minions_autosign
│   │   ├── minions_denied
│   │   ├── minions_pre
│   │   └── minions_rejected
│   └── minion
├── proxy
├── proxy.d
└── roster
```
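Before running `salt-key -a` on a key sitting in minions_pre, an operator can check what the file actually contains. The script below is an added example, not code from the original post or from the Salt project: it parses the PEM public key shown above for salt-minion1-c7 with a minimal DER walker, confirms that it is a 2048-bit RSA key with public exponent 65537 (Salt's defaults), and computes a colon-separated SHA-256 fingerprint. The fingerprint format (SHA-256 over the non-blank PEM lines, hex byte pairs joined with ':') is an assumption about how `salt-key -f` and `salt-call --local key.finger` compute theirs on a 2019.2 install; treat the real tools as authoritative and use this output only as a cross-check.

```python
"""Inspect a Salt minion public key before accepting it with salt-key.

Added example, not part of the original post or of the Salt code base.
Parses the SubjectPublicKeyInfo PEM that a minion drops into
/etc/salt/pki/master/minions_pre/<minion_id>, checks RSA key size and
exponent, and prints a colon-separated SHA-256 fingerprint.
Assumption: the fingerprint format matches `salt-key -f <id>` /
`salt-call --local key.finger`; confirm against the real tools.
"""
import base64
import hashlib
import json
import re
import sys

# The key for salt-minion1-c7 exactly as shown on this page (minions_pre/).
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWS46MVCSFG/acTB+5t7
q6Y+rCBRwjwg5YmyKhTF1C61U2Uy/ROhQ2kt3fZlx95UzXKDideqR9R7WdK/fQuF
E/UUbDh6afDsMq1YgF33cao1HDhdHiwE7V+em4ihuKsMuZGygn5p5ivgKtbLcD7M
OVPMijdnYVX2hP5A0ClD2Ed0Ipezw+ubs859Ztyw3TwpW4cXv+U4GXCtfkLfzUJM
5l40IFmdvxUiMnjYuHNxrrVpq5cub2fIMhSTSyoZJaqHc3AJqLnUPzXhTRHLuh1r
+ne/bT1iVA3w+XiQC0EM1uwpFo57CRr4dTw6/UAoQWZ0phPEjCFPZSsvWWTWRJNq
4QIDAQAB
-----END PUBLIC KEY-----
"""

RSA_ENCRYPTION_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # 1.2.840.113549.1.1.1


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER value")
    return tag, data[pos:pos + length], pos + length


def parse_rsa_public_key(pem):
    """Return (modulus, exponent) from a PEM-encoded SubjectPublicKeyInfo."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM PUBLIC KEY block")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SubjectPublicKeyInfo SEQUENCE malformed")
    tag, algid, pos = _read_tlv(spki, 0)
    if tag != 0x30 or not algid.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or not bitstr or bitstr[0] != 0:
        raise ValueError("BIT STRING malformed")
    tag, rsakey, _ = _read_tlv(bitstr, 1)  # skip the unused-bits octet
    if tag != 0x30:
        raise ValueError("RSAPublicKey SEQUENCE malformed")
    tag, n_bytes, pos = _read_tlv(rsakey, 0)
    if tag != 0x02:
        raise ValueError("modulus missing")
    tag, e_bytes, _ = _read_tlv(rsakey, pos)
    if tag != 0x02:
        raise ValueError("exponent missing")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def salt_fingerprint(pem, sum_type="sha256"):
    """Digest over the non-blank PEM lines, as hex pairs joined with ':'.
    Assumed to match salt-key -f on a sha256 master; verify against the tool."""
    data = b"".join(line.encode() + b"\n" for line in pem.splitlines() if line.strip())
    hexdigest = hashlib.new(sum_type, data).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_minion_key(pem, min_bits=2048):
    """Summarise a pending key so the operator can decide on salt-key -a / -r."""
    n, e = parse_rsa_public_key(pem)
    bits = n.bit_length()
    problems = []
    if bits < min_bits:
        problems.append("modulus is only %d bits" % bits)
    if e != 65537:
        problems.append("unusual public exponent %d" % e)
    return {"bits": bits, "exponent": e,
            "fingerprint": salt_fingerprint(pem), "problems": problems}


if __name__ == "__main__":
    pem_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(json.dumps(check_minion_key(pem_text), indent=2))
```

Run it on the master as `python3 check_key.py /etc/salt/pki/master/minions_pre/salt-minion1-c7` and compare the fingerprint with what `salt-call --local key.finger` prints on the minion itself; a key that fails the structural checks or whose fingerprint does not match belongs in `salt-key -r`, not `salt-key -a`.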
Using salt-key

```
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Rejected Keys:

# Common salt-key options
-L   # list all keys and their state
-A   # accept all pending keys
-D   # delete all keys
-a   # accept the specified key
-d   # delete the specified key (the minion re-submits its key when it reconnects, e.g. after a restart)
-r   # reject the specified key (by default only keys in the unaccepted state; add --include-accepted or --include-denied to reject those too)
-y   # answer yes to the confirmation prompt

# In /etc/salt/master on the master
auto_accept: True   # accept every incoming key automatically; only if every host that can reach the master is trusted

# accept a specific minion's key
salt-key -a salt1-minion.example.com -y
# accept all pending keys
salt-key -A -y
# delete a specific key
salt-key -d salt1-minion.example.com -y
# delete all keys
salt-key -D -y
# reject a specific minion's key, even if it is already accepted
salt-key -r salt-minion4-c6 --include-accepted
```

Note that `auto_accept: True` lets any host able to reach the master's ports register itself as a minion and receive whatever states and pillar data target its minion id, so leave it off outside a closed lab and accept keys after checking their fingerprints with `salt-key -f`.
Original: https://www.cnblogs.com/hujinzhong/p/11436650.html