SaltStack installation and basic commands

Author: 爱被打了一巴掌, 2022-06-14 05:52

# Installation #

### 1. Preparation ###

Edit the hosts file:

```
vim /etc/hosts
192.168.3.201 salt.wolf.com
192.168.3.49  slave01.wolf.com slave01
192.168.3.52  slave02.wolf.com slave02
```

Then set the hostname on each machine.

### 2. Install ###

Server side:

```
yum install -y epel-release
yum install -y salt-master salt-minion
```

Client side:

```
yum install -y epel-release
yum install -y salt-minion
```

### 3. Edit the configuration file ###

On the client:

```
# vim /etc/salt/minion
# add this at line 16; there is one space after the colon
master: <server ip>
```

### 4. Start ###

Start the services:

```
/etc/init.d/salt-master start
/etc/init.d/salt-minion start
```

```
[root@node1 ~]# /etc/init.d/salt-master start
Starting salt-master daemon:                               [  OK  ]
[root@node1 ~]# /etc/init.d/salt-minion start
Starting salt-minion daemon:                               [  OK  ]
```

a) SaltStack is written in Python; the server side listens on two ports, 4505 and 4506.

b) Once salt-master is running it listens on 4505 and 4506 by default. 4505 (publish_port) is SaltStack's message publishing channel; 4506 (ret_port) is the port the minions use to talk back to the master.

c) If you inspect port 4505 with lsof, you will see that every minion keeps a connection in ESTABLISHED state on port 4505.

```
[root@salt master]# lsof -i :4505
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 8580 root   12u  IPv4  42596      0t0  TCP *:4505 (LISTEN)
salt-mast 8580 root   14u  IPv4  44141      0t0  TCP salt.wolf.com:4505->slave01.wolf.com:57918 (ESTABLISHED)
salt-mast 8580 root   15u  IPv4  44253      0t0  TCP salt.wolf.com:4505->salt.wolf.com:56966 (ESTABLISHED)
salt-mast 8580 root   16u  IPv4  44331      0t0  TCP salt.wolf.com:4505->slave02.wolf.com:50854 (ESTABLISHED)
salt-mini 9006 root   24u  IPv4  44252      0t0  TCP salt.wolf.com:56966->salt.wolf.com:4505 (ESTABLISHED)
```

Files installed by the salt-master package:

```
[root@master ~]# rpm -ql salt-master
/etc/rc.d/init.d/salt-master   # salt-master service start script
/etc/salt/master               # salt master configuration file
/usr/bin/salt                  # core salt master command
/usr/bin/salt-cp               # salt file transfer command
/usr/bin/salt-key              # salt key management command
/usr/bin/salt-master           # salt master service command
/usr/bin/salt-run              # salt master runner command
/usr/bin/salt-unity
/usr/share/man/man1/salt-cp.1.gz
/usr/share/man/man1/salt-key.1.gz
/usr/share/man/man1/salt-master.1.gz
/usr/share/man/man1/salt-run.1.gz
/usr/share/man/man1/salt-unity.1.gz
/usr/share/man/man7/salt.7.gz
```

Layout of /etc/salt:

```
[root@salt salt]# tree
.
├── master
├── minion
├── minion.d
│   └── _schedule.conf
├── minion_id
└── pki
    ├── master
    │   ├── master.pem
    │   ├── master.pub
    │   ├── minions
    │   │   ├── salt.wolf.com
    │   │   ├── slave01.wolf.com
    │   │   └── slave02.wolf.com
    │   ├── minions_autosign
    │   ├── minions_denied
    │   ├── minions_pre
    │   └── minions_rejected
    └── minion
        ├── minion_master.pub
        ├── minion.pem
        └── minion.pub

9 directories, 12 files
```

### 5. Log configuration ###

Changes made on the master take effect directly. The default log location is /var/log/salt/:

```
[root@salt ~]# cd /var/log/salt/
[root@salt salt]# ls
master  minion
[root@salt salt]# cat master
[root@salt salt]# cat minion
```

The logging section of the default main configuration file looks like this:

```
##############################################
# The location of the master log file
# The master log can be sent to a regular file, local path name, or network
# location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
# ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
# format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility>
#log_file: /var/log/salt/master
#log_file: file:///dev/log
#log_file: udp://loghost:10514

#log_file: /var/log/salt/master
#key_logfile: /var/log/salt/key

# The level of messages to send to the console.
# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
#
# The following log levels are considered INSECURE and may log sensitive data:
# ['garbage', 'trace', 'debug']
#
# log_level: debug
```

Switch it to debug mode (`log_level: debug`), then restart and watch the startup sequence. Note the first line the master writes: the config file itself warns that debug and below may log sensitive data, so revert to a normal level once you are done troubleshooting.

```
/etc/init.d/salt-master restart
[root@salt ~]# tail -f /var/log/salt/master
2017-06-12 06:19:42,826 [salt.utils.verify ][WARNING ][27356] Insecure logging configuration detected! Sensitive data may be logged.
2017-06-12 06:19:42,826 [salt.cli.daemons ][INFO    ][27356] Setting up the Salt Master
2017-06-12 06:19:43,376 [salt.crypt        ][DEBUG   ][27356] Loaded master key: /etc/salt/pki/master/master.pem
2017-06-12 06:19:43,383 [salt.daemons.masterapi ][INFO    ][27356] Preparing the root key for local communication
2017-06-12 06:19:43,384 [salt.daemons.masterapi ][DEBUG   ][27356] Removing stale keyfile: /var/cache/salt/master/.root_key
2017-06-12 06:19:43,397 [salt.utils.process ][DEBUG   ][27364] Created pidfile: /var/run/salt-master.pid
2017-06-12 06:19:43,398 [salt.cli.daemons ][INFO    ][27364] The salt master is starting up
2017-06-12 06:19:43,407 [salt.utils.lazy   ][DEBUG   ][27364] LazyLoaded roots.envs
2017-06-12 06:19:43,424 [salt.utils.lazy   ][DEBUG   ][27364] Could not LazyLoad roots.init
2017-06-12 06:19:43,429 [salt.master       ][INFO    ][27364] salt-master is starting as user 'root'
2017-06-12 06:19:43,429 [salt.master       ][INFO    ][27364] Current values for max open files soft/hard setting: 1024/4096
2017-06-12 06:19:43,429 [salt.master       ][INFO    ][27364] The value for the 'max_open_files' setting, 100000, is higher than what the user running salt is allowed to raise to, 4096. Defaulting to 4096.
2017-06-12 06:19:43,429 [salt.master       ][INFO    ][27364] Raising max open files value to 4096
2017-06-12 06:19:43,429 [salt.master       ][INFO    ][27364] New values for max open files soft/hard
```

# 6. Command walkthrough #

### 1. salt-key ###

`salt-key --help`:

```
[root@salt salt]# salt-key --help
Usage: salt-key [options]

Salt key is used to manage Salt authentication keys

Options:
  --version             show program's version number and exit
  --versions-report     show program's dependencies version number and exit
  -h, --help            show this help message and exit
  --saltfile=SALTFILE   Specify the path to a Saltfile. If not passed, one will
                        be searched for in the current working directory
  -c CONFIG_DIR, --config-dir=CONFIG_DIR
                        Pass in an alternative configuration directory.
                        Default: /etc/salt
  -u USER, --user=USER  Specify user to run salt-key
  --hard-crash          Raise any original exception rather than exiting
                        gracefully Default: False
  -q, --quiet           Suppress output
  -y, --yes             Answer Yes to all questions presented, defaults to
                        False
  --rotate-aes-key=ROTATE_AES_KEY
                        Setting this to False prevents the master from
                        refreshing the key session when keys are deleted or
                        rejected, this lowers the security of the key
                        deletion/rejection operation. Default is True.

  Logging Options:
    Logging options which override any settings defined on the
    configuration files.

    --log-file=LOG_FILE
                        Log file path. Default: /var/log/salt/key.
    --log-file-level=LOG_LEVEL_LOGFILE
                        Logfile logging log level. One of 'all', 'garbage',
                        'trace', 'debug', 'info', 'warning', 'error',
                        'critical', 'quiet'. Default: 'warning'.

  Output Options:
    Configure your preferred output format

    --out=OUTPUT, --output=OUTPUT
                        Print the output from the 'salt-key' command using the
                        specified outputter. The builtins are 'key', 'yaml',
                        'overstatestage', 'newline_values_only', 'txt', 'raw',
                        'no_return', 'virt_query', 'compact', 'json',
                        'highstate', 'nested', 'quiet', 'pprint'.
    --out-indent=OUTPUT_INDENT, --output-indent=OUTPUT_INDENT
                        Print the output indented by the provided value in
                        spaces. Negative values disables indentation. Only
                        applicable in outputters that support indentation.
    --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Write the output to the specified file
    --out-file-append, --output-file-append
                        Append the output to the specified file
    --no-color, --no-colour
                        Disable all colored output
    --force-color, --force-colour
                        Force colored output
    --state-output=STATE_OUTPUT, --state_output=STATE_OUTPUT
                        Override the configured state_output value for minion
                        output. One of full, terse, mixed, changes or filter.
                        Default: full.

  Actions:
    -l ARG, --list=ARG  List the public keys. The args "pre", "un", and
                        "unaccepted" will list unaccepted/unsigned keys. "acc"
                        or "accepted" will list accepted/signed keys. "rej" or
                        "rejected" will list rejected keys. "den" or "denied"
                        will list denied keys. Finally, "all" will list all
                        keys.
    -L, --list-all      List all public keys. (Deprecated: use "--list all")
    -a ACCEPT, --accept=ACCEPT
                        Accept the specified public key (use --include-all to
                        match rejected keys in addition to pending keys).
                        Globs are supported.
    -A, --accept-all    Accept all pending keys
    -r REJECT, --reject=REJECT
                        Reject the specified public key (use --include-all to
                        match accepted keys in addition to pending keys).
                        Globs are supported.
    -R, --reject-all    Reject all pending keys
    --include-all       Include non-pending keys when accepting/rejecting
    -p PRINT, --print=PRINT
                        Print the specified public key
    -P, --print-all     Print all public keys
    -d DELETE, --delete=DELETE
                        Delete the specified key. Globs are supported.
    -D, --delete-all    Delete all keys
    -f FINGER, --finger=FINGER
                        Print the specified key's fingerprint
    -F, --finger-all    Print all keys' fingerprints

  Key Generation Options:
    --gen-keys=GEN_KEYS
                        Set a name to generate a keypair for use with salt
    --gen-keys-dir=GEN_KEYS_DIR
                        Set the directory to save the generated keypair, only
                        works with "gen_keys_dir" option; default=.
    --keysize=KEYSIZE   Set the keysize for the generated key, only works with
                        the "--gen-keys" option, the key size must be 2048 or
                        higher, otherwise it will be rounded up to 2048; ;
                        default=2048
    --gen-signature     Create a signature file of the masters public-key
                        named master_pubkey_signature. The signature can be
                        send to a minion in the masters auth-reply and enables
                        the minion to verify the masters public-key
                        cryptographically. This requires a new signing-key-
                        pair which can be auto-created with the --auto-create
                        parameter
    --priv=PRIV         The private-key file to create a signature with
    --signature-path=SIGNATURE_PATH
                        The path where the signature file should be written
    --pub=PUB           The public-key file to create a signature for
    --auto-create       Auto-create a signing key-pair if it does not yet
                        exist

You can find additional help about salt-key issuing "man salt-key" or on
http://docs.saltstack.org
```

The options used most often:

- `-L`: list all key requests
- `-a`: accept one client
- `-A`: accept all pending clients
- `-r`: reject one
- `-R`: reject all
- `-d`: delete one
- `-D`: delete all
- `-y`: answer yes to every prompt

```
[root@salt ~]# salt-key -a nginx
The following keys are going to be accepted:
Unaccepted Keys:
nginx
Proceed? [n/Y] y
Key for minion nginx accepted.
[root@salt ~]# salt-key -A nginx -y
The following keys are going to be accepted:
Unaccepted Keys:
node1
slave02.wolf.com
Key for minion node1 accepted.
Key for minion slave02.wolf.com accepted.
```

### 2. Ping all minions ###

```
[root@salt ~]# salt '*' test.ping
nginx:
    True
node1:
    True
slave02.wolf.com:
    True
```

### 3. Joined hosts ###

```
[root@salt ~]# salt-key
Accepted Keys:
nginx
node1
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@salt ~]#
[root@salt ~]# salt-key -L
Accepted Keys:
nginx
node1
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
```

### 4. Practical exercise: changing a hostname ###

When a machine handed over by another project has to be renamed and brought under Salt management:

a. Change the hostname first.

b. Then empty the minion_id file and restart the minion:

```
[root@slave01 salt]# ls
minion  minion.d  minion_id  pki
[root@slave01 salt]# cat minion_id
nginx[root@slave01 salt]# >minion_id
[root@slave01 salt]# /etc/init.d/salt-minion restart
Stopping salt-minion daemon:                               [  OK  ]
Starting salt-minion daemon:                               [  OK  ]
[root@slave01 salt]#
```

c. Check on the server side:

```
[root@salt ~]# salt-key -L
Accepted Keys:
nginx
node1
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
slave01.wolf.com
Rejected Keys:
[root@salt ~]#
```

Delete the old entries on the server first, then deal with the client:

```
[root@salt salt]# salt-key
Accepted Keys:
nginx
node1
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
slave01.wolf.com
Rejected Keys:
[root@salt salt]# salt-key -d node1
The following keys are going to be deleted:
Accepted Keys:
node1
Proceed? [N/y] y
Key for minion node1 deleted.
[root@salt salt]# salt-key -d nginx
The following keys are going to be deleted:
Accepted Keys:
nginx
Proceed? [N/y] y
Key for minion nginx deleted.
```

Restart again and check that everything looks normal:

```
[root@salt salt]# /etc/init.d/salt-master restart
[root@salt salt]# /etc/init.d/salt-minion restart
[root@salt salt]# salt-key
Accepted Keys:
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
salt.wolf.com
slave01.wolf.com
Rejected Keys:
```

Re-join the hosts:

```
[root@salt salt]# salt-key
Accepted Keys:
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
salt.wolf.com
slave01.wolf.com
Rejected Keys:
[root@salt salt]# salt-key -A nginx -y
The following keys are going to be accepted:
Unaccepted Keys:
salt.wolf.com
slave01.wolf.com
Key for minion node1 accepted.
Key for minion salt.wolf.com accepted.
Key for minion slave01.wolf.com accepted.
[root@salt salt]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@salt salt]# salt '*' test.ping
slave01.wolf.com:
    True
salt.wolf.com:
    True
slave02.wolf.com:
    True
```

### 5. Complete removal ###

Note that this is done on the host that runs both the master and a minion, so `rm -rf pki/` under /etc/salt removes the master's own key store as well as the minion's; that is why the listing is empty afterwards and all three minions show up as unaccepted again once the daemons are restarted.

```
[root@salt salt]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@salt salt]# pwd
/etc/salt
[root@salt salt]# ls
master  minion  minion.d  minion_id  pki
[root@salt salt]# rm -rf minion_id pki/
[root@salt salt]# /etc/init.d/sa
salt-master  salt-minion  sandbox      saslauthd
[root@salt salt]# /etc/init.d/salt-minion restart
Stopping salt-minion daemon:                               [  OK  ]
Starting salt-minion daemon:                               [  OK  ]
[root@salt salt]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@salt salt]# /etc/init.d/salt-master restart
[root@salt salt]# /etc/init.d/salt-minion restart
Stopping salt-minion daemon:                               [FAILED]
Starting salt-minion daemon:                               [  OK  ]
[root@salt salt]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Rejected Keys:
[root@salt salt]# salt-key -A salt.wolf.com -y
The following keys are going to be accepted:
Unaccepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Key for minion salt.wolf.com accepted.
Key for minion slave01.wolf.com accepted.
Key for minion slave02.wolf.com accepted.
```

### 6. Summary: re-joining an old host ###

a. On the client, clear /etc/salt/minion_id.

b. Delete the directory /etc/salt/pki and restart the client. On the master, remove the old entry with `salt-key -d <hostname> -y`.

c. Cached keys: the cache lives under /etc/salt/pki/, which contains several directories:

```
[root@salt master]# ls
master.pem  master.pub  minions  minions_autosign  minions_denied  minions_pre  minions_rejected
[root@salt salt]# cd pki
[root@salt pki]# ls
master  minion
[root@salt pki]# cd master/
[root@salt master]# ls
master.pem  master.pub  minions  minions_autosign  minions_denied  minions_pre  minions_rejected
[root@salt master]# tree
.
├── master.pem
├── master.pub
├── minions              # accepted keys
│   ├── salt.wolf.com
│   ├── slave01.wolf.com
│   └── slave02.wolf.com
├── minions_autosign
├── minions_denied       # denied host keys
├── minions_pre          # not yet accepted
└── minions_rejected

5 directories, 5 files
```

The accepted keys:

```
[root@salt master]# cd minions
[root@salt minions]# ls
salt.wolf.com  slave01.wolf.com  slave02.wolf.com
```

To work out what each directory does, experiment by hand: copy one accepted key file into each of the other directories and see how the `salt-key` listing changes.

```
[root@salt master]# ls
master.pem  master.pub  minions  minions_autosign  minions_denied  minions_pre  minions_rejected
[root@salt master]# ll minions
total 12
-rw-r--r-- 1 root root 451 Jun 12 07:52 salt.wolf.com
-rw-r--r-- 1 root root 451 Jun 12 07:52 slave01.wolf.com
-rw-r--r-- 1 root root 451 Jun 12 07:52 slave02.wolf.com
[root@salt master]# cp minions/salt.wolf.com minions_autosign/
[root@salt master]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@salt master]# cp minions/salt.wolf.com minions_denied/
[root@salt master]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
salt.wolf.com
Unaccepted Keys:
Rejected Keys:
[root@salt master]# cp minions/salt.wolf.com minions_pre
[root@salt master]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
salt.wolf.com
Unaccepted Keys:
salt.wolf.com
Rejected Keys:
[root@salt master]# cp minions/salt.wolf.com minions_rejected/
[root@salt master]# salt-key
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
salt.wolf.com
Unaccepted Keys:
salt.wolf.com
Rejected Keys:
salt.wolf.com
```

So `salt-key` simply reports the contents of the four state directories: a minion id appears under Accepted, Denied, Unaccepted or Rejected exactly when a file with that name exists in minions, minions_denied, minions_pre or minions_rejected, and the same id can show up in several lists at once.
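As an added example (not code from the original post), the following Python script audits the plain-text `salt-key` listing the way an operator should before running `salt-key -A`: it parses the four sections into the pki/master directories that back them, flags pending ids that still need a fingerprint check, flags denied ids (Salt files a key under minions_denied when a minion reuses an already accepted id but presents a different key), and flags an id that sits in more than one state directory, which is exactly the situation the copy experiment above produces. The sample listing is constructed from the post's final output; the function and variable names are my own.

```python
# Added example (not from the original post): audit the listing printed by
# `salt-key` / `salt-key -L`; headers map to the /etc/salt/pki/master dirs.
SECTIONS = {
    "Accepted Keys:": "minions",
    "Denied Keys:": "minions_denied",
    "Unaccepted Keys:": "minions_pre",
    "Rejected Keys:": "minions_rejected",
}

def parse_salt_key(text):
    # Returns {pki directory: [minion ids]} from salt-key's text output.
    state, current = {d: [] for d in SECTIONS.values()}, None
    for line in text.splitlines():
        line = line.strip()
        if line in SECTIONS:
            current = SECTIONS[line]
        elif line and current is not None:
            state[current].append(line)
    return state

def audit(state):
    # Flags ids that need a human decision before any `salt-key -A`.
    findings = []
    for mid in state["minions_pre"]:
        findings.append(f"PENDING {mid}: verify fingerprint (salt-key -f) first")
    for mid in state["minions_denied"]:
        # Salt puts a key here when an accepted id shows up with a different key.
        findings.append(f"DENIED {mid}: key differs from the accepted one")
    where = {}
    for directory, ids in state.items():
        for mid in ids:
            where.setdefault(mid, []).append(directory)
    for mid, dirs in sorted(where.items()):
        if len(dirs) > 1:  # same id in several state dirs, as in the post
            findings.append(f"INCONSISTENT {mid}: present in {', '.join(dirs)}")
    return findings

# Constructed sample: the listing the post ends with, after one key file had
# been copied into every directory under /etc/salt/pki/master.
SAMPLE = """\
Accepted Keys:
salt.wolf.com
slave01.wolf.com
slave02.wolf.com
Denied Keys:
salt.wolf.com
Unaccepted Keys:
salt.wolf.com
Rejected Keys:
salt.wolf.com
"""
```

Run `audit(parse_salt_key(SAMPLE))` to get the three findings for salt.wolf.com; a clean listing with every id in exactly one accepted slot returns an empty list.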