项目,VM1: saltstack-node1.example.com,VM2: saltstack-node2.example.com
安装角色,master && minion,minion
IP(eth0),10.0.0.21,10.0.0.22
网关(eth0),10.0.0.2,10.0.0.2
DNS,8.8.8.8, 114.114.114.114,8.8.8.8, 114.114.114.114
系统版本,CentOS release 6.7 (Final),CentOS release 6.7 (Final)
内核版本,2.6.32-573.el6.x86_64,2.6.32-573.el6.x86_64
防火墙,关,关
selinux,关,关
hostname
cat /etc/redhat-release
uname -r
/etc/init.d/iptables status
getenforce
ifconfig eth0 |awk -F "[ :]+" ‘NR==2 {print $4}‘
route -n
cat /etc/resolv.conf
两台机器同时做好内网DNS的解析。
cat >/etc/hosts<<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.21 saltstack-node1.example.com
10.0.0.22 saltstack-node2.example.com
EOF
两台机器先安装epel源:
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
同时安装master和minion端。
yum install -y salt-master salt-minion
rpm -qa salt-master salt-minion
安装后启动服务。
/etc/init.d/salt-master start
chkconfig salt-master on
chkconfig --list salt-master
/etc/init.d/salt-minion start
chkconfig salt-minion on
chkconfig --list salt-minion
只安装minion端。
yum install -y salt-minion
rpm -qa salt-minion
安装后启动服务。
/etc/init.d/salt-minion start
chkconfig salt-minion on
chkconfig --list salt-minion
[root@saltstack-node1 ~]# cd /etc/salt/
[root@saltstack-node1 salt]# ll#检查,会自动生成如下文件
总用量 72
-rw-r----- 1 root root 29543 2016-03-23 06:24 master#master端主配置文件
-rw-r----- 1 root root 26365 2016-03-23 06:24 minion#minion端主配置文件
drwxr-xr-x 2 root root 4096 2016-08-04 12:42 minion.d
-rw-r--r-- 1 root root 27 2016-08-04 12:42 minion_id#minion端的ID
drwxr-xr-x 4 root root 4096 2016-08-04 12:42 pki#存放密钥的目录
[root@saltstack-node1 salt]# cat minion_id #主机的FQDN名,每个minion端都有
saltstack-node1.example.com
[root@saltstack-node2 ~]# cd /etc/salt/
[root@saltstack-node2 salt]# ll#检查,会自动生成如下的文件
总用量 40
-rw-r----- 1 root root 26365 2016-03-23 06:24 minion#minion端主配置文件
drwxr-xr-x 2 root root 4096 2016-08-04 12:42 minion.d
-rw-r--r-- 1 root root 27 2016-08-04 12:42 minion_id#minion端的ID
drwxr-xr-x 3 root root 4096 2016-08-04 12:42 pki#存放密钥的目录
[root@saltstack-node2 salt]# cat minion_id #主机的FQDN名,每个minion端都有
saltstack-node2.example.com
minion端必须经过master端的认证,才能被管理。※
~ saltstack-node2
[root@saltstack-node2 ~]# cd /etc/salt/
[root@saltstack-node2 salt]# vim minion
master: saltstack-node1.example.com
#指定master端是谁,可写FQDN或IP地址,第16行
[root@saltstack-node2 salt]# /etc/init.d/salt-minion restart
#重启服务,修改了这一步,还不够,还需要master端认证才行(即相互交换公钥)
[root@saltstack-node2 salt]# cd pki/minion/
[root@saltstack-node2 minion]# ll
-r-------- 1 root root 1679 2016-08-04 13:26 minion.pem#minion的私钥
-rw-r--r-- 1 root root 451 2016-08-04 13:26 minion.pub#minion的公钥
#重启服务后,会自动生成一对密钥,认证时,公钥会发给master端,minion端也会接收master端的公钥
~ saltstack-node1
[root@saltstack-node1 ~]# cd /etc/salt/pki/master/
[root@saltstack-node1 master]# ll
-r-------- 1 root root 1675 2016-08-04 12:40 master.pem#master的私钥
-rw-r--r-- 1 root root 451 2016-08-04 12:40 master.pub#master的公钥
drwxr-xr-x 2 root root 4096 2016-08-04 13:39 minions#存放所有的minion端公钥
drwxr-xr-x 2 root root 4096 2016-08-04 12:40 minions_autosign
drwxr-xr-x 2 root root 4096 2016-08-04 12:40 minions_denied
drwxr-xr-x 2 root root 4096 2016-08-04 13:39 minions_pre
drwxr-xr-x 2 root root 4096 2016-08-04 12:40 minions_rejected
~ saltstack-node1master端认证mirror端,必须要接受mirror端,才能管理它
[root@saltstack-node1 ~]# cd /etc/salt/pki/master/
[root@saltstack-node1 master]# salt-key #可以看到,只有一个minion端,但还未接受
Accepted Keys:
Denied Keys:
Unaccepted Keys:
saltstack-node2.example.com
Rejected Keys:
[root@saltstack-node1 master]# salt-key -a saltstack-node2.example.com
# -a添加特定的minion端
The following keys are going to be accepted:
Unaccepted Keys:
saltstack-node2.example.com
Proceed? [n/Y] Y#输入Y同意
Key for minion saltstack-node2.example.com accepted.
[root@saltstack-node1 master]# salt-key #再查看,接受minion端了
Accepted Keys:
saltstack-node2.example.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
认证的过程,即相互交换公钥的过程。
~ 查看minion端公钥的内容
[root@saltstack-node1 ~]# cd /etc/salt/pki/master/
[root@saltstack-node1 master]# cat minions/saltstack-node2.example.com
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA062YmAq9L3OXZytSosco
OOFLBTjhbpJTInwLmNQCU+8+o6ataFaKavNnbOlVmm/3TuZ/So5EGWekaxgtAnFQ
uRbv2k+l358uPHQ3X5mf2Hr2d1lI1hMEmBDz+X/zf7TD4KQ/0k3UdMe0DktniBYQ
J7L4F4Jw4xqDe0fsv6Z3QrzOQeadvD8ItGtE/oDJ1g5158Fw4yaLU0ixNfMBak8R
dA1Cw9hxAy4OYXMr+7meld0lEI2WinnLy3bw2fGiw50MFnw8YVFlOWTJ30mqy5kO
GaJ/70RxyQ3adPeSeNNYiqEwhw7YtJGygcQsfzhYL9aLDX7HTXuwxpM0g3Jmn18V
jQIDAQAB
-----END PUBLIC KEY-----
#可以发现,它们的内容是一样的
[root@saltstack-node2 ~]# cd /etc/salt/pki/minion/
[root@saltstack-node2 minion]# cat minion.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA062YmAq9L3OXZytSosco
OOFLBTjhbpJTInwLmNQCU+8+o6ataFaKavNnbOlVmm/3TuZ/So5EGWekaxgtAnFQ
uRbv2k+l358uPHQ3X5mf2Hr2d1lI1hMEmBDz+X/zf7TD4KQ/0k3UdMe0DktniBYQ
J7L4F4Jw4xqDe0fsv6Z3QrzOQeadvD8ItGtE/oDJ1g5158Fw4yaLU0ixNfMBak8R
dA1Cw9hxAy4OYXMr+7meld0lEI2WinnLy3bw2fGiw50MFnw8YVFlOWTJ30mqy5kO
GaJ/70RxyQ3adPeSeNNYiqEwhw7YtJGygcQsfzhYL9aLDX7HTXuwxpM0g3Jmn18V
jQIDAQAB
-----END PUBLIC KEY-----
~ 查看master端公钥的内容
[root@saltstack-node2 ~]# cd /etc/salt/pki/minion/
[root@saltstack-node2 minion]# cat minion_master.pub #注意名字的变化
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxQv0en2AJhWq/1dh67Kz
3zuH1G307x0vyJqCg3v7CaNwbKgot4+Aiq+gYBYFQ3uDvoJSYF0bfE5l0ht+s7s8
p2p7nrrWDQfyd9ph5HL4xtXQIltPhdONRsNZbahmB4C4KkHQ5MUSdG1zXaqVBHWk
1nlwtwUd/3A2iOiMtNOx2mhuSTPb1DlPfKcl2uNDbEBc4YLMcofh7HDW5Z7MNMMz
ijuOkilaMQcVDCY2PEI+iwrFzPaV5H6YuztFGiF/pHpsIlVFDN4C+QPInQs6ACQq
CsHGoUHHePCAqVPtA0F2DsW6iFvNvksFjclzJniVjEpmENwapnB8YogHBZrxYWim
5wIDAQAB
-----END PUBLIC KEY-----
[root@saltstack-node1 ~]# cd /etc/salt/pki/master/
[root@saltstack-node1 master]# cat master.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxQv0en2AJhWq/1dh67Kz
3zuH1G307x0vyJqCg3v7CaNwbKgot4+Aiq+gYBYFQ3uDvoJSYF0bfE5l0ht+s7s8
p2p7nrrWDQfyd9ph5HL4xtXQIltPhdONRsNZbahmB4C4KkHQ5MUSdG1zXaqVBHWk
1nlwtwUd/3A2iOiMtNOx2mhuSTPb1DlPfKcl2uNDbEBc4YLMcofh7HDW5Z7MNMMz
ijuOkilaMQcVDCY2PEI+iwrFzPaV5H6YuztFGiF/pHpsIlVFDN4C+QPInQs6ACQq
CsHGoUHHePCAqVPtA0F2DsW6iFvNvksFjclzJniVjEpmENwapnB8YogHBZrxYWim
5wIDAQAB
-----END PUBLIC KEY-----
同理,我们还可以再把node1的minion端加进来,即自己(master)给自己(minion)认证也是可以的。这样我们就有两个minion端和一个master端。※
结果如下:
[root@saltstack-node1 ~]# salt-key #有两个minion端
Accepted Keys:
saltstack-node1.example.com
saltstack-node2.example.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@saltstack-node1 ~]# salt-key --help#查命令的帮助
-a ACCEPT, --accept=ACCEPT#接受指定的minion端
-A, --accept-all Accept all pending keys#接受所有的minion端
-r REJECT, --reject=REJECT#拒绝指定的minion端
-R, --reject-all Reject all pending keys#拒绝所有的minion端
-d DELETE, --delete=DELETE#删除指定的minion端
-D, --delete-all Delete all keys#删除所有的minion端
-L, --list-all List all public keys.#列出所有的minion端(salt-key)
-P, --print-all Print all public keys#打印所有的公钥
[root@saltstack-node1 ~]# salt ‘*‘ test.ping
返回true,代表master能管理minion
salt是一个固定的关键字
*代表要执行命令的目标,*代表匹配所有
test是一个模块
.ping代表引用test模块里的一个方法
官方解释:salt.modules.test.ping()
Used to make sure the minion is up and responding. Not an ICMP ping.
[root@saltstack-node1 ~]# salt ‘*‘ cmd.run ‘df -h‘
#在所有的minion端执行命令
cmd是一个模块
.run代表引用cmd模块里的一个方法
‘df -h‘代表Linux里的shell命令,命令要用单引号引起来
Execute the passed command(被传递的命令) and return the output as a string
执行一个被传递过去的命令,并以字符串的形式返回输出
cmd.run,这个模块的功能非常强大,可以执行所有的linux命令,在生产环境中,慎用!
[root@saltstack-node1 ~]# salt ‘*‘ cmd.run ‘ifconfig eth0|grep "inet addr:"‘
#查看所有minion端的ip
[root@saltstack-node1 ~]# salt ‘saltstack-node1.example.com‘ cmd.run ‘uptime‘
#指定固定的管理目标(minion),这里写的是minion_id
[root@saltstack-node1 ~]# cd /etc/salt/
[root@saltstack-node1 salt]# vim master#指定base的文件根路径
#直接搜索【file_root】,把注释行去掉,注意写法,多少个空格是固定好的!
#两个空格为一个级别
file_roots:
base:
- /srv/salt
[root@saltstack-node1 salt]# /etc/init.d/salt-master restart#修改后要重启
[root@saltstack-node1 salt]# mkdir -p /srv/salt/#创建base的文件根路径
[root@saltstack-node1 salt]# cd /srv/salt/
[root@saltstack-node1 salt]# vim top.sls #指定状态描述文件【apache】
base:
‘*‘:#对所有的minion端生效
- apache#文件名,可以不写后缀sls
[root@saltstack-node1 salt]# vim apache.sls #状态描述文件【apache】的内容
apache-service:#ID名称
pkg.installed:#分别是模块.方法
- names:#指定包名,下面指定两个,注意有s
- httpd#安装httpd包
- httpd-devel#安装httpd-devel包
[root@saltstack-node1 salt]# salt ‘*‘ state.highstate#远程安装httpd包
saltstack-node1.example.com:
----------
ID: apache-service#ID名称
Function: pkg.installed#功能:模块.方法
Name: httpd#第1个软件包
Result: True#安装成功
Comment: Package httpd is already installed.
Started: 17:37:28.053740
Duration: 559.351 ms
Changes:
----------
ID: apache-service#ID名称
Function: pkg.installed#功能:模块.方法
Name: httpd-devel#第2个软件包
Result: True#安装成功
Comment: Package httpd-devel is already installed.
Started: 17:37:28.613244
Duration: 0.504 ms
Changes:
Summary
------------
Succeeded: 2#成功,两个
Failed: 0#失败,无
------------
Total states run: 2
saltstack-node2.example.com:
----------
ID: apache-service
Function: pkg.installed
Name: httpd
Result: True
Comment: Package httpd is already installed.
Started: 17:37:38.054029
Duration: 551.308 ms
Changes:
----------
ID: apache-service
Function: pkg.installed
Name: httpd-devel
Result: True
Comment: Package httpd-devel is already installed.
Started: 17:37:38.605549
Duration: 0.42 ms
Changes:
Summary
------------
Succeeded: 2
Failed: 0
------------
Total states run: 2
[root@saltstack-node1 salt]# rpm -qa httpd*#检查是否成功安装
httpd-2.2.15-54.el6.centos.x86_64
httpd-devel-2.2.15-54.el6.centos.x86_64
httpd-tools-2.2.15-54.el6.centos.x86_64
[root@saltstack-node2 ~]# rpm -qa httpd*#检查是否成功安装
httpd-devel-2.2.15-54.el6.centos.x86_64
httpd-tools-2.2.15-54.el6.centos.x86_64
httpd-2.2.15-54.el6.centos.x86_64
安装好软件包后,我们可以监控软件的运行状态,强制指定软件必须运行。
[root@saltstack-node1 salt]# cd /srv/salt/
[root@saltstack-node1 salt]# cat apache.sls#修改
apache-service:
pkg.installed:
- names:
- httpd
- httpd-devel
service.running:
- name: httpd
- enable: True
[root@saltstack-node1 salt]# salt ‘*‘ state.highstate#远程执行
#只看关键部分
saltstack-node2.example.com:
----------
ID: apache-service
Function: service.running
Name: httpd
Result: True
Comment: Service httpd has been enabled, and is running
Started: 17:53:42.105291
Duration: 171.491 ms
Changes:
----------
httpd:
True
[root@saltstack-node1 salt]# netstat -tunlp|grep 80
tcp 0 0 :::80 :::* LISTEN 32449/httpd
#所有的minion端全部启动apache
[root@saltstack-node2 ~]# netstat -tunlp |grep 80
tcp 0 0 :::80 :::* LISTEN 3661/httpd
本文出自 “陈发哥007” 博客,请务必保留此出处http://chenfage.blog.51cto.com/8804946/1834884
原文地址:http://chenfage.blog.51cto.com/8804946/1834884
