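SaltStack supports many operating systems, such as CentOS, RedHat, Debian, Ubuntu, FreeBSD, Solaris, Fedora, SuSe, Gentoo, Mac OS X and Archlinux, as well as Windows (Minion only).
Environment: centos6
server: 192.168.0.74
client: 192.168.0.78
Set up iptables and turn off SELinux (iptables -F flushes every firewall rule and setenforce 0 puts SELinux into permissive mode until the next reboot; the Salt master only needs TCP ports 4505 and 4506 reachable from the minions)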
[root@salt-server-192 salt]# iptables -F
[root@salt-server-192 salt]# setenforce 0
Install this on both the server and the client first
1. Preparing to install SaltStack
centos6:
yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el6.noarch.rpm
centos7:
yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
server:
yum install salt-master
yum install salt-minion -y
client:
yum install salt-minion -y
Install tree
yum install tree -y
Start salt-master
centos7
systemctl start salt-master
centos6
service salt-master start
Salt configuration files: master is the master's configuration and minion is the minion's configuration
[root@localhost ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── pki
│   ├── master
│   └── minion
├── proxy
├── proxy.d
└── roster
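Change the server's hostname
[root@localhost salt]# cat /etc/hostname
salt-server-192.168.0.74
[root@localhost salt]# hostname salt-server-192.168.0.74
[root@salt-server-192 ~]#
2. Salt Minion configuration
[root@localhost salt]# vim /etc/salt/minion
:set nu
:16
16 #master: salt    // defaults to salt; this can be an IP address or the server's hostname
// remove the comment marker
master: 192.168.0.74
:103
103 #id:    // (the client's id; if it is not set, the client server's hostname is used by default)
If the id is not changed, the server's hostname is used as the minion id by default
Start salt-minion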
centos7
[root@salt-server-192 ~]# systemctl start salt-minion
centos6
[root@salt-server-192 ~]# service salt-minion start
Starting the minion creates an extra minion_id file. Changing this id is not recommended; if you have to change it, delete the minion_id file first, make the change, and restart so that a new minion_id is generated.
[root@salt-server-192 salt]# ll
total 128
-rw-r-----. 1 root root  2624 Oct  5 00:02 cloud
drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.conf.d
drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.deploy.d
drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.maps.d
drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.profiles.d
drwxr-xr-x. 2 root root     6 Oct  5 06:29 cloud.providers.d
-rw-r-----. 1 root root 49323 Oct  5 00:02 master
drwxr-xr-x. 2 root root     6 Oct  5 06:29 master.d
-rw-r-----. 1 root root 35312 Nov 17 23:56 minion
drwxr-xr-x. 2 root root     6 Oct  5 06:29 minion.d
-rw-r--r--. 1 root root    24 Nov 18 00:01 minion_id
drwxr-xr-x. 4 root root    32 Nov 14 23:10 pki
-rw-r-----. 1 root root 28002 Oct  5 00:02 proxy
drwxr-xr-x. 2 root root     6 Oct  5 06:29 proxy.d
-rw-r-----. 1 root root   344 Oct  5 00:02 roster
[root@salt-server-192 salt]# cat minion_id
salt-server-192.168.0.74
On 192.168.0.78, edit the minion configuration and start the minion
vim /etc/salt
16 master: 192.168.0.74
3. SaltStack authentication
Salt's data transfer is encrypted with AES. Before the Master and a Minion communicate, they have to authenticate. Authentication is what provides the security: once authentication has been completed, the Master can freely control the Minion to carry out all kinds of work.
Key authentication on the Master
[root@salt-server-192 salt]# tree
.
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── minion_id
├── pki
│   ├── master
│   │   ├── master.pem
│   │   ├── master.pub
│   │   ├── minions
│   │   ├── minions_autosign
│   │   ├── minions_denied
│   │   ├── minions_pre
│   │   │   ├── salt-minion-192.168.0.78
│   │   │   └── salt-server-192.168.0.74
│   │   └── minions_rejected
│   └── minion
│       ├── minion.pem
│       └── minion.pub
├── proxy
├── proxy.d
└── roster
Common salt-key commands:
-a ACCEPT, --accept=ACCEPT Accept the following key
-A, --accept-all Accept all pending keys
-r REJECT, --reject=REJECT Reject the specified public key
-R, --reject-all Reject all pending keys
-d DELETE, --delete=DELETE Delete the named key
-D, --delete-all Delete all keys
-L List all hosts
Show all keys
[root@salt-server-192 salt]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion-192.168.0.78
salt-server-192.168.0.74
Rejected Keys:
Accept a key: -a followed by the name of the key
[root@salt-server-192 salt]# salt-key -a salt-server-192.168.0.74
[root@salt-server-192 salt]# salt-key
Accepted Keys:
salt-server-192.168.0.74
Denied Keys:
Unaccepted Keys:
salt-minion-192.168.0.78
Rejected Keys:
// this also works
[root@salt-server-192 salt]# salt-key -a salt-server*
-A accepts all keys
[root@salt-server-192 salt]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
salt-minion-192.168.0.78
Proceed? [n/Y] Y
Key for minion salt-minion-192.168.0.78 accepted.
[root@salt-server-192 salt]# salt-key
Accepted Keys:
salt-minion-192.168.0.78
salt-server-192.168.0.74
Denied Keys:
Unaccepted Keys:
Rejected Keys:
After a key is accepted, its public key is moved into the minions directory
[root@salt-server-192 salt]# tree
.
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
│   └── _schedule.conf
├── minion_id
├── pki
│   ├── master
│   │   ├── master.pem
│   │   ├── master.pub
│   │   ├── minions
│   │   │   ├── salt-minion-192.168.0.78
│   │   │   └── salt-server-192.168.0.74
│   │   ├── minions_autosign
│   │   ├── minions_denied
│   │   ├── minions_pre
│   │   └── minions_rejected
│   └── minion
│       ├── minion_master.pub
│       ├── minion.pem
│       └── minion.pub
├── proxy
├── proxy.d
└── roster
On 192.168.0.78
[root@salt-minion-192 salt]# tree
.
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
│   └── _schedule.conf
├── minion_id
├── pki
│   ├── master
│   └── minion
│       ├── minion_master.pub
│       ├── minion.pem
│       └── minion.pub
├── proxy
├── proxy.d
└── roster
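Accepting a key with salt-key -a or -A, as shown above, is the step that gives a host's key the trust of the Master, so it is worth checking each key waiting in minions_pre before accepting it. The script below is an added example, not part of the original post: it compares every pending key with a copy of that minion's minion.pub recorded earlier. Assumptions: the directory of recorded keys and the function names are hypothetical, and the master is assumed to store the submitted key under minions_pre/<id> in the same PEM form as the minion's minion.pub.

```bash
# Added example (not from the original post). Assumption: the "known" directory
# holds a copy of each minion's /etc/salt/pki/minion/minion.pub, named after the
# minion id and collected over a trusted channel when the host was provisioned.

# Print a key file with all whitespace removed, so that a trailing-newline
# difference between the two copies is not reported as a mismatch.
normalized_key() {
    tr -d '[:space:]' < "$1"
}

# triage_pending PKI_MASTER_DIR KNOWN_DIR
# Prints one verdict per key waiting in PKI_MASTER_DIR/minions_pre:
#   ACCEPT id    pending key equals the recorded key
#   MISMATCH id  the id is expected, but a different key was submitted
#   UNKNOWN id   no key was recorded for this id
triage_pending() {
    for pending in "$1"/minions_pre/*; do
        [ -f "$pending" ] || continue
        id=${pending##*/}
        if [ ! -f "$2/$id" ]; then
            echo "UNKNOWN $id"
        elif [ "$(normalized_key "$pending")" = "$(normalized_key "$2/$id")" ]; then
            echo "ACCEPT $id"
        else
            echo "MISMATCH $id"
        fi
    done
}

# Constructed sample data: write_key FILE BODY writes a fake PEM public key.
write_key() {
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' "$2" '-----END PUBLIC KEY-----' > "$1"
}

# Builds three pending keys and two recorded keys in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/master/minions_pre" "$tmp/known"
    write_key "$tmp/known/salt-minion-192.168.0.78" 'CONSTRUCTEDKEYAAAA'
    write_key "$tmp/known/salt-server-192.168.0.74" 'CONSTRUCTEDKEYBBBB'
    write_key "$tmp/master/minions_pre/salt-minion-192.168.0.78" 'CONSTRUCTEDKEYAAAA'
    write_key "$tmp/master/minions_pre/salt-server-192.168.0.74" 'CONSTRUCTEDKEYXXXX'
    write_key "$tmp/master/minions_pre/unexpected-host" 'CONSTRUCTEDKEYCCCC'
    triage_pending "$tmp/master" "$tmp/known"
    rm -rf "$tmp"
}

demo
```

On the master from this page the first argument would be /etc/salt/pki/master; run salt-key -a <id> only for the ids reported as ACCEPT.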
Original article: https://www.cnblogs.com/mingerlcm/p/7854179.html