SaltStack introduction, installation and configuration

1. SaltStack overview

1.1 Introduction to SaltStack

SaltStack is a centralized management platform for server infrastructure that provides configuration management, remote execution, monitoring and other functions. It is implemented in Python and built on a lightweight message queue (ZeroMQ) and third-party Python modules (PyZMQ, PyCrypto, Jinja2, python-msgpack, PyYAML, etc.). With a SaltStack environment deployed, we can run commands in batches on thousands of servers and, according to different business characteristics, centrally manage configuration, distribute files, collect server data, and manage the operating system base and software packages.

1.2 SaltStack service architecture

In the SaltStack architecture, the server is called the Master and the client is called the Minion.
Both the Master and the Minion run as daemons.

1.3 Salt port

After Salt is installed, configuration can begin. salt-master listens on two ports by default:

  • 4505 (publish_port): sends remote commands
  • 4506 (ret_port): provides authentication, file service, result collection and other functions

2. rpm package download

Download link: https://repo.saltstack.com/yum/redhat/

3. Experimental environment

Host type           IP                 Apps to install
Control machine     192.168.153.135    salt, salt-cloud, salt-master, salt-minion, salt-ssh, salt-syndic
Controlled machine  192.168.153.136    salt-minion

The firewall and SELinux are turned off on both hosts.

4. Install the saltstack console software on the control machine

4.1 Install the repo package

rpm -ivh salt-repo-latest-2.el7.noarch.rpm

4.2 Clear yum cache

yum clean all

4.3 Install the required software packages on the master side

yum -y install salt salt-cloud salt-master salt-minion salt-ssh salt-syndic

4.4 Modify the minion configuration file of the master

sed -i '/^#master:/a master: 192.168.153.135' /etc/salt/minion

# Remember: in "master:", put a space after the colon, then write the IP

4.5 Start salt-master and salt-minion on the master and enable them at boot

systemctl start salt-master
systemctl start salt-minion
systemctl enable salt-master
systemctl enable salt-minion

5. Install the salt-minion client on the controlled machine

5.1 Install the repo package

rpm -ivh salt-repo-latest-2.el7.noarch.rpm

5.2 Clear yum cache

yum clean all

5.3 Install the required software packages on the controlled machine

yum -y install salt-minion

5.4 Modify the minion configuration file of the controlled machine

sed -i '/^#master:/a master: 192.168.153.135' /etc/salt/minion

# Remember: in "master:", put a space after the colon, then write the IP

5.5 Start salt-minion on the controlled machine and enable it at boot

systemctl start salt-minion
systemctl enable salt-minion

6. The master accepts all minion keys waiting for authentication

salt-key -yA

7. Introduction to the SaltStack configuration files

The SaltStack configuration files are in the /etc/salt directory

Configuration file   Description
/etc/salt/master     Master (control side) configuration file
/etc/salt/minion     Minion (controlled side) configuration file

The default configuration of the configuration file /etc/salt/master can work very well, so there is no need to modify this configuration file.

Common configuration parameters in /etc/salt/minion

  • master: sets the IP of the master
  • id: sets the unique identifier of the controlled machine; it can be an IP, a host name or a meaningful word

Detailed introduction to the configuration file: https://www.cnblogs.com/shawhe/p/10826498.html

8. SaltStack authentication mechanism

The SaltStack master relies on OpenSSL certificates to communicate with the controlled hosts. After a controlled host starts, it sends a public key certificate file to the master, and the salt-key command is used on the master to manage the certificates.
The authentication process between salt-minion and salt-master:

  • When a minion is started for the first time, it automatically generates a key pair under /etc/salt/pki/minion/ and then sends the public key to the master
  • After the master receives the minion's public key, the key is accepted with the salt-key command. The master's /etc/salt/pki/master/minions directory then stores the public key in a file named after the minion_id, and from that point the master can send control commands to the minion

Common salt-key options
	    -L           //list all public key information
	    -a minion    //accept the pending key of the specified minion
	    -A           //accept the pending keys of all minions
	    -r minion    //reject the pending key of the specified minion
	    -R           //reject the pending keys of all minions
	    -f minion    //show the fingerprint of the specified key
	    -F           //show the fingerprints of all keys
	    -d minion    //delete the key of the specified minion
	    -D           //delete the keys of all minions
	    -y           //answer yes automatically

View current certificate status

[root@host-135 master]# salt-key -L 
Accepted Keys:
host-135
host-136
Denied Keys:
Unaccepted Keys:
Rejected Keys:
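
An added example, not part of the original article: rather than accepting every pending key with -A as in section 6, this script accepts a single minion only when the fingerprint that salt-key -f reports on the master equals the one read on the minion itself with salt-call --local key.finger. The function names, the SALT_KEY_CMD variable and the sample fingerprint are assumptions made for the example.

```shell
#!/bin/sh
# Added example: accept one pending minion key only after its fingerprint has
# been checked against the value read on the minion itself.
# SALT_KEY_CMD is an assumption of this example: it lets the logic be
# exercised without a running master. It defaults to the real salt-key.
SALT_KEY_CMD="${SALT_KEY_CMD:-salt-key}"

# Constructed sample of `salt-key -f host-136` output; the fingerprint is made up.
SAMPLE_LISTING='Unaccepted Keys:
host-136:  3a:7f:10:c4:5e:92:0b:d1:66:aa:19:e8:4c:27:f3:85'

# Read `salt-key -f` output on stdin and print the fingerprint listed for
# minion id $1, but only if it appears under "Unaccepted Keys:".
pending_fingerprint() {
    awk -v id="$1" '
        /^Unaccepted Keys:/  { pending = 1; next }
        /^[A-Za-z]+ Keys:/   { pending = 0; next }
        pending && $1 == (id ":") { print tolower($2); exit }
    '
}

# Accept minion $1 only when its pending key matches fingerprint $2.
# Returns 0 = accepted, 1 = fingerprint mismatch, 2 = no pending key for that id.
accept_if_match() {
    id="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    seen=$("$SALT_KEY_CMD" --no-color -f "$id" | pending_fingerprint "$id")
    if [ -z "$seen" ]; then
        echo "no pending key for $id" >&2
        return 2
    fi
    if [ "$seen" != "$expected" ]; then
        echo "fingerprint mismatch for $id (master sees $seen)" >&2
        return 1
    fi
    "$SALT_KEY_CMD" -y -a "$id"
}

# Usage: sh accept-minion.sh <minion-id> <fingerprint read on the minion>
if [ "$#" -eq 2 ]; then
    accept_if_match "$1" "$2"
fi
```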

9. SaltStack modules

9.1 List all salt sys modules

salt 'host-136' sys.list_modules

9.2 The ping method under the test module tests whether the specified host is alive

[root@host-135 master]# salt 'host-136' test.ping
host-136:
    True
[root@host-135 master]# salt '*' test.ping
host-136:
    True
host-135:
    True

9.3 pkg module

Install nginx service

salt 'host-136' pkg.install "nginx"

Query nginx service version

salt 'host-136' pkg.version "nginx"

Uninstall nginx service

salt 'host-136' pkg.remove "nginx"

9.4 service module

Start nginx service

salt 'host-136' service.start "nginx"

Query nginx service status

salt 'host-136' service.status "nginx"

Stop nginx service

salt 'host-136' service.stop "nginx"

9.5 cmd module: can execute any shell command

salt 'host-136' cmd.run 'ps -ef|grep python'

Origin blog.csdn.net/m0_46674735/article/details/113928894