Automated operation and maintenance tool: SaltStack deployment and use

Table of contents

1. Introduction to SaltStack
   1. Introduction
   2. The core functions of Salt
   3. SaltStack communication mechanism
2. SaltStack deployment
   1. Deployment environment
   2. Configure the yum source
   3. Install master and minion
   4. Connect and authenticate master and minion
3. Salt operation
   1. Execution format
   2. Practical demonstration


1. Introduction to SaltStack

1. Introduction

SaltStack is a configuration management system (client and server) capable of maintaining a predefined state on remote nodes.
SaltStack is a distributed remote execution system used to run commands and query data on remote nodes.
SaltStack is a powerful tool for operations staff to improve efficiency and to standardize business configuration and operations.


2. The core functions of Salt

① Commands sent to remote systems run in parallel instead of serially
② A secure, encrypted protocol is used
③ Network load is kept as small and fast as possible
④ A simple programming interface is provided
Salt also introduces a finer-grained targeting system for remote execution: systems can be targeted not only by hostname but also by system properties.


3. SaltStack communication mechanism

SaltStack uses a client/server model. The master publishes commands to minions over a ZeroMQ publish/subscribe channel, which listens on port 4505 by default.
The second network service run by the Salt master is the ZeroMQ REP (request/reply) channel, which listens on port 4506 by default; minions use it to return results and to exchange keys.

2. SaltStack deployment

1. Deployment environment

Host name    IP address       Service
PC1          192.168.30.11    salt-master
PC2          192.168.3.12     salt-minion

2. Configure the yum source

sudo rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo

3. Install master and minion

PC1 runs:
yum install -y salt-master
#install the master side
systemctl enable --now salt-master
#enable the master service at boot and start it now
PC2 runs:
yum install -y salt-minion
#install the minion side
systemctl enable --now salt-minion.service
#enable the minion service at boot and start it now

4. Connect and authenticate master and minion

Authentication principle:

① When the minion starts for the first time, it automatically generates a key pair under /etc/salt/pki/minion/ and then sends its public key to the master.

② After the master receives the minion's public key, the key is accepted with the salt-key command. The master then stores the public key, named after the minion id, in its /etc/salt/pki/master/minions directory, and from that point the master can send control commands to the minion.

PC1 runs:
lsof -i:4506
#check the state of port 4506; the output below shows it listening, but with no connection established yet
COMMAND      PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 101552 root   43u  IPv4 162865      0t0  TCP *:4506 (LISTEN)
lsof -i:4505
#check the state of port 4505; the output below shows it listening, but with no connection established yet
COMMAND      PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 101546 root   35u  IPv4 154229      0t0  TCP *:4505 (LISTEN)
PC2 runs:
rpm -qc salt-minion
#locate the minion configuration file
vim /etc/salt/minion
#open the configuration file and edit line 16: remove the comment, set your own master address, then save and exit
.
.
master: 192.168.30.11
.
.
systemctl restart salt-minion.service
#restart the minion service so the configuration takes effect
PC1 runs:
lsof -i:4506
#check the state of port 4506; the output below shows one line for the listening service and one for the connection established between the master and PC2
COMMAND      PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 101552 root   43u  IPv4 162865      0t0  TCP *:4506 (LISTEN)
salt-mast 101552 root   51u  IPv4 219147      0t0  TCP pc1:4506->192.168.30.12:57896 (ESTABLISHED)
lsof -i:4505
#check the state of port 4505; the output below shows the minion still waiting for the master to run the command that allows it to connect
COMMAND      PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 101546 root   35u  IPv4 154229      0t0  TCP *:4505 (LISTEN)

PC1 runs:
Use the salt-key command with one of the following parameters to configure which minions the master allows to connect:
    -L                 list all public keys
    -a <minion id>     accept the pending key of the specified minion
    -A                 accept all pending minion keys
    -r <minion id>     reject the pending key of the specified minion
    -R                 reject all pending minion keys
    -f <minion id>     show the fingerprint of the specified key
    -F                 show the fingerprints of all keys
    -d <minion id>     delete the key of the specified minion
    -D                 delete all minion keys
    -y                 answer yes automatically
#the -L option shows which hosts are waiting to connect
salt-key -A
#allow all hosts to connect (see figure 1 below for the actual operation)
lsof -i :4505
#check whether the client has established a connection with the master (figure 2 below)
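salt-key -A accepts every pending key, including one from any host that can reach port 4506 and presents an id of its choosing; once accepted, that host receives whatever the master publishes. The defensive version of this step is to compare the pending fingerprint shown by salt-key -F with the fingerprint the minion reports for its own key (salt-call --local key.finger, read over SSH or on the console) and only then run salt-key -a for that id. The following POSIX sh script is an added example and is not code from the original post or from the SaltStack project; it assumes the section/line layout printed by salt-key -F and lsof, and all sample text in it is constructed.

```shell
# Added example (not part of the original post): verify a minion before
# accepting its key, instead of accepting everything with "salt-key -A".
# Assumptions: "salt-key -F" prints section headers such as "Unaccepted Keys:"
# followed by "id:  fingerprint" lines, and the minion reports its own
# fingerprint with "salt-call --local key.finger". Sample text is constructed.

# Constructed sample of "lsof -i:4506" on the master, in the post's format.
SAMPLE_LSOF='COMMAND      PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 101552 root   43u  IPv4 162865      0t0  TCP *:4506 (LISTEN)
salt-mast 101552 root   51u  IPv4 219147      0t0  TCP pc1:4506->192.168.30.12:57896 (ESTABLISHED)'

# Constructed sample of "salt-key -F": one accepted key, one pending key.
SAMPLE_KEYS='Local Keys:
master.pem:  11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
master.pub:  00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11
Accepted Keys:
pc3:  de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef
Unaccepted Keys:
pc2:  0b:ad:f0:0d:0b:ad:f0:0d:0b:ad:f0:0d:0b:ad:f0:0d'

# Print the remote addresses holding an ESTABLISHED connection to the
# master's request port 4506, i.e. hosts that have reached the master.
# $1: lsof output text
connected_minion_addrs() {
    printf '%s\n' "$1" | awk '
        $NF == "(ESTABLISHED)" && $(NF-1) ~ /:4506->/ {
            split($(NF-1), parts, "->")
            sub(/:[0-9]+$/, "", parts[2])
            print parts[2]
        }'
}

# Print the fingerprint of a minion id from the "Unaccepted Keys:" section
# only, so an already-accepted or rejected id is never reported as pending.
# $1: salt-key -F output text, $2: minion id
pending_fingerprint() {
    printf '%s\n' "$1" | awk -v id="$2" '
        /^[A-Za-z ]+ Keys:$/ { section = $0; next }
        section == "Unaccepted Keys:" && $1 == (id ":") { print $2; exit }'
}

# Return 0 only when the id is pending AND its fingerprint equals the value
# the minion reported out of band.
# $1: salt-key -F text, $2: minion id, $3: fingerprint reported by the minion
fingerprint_matches() {
    actual=$(pending_fingerprint "$1" "$2")
    [ -n "$actual" ] && [ "$actual" = "$3" ]
}

# Live version for the master (not run here; needs salt-key and an
# out-of-band fingerprint): accept the key only on a match.
accept_if_verified() {
    minion_id=$1
    expected=$2
    listing=$(salt-key -F)
    if fingerprint_matches "$listing" "$minion_id" "$expected"; then
        salt-key -y -a "$minion_id"
    else
        echo "fingerprint mismatch or no pending key for $minion_id; not accepting" >&2
        return 1
    fi
}
```

Usage on the master would be accept_if_verified pc2 "<fingerprint read from PC2>"; connected_minion_addrs "$(lsof -i:4506)" lists which addresses have actually reached the master, which is the same information the post reads by eye from the lsof output above.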

3. Salt operation

1. Execution format

salt [options] '<target>' <function> [arguments]
#execution format
target: specifies which minions to run on; by default a glob is matched against the minion id        # salt '*' test.ping
targets can also be given as a regular expression        # salt -E 'server[1-3]' test.ping
targets can also be given as a list              # salt -L 'server2,server3' test.ping
function: the functionality provided by a module; Salt ships with a large number of built-in functions
arguments: separated by spaces
# common target options
    -E       regular-expression match
    -L       list match
    -S       CIDR match on a subnet
    -G       grains match
    --grain-pcre     grains match with a regular expression
    -N       nodegroup match
    -R       range match
    -C       compound match (combine several matchers)
    -I       pillar value match
# common options
    --version             show the SaltStack version
    --versions-report     show the versions of SaltStack and its dependencies
    -h       show help
    -c CONFIG_DIR         specify the configuration directory (default /etc/salt/)
    -t TIMEOUT            specify the timeout (default 5s)
    --async     run asynchronously
    -v      verbose mode, show execution details
    --username=USERNAME      specify the external-auth username
    --password=PASSWORD      specify the external-auth password
    --log-file=LOG_FILE      specify the log file

2. Practical demonstration

1. Connectivity test
salt '*' test.ping
#test connectivity between all minions and the master
salt 'pc2' test.ping
#test connectivity between the minion on host pc2 and the master
2. Install software
salt 'node1' pkg.install httpd
3. Remove software
salt 'node1' pkg.remove httpd
4. Test various modules
salt '*' test.echo 'hello'
salt '*' network.ping baidu.com
# use the ping command to test connectivity to a host
salt '*' network.connect baidu.com 80
# test whether the minion can reach a given server and port
salt '*' network.get_hostname
# get the hostname
salt '*' network.active_tcp
# return all active tcp connections
salt '*' network.ip_addrs
# return a list of IPv4 addresses
salt '*' network.get_fqdn
# show the host's fqdn (fully qualified domain name)
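test.ping only reports the minions that answered; a minion whose key is accepted but that never replies (host down, stale key left behind by a rebuilt machine, or a minion whose key was accepted before it finished connecting) simply does not appear, so the useful operational check is the difference between the accepted key list and the ping results. The script below is an added example and not code from the original post or from the SaltStack project; it assumes salt-key -L prints section headers followed by one id per line and that salt '*' test.ping --out=txt prints "id: True" per responding minion, and both sample texts are constructed.

```shell
# Added example (not part of the original post): list accepted minions that
# did not answer "salt '*' test.ping". Assumptions: "salt-key -L" prints
# "Accepted Keys:" etc. followed by one id per line, and
# "salt '*' test.ping --out=txt" prints "minion_id: True" per responding
# minion. Both sample texts are constructed.

SAMPLE_ACCEPTED='Accepted Keys:
node1
pc2
pc3
Denied Keys:
Unaccepted Keys:
Rejected Keys:'

# Constructed ping output: pc3 is accepted but never answered.
SAMPLE_PING='node1: True
pc2: True
Minion pc3 did not respond. No job will be sent.'

# Print the ids under "Accepted Keys:" only. $1: salt-key -L text
accepted_minions() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z ]+ Keys:$/ { section = $0; next }
        section == "Accepted Keys:" && NF { print $1 }'
}

# Print the ids whose test.ping result is True. $1: test.ping --out=txt text
responding_minions() {
    printf '%s\n' "$1" | awk -F': ' '$2 == "True" { print $1 }'
}

# Print accepted ids that produced no True result.
# $1: salt-key -L text, $2: test.ping --out=txt text
silent_minions() {
    for id in $(accepted_minions "$1"); do
        if ! responding_minions "$2" | grep -qx "$id"; then
            echo "$id"
        fi
    done
}

# Live version for the master (not run here): run both commands and report,
# with a longer timeout than the 5 s default so slow minions are not
# misreported as silent.
report_silent_minions() {
    silent_minions "$(salt-key -L)" "$(salt '*' test.ping --out=txt -t 10)"
}
```

Any id printed by report_silent_minions deserves a look: either the host is genuinely unreachable, or its accepted key belongs to a machine that no longer exists and should be removed with salt-key -d <minion id>.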

 


Origin blog.csdn.net/weixin_67287151/article/details/131900158