SaltStack automated operations and maintenance -- SaltStack overview, SaltStack deployment environment, and the key authentication process

1. SaltStack overview

SaltStack is a centralized server management platform that provides configuration management, remote execution, monitoring and other functions.
SaltStack is a distributed remote execution system: depending on the business, it can centrally manage anything from tens to millions of remote nodes, distribute files, collect data from servers, and handle operating system basics and package management.

1.1 SaltStack components

SaltStack uses a C/S (client/server) model: the Salt Master is the server side and the Salt Minions are the clients.

  • Salt Master: the central management system. It sends commands and configuration to the Salt minions running on the managed systems.
  • Salt Minion: the managed system. It runs the salt-minion service, which receives commands and configuration from the Salt master.

1.2 SaltStack principle

Master and minion communicate through ZeroMQ message queues. When a minion first contacts the master it sends over its own public key; on the master, salt-key -L shows that minion's key, and accepting the key establishes trust between master and minion. From then on the master can send any instruction for the minion to execute, such as cmd.run: when we run salt '*' cmd.run 'uptime', the task is sent to the minions matching the target, each minion executes the module function and returns the result to the master. The master listens on ports 4505 and 4506: 4505 is the ZMQ PUB socket used to send messages, and 4506 is the REP socket used to receive messages.

  • Commands are sent to the remote systems in parallel, not serially
  • A secure, encrypted protocol is used
  • A simple programming interface is provided
  • Finer-grained control over which systems execute remotely: the target can be more than a host name, systems can also be selected by their system properties

ZeroMQ
ZeroMQ is a multithreaded network message queue library. Its socket types handle connection framing and abstract away the details of the underlying routing, providing sockets across multiple transport protocols.
ZeroMQ is a new network communication layer sitting between the application layer and the transport layer (in the TCP/IP division). It is a scalable layer that can run in parallel, distributed across a dispersed system.

1.3 SaltStack advantages

  • Written in Python, fairly lightweight
  • The communication layer is implemented with ZeroMQ in the PUB-SUB pattern, which makes it very fast
  • Open source; you can write your own modules in Python

2. SaltStack deployment and key authentication process

Host configuration

Host (IP)                          Service
Physical machine (172.25.2.250)    yum repository (httpd)
server1 (172.25.2.1)               salt-master
server2 (172.25.2.2)               salt-minion
server3 (172.25.2.3)               salt-minion

2.1 SaltStack deployment

1. Create a SaltStack yum repository
On the physical machine, I placed the SaltStack packages I had obtained into the default httpd document root and created a third-party repository from them.

On server1, write the repository file pointing to it, and send the file to server2 and server3.

2. On server1, install salt-master (yum install salt-master) and start the service.

3. Install lsof and net-tools, and check that ports 4505 and 4506 are listening.

  • 4505 (publish_port): the SaltStack message publishing port
  • 4506 (ret_port): the port for communication between SaltStack clients and the server

4. On server2 and server3, install salt-minion: yum install -y salt-minion
Edit /etc/salt/minion, set the master IP, and start the service: systemctl start salt-minion

  • This must point to the salt-master server. It can be an IP, a domain name or a host name; with a host name you also need an entry in /etc/hosts, and if an internal DNS server is in use, the host name or domain name form can be used.

5. Now, on the master (server1), list all minion keys with salt-key -L and accept them with salt-key -A

salt-key -L              ## list all minion keys
salt-key -a <key-name>   ## accept one minion key
salt-key -d <key-name>   ## delete one minion key
salt-key -A              ## accept all minion keys
salt-key -D              ## delete all minion keys

The first time, the client's key appears under Unaccepted Keys:. After it is accepted, listing again shows it under Accepted Keys:, which means it has passed verification and communication can be established.

6. Now ports 4505 and 4506 show connections from server2 and server3.

To inspect the processes, install python-setproctitle, then look at the Python processes on those ports and what each one does.

2.2 SaltStack key authentication process

  • The md5sum command generates and verifies a file's MD5 value. md5sum checks the file content bit by bit and is independent of the file name, so files with identical content have identical MD5 values. During network transfer, moving data between devices, or copying large files, the data may differ before and after the transfer, so verifying file integrity is important.

After the minion is installed for the first time and the service is started:

  • The minion automatically generates a public key and private key under /etc/salt/pki/minion and an ID value under /etc/salt/, then sends the public key, named after that ID value, to the master, and keeps sending it until it is accepted;
  • After the master authenticates it with salt-key -a, the public key sent by the minion, named after the ID value, is stored in the /etc/salt/pki/master/minions directory; at this point authentication is complete;
  • After authentication completes, the master sends its own public key to the minion, which stores it as /etc/salt/pki/minion/minion_master.pub

1. The key pair generated on the minion side is stored under /etc/salt/pki/minion/ (minion.pem and minion.pub)

2. Minion public keys accepted by the master are stored in: /etc/salt/pki/master/minions/
This shows that the minion first generates its key pair when the service is started and sends the public key to the master; once the master has authenticated it, the public key sent by the minion is stored in the /etc/salt/pki/master/minions directory.

3. The master's own public key is in /etc/salt/pki/master/

4. The master's public key is stored on the minion side in /etc/salt/pki/minion/

This shows that after authentication completes, the master sends its public key to the minion, which stores it as /etc/salt/pki/minion/minion_master.pub

5. minion_id is stored by default on the minion in /etc/salt/
If the minion's key pair no longer matches what the master holds, the master shows the key in its Denied Keys list and the minion cannot be authenticated. In that case, first delete the id on the master, then delete the key files on the minion (minion_master.pub, minion.pem, minion.pub), and finally restart the service.
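As an added example (not from the original post and not SaltStack's own code), here is a small Python model of the acceptance logic described in 2.2: a new id lands under Unaccepted Keys, salt-key -a moves it into minions/, a different key arriving for an already accepted id is denied (the mismatch case just described), and salt-key -d clears the id so a fresh key pair can enrol. The PEM blobs are constructed stand-ins; the minions_pre and minions_denied directory names follow Salt's master pki layout as I know it, and the fingerprint helper mirrors the md5sum comparison above but defaults to sha256 because MD5 offers no collision resistance.

```python
import hashlib

# Constructed stand-in PEM blobs (not real RSA keys) for two minion key pairs.
MINION_PUB_A = "-----BEGIN PUBLIC KEY-----\nQUFBQUFBQUFBQUFB\n-----END PUBLIC KEY-----\n"
MINION_PUB_B = "-----BEGIN PUBLIC KEY-----\nQkJCQkJCQkJCQkJC\n-----END PUBLIC KEY-----\n"


def fingerprint(pem, algo="sha256"):
    """Digest of the PEM body (header/footer stripped) as colon-separated hex pairs.
    Compare it on the minion (minion.pub) and on the master (minions/<id>) before
    accepting a key; algo="md5" reproduces the md5sum check used in the text."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    hexd = hashlib.new(algo, body.encode()).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def new_pki():
    """In-memory stand-in for the key directories under /etc/salt/pki/master."""
    return {"minions_pre": {}, "minions": {}, "minions_denied": {}}


def receive_key(pki, minion_id, pem):
    """What the master does with an incoming (id, public key) pair; returns the
    salt-key -L section the key ends up in."""
    accepted = pki["minions"].get(minion_id)
    if accepted is not None:
        if accepted == pem:
            return "Accepted Keys"        # known id, same key: authenticated
        pki["minions_denied"][minion_id] = pem
        return "Denied Keys"              # known id, different key: mismatch case
    pki["minions_pre"][minion_id] = pem
    return "Unaccepted Keys"              # new id: waits for salt-key -a


def accept_key(pki, minion_id):
    """salt-key -a <id>: move the pending key into minions/."""
    pki["minions"][minion_id] = pki["minions_pre"].pop(minion_id)


def delete_key(pki, minion_id):
    """salt-key -d <id>: forget the id everywhere so a fresh key pair can enrol."""
    for directory in pki.values():
        directory.pop(minion_id, None)
```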



Source: blog.csdn.net/ranrancc_/article/details/103282841