rpm_快速安装saltstake

安装EPEL源:(mast和minion都需要安装)
[root@c02 src]# wget http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@c02 src]# rpm -ihv epel-release-6-8.noarch.rpm
安装rpmforge
在redhat6和centos 6的epel源上没有python-jinja2

salt-master:10.100.0.74
salt-minion:10.100.0.61

[root@salt-master ~]# yum install slat-master
[root@salt-master ~]# chkconfig salt-master on
[root@salt-master ~]# chkconfig --list|grep salt-master
salt-master    	0:off	1:off	2:on	3:on	4:on	5:on	6:off

salt-minion端
[root@salt-minion ~]# yum install salt-minion -y
[root@salt-minion ~]# chkconfig salt-minion on
[root@salt-minion ~]# chkconfig --list |grep salt-minion
salt-minion    	0:off	1:off	2:on	3:on	4:on	5:on	6:off

查看salt-master的相关文件:
[root@salt-master ~]# rpm -ql salt-master
/etc/rc.d/init.d/salt-master
/etc/salt/master
/usr/bin/salt
/usr/bin/salt-cp
/usr/bin/salt-key
/usr/bin/salt-master
/usr/bin/salt-run
/usr/bin/salt-unity
/usr/share/man/man1/salt-cp.1.gz
/usr/share/man/man1/salt-key.1.gz
/usr/share/man/man1/salt-master.1.gz
/usr/share/man/man1/salt-run.1.gz
/usr/share/man/man1/salt-unity.1.gz
/usr/share/man/man7/salt.7.gz
配份原始配置文件:
[root@salt-master ~]# cp /etc/salt/master /etc/salt/master.bak
去掉下面几行的#
[root@salt-master ~]# egrep -v "^#|^$" /etc/salt/master
 file_roots:
   base:
     - /srv/salt/
 pillar_roots: #注意前面有个空格,不然会报错!
  base:
    - /srv/pillar
[root@salt-master ~]# /etc/init.d/salt-master start
Starting salt-master daemon:                               [  OK  ]

查看salt-minion的相关文件:
[root@salt-minion ~]# rpm -ql salt-minion
/etc/rc.d/init.d/salt-minion
/etc/salt/minion
/usr/bin/salt-call
/usr/bin/salt-minion
/usr/share/man/man1/salt-call.1.gz
/usr/share/man/man1/salt-minion.1.gz

配份原始文件:
[root@salt-minion ~]# cp /etc/salt/minion /etc/salt/minion.bk
在/etc/salt/minion的16行去掉#改为master的IP或主机名
[root@salt-minion ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.100.0.74 salt-master
[root@salt-minion ~]# egrep -v "^#|^$" /etc/salt/minion
master: salt-master
[root@salt-minion ~]# /etc/init.d/salt-minion start
Starting salt-minion daemon:                               [  OK  ]

master端:
显示所有minion认证信息:
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion
Rejected Keys:
接受salt-minion认证信息
[root@salt-master ~]# salt-key -a salt-minion
The following keys are going to be accepted:
Unaccepted Keys:
salt-minion
Proceed? [n/Y] y
Key for minion salt-minion accepted.
[root@salt-master ~]# salt-key -L
Accepted Keys:
salt-minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:
#salt-key -A   #接受所有Unaccepted状态的minion认证信息

拒绝认证某客户端服务器:
[root@salt-master ~]# salt-key -d salt-minion
The following keys are going to be deleted:
Accepted Keys:
salt-minion
Proceed? [N/y] y
Key for minion salt-minion deleted.
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:
拒绝所有:
[root@salt-master ~]# salt-key -D
删除某个minion认证后,后新加入进来:
1:minion端,停掉salt-minion:/etc/init.d/salt-minion stop
2:同在minion端删除/etc/salt/pki目录,重新启动salt-minion
[root@salt-minion ~]# tree /etc/salt/
/etc/salt/
├── minion
├── minion.bk
├── minion.d
│   └── _schedule.conf
├── minion_id
└── pki
    └── minion
        ├── minion_master.pub
        ├── minion.pem
        └── minion.pub

3 directories, 7 files
[root@salt-minion ~]# /etc/init.d/salt-minion stop
Stopping salt-minion daemon:                               [  OK  ]
[root@salt-minion ~]# rm -rf /etc/salt/pki/
[root@salt-minion ~]# /etc/init.d/salt-minion start
Starting salt-minion daemon:                               [  OK  ]
查看所有minion认证信息:
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion
Rejected Keys:
#可以看到salt-minion又处于Unaccepted Keys中
[root@salt-master ~]# salt-key -a salt-minion -y
The following keys are going to be accepted:
Unaccepted Keys:
salt-minion
Key for minion salt-minion accepted.
[root@salt-master ~]# salt-key -L
Accepted Keys:
salt-minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:

文件分发:
[root@salt-master salt]# salt-cp '*' /etc/hosts /
{'salt-minion': {'/hosts': True}}
#上面这种方法不见义使用

检测通讯是否正常,也可以指定其中一个:
[root@salt-master minions]# salt '*' test.ping
salt-minion:
    True
DB:
    True
[root@salt-master minions]# salt 'DB' test.ping
DB:
    True
远程执行命令:
[root@salt-master ~]# salt "DB" cmd.run 'df -h'
DB:
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/mapper/VolGroup-lv_root
                          8.3G  7.7G  254M  97% /
    tmpfs                 939M   12K  939M   1% /dev/shm
    /dev/vda1             477M   38M  414M   9% /boot
    /dev/vdb1              50G  6.6G   41G  15% /data
[root@salt-master ~]# salt "*" cmd.run 'df -h'
DB:
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/mapper/VolGroup-lv_root
                          8.3G  7.7G  254M  97% /
    tmpfs                 939M   12K  939M   1% /dev/shm
    /dev/vda1             477M   38M  414M   9% /boot
    /dev/vdb1              50G  6.6G   41G  15% /data
salt-minion:
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/mapper/vg_c01-lv_root
                          8.3G  4.2G  3.8G  53% /
    tmpfs                 498M   12K  498M   1% /dev/shm
    /dev/vda1             477M   33M  419M   8% /boot
注意这里的*必须是在master上已经被接受的客户端
Master与Minion认证

1.minion 在第一次启动时，会在/etc/salt/pki/minion/（该路径在/etc/salt/minion里面设置）下自动生成 minion.pem(private key)和minion.pub(public key)，然后将minion.pub发送给master。

2.master 在接收到minion的public key后，通过salt-key命令accept minion public key，这样在master的/etc/salt/pki/master/minions下的将会存放以minion id命名的public key, 然后master就能对minion发送指令了。

Master与Minion的连接(也就是端口并防火墙的设置)
saltstack master默认监听4505和4506两个端口.其中4505(publish_port)为salt客户端与
服务端通信的端口.如果使用lsof查看4505端口持续保持在ESTABLISHED
[root@salt-master ~]# lsof -i:4505
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 3106 root   12u  IPv4  26824      0t0  TCP *:4505 (LISTEN)
salt-mast 3106 root   14u  IPv4  29676      0t0  TCP salt-master:4505->salt-minion:40948 (ESTABLISHED)
salt-mast 3106 root   15u  IPv4  75603      0t0  TCP salt-master:4505->DB:46810 (ESTABLISHED)

Denied Keys:
[root@salt-master ~]# salt \* test.ping
salt-minion:
    True
DB:
    True
DB:
    True
[root@salt-master ~]# salt-key -L
Accepted Keys:
DB
salt-minion
Denied Keys:
DB
Unaccepted Keys:
#Rejected Keys: 删除/etc/salt/pki/master/minions_denied/DB就可以了如下:

[root@salt-master master]# pwd
/etc/salt/pki/master
[root@salt-master master]# tree
.
├── master.pem
├── master.pub
├── minions
│   ├── DB
│   └── salt-minion
├── minions_autosign
├── minions_denied
│   └── DB
├── minions_pre
└── minions_rejected

5 directories, 5 files
[root@salt-master master]# rm minions_denied/DB
rm: remove regular file `minions_denied/DB'? y
[root@salt-master master]# tree
.
├── master.pem
├── master.pub
├── minions
│   ├── DB
│   └── salt-minion
├── minions_autosign
├── minions_denied
├── minions_pre
└── minions_rejected

5 directories, 4 files
[root@salt-master master]# salt
salt         salt-cp      salt-key     salt-master  salt-run     salt-unity
[root@salt-master master]# salt-key -L
Accepted Keys:
DB
salt-minion
Denied Keys:
Unaccepted Keys:
Rejected Keys:

 Saltstack 防火墙配置

  (1) 在主控端添加TCP 4505,TCP 4506 的规则，而在被控端无须配置防火墙，原理是被控端直接与主控端的zeromp建立链接。 接收

广播道任务信息并执行，具体操作是添加两条iptables规则：

-A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT

-A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

spacer.gif部署要求：两台机器网络互通，最好关闭防火墙。关闭selinux.

注意:一般这些端口都是监听在内网的端口,所以对于防火墙的公网的端口不需要打开