Author: yujin2010good · 2019-07-19 10:08
Systems engineer · large retail group

SaltStack installation and basic commands


Installation

1. Preparation

Edit the hosts file

vim /etc/hosts

192.168.3.201 salt.wolf.com

192.168.3.49 slave01.wolf.com slave01

192.168.3.52 slave02.wolf.com slave02

Change the hostname

2. Install

Server side

yum install -y epel-release

yum install -y salt-master salt-minion

Client side

yum install -y epel-release

yum install -y salt-minion

3. Edit the configuration file

Changes on the client

vim /etc/salt/minion   // add the following at line 16; note the single space after the colon

master: <server IP>

4. Start

Start the services

/etc/init.d/salt-master start

/etc/init.d/salt-minion start

[root@node1 ~]# /etc/init.d/salt-master start

Starting salt-master daemon: [ OK ]

[root@node1 ~]# /etc/init.d/salt-minion start

Starting salt-minion daemon: [ OK ]

a) SaltStack is developed in Python; the server side listens on two ports, 4505 and 4506.

b) Once started, the SaltStack master listens on ports 4505 and 4506 by default. 4505 (publish_port) is SaltStack's message publishing system; 4506 (ret_port) is the port over which minions return results to and communicate with the master.

c) If you inspect port 4505 with lsof, you will see that every minion keeps a connection to port 4505 in the ESTABLISHED state.

[root@salt master]# lsof -i :4505

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

salt-mast 8580 root 12u IPv4 42596 0t0 TCP *:4505 (LISTEN)

salt-mast 8580 root 14u IPv4 44141 0t0 TCP salt.wolf.com:4505->slave01.wolf.com:57918 (ESTABLISHED)

salt-mast 8580 root 15u IPv4 44253 0t0 TCP salt.wolf.com:4505->salt.wolf.com:56966 (ESTABLISHED)

salt-mast 8580 root 16u IPv4 44331 0t0 TCP salt.wolf.com:4505->slave02.wolf.com:50854 (ESTABLISHED)

salt-mini 9006 root 24u IPv4 44252 0t0 TCP salt.wolf.com:56966->salt.wolf.com:4505 (ESTABLISHED)

[root@master ~]# rpm -ql salt-master
/etc/rc.d/init.d/salt-master        # salt-master service start script
/etc/salt/master                    # salt master configuration file
/usr/bin/salt                       # core salt master command
/usr/bin/salt-cp                    # salt file transfer command
/usr/bin/salt-key                   # salt key management command
/usr/bin/salt-master                # salt master service command
/usr/bin/salt-run                   # salt master runner command
/usr/bin/salt-unity
/usr/share/man/man1/salt-cp.1.gz
/usr/share/man/man1/salt-key.1.gz
/usr/share/man/man1/salt-master.1.gz
/usr/share/man/man1/salt-run.1.gz
/usr/share/man/man1/salt-unity.1.gz
/usr/share/man/man7/salt.7.gz

[root@salt salt]# tree
.
├── master
├── minion
├── minion.d
│   └── _schedule.conf
├── minion_id
└── pki
    ├── master
    │   ├── master.pem
    │   ├── master.pub
    │   ├── minions
    │   │   ├── salt.wolf.com
    │   │   ├── slave01.wolf.com
    │   │   └── slave02.wolf.com
    │   ├── minions_autosign
    │   ├── minions_denied
    │   ├── minions_pre
    │   └── minions_rejected
    └── minion
        ├── minion_master.pub
        ├── minion.pem
        └── minion.pub

9 directories, 12 files

5. Log configuration

Changes on the master take effect directly.

Default log directory: /var/log/salt/

[root@salt ~]# cd /var/log/salt/

[root@salt salt]# ls

master minion

[root@salt salt]# cat master

[root@salt salt]# cat minion

The relevant part of the default master configuration file looks like this:

# The location of the master log file
# The master log can be sent to a regular file, local path name, or network
# location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
# file:///dev/log), with rsyslogd(8) configured for network logging. The URI
# format is: ://:/
#log_file: /var/log/salt/master
#log_file: file:///dev/log
#log_file: udp://loghost:10514
log_file: /var/log/salt/master
key_logfile: /var/log/salt/key

# The level of messages to send to the console.
# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
#
# The following log levels are considered INSECURE and may log sensitive data:
# ['garbage', 'trace', 'debug']
#
log_level: debug      # changed to debug mode

Restart and watch the startup process

/etc/init.d/salt-master restart

[root@salt ~]# tail -f /var/log/salt/master
2017-06-12 06:19:42,826 salt.utils.verify [27356] Insecure logging configuration detected! Sensitive data may be logged.
2017-06-12 06:19:42,826 salt.cli.daemons [27356] Setting up the Salt Master
2017-06-12 06:19:43,376 salt.crypt [27356] Loaded master key: /etc/salt/pki/master/master.pem
2017-06-12 06:19:43,383 salt.daemons.masterapi [27356] Preparing the root key for local communication
2017-06-12 06:19:43,384 salt.daemons.masterapi [27356] Removing stale keyfile: /var/cache/salt/master/.root_key
2017-06-12 06:19:43,397 salt.utils.process [27364] Created pidfile: /var/run/salt-master.pid
2017-06-12 06:19:43,398 salt.cli.daemons [27364] The salt master is starting up
2017-06-12 06:19:43,407 salt.utils.lazy [27364] LazyLoaded roots.envs
2017-06-12 06:19:43,424 salt.utils.lazy [27364] Could not LazyLoad roots.init
2017-06-12 06:19:43,429 salt.master [27364] salt-master is starting as user 'root'
2017-06-12 06:19:43,429 salt.master [27364] Current values for max open files soft/hard setting: 1024/4096
2017-06-12 06:19:43,429 salt.master [27364] The value for the 'max_open_files' setting, 100000, is higher than what the user running salt is allowed to raise to, 4096. Defaulting to 4096.
2017-06-12 06:19:43,429 salt.master [27364] Raising max open files value to 4096
2017-06-12 06:19:43,429 salt.master [27364] New values for max open files soft/hard
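The warning on the first log line is exactly what the config comment above describes. The script below is an added example (not from the original post) that reads a master config in the plain "key: value" form shown above and flags the console and log-file levels Salt itself marks as INSECURE; it assumes, as the debug lines in the author's log file suggest, that an unset log_level_logfile follows log_level.

```shell
#!/bin/sh
# Added example: report whether a Salt master config enables one of the
# log levels Salt flags as INSECURE ('garbage', 'trace', 'debug').

# Print the effective value of a top-level key, or the default if unset.
# Commented-out lines such as "#log_level: warning" are ignored.
salt_conf_value() {
    _key=$1; _file=$2; _default=$3
    _val=$(sed -n "s/^${_key}:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$_file" | tail -n 1)
    printf '%s\n' "${_val:-$_default}"
}

# Return 0 when neither log_level nor log_level_logfile is insecure,
# 1 otherwise, printing one line per setting.
check_salt_logging() {
    _file=$1; _rc=0
    _console=$(salt_conf_value log_level "$_file" warning)
    # Assumption: an unset log_level_logfile falls back to the console level.
    _logfile=$(salt_conf_value log_level_logfile "$_file" "$_console")
    for _pair in "log_level=$_console" "log_level_logfile=$_logfile"; do
        case ${_pair#*=} in
            garbage|trace|debug) printf 'INSECURE %s\n' "$_pair"; _rc=1 ;;
            *)                   printf 'ok       %s\n' "$_pair" ;;
        esac
    done
    return $_rc
}

# Constructed sample config mirroring the post: log_level switched to debug.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
#log_level: warning
log_file: /var/log/salt/master
log_level: debug   # changed for troubleshooting
EOF

check_salt_logging "$SAMPLE_CONF" || echo 'insecure logging configured; sensitive data may be logged'
```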

VI. Command walkthrough
1. salt-key

salt-key --help

[root@salt salt]# salt-key --help
Usage: salt-key [options]

Salt key is used to manage Salt authentication keys

Options:
  --version             show program's version number and exit
  --versions-report     show program's dependencies version number and exit
  -h, --help            show this help message and exit
  --saltfile=SALTFILE   Specify the path to a Saltfile. If not passed, one
                        will be searched for in the current working directory
  -c CONFIG_DIR, --config-dir=CONFIG_DIR
                        Pass in an alternative configuration directory.
                        Default: /etc/salt
  -u USER, --user=USER  Specify user to run salt-key
  --hard-crash          Raise any original exception rather than exiting
                        gracefully Default: False
  -q, --quiet           Suppress output
  -y, --yes             Answer Yes to all questions presented, defaults to
                        False                                   # add -y to skip the prompt
  --rotate-aes-key=ROTATE_AES_KEY
                        Setting this to False prevents the master from
                        refreshing the key session when keys are deleted or
                        rejected, this lowers the security of the key
                        deletion/rejection operation. Default is True.

  Logging Options:
    Logging options which override any settings defined on the
    configuration files.

    --log-file=LOG_FILE
                        Log file path. Default: /var/log/salt/key.
    --log-file-level=LOG_LEVEL_LOGFILE
                        Logfile logging log level. One of 'all', 'garbage',
                        'trace', 'debug', 'info', 'warning', 'error',
                        'critical', 'quiet'. Default: 'warning'.

  Output Options:
    Configure your preferred output format

    --out=OUTPUT, --output=OUTPUT
                        Print the output from the 'salt-key' command using the
                        specified outputter. The builtins are 'key', 'yaml',
                        'overstatestage', 'newline_values_only', 'txt', 'raw',
                        'no_return', 'virt_query', 'compact', 'json',
                        'highstate', 'nested', 'quiet', 'pprint'.
    --out-indent=OUTPUT_INDENT, --output-indent=OUTPUT_INDENT
                        Print the output indented by the provided value in
                        spaces. Negative values disables indentation. Only
                        applicable in outputters that support indentation.
    --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Write the output to the specified file
    --out-file-append, --output-file-append
                        Append the output to the specified file
    --no-color, --no-colour
                        Disable all colored output
    --force-color, --force-colour
                        Force colored output
    --state-output=STATE_OUTPUT, --state_output=STATE_OUTPUT
                        Override the configured state_output value for minion
                        output. One of full, terse, mixed, changes or filter.
                        Default: full.

  Actions:
    -l ARG, --list=ARG  List the public keys. The args "pre", "un", and
                        "unaccepted" will list unaccepted/unsigned keys. "acc"
                        or "accepted" will list accepted/signed keys. "rej" or
                        "rejected" will list rejected keys. "den" or "denied"
                        will list denied keys. Finally, "all" will list all
                        keys.
    -L, --list-all      List all public keys. (Deprecated: use "--list all")   # list all key requests
    -a ACCEPT, --accept=ACCEPT                                                  # accept one client
                        Accept the specified public key (use --include-all to
                        match rejected keys in addition to pending keys).
                        Globs are supported.
    -A, --accept-all    Accept all pending keys                                # accept all clients
    -r REJECT, --reject=REJECT                                                  # reject one client
                        Reject the specified public key (use --include-all to
                        match accepted keys in addition to pending keys).
                        Globs are supported.
    -R, --reject-all    Reject all pending keys                                # reject all
    --include-all       Include non-pending keys when accepting/rejecting
    -p PRINT, --print=PRINT
                        Print the specified public key
    -P, --print-all     Print all public keys
    -d DELETE, --delete=DELETE                                                  # delete one key
                        Delete the specified key. Globs are supported.
    -D, --delete-all    Delete all keys                                         # delete all keys
    -f FINGER, --finger=FINGER
                        Print the specified key's fingerprint
    -F, --finger-all    Print all keys' fingerprints

  Key Generation Options:
    --gen-keys=GEN_KEYS
                        Set a name to generate a keypair for use with salt
    --gen-keys-dir=GEN_KEYS_DIR
                        Set the directory to save the generated keypair, only
                        works with "gen_keys_dir" option; default=.
    --keysize=KEYSIZE   Set the keysize for the generated key, only works with
                        the "--gen-keys" option, the key size must be 2048 or
                        higher, otherwise it will be rounded up to 2048; ;
                        default=2048
    --gen-signature     Create a signature file of the masters public-key
                        named master_pubkey_signature. The signature can be
                        send to a minion in the masters auth-reply and enables
                        the minion to verify the masters public-key
                        cryptographically. This requires a new signing-key-
                        pair which can be auto-created with the --auto-create
                        parameter
    --priv=PRIV         The private-key file to create a signature with
    --signature-path=SIGNATURE_PATH
                        The path where the signature file should be written
    --pub=PUB           The public-key file to create a signature for
    --auto-create       Auto-create a signing key-pair if it does not yet
                        exist

You can find additional help about salt-key issuing "man salt-key" or on
http://docs.saltstack.org

[root@salt ~]# salt-key -a nginx

The following keys are going to be accepted:

Unaccepted Keys:

nginx

Proceed? [n/Y] y

Key for minion nginx accepted.

[root@salt ~]# salt-key -A nginx -y

The following keys are going to be accepted:

Unaccepted Keys:

node1

slave02.wolf.com

Key for minion node1 accepted.

Key for minion slave02.wolf.com accepted.

2. Batch ping

[root@salt ~]# salt '*' test.ping

nginx:

True

node1:

True

slave02.wolf.com:

True

3. Joined hosts

[root@salt ~]# salt-key

Accepted Keys:

nginx

node1

slave02.wolf.com

Denied Keys:

Unaccepted Keys:

Rejected Keys:

[root@salt ~]#

[root@salt ~]# salt-key -L

Accepted Keys:

nginx

node1

slave02.wolf.com

Denied Keys:

Unaccepted Keys:

Rejected Keys:

4. Hands-on: changing a hostname

When a machine is handed over from another project, its hostname must be changed before it is brought under Salt management.

a. First change the hostname

b. Then empty the minion_id file

[root@slave01 salt]# ls

minion minion.d minion_id pki

[root@slave01 salt]# cat minion_id

nginx[root@slave01 salt]# >minion_id

[root@slave01 salt]# /etc/init.d/salt-minion restart

Stopping salt-minion daemon: [ OK ]

Starting salt-minion daemon: [ OK ]

[root@slave01 salt]#

c. Then check on the server side

[root@salt ~]# salt-key -L

Accepted Keys:

nginx

node1

slave02.wolf.com

Denied Keys:

Unaccepted Keys:

slave01.wolf.com

Rejected Keys:

[root@salt ~]#

First delete the old key on the server, then operate on the client

[root@salt salt]# salt-key

Accepted Keys:

nginx

node1

slave02.wolf.com

Denied Keys:

Unaccepted Keys:

slave01.wolf.com

Rejected Keys:

[root@salt salt]# salt-key -d node1

The following keys are going to be deleted:

Accepted Keys:

node1

Proceed? [N/y] y

Key for minion node1 deleted.

[root@salt salt]# salt-key -d nginx

The following keys are going to be deleted:

Accepted Keys:

nginx

Proceed? [N/y] y

Key for minion nginx deleted.

Restart again; the key list now looks normal

[root@salt salt]# /etc/init.d/salt-master restart

[root@salt salt]# /etc/init.d/salt-minion restart

[root@salt salt]# salt-key

Accepted Keys:

slave02.wolf.com

Denied Keys:

Unaccepted Keys:

salt.wolf.com

slave01.wolf.com

Rejected Keys:

Re-add the hosts

[root@salt salt]# salt-key

Accepted Keys:

slave02.wolf.com

Denied Keys:

Unaccepted Keys:

salt.wolf.com

slave01.wolf.com

Rejected Keys:

[root@salt salt]# salt-key -A nginx -y

The following keys are going to be accepted:

Unaccepted Keys:

salt.wolf.com

slave01.wolf.com

Key for minion node1 accepted.

Key for minion salt.wolf.com accepted.

Key for minion slave01.wolf.com accepted.

[root@salt salt]# salt-key

Accepted Keys:

salt.wolf.com

slave01.wolf.com

slave02.wolf.com

Denied Keys:

Unaccepted Keys:

Rejected Keys:

[root@salt salt]# salt '*' test.ping

slave01.wolf.com:

True

salt.wolf.com:

True

slave02.wolf.com:

True

5. Complete removal

[root@salt salt]# salt-key

Accepted Keys:

salt.wolf.com

slave01.wolf.com

slave02.wolf.com

Denied Keys:

Unaccepted Keys:

Rejected Keys:

[root@salt salt]# pwd

/etc/salt

[root@salt salt]# ls

master minion minion.d minion_id pki

[root@salt salt]# rm -rf minion_id pki/

[root@salt salt]# /etc/init.d/sa

salt-master salt-minion sandbox saslauthd

[root@salt salt]# /etc/init.d/sa

salt-master salt-minion sandbox saslauthd

[root@salt salt]# /etc/init.d/salt-minion restart

Stopping salt-minion daemon: [ OK ]

Starting salt-minion daemon: [ OK ]

[root@salt salt]# salt-key

Accepted Keys:

Denied Keys:

Unaccepted Keys:

Rejected Keys:

[root@salt salt]# /etc/init.d/salt-master restart

[root@salt salt]# /etc/init.d/salt-minion restart

Stopping salt-minion daemon: [FAILED]

Starting salt-minion daemon: [ OK ]

[root@salt salt]# salt-key

Accepted Keys:

Denied Keys:

Unaccepted Keys:

salt.wolf.com

slave01.wolf.com

slave02.wolf.com

Rejected Keys:

[root@salt salt]# salt-key -A salt.wolf.com -y

The following keys are going to be accepted:

Unaccepted Keys:

salt.wolf.com

slave01.wolf.com

slave02.wolf.com

Key for minion salt.wolf.com accepted.

Key for minion slave01.wolf.com accepted.

Key for minion slave02.wolf.com accepted.

6. Summary: re-adding an old host

a. On the client, clear

/etc/salt/minion_id

b. Delete this directory

/etc/salt/pki

Restart the client

On the master, remove the host

salt-key -d <hostname> -y

c. Cache issue

The cache lives under /etc/salt/pki/, which contains several directories

[root@salt master]# ls

master.pem master.pub minions minions_autosign minions_denied minions_pre minions_rejected

[root@salt salt]# cd pki

[root@salt pki]# ls

master minion

[root@salt pki]# cd master/

[root@salt master]# ls

master.pem master.pub minions minions_autosign minions_denied minions_pre minions_rejected

[root@salt master]# tree
.
├── master.pem
├── master.pub
├── minions              # accepted keys
│   ├── salt.wolf.com
│   ├── slave01.wolf.com
│   └── slave02.wolf.com
├── minions_autosign
├── minions_denied       # keys of denied hosts
├── minions_pre          # keys not yet accepted
└── minions_rejected

5 directories, 5 files

Accepted keys

[root@salt master]# cd minions

[root@salt minions]# ls

salt.wolf.com slave01.wolf.com slave02.wolf.com

To identify what each directory does, experiment manually: copy a key into each directory in turn and see how salt-key reports it

[root@salt master]# ls

master.pem master.pub minions minions_autosign minions_denied minions_pre minions_rejected

[root@salt master]# ll minions

total 12

-rw-r--r-- 1 root root 451 Jun 12 07:52 salt.wolf.com

-rw-r--r-- 1 root root 451 Jun 12 07:52 slave01.wolf.com

-rw-r--r-- 1 root root 451 Jun 12 07:52 slave02.wolf.com

[root@salt master]# cp minions/salt.wolf.com minions_autosign/

[root@salt master]# salt-key

Accepted Keys:

salt.wolf.com

slave01.wolf.com

slave02.wolf.com

Denied Keys:

Unaccepted Keys:

Rejected Keys:

[root@salt master]# cp minions/salt.wolf.com minions_denied/

[root@salt master]# salt-ke

-bash: salt-ke: command not found

[root@salt master]# salt-key

Accepted Keys:

salt.wolf.com

slave01.wolf.com

slave02.wolf.com

Denied Keys:

salt.wolf.com

Unaccepted Keys:

Rejected Keys:

[root@salt master]# cp minions/salt.wolf.com minions_pre

[root@salt master]# salt-key

Accepted Keys:

salt.wolf.com

slave01.wolf.com

slave02.wolf.com

Denied Keys:

salt.wolf.com

Unaccepted Keys:

salt.wolf.com

Rejected Keys:

[root@salt master]# cp minions/salt.wolf.com minions_rejected/

[root@salt master]# salt-key

Accepted Keys:

salt.wolf.com

slave01.wolf.com

slave02.wolf.com

Denied Keys:

salt.wolf.com

Unaccepted Keys:

salt.wolf.com

Rejected Keys:

salt.wolf.com
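The experiment above shows that salt-key simply reports whatever files sit in each state directory, so one id can appear under several states at once. The script below is an added example (not from the original post) that audits a pki/master directory for such overlaps and for the re-added-host case from section 4, where an accepted key and a pending key exist for the same id but differ; it runs against a constructed directory tree with placeholder key contents rather than real keys.

```shell
#!/bin/sh
# Added example: for every minion id under a master's pki directory, list the
# state directories it appears in and flag inconsistent states.

STATE_DIRS="minions minions_pre minions_denied minions_rejected minions_autosign"

# Print one line per minion id: "<id> <comma-separated states> <verdict>".
audit_salt_keys() {
    _pki=$1
    for _d in $STATE_DIRS; do ls "$_pki/$_d" 2>/dev/null; done | sort -u |
    while read -r _id; do
        _states=""
        for _d in $STATE_DIRS; do
            [ -f "$_pki/$_d/$_id" ] && _states="${_states:+$_states,}$_d"
        done
        _verdict=clean
        case $_states in *,*) _verdict=MULTIPLE_STATES ;; esac
        # An id that is accepted and also pending with a different public key
        # is what a re-installed minion produces: the stale accepted key has
        # to be removed with salt-key -d before the new one can be accepted.
        if [ -f "$_pki/minions/$_id" ] && [ -f "$_pki/minions_pre/$_id" ] &&
           ! cmp -s "$_pki/minions/$_id" "$_pki/minions_pre/$_id"; then
            _verdict=KEY_CHANGED
        fi
        printf '%s %s %s\n' "$_id" "$_states" "$_verdict"
    done
}

# Constructed sample tree standing in for /etc/salt/pki/master (not real keys).
DEMO_PKI=$(mktemp -d)
for _d in $STATE_DIRS; do mkdir -p "$DEMO_PKI/$_d"; done
echo 'PUBKEY-A' > "$DEMO_PKI/minions/slave02.wolf.com"       # healthy: accepted only
echo 'PUBKEY-B' > "$DEMO_PKI/minions/salt.wolf.com"
echo 'PUBKEY-B' > "$DEMO_PKI/minions_denied/salt.wolf.com"   # same key copied into two dirs
echo 'PUBKEY-C' > "$DEMO_PKI/minions/slave01.wolf.com"
echo 'PUBKEY-D' > "$DEMO_PKI/minions_pre/slave01.wolf.com"   # re-installed minion, new keypair

audit_salt_keys "$DEMO_PKI"
```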
