Using salt-ssh, the master can manage hosts that have no salt-minion installed.
Current environment: server3 is the salt-master; on server4 salt-minion is either not installed or the salt-minion service is not running.
(All host IPs in this article are in the 172.25.17 network and hostnames correspond to IPs, e.g. 172.25.17.3 is server3. All salt and python packages must be downloaded and configured into a yum repository yourself.)
salt-ssh setup:
1. Install salt-ssh on server3:
[root@server3 _modules]# yum install salt-ssh -y
Edit the configuration file:
[root@server3 _modules]# cd /etc/
[root@server3 etc]# vim salt/roster
Define the target host (the roster is YAML, so the options are indented under the target name):
# Sample salt-ssh config file
#web1:
#  host: 192.168.42.1 # The IP addr or DNS hostname
#  user: fred # Remote executions will be executed as user fred
#  passwd: foobarbaz # The password to use for login, if omitted, keys are used
#  sudo: True # Whether to sudo to root, not enabled by default
#web2:
#  host: 192.168.42.2

server4:
  host: 172.25.17.4
  user: root
  passwd: westos
2. Test the connection:
[root@server3 etc]# salt-ssh server4 test.ping
server4:
    ----------
    retcode:
        254
    stderr:
    stdout:
        The host key needs to be accepted, to auto accept run salt-ssh with the -i flag:
        The authenticity of host '172.25.17.4 (172.25.17.4)' can't be established.
        RSA key fingerprint is 6e:f8:7e:5b:80:43:1e:b1:0b:07:67:83:03:44:79:c4.
        Are you sure you want to continue connecting (yes/no)?
[root@server3 etc]# salt-ssh server4 test.ping -i
server4:
    True
Run the command df -h on server4 from the master:
[root@server3 etc]# salt-ssh server4 cmd.run 'df -h'
server4:
    Filesystem                    Size  Used Avail Use% Mounted on
    /dev/mapper/VolGroup-lv_root   19G  1.1G   17G   7% /
    tmpfs                         499M   16K  499M   1% /dev/shm
    /dev/vda1                     485M   33M  427M   8% /boot
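The roster above keeps the login password in clear text and logs in directly as root, and the roster file is readable by whoever can read /etc/salt. The following script is an added example (not part of this post and not a Salt tool): it parses a roster written in the two-level form shown here and reports those settings, plus a roster file that is readable by group or others. The web2 entry, its priv: key path and the file-mode check are assumptions for illustration; the server4 entry is copied from the post.

```python
"""Audit a salt-ssh roster for settings that weaken the master's security
posture.  Added example, not part of the original post and not a Salt tool.

The roster in the post is two-level YAML (a target name, then indented
'key: value' lines).  A small parser for exactly that subset is embedded so
the script runs without PyYAML; assumption: no nested lists or multi-line
values, which the post's roster does not use either.
"""
import os
import re
import stat

_COMMENT = re.compile(r"(^|\s)#.*$")   # YAML comment: '#' at line start or after whitespace


def parse_roster(text):
    """Return {target: {option: value}} for the two-level roster subset."""
    roster, current = {}, None
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue                                   # blank or comment-only line
        if not line[0].isspace():
            current = line.rstrip(":").strip()         # 'server4:' opens a target
            roster[current] = {}
        else:
            if current is None:
                raise ValueError("option before any target: %r" % raw)
            key, sep, value = line.strip().partition(":")
            if not sep:
                raise ValueError("expected 'key: value': %r" % raw)
            roster[current][key.strip()] = value.strip()
    return roster


def audit_roster(text, path=None):
    """Findings as (where, message) tuples; if path is given its mode is checked too."""
    findings = []
    for target, opts in parse_roster(text).items():
        if "passwd" in opts:
            findings.append((target, "plaintext password in roster; use an SSH key via 'priv:' instead"))
        if opts.get("user") == "root":
            findings.append((target, "connects as root; prefer an unprivileged user with 'sudo: True'"))
    if path is not None:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, "roster readable by group/other (mode %04o); chmod 600" % mode))
    return findings


# Constructed sample: the post's server4 entry plus a hypothetical key-based entry for contrast.
SAMPLE_ROSTER = """\
# Sample salt-ssh config file
#web1:
#  host: 192.168.42.1   # The IP addr or DNS hostname

server4:
  host: 172.25.17.4
  user: root
  passwd: westos
web2:                     # hypothetical key-based entry
  host: 172.25.17.5
  user: deploy
  priv: /etc/salt/ssh_keys/deploy   # private key used instead of a password
  sudo: True
"""

if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /etc/salt/roster
    text = open(src).read() if src else SAMPLE_ROSTER
    for where, msg in audit_roster(text, path=src):
        print("%s: %s" % (where, msg))
```

Run it with the path to /etc/salt/roster to audit the real file; without an argument it audits the embedded sample, which reports two findings for server4 and none for web2.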
salt-api setup
1. Install salt-api on server3:
[root@server3 etc]# yum install salt-api -y
2. Go to /etc/pki/tls/private/ and generate localhost.key:
[root@server3 etc]# cd /etc/pki/tls/private/
[root@server3 private]# openssl genrsa 1024 > localhost.key
Generating RSA private key, 1024 bit long modulus
..++++++
...............++++++
e is 65537 (0x10001)
Go to /etc/pki/tls/certs and generate the certificate for https:
[root@server3 private]# cd ..
[root@server3 tls]# cd certs/
[root@server3 certs]# make testcert
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server3
Email Address []:root@localhost
[root@server3 certs]# ls
ca-bundle.crt ca-bundle.trust.crt localhost.crt make-dummy-cert Makefile renew-dummy-cert
3. Create the files api.conf and auth.conf under /etc/salt/master.d:
[root@server3 _modules]# cd /etc/salt/master.d/
[root@server3 master.d]# ls
api.conf auth.conf -d -H
api.conf:
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost.key
auth.conf:
external_auth:
  pam:
    saltapi:
      - '.*'
      - '@wheel'
      - '@runner'
      - '@jobs'
Create the user saltapi and set its password to westos:
[root@server3 salt]# useradd saltapi
[root@server3 master.d]# passwd saltapi
Changing password for user saltapi.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
4. Restart the salt-master service (a direct restart may fail, so stop it and start it again) and start the salt-api service:
[root@server3 salt]# /etc/init.d/salt-master stop
Stopping salt-master daemon: [ OK ]
[root@server3 salt]# /etc/init.d/salt-master status
salt-master is stopped
[root@server3 salt]# /etc/init.d/salt-master start
Starting salt-master daemon: [ OK ]
[root@server3 salt]# /etc/init.d/salt-api start
Starting salt-api daemon: [ OK ]
Check port 8000:
[root@server3 master.d]# netstat -antlp |grep :8000
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 13203/salt-api -d
tcp 0 0 127.0.0.1:44602 127.0.0.1:8000 TIME_WAIT -
5. Obtain a token:
[root@server3 master.d]# curl -sSk https://localhost:8000/login -H 'Accept: application/x-yaml' -d username=saltapi -d password=westos -d eauth=pam
return:
- eauth: pam
  expire: 1534627922.797075
  perms:
  - .*
  - '@wheel'
  - '@runner'
  - '@jobs'
  start: 1534584722.7970741
  token: 1a6719e657e628375d29bf9a01c1d978ef390157
  user: saltapi
Reach the minions through the API with the token:
[root@server3 master.d]# curl -sSk https://localhost:8000 -H 'Accept:application/x-yaml' -H 'X-Auth-Token:1a6719e657e628375d29bf9a01c1d978ef390157' -d client=local -d tgt='*' -d fun=test.ping
return:
- server3: true
  server5: true
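The two curl calls above are the whole token flow: POST /login with PAM credentials, keep the returned token until its expire time, then POST / with X-Auth-Token. The script below is an added example of that flow as a small standard-library client; it is not the post's commands and not Salt's own client. Two things differ from the post by assumption: the API is addressed as https://server3:8000 so that the self-signed certificate's CN (server3) matches, and that certificate is pinned as the CA file instead of skipping verification with curl -k. It also flags the broad '.*', '@wheel' and '@runner' permissions that the post's auth.conf grants. The fake_transport and the sample responses are constructed from the output shown in the post so the script runs offline.

```python
"""Minimal salt-api (rest_cherrypy) client: log in with PAM eauth, keep the
token, and run a function on the minions.  Added example, not the original
post's commands and not Salt's own client library; standard library only.

Assumptions (not from the post): the API is reached as https://server3:8000 so
the self-signed certificate's CN (server3) matches, and that certificate is
pinned as the CA file instead of disabling verification with curl -k.
"""
import json
import ssl
import time
import urllib.parse
import urllib.request

API_URL = "https://server3:8000"                     # assumption, see above
CA_FILE = "/etc/pki/tls/certs/localhost.crt"         # certificate created by 'make testcert' in the post


def https_transport(method, url, headers, body):
    """Real transport: send the request to salt-api, verifying the pinned certificate."""
    ctx = ssl.create_default_context(cafile=CA_FILE)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status, resp.read().decode("utf-8")


def _post(path, fields, token=None, transport=https_transport, base_url=API_URL):
    """Form-encode fields (what curl -d does) and return the first 'return' element."""
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    if token is not None:
        headers["X-Auth-Token"] = token
    body = urllib.parse.urlencode(fields).encode("ascii")
    status, text = transport("POST", base_url + path, headers, body)
    if status != 200:
        raise RuntimeError("salt-api %s returned HTTP %d" % (path, status))
    return json.loads(text)["return"][0]


def login(username, password, eauth="pam", **kw):
    """POST /login; returns the token record (token, expire, perms, ...)."""
    return _post("/login", {"username": username, "password": password, "eauth": eauth}, **kw)


def token_valid(record, now=None):
    """A token must be discarded once 'expire' (epoch seconds) has passed."""
    now = time.time() if now is None else now
    return float(record["expire"]) > now


def broad_perms(record):
    """Permissions that let the API user run anything; the post's auth.conf grants all three."""
    return [p for p in record.get("perms", []) if p in (".*", "@wheel", "@runner")]


def run(record, fun, tgt="*", client="local", now=None, **kw):
    """POST / with the token; returns {minion_id: result}.  'now' only overrides the clock for tests."""
    if not token_valid(record, now):
        raise PermissionError("token expired; log in again")
    return _post("/", {"client": client, "tgt": tgt, "fun": fun}, token=record["token"], **kw)


# --- constructed offline transport, modelled on the responses shown in the post ---
SAMPLE_LOGIN = {"return": [{"eauth": "pam", "user": "saltapi",
                            "token": "1a6719e657e628375d29bf9a01c1d978ef390157",
                            "start": 1534584722.7970741, "expire": 1534627922.797075,
                            "perms": [".*", "@wheel", "@runner", "@jobs"]}]}
SAMPLE_PING = {"return": [{"server3": True, "server5": True}]}
SEEN = []   # (method, url, headers, body) of every request made through fake_transport


def fake_transport(method, url, headers, body):
    """Records the request and answers with the constructed sample responses."""
    SEEN.append((method, url, headers, body))
    reply = SAMPLE_LOGIN if url.endswith("/login") else SAMPLE_PING
    return 200, json.dumps(reply)


if __name__ == "__main__":
    # Replace transport=fake_transport with transport=https_transport to talk to a real master.
    rec = login("saltapi", "westos", transport=fake_transport)
    print("token lifetime %.0f s; broad perms: %s" % (rec["expire"] - rec["start"], broad_perms(rec)))
    print(run(rec, "test.ping", transport=fake_transport, now=rec["start"] + 1))
```

The token record answers two operational questions the curl output leaves implicit: the lifetime (expire minus start, twelve hours here) after which a stored token is useless, and the permission list, where '.*' means the saltapi account can run every execution module on every minion, so the PAM password of that account is worth exactly as much as root on the master.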