SaltStack安装及API开启

1. 环境

1.1 操作系统

CentOS7最小化安装

# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"

# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

1.2 节点

本例中共涉及到三台服务器

  1. 10.10.2.231:主机名node1,作为master节点
  2. 10.10.2.232:主机名node2,作为minion节点
  3. 10.10.2.233:主机名node3,作为minion节点

2. 准备YUM源

以下步骤需要在每个节点上执行

# rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub

# curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo

第一步如果报错,执行

# wget https://repo.saltproject.io/py3/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
# rpm --import SALTSTACK-GPG-KEY.pub

3. 安装Salt-Master

master节点执行:

# yum install -y salt-master

4. 安装Salt-Minion

minion节点执行:

# yum install -y salt-minion

修改/etc/salt/minionmaster的值(注意master前面的#记得去掉)

master: 10.10.2.231

5. 启动Salt-Master

master节点执行:

# systemctl start salt-master
# systemctl enable salt-master

6. 启动Salt-Minion

minion节点执行:

# systemctl start salt-minion
# systemctl enable salt-minion

7. 在Salt-Master添加Salt-Minion认证

master节点执行:

关闭防火墙或开放4505、4506端口

关闭防火墙

# systemctl stop firewalld && systemctl disable firewalld

开放45054506端口

# firewall-cmd --zone=public --add-port=4505/tcp --permanent
# firewall-cmd --zone=public --add-port=4506/tcp --permanent
# firewall-cmd --reload

添加Salt-Minion认证

# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
node2
node3
Proceed? [n/Y] Y
Key for minion node2 accepted.
Key for minion node3 accepted.

8. 测试安装结果

master节点执行:

# salt '*' test.ping
node2:
  True
node3:
  True

# salt '*' cmd.run 'ls /root'
node3:
 anaconda-ks.cfg
node2:
 anaconda-ks.cfg

安装成功

9. 开启Salt-Api

master节点执行:

  1. 安装Salt-ApiSalt-Minion(安装Salt-Minion是为了通过salt-call命令制作证书)

    # yum install -y salt-api

  2. 制作自签名证书

    # salt-call --local tls.create_self_signed_cert

    如果报错'tls' __virtual__ returned False: PyOpenSSL version 0.10 or later must be installed before this module can be used.尝试执行yum install -y pyOpenSSL如果错误依然存在则尝试:

    # pip3 install --upgrade pip
    # pip3 install --upgrade setuptools-rust
    # pip3 install --upgrade PyOpenSSL

    如果网络不通或缓慢导致报错,每个命令结尾增加 -i https://opentuna.cn/pypi/web/simple以使用清华源(提醒某位胡姓读者)

  3. 修改Salt-Master配置文件(YML格式,两个空格,提醒某位胡姓读者),开启ReatApi

    # vi /etc/salt/master.d/api.conf
    rest_cherrypy:
      host: 10.10.2.231
      port: 8000
      ssl_crt: /etc/pki/tls/certs/localhost.crt
      ssl_key: /etc/pki/tls/certs/localhost.key

    • hostSalt-Master节点的IP地址
    • port可自定义为自己想要的端口

  4. Salt-Api创建系统用户并设置密码

    # useradd -M -s /sbin/nologin saltapi
    # passwd saltapi
    更改用户 saltapi 的密码 。
    新的 密码:
    重新输入新的 密码:
    passwd:所有的身份验证令牌已经成功更新。

  5. Salt-Api配置认证信息(YML格式,两个空格,提醒某位胡姓读者)

    # vi /etc/salt/master.d/auth.conf

    external_auth:
      pam:
        saltapi:
          - .*
          - '@wheel'
          - '@runner'
          - '@jobs'

  6. 重启Salt-MasterSalt-Api

    # systemctl restart salt-master
    # systemctl restart salt-api
    # systemctl enable salt-api

  7. 关闭防火墙或开放8000端口

    关闭防火墙

    # systemctl stop firewalld && systemctl disable firewalld

    开放8000端口

    # firewall-cmd --zone=public --add-port=8000/tcp --permanent
    # firewall-cmd --reload

  8. 测试结果

    # curl -k https://10.10.2.231:8000/login -d username='saltapi' -d password='saltapi' -d eauth='pam'
    {"return": [{"token": "16bc53ab66f8cc072b7f14e61838ab75198c3742", "expire": 1639086007.9837725, "start": 1639042807.9837713, "user": "saltapi", "eauth": "pam", "perms": [".*", "@wheel", "@runner", "@jobs"]}]}
    # curl -k https://10.10.2.231:8000 -H "X-Auth-Token: 16bc53ab66f8cc072b7f14e61838ab75198c3742" -d client='local' -d tgt='*' -d fun='test.ping'

posted @ 2021-12-09 17:46  柚子苹果果  阅读(225)  评论(0编辑  收藏  举报