SaltStack Notes

Installation

References:

  1. https://docs.saltproject.io/en/latest/topics/installation/index.html
  2. https://repo.saltproject.io/#rhel

Installation from rpm packages.

Packages to download:

  1. salt
  2. salt-master
  3. salt-api
  4. salt-minion

After downloading the rpm packages, install them with rpm -i.

Here is a one-click install script (if you use it, the rest of this page is not needed).
(Pass the salt-master address as the argument; it is used for the salt-api bind address and the /etc/hosts entry.)

#!/bin/bash
# install-salt-master.sh <MasterIP>
if [ -z "$1" ]; then
  echo "Usage: sh $0 <MasterIP>"
  exit 1
fi

ip=$1

yum install -y PyYAML m2crypto python-crypto python-jinja2 python-msgpack python-requests python-zmq systemd-python python-cherrypy pyOpenSSL

# One rpm transaction so the dependency on the salt base package resolves whatever the order.
rpm -i salt-2015.5.10-2.el7.noarch.rpm \
       salt-master-2015.5.10-2.el7.noarch.rpm \
       salt-minion-2015.5.10-2.el7.noarch.rpm \
       salt-api-2015.5.10-2.el7.noarch.rpm

# Self-signed certificate for salt-api, written to /etc/pki/tls/certs/localhost.{crt,key}
salt-call --local tls.create_self_signed_cert
# Let the master pick up /etc/salt/master.d/*.conf
sed -i 's/^#default_include/default_include/' /etc/salt/master
mkdir -p /etc/salt/master.d
cat > /etc/salt/master.d/api.conf <<EOF
rest_cherrypy:
  host: $ip
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key
EOF

# System account used only for PAM auth: no home directory, no shell.
# 'saltapi' is a lab password; this account gets full control of every minion, so change it.
useradd -M -s /sbin/nologin saltapi
echo 'saltapi' | passwd --stdin saltapi
# Quoted heredoc: with echo '...' the inner quotes around @wheel were swallowed by the shell,
# leaving "- @wheel" in the file, which YAML rejects (@ is a reserved indicator character).
cat > /etc/salt/master.d/auth.conf <<'EOF'
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'
EOF

echo "$ip salt" >> /etc/hosts

systemctl enable salt-master salt-api salt-minion
systemctl restart salt-master salt-api salt-minion

# Smoke test; -k because the certificate is self-signed with CN=localhost
curl -sSk https://$ip:8000/login \
     -H 'Accept: application/x-yaml' \
     -d username=saltapi \
     -d password=saltapi \
     -d eauth=pam

The salt-minion node install script is attached as well:

#!/bin/bash
# install-salt-minion.sh <MasterIP>
if [ -z "$1" ]; then
  echo "Usage: sh $0 <MasterIP>"
  exit 1
fi

ip=$1

yum install -y PyYAML m2crypto python-crypto python-jinja2 python-msgpack python-requests python-zmq systemd-python

# One transaction: salt-minion depends on the salt base package, so installing it first on its own fails.
rpm -i salt-2015.5.10-2.el7.noarch.rpm salt-minion-2015.5.10-2.el7.noarch.rpm

# The minion looks for its master under the hostname "salt" by default.
echo "$ip salt" >> /etc/hosts

systemctl enable salt-minion
systemctl restart salt-minion

-------------------------- If you completed the one-click install with the scripts above, the rest of this page is not needed --------------------------

salt-api

Notes:

  1. salt-api must be served over HTTPS (rest_cherrypy is configured with ssl_crt/ssl_key below); otherwise the PAM password and every token cross the network in clear text.
  2. Tokens issued before a salt-api restart stop working; log in again to obtain a new one.
  3. The saltapi user below is granted .* plus @wheel, @runner and @jobs, i.e. any function on every minion and key management on the master. Treat its password and its tokens as root credentials: pick a strong password, bind host to an internal address, and restrict which sources can reach port 8000.
  4. The -k in the curl examples skips certificate verification and is acceptable only for the first smoke test. To verify properly, issue the certificate for the name you connect with (e.g. salt-call --local tls.create_self_signed_cert CN=salt, matching the /etc/hosts entry) and point the client at that file with --cacert.

Steps:

  1. Self-signed certificate:

    # salt-call --local tls.create_self_signed_cert
    local:
        Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."
    

    If this error appears:

    'tls' __virtual__ returned False: PyOpenSSL version 0.10 or later must be installed before this module can be used.
    

    Fix: pip install PyOpenSSL

  2. Configure the master to load sub-configuration files:

    # vim /etc/salt/master
    default_include: master.d/*.conf
    
  3. Configure salt-api:

    # vim /etc/salt/master.d/api.conf
    rest_cherrypy:
      host: 192.168.1.30
      port: 8000
      ssl_crt: /etc/pki/tls/certs/localhost.crt
      ssl_key: /etc/pki/tls/certs/localhost.key
    
  4. Create the authentication user and set its password:

    useradd -M -s /sbin/nologin saltapi
    echo 'saltapi' | passwd --stdin saltapi
    
  5. Create the authentication configuration file:

    # vim /etc/salt/master.d/auth.conf
    external_auth:
      pam:
        saltapi:
          - .*
          - '@wheel'
          - '@runner'
          - '@jobs'
    
  6. Restart salt-master and start salt-api:

    # systemctl restart salt-master
    # systemctl start salt-api
    
  7. Test login and obtain a token:

    # curl -sSk https://192.168.1.30:8000/login \
         -H 'Accept: application/x-yaml' \
         -d username=saltapi \
         -d password=saltapi \
         -d eauth=pam
    --------------------------------
    return:
    - eauth: pam
      expire: 1558663247.869537
      perms:
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'
      start: 1558620047.869536
      token: e8330f642a3addd853c723d63844d29a12de9484
      user: saltapi
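The login exchange from step 7, plus the re-login that note 2 (tokens dying on a salt-api restart) forces on any real client, as an added Python example; this is not code from the original post or from SaltStack. It sends JSON instead of curl's form fields (rest_cherrypy accepts both), reuses the token in the X-Auth-Token header for the root endpoint, pins the master's certificate through cafile instead of skipping verification, and ships a constructed stand-in server (FakeSaltApi) so it runs offline. SaltApiClient, FakeSaltApi, TOKEN_TTL, the minion name minion-1 and the loopback URL are assumptions made for the example; against a real master you would pass https://salt:8000 and a cafile holding a certificate issued for that name.

```python
import json
import secrets
import ssl
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_TTL = 43200  # 12h: expire - start in the login output above


class SaltApiClient:
    """Hypothetical rest_cherrypy client: log in once, reuse the token, re-login on 401."""

    def __init__(self, base_url, username, password, cafile=None):
        self.base_url = base_url.rstrip("/")
        self.username, self.password = username, password
        # Pin the master's self-signed certificate through cafile instead of
        # skipping verification (curl -k); None means the system trust store.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.token, self.expire, self.logins = None, 0.0, 0

    def _request(self, path, payload, token=None):
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if token:
            headers["X-Auth-Token"] = token
        req = urllib.request.Request(self.base_url + path, data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx, timeout=10) as resp:
            return json.loads(resp.read().decode())["return"]

    def login(self):
        """POST /login with PAM eauth: the same exchange as the curl call above."""
        creds = {"username": self.username, "password": self.password, "eauth": "pam"}
        info = self._request("/login", creds)[0]
        self.token, self.expire = info["token"], info["expire"]
        self.logins += 1
        return info

    def run(self, tgt, fun, arg=()):
        """Run `fun` on minions matching `tgt` via the token-authenticated root endpoint."""
        if self.token is None or time.time() > self.expire - 60:
            self.login()
        lowstate = [{"client": "local", "tgt": tgt, "fun": fun, "arg": list(arg)}]
        try:
            return self._request("/", lowstate, self.token)
        except urllib.error.HTTPError as err:
            if err.code != 401:
                raise
            self.login()  # token no longer accepted (e.g. salt-api restarted): re-authenticate once
            return self._request("/", lowstate, self.token)


class FakeSaltApi(BaseHTTPRequestHandler):
    """Constructed stand-in for salt-api so the example runs offline; it mimics
    only the response shapes of /login and the root endpoint, nothing more."""
    users = {"saltapi": "saltapi"}
    tokens = {}  # token -> expiry; cleared below to imitate a salt-api restart

    def log_message(self, *args):
        pass

    def _reply(self, code, ret):
        body = json.dumps({"return": ret}).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        data = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"null")
        if self.path == "/login":
            if data.get("eauth") != "pam" or self.users.get(data.get("username")) != data.get("password"):
                return self._reply(401, "Could not authenticate using provided credentials.")
            tok, now = secrets.token_hex(20), time.time()
            self.tokens[tok] = now + TOKEN_TTL
            return self._reply(200, [{"eauth": "pam", "start": now, "expire": now + TOKEN_TTL,
                                      "perms": [".*", "@wheel", "@runner", "@jobs"],
                                      "token": tok, "user": data["username"]}])
        if self.tokens.get(self.headers.get("X-Auth-Token"), 0) < time.time():
            return self._reply(401, "Invalid token")
        self._reply(200, [{"minion-1": True} for _ in data])  # one fake minion answers each lowstate


def demo():
    """Log in once, run test.ping twice on one token, wipe the server's tokens
    (what a salt-api restart does to old tokens) and run again."""
    server = HTTPServer(("127.0.0.1", 0), FakeSaltApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        client = SaltApiClient(f"http://127.0.0.1:{server.server_port}", "saltapi", "saltapi")
        first = client.run("*", "test.ping")
        client.run("*", "test.ping")  # token reused: still a single login
        reused = client.logins == 1
        FakeSaltApi.tokens.clear()
        after = client.run("*", "test.ping")  # 401 -> re-login -> retry
        return {"first": first, "reused": reused, "after": after, "logins": client.logins}
    finally:
        server.shutdown()


if __name__ == "__main__":
    print(demo())
```

Running the file prints the dict demo() returns: the second test.ping reuses the token (one login so far), and after the token table is wiped the client gets a 401, logs in again and retries, ending with exactly two logins. The client refreshes proactively when the token is within 60 s of its expire value and retries a failed call only once, so a wrong password surfaces as an HTTPError rather than a retry loop.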
    
posted @ 2022-02-02 20:44  Coodyzのblog