Salt installation
Preparation
master 192.168.23.50
client 192.168.20.208
Personal opinion: Puppet's biggest drawback is that, by default, the agent syncs its state with the master every 30 minutes and the master's push capability is weak (version 2.7). Ansible executes over SSH and works through hosts by polling them in turn, so it is not recommended when there are many servers. Salt is built on a message queue; its performance is very good and it suits large production environments.
See also: SaltStack or Ansible, which to choose
SaltStack event-driven (1): watching events
Step 1: Add the RPM repository

# 1. Run the following commands to install the SaltStack repository and key:
#sudo yum install https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest-2.el7.noarch.rpm -y
sudo yum install https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest.el7.noarch.rpm -y   # 2019-12
sudo yum install https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest-2.el6.noarch.rpm -y
#yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el6.noarch.rpm -y
#yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm -y

# 2. Run sudo yum clean expire-cache
yum clean expire-cache

# 3. Install the salt-minion, salt-master, or other Salt components:
sudo yum install salt-master -y
sudo yum install salt-minion -y
sudo yum install salt-ssh -y
sudo yum install salt-syndic -y
sudo yum install salt-cloud -y
sudo yum install salt-api -y

## Older OS releases: EPEL
# 7 series
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# 6 series
rpm -ivh http://mirrors.aliyun.com/epel/6/x86_64/epel-release-6-8.noarch.rpm
#rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
# 7 series
rpm -ivh http://mirrors.aliyun.com/epel/7/x86_64/e/epel-release-7-7.noarch.rpm
# 5 series
wget http://mirrors.sohu.com/fedora-epel/5/x86_64/epel-release-5-4.noarch.rpm
rpm -ivh epel-release-5-4.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL   # import the signing key
yum info salt
Step 2: On the master

useradd salt
yum install salt-master -y
vi /etc/salt/master
  # The address of the interface to bind to
  interface: masterip      # must be preceded by two spaces
  # The tcp port used by the publisher
  publish_port: 4505       # must be preceded by two spaces
  # Automatic authentication: every minion key that arrives is accepted, no salt-key -a needed
  auto_accept: True
  # The user to run the salt-master as. Salt will update all permissions to
  # allow the specified user to run the master. If the modified files cause
  # conflicts set verify_env to False.
  user: root
  # interface used for the file server, authentication, job returns, etc.
  ret_port: 4506           # must be preceded by two spaces
systemctl restart salt-master
systemctl enable salt-master
cat /etc/salt/master | grep -v ^# | sort -u   # show the effective settings
# CentOS 6 (no systemd): register the service and start it at boot
/sbin/chkconfig --add salt-master
/sbin/chkconfig --level 345 salt-master on
Step 3: On the client (minion)

useradd salt
yum install salt-minion -y
vi /etc/salt/minion       # for a non-interactive edit see the sed commands below
# line 11: change "#master: salt" to the master's address
master: masterip
master: 192.168.23.50
# line 103
id: ad_admin
# Overwrite the default tcp ports used by the minion when in tcp mode
tcp_pub_port: 4510
tcp_pull_port: 4511
cp /etc/salt/minion .     # keep a copy of the original file

# Non-interactive edit (two master addresses from different environments; use your own)
sed 's/#master: salt/master: 192.168.30.88/' -i /etc/salt/minion
sed 's/#master: salt/master: 172.16.200.13/' -i /etc/salt/minion
sed 's/#id:/id: you_name/' -i /etc/salt/minion
sed 's/#tcp_pub_port: 4510/tcp_pub_port: 4510/' -i /etc/salt/minion
sed 's/#tcp_pull_port: 4511/tcp_pull_port: 4511/' -i /etc/salt/minion
systemctl restart salt-minion
systemctl enable salt-minion

Configuring a Salt minion on CentOS 5.6: http://zhoulg.blog.51cto.com/48455/1140186
Installing minions in bulk with salt-ssh

yum install salt-ssh
# A key can be pushed with --key-deploy ("Set this flag to attempt to deploy the authorized ssh"),
# but the SSH host-key prompt has to be answered first:
#   Are you sure you want to continue connecting (yes/no)?
Firewall rules

Note: this is the correct and relatively secure approach. On the master, add rules allowing TCP 4505 and TCP 4506 from all minions; the minions need no firewall configuration, because it is the minion that opens the connection to the master's ZeroMQ sockets and receives over it.
1. On the master

# salt-master listens on ports 4505 and 4506, so these two ports must be opened.
# Usually this one rule is enough (a colleague got it backwards again today, haha):
iptables -I INPUT -s minion_ip -p tcp -m multiport --dports 4505,4506 -j ACCEPT

# Allow Salt to communicate with Master on the loopback interface
iptables -A INPUT -i lo -p tcp -m multiport --dports 4505,4506 -j ACCEPT
2. On the minion

iptables -I INPUT -s 192.168.30.94 -p tcp -m multiport --dports 4510,4511 -j ACCEPT

# Usually only looked at when a rule has to be deleted, haha
iptables -L -n --line-number | grep 21   # --line-number shows rule numbers, which makes deleting easier
iptables -D INPUT 3                      # delete rule 3 of the INPUT chain
iptables -R INPUT 3 -j DROP              # replace rule 3 with DROP

## The official write-up is a bit open, not ideal.
Opening the firewall for Salt: http://docs.saltstack.cn/topics/tutorials/firewall.html
http://yango.iteye.com/blog/2264641

RHEL 6 / CentOS 6
Some Linux distributions ship the lokkit command-line tool, which opens iptables firewall ports easily from the command line. Just take care not to carelessly close the ssh port.
lokkit example:
lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp

# iptables
iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

Master-side whitelist
# Allow Minions from these networks
iptables -I INPUT -s 192.168.1.0/22 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
iptables -I INPUT -s 10.1.2.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
iptables -I INPUT -s 10.1.3.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
# Allow Salt to communicate with Master on the loopback interface
iptables -A INPUT -i lo -p tcp -m multiport --dports 4505,4506 -j ACCEPT
# Reject everything else
iptables -A INPUT -p tcp -m multiport --dports 4505,4506 -j REJECT
Configuring keys

On the master, list the keys with salt-key -L:
[root@vm1 test]# salt-key -L
Accepted Keys:
Unaccepted Keys:
test1
Rejected Keys:
[root@vm1 test]# salt-key -A
Key for minion test1 accepted.
[root@vm1 test]# salt 'test1' test.ping
test1:
    True

salt-key -L                      # show the authentication state of all minions
salt-key -A                      # accept every minion in the Unaccepted Keys state
salt-key -a 192.168.30.100 -y    # accept the key of 192.168.30.100 without the confirmation prompt
salt-key -d 192.168.0.100        # delete the key of 192.168.0.100 (-d deletes; -r would reject it)
# Delete a single key. Sometimes a minion drops out because its key name collides with an existing one:
salt-key -d prod-web01           # then restart the minion
salt-key -D                      # delete all keys (-D deletes; -R would reject all unaccepted ones)
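The key workflow above ends in salt-key -A, which accepts every pending key. The following script is an added example, not from the original post: it accepts only the pending minion ids that appear in an inventory file (a path you supply, one id per line, an assumed format) and leaves anything else pending for a human to look at.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: accept pending minion keys only when
# the minion id is on an inventory list, instead of 'salt-key -A' (accept all).
# Assumptions: 'salt-key -L' prints the sections quoted above, and the inventory
# is a file with one minion id per line. SALT_KEY can be overridden so the
# parsing can be exercised against captured output on a machine without Salt.
SALT_KEY=${SALT_KEY:-salt-key}

# Print the ids listed under "Unaccepted Keys:" in salt-key -L output read from stdin.
pending_keys() {
    awk '/^Unaccepted Keys:/ { on = 1; next }
         /Keys:$/            { on = 0 }
         on && NF            { print $1 }'
}

# $1 = inventory file. Reads salt-key -L output on stdin and prints one line per
# pending key: "accept <id>" if the id is in the inventory, otherwise "unknown <id>".
classify_pending() {
    pending_keys | while IFS= read -r id; do
        if grep -qx -- "$id" "$1"; then echo "accept $id"; else echo "unknown $id"; fi
    done
}

# $1 = inventory file. Accepts inventoried keys with 'salt-key -a <id> -y' and
# leaves the rest pending; returns 1 if anything was left pending.
accept_inventoried() {
    local rc=0 action id
    while read -r action id; do
        case $action in
            accept)  "$SALT_KEY" -a "$id" -y ;;
            unknown) echo "not accepting $id: not in inventory" >&2; rc=1 ;;
        esac
    done <<EOF
$("$SALT_KEY" -L | classify_pending "$1")
EOF
    return "$rc"
}

# Usage on the master (inventory path is hypothetical): accept_inventoried /path/to/minion-inventory
```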
Common commands

1) Check the connection between master and minion: salt '*' test.ping   or   salt 'test1' test.ping
2) Run a command remotely: salt '*' cmd.run 'ls /root'
   test1:
       anaconda-ks.cfg
       bootstrap-salt.sh
       install.log
       install.log.syslog
       vm2
3) Copy a file from the master to a minion: salt-cp nodeid source_file target_file
   Example: salt-cp 'vm01' /root/test/bootstrap-salt.sh /root
4) Sync state from the master (highstate): salt '*' state.highstate

To have the Minion start automatically at boot time:
chkconfig salt-minion on
systemctl enable salt-minion.service   # 7
To start the Minion:
systemctl start salt-minion.service    # 7
https://docs.saltstack.com/en/latest/topics/installation/rhel.html

# All built-in modules
http://docs.saltstack.com/ref/modules/all/index.html
http://wiki.saltstack.cn/modules/all

Commonly used built-in modules:
[root@vm3 ~]# salt 'vm0' pkg.install w3m
vm0:
    ----------
    gpg-pubkey:
        ----------
        new:
            217521f6-45e8a532,e8562897-459f07a4
        old:
            217521f6-45e8a532
    w3m:
        ----------
        new:
            0.5.1-18.el5

Targeting groups:
salt -N direct test.ping
salt -L sdkredis,sdklog,ad_web,inlandgw,ad_admin,da test.ping
Problems encountered

2017
[root@da ~]# /etc/init.d/salt-master restart
Stopping salt-master daemon:                               [FAILED]
Starting salt-master daemon: WARNING: Unable to bind socket 1.2.22.3:4505, error: [Errno 99] Cannot assign requested address; Is there another salt-master running?
The salt master is shutdown. The ports are not available to bind
                                                           [FAILED]
Fix: open up the bind IP
# The address of the interface to bind to:
interface: 0.0.0.0

Problem 1
[root@localhost soft]# yum install python-jinja2
Loaded plugins: fastestmirror, security
Determining fastest mirrors
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again
Edit /etc/yum.repos.d/epel.repo and /etc/yum.repos.d/epel-testing.repo: comment out mirrorlist and uncomment baseurl.

Problem 2:
file /usr/lib64/python2.6/zipfile.pyo from install of python-libs-2.6.6-64.el6.x86_64 conflicts with file from package python-2.6.6-29.el6_2.2.x86_64
64 conflicts with file from package python-2.6.6-36.el6.x86_64
Error Summary
Upgrade the python version: yum update python   or   yum install python

Problem (a): the minion logs the following, and salt-key -L on the master is empty
2017-08-04 16:35:57,645 [salt.utils.parsers ][WARNING ][5761] Minion received a SIGTERM. Exiting.
For the record, the config (master ip, on master). Hilarious, got all sorts of things mixed up, silly me:
[root@ ~]# cat /etc/salt/minion | grep -v \^# | grep -v \^$
master: 10.10.1.25
master_port: 4506
id: ad_web
tcp_pub_port: 4510
tcp_pull_port: 4511

Problem (b):
To repair this issue, delete the public key for this minion on the Salt Master and restart this minion. Or restart the Salt Master in open mode to clean out the keys. The Salt Minion will now exit.
Cause: roughly, the key the minion holds does not match the one on the master, so authentication cannot succeed.
Fix: delete the key on the minion side and let it connect to the master and authenticate again.
On the master, delete the key under /etc/salt/pki/master/minions.
If that still does not work, delete the minion's copy as well: minion_master.pub
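The bind error above and the auto_accept: True setting from Step 2 can both be caught before restarting the service. As an added example (not from the original post), this script reads the effective master settings the way the post does and checks them; the list of local addresses is passed in as an argument, so the checks also run on a machine without Salt.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: preflight checks to run on the master
# before 'systemctl restart salt-master'. It reads the effective (non-comment)
# settings the way the post does and checks the two things that caused trouble
# above: 'interface:' must be an address this host actually holds (otherwise
# "Errno 99 Cannot assign requested address"), and 'auto_accept: True' is
# reported because it accepts every minion key without any 'salt-key -a' step.

# Print "key value" pairs for the top-level settings, skipping comments and blanks.
effective_settings() {            # $1 = path to the master config
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        sed -E 's/^[[:space:]]*([A-Za-z_]+):[[:space:]]*(.*)$/\1 \2/'
}

setting() {                       # $1 = config path, $2 = key; prints the value
    effective_settings "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# $1 = config path, $2 = newline-separated local IPv4 addresses. On a real host
# collect them with: ip -o -4 addr show | awk '{print $4}' | cut -d/ -f1
check_interface() {
    local iface
    iface=$(setting "$1" interface)
    if [ -z "$iface" ] || [ "$iface" = 0.0.0.0 ]; then return 0; fi  # unset/bind-all
    printf '%s\n' "$2" | grep -qx -- "$iface"
}

check_auto_accept() {             # fails (returns 1) when auto_accept is enabled
    case "$(setting "$1" auto_accept)" in
        [Tt]rue|[Yy]es|1) return 1 ;;
        *)                return 0 ;;
    esac
}

preflight() {                     # $1 = config path, $2 = local addresses
    local rc=0
    check_interface "$1" "$2" ||
        { echo "interface $(setting "$1" interface) is not a local address"; rc=1; }
    check_auto_accept "$1" ||
        { echo "auto_accept is enabled: every minion that connects is accepted"; rc=1; }
    return "$rc"
}

# Demo on a constructed config using the bind address from the error message above.
demo_cfg=$(mktemp)
printf '  interface: 1.2.22.3\n  auto_accept: True\n' > "$demo_cfg"
preflight "$demo_cfg" "$(printf '127.0.0.1\n192.168.23.50')" || echo "preflight: fix before restart"
rm -f "$demo_cfg"
```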
Troubleshooting

I first added the el7 repo, which failed; on a closer look the machine was actually el6:
--> 完成依赖关系计算
错误:Package: python-babel-0.9.6-8.el7.noarch (salt-latest)
          Requires: python(abi) = 2.7
          已安装: python-2.6.6-66.el6_8.x86_64 (@base)
              python(abi) = 2.6
          Available: python34-3.4.8-1.el6.i686 (epel)
              python(abi) = 3.4
错误:Package: python-msgpack-0.4.6-1.el7.x86_64 (salt-latest)
          Requires: libpython2.7.so.1.0()(64bit)
rm /etc/yum.repos.d/salt-latest.repo
References

https://repo.saltstack.com/#rhel
https://docs.saltstack.com/en/latest/
SaltStack installation on CentOS 7
More detailed configuration:
Configuring the Salt Master http://docs.saltstack.com/ref/configuration/master.html
Configuring the Salt Minion http://docs.saltstack.com/ref/configuration/minion.html
Saltstack series 3: common Saltstack modules and API http://www.cnblogs.com/MacoLee/p/5753640.html
Detailed walkthrough of installing saltstack on CentOS 7.2
Python for operations automation (a good one; it starts with bulk operations via fabric and moves on to salt) http://opython.com/?cat=4 http://blog.sina.com.cn/s/blog_7f1737720101ebzg.html
Deep dive into SaltStack (repost) http://blog.sina.com.cn/s/blog_7f1737720101ebz9.html
http://blog.halfss.com/blog/2013/06/15/saltxiang-guan-shi-yong/
Salt stack: the first sls file http://blog.csdn.net/qingchn/article/details/8752004
Salt in practice: automated installation and deployment of MooseFS http://blog.csdn.net/shanliangliuxing/article/details/8986731
Installing SaltStack on CentOS 6.4 (has a neat firewall approach)
Reference material: installing and deploying salt http://zhengbin.blog.51cto.com/2989505/1229884
Basic salt commands http://zhengbin.blog.51cto.com/2989505/1229891
salt-minion, salt-master, multi master http://www.cnblogs.com/taosim/articles/3598919.html