
A lifelong learner, practitioner and sharer committed to the path of technology, a busy and occasionally lazy original blogger, an occasionally boring and occasionally humorous teenager.

Friends are welcome to search WeChat for “Jie Ge’s IT journey” and follow!

Saltstack centralized management platform installation

1. Introduction to SaltStack

SaltStack (www.saltstack.com/) is a centralized server infrastructure management platform that provides configuration management, remote execution, monitoring and other functions. It can be understood as a simplified version of Puppet (puppetlabs.com/) and an enhanced version of func (fedorahosted.org/func/), comparable to Ansible.

SaltStack is implemented in Python and combines a lightweight message queue (ZeroMQ) with third-party Python modules (Pyzmq, PyCrypto, Pyjinja2, python-msgpack, PyYAML, etc.). It has the following features:

  • Simple and convenient deployment;
  • Supports most UNIX/Linux and Windows environments;
  • Centralized master-slave management;
  • Simple configuration, powerful function, strong scalability;
  • The master (Master) and the controlled end (Minion) authenticate with certificates, which is safe and reliable;
  • Supports APIs and custom modules, and can be easily extended through Python.

By deploying a SaltStack environment, we can run commands in batches on tens of thousands of servers, manage them centrally, distribute configuration files according to the characteristics of different businesses, collect basic server data, and manage operating systems and packages. SaltStack is a tool for operations staff to improve work efficiency and to standardize business configuration and operation. SaltStack is now mature, with a good user base and an active community. Many sub-projects have also been opened officially and can be obtained at github.com/saltstack.

SaltStack supports multiple operating systems, such as CentOS, RedHat, Debian, Ubuntu, FreeBSD, Solaris, Fedora, SuSe, Gentoo, Mac OS X, Archlinux, and Windows (Minion only).

Official documentation: docs.saltstack.com
China SaltStack user group: www.saltstack.cn

2. SaltStack installation

Installing the different SaltStack role services is very simple. Deploying from a yum source is recommended. The steps are briefly described below.

2.1 Service Environment description

For this demonstration, a group of servers is deployed. The operating system is CentOS Release 6.5, which ships with Python 2.6.6. The server information is shown in the table.

Role    ID                         IP             Group name
master  saltstack_master.test.com  192.168.1.182
minion  saltstack_web1group_1      192.168.1.183  web1group
minion  saltstack_web1group_2      192.168.1.184  web1group

Modify the hosts file on the master server and the host name on the Master/Minion host.

[root@saltstack-master salt]# vim /etc/hosts
192.168.1.182 saltstack_master.test.com
192.168.1.183 saltstack_web1group1_1
192.168.1.184 saltstack_web1group1_2
[root@saltstack-master salt]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=saltstack_master.test.com
[root@saltstack_web1group_1 ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=saltstack_web1group1_1
[root@saltstack_web1group_2 ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=saltstack_web1group1_2

Mount the CD-ROM and install EPEL. Because the official RHEL yum repositories do not provide SaltStack packages, EPEL is installed as the yum source for deploying SaltStack. The NOKEY warning in the output means that rpm could not verify the package signature, because the signing key (ID 0608b895) has not been imported.

[root@saltstack-master ~]# mount /dev/cdrom /mnt
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@saltstack-master ~]# rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-6.noarch.rpm
Retrieving https://mirrors.aliyun.com/epel/epel-release-latest-6.noarch.rpm
warning: /var/tmp/rpm-tmp.ZGqN4N: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]

2.2 Installing SaltStack on the master server

[root@saltstack-master ~]# yum -y install salt-master
Complete!
[root@saltstack-master ~]# chkconfig salt-master on
[root@saltstack-master ~]# service salt-master start
Starting salt-master daemon:                               [确定]

2.3 Installing SaltStack on the minion (controlled) servers

[root@saltstack_web1group_1 ~]# yum -y install salt-minion
[root@saltstack_web1group_1 ~]# chkconfig salt-minion on
[root@saltstack_web1group_1 ~]# service salt-minion start
Starting salt-minion daemon:
[root@saltstack_web1group_2 ~]# yum -y install salt-minion
[root@saltstack_web1group_2 ~]# chkconfig salt-minion on
[root@saltstack_web1group_2 ~]# service salt-minion start
Starting salt-minion daemon:

2.4 SaltStack Firewall Configuration

By default, the SaltStack Master listens on ports 4505 and 4506.

4505: publish_port, the port on which SaltStack publishes messages;

4506: ret_port, the port on which the SaltStack controlled end (minion) communicates with the master.

If you use lsof to view port 4505, you will find that all minions remain in ESTABLISHED state on port 4505.

Add rules for TCP 4505 and TCP 4506 on the master. No firewall rule is required on the controlled end (minion): the minion itself establishes a long-lived connection to ZeroMQ on the master, receives the broadcast task information and executes it. Add two iptables rules:

[root@saltstack-master ~]# iptables -I INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
[root@saltstack-master ~]# iptables -I INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

Updating the SaltStack configuration and verifying the installation

SaltStack has two roles: Master (the controlling end) and Minion (the controlled end). After the installation, modify the configuration files of the two roles.

2.5 Master configuration

[root@saltstack-master ~]# vim /etc/salt/master
interface: 192.168.1.182
file_roots:                # specify the SaltStack file root location
  base:
    - /srv/salt/
[root@saltstack-master ~]# service salt-master restart
Stopping salt-master daemon:                               [confirm]
Starting salt-master daemon:

2.6 Minion (controlled end) configuration

[root@saltstack_web1group_1 ~]# vim /etc/salt/minion
master: 192.168.1.182
id: saltstack_web1group_1
[root@saltstack_web1group_1 ~]# service salt-minion restart
Stopping salt-minion daemon
[root@saltstack_web1group_2 ~]# vim /etc/salt/minion
master: 192.168.1.182
id: saltstack_web1group_2
[root@saltstack_web1group_2 ~]# service salt-minion restart
Stopping salt-minion daemon:                               [confirm]
Starting salt-minion daemon:

SaltStack master and minion configuration files

The master is configured by editing the master configuration file under /etc/salt. The following are common settings on the master side:

  • interface: the address to bind to (default: 0.0.0.0);
  • publish_port: the publish port (default: 4505);
  • ret_port: the return port, corresponding to master_port in the minion configuration file (default: 4506);
  • user: the user who runs the master process. If you change the user, you also need to change the permissions of some directories (default: root);
  • timeout: the timeout period;
  • keep_jobs: by default, a minion returns its execution results to the master, and the master caches them in its local cachedir directory. This parameter specifies how long the cache is kept so that previous results can be viewed; the cache occupies disk space (default: 24 hours);
  • job_cache: if the number of jobs is large (more than 5000), you are advised to store jobs another way and disable this option (default: True);
  • file_recv: whether minions are allowed to send files to the master (default: False);
  • file_roots: the file root directories. The default value is:
        file_roots:
          base:
            - /srv/salt
  • pillar_roots: the pillar directories. The default value is:
        pillar_roots:
          base:
            - /srv/pillar
  • log_level: the log level. The supported levels are 'garbage', 'trace', 'debug', 'info', 'warning', 'error' and 'critical' (default: 'warning').

Common minion settings:

  • master: the master host (default: salt);
  • master_port: the port on the master to which authentication requests and execution results are sent. It corresponds to ret_port in the master configuration file (default: 4506);
  • id: the ID of this minion, which Salt uses to identify it;
  • user: the user who runs the minion;
  • cache_jobs: whether the minion caches execution results (default: False);
  • backup_mode: the backup target used when a file changes during a file operation (file.managed or file.recurse). The currently valid value is minion. Backups are stored in cachedir/file_backups and are named with the original file name plus a timestamp (default: Disabled);
  • providers: yumpkg5;
  • renderer: the renderer of the configuration management system (default: yaml_jinja);
  • file_client:
  • log_level: the log level (default: warning);
  • tcp_keepalive: whether the minion keeps a keepalive check with the master. ZeroMQ versions earlier than 3 have a keepalive bug that, in some cases, leaves the minion unable to reconnect to the master after the connection becomes abnormal. Upgrade to ZeroMQ 3 or later if possible (default: True).

If auto_accept: True is not configured in /etc/salt/master, you need to run the salt-key command to authenticate the minions' certificates. The operations are as follows:

salt-key -L      # list the IDs of authenticated and unauthenticated controlled ends; Accepted Keys is the authenticated list and Unaccepted Keys is the unauthenticated list
salt-key -D      # delete the certificates of all authenticated host IDs
salt-key -d id   # delete the certificate of a single ID
salt-key -A      # accept all ID certificate requests
salt-key -a id   # accept the certificate request of a single ID

[root@saltstack-master salt]# salt-key -a slaver.test.com
[root@saltstack-master salt]# salt-key -a master.test.com
[root@saltstack-master salt]# salt-key
Accepted Keys:
saltstack_web1group_1
saltstack_web1group_2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
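The master options listed above decide how exposed the master is: interface defaults to 0.0.0.0, file_recv lets minions push files, and auto_accept skips the salt-key review. The following check is an added example, not code from the original article or from the SaltStack project; the function names, the finding texts and the LAB sample are constructed for illustration, and only flat top-level `key: value` lines are parsed.

```python
import re

TRUE = {"true", "yes", "on"}
# Options from this page's list, the values that widen exposure, and why.
RISKY = {
    "auto_accept": (TRUE, "every minion key is accepted without salt-key review"),
    "file_recv": (TRUE, "minions are allowed to send files to the master"),
    "interface": ({"0.0.0.0"}, "ports 4505/4506 are bound on every interface"),
}
# Defaults as stated on this page, used when a key is absent or commented out.
PAGE_DEFAULTS = {"interface": "0.0.0.0", "file_recv": "False"}

def parse_top_level(text):
    """Return top-level scalar settings; comments and nested blocks are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]+):[ \t]*([^#\n]*?)[ \t]*(?:#.*)?$", line)
        if m and m.group(2):
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings

def audit_master(text):
    """Return sorted (key, value, reason) findings for the text of a master file."""
    effective = dict(PAGE_DEFAULTS)
    effective.update(parse_top_level(text))
    return sorted(
        (key, effective[key], reason)
        for key, (bad, reason) in RISKY.items()
        if effective.get(key, "").lower() in bad
    )

# Constructed sample: interface left at its default, both switches enabled.
LAB = """\
#interface: 0.0.0.0
auto_accept: True   # lab only
file_recv: True
file_roots:
  base:
    - /srv/salt/
"""
# The master settings from section 2.5 of this page.
PAGE_2_5 = "interface: 192.168.1.182\nfile_roots:\n  base:\n    - /srv/salt/\n"

if __name__ == "__main__":
    for name, cfg in (("lab", LAB), ("section 2.5", PAGE_2_5)):
        for key, value, reason in audit_master(cfg):
            print(f"{name}: {key}={value}: {reason}")
```
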

Authentication Process (Key)

Data between the master and the minions is transmitted using the AES encryption algorithm, and Salt supports automatic authentication.

The minion sends its public key to the master.

[root@saltstack-master salt]# cd /etc/salt/pki/master/
[root@saltstack-master master]# tree
.
├── master
...
├── minions_pre
...
5 directories, 4 files
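Before running salt-key -a, the pending keys under minions_pre can be compared with copies of each minion's public key obtained out-of-band. This is an added example, not code from the original article or from SaltStack; the inventory directory of `<id>.pub` files and all function names are assumptions, and it assumes the master stores the submitted key unchanged apart from whitespace.

```python
import tempfile
from pathlib import Path

def normalized(path):
    """Key file bytes with whitespace removed, so newline differences do not matter."""
    return b"".join(Path(path).read_bytes().split())

def review_pending(pending_dir, trusted_dir):
    """Label each pending minion id 'match', 'mismatch' or 'unknown'.

    pending_dir: the master's minions_pre directory (one key file per minion id).
    trusted_dir: hypothetical inventory of <id>.pub files, copied from each
                 minion out-of-band when it was provisioned.
    """
    verdicts = {}
    for key_file in sorted(Path(pending_dir).iterdir()):
        if not key_file.is_file():
            continue
        trusted = Path(trusted_dir) / (key_file.name + ".pub")
        if not trusted.is_file():
            verdicts[key_file.name] = "unknown"
        elif normalized(trusted) == normalized(key_file):
            verdicts[key_file.name] = "match"
        else:
            verdicts[key_file.name] = "mismatch"
    return verdicts

def accept_commands(verdicts):
    """salt-key commands for the ids whose pending key equals the trusted copy."""
    return [f"salt-key -a {mid}" for mid, v in verdicts.items() if v == "match"]

def demo():
    """Constructed data: short byte strings stand in for real PEM public keys."""
    with tempfile.TemporaryDirectory() as tmp:
        pre, inv = Path(tmp, "minions_pre"), Path(tmp, "inventory")
        pre.mkdir()
        inv.mkdir()
        (inv / "saltstack_web1group_1.pub").write_bytes(b"KEY-A\n")
        (inv / "saltstack_web1group_2.pub").write_bytes(b"KEY-B\n")
        (pre / "saltstack_web1group_1").write_bytes(b"KEY-A")    # same key
        (pre / "saltstack_web1group_2").write_bytes(b"KEY-X\n")  # different key
        (pre / "unexpected_host").write_bytes(b"KEY-Z\n")        # not in inventory
        return review_pending(pre, inv)

if __name__ == "__main__":
    verdicts = demo()
    for minion_id, verdict in verdicts.items():
        print(f"{minion_id}: {verdict}")
    print("\n".join(accept_commands(verdicts)))
```

Only ids reported as match are turned into salt-key -a commands; a mismatch or unknown id is left pending for manual investigation.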

Verifying the installation results

Using the ping method of the test module, you can check whether the trust relationship between a specified minion and the master has been established and whether connectivity is normal. To check all minions, use ‘*’ instead of ‘saltstack_web1group_1’.

[root@saltstack-master salt]# salt 'saltstack_web1group_1' test.ping
saltstack_web1group_1:
    True
[root@saltstack-master salt]# salt 'saltstack_web1group_2' test.ping
saltstack_web1group_2:
    True
[root@saltstack-master salt]# salt '*' test.ping
saltstack_web1group_1:
    True
saltstack_web1group_2:
    True

That is the end of this article.



See you next time!