Salt Introduction
Salt is a basic platform management tool
Salt is a configuration management system that can maintain a predefined state of a remote node
Salt is a distributed remote execution system used to execute commands and query data on remote nodes
Salt core functions
Commands are sent to remote systems in parallel rather than serially
Uses securely encrypted protocols
Uses the smallest and fastest network payloads
Provides a simple programming interface
Salt characteristics
SaltStack is written in Python and is comparatively lightweight
SaltStack communication is implemented with ZeroMQ, which makes it fast
SaltStack is open source, and you can write your own modules in Python
Salt Port Description
salt-master opens two ports when it starts:
4505: dedicated port for publishing Salt messages
4506: port for client-to-server communication
SaltStack is a service model based on the C/S architecture, so using SaltStack means introducing and maintaining a C/S architecture in the existing environment. In the SaltStack architecture the server is called the master and the client is called the minion. In the traditional C/S architecture, the client sends a request to the server, and the server receives the request, finishes processing it and returns the result to the user. SaltStack offers not only this traditional C/S service mode but also the publish/subscribe (pub/sub) mode of a message queue, which makes SaltStack's application scenarios richer. At present, in real environments, SaltStack's C/S architecture is generally used for configuration management.
Both the master and the minion run as daemons. The master listens on the ret_port (accepts minion requests) and publish_port (publishes messages) defined in its configuration file. When the minion runs, it automatically connects to the ret_port of the master address defined in its configuration file for connection authentication. The default minion ID is the value returned by socket.getfqdn(); the ID can also be changed in the minion configuration before the minion is started.
Reference websites
http://docs.saltstack.cn/
http://www.saltstack.cn/
Environment description
Role          Host name         IP
Salt-server   hzbj-salt-020     192.168.56.20
Tomcat-a      hzbj-tomcat-021   192.168.56.21
Tomcat-b      hzbj-tomcat-022   192.168.56.22
1. Install EPEL
The official RHEL yum repositories do not currently include a SaltStack package, so first install EPEL as the source for deploying SaltStack.
    [root@hzbj-salt-020 ~]# rpm -Uvh http://mirrors.yun-idc.com/epel/6server/x86_64/epel-release-6-8.noarch.rpm
2. Install the SaltStack master server
    [root@hzbj-salt-020 ~]# yum -y install salt-master
    [root@hzbj-salt-020 ~]# chkconfig salt-master on
    [root@hzbj-salt-020 ~]# service salt-master start
3. Install the controlled side (minion)
    [root@hzbj-tomcat-021 ~]# yum -y install salt-minion
    [root@hzbj-tomcat-021 ~]# chkconfig salt-minion on
    [root@hzbj-tomcat-021 ~]# service salt-minion start
4. SaltStack firewall configuration
If the master has a firewall enabled, rules opening TCP ports 4505 and 4506 must be added on the master side; the controlled side needs no firewall configuration. The reason is that the controlled side establishes a long-lived connection directly to ZeroMQ on the master, then receives the broadcast task information and executes it. The specific operation is to add two iptables rules:
    [root@hzbj-salt-020 ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 4505 -j ACCEPT
    [root@hzbj-salt-020 ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 4506 -j ACCEPT
5. SaltStack configuration and installation verification
SaltStack has two roles, the master (controlling side) and the minion (controlled side). After installation, the configuration file for each role must be modified, as described below.
a) Master configuration
Update the key configuration items on the master:
    [root@hzbj-salt-020 ~]# vim /etc/salt/master
    # Bind the master communication IP
    interface: 192.168.56.20
    # Automatic authentication; you can also choose not to enable it
    auto_accept: True
    # Specify the SaltStack file root location
    file_roots:
      base:
        - /srv/salt
b) Restart the SaltStack master
    [root@hzbj-salt-020 ~]# service salt-master restart
c) Minion (controlled side) configuration
    # /etc/salt/minion
    # Address of the master
    master: 192.168.56.20
    # Set the ID that identifies this controlled host; using the operating system hostname is recommended (likewise on the other hosts)
    id: hzbj-tomcat-021
d) Restart the minion
    service salt-minion restart
e) Verify the installation
The ping method of the test module confirms that the trust relationship and connectivity between the specified controlled host and the master are working; to probe all controlled hosts, use '*' as the target.
    [root@hzbj-salt-020 ~]# salt '*' test.ping
    hzbj-tomcat-021:
        True
    hzbj-tomcat-022:
        True
6. Master and minion authentication process
(1) On first start, the minion automatically generates minion.pem (private key) and minion.pub (public key) under /etc/salt/pki/minion/ (the path is set in /etc/salt/minion), then sends minion.pub to the master.
(2) After receiving the minion's public key, the master accepts it with the salt-key command. The public key is then stored under /etc/salt/pki/master/minions on the master, in a file named after the minion ID, and the master can send instructions to the minion.
7. Master connection to the minion
(1) After starting, the SaltStack master listens on two ports by default, 4505 and 4506. 4505 (publish_port) is SaltStack's message publishing system; 4506 (ret_port) is the port on which SaltStack clients communicate with the server. If you use lsof to view port 4505, you will find that all minions remain in the ESTABLISHED state on port 4505.
Tip: When auto_accept: True is not configured in /etc/salt/master, you need to use the salt-key command to perform the key authentication operations. The specific operations are as follows:
- salt-key -L: shows the IDs of authenticated and unauthenticated controlled hosts; Accepted Keys is the authenticated list, Unaccepted Keys is the unauthenticated list;
- salt-key -D: remove the ID certificates of all authenticated hosts
- salt-key -d ID: delete a single ID certificate
- salt-key -A: accept all ID certificate requests
- salt-key -a ID: accept a single ID certificate request
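Once a key is accepted, the master trusts whatever public key arrived under that minion ID, and auto_accept: True accepts it without any review. The following added example (not part of the original article or of Salt itself) audits the master's pki directory against key digests collected out of band from each minion. The minions_pre (pending) and minions (accepted) subdirectories are Salt's standard layout; the digest format, function names and sample key text are assumptions constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

STATES = ("minions_pre", "minions")  # pending and accepted keys under the master pki dir

def key_digest(pem_text: str) -> str:
    """SHA-256 of a public key with line endings and padding whitespace normalised."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    return hashlib.sha256("\n".join(lines).encode("ascii")).hexdigest()

def audit_keys(pki_dir: Path, inventory: dict) -> dict:
    """Map (state, minion_id) -> 'match' | 'mismatch' | 'unknown'."""
    verdicts = {}
    for state in STATES:
        state_dir = pki_dir / state
        if not state_dir.is_dir():
            continue
        for key_file in sorted(state_dir.iterdir()):
            minion_id = key_file.name  # the key file is named after the minion ID
            expected = inventory.get(minion_id)
            if expected is None:
                verdict = "unknown"    # an ID nobody enrolled
            elif hmac.compare_digest(expected, key_digest(key_file.read_text())):
                verdict = "match"
            else:
                verdict = "mismatch"   # known ID presenting a different key
            verdicts[(state, minion_id)] = verdict
    return verdicts

def demo() -> dict:
    """Audit a constructed pki tree (placeholder key text, not real RSA keys)."""
    pem = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----\n"
    good_021, good_022, rogue = pem.format("AAAA021"), pem.format("AAAA022"), pem.format("ZZZZ")
    inventory = {"hzbj-tomcat-021": key_digest(good_021),
                 "hzbj-tomcat-022": key_digest(good_022)}
    with tempfile.TemporaryDirectory() as tmp:
        pki = Path(tmp)
        for state in STATES:
            (pki / state).mkdir()
        (pki / "minions" / "hzbj-tomcat-021").write_text(good_021)
        (pki / "minions_pre" / "hzbj-tomcat-022").write_text(rogue)  # ID reused with another key
        (pki / "minions_pre" / "unlisted-host").write_text(rogue)
        return audit_keys(pki, inventory)

if __name__ == "__main__":
    for (state, minion_id), verdict in demo().items():
        print(f"{state:12} {minion_id:18} {verdict}")
```

On a real master, pass Path("/etc/salt/pki/master") and digests computed with key_digest() from each minion's own minion.pub. An entry reported as mismatch or unknown is a candidate for salt-key -d ID rather than salt-key -a ID.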
Saltstack Server Basic Installation