
Detailed explanation of Saltstack usage in Operation and maintenance Automation

2025-01-16 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

Summary

Saltstack is a batch management tool written in Python and based on a C/S (client/server) architecture. Underneath, it uses a dynamic connection bus (ZeroMQ message queue, pub/sub communication) and SSL certificate issuance for authentication management, so it can be used for deployment, remote execution, configuration management and so on. It is easy to deploy and can be running in a few minutes, scales well enough to manage tens of thousands of servers, and is fast enough that communication completes in seconds. ZeroMQ, known as the fastest message queue in the world, lets saltstack manage a large number of servers very quickly; identity is confirmed with RSA keys and transmission is encrypted with AES, which ensures its security.

Saltstack is developed in Python and is a very easy-to-use and lightweight management tool. It is composed of Master and Minion and communicates through ZeroMQ.

SaltStack is implemented in Python, combined with a lightweight message queue (ZeroMQ) and Python third-party modules (PyZMQ, PyCrypto, Jinja2, python-msgpack, PyYAML, etc.). It has the following characteristics:

(1) simple and convenient deployment

(2) support most UNIX/Linux and Windows environments

(3) Master-slave centralized management

(4) simple configuration, powerful function and strong expansibility

(5) the controlling end (master) and the controlled end (minion) authenticate each other with certificates, which makes it safe and reliable.

(6) support API and custom modules, which can be easily extended through Python.

The master end of Saltstack listens on ports 4505 and 4506: 4505 is salt's message publishing system, and 4506 is the port for communication between the salt client and the server; the salt client program does not listen on any port. After the client starts, it actively connects to the Master to register and then keeps the TCP connection open all the time. The Master controls the client through this TCP connection; if the connection drops, the master can do nothing with the client. Of course, if the client detects that it has been disconnected, it reconnects to the master side at regular intervals.

Core function

1. Make commands sent to the remote system in parallel rather than serial

2. Use secure encryption protocols

3. Use the smallest and fastest network load

4. Provide a simple programming interface

Architecture

Saltstack is based on the C/S service model, in which the server is called the Master and the client is called the Minion. In the traditional C/S mode, the client sends a request to the server; the server receives the request, processes it, and returns a result to the client. The saltstack architecture has not only the traditional C/S service model but also the publish/subscribe (pub/sub) service model of a message queue. At present, we generally use its C/S architecture for batch management.

1) Master: control center, salt command operation and resource status management

2) Minion: the client machine to be managed; it actively connects to the Master end and gets resource status from the Master side

3) Information: synchronizes resource management information

4) States: instruction set for configuration management

5) Modules: an instruction module used on the command line and in the configuration file, which can be run on the command line

6) Grains: static variables on the minion side

7) Pillar: variables on the minion side that are more private and dynamic; they can be synchronized to minions through definitions in configuration files.

8) highstate: permanently adds state for the minion, read from the sls configuration files; that is, it synchronizes the state configuration

9) salt_schedule: automatically maintains the client configuration

Saltstack installation

There are four ways to install. Here is a brief introduction to deploying SaltStack on CentOS 6.8 through a case study.

(1) yum installation (using the saltstack repository). This method is recommended; it is simple and direct. Note: if the saltstack repository is not configured, configure it first.

Version 7:

rpm --import https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub

Version 6:

rpm --import https://repo.saltstack.com/yum/redhat/6/x86_64/latest/SALTSTACK-GPG-KEY.pub

Save the following file to /etc/yum.repos.d/saltstack.repo:

Version 7 and 6:

[saltstack-repo]
name=SaltStack repo for RHEL/CentOS $releasever
baseurl=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest
enabled=1
gpgcheck=1
gpgkey=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/SALTSTACK-GPG-KEY.pub

After adding the saltstack repository, use the yum command to check that it appears in the repository list.

yum repolist

Master side installation:

yum -y install salt-master

Minion side installation:

yum -y install salt-minion

Configure and start Saltstack

The configuration of Salt is very simple. The default master configuration works in most cases. The only thing that needs to be changed is the minion: set the address of the master in the minion configuration file.

The configuration files are installed to /etc/salt and are named after the respective components: /etc/salt/master and /etc/salt/minion.

MASTER configuration

The default Salt master listens on ports 4505 and 4506 of all network interfaces (0.0.0.0). If you need to specify a listening IP, modify the "interface" directive in the /etc/salt/master configuration file as follows:

-#interface: 0.0.0.0
+interface: 10.0.0.1    # the address the server listens on
auto_accept: True       # automatically accept the keys sent by clients; if there are many servers, you need to enable this function

MINION configuration

Although Salt Minion has many configuration options, configuring a Minion is very simple. By default the Minion tries to connect to a master with the DNS name "salt"; if that name resolves to the correct address, no configuration is needed.

If the DNS name "salt" does not resolve to the correct Master address, modify the "master" directive in the /etc/salt/minion configuration file as follows:

-#master: salt
+master: 10.0.0.1    # change this to your master server address
id: web01            # it is recommended to set this to the hostname so the master can tell minions apart

Add the following at the end of the configuration file to synchronize with the master configuration every 5 minutes automatically, which is equivalent to executing salt-call state.highstate on the client or salt '*' state.highstate on the server:

schedule:
  highstate:
    function: state.highstate
    minutes: 5

After updating the configuration, you need to restart Salt minion for the configuration to take effect.

Run Saltstack

1. Start the master in the foreground (add the -d parameter to start it in daemon mode): salt-master

2. Start the minion in the foreground (add the -d parameter to start it in daemon mode): salt-minion

Is there something wrong with the operation?

The easiest way to troubleshoot Salt is to run the master and minion in the foreground with the log level set to debug:

salt-master --log-level=debug

Run as a normal (non-root) user:

To run Salt as a different user, see the `user` parameter in the master configuration file.

Additionally, ownership and permissions need to be set such that the desired user can read from and write to the following directories (and their subdirectories, where applicable):

/etc/salt

/var/cache/salt

/var/log/salt

/var/run/salt

More information on how to run salt with unprivileged users can be found here.
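As an added example (not part of the original article), the following Python script checks the four directories listed above for the account named in the master's `user` setting, reporting a missing directory, a directory owned by someone else, or one whose owner lacks read/write/search permission. The constructed demo directories and the helper names are assumptions of this example, not Salt's own code.

```python
import os
import pwd
import stat
import tempfile

# Directories the article lists as needing read/write access for the
# user named in the master's `user` setting.
SALT_DIRS = ["/etc/salt", "/var/cache/salt", "/var/log/salt", "/var/run/salt"]


def check_dir_for_user(path, user):
    """Problems that would stop `user` (name or uid) using one directory:
    the user or directory is missing, the directory is owned by someone
    else, or the owner lacks read/write/search permission."""
    try:
        uid = user if isinstance(user, int) else pwd.getpwnam(user).pw_uid
    except KeyError:
        return [f"user {user} does not exist"]
    if not os.path.isdir(path):
        return [f"{path} is missing"]
    st = os.stat(path)
    problems = []
    if st.st_uid != uid:
        problems.append(f"{path} is owned by uid {st.st_uid}, not {user}")
    if st.st_mode & stat.S_IRWXU != stat.S_IRWXU:
        problems.append(f"{path} lacks owner rwx (mode {oct(st.st_mode & 0o777)})")
    return problems


def check_salt_dirs(user, dirs=SALT_DIRS):
    """Map each problematic directory to its problems; {} means all good."""
    return {d: p for d in dirs if (p := check_dir_for_user(d, user))}


def current_uid():
    return os.getuid()


def make_demo_dirs():
    """Constructed demo layout: a usable dir, a read-only dir, a missing one."""
    tmp = tempfile.mkdtemp()
    ok, ro = os.path.join(tmp, "salt-ok"), os.path.join(tmp, "salt-ro")
    os.mkdir(ok, 0o750)
    os.mkdir(ro, 0o500)  # owner cannot write: Salt could not create its files here
    return ok, ro, os.path.join(tmp, "salt-missing")


if __name__ == "__main__":
    ok, ro, missing = make_demo_dirs()
    print(check_salt_dirs(current_uid(), [ok, ro, missing]))
```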

Salt-key Certificate Management:

Master certificate storage path: /etc/salt/pki/master/minions

Note: if you look closely, you will find that lowercase options act on a single object and uppercase options act on all. For example, -l shows a single key and -L shows all keys; -a accepts the specified key, while -A accepts all keys.

Saltstack authentication principle:

1) when a minion starts for the first time, it automatically generates minion.pem (private key) and minion.pub (public key) under /etc/salt/pki/minion/ (the path is set in /etc/salt/minion), and then sends minion.pub to the master.

2) after receiving the minion's public key, the master uses the salt-key command to accept it; the public key, named after the minion id, is then stored under /etc/salt/pki/master/minions on the master, and the master can send instructions to the minion.

salt-key -L # lists all received certificates

salt-key -a # accepts a single certificate

salt-key -A # accepts all certificates

salt-key -d # deletes a single certificate

salt-key -D # deletes all certificates

Communication between the Salt Master and Minion is encrypted with AES. This ensures that commands sent to minions cannot be tampered with, and authentication between Master and Minion is managed through trusted, accepted keys.

Before sending anything to a Minion, make sure the minion's key has been accepted by the Master. Running the command salt-key lists all keys known to the Salt Master.

[root@master ~]# salt-key -L
Unaccepted Keys:
alpha
bravo
charlie
delta
Accepted Keys:
[root@master ~]# salt-key -A -y
[root@master ~]# salt-key -L
Unaccepted Keys:
Accepted Keys:
alpha
bravo
charlie
delta
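As an added example (not part of the original article), the following Python script parses the plain salt-key -L listing shown above and accepts a pending minion only when the fingerprint of its pending key matches the value the minion's owner reports out of band (salt-call key.finger on the minion, compared with salt-key -f on the master), which is exactly the check that the auto_accept: True setting discussed earlier skips. The sample key bytes are constructed, and the fingerprint format (hash of the PEM bytes with the hex digest split into colon-separated pairs, hash type following the master's hash_type setting) is assumed from Salt's behaviour rather than taken from the page.

```python
import hashlib

# Constructed stand-in for a pending key file such as
# /etc/salt/pki/master/minions_pre/alpha (not a real RSA key).
SAMPLE_PUB = b"""-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKsAMPLEKEYMATERIALxxxxxxxxxxxxxx
-----END PUBLIC KEY-----
"""


def pem_finger(key_bytes, sum_type="sha256"):
    """Fingerprint in the colon-separated form printed by `salt-key -f <id>`
    and `salt-call key.finger` (assumption: hash of the raw PEM bytes, hex
    digest split into byte pairs; sum_type follows the master's hash_type)."""
    digest = hashlib.new(sum_type, key_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_salt_key_listing(text):
    """Parse plain `salt-key -L` output into {status: [minion ids]},
    e.g. {"Unaccepted": ["alpha", "bravo"], "Accepted": []}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(" Keys:"):
            current = line[:-len(" Keys:")]
            result[current] = []
        elif current is not None:
            result[current].append(line)
    return result


def approve_if_match(minion_id, key_bytes, expected_finger):
    """Return the salt-key command to run only when the fingerprint reported
    out of band by the minion's owner matches the pending key; None means
    do not accept (wrong key, a typo, or a host impersonating the minion)."""
    if pem_finger(key_bytes).lower() != expected_finger.strip().lower():
        return None
    return ["salt-key", "-a", minion_id, "-y"]


if __name__ == "__main__":
    listing = "Unaccepted Keys:\nalpha\nbravo\nAccepted Keys:\n"
    pending = parse_salt_key_listing(listing)["Unaccepted"]
    claimed = pem_finger(SAMPLE_PUB)  # what the owner of "alpha" reported
    for mid in pending:
        print(mid, approve_if_match(mid, SAMPLE_PUB, claimed))
```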

Send test.ping instruction

[root@moban ~]# salt '*' test.ping
moban2:
    True
moban1:
    True

Limited to the length of space, please move here to download and check, thank you!

Download address: http://down.51cto.com/data/2306388
