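SaltStack Basics - 02 Installation and Configuration
I. Installation
1.1 Initialize the system and install the yum repository
Initialization: set the hostname, configure the network, disable the firewall, disable SELinux
### Look up the repo file on the official site: https://repo.saltproject.io/#rhel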
[root@cl-server ~]# rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
[root@cl-server ~]# curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo
[root@cl-server salt]# yum -y install https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
[root@cl-server salt]# sed -i "s/repo.saltstack.com/mirrors.aliyun.com\/saltstack/g" /etc/yum.repos.d/salt-latest.repo
[root@cl-server salt]# cat /etc/yum.repos.d/salt-latest.repo
[salt-latest]
name=SaltStack Latest Release Channel for RHEL/Centos $releasever
baseurl=https://mirrors.aliyun.com/saltstack/yum/redhat/7/$basearch/latest
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key
1.2 Install the salt master
[root@cl-server ~]# yum install salt-master
[root@cl-server ~]# systemctl start salt-master
[root@cl-server ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 959/sshd
tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN 1875/python3
tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN 1881/python3
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 957/rsyslogd
[root@cl-server ~]# salt-master --version
salt-master 3003.1
1.3 Install the salt minion
[root@cl-node03 ~]# yum install salt-minion
### Edit /etc/salt/minion to point at the salt-master; set id, the name under which this minion is managed
[root@cl-node03 ~]# vi /etc/salt/minion
master: 192.168.234.6
id: minion-192-168-234-13
[root@cl-node03 ~]# systemctl start salt-minion
[root@cl-server ~]# netstat -ano | grep 4506
tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 192.168.234.6:4506 192.168.234.13:28418 ESTABLISHED off (0.00/0/0)
[root@cl-server ~]# netstat -ano | grep 4505
tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 192.168.234.6:4505 192.168.234.13:38363 ESTABLISHED keepalive (164.53/0/0)
1.4 Commands
[root@cl-server salt]# salt
salt salt-cp salt-master salt-proxy salt-unity
salt-call salt-key salt-minion salt-run
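II. Master and Minion Authentication
2.1 How authentication works
- Salt encrypts the data exchanged between master and minion with AES. To ensure that commands sent to a minion cannot be tampered with, authentication between master and minion relies on trusted, accepted keys.
- On first start, a minion automatically generates minion.pem (private key) and minion.pub (public key) under /etc/salt/pki/minion/, then sends minion.pub to the master.
- After receiving the minion's public key, the master accepts it with the salt-key command.
- The accepted public key is then stored on the master under /etc/salt/pki/master/minions, in a file named after the minion id, and the master can send commands to that minion.
2.2 Key management
[root@cl-server system]# salt-key -L ### List the current keys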
Accepted Keys:
cl-node01
cl-node02
cl-node03
cl-server
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@cl-server ~]# salt-key -a cl-node01 ### Accept the authentication request from salt-minion1; once accepted, a minion_master.pub file appears in /etc/salt/pki/minion on the client
[root@cl-server ~]# salt-key -A ### Accept all pending minion authentication requests
[root@cl-server ~]# salt-key -d cl-server ### Delete an existing minion
The following keys are going to be deleted:
Accepted Keys: cl-server
Proceed? [N/y] y
Key for minion cl-server deleted.
[root@cl-server ~]# salt-key -D ### Delete all minions
[root@cl-server ~]# salt-key -A
The key glob '*' does not match any unaccepted keys.
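2.3 Automatically accepting minion authentication requests
auto_accept: True ### When set to True, minion keys are accepted automatically, so there is no need to run salt-key manually to trust them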
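With auto_accept or salt-key -A, every host that can reach the master gets its key trusted. The following added example (not part of the original article) accepts a pending key only when its fingerprint equals the one read on the minion itself with `salt-call --local key.finger`; the listing format, the inventory of expected fingerprints and all fingerprint values are constructed assumptions.

```python
import hashlib
import hmac
import re


def _constructed_fp(seed):
    """Build a sample fingerprint in aa:bb:... form (constructed, not a real key)."""
    h = hashlib.sha256(seed.encode()).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


# Fingerprints recorded out of band when each host was provisioned, e.g. by
# running `salt-call --local key.finger` on the minion (hypothetical inventory).
EXPECTED = {
    "cl-node01": _constructed_fp("node01-key"),
    "cl-node02": _constructed_fp("node02-key"),
}

# Constructed stand-in for the fingerprint listing printed by `salt-key -F`
# on the master (assumed layout: a "<state> Keys:" header, then "id:  fp" lines).
SAMPLE_LISTING = f"""\
Accepted Keys:
cl-server:  {_constructed_fp("server-key")}
Unaccepted Keys:
cl-node01:  {_constructed_fp("node01-key").upper()}
cl-node02:  {_constructed_fp("some-other-key")}
cl-node99:  {_constructed_fp("node99-key")}
"""

SECTION = re.compile(r"^(\w+) Keys:$")
ENTRY = re.compile(r"^(\S+):\s+([0-9A-Fa-f:]+)$")


def parse_key_listing(text):
    """Return {section: {minion_id: fingerprint}} from a salt-key style listing."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            current = result.setdefault(m.group(1).lower(), {})
        elif (m := ENTRY.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).lower()
    return result


def triage_pending(listing, expected):
    """Sort pending keys into accept / mismatch / unknown by fingerprint."""
    decision = {"accept": [], "mismatch": [], "unknown": []}
    pending = parse_key_listing(listing).get("unaccepted", {})
    for minion_id, seen in sorted(pending.items()):
        want = expected.get(minion_id)
        if want is None:
            # No provisioning record: hold for manual review.
            decision["unknown"].append(minion_id)
        elif hmac.compare_digest(seen, want.lower()):
            decision["accept"].append(minion_id)
        else:
            # Known id, different key: the key was regenerated or the id is
            # being claimed by another host.
            decision["mismatch"].append(minion_id)
    return decision


if __name__ == "__main__":
    for bucket, ids in triage_pending(SAMPLE_LISTING, EXPECTED).items():
        print(f"{bucket}: {ids}")
    # Only the ids under "accept" would then be passed to `salt-key -a <id>`.
```
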
2.4 Test the authentication result
[root@cl-server ~]# salt '*' test.ping
cl-node01:
True
cl-node02:
True
cl-server:
True
cl-node03:
True
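III. The salt command
### salt command format
[root@cl-server ~]# salt
Usage: salt [options] '<target>' <function> [arguments]
target: the targets the salt command runs on; regular expressions can be used
function: the function to run, provided by a module
arguments: arguments to the function
3.1 Print summary information: --summary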
[root@cl-server ~]# salt --summary '*' cmd.run 'uptime'
cl-node02:
13:59:48 up 2:12, 1 user, load average: 0.00, 0.01, 0.05
cl-node01:
13:59:48 up 3:19, 1 user, load average: 0.05, 0.03, 0.05
cl-node03:
Minion did not return. [Not connected]
-------------------------------------------
Summary
-------------------------------------------
# of minions targeted: 3
# of minions returned: 2
# of minions that did not return: 1
# of minions with errors: 0
-------------------------------------------
ERROR: Minions returned with non-zero exit code
3.2 Control the output format: json / yaml
[root@cl-server ~]# salt 'cl-node02' cmd.run_all 'hostname'
cl-node02:
    ----------
    pid:
        2730
    retcode:
        0
    stderr:
    stdout:
        cl-node02
[root@cl-server ~]# salt --out=json 'cl-node02' cmd.run_all 'hostname'
{
    "cl-node02": {
        "pid": 2708,
        "retcode": 0,
        "stderr": "",
        "stdout": "cl-node02"
    }
}
[root@cl-server ~]# salt --out=yaml 'cl-node02' cmd.run_all 'hostname'
cl-node02:
  pid: 2725
  retcode: 0
  stderr: ''
  stdout: cl-node02
3.3 Asynchronous execution
[root@cl-server ~]# salt --async cl-node01 cmd.run "echo 'test'"
Executed command with job ID: 20211217073240073240
[root@cl-server ~]# salt-run jobs.lookup_jid 20211217073240073240
cl-node01:
test
[root@cl-server ~]# salt -v cl-node01 test.ping
Executing job with jid 20211217073355435318
-------------------------------------------
cl-node01:
True
IV. Host inventory: targets
4.1 Regular expressions and globs
[root@cl-server ~]# salt -E 'cl-node*' test.ping
[root@cl-server ~]# salt '*' test.ping
[root@cl-server ~]# salt '*.example.net' test.ping
[root@cl-server ~]# salt '*.example.*' test.ping
[root@cl-server ~]# salt 'web?.example.net' test.ping
[root@cl-server ~]# salt 'web[1-5]' test.ping
[root@cl-server ~]# salt 'web[1,3]' test.ping
[root@cl-server ~]# salt 'web-[x-z]' test.ping
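How the patterns above are evaluated, as an added example (not part of the original article): without -E the target is a shell-style glob over the whole minion id, with -E it is a regular expression matched from the start of the id. The sketch assumes these semantics correspond to Python's fnmatch and re.match; the minion ids are constructed.

```python
import fnmatch
import re

# Constructed inventory of accepted minion ids (not the page's hosts only).
MINION_IDS = [
    "cl-node01", "cl-node02", "cl-nod", "cl-node-db",
    "web1", "web3", "web,", "web13", "web-x",
    "web1.example.net", "web1.example.net.old",
]


def match_glob(pattern, ids=MINION_IDS):
    """Default targeting: the glob must match the whole minion id."""
    return [m for m in ids if fnmatch.fnmatchcase(m, pattern)]


def match_pcre(pattern, ids=MINION_IDS):
    """-E targeting: regex anchored at the start of the id only."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return []  # e.g. '*' is a valid glob but not a valid regex
    return [m for m in ids if rx.match(m)]


def preview(pattern):
    """Show what each interpretation selects and where they disagree."""
    g, p = set(match_glob(pattern)), set(match_pcre(pattern))
    return {"glob": sorted(g), "pcre": sorted(p), "differ": sorted(g ^ p)}


if __name__ == "__main__":
    # 'cl-node*' as a regex means "cl-nod" followed by any number of "e",
    # so it also selects the id "cl-nod".
    print(preview("cl-node*"))
    # In a glob, [1,3] is a character class containing '1', ',' and '3'.
    print(match_glob("web[1,3]"))
    # Without a trailing '$' a regex selects every id with that prefix.
    print(match_pcre("web[1-5]"))
    print(match_pcre(r"web1\.example\.net$"))
```

Before running a state or cmd.run against a new pattern, the --preview-target option listed in the salt -h output shows the minions a target is expected to match without issuing any command.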
4.2 Lists
[root@cl-server ~]# salt -L cl-node02,cl-node03 test.ping
4.3 Grains matching
[root@cl-server ~]# salt -G 'os:CentOS' test.ping
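### os:CentOS (present by default) is a grains key/value pair. Grains data is stored as YAML on the minion and can be edited directly on the minion in /etc/salt/grains (YAML format).
### Alternatively, run salt '*' grains.setval key "{'sub-key': 'val', 'sub-key2': 'val2'}" on the master.
### For details see the documentation (run salt '*' sys.doc grains)
4.4 Compound matching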
[root@cl-server ~]# salt -C 'G@os:CentOS or L@cl-node01' test.ping
[root@cl-server ~]# salt -C 'cl-node02 or L@cl-node01' test.ping
4.5 Nodegroup matching
[root@cl-server ~]# cd /etc/salt/master.d/
[root@cl-server master.d]# vi nodegroups.conf
[root@cl-server master.d]# cat nodegroups.conf
nodegroups:
  webserver: 'L@cl-node01,cl-node02'
  dbserver: 'cl-node03'
  centos: 'G@os:CentOS'
  multi: 'G@os:CentOS and G@hello:world'
### L@ specifies multiple minion ids separated by commas
### G@ matches grain data; G@os:CentOS matches when the os grain contains the value CentOS
### and joins the two G@ matchers: the os grain must be CentOS and the hello grain must be world
[root@cl-server master.d]# salt -N webserver test.ping
4.6 Pillar value matching
### Set pillar_roots in /etc/salt/master; pillar data is stored as YAML on the master
[root@cl-server ~]# cd /application/salt/pillar/
[root@cl-server pillar]# cat lvsserver.sls
lvsserver: lvsserver
[root@cl-server pillar]# vi top.sls
base:
  'cl-node01':
    - lvsserver
[root@cl-server ~]# salt '*' saltutil.refresh_pillar
[root@cl-server ~]# salt -I 'lvsserver:lvsserver' test.ping
4.7 CIDR / IP matching
[root@cl-server ~]# salt -S '192.168.234.0/24' test.ping
V. Configuration files
5.1 Structure of the master configuration file
[root@cl-server salt]# grep '^####' master
##### Primary configuration settings #####
##########################################
##### Large-scale tuning settings #####
##########################################
##### Security settings #####
##########################################
##### Salt-SSH Configuration #####
##########################################
##### Master Module Management #####
##########################################
##### State System settings #####
##########################################
##### File Server settings #####
##########################################
##### Pillar settings #####
##########################################
###### Reactor Settings #####
###########################################
##### Syndic settings #####
##########################################
##### Peer Publish settings #####
##########################################
##### Mine settings #####
#####################################
##### Logging settings #####
##########################################
##### Node Groups ######
##########################################
##### Range Cluster settings #####
##########################################
##### Windows Software Repo settings #####
###########################################
##### Windows Software Repo settings - Pre 2015.8 #####
########################################################
##### Returner settings ######
############################################
###### Miscellaneous settings ######
############################################
###### Keepalive settings ######
############################################
##### NetAPI settings #####
############################################
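5.1 Set the root directory for sls files
file_roots:
  base:
    - /application/salt
5.2 Restrict what system accounts are allowed to do
- Salt's external authentication supports PAM; the PAM mechanism can be used to restrict which operations a system account may perform. The module it depends on is salt.states.external_auth.
- root must not be used as the authenticating user.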
[root@cl-server salt]# vi /etc/salt/master
external_auth:
  pam:
    salt:
      - '*' ### the salt user can manage all hosts and use every salt function
    adminx:
      - test.* ### the adminx user can manage all hosts and use every function of the test module
    soupman:
      - 'L@cl-node01,cl-node02':
        - test.ping ### the soupman user can manage specific hosts and use the test.ping function
[soupman@cl-server ~]$ salt -a pam cl-node01 test.ping
username: soupman
password:
cl-node01:
True
[soupman@cl-server ~]$ salt -a pam cl-node02 cmd.run 'ip a'
username: soupman
password:
Authorization error occurred.
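A simplified model of how the external_auth block above is evaluated, as an added example (not Salt's own code and not part of the original article): it reproduces the two outcomes shown for soupman and lists the grants that allow arbitrary command execution. Treating function patterns as globs, handling only `L@` lists and plain ids as targets, and the SHELL_EQUIVALENT list are simplifying assumptions.

```python
import fnmatch

# The page's external_auth block as it looks after YAML parsing.
EXTERNAL_AUTH = {
    "pam": {
        "salt": ["*"],
        "adminx": ["test.*"],
        "soupman": [{"L@cl-node01,cl-node02": ["test.ping"]}],
    }
}

# Functions that amount to a root shell on the minion (illustrative, not exhaustive).
SHELL_EQUIVALENT = ("cmd.run", "cmd.script", "state.apply", "file.write")


def _target_allowed(rule_target, minion_id):
    """Match a minion id against a rule target: an 'L@a,b' list or a glob."""
    if rule_target.startswith("L@"):
        return minion_id in rule_target[2:].split(",")
    return fnmatch.fnmatchcase(minion_id, rule_target)


def is_authorized(acl, eauth, user, minion_id, fun):
    """True if `user` may run `fun` on `minion_id` under this ACL."""
    for rule in acl.get(eauth, {}).get(user, []):
        if isinstance(rule, str):
            # Bare pattern: applies to every minion.
            if fnmatch.fnmatchcase(fun, rule):
                return True
        else:
            # {target: [function patterns]}: target and function must both match.
            for tgt, funs in rule.items():
                if _target_allowed(tgt, minion_id) and any(
                    fnmatch.fnmatchcase(fun, f) for f in funs
                ):
                    return True
    return False  # default deny: unknown user, target or function


def risky_grants(acl):
    """List (eauth, user, pattern) grants that permit a shell-equivalent function."""
    found = []
    for eauth, users in acl.items():
        for user, rules in users.items():
            for rule in rules:
                if isinstance(rule, str):
                    patterns = [rule]
                else:
                    patterns = [f for funs in rule.values() for f in funs]
                for pat in patterns:
                    if any(fnmatch.fnmatchcase(s, pat) for s in SHELL_EQUIVALENT):
                        found.append((eauth, user, pat))
    return found


if __name__ == "__main__":
    # The two requests from the transcript above.
    print(is_authorized(EXTERNAL_AUTH, "pam", "soupman", "cl-node01", "test.ping"))
    print(is_authorized(EXTERNAL_AUTH, "pam", "soupman", "cl-node02", "cmd.run"))
    print(risky_grants(EXTERNAL_AUTH))
```
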
VI. Other salt commands
6.1 salt-run
[root@cl-server salt]# salt-run manage.up ### List minions that are up
- cl-node01
[root@cl-server salt]# salt-run manage.down ### List minions that are down
- cl-node02
- cl-node03
[root@cl-server salt]# salt-run manage.status ### Show the status of all minions
down:
- cl-node02
- cl-node03
up:
- cl-node01
[root@cl-server salt]# salt-run manage.versions ### Show the salt version of the master and the minions
Master:
3003.1
Minion offline:
----------
cl-node02:
False
cl-node03:
False
Minion requires update:
----------
cl-node01:
3000.9
[root@cl-server salt]#
VII. SaltStack service processes
7.1 salt-master process relationships
1 -> 957(ProcessManager) -> 1688(ZeroMQPubServerChannel, port 4505) / 1772(ReqServer_ProcessManager) -> 1773(MWorkerQueue, port 4506)
[root@cl-server fd]# ps -ef | grep salt
root 957 1 0 10:15 ? 00:00:03 /usr/bin/python3 /usr/bin/salt-master ProcessManager
root 1310 957 0 10:15 ? 00:00:00 /usr/bin/python3 /usr/bin/salt-master MultiprocessingLoggingQueue
root 1688 957 0 10:15 ? 00:00:00 /usr/bin/python3 /usr/bin/salt-master ZeroMQPubServerChannel
root 1712 957 0 10:15 ? 00:00:00 /usr/bin/python3 /usr/bin/salt-master EventPublisher
root 1769 957 0 10:15 ? 00:00:05 /usr/bin/python3 /usr/bin/salt-master Maintenance
root 1772 957 0 10:15 ? 00:00:00 /usr/bin/python3 /usr/bin/salt-master ReqServer_ProcessManager
root 1773 1772 5 10:15 ? 00:01:12 /usr/bin/python3 /usr/bin/salt-master MWorkerQueue
root 1780 1772 0 10:15 ? 00:00:02 /usr/bin/python3 /usr/bin/salt-master MWorker-0
root 1783 1772 0 10:15 ? 00:00:02 /usr/bin/python3 /usr/bin/salt-master MWorker-1
root 1790 1772 0 10:15 ? 00:00:02 /usr/bin/python3 /usr/bin/salt-master MWorker-2
root 1791 1772 0 10:15 ? 00:00:02 /usr/bin/python3 /usr/bin/salt-master MWorker-3
root 1799 957 0 10:15 ? 00:00:00 /usr/bin/python3 /usr/bin/salt-master FileserverUpdate
root 1801 1772 0 10:15 ? 00:00:02 /usr/bin/python3 /usr/bin/salt-master MWorker-4
root 5506 4971 0 10:37 pts/0 00:00:00 grep --color=auto salt
[root@cl-server fd]# netstat -anop | grep salt
tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN 1688/salt-master Ze off (0.00/0/0)
tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN 1773/salt-master MW off (0.00/0/0)
tcp 0 0 192.168.234.6:4505 192.168.234.11:38677 ESTABLISHED 1688/salt-master Ze keepalive (28.60/0/0)
udp 0 0 192.168.234.6:43893 114.114.114.114:53 ESTABLISHED 1769/salt-master Ma off (0.00/0/0)
unix 2 [ ACC ] STREAM LISTENING 29195 1712/salt-master Ev /var/run/salt/master/master_event_pub.ipc
unix 2 [ ACC ] STREAM LISTENING 29197 1712/salt-master Ev /var/run/salt/master/master_event_pull.ipc
unix 2 [ ACC ] STREAM LISTENING 29240 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 2 [ ACC ] STREAM LISTENING 30560 1688/salt-master Ze /var/run/salt/master/publish_pull.ipc
unix 3 [ ] STREAM CONNECTED 51752 1801/salt-master MW
unix 3 [ ] STREAM CONNECTED 50468 1712/salt-master Ev /var/run/salt/master/master_event_pull.ipc
unix 3 [ ] STREAM CONNECTED 55813 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 3 [ ] STREAM CONNECTED 50700 1712/salt-master Ev /var/run/salt/master/master_event_pull.ipc
unix 3 [ ] STREAM CONNECTED 49504 1712/salt-master Ev /var/run/salt/master/master_event_pull.ipc
unix 3 [ ] STREAM CONNECTED 49501 1783/salt-master MW
unix 3 [ ] STREAM CONNECTED 51753 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 3 [ ] STREAM CONNECTED 49507 1783/salt-master MW
unix 3 [ ] STREAM CONNECTED 50699 1783/salt-master MW
unix 3 [ ] STREAM CONNECTED 55812 1780/salt-master MW
unix 3 [ ] STREAM CONNECTED 28143 957/salt-master Pro
unix 3 [ ] STREAM CONNECTED 49502 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 3 [ ] STREAM CONNECTED 53702 1790/salt-master MW
unix 3 [ ] STREAM CONNECTED 55814 1791/salt-master MW
unix 3 [ ] STREAM CONNECTED 53703 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 3 [ ] STREAM CONNECTED 55815 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 3 [ ] STREAM CONNECTED 50465 1783/salt-master MW
7.2 Files opened by the process
[root@cl-server fd]# cd /proc/1773/fd
[root@cl-server fd]# netstat -anp | grep 1773
tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN 1773/salt-master MW
unix 2 [ ACC ] STREAM LISTENING 29240 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 3 [ ] STREAM CONNECTED 55813 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 3 [ ] STREAM CONNECTED 51753 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 3 [ ] STREAM CONNECTED 49502 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 3 [ ] STREAM CONNECTED 53703 1773/salt-master MW /var/run/salt/master/workers.ipc
unix 3 [ ] STREAM CONNECTED 55815 1773/salt-master MW /var/run/salt/master/workers.ipc
[root@cl-server fd]# ls -l
总用量 0
lr-x------ 1 root root 64 12月 31 10:27 0 -> /dev/null
lrwx------ 1 root root 64 12月 31 10:27 1 -> socket:[28143]
lr-x------ 1 root root 64 12月 31 10:27 10 -> pipe:[30844]
lr-x------ 1 root root 64 12月 31 10:27 11 -> pipe:[32067]
lr-x------ 1 root root 64 12月 31 10:27 12 -> /dev/null
l-wx------ 1 root root 64 12月 31 10:27 13 -> pipe:[32127]
lr-x------ 1 root root 64 12月 31 10:27 14 -> /dev/null
l-wx------ 1 root root 64 12月 31 10:27 15 -> pipe:[32129]
lrwx------ 1 root root 64 12月 31 10:27 16 -> anon_inode:[eventfd]
lrwx------ 1 root root 64 12月 31 10:27 17 -> anon_inode:[eventfd]
lrwx------ 1 root root 64 12月 31 10:27 18 -> anon_inode:[eventpoll]
lrwx------ 1 root root 64 12月 31 10:27 19 -> anon_inode:[eventfd]
lrwx------ 1 root root 64 12月 31 10:27 2 -> socket:[28143]
lrwx------ 1 root root 64 12月 31 10:27 20 -> anon_inode:[eventpoll]
lrwx------ 1 root root 64 12月 31 10:27 21 -> anon_inode:[eventfd]
lrwx------ 1 root root 64 12月 31 10:27 22 -> anon_inode:[eventpoll]
lrwx------ 1 root root 64 12月 31 10:27 23 -> anon_inode:[eventfd]
lrwx------ 1 root root 64 12月 31 10:27 24 -> anon_inode:[eventpoll]
lrwx------ 1 root root 64 12月 31 10:27 25 -> anon_inode:[eventfd]
lrwx------ 1 root root 64 12月 31 10:27 26 -> anon_inode:[eventpoll]
lrwx------ 1 root root 64 12月 31 10:27 27 -> anon_inode:[eventfd]
lrwx------ 1 root root 64 12月 31 10:27 28 -> anon_inode:[eventpoll]
lrwx------ 1 root root 64 12月 31 10:27 29 -> anon_inode:[eventfd]
lr-x------ 1 root root 64 12月 31 10:27 3 -> pipe:[29773]
lrwx------ 1 root root 64 12月 31 10:27 30 -> anon_inode:[eventfd]
lrwx------ 1 root root 64 12月 31 10:27 31 -> socket:[29239]
lrwx------ 1 root root 64 12月 31 10:27 32 -> socket:[29240]
lrwx------ 1 root root 64 12月 31 10:27 33 -> socket:[51753]
lrwx------ 1 root root 64 12月 31 10:27 34 -> socket:[49502]
lrwx------ 1 root root 64 12月 31 10:27 35 -> socket:[53703]
lrwx------ 1 root root 64 12月 31 10:27 36 -> socket:[55813]
lrwx------ 1 root root 64 12月 31 10:27 37 -> socket:[55815]
l-wx------ 1 root root 64 12月 31 10:27 4 -> pipe:[29773]
lr-x------ 1 root root 64 12月 31 10:27 5 -> pipe:[29777]
l-wx------ 1 root root 64 12月 31 10:27 6 -> /var/log/salt/master
lrwx------ 1 root root 64 12月 31 10:27 7 -> /tmp/pymp-p6rz02nb/pym-957-rm8h8v0f (deleted)
lrwx------ 1 root root 64 12月 31 10:27 8 -> /tmp/pymp-p6rz02nb/pym-957-rm8h8v0f (deleted)
lr-x------ 1 root root 64 12月 31 10:27 9 -> pipe:[29184]
7.3 salt-minion service processes
1 -> 1590 -> 1593 -> 1595
[root@cl-server ~]# salt 'cl-node01' test.ping
cl-node01:
True
[root@cl-node01 salt]# ps -ef | grep salt
root 1590 1 0 14:21 ? 00:00:00 /usr/bin/python /usr/bin/salt-minion
root 1593 1590 0 14:21 ? 00:00:02 /usr/bin/python /usr/bin/salt-minion
root 1595 1593 0 14:21 ? 00:00:00 /usr/bin/python /usr/bin/salt-minion
VIII. SaltStack execution logs
### Set the log level to DEBUG in /etc/salt/master
[root@cl-server salt]# salt 'cl-node01' test.ping
[DEBUG ] Configuration file path: /etc/salt/master
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG ] Reading configuration from /etc/salt/master
[DEBUG ] Including configuration from '/etc/salt/master.d/nodegroups.conf'
[DEBUG ] Reading configuration from /etc/salt/master.d/nodegroups.conf
[DEBUG ] Using cached minion ID from /etc/salt/minion_id: cl-server
[DEBUG ] Missing configuration file: /root/.saltrc
[DEBUG ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG ] Using pkg_resources to load entry points
[DEBUG ] Using pkg_resources to load entry points
[DEBUG ] Using pkg_resources to load entry points
[DEBUG ] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/master', 'cl-server_master', 'tcp://127.0.0.1:4506', 'clear')
[DEBUG ] Connecting the Minion to the Master URI (for the return server): tcp://127.0.0.1:4506
[DEBUG ] Trying to connect to: tcp://127.0.0.1:4506
[DEBUG ] Closing AsyncZeroMQReqChannel instance
[DEBUG ] LazyLoaded local_cache.get_load
[DEBUG ] Reading minion list from /var/cache/salt/master/jobs/77/84b34b8baca85917ea60328c66ec0d1cfdafeaf23ecbeb07cb65f480e4514e/.minions.p
[DEBUG ] get_iter_returns for jid 20211201064734174035 sent to {'cl-node01'} will timeout at 14:47:39.200122
[DEBUG ] jid 20211201064734174035 return from cl-node01
[DEBUG ] return event: {'cl-node01': {'ret': True, 'retcode': 0, 'jid': '20211201064734174035'}}
[DEBUG ] Using pkg_resources to load entry points
[DEBUG ] LazyLoaded nested.output
cl-node01:
True
[DEBUG ] jid 20211201064734174035 found all minions {'cl-node01'}
[DEBUG ] Closing IPCMessageSubscriber instance
### salt-master execution log
[root@cl-server ~]# tailf /var/log/salt/master
2021-12-01 14:47:34,079 [salt.utils.verify:588 ][WARNING ][7288] Insecure logging configuration detected! Sensitive data may be logged.
2021-12-01 14:47:34,079 [salt.config :1913][DEBUG ][7288] Reading configuration from /etc/salt/master
2021-12-01 14:47:34,080 [salt.config :2076][DEBUG ][7288] Including configuration from '/etc/salt/master.d/nodegroups.conf'
2021-12-01 14:47:34,081 [salt.config :1913][DEBUG ][7288] Reading configuration from /etc/salt/master.d/nodegroups.conf
2021-12-01 14:47:34,081 [salt.config :3504][DEBUG ][7288] Using cached minion ID from /etc/salt/minion_id: cl-server
2021-12-01 14:47:34,083 [salt.config :2035][DEBUG ][7288] Missing configuration file: /root/.saltrc
2021-12-01 14:47:34,086 [salt.utils.event :311 ][DEBUG ][7288] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
2021-12-01 14:47:34,086 [salt.utils.event :312 ][DEBUG ][7288] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
2021-12-01 14:47:34,086 [salt.utils.entrypoints:56 ][DEBUG ][7288] Using pkg_resources to load entry points
2021-12-01 14:47:34,099 [salt.utils.entrypoints:56 ][DEBUG ][7288] Using pkg_resources to load entry points
2021-12-01 14:47:34,132 [salt.utils.entrypoints:56 ][DEBUG ][7288] Using pkg_resources to load entry points
2021-12-01 14:47:34,165 [salt.transport.zeromq:162 ][DEBUG ][7288] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/master', 'cl-server_master', 'tcp://127.0.0.1:4506', 'clear')
2021-12-01 14:47:34,165 [salt.transport.zeromq:261 ][DEBUG ][7288] Connecting the Minion to the Master URI (for the return server): tcp://127.0.0.1:4506
2021-12-01 14:47:34,166 [salt.transport.zeromq:1305][DEBUG ][7288] Trying to connect to: tcp://127.0.0.1:4506
2021-12-01 14:47:34,173 [salt.utils.lazy :102 ][DEBUG ][5382] LazyLoaded local_cache.prep_jid
2021-12-01 14:47:34,178 [salt.utils.event :805 ][DEBUG ][5382] Sending event: tag = 20211201064734174035; data = {'minions': ['cl-node01'], '_stamp': '2021-12-01T06:47:34.178267'}
2021-12-01 14:47:34,179 [salt.utils.event :805 ][DEBUG ][5382] Sending event: tag = salt/job/20211201064734174035/new; data = {'jid': '20211201064734174035', 'tgt_type': 'glob', 'tgt': 'cl-node01', 'user': 'root', 'fun': 'test.ping', 'arg': [], 'minions': ['cl-node01'], 'missing': [], '_stamp': '2021-12-01T06:47:34.179657'}
2021-12-01 14:47:34,182 [salt.loaded.int.returner.local_cache:256 ][DEBUG ][5382] Adding minions for job 20211201064734174035: ['cl-node01']
2021-12-01 14:47:34,182 [salt.master :2492][INFO ][5382] User root Published command test.ping with jid 20211201064734174035
2021-12-01 14:47:34,182 [salt.master :2499][DEBUG ][5382] Published command details {'fun': 'test.ping', 'arg': [], 'tgt': 'cl-node01', 'jid': '20211201064734174035', 'ret': '', 'tgt_type': 'glob', 'user': 'root'}
2021-12-01 14:47:34,183 [salt.transport.zeromq:1151][DEBUG ][5382] Signing data packet
2021-12-01 14:47:34,183 [salt.crypt :210 ][DEBUG ][5382] salt.crypt.get_rsa_key: Loading private key
2021-12-01 14:47:34,183 [salt.crypt :235 ][DEBUG ][5382] salt.crypt.sign_message: Signing message.
2021-12-01 14:47:34,185 [salt.transport.zeromq:1173][DEBUG ][5382] Sending payload to publish daemon. jid=20211201064734174035 size=452
2021-12-01 14:47:34,192 [salt.transport.zeromq:1124][DEBUG ][5382] Connecting to pub server: ipc:///var/run/salt/master/publish_pull.ipc
2021-12-01 14:47:34,193 [salt.transport.zeromq:1178][DEBUG ][5382] Sent payload to publish daemon.
2021-12-01 14:47:34,194 [salt.transport.zeromq:1021][DEBUG ][5364] Publish daemon received payload. size=452
2021-12-01 14:47:34,195 [salt.transport.zeromq:1019][DEBUG ][5364] Publish daemon getting data from puller ipc:///var/run/salt/master/publish_pull.ipc
2021-12-01 14:47:34,196 [salt.transport.zeromq:288 ][DEBUG ][7288] Closing AsyncZeroMQReqChannel instance
2021-12-01 14:47:34,198 [salt.utils.lazy :102 ][DEBUG ][7288] LazyLoaded local_cache.get_load
2021-12-01 14:47:34,199 [salt.loaded.int.returner.local_cache:324 ][DEBUG ][7288] Reading minion list from /var/cache/salt/master/jobs/77/84b34b8baca85917ea60328c66ec0d1cfdafeaf23ecbeb07cb65f480e4514e/.minions.p
2021-12-01 14:47:34,200 [salt.client :1185][DEBUG ][7288] get_iter_returns for jid 20211201064734174035 sent to {'cl-node01'} will timeout at 14:47:39.200122
2021-12-01 14:47:34,291 [salt.utils.lazy :102 ][DEBUG ][5379] LazyLoaded local_cache.prep_jid
2021-12-01 14:47:34,293 [salt.utils.job :88 ][INFO ][5379] Got return from cl-node01 for job 20211201064734174035
2021-12-01 14:47:34,296 [salt.utils.event :805 ][DEBUG ][5379] Sending event: tag = salt/job/20211201064734174035/ret/cl-node01; data = {'fun_args': [], 'jid': '20211201064734174035', 'return': True, 'retcode': 0, 'success': True, 'cmd': '_return', 'fun': 'test.ping', 'id': 'cl-node01', '_stamp': '2021-12-01T06:47:34.295891'}
2021-12-01 14:47:34,297 [salt.client :1214][DEBUG ][7288] jid 20211201064734174035 return from cl-node01
2021-12-01 14:47:34,298 [salt.client :1655][DEBUG ][7288] return event: {'cl-node01': {'ret': True, 'retcode': 0, 'jid': '20211201064734174035'}}
2021-12-01 14:47:34,298 [salt.utils.entrypoints:56 ][DEBUG ][7288] Using pkg_resources to load entry points
2021-12-01 14:47:34,302 [salt.utils.lazy :102 ][DEBUG ][7288] LazyLoaded nested.output
2021-12-01 14:47:34,408 [salt.client :1223][DEBUG ][7288] jid 20211201064734174035 found all minions {'cl-node01'}
2021-12-01 14:47:34,408 [salt.transport.ipc:365 ][DEBUG ][7288] Closing IPCMessageSubscriber instance
### salt-minion execution log
[root@cl-node01 salt]# tailf /var/log/salt/minion
2021-12-01 14:47:34,190 [salt.minion :1491][INFO ][1593] User root Executing command test.ping with jid 20211201064734174035
2021-12-01 14:47:34,190 [salt.minion :1498][DEBUG ][1593] Command details {u'tgt_type': u'glob', u'jid': u'20211201064734174035', u'tgt': u'cl-node01', u'ret': u'', u'user': u'root', u'arg': [], u'fun': u'test.ping'}
2021-12-01 14:47:34,194 [salt.utils.process:911 ][DEBUG ][1593] Subprocess ProcessPayload-Job-20211201064734174035 added
2021-12-01 14:47:34,198 [salt.minion :1491][INFO ][1593] User root Executing command test.ping with jid 20211201064734174035
2021-12-01 14:47:34,199 [salt.minion :1498][DEBUG ][1593] Command details {u'tgt_type': u'glob', u'jid': u'20211201064734174035', u'tgt': u'cl-node01', u'ret': u'', u'user': u'root', u'arg': [], u'fun': u'test.ping'}
2021-12-01 14:47:34,254 [salt.utils.lazy :104 ][DEBUG ][2282] LazyLoaded jinja.render
2021-12-01 14:47:34,257 [salt.utils.lazy :104 ][DEBUG ][2282] LazyLoaded yaml.render
2021-12-01 14:47:34,259 [salt.minion :1621][INFO ][2282] Starting a new job 20211201064734174035 with PID 2282
2021-12-01 14:47:34,260 [salt.utils.lazy :107 ][DEBUG ][2282] Could not LazyLoad direct_call.allow_missing_func: 'direct_call.allow_missing_func' is not available.
2021-12-01 14:47:34,274 [salt.utils.lazy :104 ][DEBUG ][2282] LazyLoaded test.ping
2021-12-01 14:47:34,275 [salt.loaded.int.module.test:123 ][DEBUG ][2282] test.ping received for minion 'cl-node01'
2021-12-01 14:47:34,275 [salt.minion :815 ][DEBUG ][2282] Minion return retry timer set to 10 seconds (randomized)
2021-12-01 14:47:34,276 [salt.minion :1949][INFO ][2282] Returning information for job: 20211201064734174035
2021-12-01 14:47:34,276 [salt.transport.zeromq:139 ][DEBUG ][2282] Initializing new AsyncZeroMQReqChannel for (u'/etc/salt/pki/minion', u'cl-node01', u'tcp://192.168.234.6:4506', u'aes')
2021-12-01 14:47:34,277 [salt.crypt :464 ][DEBUG ][2282] Initializing new AsyncAuth for (u'/etc/salt/pki/minion', u'cl-node01', u'tcp://192.168.234.6:4506')
2021-12-01 14:47:34,278 [salt.transport.zeromq:210 ][DEBUG ][2282] Connecting the Minion to the Master URI (for the return server): tcp://192.168.234.6:4506
2021-12-01 14:47:34,278 [salt.transport.zeromq:1204][DEBUG ][2282] Trying to connect to: tcp://192.168.234.6:4506
2021-12-01 14:47:34,293 [salt.transport.zeromq:234 ][DEBUG ][2282] Closing AsyncZeroMQReqChannel instance
2021-12-01 14:47:34,294 [salt.minion :1799][DEBUG ][2282] minion return: {u'fun_args': [], u'jid': u'20211201064734174035', u'return': True, u'retcode': 0, u'success': True, u'fun': u'test.ping'}
2021-12-01 14:47:34,725 [salt.utils.process:920 ][DEBUG ][1593] Subprocess ProcessPayload-Job-20211201064734174035 cleaned up
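Turning the master log above into an audit trail, as an added example (not part of the original article): it extracts who published which function under which jid and which minions returned, using only the INFO-level lines, so it does not need the DEBUG logging that triggers the "Insecure logging configuration" warning. The first two sample lines are taken from the master log above; the cmd.run lines, the user name opsuser and the watch list are constructed.

```python
import re

# Lines 1-2 are copied from the master log above; lines 3-5 are constructed.
SAMPLE_LOG = """\
2021-12-01 14:47:34,182 [salt.master :2492][INFO ][5382] User root Published command test.ping with jid 20211201064734174035
2021-12-01 14:47:34,293 [salt.utils.job :88 ][INFO ][5379] Got return from cl-node01 for job 20211201064734174035
2021-12-01 15:02:10,411 [salt.master :2492][INFO ][5382] User opsuser Published command cmd.run with jid 20211201070210400001
2021-12-01 15:02:10,530 [salt.utils.job :88 ][INFO ][5379] Got return from cl-node01 for job 20211201070210400001
2021-12-01 15:02:10,533 [salt.utils.job :88 ][INFO ][5379] Got return from cl-node02 for job 20211201070210400001
"""

# Common prefix: timestamp, [logger :line][LEVEL ][pid]
PREFIX = (
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ "
    r"\[(?P<logger>[\w.]+)\s*:\d+\s*\]\[(?P<level>\w+)\s*\]\[\d+\] "
)
PUBLISHED = re.compile(
    PREFIX + r"User (?P<user>\S+) Published command (?P<fun>\S+) with jid (?P<jid>\d+)$"
)
RETURNED = re.compile(
    PREFIX + r"Got return from (?P<minion>\S+) for job (?P<jid>\d+)$"
)

# Module prefixes worth a second look because they run arbitrary commands
# (illustrative watch list).
WATCHED_PREFIXES = ("cmd.",)


def build_audit_trail(log_text):
    """Return {jid: {"time", "user", "fun", "returned": [minion, ...]}}."""
    jobs = {}
    for line in log_text.splitlines():
        if m := PUBLISHED.match(line):
            jobs[m["jid"]] = {
                "time": m["ts"], "user": m["user"], "fun": m["fun"], "returned": [],
            }
        elif m := RETURNED.match(line):
            # A return whose publish line is missing (rotated log) is still kept.
            job = jobs.setdefault(
                m["jid"], {"time": None, "user": None, "fun": None, "returned": []}
            )
            job["returned"].append(m["minion"])
    return jobs


def flag_jobs(jobs, watched=WATCHED_PREFIXES):
    """Return the jids whose function falls under a watched module prefix."""
    return sorted(
        jid for jid, job in jobs.items()
        if job["fun"] and job["fun"].startswith(watched)
    )


if __name__ == "__main__":
    trail = build_audit_trail(SAMPLE_LOG)
    for jid, job in trail.items():
        print(jid, job["user"], job["fun"], job["returned"])
    print("review:", flag_jobs(trail))
```
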
IX. salt-master primary/backup mode
1. Install salt-master on the backup server
2. Copy the certificates under /etc/salt/pki/ on the primary server to the backup server
[root@cl-server master]# pwd
/etc/salt/pki/master
[root@cl-server master]# scp master.pem master.pub root@192.168.234.7:/etc/salt/pki/master/ ### the master key pair belongs in pki/master/ on the backup
[root@cl-server minions]# pwd
/etc/salt/pki/master/minions
[root@cl-server minions]# scp cl-node02 cl-node03 root@192.168.234.7:/etc/salt/pki/master/minions
3. Configure the masters on the minion
[root@cl-node01 ~]# vi /etc/salt/minion
master:
  - cl-server
  - cl-backup
or
master:
  - 192.168.234.6
  - 192.168.234.7
4. Start salt-minion
Note: when master is configured by hostname, the hostname must be resolvable; otherwise salt-minion reports errors at startup
[root@cl-node01 ~]# vi /var/log/salt/minion
2021-12-06 14:30:33,414 [salt.utils.network:1878][ERROR ][5166] DNS lookup or connection check of 'cl-backup' failed.
2021-12-06 14:30:33,414 [salt.minion :161 ][ERROR ][5166] Master hostname: 'cl-backup' not found or not responsive. Retrying in 30 seconds
[root@cl-node01 ~]# systemctl status salt-minion
● salt-minion.service - The Salt Minion
Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
Active: active (running) since 一 2021-12-06 14:29:31 CST; 1min 8s ago
Docs: man:salt-minion(1)
[root@cl-server ~]# salt cl-node01 cmd.run 'ip a'
cl-node01:
Minion did not return. [Not connected]
ERROR: Minions returned with non-zero exit code
X. The salt command in detail
[root@cl-server ~]# salt -h
Usage: salt [options] '<target>' <function> [arguments]

Salt allows for commands to be executed across a swath of remote systems in parallel, so they can be both controlled and queried with ease.

Options:
  --version
      show program's version number and exit
  -V, --versions-report
      Show program's dependencies version number and exit.
  -h, --help
      show this help message and exit
  --saltfile=SALTFILE
      Specify the path to a Saltfile. If not passed, one will be searched for in the current working directory.
  -c CONFIG_DIR, --config-dir=CONFIG_DIR
      Pass in an alternative configuration directory. Default: '/etc/salt'.
  --module-executors=EXECUTOR_LIST
      Set an alternative list of executors to override the one set in minion config.
  --executor-opts=EXECUTOR_OPTS
      Set alternate executor options if supported by executor. Options set by minion config are used by default.
  -t TIMEOUT, --timeout=TIMEOUT
      Change the timeout, if applicable, for the running command (in seconds). Default: 5.
  --args-stdin
      Read additional options and/or arguments from stdin. Each entry is newline separated.
  --hard-crash
      Raise any original exception rather than exiting gracefully. Default: False.
  --no-parse=argname1,argname2,...
      Comma-separated list of named CLI arguments (i.e.argname=value) which should not be parsed as Python data types
  -s, --static
      Return the data from minions as a group after they all return.
  -p, --progress
      Display a progress graph. Requires "progressbar" python package.
  --failhard
      Stop batch execution upon first "bad" return.
  --async
      Run the salt command but don't wait for a reply.
  --subset=SUBSET
      Execute the routine on a random subset of the targeted minions. The minions will be verified that they have the named function before executing.
  -v, --verbose
      Turn on command verbosity, display jid and active job queries.
  --hide-timeout
      Hide minions that timeout.
  --show-jid
      Display jid without the additional output of --verbose.
  -b BATCH, --batch=BATCH, --batch-size=BATCH
      Execute the salt job in batch mode, pass either the number of minions to batch at a time, or the percentage of minions to have running.
  --batch-wait=BATCH_WAIT
      Wait the specified time in seconds after each job is done before freeing the slot in the batch for the next one.
  --batch-safe-limit=BATCH_SAFE_LIMIT
      Execute the salt job in batch mode if the job would have executed on more than this many minions.
  --batch-safe-size=BATCH_SAFE_SIZE
      Batch size to use for batch jobs created by batch-safe-limit.
  --return=RETURNER
      Set an alternative return method. By default salt will send the return data from the command back to the master, but the return data can be redirected into any number of systems, databases or applications.
  --return_config=RETURNER_CONF
      Set an alternative return method. By default salt will send the return data from the command back to the master, but the return data can be redirected into any number of systems, databases or applications.
  --return_kwargs=RETURNER_KWARGS
      Set any returner options at the command line.
  -d, --doc, --documentation
      Return the documentation for the specified module or for all modules if none are specified.
  --args-separator=ARGS_SEPARATOR
      Set the special argument used as a delimiter between command arguments of compound commands. This is useful when one wants to pass commas as arguments to some of the commands in a compound command.
  --summary
      Display summary information about a salt command.
  --metadata=METADATA
      Pass metadata into Salt, used to search jobs.
  --output-diff
      Report only those states that have changed.
  --config-dump
      Dump the master configuration values
  --preview-target
      Show the minions expected to match a target. Does not issue any command.

Logging Options:
  Logging options which override any settings defined on the configuration files.
  -l LOG_LEVEL, --log-level=LOG_LEVEL
      Console logging log level. One of 'all', 'garbage', 'trace', 'debug', 'profile', 'info', 'warning','error', 'critical', 'quiet'. Default: 'warning'.
  --log-file=LOG_FILE
      Log file path. Default: '/var/log/salt/master'.
  --log-file-level=LOG_LEVEL_LOGFILE
      Logfile logging log level. One of 'all', 'garbage','trace', 'debug', 'profile', 'info', 'warning','error', 'critical', 'quiet'. Default: 'warning'.

Target Options:
  Target selection options.
  -H, --hosts
      List all known hosts to currently visible or other specified rosters
  -E, --pcre
      Instead of using shell globs to evaluate the target servers, use pcre regular expressions.
  -L, --list
      Instead of using shell globs to evaluate the target servers, take a comma or whitespace delimited list of servers.
  -G, --grain
      Instead of using shell globs to evaluate the target use a grain value to identify targets, the syntax for the target is the grain key followed by a globexpression: "os:Arch*".
  -P, --grain-pcre
      Instead of using shell globs to evaluate the target use a grain value to identify targets, the syntax for the target is the grain key followed by a pcre regular expression: "os:Arch.*".
  -N, --nodegroup
      Instead of using shell globs to evaluate the target use one of the predefined nodegroups to identify a list of targets.
  -R, --range
      Instead of using shell globs to evaluate the target use a range expression to identify targets. Range expressions look like %cluster.
  -C, --compound
      The compound target option allows for multiple target types to be evaluated, allowing for greater granularity in target matching. The compound target is space delimited, targets other than globs are preceded with an identifier matching the specific targets argument type: salt 'G@os:RedHat and webser* or E@database.*'.
  -I, --pillar
      Instead of using shell globs to evaluate the target use a pillar value to identify targets, the syntax for the target is the pillar key followed by a glob expression: "role:production*".
  -J, --pillar-pcre
      Instead of using shell globs to evaluate the target use a pillar value to identify targets, the syntax for the target is the pillar key followed by a pcre regular expression: "role:prod.*".
  -S, --ipcidr
      Match based on Subnet (CIDR notation) or IP address.

Additional Target Options:
  Additional options for minion targeting.
  --delimiter=DELIMITER
      Change the default delimiter for matching in multi-level data structures. Default: ':'.

External Authentication:
  -a EAUTH, --auth=EAUTH, --eauth=EAUTH, --external-auth=EAUTH
      Specify an external authentication system to use.
  -T, --make-token
      Generate and save an authentication token for re-use. The token is generated and made available for the period defined in the Salt Master.
  --username=USERNAME
      Username for external authentication.
  --password=PASSWORD
      Password for external authentication.

Output Options:
  Configure your preferred output format.
  --out=OUTPUT, --output=OUTPUT
      Print the output from the 'salt' command using the specified outputter.
  --out-indent=OUTPUT_INDENT, --output-indent=OUTPUT_INDENT
      Print the output indented by the provided value in spaces. Negative values disables indentation. Only applicable in outputters that support indentation.
  --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE
      Write the output to the specified file.
  --out-file-append, --output-file-append
      Append the output to the specified file.
  --no-color, --no-colour
      Disable all colored output.
  --force-color, --force-colour
      Force colored output.
  --state-output=STATE_OUTPUT, --state_output=STATE_OUTPUT
      Override the configured state_output value for minion output. One of 'full', 'terse', 'mixed', 'changes' or 'filter'. Default: 'none'.
  --state-verbose=STATE_VERBOSE, --state_verbose=STATE_VERBOSE
      Override the configured state_verbose value for minion output. Set to True or False. Default: none.

You can find additional help about salt issuing "man salt" or on http://docs.saltstack.com