LInux Enterprise Training Chapter: Configuration of saltstack Management System and Simple Applications (rpm Installation http, php)

Keywords: saltstack socket yum PHP

Introduction to saltstack

Saltstack is a C/S architecture configuration management tool based on Python. The bottom layer uses ZeroMQ message queue pub/sub mode to communicate, and uses SSL certificate issuance mode to manage authentication. Deployment is easy, it can run in a few minutes, scalability is good, it is easy to manage tens of thousands of servers, fast enough, communication between servers in seconds. ZeroMQ, known as the world's fastest message queue, enables SaltStack to perform various operations on thousands of machines quickly. It also uses RSA Key to confirm identity and AES to encrypt transmission, which guarantees security performance.

Basic principles:

The basic principle of SaltStack is to adopt C/S mode:

  • Server is Salt's master, Client is minion, and the communication between minion and maseter is through ZeroMQ message queue.
  • Minion starts for the first time, generates monion.pem and minion.key in the / etc/minion/pli/minion.d directory, and then sends minion.pub to master.
  • The maseter side sees the key of minion through the salt-key-L command. After accepting the key of minion, the master generates the pub key in the / etc/salt/minion.d/ directory, and they trust each other.
  • Both Master and Minion run in daemon mode, listening to ret_port (accept minion request) and publish_port (publish message) ports defined in the configuration file.
    • SaltStack master defaults to monitor 4505 and 4506 ports after startup. 4505 (publish_port) is the message publishing system of saltstack, 4506 (ret_port) is the port of communication between saltstack client and server. If you look at port 4505 with lsof, you will find that all minion s remain in ESTABLISHED status at port 4505.
  • ZMQ (hereinafter referred to as ZMQ) encapsulated Socket library transport layer message queue processing library makes Socket programming simpler, simpler and better performance, and can be flexible between multiple threads, kernels and host boxes. It is undoubtedly a promising layer of encapsulation on top of the "traditional" BSD Socket that people need more. ZMQ makes writing high-performance network applications extremely simple and interesting.
    • Similar to a series of socket interfaces, the difference between socket and socket is that ordinary sockets are end-to-end (1:1 relationship), while ZMQ can be N:M relationship. People know more about BSD sockets are point-to-point connections. Point-to-point connections need to explicitly establish connections, destroy connections, select protocols (TCP/UDP) and handle errors, while ZMQ shields this. Some details to make your network programming easier. ZMQ is used to communicate between node and node, which can be a host or a process.

II. EXPERIMENTAL ENVIRONMENT

  • Server1: 172.25.2.1/24 (salt-master,redhat6.5)
  • Server2: 172.25.2.2/24 (salt-minion,redhat6.5)
  • Physical host: 172.25.2.250/24 (providing yum source, redhat7.3)

Installation Pack Baidu Cloud Link:
Sal-master profile auspicious interpretation, feel that the blogger wrote a good >-<, not so good! Take a look.
saltstack official website

Three. Experiment

3.1 Add Installation Pack http Sharing to Physical Machine

1.//Import files to the publishing directory
[root@foundation2 saltstack]# cp -r rhel6/ /var/www/html/
[root@foundation2 saltstack]# cd /var/www/html/  
[root@foundation2 html]# ls
rhel6  rhel6.5  source7.0  source7.2
[root@foundation2 html]# ll
total 20
drwx------  3 root root 4096 Aug 17 05:20 rhel6
dr-xr-xr-x 12 root root 8192 Nov 12  2013 rhel6.5
dr-xr-xr-x 10 root root 4096 May  7  2014 source7.0
dr-xr-xr-x 10 root root 4096 Oct 30  2015 source7.2
[root@foundation2 html]# chmod 555 rhel6/ -R  //Modify authority
[root@foundation2 html]# ll
total 20
dr-xr-xr-x  3 root root 4096 Aug 17 05:20 rhel6
dr-xr-xr-x 12 root root 8192 Nov 12  2013 rhel6.5
dr-xr-xr-x 10 root root 4096 May  7  2014 source7.0
dr-xr-xr-x 10 root root 4096 Oct 30  2015 source7.2

2.//Virtual Machine Configuration yum Source
[root@server1 ~]# vim /etc/yum.repos.d/rhel-source.repo
[rhel-source]
name=Red Hat Enterprise Linux $releasever - $basearch - Source
baseurl=http://172.25.2.250/rhel6.5
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[salt]
name=saltstack
baseurl=http://172.25.2.250/rhel6
gpgcheck=0

3.2 Installation of salt-master

//server1: 
root@server1 salt]# yum install salt-master -y
[root@server1 salt]# /etc/init.d/salt-master start
Starting salt-master daemon:                               [  OK  ]

3.3 Install salt-minion

//server2: 
[root@server2 ~]# yum install salt-minion -y
[root@server2 ~]# cd /etc/salt/
[root@server2 salt]# vim minion
17 master: 172.25.2.1   //Specify master as server1
[root@server2 salt]# /etc/init.d/salt-minion start
Starting salt-minion:root:server2 daemon: OK

3.4 Exchange Public Key

//server1: 
[root@server1 salt]# salt-key -L  //Looking at the key, server2 is not allowed
Accepted Keys:
Denied Keys:
Unaccepted Keys:
server2
Rejected Keys:
[root@server1 salt]# salt-key --help  //View command help
Usage: salt-key [options]

salt-key is used to manage Salt authentication keys

Options:
  --version             show program's version number and exit
  --versions-report     Show program's dependencies version number and exit.
  -h, --help            show this help message and exit
  --saltfile=SALTFILE   Specify the path to a Saltfile. If not passed, one
                        will be searched for in the current working directory.
  -c CONFIG_DIR, --config-dir=CONFIG_DIR
                        Pass in an alternative configuration directory.
                        Default: '/etc/salt'.
  -u USER, --user=USER  Specify user to run salt-key.
  --hard-crash          Raise any original exception rather than exiting
                        gracefully. Default: False.
  -q, --quiet           Suppress output.
  -y, --yes             Answer "Yes" to all questions presented. Default:
                        False.
  --rotate-aes-key=ROTATE_AES_KEY
                        Setting this to False prevents the master from
                        refreshing the key session when keys are deleted or
                        rejected, this lowers the security of the key
                        deletion/rejection operation. Default: True.

  Logging Options:
    Logging options which override any settings defined on the
    configuration files.

    --log-file=KEY_LOGFILE
                        Log file path. Default: '/var/log/salt/key'.
    --log-file-level=LOG_LEVEL_LOGFILE
                        Logfile logging log level. One of 'all', 'garbage',
                        'trace', 'debug', 'profile', 'info', 'warning',
                        'error', 'critical', 'quiet'. Default: 'warning'.

  External Authentication:
    --auth=EAUTH, --eauth=EAUTH, --external-auth=EAUTH
                        Specify an external authentication system to use.
    -T, --make-token    Generate and save an authentication token for re-use.
                        The token is generated and made available for the
                        period defined in the Salt Master.
    --username=USERNAME
                        Username for external authentication.
    --password=PASSWORD
                        Password for external authentication.

  Output Options:
    Configure your preferred output format.

    --out=OUTPUT, --output=OUTPUT
                        Print the output from the 'salt-key' command using the
                        specified outputter.
    --out-indent=OUTPUT_INDENT, --output-indent=OUTPUT_INDENT
                        Print the output indented by the provided value in
                        spaces. Negative values disables indentation. Only
                        applicable in outputters that support indentation.
    --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Write the output to the specified file.
    --out-file-append, --output-file-append
                        Append the output to the specified file.
    --no-color, --no-colour
                        Disable all colored output.
    --force-color, --force-colour
                        Force colored output.
    --state-output=STATE_OUTPUT, --state_output=STATE_OUTPUT
                        Override the configured state_output value for minion
                        output. One of 'full', 'terse', 'mixed', 'changes' or
                        'filter'. Default: 'none'.
    --state-verbose=STATE_VERBOSE, --state_verbose=STATE_VERBOSE
                        Override the configured state_verbose value for minion
                        output. Set to True or False. Default: none.

  Actions:
    -l ARG, --list=ARG  List the public keys. The args 'pre', 'un', and
                        'unaccepted' will list unaccepted/unsigned keys. 'acc'
                        or 'accepted' will list accepted/signed keys. 'rej' or
                        'rejected' will list rejected keys. 'den' or 'denied'
                        will list denied keys. Finally, 'all' will list all
                        keys.
    -L, --list-all      List all public keys. Deprecated: use "--list all".
    -a ACCEPT, --accept=ACCEPT
                        Accept the specified public key (use --include-
                        rejected and --include-denied to match rejected and
                        denied keys in addition to pending keys). Globs are
                        supported.
    -A, --accept-all    Accept all pending keys.
    -r REJECT, --reject=REJECT
                        Reject the specified public key. Use --include-
                        accepted and --include-denied to match accepted and
                        denied keys in addition to pending keys. Globs are
                        supported.
    -R, --reject-all    Reject all pending keys.
    --include-all       Include rejected/accepted keys when
                        accepting/rejecting. Deprecated: use "--include-
                        rejected" and "--include-accepted".
    --include-accepted  Include accepted keys when rejecting.
    --include-rejected  Include rejected keys when accepting.
    --include-denied    Include denied keys when accepting/rejecting.
    -p PRINT, --print=PRINT
                        Print the specified public key.
    -P, --print-all     Print all public keys.
    -d DELETE, --delete=DELETE
                        Delete the specified key. Globs are supported.
    -D, --delete-all    Delete all keys.
    -f FINGER, --finger=FINGER
                        Print the specified key's fingerprint.
    -F, --finger-all    Print all keys' fingerprints.

  Key Generation Options:
    --gen-keys=GEN_KEYS
                        Set a name to generate a keypair for use with salt.
    --gen-keys-dir=GEN_KEYS_DIR
                        Set the directory to save the generated keypair, only
                        works with "gen_keys_dir" option. Default: '.'.
    --keysize=KEYSIZE   Set the keysize for the generated key, only works with
                        the "--gen-keys" option, the key size must be 2048 or
                        higher, otherwise it will be rounded up to 2048.
                        Default: 2048.
    --gen-signature     Create a signature file of the masters public-key
                        named master_pubkey_signature. The signature can be
                        send to a minion in the masters auth-reply and enables
                        the minion to verify the masters public-key
                        cryptographically. This requires a new signing-key-
                        pair which can be auto-created with the --auto-create
                        parameter.
    --priv=PRIV         The private-key file to create a signature with.
    --signature-path=SIGNATURE_PATH
                        The path where the signature file should be written.
    --pub=PUB           The public-key file to create a signature for.
    --auto-create       Auto-create a signing key-pair if it does not yet
                        exist.

You can find additional help about salt-key issuing "man salt-key" or on
http://docs.saltstack.com
[root@server1 salt]# Salt-key-A//Allows all links
The following keys are going to be accepted:
Unaccepted Keys:
server2
Proceed? [n/Y] Y
Key for minion server2 accepted.
[root@server1 salt]# Sal-key-L// At this point the key exchange is successful
Accepted Keys:
server2
Denied Keys:
Unaccepted Keys:
Rejected Keys:


//salt-minion needs to be deleted from / etc/salyminion_id and reloaded when the host name is changed because the minion_id content is the host name generated at the first boot.

3.5 View Key

//server1:
[root@server1 salt]#  cd pki/master/
[root@server1 master]# md5sum master.pub 
660f7f951fc03b392355169fbb2a0119  master.pub  //secret key

//Server2:
[root@server2 salt]# cd pki/minion/
[root@server2 minion]#  md5sum minion_master.pub 
660f7f951fc03b392355169fbb2a0119  minion_master.pub

3.6 View Port Running

[root@server1 master]# lsof -i :4505
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 1800 root   16u  IPv4  14512      0t0  TCP server1:4505 (LISTEN)
salt-mast 1800 root   18u  IPv4  17279      0t0  TCP server1:4505->server2:53946 (ESTABLISHED)

[root@server1 master]# lsof -i :4506
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 1807 root   24u  IPv4  14523      0t0  TCP server1:4506 (LISTEN)


// View the python port process

[root@server1 master]# yum install python-setproctitle.x86_64 -y
[root@server1 master]# /etc/init.d/salt-master restart
Stoppingsalt-master daemon:                               [  OK  ]
Starting salt-master daemon:                               [  OK  ]

3.7 Testing salt Service

[root@server1 master]# salt '*' test.ping
server2:
    True
[root@server1 master]# salt '*' cmd.run hostname  //Execute the hostname command on all salt-minion hosts
server2:
    server2


// Run "df-h" on server 2

4. salt Management System Installs httpd and php with rpm

Three Rules of YAML Grammar in Saltstack

YAML grammar rule 1: indentation
YAML uses a fixed indentation style to represent data layer structure relationships, and Saltstack requires that each indentation level be composed of two spaces. You must not use the tab key.
Rule 2: Colon
YAML: mykey: my_value must have a space after each colon (no space is required at the end of the colon, and no space is required for templates representing file paths)
Rule 3: Short horizontal lines
To represent a list item, use a short bar with a space. Multiple items use the same indentation level as part of the same list.
eg: my_dictionary:
  • list_value_one
  • list_value_two
  • list_value_three

4.1 Open File System Server:

[root@server1 master]#  vim /etc/salt/master //Opening the base environment depends on the main entry file
 534 file_roots:
 535   base:
 536     - /srv/salt

4.2 Write deployment scripts and push

[root@server1 master]# ls /srv
[root@server1 master]# mkdir /srv/salt
[root@server1 master]# /etc/init.d/salt-master restart
[root@server1 master]# cd /srv/salt/
[root@server1 salt]# mkdir httpd   //Configure http and php in this directory
[root@server1 salt]# cd httpd
[root@server1 httpd]# vim apache.sls  //Deployment script
apache-install:
  pkg.installed:
    - pkgs:
      - httpd
      - php

//Test, execute push
[root@server1 httpd]# salt server2 state.sls httpd.apache test=true  


/ / push

4.3 Server2 View Installation

[root@server2 minion]# rpm -q httpd php  //Success
httpd-2.2.15-29.el6_4.x86_64
php-5.3.3-26.el6.x86_64

Posted by AndyBG on Fri, 11 Jan 2019 23:12:11 -0800