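Complete installation of SaltStack plus a web UI operations management tool

This article draws on the following blog posts:

https://www.cnblogs.com/xintiao-/p/10380656.html#autoid-0-0-0

https://blog.51cto.com/siliotto/1598102?xiangguantuijian&04

Operating system: CentOS 7.2

Connect to the network and configure the yum repositories. If you need an offline installation, use the yumdownloader command.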

1. Configure the yum repositories

# cd /etc/yum.repos.d/

# mkdir bak

# mv CentOS-*  bak 

# vi /etc/yum.repos.d/3000.9.repo


# yum requires a section header; the repo id below is an arbitrary unique name
[salt-3000.9]
name=Salt repo for RHEL/CentOS 7 PY2
baseurl=https://repo.saltproject.io/yum/redhat/7/x86_64/archive/3000.9
skip_if_unavailable=True
failovermethod=priority
enabled=1
enabled_metadata=1
gpgcheck=1
gpgkey=https://repo.saltproject.io/yum/redhat/7/x86_64/archive/3000.9/SALTSTACK-GPG-KEY.pub, https://repo.saltproject.io/yum/redhat/7/x86_64/archive/3000.9/base/RPM-GPG-KEY-CentOS-7

# vi /etc/yum.repos.d/salt-latest.repo

[salt-latest]
name=SaltStack Latest Release Channel for RHEL/Centos $releasever
baseurl=https://repo.saltstack.com/yum/redhat/7/$basearch/latest
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key

# vi /etc/yum.repos.d/CentOS-Base.repo

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#released updates 
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

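1.1 Downloading packages for offline installation

# yum install yum-utils          # provides the yumdownloader command

Use the yumdownloader command to download the offline RPM packages. Note that these RPMs only fit the current system; if another system needs them, install a virtual machine with that system and download them there.

Syntax: yumdownloader [package to download] --resolve --destdir=[destination directory]

# yumdownloader salt-master --resolve --destdir=/root/salt-master

# yumdownloader salt-minion --resolve --destdir=/root/salt-minion

# yumdownloader salt-api --resolve --destdir=/root/salt-api

# yumdownloader salt-ssh --resolve --destdir=/root/salt-ssh

# yumdownloader salt-syndic --resolve --destdir=/root/salt-syndic

After the download completes, copy the packages to the offline machine and install them with: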

rpm  -ivh  *.rpm --nodeps --force
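
A check to run on the offline machine before the install command above (an added example, not part of the original article). It assumes the repository's GPG key file was copied along with the RPMs and imported with rpm --import, and that rpm -K prints one of the layouts named in the comments (rpm 4.11 on CentOS 7, or the newer "digests signatures" form).

```shell
#!/bin/sh
# Added example: refuse to install RPMs that are unsigned or fail verification.

# Classify one line of `rpm -K <file>` output.
# Prints: signed-ok | unsigned | bad
classify_checksig() {
    line=$1
    case "$line" in
        *"NOT OK"*) echo bad; return ;;      # bad digest, bad signature or missing key
    esac
    case "$line" in
        *OK) ;;                              # must end in OK to pass
        *) echo bad; return ;;
    esac
    rest=${line#*: }                         # drop the "<file>: " prefix
    # A passing line with no signature token means only digests were checked,
    # e.g. "sha1 md5 OK" (rpm 4.11) or "digests OK" (newer rpm).
    case " $rest " in
        *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*|*" signatures "*) echo signed-ok ;;
        *) echo unsigned ;;
    esac
}

# Check every RPM in a directory; succeed only if all are signed and valid.
verify_rpm_dir() {
    dir=$1; rc=0
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || { echo "no RPMs found in $dir" >&2; return 1; }
        verdict=$(classify_checksig "$(rpm -K "$f")")
        [ "$verdict" = signed-ok ] || { echo "$f: $verdict" >&2; rc=1; }
    done
    return $rc
}

# Usage: sh verify-rpms.sh /root/salt-master   (script name is hypothetical)
if [ "$#" -eq 1 ]; then verify_rpm_dir "$1"; fi
```

Run it once per download directory and proceed with rpm -ivh only when it exits 0.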

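2. Master installation

Install salt-master, salt-ssh and salt-api on the master (control) node. Install salt-minion on the managed nodes.

# Online installation
yum install salt-master

# Edit the salt-master configuration. The file installed by yum contains many settings; these are the defaults, or you can find the lines and uncomment them
vi /etc/salt/master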
 
interface: 0.0.0.0 
publish_port: 4505 
worker_threads: 5 
ret_port: 4506

The machine running the salt-master service needs these firewall ports opened:

 firewall-cmd --permanent --zone=public --add-port=4505-4506/tcp
 firewall-cmd --reload

Start the salt-master service on the master:

systemctl start salt-master     # start
systemctl enable salt-master    # start at boot
systemctl status salt-master    # status

3. Install and configure the SaltStack API

# Install salt-api with yum
yum install salt-api

# Set up the API interface
cd /etc/pki/tls/certs/
make testcert
---------------------------------------------------------
Enter pass phrase:    ===>  enter a passphrase; here I use salt2017
Verifying - Enter pass phrase:    ===>  confirm the passphrase
Enter pass phrase for /etc/pki/tls/private/localhost.key:    ===>  enter the same passphrase again
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
--------------------------------------------------------------------------------------

Decrypt the key file to produce a key file without a passphrase. You will be asked for the key password, which is the passphrase set when the certificate was generated.

cd /etc/pki/tls/private/
openssl rsa -in localhost.key -out localhost_nopass.key

# Set file permissions: the certificate is public, the private keys are readable by root only
# (salt-api runs as root in the default package install)
chmod 644 /etc/pki/tls/certs/localhost.crt
chmod 600 /etc/pki/tls/private/localhost.key
chmod 600 /etc/pki/tls/private/localhost_nopass.key

# Add the user
useradd -M -s /sbin/nologin saltapi
passwd saltapi

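4. Install the SaltStack web UI

Continue by installing the web UI; do not start the API yet.

Download the UI source code from GitHub:

https://github.com/saltstack/halite/releases  I recommend downloading v0.1.16, because the 17 release I downloaded had a problem: commands would not execute.

Extract and install the web source package

mkdir -p /var/www
cd /var/www
# Upload the file halite-0.1.16.tar.gz to /var/www
tar -zxvf  halite-0.1.16.tar.gz
mv halite-0.1.16 halite
cd /var/www/halite/halite
./genindex.py -C      # generate the index file

Add a configuration file on the master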

# vi /etc/salt/master.d/saltweb.conf
rest_cherrypy:
 host: 0.0.0.0
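 port: 8081   # do not use 8080, or it will take the port used by the web UI
 debug: true  # development mode with extra debugging output; set to false outside testing
 static: /ui/halite/halite
 app: /ui/halite/halite/index.html
 ssl_crt: /etc/pki/tls/certs/localhost.crt
 ssl_key: /etc/pki/tls/private/localhost_nopass.key
external_auth:
   pam:
     admin:
         - .*        # every execution function on every minion; write the pattern unquoted, single quotes cause problems
         - '@runner' # all runner modules
         - '@wheel'  # all wheel modules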

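Explanation of the configuration file; content taken from https://blog.51cto.com/siliotto/1598102?xiangguantuijian&04

halite:                          -- enables halite
  level:                         -- log level, default is info
  server:                        -- the web server halite runs on; cherrypy, paste and gevent are supported, enter the one you use
  host:                          -- listen address
  port:                          -- listen port
  cors:                          -- whether to enable CORS (cross-origin resource sharing)
  tls:                           -- whether to use TLS/SSL (https) for access
  certpath:                      -- certificate file issued by the CA
  keypath:                       -- private key file used for encrypted access
  pempath:                       -- file containing both the certificate and the private key

Create the admin user

# useradd admin
# passwd admin

Restart the services

# systemctl restart salt-master
# systemctl restart salt-api

Start the web service, i.e. Salt-UI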

# cd /var/www/halite/halite
# python server_bottle.py -d -C -l debug -s cherrypy &

# Restart the master and the API
systemctl restart salt-master
systemctl restart salt-api

Run it as a background daemon

start-stop-daemon --start --background --exec /var/www/halite/halite/server_bottle.py -- -d -C -l debug -s cherrypy

Log in at http://ip:8080/app

Install the minion

Log in to another server and install the minion

# vi /etc/salt/minion

master: 192.168.6.101
id: 6.101-firewalld.com

# id: each minion's id is unique. After it starts, the minion uses its id to authenticate with the master.

Start the salt-minion service:

# systemctl start salt-minion 
# systemctl enable salt-minion
# systemctl status salt-minion

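5. Establish trust between the master and the minion

After the master and minion are installed and configured, the master must accept a minion's key before it can manage that minion. Until the master accepts it, a minion's public key is stored in the /etc/salt/pki/master/minions_pre directory, in a file named after the minion id. List the minions on the master:

# salt-key -L                           # list all keys; the minion has not been accepted yet

# salt-key -A                           # trust (accept) all pending keys

# salt-key -a 6.101-firewalld.com       # accept a single minion

# salt-key -L                           # list again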
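
One way to accept a single pending key only after checking it, as an added example that is not part of the original article. It assumes the fingerprint was read on the minion itself with salt-call --local key.finger and passed in out of band, and that salt-key -f prints a section header followed by "<id>:  <fingerprint>"; the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the minion's own key fingerprint with the copy the
# master holds in minions_pre, and accept the key only when they match.

# Lower-case a fingerprint and strip whitespace so pasted copies compare cleanly.
normalize_fp() { printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'; }

# Succeed only when both fingerprints are non-empty and identical.
fp_match() {
    fp_a=$(normalize_fp "$1"); fp_b=$(normalize_fp "$2")
    [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Pull one minion's fingerprint out of `salt-key -f <id>` output on stdin.
# Assumed layout: "Unaccepted Keys:" then "<id>:  <fingerprint>".
extract_fp() { awk -v id="$1" '$1 == id ":" { print $2; exit }'; }

# Accept one pending key if the master's copy matches the expected fingerprint.
accept_if_verified() {
    id=$1; expected=$2
    seen=$(salt-key -f "$id" | extract_fp "$id")
    if fp_match "$seen" "$expected"; then
        salt-key -y -a "$id"
    else
        echo "fingerprint mismatch for $id: key left unaccepted" >&2
        return 1
    fi
}

# Usage on the master:
#   sh accept-minion.sh 6.101-firewalld.com <fingerprint shown on the minion>
if [ "$#" -eq 2 ]; then accept_if_verified "$1" "$2"; fi
```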

Structure of a master command

# [command]   [options]  [all hosts]    [module]      [command]

# salt  --summary       '*'           cmd.run      'python -V'

Management test

# salt   '*'     cmd.run      'python -V'

Test whether the hosts are alive

[root@master ~]# salt --summary '*' test.ping

More tests: https://www.cnblogs.com/xintiao-/p/10380656.html#autoid-0-0-0

Web login test

[root@localhost halite]# salt -a pam \* test.ping
username: admin
password: 

Log in at http://IP:8080/app/console and test whether command execution succeeds

Test by running the test.echo module

Done!


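Copyright notice: this is an original article by m0_49220305, licensed under CC 4.0 BY-SA. When reposting, include a link to the original source and this notice.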