Salt in Practice: Introduction

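Salt is a powerful configuration management tool. It uses a client/server model, and the client and server communicate over the efficient zmq messaging library.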

0. Installing and deploying Salt
1) Deploy salt-master on the management node

# yum -y install salt-master

Configure salt-master

syndic_master: 172.17.10.63  
interface: 172.23.6.216  
ipv6: False  
publish_port: 4505  
log_file: /var/log/salt/master  
log_level: info  
loop_interval: 180  
fileserver_backend:  
#  - git
   - roots
#gitfs_provider: gitpython
#gitfs_remotes:
#  - git@code.uappo.ucloudadmin.com:sid.cao/uappo_salt.git
file_roots:  
  base:
    - /data/uappo_salt
#pillar_roots:
#  base:
#    - /data/uappo_salt/pillar
job_cache: True  
keep_jobs: 1  
worker_threads: 5  
file_ignore_regex:  
  - '/\.svn($|/)'
  - '/\.git($|/)'
file_ignore_glob:  
  - '*.pyc'
  - '*.swp'

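fileserver_backend: there are two backends, git and roots. Using git is not recommended, because the master runs git pull every time it executes a target, which drives up the load on the machine hosting the master.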

2) Deploy salt-minion on the servers

# yum -y install salt-minion

Configure salt-minion
Minion configuration file: /etc/salt/minion

id: 172.23.105.37

master: 172.23.6.216  
master_port: 4506  
user: root  
pidfile: /var/run/salt-minion.pid  
log_file: /var/log/salt/minion  
log_level: warning  
loop_interval: 10  
ipv6: False  
retry_dns: 10  
rejected_retry: True  
renderer: yaml_jinja  
cache_jobs: True  
backup_mode: minion  

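backup_mode: the file backup mode, used by file.managed and file.recurse. It backs up the original file to file_backup under cachedir. Currently the only available setting is minion, and it is off by default. I still have to complain here that Salt's way of handling backups is rather messy.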

Grains configuration file: /etc/salt/grains

master: 172.23.6.216  
role: pnat  
region: yg  
inner_net: 10.10.0.0/16  

Grains are pieces of information about the machine that can be referenced in templates. They are configured in key-value format.

1. Starting the services after installation
1) Start the master

# /etc/init.d/salt-master start

2) Start the minion

# /etc/init.d/salt-minion start

3) Communication between the master and the minion is encrypted using keys
List the keys on the master

# salt-key -L

Keys fall into four categories: Accepted Keys, Denied Keys, Unaccepted Keys, and Rejected Keys.
Accept the minion's key on the master

# salt-key -a "172.23.105.37" -y

Here 172.23.105.37 is the minion's id.
4) Updating a minion's key
Delete the minion's existing key on the master

# salt-key -d "172.23.105.37" -y

Restart the minion

# /etc/init.d/salt-minion restart

Re-accept the minion's key on the master

# salt-key -a "172.23.105.37" -y
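
The accept steps in 3) and 4) trust whichever key arrived under the minion's id. The script below is an added example, not part of the original post: it accepts the key only when the fingerprint the master holds (`salt-key -f`) equals the one read on the minion itself with `salt-call --local key.finger` and passed in over a trusted channel. The function names and the `SALT_KEY` override variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: accept a minion key only after comparing fingerprints.
# SALT_KEY is a hypothetical override for the salt-key binary (useful for testing).
SALT_KEY="${SALT_KEY:-salt-key}"

# Read text on stdin and print the first colon-separated hex fingerprint
# (16 bytes or longer), lower-cased. Works on `salt-key -f <id>` output and
# on `salt-call --local key.finger` output.
extract_fingerprint() {
    grep -Eio '([0-9a-f]{2}:){15,}[0-9a-f]{2}' | head -n 1 | tr 'A-F' 'a-f'
}

# Succeed only if both fingerprints are non-empty and identical.
fingerprints_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# accept_verified_minion <minion-id> <fingerprint text copied from the minion>
accept_verified_minion() {
    local id expected pending
    id="$1"
    expected=$(printf '%s\n' "$2" | extract_fingerprint)
    # Fingerprint of the key the master currently holds for this id
    pending=$("$SALT_KEY" -f "$id" | extract_fingerprint)
    if fingerprints_match "$expected" "$pending"; then
        "$SALT_KEY" -a "$id" -y
    else
        echo "fingerprint mismatch for $id, key NOT accepted" >&2
        return 1
    fi
}

# When called with two arguments, run the check, e.g.:
#   ./accept_minion.sh 172.23.105.37 "<output of salt-call --local key.finger>"
if [ "$#" -eq 2 ]; then
    accept_verified_minion "$1" "$2"
fi
```

The same check applies after the delete and restart in step 4), because the restarted minion submits its key again for acceptance.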

5) The minion fails to start because the pycrypto version is too old
Error message

2016-04-03 03:57:31,666 [salt.log.setup   ][ERROR   ][26055] An un-handled exception was caught by salt's global exception handler:  
NameError: global name 'AES' is not defined  
Traceback (most recent call last):  
  File "/usr/bin/salt-call", line 11, in <module>
    salt_call()
  File "/usr/lib/python2.6/site-packages/salt/scripts.py", line 227, in salt_call
    client.run()
  File "/usr/lib/python2.6/site-packages/salt/cli/call.py", line 59, in run
    caller = salt.cli.caller.Caller.factory(self.config)
  File "/usr/lib/python2.6/site-packages/salt/cli/caller.py", line 69, in factory
    return ZeroMQCaller(opts, **kwargs)
  File "/usr/lib/python2.6/site-packages/salt/cli/caller.py", line 92, in __init__
    self.minion = salt.minion.SMinion(opts)
  File "/usr/lib/python2.6/site-packages/salt/minion.py", line 322, in __init__
    self.gen_modules(initial_load=True)
  File "/usr/lib/python2.6/site-packages/salt/minion.py", line 334, in gen_modules
    self.opts['environment']
  File "/usr/lib/python2.6/site-packages/salt/pillar/__init__.py", line 83, in compile_pillar
    dictkey='pillar',
  File "/usr/lib/python2.6/site-packages/salt/transport/__init__.py", line 271, in crypted_transfer_decode_dictentry
    ret = self.sreq.send('aes', self.auth.crypticle.dumps(load), tries, timeout)
  File "/usr/lib/python2.6/site-packages/salt/crypt.py", line 835, in dumps
    return self.encrypt(self.PICKLE_PAD + self.serial.dumps(obj))
  File "/usr/lib/python2.6/site-packages/salt/crypt.py", line 803, in encrypt
    cypher = AES.new(aes_key, AES.MODE_CBC, iv_bytes)
NameError: global name 'AES' is not defined  

Solution: upgrade via pip; the python-crypto package in the CentOS repositories is too old.

# pip install --upgrade pycrypto