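- The remote system needs Python, unless the -r option is used to send raw ssh commands
- salt-ssh is a separate package that must be installed before use; the command itself is also salt-ssh
- salt-ssh does not replace the standard Salt communication system; it only provides an SSH-based alternative that needs neither ZeroMQ nor an agent

Note that because all Salt SSH communication is carried over SSH, it is much slower than standard Salt using ZeroMQ.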
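1.2 How salt-ssh manages remote hosts

salt-ssh can manage remote hosts in two ways. One is to record every client's details in a configuration file, such as the IP address, port, user name, password and whether sudo is supported. The other is to use keys, so that no password has to be entered.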
2. salt-ssh management

Install salt-ssh on the master

```
[root@master ~]# yum -y install salt-ssh
```

2.1 Remote management over SSH with a user name and password
Edit the configuration file and add the managed host's details

```
[root@master salt]# cat /etc/salt/roster
# Sample salt-ssh config file
#web1:
#  host: 192.168.42.1 # The IP addr or DNS hostname
#  user: fred         # Remote executions will be executed as user fred
#  passwd: foobarbaz  # The password to use for login, if omitted, keys are used
#  sudo: True         # Whether to sudo to root, not enabled by default
#web2:
#  host: 192.168.42.2
```

Write the following into the configuration file:

```
minion:
  host: 192.168.35.135
  user: root
  passwd: runtime
```
Test connectivity

```
[root@master salt]# salt-ssh -r 'minion' "yum -y install python3"
[root@master salt]# salt-ssh 'minion' test.ping
minion:
    True
```
Install the yum repositories

```
[root@master salt]# salt-ssh 'minion' state.sls init.yum.main
minion:
----------
          ID: /etc/yum.repos.d/epel-8.repo
    Function: file.managed
      Result: True
     Comment: File /etc/yum.repos.d/epel-8.repo updated
     Started: 19:30:37.283904
    Duration: 120.463 ms
     Changes:
              ----------
              diff:
                  New file
              mode:
                  0644
----------
          ID: /etc/yum.repos.d/salt-8.repo
    Function: file.managed
      Result: True
     Comment: File /etc/yum.repos.d/salt-8.repo updated
     Started: 19:30:37.283904
    Duration: 20.564 ms
     Changes:
              ----------
              diff:
                  New file
              mode:
                  0644

Summary for minion
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time: 124.267 ms
```
Write a script to extract the IPs

```
// Write a test file
[root@master ~]# cat test.sh
#!/bin/bash

# For each "<index> <ip>" line in host.info, append one roster entry to abc
while read line;do
cat >> abc << EOF
minion$(echo $line | awk '{print $1}'):
  host: $(echo $line | awk '{print $2}')
  user: root
  passwd: 1
EOF
done < host.info

// Input values
[root@master ~]# cat host.info
1 192.168.35.135
2 192.168.35.136
3 192.168.35.137

// File generated after running the script
[root@master ~]# cat abc
minion:
  host: 192.168.35.135
  user: root
  passwd: 1
minion2:
  host: 192.168.35.136
  user: root
  passwd: 1
minion3:
  host: 192.168.35.137
  user: root
  passwd: 1
```
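A stricter version of the roster generator above, as an added example that is not part of the original post: it validates every host.info line, refuses to write a roster if any line is malformed or duplicated, and leaves out `passwd` so that keys are used, as the sample roster comment describes. The `gen_roster` name and the validation rules are assumptions of this example.

```shell
#!/bin/bash
# Added example: build a salt-ssh roster from host.info ("<index> <ipv4>" per line).
# File names and the minion<index> naming follow the script above; the
# validation rules and the gen_roster name are assumptions of this example.

gen_roster() {
    # $1 = inventory file, $2 = roster file to write
    local src="$1" dst="$2" tmp
    tmp=$(mktemp "$dst.XXXXXX") || return 1      # created with mode 0600
    awk '
        function bad(msg) { print "line " NR ": " msg > "/dev/stderr"; err = 1 }
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        NF != 2              { bad("expected <index> <ip>"); next }
        $1 !~ /^[0-9]+$/     { bad("index is not numeric"); next }
        {
            n = split($2, o, ".")
            ok = (n == 4)
            for (i = 1; i <= n; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (!ok)       { bad("not an IPv4 address: " $2); next }
            if ($1 in ids) { bad("duplicate index " $1); next }
            if ($2 in ips) { bad("duplicate address " $2); next }
            ids[$1] = 1; ips[$2] = 1
            # No passwd key: per the sample roster, keys are used when it is omitted.
            printf "minion%s:\n  host: %s\n  user: root\n", $1, $2
        }
        END { exit (err ? 1 : 0) }
    ' "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Any rejected line discards the whole roster; otherwise move it into place.
    chmod 600 "$tmp" && mv "$tmp" "$dst"
}

# Demo on constructed input (the three addresses used on this page).
demo=$(mktemp -d)
printf '%s\n' '1 192.168.35.135' '2 192.168.35.136' '3 192.168.35.137' > "$demo/host.info"
gen_roster "$demo/host.info" "$demo/roster" && cat "$demo/roster"
```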
A failing connectivity test

```
// Deleting this file breaks connectivity
[root@master ~]# cd .ssh/
[root@master .ssh]# ls
known_hosts
[root@master .ssh]# rm -rf known_hosts
[root@master ~]# salt-ssh '*' test.ping
vm1:
    ----------
    retcode:
        254
    stderr:
    stdout:
        The host key needs to be accepted, to auto accept run salt-ssh with the -i flag:
        The authenticity of host '192.168.35.135 (192.168.35.135)' can't be established.
        ECDSA key fingerprint is SHA256:Nz8CAwwL3HRh/Lvqejqa+eiV3A09xGYYfG2A/W8wRPs.
        ECDSA key fingerprint is MD5:8c:b3:22:14:7a:8a:bc:34:f9:9d:3c:3a:07:8a:96:20.
        Are you sure you want to continue connecting (yes/no)?
```
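As the output above shows, the first connection asks for yes/no, but SaltStack does not support interactive operation. To solve this, we configure the system so that it does not perform host verification.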
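One way to avoid the yes/no prompt while keeping host verification on, as an added example that is not part of the original post: compare scanned host keys against pins collected out of band and write known_hosts only when every key matches. The `seed_known_hosts` name, the pins file layout and the sample key strings are assumptions of this example.

```shell
#!/bin/bash
# Added example: write known_hosts only from scanned keys that match pins
# collected out of band. Both files hold "<host> <keytype> <base64-key>" lines:
#   pins: copied from each machine's console (/etc/ssh/ssh_host_*_key.pub)
#   scan: output of e.g. `ssh-keyscan -t ecdsa 192.168.35.135`
# The seed_known_hosts name and this file layout are assumptions of the example.

seed_known_hosts() {
    # $1 = pins, $2 = scan output, $3 = known_hosts file to write
    local pins="$1" scan="$2" out="$3" tmp
    [ -s "$pins" ] || { echo "no pins, refusing to trust any key" >&2; return 1; }
    tmp=$(mktemp "$out.XXXXXX") || return 1
    awk '
        NF < 3 || $1 ~ /^#/ { next }                  # skip blanks and comments
        NR == FNR { pin[$1 " " $2] = $3; next }       # first file: the pins
        {
            k = $1 " " $2
            if (!(k in pin))       { print "UNPINNED " k > "/dev/stderr"; bad = 1 }
            else if (pin[k] != $3) { print "MISMATCH " k > "/dev/stderr"; bad = 1 }
            else                   { print $1, $2, $3; seen[k] = 1 }
        }
        END {
            for (k in pin) if (!(k in seen)) { print "MISSING " k > "/dev/stderr"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$pins" "$scan" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Reached only if every pinned host answered with exactly its pinned key.
    chmod 600 "$tmp" && mv "$tmp" "$out"
}

# Demo on constructed data (placeholder strings, not real host keys).
kh=$(mktemp -d)
printf '%s\n' '192.168.35.135 ecdsa-sha2-nistp256 AAAAconstructedKey135=' > "$kh/pins"
cp "$kh/pins" "$kh/scan"
seed_known_hosts "$kh/pins" "$kh/scan" "$kh/known_hosts" && cat "$kh/known_hosts"
```

When the output file is the known_hosts of the account that runs salt-ssh, every roster host is already known to ssh and the prompt does not appear.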
```
[root@master ~]# vim ~/.ssh/config
[root@master ~]# cat ~/.ssh/config
StrictHostKeyChecking no
[root@master salt]# salt-ssh 'minion' test.ping
minion:
    True
```

2.2 Passwordless login
Use keys

```
// First generate the public key
[root@master .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:NRcku2Pl+eGCeBClE/9ERAfy1XX9grqd7CfAwCfftVw root@master
The key's randomart image is:
+---[RSA 3072]----+
| . ++B.o.=|
| = * + +|
| .+ = =. .|
| ++.O..o E|
| S*+o+o.+ |
| +=o.oo. |
| . o=..o |
| .. =.. |
| ..o |
+----[SHA256]-----+
[root@master .ssh]# ls
config  id_rsa  id_rsa.pub  known_hosts
[root@master .ssh]# ssh-copy-id root@192.168.35.135
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.35.135's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.35.135'"
and check to make sure that only the key(s) you wanted were added.

// Test whether remote login works
[root@master .ssh]# ssh root@192.168.35.135 'date'
2021年 11月 28日 星期日 18:57:36 CST

// Remove the account and password from the configuration file
[root@master .ssh]# vim /etc/salt/roster
# Sample salt-ssh config file
#web1:
#  host: 192.168.42.1 # The IP addr or DNS hostname
#  user: fred         # Remote executions will be executed as user fred
#  passwd: foobarbaz  # The password to use for login, if omitted, keys are used
#  sudo: True         # Whether to sudo to root, not enabled by default
#web2:
#  host: 192.168.42.2
minion:
  host: 192.168.35.135

// The ping fails; authentication is required
[root@master .ssh]# salt-ssh 'minion' test.ping
Permission denied for host minion, do you want to deploy the salt-ssh key? (password required):
[Y/n] ^Z
[2]+  已停止               salt-ssh 'minion' test.ping

// This is because it only recognizes this IP
[root@master .ssh]# cat known_hosts
192.168.35.135 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOjePUsQQ+ugIWCE26A/ay1lk3QAw+2GK+hR42ydcndpRpLVRc4QhQNq87yAWlTo+7+VHldjK02Yb0Bx6+GlXuI=

// Test again; the password is needed only the first time, not afterwards
[root@master .ssh]# salt-ssh '*' test.ping
Permission denied for host minion, do you want to deploy the salt-ssh key? (password required):
[Y/n] y
Password for root@minion:
minion:
    True
```

2.3 Initializing the system and installing salt-minion through salt-ssh
Install salt-ssh

```
[root@master ~]# yum -y install salt-ssh
```
Test connectivity

```
[root@master salt-minion]# salt-ssh '*' test.ping
minion:
    True
```
Run the state to initialize the system and install salt-minion

```
// yum repositories
[root@master yum]# pwd
/srv/salt/base/init/yum
[root@master yum]# cat main.sls
{% if grains['os'] == 'RedHat' %}
/etc/yum.repos.d/centos-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/centos-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'
{% endif %}

/etc/yum.repos.d/epel-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/epel-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'

/etc/yum.repos.d/salt-{{ grains['osrelease'] }}.repo:
  file.managed:
    - source: salt://init/yum/files/salt-{{ grains['osrelease'] }}.repo
    - user: root
    - group: root
    - mode: '0644'

[root@master yum]# cd files/
[root@master files]# ls
centos-7.repo  centos-8.repo  epel-7.repo  epel-8.repo  salt-7.repo  salt-8.repo

// Change the key for epel8
[root@master files]# vim epel-8.repo
......
enabled=1
gpgcheck=1
countme=1
gpgkey=https://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-8   # add this line
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8          # comment this out
....... (rest omitted)

// Install the minion
[root@master salt-minion]# pwd
/srv/salt/base/init/salt-minion
[root@master salt-minion]# cat main.sls
include:
  - init.yum.main

salt-minion:
  pkg.installed

/etc/salt/minion:
  file.managed:
    - source: salt://init/salt-minion/files/minion.j2
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja
    - require:
      - pkg: salt-minion

salt-minion.service:
  service.running:
    - enable: true
    - reload: true
    - watch:
      - file: /etc/salt/minion

[root@master files]# pwd
/srv/salt/base/init/salt-minion/files
[root@master files]# vim minion.j2
.......
#master: salt
master: {{ pillar['master_ip'] }}    # defined as a variable
......
```
```
// Define the variable in pillar
[root@master base]# pwd
/srv/pillar/base
[root@master base]# cat salt-minion.sls
master_ip: 192.168.35.137
[root@master base]# cat top.sls
base:
  '*':
    - salt-minion

// Run it
[root@master files]# salt-ssh '*' state.sls init.salt-minion.main

// After installation the ssh key can be deleted and the salt command used instead
[root@localhost .ssh]# ls
authorized_keys
[root@localhost .ssh]# rm -rf authorized_keys
[root@localhost .ssh]# pwd
/root/.ssh

// After the minion is installed its hostname is localhost, so listing with -L shows the IP
[root@master files]# salt-key -L
Accepted Keys:
minion
minion2
Denied Keys:
Unaccepted Keys:
192.168.35.135    #IP
master
Rejected Keys:
```