K8S | Installing SaltStack


1. Installation
1. Installation steps
Find the repository that matches your system.
Add the Salt repository:

    [root@10-8-58-159 ~]# yum install -y https://repo.saltstack.com/py3/redhat/salt-py3-repo-3001-1.el8.noarch.rpm
    Last metadata expiration check: 0:00:43 ago on Mon 28 Feb 2022 05:14:16 PM HKT.
    salt-py3-repo-3001-1.el8.noarch.rpm              3.1 kB/s | 9.9 kB     00:03
    Dependencies resolved.
    ================================================================================
     Package              Architecture    Version         Repository          Size
    ================================================================================
    Installing:
     salt-py3-repo        noarch          3001-1.el8      @commandline       9.9 k

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total size: 9.9 k
    Installed size: 3.6 k
    Downloading Packages:
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                     1/1
      Installing       : salt-py3-repo-3001-1.el8.noarch     1/1
      Verifying        : salt-py3-repo-3001-1.el8.noarch     1/1

    Installed:
      salt-py3-repo-3001-1.el8.noarch

    Complete!

2. Install the master and the node
Salt uses a master/minion architecture.
Install the master:
    [root@10-8-58-159 ~]# yum install -y salt-master
    SaltStack 3001 Release Channel for Python 3 RHEL/Centos 8    64 kB/s | 224 kB     00:03
    Last metadata expiration check: 0:00:01 ago on Mon 28 Feb 2022 05:15:12 PM HKT.
    Dependencies resolved.
    ================================================================================
     Package            Architecture  Version                               Repository      Size
    ================================================================================
    Installing:
     salt-master        noarch        3001.8-1.el8                          salt-py3-3001  3.1 M
    Installing dependencies:
     libsodium          x86_64        1.0.18-2.el8                          epel           162 k
     libunwind          x86_64        1.3.1-3.el8                           epel            75 k
     openpgm            x86_64        5.2.122-21.el8                        epel           180 k
     python3-distro     noarch        1.4.0-2.module_el8.5.0+761+faacb0fb   AppStream       37 k
     python3-m2crypto   x86_64        0.35.2-5.el8                          epel           303 k
     python3-msgpack    x86_64        0.6.2-1.el8                           epel            92 k
     python3-psutil     x86_64        5.4.3-11.el8                          AppStream      373 k
     python3-pycurl     x86_64        7.43.0.2-4.el8                        AppStream      227 k
     python3-zmq        x86_64        19.0.0-1.el8                          epel           418 k
     salt               noarch        3001.8-1.el8                          salt-py3-3001   10 M
     zeromq             x86_64        4.3.4-2.el8                           epel           479 k

    Transaction Summary
    ================================================================================
    Install  12 Packages

    Total download size: 16 M
    Installed size: 58 M
    Downloading Packages:
    (1/12): python3-distro-1.4.0-2.module_el8.5.0+761+faacb0fb.noarch.rpm   65 kB/s |  37 kB     00:00
    (2/12): python3-pycurl-7.43.0.2-4.el8.x86_64.rpm                       206 kB/s | 227 kB     00:01
    (3/12): libsodium-1.0.18-2.el8.x86_64.rpm                              170 kB/s | 162 kB     00:00
    (4/12): python3-psutil-5.4.3-11.el8.x86_64.rpm                         236 kB/s | 373 kB     00:01
    (5/12): libunwind-1.3.1-3.el8.x86_64.rpm                                84 kB/s |  75 kB     00:00
    (6/12): openpgm-5.2.122-21.el8.x86_64.rpm                              145 kB/s | 180 kB     00:01
    (7/12): python3-m2crypto-0.35.2-5.el8.x86_64.rpm                       229 kB/s | 303 kB     00:01
    (8/12): python3-msgpack-0.6.2-1.el8.x86_64.rpm                          99 kB/s |  92 kB     00:00
    (9/12): python3-zmq-19.0.0-1.el8.x86_64.rpm                            216 kB/s | 418 kB     00:01
    (10/12): zeromq-4.3.4-2.el8.x86_64.rpm                                 233 kB/s | 479 kB     00:02
    (11/12): salt-master-3001.8-1.el8.noarch.rpm                           1.4 MB/s | 3.1 MB     00:02
    (12/12): salt-3001.8-1.el8.noarch.rpm                                  2.4 MB/s |  10 MB     00:04
    --------------------------------------------------------------------------------
    Total                                                                  2.2 MB/s |  16 MB     00:07
    warning: /var/cache/dnf/salt-py3-3001-cdd7dac9cf71697d/packages/salt-3001.8-1.el8.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID de57bfbe: NOKEY
    SaltStack 3001 Release Channel for Python 3 RHEL/Centos 8   1.7 MB/s | 1.7 kB     00:00
    Importing GPG key 0xDE57BFBE:
     Userid     : "SaltStack Packaging Team "
     Fingerprint: 754A 1A7A E731 F165 D5E6 D4BD 0E08 A149 DE57 BFBE
     From       : /etc/pki/rpm-gpg/saltstack-signing-key
    Key imported successfully
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                               1/1
      Installing       : python3-msgpack-0.6.2-1.el8.x86_64                            1/12
      Installing       : python3-m2crypto-0.35.2-5.el8.x86_64                          2/12
      Installing       : openpgm-5.2.122-21.el8.x86_64                                 3/12
      Installing       : libunwind-1.3.1-3.el8.x86_64                                  4/12
      Installing       : libsodium-1.0.18-2.el8.x86_64                                 5/12
      Installing       : zeromq-4.3.4-2.el8.x86_64                                     6/12
      Installing       : python3-zmq-19.0.0-1.el8.x86_64                               7/12
      Installing       : python3-pycurl-7.43.0.2-4.el8.x86_64                          8/12
      Installing       : python3-psutil-5.4.3-11.el8.x86_64                            9/12
      Installing       : python3-distro-1.4.0-2.module_el8.5.0+761+faacb0fb.noarch     10/12
      Installing       : salt-3001.8-1.el8.noarch                                      11/12
      Installing       : salt-master-3001.8-1.el8.noarch                               12/12
      Running scriptlet: salt-master-3001.8-1.el8.noarch                               12/12
      Verifying        : python3-distro-1.4.0-2.module_el8.5.0+761+faacb0fb.noarch     1/12
      Verifying        : python3-psutil-5.4.3-11.el8.x86_64                            2/12
      Verifying        : python3-pycurl-7.43.0.2-4.el8.x86_64                          3/12
      Verifying        : libsodium-1.0.18-2.el8.x86_64                                 4/12
      Verifying        : libunwind-1.3.1-3.el8.x86_64                                  5/12
      Verifying        : openpgm-5.2.122-21.el8.x86_64                                 6/12
      Verifying        : python3-m2crypto-0.35.2-5.el8.x86_64                          7/12
      Verifying        : python3-msgpack-0.6.2-1.el8.x86_64                            8/12
      Verifying        : python3-zmq-19.0.0-1.el8.x86_64                               9/12
      Verifying        : zeromq-4.3.4-2.el8.x86_64                                     10/12
      Verifying        : salt-3001.8-1.el8.noarch                                      11/12
      Verifying        : salt-master-3001.8-1.el8.noarch                               12/12

    Installed:
      libsodium-1.0.18-2.el8.x86_64
      libunwind-1.3.1-3.el8.x86_64
      openpgm-5.2.122-21.el8.x86_64
      python3-distro-1.4.0-2.module_el8.5.0+761+faacb0fb.noarch
      python3-m2crypto-0.35.2-5.el8.x86_64
      python3-msgpack-0.6.2-1.el8.x86_64
      python3-psutil-5.4.3-11.el8.x86_64
      python3-pycurl-7.43.0.2-4.el8.x86_64
      python3-zmq-19.0.0-1.el8.x86_64
      salt-3001.8-1.el8.noarch
      salt-master-3001.8-1.el8.noarch
      zeromq-4.3.4-2.el8.x86_64

    Complete!

Install salt-minion:

    [root@10-8-58-159 ~]# yum install -y salt-minion
    Last metadata expiration check: 0:00:17 ago on Mon 28 Feb 2022 05:15:12 PM HKT.
    Dependencies resolved.
    ================================================================================
     Package          Architecture    Version          Repository         Size
    ================================================================================
    Installing:
     salt-minion      noarch          3001.8-1.el8     salt-py3-3001      43 k

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total download size: 43 k
    Installed size: 72 k
    Downloading Packages:
    salt-minion-3001.8-1.el8.noarch.rpm               30 kB/s |  43 kB     00:01
    --------------------------------------------------------------------------------
    Total                                             30 kB/s |  43 kB     00:01
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                     1/1
      Installing       : salt-minion-3001.8-1.el8.noarch     1/1
      Running scriptlet: salt-minion-3001.8-1.el8.noarch     1/1
      Verifying        : salt-minion-3001.8-1.el8.noarch     1/1

    Installed:
      salt-minion-3001.8-1.el8.noarch

    Complete!

3. Edit the configuration file
Give the minion a unique ID and point it at the master node.

    vim /etc/salt/minion

    # Set the location of the salt master server. If the master server cannot be
    # resolved, then the minion will fail to start.
    master: 127.0.0.1
    ---
    # Explicitly declare the id for this minion to use, if left commented the id
    # will be the hostname as returned by the python call: socket.getfqdn()
    # Since salt uses detached ids it is possible to run multiple minions on the
    # same machine but with different ids, this can be useful for salt compute
    # clusters.
    id: minion-01

4. Start the services

    systemctl start salt-master
    systemctl start salt-minion

5. Accept the key

    [root@10-8-58-159 ~]# systemctl status salt-minion.service -l
    ● salt-minion.service - The Salt Minion
       Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
       Active: active (running) since Mon 2022-02-28 17:19:37 HKT; 14s ago
         Docs: man:salt-minion(1)
               file:///usr/share/doc/salt/html/contents.html
               https://docs.saltstack.com/en/latest/contents.html
     Main PID: 54987 (salt-minion)
        Tasks: 8 (limit: 24787)
       Memory: 70.2M
       CGroup: /system.slice/salt-minion.service
               ├─54987 /usr/bin/python3.6 /usr/bin/salt-minion
               ├─54991 /usr/bin/python3.6 /usr/bin/salt-minion
               └─54993 /usr/bin/python3.6 /usr/bin/salt-minion

    Feb 28 17:19:36 10-8-58-159 systemd[1]: Starting The Salt Minion...
    Feb 28 17:19:37 10-8-58-159 systemd[1]: Started The Salt Minion.
    Feb 28 17:19:37 10-8-58-159 salt-minion[54987]: [ERROR] The Salt Master has cached the public key for this node, this salt minion will wait for 10 seconds before attempting to re-authenticate
    Feb 28 17:19:47 10-8-58-159 salt-minion[54987]: [ERROR] The Salt Master has cached the public key for this node, this salt minion will wait for 10 seconds before attempting to re-authenticate

    [root@10-8-58-159 ~]# salt-key
    Accepted Keys:
    Denied Keys:
    Unaccepted Keys:
    minion-01
    Rejected Keys:

    [root@10-8-58-159 ~]# salt-key -a minion-01
    The following keys are going to be accepted:
    Unaccepted Keys:
    minion-01
    Proceed? [n/Y] y
    Key for minion minion-01 accepted.

    [root@10-8-58-159 ~]# salt-key
    Accepted Keys:
    minion-01
    Denied Keys:
    Unaccepted Keys:
    Rejected Keys:

6. Remote command execution

    [root@10-8-58-159 ~]# salt '*' test.ping
    minion-01:
        True

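2. Salt network ports
In the Salt master/minion model, every minion needs a connection to the master, and these connections are always initiated by the minion towards the master. salt-master exposes two services.
4505:
Event publish/subscribe port; minions hold a constant connection to it.
4506:
Data payloads and returns (file services or return data); minions connect only to deliver data.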

1. Basic master configuration
Port configuration:

    /etc/salt/master.d/network.conf

    # The network interface to bind to
    interface: 192.0.2.20

    # The Request/Reply port
    ret_port: 4506

    # The port minions bind to for commands, aka the publish port
    publish_port: 4505

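Worker thread configuration:
If the cluster has several thousand minions, the minions may stall and the master's job returns may time out. That can mean the minions have failed, but it does not mean the master lacks the processes to handle them.
The default is 5 workers and the minimum is 3. The recommendation is one worker per 200 minions, and the number of workers should not exceed 1.5 times the machine's CPU count.

    /etc/salt/master.d/thread_options.conf

    worker_threads: 5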
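The master settings above can be checked mechanically before a master goes live. The following is an added example, not code from the original page or from the Salt project: it audits the bind address, the two ports and `worker_threads` against the sizing rule stated above. The function names, the sample texts and the `auto_accept` check (a real master option that this page does not mention) are assumptions.

```python
import math

# Constructed sample: the page's two master.d files merged into one text, with
# three deliberately weak values so the audit has something to report.
WEAK_CONF = """\
interface: 0.0.0.0      # listen on every address
ret_port: 4506
publish_port: 4505
worker_threads: 2
auto_accept: True       # assumption: not on the page; a real master option
"""
PAGE_CONF = "interface: 192.0.2.20\nret_port: 4506\npublish_port: 4505\nworker_threads: 5\n"


def parse_flat_conf(text):
    """Parse flat 'key: value' lines. Enough for these options, not full YAML."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def recommended_workers(minions, cpus):
    """Page's rule: one worker per 200 minions, at least 3, at most 1.5 x CPUs."""
    cap = max(3, math.floor(1.5 * cpus))
    return max(3, min(math.ceil(minions / 200), cap))


def audit_master(conf, minions, cpus):
    """Return {option: finding} for settings that expose or starve the master."""
    findings = {}
    if conf.get("interface", "0.0.0.0") in ("0.0.0.0", "::"):
        findings["interface"] = "binds every address; use the management IP"
    ports = {conf.get("publish_port", "4505"), conf.get("ret_port", "4506")}
    if len(ports) != 2 or not all(p.isdigit() for p in ports):
        findings["ports"] = "publish_port and ret_port must be two distinct numbers"
    threads = int(conf.get("worker_threads", "5"))
    want = recommended_workers(minions, cpus)
    if threads < 3:
        findings["worker_threads"] = f"{threads} is below the minimum of 3"
    elif threads > max(3, math.floor(1.5 * cpus)):
        findings["worker_threads"] = f"{threads} exceeds 1.5 x {cpus} CPUs"
    elif threads < want:
        findings["worker_threads"] = f"{threads} is low for {minions} minions; use {want}"
    if conf.get("auto_accept", "False").lower() == "true":
        findings["auto_accept"] = "accepts every minion key without review"
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("page", PAGE_CONF)):
        print(name, audit_master(parse_flat_conf(text), minions=1000, cpus=4))
```
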

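3. Basic minion configuration
  1. By default, salt-minion takes its configuration from DNS or the hostname.
  2. The default configuration files are /etc/salt/minion and, as .conf files, /etc/salt/minion.d/.
  3. The minion defaults should be adjusted as needed.
Connecting to the master:

    /etc/salt/minion.d/master.conf

    master: 192.0.2.20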

Declaring the minion ID:

    /etc/salt/minion.d/id.conf

    id: rebel_1

4. Salt key exchange
  • RSA
  • AES

1. salt-key
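RSA keys are the core of Salt's authentication and encryption model, and every Salt daemon has its own RSA key. The minions and the master generate RSA keys, which they use for PKI authentication.
A master that is exposed to the internet is considered a security vulnerability.
On the master, use the salt-key command to accept a minion's key; only minions whose keys have been accepted come under the master's control. Common salt-key options:

    -A  accept all keys
    -a  accept the specified key
    -D  delete all keys
    -d  delete the specified key
    -L  list the managed keys (the default)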
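Both step 5 (accepting minion-01) and the salt-key section above make key acceptance the point where a minion gains the master's trust. The following is an added example, not from the original page or the Salt project: it compares the fingerprint the master holds for a pending key (`salt-key -f minion-01`) with the one the minion reports locally (`salt-call --local key.finger`, obtained out of band) and only then produces the accept command. The output layouts, the made-up fingerprints and the function names are assumptions.

```python
import hmac
import re

# A fingerprint is colon-separated hex pairs (32 pairs for SHA-256).
FP_RE = re.compile(r"(?:[0-9a-f]{2}:){15,}[0-9a-f]{2}", re.I)

# Constructed samples: both fingerprints are made up for this example.
FP_GOOD = ":".join(f"{i:02x}" for i in range(32))
FP_OTHER = ":".join(f"{255 - i:02x}" for i in range(32))
MASTER_OUT = f"""\
Accepted Keys:
Unaccepted Keys:
minion-01:  {FP_GOOD}
minion-02:  {FP_OTHER}
"""
MINION_OUT = f"local:\n    {FP_GOOD.upper()}\n"


def parse_salt_key(text):
    """Map each 'Xxx Keys:' section to {minion_id: fingerprint}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Keys:"):
            current = sections.setdefault(line[:-1], {})
        elif current is not None:
            match = FP_RE.search(line)
            if match:
                minion_id = line[:match.start()].rstrip(": \t")
                current[minion_id] = match.group(0).lower()
    return sections


def fingerprints_match(master_out, minion_id, minion_out):
    """True only if the pending key's fingerprint equals the minion's own."""
    pending = parse_salt_key(master_out).get("Unaccepted Keys", {}).get(minion_id)
    local = FP_RE.search(minion_out)
    if pending is None or local is None:
        return False
    return hmac.compare_digest(pending, local.group(0).lower())


def accept_command(master_out, minion_id, minion_out):
    """Return the salt-key argv to run, or None when verification fails."""
    if not fingerprints_match(master_out, minion_id, minion_out):
        return None
    return ["salt-key", "-y", "-a", minion_id]


if __name__ == "__main__":
    for mid in ("minion-01", "minion-02", "minion-03"):
        print(mid, accept_command(MASTER_OUT, mid, MINION_OUT))
```
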

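5. Basic parameters
Common options of the salt command for selecting minions:

    (none)  glob match on the minion ID, e.g. salt '*' test.ping
    -L      list of one or more minion IDs, e.g. salt -L 'minion-01,minion-02' test.ping
    -E      regular expression match on the minion ID, e.g. salt -E 'minion-0[1-3]' test.ping
    -G      glob match on the minion's grains; grains are the system information each minion collects and can also be user-defined (this needs an article of its own), e.g. salt -G 'os:centos' test.ping
    -P      regular expression match on the minion's grains
    -I      glob match on the minion's pillar; pillar holds variables defined per minion (this needs an article of its own)
    -J      regular expression match on the minion's pillar
    -C      combination of the options above, e.g. salt -C '*02 and G@os:centos' test.ping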

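In the commands above, test.ping and cmd.run each name a module and one of its functions. The sys module shows the documentation of modules and functions on the command line.
Note:
sys.list_modules: modules that can be used on the command line.
sys.list_state_modules: modules that can be used in states (sls files).

    sys.list_modules          list the modules available on the command line, e.g. salt 'minion-01' sys.list_modules
    sys.list_functions        list all functions of a command-line module, e.g. salt 'minion-01' sys.list_functions cmd
    sys.doc                   show the documentation of a command-line module or function, e.g. salt 'minion-01' sys.doc cmd.run
    sys.list_state_modules    list the modules available in states
    sys.list_state_functions  list all functions of a state module
    sys.state_doc             show the documentation of a state module or function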

[root@10-8-58-159 ~]# salt 'minion-01' sys.doc cmd.run
cmd.run:
Execute the passed command and return the output as a string
:param str cmd: The command to run. ex: ls -lart /home
:param str cwd: The directory from which to execute the command. Defaults
to the home directory of the user specified by runas (or the user
under which Salt is running if runas is not specified).
:param str stdin: A string of standard input can be specified for the
command to be run using the stdin parameter. This can be useful in
cases where sensitive information must be read from standard input.
:param str runas: Specify an alternate user to run the command. The default
behavior is to run as the user under which Salt is running.
Warning:
For versions 2018.3.3 and above on macosx while using runas,
on linux while using run, to pass special characters to the
command you need to escape the characters on the shell.
Example:
cmd.run 'echo '\''h=\"baz\"'\''' runas=macuser
:param str group: Group to run command as. Not currently supported
on Windows.
:param str password: Windows only. Required when specifying runas. This
parameter will be ignored on non-Windows platforms.
New in version 2016.3.0
:param str shell: Specify an alternate shell. Defaults to the system’s
default shell.
:param bool python_shell: If False, let python handle the positional
arguments. Set to True to use shell features, such as pipes or
redirection.
:param bool bg: If True, run command in background and do not await or
deliver its results
New in version 2016.3.0
:param dict env: Environment variables to be set prior to execution.
Note:
When passing environment variables on the CLI, they should be
passed as the string representation of a dictionary.
salt myminion cmd.run 'some command' env='{"FOO": "bar"}'
:param bool clean_env: Attempt to clean out all other shell environment
variables and set only those provided in the 'env' argument to this
function.
:param str prepend_path: $PATH segment to prepend (trailing ':' not necessary) to $PATH
New in version 2018.3.0
:param str template: If this setting is applied then the named templating
engine will be used to render the downloaded file. Currently jinja,
mako, and wempy are supported.
:param bool rstrip: Strip all whitespace off the end of output before it is
returned.
:param str umask: The umask (in octal) to use when running the command.
:param str output_encoding: Control the encoding used to decode the
command’s output.
Note:
This should not need to be used in most cases. By default, Salt
will try to use the encoding detected from the system locale, and
will fall back to UTF-8 if this fails. This should only need to be
used in cases where the output of the command is encoded in
something other than the system locale or UTF-8.
To see the encoding Salt has detected from the system locale, check
the locale line in the output of :py:func:test.versions_report.
New in version 2018.3.0
:param str output_loglevel: Control the loglevel at which the output from
the command is logged to the minion log.
Note:
The command being run will still be logged at the debug
loglevel regardless, unless quiet is used for this value.
:param bool ignore_retcode: If the exit code of the command is nonzero,
this is treated as an error condition, and the output from the command
will be logged to the minion log. However, there are some cases where
programs use the return code for signaling and a nonzero exit code
doesn’t necessarily mean failure. Pass this argument as True to
skip logging the output if the command has a nonzero exit code.
:param bool hide_output: If True, suppress stdout and stderr in the
return data.
Note:
This is separate from output_loglevel, which only handles how
Salt logs to the minion log.
New in version 2018.3.0
:param int timeout: A timeout in seconds for the executed process to return.
:param bool use_vt: Use VT utils (saltstack) to stream the command output
more interactively to the console and the logs. This is experimental.
:param bool encoded_cmd: Specify if the supplied command is encoded.
Only applies to shell 'powershell'.
:param bool raise_err: If True and the command has a nonzero exit code,
a CommandExecutionError exception will be raised.
Warning:
This function does not process commands through a shell
unless the python_shell flag is set to True. This means that any
shell-specific functionality such as 'echo' or the use of pipes,
redirection or &&, should either be migrated to cmd.shell or
have the python_shell=True flag set here.
The use of python_shell=True means that the shell will accept any input
including potentially malicious commands such as 'good_command; rm -rf /'.
Be absolutely certain that you have sanitized your input prior to using
python_shell=True
:param list success_retcodes: This parameter will be allow a list of
non-zero return codes that should be considered a success. If the
return code returned from the run matches any in the provided list,
the return code will be overridden with zero.
New in version 2019.2.0
:param bool stdin_raw_newlines: False
If True, Salt will not automatically convert the characters \\n
present in the stdin value to newlines.
New in version 2019.2.0
CLI Example:
salt '*' cmd.run "ls -l | awk '/foo/{print \$2}'"
The template arg can be set to 'jinja' or another supported template
engine to render the command arguments before execution.
For example:
salt '*' cmd.run template=jinja "ls -l /tmp/{{grains.id}} | awk '/foo/{print \$2}'"
Specify an alternate shell with the shell parameter:
salt '*' cmd.run "Get-ChildItem C:\ " shell='powershell'
A string of standard input can be specified for the command to be run using
the stdin parameter. This can be useful in cases where sensitive
information must be read from standard input.
salt '*' cmd.run "grep f" stdin='one\ntwo\nthree\nfour\nfive\n'
If an equal sign (=) appears in an argument to a Salt command it is
interpreted as a keyword argument in the format key=val. That
processing can be bypassed in order to pass an equal sign through to the
remote shell command by manually specifying the kwarg:
salt '*' cmd.run cmd='sed -e s/=/:/g'
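
The python_shell warning in the sys.doc output above, as an added example (not Salt's code and not from the original page): plain Python subprocess calls model the two modes, with a harmless echo standing in for the destructive command in the docstring. The function names, the sample input and the use of shlex.split to model the non-shell path are assumptions.

```python
import shlex
import subprocess

# Constructed input in the shape of the docstring's 'good_command; rm -rf /',
# with a harmless echo in place of the destructive part.
UNTRUSTED = "report.txt; echo INJECTED"


def run_with_shell(user_value):
    """Models python_shell=True: the whole string is handed to /bin/sh."""
    cmd = "echo checking " + user_value
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(user_value):
    """Models python_shell=False: the string is split into argv, no shell runs."""
    argv = shlex.split("echo checking " + user_value)
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_with_shell_quoted(user_value):
    """When a pipe is really needed, quote every untrusted value first."""
    cmd = "echo checking " + shlex.quote(user_value) + " | tr a-z A-Z"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # With a shell, ';' ends the first command and the second one executes.
    print(repr(run_with_shell(UNTRUSTED)))
    # Without a shell, ';' is just a character in an argument to echo.
    print(repr(run_without_shell(UNTRUSTED)))
    # Quoted, the value stays one argument even though a shell parses the line.
    print(repr(run_with_shell_quoted(UNTRUSTED)))
```
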