Installing SaltStack on CentOS 6.4

SaltStack overview

SaltStack is a centralized server infrastructure management platform that appeared after Puppet and Chef, offering configuration management, remote execution and monitoring. It is written in Python and built on the lightweight ZeroMQ message queue together with third-party Python modules (pyzmq, PyCrypto, Jinja2, python-msgpack, PyYAML and others). SaltStack is open source, with its source code hosted on GitHub, and the official documentation covers installation and use. It has been attracting growing attention for its simple deployment, rich feature set and extensibility, multi-platform support, and secure, reliable master/minion connections.

System environment

I used CentOS 6.4 64-bit; the exact release is recorded in /etc/centos-release. The two hosts keep their names from a Hadoop setup, so note that hadoop-slave is the Salt master here:

hadoop-master   192.168.186.128   # managed node (salt-minion)
hadoop-slave    192.168.186.129   # Salt master (salt-master, plus a local minion)

Installing SaltStack

Installation follows the official documentation, which describes two methods: pip and EPEL. I first tried pip (the Python side is covered in my Python environment setup notes), but with pip you have to create /etc/salt and the master and minion configuration files yourself, and also place the init scripts in /etc/init.d by hand. That is tedious, so I went with EPEL.

Installing from EPEL

Salt has been available in EPEL since version 0.9.4, so it can be installed with yum on all the major RHEL-based distributions.

Enabling EPEL

If EPEL is not yet enabled on your system, enable it with the following command. Two things to be aware of: the release package is fetched over plain HTTP, and if the EPEL signing key has not been imported yet rpm only prints a NOKEY warning rather than refusing, so this first step trusts the download itself. The i386 path works on a 64-bit system because epel-release is a noarch package.

[root@hadoop-slave ~]# rpm -Uvh http://ftp.linux.ncsu.edu/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Installation error

[root@hadoop-slave ~]# yum -y install salt-master
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again

Fix: in /etc/yum.repos.d/epel.repo, comment out the mirrorlist= line and uncomment the baseurl= line instead, leaving gpgcheck=1 in place so packages are still signature-checked, then rebuild the cache:

[root@hadoop-slave yum.repos.d]# yum clean all
[root@hadoop-slave yum.repos.d]# yum makecache
[root@hadoop-slave yum.repos.d]# yum install salt-master -y
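The epel.repo edit above, done with sed so it is repeatable, plus a check that GPG verification is still on in every section (the whole point of the fallback from the HTTPS metalink to an HTTP baseurl being acceptable). This is an added example and not from the original post; the repo content it writes is a constructed approximation of the epel-release-6 file, not copied from the page.

```shell
#!/bin/sh
# Added example: switch epel.repo from mirrorlist to baseurl, then confirm
# gpgcheck is still enabled for every section. The sample repo file below is
# constructed so this runs without touching /etc/yum.repos.d.

# use_baseurl FILE: comment out every mirrorlist= line and enable the
# commented-out baseurl= line in each [section]. Writes via a temp file
# so the edit is atomic and works without GNU sed -i.
use_baseurl() {
    sed -e 's/^mirrorlist=/#mirrorlist=/' -e 's/^#baseurl=/baseurl=/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# gpgcheck_enabled FILE: succeed only if every [section] sets gpgcheck=1 and
# none sets gpgcheck=0. Pulling packages from an HTTP baseurl is fine only
# while rpm still verifies the EPEL signature on each package.
gpgcheck_enabled() {
    awk '
        /^\[/        { if (insec && !ok) bad = 1; insec = 1; ok = 0 }
        /^gpgcheck=1/ { ok = 1 }
        /^gpgcheck=0/ { bad = 1 }
        END           { if (insec && !ok) bad = 1; exit bad }
    ' "$1"
}

# write_sample_epel_repo FILE: constructed approximation of epel.repo as
# shipped by epel-release-6 (two sections, mirrorlist active, baseurl commented).
write_sample_epel_repo() {
    cat > "$1" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1
EOF
}

# Demo on a temp copy. On the real box:
#   use_baseurl /etc/yum.repos.d/epel.repo && gpgcheck_enabled /etc/yum.repos.d/epel.repo \
#     && yum clean all && yum makecache
sample=$(mktemp)
write_sample_epel_repo "$sample"
use_baseurl "$sample"
if gpgcheck_enabled "$sample"; then
    echo "baseurl enabled, gpgcheck still on:"
    grep -E '^(#?mirrorlist|#?baseurl|gpgcheck)=' "$sample"
else
    echo "refusing: a section has gpgcheck disabled or missing" >&2
fi
rm -f "$sample"
```

If gpgcheck_enabled fails on your copy of the file, fix the section before running yum makecache; a repository reached over plain HTTP with gpgcheck=0 lets anyone on the path hand you arbitrary packages.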

Installing dependencies

This step complains that python-jinja2 is missing; adding the RPMforge repository provides it. RPMforge is a third-party repository that can shadow base packages, so once python-jinja2 is installed it is worth setting enabled=0 in its .repo file or limiting it with includepkgs.

[root@hadoop-slave ~]# wget http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
[root@hadoop-slave ~]# rpm -Uvh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
[root@hadoop-slave ~]# yum install python-jinja2
[root@hadoop-slave yum.repos.d]# yum install salt-master -y

Next it asks for python-six:

[root@hadoop-slave ~]# wget ftp://ftp.ntua.gr/pub/linux/centos/6.7/extras/i386/Packages/python-six-1.7.3-1.el6.centos.noarch.rpm
[root@hadoop-slave ~]# rpm -ivh python-six-1.7.3-1.el6.centos.noarch.rpm
[root@hadoop-slave yum.repos.d]# yum install salt-master -y

That did it; the master installed successfully.

Installing the master and minion packages

Salt's master and minion are separate packages, and a machine only needs the one for its role. Normally there is one master and many minions, so install salt-master on a single host and salt-minion everywhere else. Here hadoop-slave gets both salt-master and salt-minion (so the master can manage itself) and hadoop-master gets salt-minion:

[root@hadoop-slave ~]# yum install salt-master -y
[root@hadoop-slave ~]# yum install salt-minion -y
[root@hadoop-master ~]# yum install salt-minion -y

SaltStack configuration

Master-side configuration

Open the master configuration and set interface to the address the master should listen on, 192.168.186.129 (the default binds to all interfaces):

[root@hadoop-slave ~]# vi /etc/salt/master
# The address of the interface to bind to:
interface: 192.168.186.129

Minion-side configuration

Point the local minion at the master. Its minion ID defaults to the hostname, which is the name that will show up in salt-key:

[root@hadoop-slave ~]# vi /etc/salt/minion
# resolved, then the minion will fail to start.
master: 192.168.186.129

Starting the Salt services

Restart both daemons, enable them at boot, and list the keys the master has seen. The [FAILED] when stopping salt-minion only means it had not been running yet.

[root@hadoop-slave ~]# /etc/init.d/salt-master restart
Stopping salt-master daemon: [ OK ]
Starting salt-master daemon: [ OK ]
[root@hadoop-slave ~]# /etc/init.d/salt-minion restart
Stopping salt-minion daemon: [FAILED]
Starting salt-minion daemon: [ OK ]
[root@hadoop-slave ~]# chkconfig salt-master on
[root@hadoop-slave ~]# chkconfig salt-minion on
[root@hadoop-slave ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
hadoop-slave
Rejected Keys:
[root@hadoop-slave ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
hadoop-slave
Proceed? [n/Y] y
Key for minion hadoop-slave accepted.
[root@hadoop-slave ~]# salt-key -L
Accepted Keys:
hadoop-slave
Denied Keys:
Unaccepted Keys:
Rejected Keys:

salt-key -A accepts every pending key at once without asking who generated it. That is fine here, because the only pending key belongs to the master's own local minion.

Adding a minion

Now add a second minion. For the master to see it, iptables on the master must let it in: either stop iptables for the moment or, better, add rules that open only tcp/4505 and tcp/4506; the firewall rules are covered below.

[root@hadoop-master ~]# vi /etc/salt/minion
# resolved, then the minion will fail to start.
master: 192.168.186.129
[root@hadoop-master ~]# /etc/init.d/salt-minion restart
Stopping salt-minion daemon: [ OK ]
Starting salt-minion daemon: [ OK ]
[root@hadoop-master ~]# chkconfig salt-minion on
[root@hadoop-slave ~]# salt-key -L
Accepted Keys:
hadoop-slave
Denied Keys:
Unaccepted Keys:
hadoop-master
Rejected Keys:
[root@hadoop-slave ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
hadoop-master
Proceed? [n/Y] y
Key for minion hadoop-master accepted.
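Both salt-key -A steps above accept whatever key is pending under a given minion ID. Anything that can reach tcp/4506 on the master can present a key under the name hadoop-master, so before accepting a key from a remote host, compare the fingerprint the master shows (salt-key -f hadoop-master) with the one the minion itself reports (salt-call --local key.finger, run on hadoop-master). The script below is an added example, not part of the original post: salt-key -f, salt-key -a and salt-call --local key.finger are real Salt commands, but the exact layout of their output that the regex assumes, and the sample fingerprints, are constructed here.

```shell
#!/bin/sh
# Added example: check a pending minion key's fingerprint against the one the
# minion reports before accepting it, instead of blindly running salt-key -A.
# Assumed output layout (constructed below): `salt-key -f <id>` prints the
# key section header and "<id>:  <fingerprint>"; `salt-call --local key.finger`
# prints "local:" and the fingerprint on the next line. Adjust the regex if
# your Salt version prints differently.

# Pull the first colon-separated hex fingerprint (md5: 16 pairs, sha256: 32)
# out of whatever text is on stdin. Prints nothing if none is present.
extract_fingerprint() {
    grep -oE '([0-9a-f]{2}:){7,}[0-9a-f]{2}' | head -n 1
}

# verify_fingerprints MASTER_OUTPUT MINION_OUTPUT
# Returns 0 only when both contain a fingerprint and the two are identical.
verify_fingerprints() {
    master_fp=$(printf '%s\n' "$1" | extract_fingerprint)
    minion_fp=$(printf '%s\n' "$2" | extract_fingerprint)
    [ -n "$master_fp" ] && [ "$master_fp" = "$minion_fp" ]
}

# accept_verified_minion MINION_ID MINION_FINGER_OUTPUT
# Run on the master. MINION_FINGER_OUTPUT is what `salt-call --local key.finger`
# printed on the minion, brought over a channel you already trust (e.g. the
# SSH session you used to install it). Only accepts the key on a match.
accept_verified_minion() {
    id=$1
    master_out=$(salt-key -f "$id" 2>/dev/null) || return 1
    if verify_fingerprints "$master_out" "$2"; then
        salt-key -y -a "$id"
    else
        echo "fingerprint mismatch for $id; key NOT accepted" >&2
        return 1
    fi
}

# --- constructed sample output, so this file runs on a box without Salt ---
SAMPLE_FP='8c:f7:1e:0a:4b:92:d3:55:6e:77:c0:11:2f:a8:be:09'
SAMPLE_MASTER_OUT="Unaccepted Keys:
hadoop-master:  $SAMPLE_FP"
SAMPLE_MINION_OUT="local:
    $SAMPLE_FP"
SAMPLE_ROGUE_OUT="local:
    00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"

if verify_fingerprints "$SAMPLE_MASTER_OUT" "$SAMPLE_MINION_OUT"; then
    echo "sample: fingerprints match; safe to run: salt-key -y -a hadoop-master"
fi
if ! verify_fingerprints "$SAMPLE_MASTER_OUT" "$SAMPLE_ROGUE_OUT"; then
    echo "sample: fingerprint differs; a rogue minion would be refused"
fi
```

In practice you run salt-call --local key.finger on the new minion, paste its output into accept_verified_minion on the master, and only a matching fingerprint leads to salt-key -a. A key that does not match should be deleted with salt-key -d and the host investigated, since the minion ID is chosen by whoever connects.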

Everything is in place; now we can test.

Testing SaltStack

[root@hadoop-slave ~]# salt "*" test.ping
hadoop-master:
    True
hadoop-slave:
    True

Firewall configuration

Open ports 4505 (ZeroMQ publish) and 4506 (return/request) on the master, either with lokkit or by editing the iptables configuration file.

Opening ports with lokkit

Some Linux distributions ship lokkit, a command-line front end that makes opening iptables ports straightforward. Take care not to lock yourself out of SSH: lokkit regenerates the whole rule set, so list 22:tcp explicitly as below (port 22 then shows up twice in the result because the ssh service was already allowed).

[root@hadoop-slave ~]# lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp  # open 4505 and 4506 (keeping 22); the result is written to /etc/sysconfig/iptables
[root@hadoop-slave ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:4505
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:4506
8 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

[root@hadoop-slave ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4505 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4506 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Editing the configuration file

Add the two rules to /etc/sysconfig/iptables above the final -A INPUT -j REJECT line (rules placed after it are never reached), then restart iptables:

[root@hadoop-slave ~]# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4505 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4506 -j ACCEPT
[root@hadoop-slave ~]# /etc/init.d/iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@hadoop-slave ~]# salt "*" test.ping
hadoop-slave:
    True
hadoop-master:
    True

lokkit writes the file and reloads the rules for you; after editing the file by hand you must restart the iptables service yourself. Either way, the rules above accept connections to 4505 and 4506 from any source (0.0.0.0/0); on a master that is reachable from outside the minion network, add -s with that network so only your minions can talk to the ZeroMQ ports.
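The file-edit method above shows only the two lines to add, not where they go or how to confine them. The script below is an added example, not from the original post: it inserts the salt-master rules directly before the INPUT chain's REJECT line, limits them to the minion network rather than 0.0.0.0/0 (going one step beyond the page's rules), skips rules that are already present so repeated runs do not duplicate them, and checks that the ports are accepted before the REJECT. The network 192.168.186.0/24 is an assumption taken from the addresses used on this page, and the iptables file it works on is a constructed copy of the page's pre-Salt rule set.

```shell
#!/bin/sh
# Added example: put the salt-master accept rules into an iptables
# configuration where they actually take effect, restricted to the minion
# network, and verify the result. Runs against a constructed temp file.

# salt_master_rules NET: print accept rules for the ZeroMQ publish (4505) and
# return (4506) ports, limited to the given source network.
salt_master_rules() {
    for port in 4505 4506; do
        printf '%s\n' "-A INPUT -s $1 -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    done
}

# insert_salt_rules FILE NET: insert the rules just before the first
# `-A INPUT ... -j REJECT` line. Pass 1 records existing lines so a rule that
# is already there is not added twice (cf. the doubled dport 22 line above).
insert_salt_rules() {
    file=$1
    rules=$(salt_master_rules "$2")
    awk -v rules="$rules" '
        BEGIN { n = split(rules, want, "\n") }
        NR == FNR { have[$0] = 1; next }            # pass 1: existing lines
        /^-A INPUT .*-j REJECT/ && !inserted {      # pass 2: insert before REJECT
            for (i = 1; i <= n; i++) if (!(want[i] in have)) print want[i]
            inserted = 1
        }
        { print }
    ' "$file" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# verify_salt_rules FILE: succeed only if ACCEPT rules for 4505 and 4506
# appear before the INPUT chain's REJECT line; anything after it is dead.
verify_salt_rules() {
    awk '
        /^-A INPUT .*-j REJECT/ { rejected = 1 }
        /^-A INPUT .*--dport 4505 .*-j ACCEPT/ && !rejected { p4505 = 1 }
        /^-A INPUT .*--dport 4506 .*-j ACCEPT/ && !rejected { p4506 = 1 }
        END { exit !(p4505 && p4506) }
    ' "$1"
}

# write_sample_iptables FILE: constructed copy of the page's firewall file
# from before the Salt ports were opened.
write_sample_iptables() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo on a temp file. On the master itself:
#   insert_salt_rules /etc/sysconfig/iptables 192.168.186.0/24 \
#     && verify_salt_rules /etc/sysconfig/iptables && /etc/init.d/iptables restart
sample=$(mktemp)
write_sample_iptables "$sample"
insert_salt_rules "$sample" 192.168.186.0/24
if verify_salt_rules "$sample"; then
    echo "salt rules are in place before the REJECT:"
    grep -E -- '--dport (4505|4506)|-j REJECT' "$sample"
fi
rm -f "$sample"
```

Run verify_salt_rules on the real file after every edit; a rule that ends up below the REJECT line looks correct in the file but is never consulted, and salt "*" test.ping from the new minion will simply time out.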

References