SaltStack tools: salt-ssh and salt-api

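With salt-ssh, the master can deploy to hosts that do not have salt-minion installed.
Current environment: server3 is the salt-master; server4 either has no salt-minion installed or its salt-minion service is not running.
(All hosts in this article are on the 172.25.17 network, and host names correspond to IP addresses, e.g. 172.25.17.3 is server3. All salt and python packages have to be downloaded and added to a yum repository yourself.)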

salt-ssh setup:

1. Install salt-ssh on server3:

[root@server3 _modules]# yum install salt-ssh -y

Edit the configuration file:

[root@server3 _modules]# cd /etc/
[root@server3 etc]# vim salt/roster 

Define the host:

# Sample salt-ssh config file
#web1:
#  host: 192.168.42.1 # The IP addr or DNS hostname
#  user: fred         # Remote executions will be executed as user fred
#  passwd: foobarbaz  # The password to use for login, if omitted, keys are used
#  sudo: True         # Whether to sudo to root, not enabled by default
#web2:
#  host: 192.168.42.2

server4:
  host: 172.25.17.4
  user: root
  passwd: westos

2. Test:

[root@server3 etc]# salt-ssh server4 test.ping
server4:
    ----------
    retcode:
        254
    stderr:
    stdout:
        The host key needs to be accepted, to auto accept run salt-ssh with the -i flag:
        The authenticity of host '172.25.17.4 (172.25.17.4)' can't be established.
        RSA key fingerprint is 6e:f8:7e:5b:80:43:1e:b1:0b:07:67:83:03:44:79:c4.
        Are you sure you want to continue connecting (yes/no)? 
[root@server3 etc]# salt-ssh server4 test.ping -i
server4:
    True

Have server4 run the command df -h:

[root@server3 etc]# salt-ssh server4 cmd.run 'df -h'
server4:
    Filesystem                    Size  Used Avail Use% Mounted on
    /dev/mapper/VolGroup-lv_root   19G  1.1G   17G   7% /
    tmpfs                         499M   16K  499M   1% /dev/shm
    /dev/vda1                     485M   33M  427M   8% /boot
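
The roster above logs in to server4 as root with a password stored in clear text in /etc/salt/roster. The script below is an added example, not part of the original post: it lists the roster targets that carry a passwd entry so they can be moved to key authentication, which the sample comments say is used when passwd is omitted. The function names and the server5 target are constructed for the example.

```shell
#!/bin/sh
# Added example: report roster targets that store a plaintext password.

audit_roster() {            # usage: audit_roster ROSTER_FILE
    awk '
        function report() { # emit a finding for the target just parsed
            if (host != "" && has_pw)
                printf "%s: plaintext passwd in roster, login user %s\n", host, (user == "" ? "(default)" : user)
            host = ""; user = ""; has_pw = 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^[^ \t].*:[ \t]*$/ {                  # unindented "name:" opens a target
            report(); host = $1; sub(/:$/, "", host); next
        }
        $1 == "user:"   { user = $2 }
        $1 == "passwd:" { has_pw = 1 }
        END { report() }
    ' "$1"
}

sample_roster() {           # roster from this page plus one constructed key-based target
    cat <<'EOF'
# Sample salt-ssh config file
#web1:
#  passwd: foobarbaz  # The password to use for login, if omitted, keys are used
server4:
  host: 172.25.17.4
  user: root
  passwd: westos
server5:
  host: 172.25.17.5
  user: root
EOF
}

demo_roster() {             # audit the sample through a temporary file
    tmp=$(mktemp) && sample_roster > "$tmp" && audit_roster "$tmp"
    rm -f "$tmp"
}

demo_roster
```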

salt-api setup

1. Install salt-api on server3:

[root@server3 etc]# yum install salt-api -y

2. Go to the /etc/pki/tls/private/ directory and generate localhost.key:

[root@server3 etc]# cd /etc/pki/tls/private/
[root@server3 private]# openssl genrsa 1024 > localhost.key
Generating RSA private key, 1024 bit long modulus
..++++++
...............++++++
e is 65537 (0x10001)

Go to the /etc/pki/tls/certs directory and generate the HTTPS certificate:

[root@server3 private]# cd ..
[root@server3 tls]# cd certs/
[root@server3 certs]# make testcert
umask 77 ; \
    /usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server3
Email Address []:root@localhost
[root@server3 certs]# ls
ca-bundle.crt  ca-bundle.trust.crt  localhost.crt  make-dummy-cert  Makefile  renew-dummy-cert
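
The key generated in step 2 is a 1024-bit RSA key, and because it is written through a shell redirect its file mode follows the current umask. The script below is an added example, not part of the original post: it reports the RSA key size in the certificate and the permission bits on the private key. The 2048-bit minimum, the owner-only rule and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: audit the TLS certificate and key generated in step 2.
# The 2048-bit minimum and the owner-only rule are this example's thresholds.

cert_rsa_bits() {      # print the RSA key size of a PEM certificate, nothing if not RSA
    openssl x509 -in "$1" -noout -text | awk '
        /Public Key Algorithm: rsaEncryption/ { rsa = 1 }
        rsa && /Public-Key: \(/ { gsub(/[^0-9]/, ""); print; exit }'
}

audit_api_tls() {      # usage: audit_api_tls CERT KEY; exit status = number of findings
    findings=0
    bits=$(cert_rsa_bits "$1")
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WEAK: $1 carries a $bits-bit RSA key"
        findings=$((findings + 1))
    fi
    mode=$(stat -c '%a' "$2")          # GNU stat, as on the Linux hosts used here
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "EXPOSED: $2 has mode $mode, accessible beyond its owner"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Paths created in step 2; checked only when they exist on this host.
crt=/etc/pki/tls/certs/localhost.crt
key=/etc/pki/tls/private/localhost.key
if [ -r "$crt" ] && [ -r "$key" ]; then
    audit_api_tls "$crt" "$key" || echo "fix the findings above before starting salt-api"
fi
```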

3. Create the files api.conf and auth.conf in the /etc/salt/master.d directory:

[root@server3 _modules]# cd /etc/salt/master.d/
[root@server3 master.d]# ls
api.conf  auth.conf  -d  -H

api.conf:

rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost.key

auth.conf:

external_auth:
  pam:
    saltapi:
      - '.*'
      - '@wheel'
      - '@runner'
      - '@jobs'

Create the user saltapi and set its password to westos:

[root@server3 salt]# useradd saltapi
[root@server3 master.d]# passwd saltapi
Changing password for user saltapi.
New password: 
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.

4. Stop and start the salt-master service again (restart may fail), then start the salt-api service:

[root@server3 salt]# /etc/init.d/salt-master stop
Stopping salt-master daemon:                               [  OK  ]
[root@server3 salt]# /etc/init.d/salt-master status
salt-master is stopped
[root@server3 salt]# /etc/init.d/salt-master start
Starting salt-master daemon:                               [  OK  ]
[root@server3 salt]# /etc/init.d/salt-api start
Starting salt-api daemon:                                  [  OK  ]

Check port 8000:

[root@server3 master.d]# netstat -antlp |grep :8000
tcp        0      0 0.0.0.0:8000                0.0.0.0:*                   LISTEN      13203/salt-api -d   
tcp        0      0 127.0.0.1:44602             127.0.0.1:8000              TIME_WAIT   -                   

5. Get a token:

[root@server3 master.d]# curl -sSk https://localhost:8000/login -H 'Accept: application/x-yaml' -d username=saltapi -d password=westos -d eauth=pam
return:
- eauth: pam
  expire: 1534627922.797075
  perms:
  - .*
  - '@wheel'
  - '@runner'
  - '@jobs'
  start: 1534584722.7970741
  token: 1a6719e657e628375d29bf9a01c1d978ef390157
  user: saltapi
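
The login response above echoes the grants from auth.conf and the token's validity window. The script below is an added example, not part of the original post: it reads such a response, flags the entries that give unrestricted access, and computes the token lifetime from start and expire. The function names are made up for the example, and the sample is the response from this page with the token line left out.

```shell
#!/bin/sh
# Added example: summarize what a salt-api /login response grants.

audit_login() {        # reads the YAML response on stdin
    awk '
        $1 == "user:"   { user = $2 }
        $1 == "start:"  { start = $2 }
        $1 == "expire:" { expire = $2 }
        $1 == "perms:"  { in_perms = 1; next }
        in_perms && $1 == "-" {
            p = $2; gsub(/\047/, "", p)       # drop the YAML single quotes
            if      (p == ".*")      print "BROAD: .* matches every execution function on every minion"
            else if (p == "@wheel")  print "BROAD: @wheel allows all wheel modules on the master"
            else if (p == "@runner") print "BROAD: @runner allows all runner modules on the master"
            else                     print "perm: " p
            next
        }
        { in_perms = 0 }                      # any other line ends the perms list
        END { printf "user=%s token_lifetime_s=%.0f\n", user, expire - start }
    '
}

sample_login() {       # response copied from this page, token line omitted
    cat <<'EOF'
return:
- eauth: pam
  expire: 1534627922.797075
  perms:
  - .*
  - '@wheel'
  - '@runner'
  - '@jobs'
  start: 1534584722.7970741
  user: saltapi
EOF
}

sample_login | audit_login
```

For the response on this page the lifetime works out to 43200 seconds (12 hours); the master option token_expire controls it.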

Reach the minions:

[root@server3 master.d]# curl -sSk https://localhost:8000 -H 'Accept:application/x-yaml' -H 'X-Auth-Token:1a6719e657e628375d29bf9a01c1d978ef390157' -d client=local -d tgt='*' -d fun=test.ping
return:
- server3: true
  server5: true

Reposted from blog.csdn.net/letter_A/article/details/81810421