Salt configuration
After successful installation of the necessary SaltStack packages, we proceed with the configuration.
Installation is described here .
Salt configuration
Salt configuration is very simple. The default configuration of the Wizard will work in most installations and the only requirement is to set the Minion to set the location of the Wizard in the configuration file.
')
The configuration files will be installed in / etc / salt and named after the respective components, / etc / salt / master and / etc / salt / minion .
Wizard Configuration
By default, the wizard listens on ports 4505 and 4506 on all interfaces (0.0.0.0). To pair Salt with a specific IP, override the “interface” parameter in / etc / salt / master
- #interface: 0.0.0.0 + interface: 10.0.0.1 After editing, restart the salt-master service . For details, see the wizard setup reference .
Minion Configuration
Although there are many configuration options, setting up Salt Minion is very simple. By default, it tries to connect using the DNS name “salt” .
If the Minion can correctly resolve the name, then no configuration is required. If the Minion cannot correctly resolve the name, then override the “master” parameter in the / etc / salt / minion configuration file:
- #master: salt + master: 10.0.0.1 After editing, restart the salt-minion service .
Salt launch
The wizard can be run in the background via the command line as a daemon:
# salt-master -d The wizard can also be run in debug mode, thus greatly increasing the output of commands:
# salt-master -l debug # salt-master --log-level=debug Run from unprivileged user
To run Salt from another user, set the user parameter to / etc / salt / master .
Additionally, you need to set the owner and rights so that the desired user has read / write permissions on the next. directories (and their subdirectories, where applicable):
/etc/salt /var/cache/salt /var/log/salt /var/run/salt # chown -R user /etc/salt /var/cache/salt /var/log/salt /var/run/salt Key authentication
Salt provides commands to authenticate your Salt Master and Salt-Minion before starting key exchange. Checking the key helps to avoid inadvertently connecting to the wrong Salt Master and helps prevent potential MiTM attacks when establishing the initial connection.
Fingerprint Master key
Print the master key fingerprint by running the following command on the Salt Master:
# salt-key -F master Local Keys: master.pem: 6c:a0:e8:b0:84:36:59:86:b6:49:c3:fb:87:a4:c4:e9 master.pub: d9:c6:e0:42:76:e5:82:f7:13:6a:65:ee:cb:f3:2e:aa Copy master.pu b thumbprint from the Local Keys section and set master_finger as the parameter in the Minion configuration file. Save and restart the salt-minion service .
Imprint Minion Key
Run the following command on each Salt minion to print the imprint of the minion's key:
# salt-call --local key.finger Compare this value with the value that is displayed when you run the command on Salt Master
# salt-key --finger <MINION_ID> Key management
Salt uses AES encryption for all communications between the Master and Minion. This ensures that the commands sent to the Minions can be tampered with and that the connection between the Master and the Minion is confirmed by trusted accepted keys.
Before a team can be sent to the Minion, its key must be passed to the Master. Run the salt-key command to list the keys known to the wizard:
# salt-key -L Accepted Keys: salt01.local Denied Keys: Unaccepted Keys: Rejected Keys: The salt-key command allows you to accept keys both individually and at once.
To accept all the keys that are pending:
# salt-key -A To accept a specific key:
# salt-key -a minion01.local → man by salt-key
Sending commands
The connection between the Master and Mignon can be checked by running the test.ping command:
# salt alpha test.ping alpha: True The connection between the Master and all Minions can be checked by running the command.
# salt '*' test.ping alpha: True bravo: True charlie: True delta: True Each Minion must send a True response, as shown above.
→ Source
Source: https://habr.com/ru/post/315056/
All Articles