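Using salt-key in SaltStack
Introduction:
In SaltStack, the master and the minions rely on certificates (public/private key pairs) to encrypt their communication.
The salt-key command is the SaltStack tool for managing these certificates.
Usage: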
salt-key [options]
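Common options:
- -L, --list-all # list minion IDs, both authenticated and not yet authenticated
- -a ACCEPT, --accept=ACCEPT # accept the certificate request of a single ID
- -A, --accept-all # accept the certificate requests of all IDs
- -r REJECT, --reject=REJECT # reject the specified public key
- -R, --reject-all # reject all public keys that are currently pending
- -d DELETE, --delete=DELETE # delete the specified public key
- -D, --delete-all # delete all public keys
Certificate states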
salt-key -L
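Accepted Keys: # keys that have been accepted
Denied Keys: # keys that were denied
Unaccepted Keys: # keys that have not been added yet
Rejected Keys: # keys that were revoked
Examples:
1. List all certificates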
[root@salt-master ~]# salt-key -L
Accepted Keys:
web1
web2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
2. Delete a specific certificate
-d
[root@salt-master ~]# salt-key -d web1
The following keys are going to be deleted:
Accepted Keys:
web1
Proceed? [N/y] y
Key for minion web1 deleted.
Delete all certificates
[root@salt-master ~]# salt-key -D
The following keys are going to be deleted:
Accepted Keys:
web1
web2
Proceed? [N/y] y
Key for minion web1 deleted.
Key for minion web2 deleted.
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:
3. Accept a single certificate
-a
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
web1
web2
Rejected Keys:
[root@salt-master ~]# salt-key -a web1
The following keys are going to be accepted:
Unaccepted Keys:
web1
Proceed? [n/Y] y
Key for minion web1 accepted.
[root@salt-master ~]# salt-key -L
Accepted Keys:
web1
Denied Keys:
Unaccepted Keys:
web2
Rejected Keys:
[root@salt-master ~]# salt '*' test.ping
web1:
True
Accept all certificates
[root@salt-master ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
web2
Proceed? [n/Y] y
Key for minion web2 accepted.
4. Reject a single certificate request
-r
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
web1
web2
Rejected Keys:
[root@salt-master ~]# salt-key -r web1
The following keys are going to be rejected:
Unaccepted Keys:
web1
Proceed? [n/Y] y
Key for minion web1 rejected.
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
web2
Rejected Keys:
web1
Reject all
[root@salt-master ~]# salt-key -R
The following keys are going to be rejected:
Unaccepted Keys:
web2
Proceed? [n/Y] y
Key for minion web2 rejected.
If you do not want the interactive prompt, add -y.
All of the certificate files are stored on the salt-master.
Take care to keep them safe.
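Because -A (especially with -y) accepts every pending key without review, one check to run first is to compare the sections of salt-key -L against the list of hosts you expect. The following is an added example, not part of the original post; the function names and the INVENTORY set are assumptions, and the sample listing (including the ids web9 and db-old) is constructed.

```python
"""Triage `salt-key -L` output against an expected minion inventory."""
# Section headers exactly as `salt-key -L` prints them on this page.
SECTIONS = {"Accepted Keys:": "accepted", "Denied Keys:": "denied",
            "Unaccepted Keys:": "unaccepted", "Rejected Keys:": "rejected"}


def parse_key_list(text):
    """Return {state: [minion ids]} parsed from `salt-key -L` output."""
    keys = {state: [] for state in SECTIONS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):  # skip blanks and shell prompts
            continue
        if line in SECTIONS:
            current = SECTIONS[line]
        elif current is not None:
            keys[current].append(line)
    return keys


def triage(text, inventory):
    """Sort minion ids into what to accept, review, or clean up."""
    keys = parse_key_list(text)
    return {
        "accept": sorted(m for m in keys["unaccepted"] if m in inventory),
        "review": sorted(m for m in keys["unaccepted"] if m not in inventory),
        # Accepted ids missing from the inventory: stale or never approved.
        "stale": sorted(m for m in keys["accepted"] if m not in inventory),
        # Accepted and denied at once: the id presented a different key.
        "conflict": sorted(set(keys["denied"]) & set(keys["accepted"])),
    }


# Constructed sample listing; "web9" and "db-old" are hypothetical minion ids.
SAMPLE = """Accepted Keys:
web1
db-old
Denied Keys:
web1
Unaccepted Keys:
web2
web9
Rejected Keys:
"""
INVENTORY = {"web1", "web2"}  # assumed list of hosts that should exist

if __name__ == "__main__":
    print(triage(SAMPLE, INVENTORY))
```

Only the ids under "accept" would then be passed one at a time to salt-key -a; anything under "review" or "conflict" is looked at by hand first.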
[root@salt-master master]# pwd
/etc/salt/pki/master
[root@salt-master master]# tree
.
├── master.pem
├── master.pub
├── minions
├── minions_autosign
├── minions_denied
├── minions_pre
└── minions_rejected
    ├── web1
    └── web2
From: https://www.cnblogs.com/machangwei-8/p/17707062.html