| Table of Contents |
|---|
Required Hardware Spec.
...
Internal Ports (Backend Server 간): Trusted Network 구간
8000 : Salt-API Server - CH Server와 데이터 송수신.
9094 : Kapacitor - InfluxDB와 데이터 송수신.
Intermediate Ports (Agent ↔︎ Backend Server 간): Semi-Trusted Network 구간
| Warning |
|---|
아래 포트들은 모니터링 대상 호스트들(MO: Managed Objects)과의 통신에 사용됩니다. 아래 설정 예시와 같이 firewalld filter를 사용하거나, 혹은 tcp_wrappers 등을 사용하여 hosts.allow, hosts.deny 등에 ACL을 설정할 수 있습니다. |
4505-4506 : Salt-Master - Salt-Minion과 데이터 송수신.
8086 : InfluxDB - telegraf로부터 데이터 수신.
아래는 firewalld 설정 파일 예시이며,
| Status | ||||
|---|---|---|---|---|
|
| Code Block | ||
|---|---|---|
| ||
<!-- /etc/firewalld/zones/public.xml -->
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<port protocol="tcp" port="443"/>
<rule family="ipv4">
<source address="xxx.xxx.xxx.0/24"/>
<port protocol="tcp" port="4505-4506"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="xxx.xxx.xxx.xxx"/>
<port protocol="tcp" port="8000"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="xxx.xxx.xxx.xxx"/>
<port protocol="tcp" port="8086"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="xxx.xxx.xxx.xxx"/>
<port protocol="tcp" port="9094"/>
<accept/>
</rule>
</zone> |
...
Setting InfluxDB and Kapacitor containers via Docker Compose
| Note |
|---|
[주의] CloudHub와의 호환성 유지 CloudHub는 위 InfluxDB와 Kapacitor의 임의의 버전에는 상하위 호환되지 않을 수 있습니다. 반드시 CloudHub Release(https://github.com/snetsystems/cloudhub/releases)페이지에서 설치할 CloudHub 버전과 호환되는 InfluxDB와 Kapacitor 버전을 확인한 후, 해당 버전으로 설치해야 합니다. 예> |
...
Setting SaltStack for master
| Warning |
|---|
[주의] |
...
SaltStack 저장소 등록
Code Block language bash $ yum install -y epel-release $ rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/archive/3001.4/SALTSTACK-GPG-KEY.pub $ curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/archive/3001.4.repo | sudo tee /etc/yum.repos.d/salt.repo $ yum clean expire-cache
Salt-Master, Salt-API, Salt-Minion 설치
Code Block language bash $ yum install -y salt-master salt-api salt-minion
Config 설정
Salt-Master의 Config 와 Salt-API의 Config 파일을 설정해야 합니다.
Salt-Master :
$ vim /etc/salt/master.d/master.conf
Host에 여러 Interface가 있을 경우 Salt-Minion과 연결 가능한 네트워크 Interface IP로 설정해야 합니다.Status colour Red title 주의
ex) interface: 61.254.65.58
아래 예와 같이 any(0.0.0.0)로 설정해도 master ↔︎ minion 간 통신은 문제가 없으나,
CloudHub UI에서 원하지 않는 IP로 표시될 수 있습니다.Code Block language yaml ## log_level ## # One of 'garbage', 'trace', 'debug', info', 'warning'(default), 'error', 'critical'. log_level: info ##### Primary configuration settings ##### ########################################## # The address of the interface to bind to: interface: 0.0.0.0 # The tcp port used by the publisher: publish_port: 4505 # Allow minions to push files to the master. This is disabled by default, for # security purposes. # file_recv: True ##### State System settings ##### ########################################## # The state system uses a "top" file to tell the minions what environment to # use and what modules to use. The state_top file is defined relative to the # root of the base environment as defined in "File Server settings" below. state_top: top.sls ##### File Server settings ##### ########################################## # Salt runs a lightweight file server written in zeromq to deliver files to # minions. This file server is built into the master daemon and does not # require a dedicated port. # The file server works on environments passed to the master, each environment # can have multiple root directories, the subdirectories in the multiple file # roots cannot match, otherwise the downloaded files will not be able to be # reliably ensured. A base environment is required to house the top file. file_roots: base: - /srv/salt/prod qa: - /srv/salt/qa - /srv/salt/prod dev: - /srv/salt/dev - /srv/salt/qa - /srv/salt/prod # File Server Backend # # Salt supports a modular fileserver backend system, this system allows # the salt master to link directly to third party systems to gather and # manage the files available to minions. Multiple backends can be # configured and will be searched for the requested file in the order in which # they are defined here. The default setting only enables the standard backend # "roots" which uses the "file_roots" option. fileserver_backend: - roots ##### Security settings ##### ########################################## # The external auth system uses the Salt auth modules to authenticate and # validate users to access areas of the Salt system. external_auth: pam: saltdev: - .* - '@runner' - '@wheel' - '@jobs' # Allow eauth users to specify the expiry time of the tokens they generate. # A boolean applies to all users or a dictionary of whitelisted eauth backends # and usernames may be given. token_expire_user_override: pam: - saltdev ##### API Server settings ##### ########################################## rest_cherrypy: port: 8000 disable_ssl: TrueSalt-Minion :
$ vim /etc/salt/minion.d/minion.confCode Block language yaml ## log_level ## # One of 'garbage', 'trace', 'debug', info', 'warning'(default), 'error', 'critical'. log_level: info master: <master ip address> id: <유일한 minion id 설정해야 하며, 생략 시, hostname = minion id>
계정 생성 및 패스워드 설정
아래 추가된 password는 추후 salt-api authentication을 위한pam_token를 발급 받는데 쓰이므로, 잘 기억해두어야 합니다.Code Block language bash $ useradd saltdev $ passwd <password> Changing password for user saltdev. New password:
서비스 시작
Code Block language bash $ systemctl enable salt-master $ systemctl start salt-master $ systemctl enable salt-api $ systemctl start salt-api $ systemctl enable salt-minion $ systemctl start salt-minion
...