SaltStack User Manual
SaltStack references:
https://docs.saltstack.com/en/latest/
http://blog.chinaunix.net/uid-10915175-id-4395273.html
http://www.saltstack.cn/kb/managing-firewall-with-salt/
https://docs.saltstack.com/en/getstarted/config/jinja.htm
https://repo.saltstack.com/yum/redhat/6/x86_64/2017.7/
First, fill in the hosts file (or deploy internal DNS) so every host name resolves:
cat /etc/hosts
192.168.99.2 saltstack-master.example.com
192.168.99.4 saltstack-node1.example.com
192.168.99.5 saltstack-node2.example.com
192.168.3.37 saltstack-node3.example.com
I. Installing and deploying SaltStack
1. Environment:
1. CentOS 6.5, CentOS 5.6
2. SaltStack version:
1. salt-2017.7.1-1.el6.noarch
3. Install the official Salt repository:
1. cd /etc/yum.repos.d/
2. yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el6.noarch.rpm
4. Deploy salt-master and salt-minion
1. yum install salt-master
2. yum install salt-minion
5. Start the services
1. /etc/init.d/salt-master start
2. /etc/init.d/salt-minion start
II. The salt-key command (used to authenticate client keys):
salt-key -L                                list all keys, i.e. all minions
A newly joined host shows up with its key not yet accepted
Accept the key with the -A option
salt-key -d saltstack-master.example.com   delete a single client's key
Test that every accepted key can now communicate with the master
-A: accept all pending client keys
-d: delete a single accepted key, i.e. remove a single minion
-D: delete all keys, i.e. remove every minion
-r: reject a single key, putting it on the blacklist
-R: reject all keys, putting every one of them on the blacklist
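Because salt-key -A accepts every pending key, any host that can reach port 4506 and claim a minion id gets accepted along with the genuine ones. The script below is an added example for this section, not part of the original manual and not SaltStack's own code: it mirrors the master's key directory layout (pki_dir/minions_pre for pending keys, pki_dir/minions for accepted ones) and accepts a pending key only when its fingerprint equals one recorded out of band, for instance read from the new host's console with salt-call --local key.finger. The fingerprint computation is an assumption (SHA-256 over the PEM body with the BEGIN/END lines removed, printed colon-separated like salt-key -f); the key files are constructed stand-ins, not real RSA keys.

```python
"""Accept pending minion keys only when their fingerprint is known."""
import hashlib
import os
import shutil
import tempfile


def pem_finger(pem_text):
    """Colon-separated SHA-256 fingerprint of a PEM public key body.
    Assumed to follow the salt-key -f format; header/footer lines are dropped."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    body = "".join(line for line in lines if not line.startswith("-----"))
    digest = hashlib.sha256(body.encode("ascii")).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def accept_verified_keys(pki_dir, expected):
    """Move a pending key into minions/ only when its fingerprint equals
    expected[minion_id]; unknown or mismatching keys stay pending for a
    human to inspect. Returns {"accepted": [...], "held": [...]}."""
    pending_dir = os.path.join(pki_dir, "minions_pre")
    accepted_dir = os.path.join(pki_dir, "minions")
    os.makedirs(accepted_dir, exist_ok=True)
    result = {"accepted": [], "held": []}
    for minion_id in sorted(os.listdir(pending_dir)):
        path = os.path.join(pending_dir, minion_id)
        with open(path, encoding="ascii") as fh:
            finger = pem_finger(fh.read())
        if expected.get(minion_id) == finger:
            shutil.move(path, os.path.join(accepted_dir, minion_id))
            result["accepted"].append(minion_id)
        else:
            result["held"].append(minion_id)
    return result


def fake_pem(label):
    """Constructed stand-in for a minion public key (not a real RSA key)."""
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % (
        label.encode("ascii").hex())


def demo():
    """Throw-away pki_dir: node1 and node2 present the keys whose fingerprints
    were recorded; the key pending under node3's id was generated elsewhere
    (constructed), so it must stay pending."""
    pki_dir = tempfile.mkdtemp(prefix="salt-pki-")
    pending = os.path.join(pki_dir, "minions_pre")
    os.makedirs(pending)
    genuine = {
        "saltstack-node1.example.com": fake_pem("node1-genuine-key"),
        "saltstack-node2.example.com": fake_pem("node2-genuine-key"),
        "saltstack-node3.example.com": fake_pem("node3-genuine-key"),
    }
    expected = {mid: pem_finger(pem) for mid, pem in genuine.items()}
    presented = dict(genuine)
    presented["saltstack-node3.example.com"] = fake_pem("someone-elses-key")
    for mid, pem in presented.items():
        with open(os.path.join(pending, mid), "w", encoding="ascii") as fh:
            fh.write(pem)
    try:
        return accept_verified_keys(pki_dir, expected)
    finally:
        shutil.rmtree(pki_dir)


if __name__ == "__main__":
    print(demo())
```

Run it on the master as the user that owns pki_dir; in the demo the held key stays in minions_pre, where salt-key -L still shows it as unaccepted, and deleting it is the same salt-key -d step described above.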
III. Master and minion configuration file reference:
master:
interface: 192.168.0.1               local interface to bind to; must be an IP address
publish_port: 4505                   network port for the publish interface
user: root                           user the salt daemon runs as
ret_port: 4506                       port used by the return server
pidfile: /var/run/salt-master.pid
conf_file: /etc/salt/master          path to the main configuration file
pki_dir: /etc/salt/pki/master        directory holding the PKI authentication keys
cachedir: /var/cache/salt/master     directory for cache data
verify_env: True                     verify and set the permissions of the configuration directories at startup
keep_jobs: 24                        number of hours to keep old job information
sock_dir: /var/run/salt/master       location of the Unix sockets used for master process communication
log_file: /var/log/salt/master       location of the master log file
minion:
master: 192.168.99.2                 address of the master
max_event_size: 1048576              maximum size of a single event on the minion event bus, in bytes
pidfile: /var/run/salt-minion.pid    where the daemon PID is stored
conf_file: /etc/salt/minion          path to the minion configuration file
cachedir: /var/cache/salt/minion     directory for cache data
verify_env: True                     verify and set the permissions of the configuration directories at startup
return_retry_timer: 5                default timeout for return retries
tcp_pub_port                         publish port used when the transport is tcp
log_file: /var/log/salt/minion       location of the minion log file
tcp_keepalive_cnt: 1                 ZeroMQ TCP keepalive count
tcp_keepalive_intvl: 1               ZeroMQ TCP keepalive interval
Master configuration file: mainly defines the project directories
Define node groups:
Modify the minion configuration file
IV. Grains:
salt '*' grains.ls       list the grain names reported by the clients
salt '*' grains.items    show the grains of the clients with their values
1. Edit the grains file:
vim /etc/salt/grains
# top-level keys in /etc/salt/grains are the grains themselves
roles:
  - webserver
  - memcache
2. Match on grains:
salt -G 'roles:webserver' test.ping
V. SaltStack remote execution
Targeting rules:
salt '*' cmd.run 'df -h'                                   run a shell command remotely with the cmd module
salt -C 'G@os:CentOS and dest' test.ping                    -C: compound matching
salt -N dest test.ping                                      -N: match a nodegroup
salt -S 192.168.99.0/24 test.ping                           -S: match a subnet or IP address
salt -L 'saltstack-node1.example.com,saltstack-node2.example.com' test.ping    -L: match a list of minion ids
salt -E 'saltstack-(node1|node2).example.com' test.ping     -E: regular-expression matching
salt 'saltstack-node[1-3].example.com' test.ping            default glob matching on the minion id
salt 'saltstack-node1.example.com' sys.list_functions file  list the functions of a module
salt 'saltstack-node1.example.com' sys.doc cmd | grep run   view the help text of a module
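To see what each targeting option actually selects, and how the grains from section IV feed into -G and -C, here is an added example that re-implements the matchers of sections IV and V in Python over a constructed inventory. It is not Salt's own matcher code; the minions, their grains, their IPs and the nodegroup dest are made up to resemble the hosts file at the top of this manual, and the compound matcher is a simplified one supporting and / or / not / parentheses with the G@ E@ L@ S@ N@ prefixes.

```python
"""Simplified re-implementation of Salt targeting over a constructed inventory."""
import fnmatch
import ipaddress
import re

# Constructed inventory: minion id -> grains as the master would see them.
MINIONS = {
    "saltstack-master.example.com": {"os": "CentOS", "osrelease": "6.5", "ipv4": ["192.168.99.2"], "roles": []},
    "saltstack-node1.example.com": {"os": "CentOS", "osrelease": "6.5", "ipv4": ["192.168.99.4"], "roles": ["webserver", "memcache"]},
    "saltstack-node2.example.com": {"os": "CentOS", "osrelease": "5.6", "ipv4": ["192.168.99.5"], "roles": ["webserver"]},
    "saltstack-node3.example.com": {"os": "CentOS", "osrelease": "6.0", "ipv4": ["192.168.3.37"], "roles": []},
}
# Constructed nodegroup, as it would appear under `nodegroups:` in the master config.
NODEGROUPS = {"dest": ["saltstack-node1.example.com", "saltstack-node2.example.com"]}


def match_glob(pattern):      # default matcher: shell-style glob on the minion id
    return {m for m in MINIONS if fnmatch.fnmatchcase(m, pattern)}


def match_regex(pattern):     # -E: regex anchored at the start of the id (re.match)
    rx = re.compile(pattern)
    return {m for m in MINIONS if rx.match(m)}


def match_list(spec):         # -L: comma-separated exact ids
    wanted = {s.strip() for s in spec.split(",")}
    return {m for m in MINIONS if m in wanted}


def match_subnet(cidr):       # -S: any ipv4 grain inside the network
    net = ipaddress.ip_network(cidr, strict=False)
    return {m for m, g in MINIONS.items()
            if any(ipaddress.ip_address(ip) in net for ip in g["ipv4"])}


def match_grain(spec):        # -G: key:glob; a list-valued grain matches on any element
    key, _, pattern = spec.partition(":")
    out = set()
    for m, g in MINIONS.items():
        values = g.get(key, [])
        values = values if isinstance(values, list) else [values]
        if any(fnmatch.fnmatchcase(str(v), pattern) for v in values):
            out.add(m)
    return out


def match_nodegroup(name):    # -N: group defined on the master
    return set(NODEGROUPS.get(name, []))


PREFIXED = {"G": match_grain, "E": match_regex, "L": match_list,
            "S": match_subnet, "N": match_nodegroup}


def match_compound(expr):
    """-C: boolean combination of the matchers above. `not` binds tightest,
    then `and`, then `or`; parentheses must be space-separated tokens."""
    tokens = expr.split()
    pos = 0

    def atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression: %r" % expr)
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return set(MINIONS) - atom()
        if tok == "(":
            inner = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')' in %r" % expr)
            pos += 1
            return inner
        if len(tok) > 2 and tok[1] == "@" and tok[0] in PREFIXED:
            return PREFIXED[tok[0]](tok[2:])
        return match_glob(tok)   # bare word: glob on the minion id

    def parse_and():
        nonlocal pos
        left = atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            left = left & atom()
        return left

    def parse_or():
        nonlocal pos
        left = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            left = left | parse_and()
        return left

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


if __name__ == "__main__":
    for spec in ["saltstack-node[1-3].example.com", "G@osrelease:6.* and not N@dest",
                 "S@192.168.99.0/24 or E@.*node3"]:
        print(spec, "->", sorted(match_compound(spec)))
```

Note that a bare word such as dest in the page's -C example is a glob on the minion id, not a nodegroup; the nodegroup form inside a compound expression is N@dest.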
VI. Writing SLS files with Jinja templates;
Jinja template examples: https://docs.saltstack.com/en/latest/topics/jinja/index.html
1. backup: implemented with file.managed; cmd.run creates the directory
download_file_1:
  file.managed:
    - name: /etc/cron.d/backup
    - source: salt://backup/files/backup.erb
    - user: root
    - group: root
    - mode: 644
download_file_2:
  file.managed:
    - name: /etc/rsync_only_backup_remote.pwd
    - source: salt://backup/files/rsync_only_backup_remote.pwd.erb
    - user: root
    - group: root
    - mode: 600
cmd_mkdir:
  cmd.run:
    - name: mkdir -pv /opt/scripts/remote_backup_not_delete/
    - unless: test -d /opt/scripts/remote_backup_not_delete/
    # owner/group/mode are file.managed arguments, not cmd.run arguments
download_file_3:
  file.managed:
    - name: /opt/scripts/remote_backup_not_delete/backup_to_remote.sh
    - source: salt://backup/files/backup_to_remote.sh.erb
    - user: root
    - group: root
    - mode: 755
download_file_4:
  file.managed:
    - name: /opt/scripts/remote_backup_not_delete/check_table.sh
    - source: salt://backup/files/check_table.sh.erb
    - user: root
    - group: root
    - mode: 755
Run: salt 'saltstack-node1.example.com' state.sls backup.backup saltenv=backup
dns: uses file.managed
resolv.conf:
  file.managed:
    - name: /etc/resolv.conf
    - source: salt://dns/files/resolv.conf.erb
    - user: root
    - group: root
    - mode: 644
Run: salt 'saltstack-node1.example.com' state.sls dns.resolv_conf saltenv=dns
iptables: a for loop plus an if test plus file.managed
{% for list in ['saltstack-node1.example.com','saltstack-node2.example.com'] %}
{% if list == grains['fqdn'] %}
downloads_file_iptables:
  file.managed:
    - name: /etc/sysconfig/iptables
    - source: salt://auditd/files/{{ list }}_iptables.erb
    - user: root
    - group: root
    - mode: 600
iptables_service:
  service.running:
    - name: iptables
    - enable: True
    - reload: True
    - watch:
      - file: downloads_file_iptables
downloads_file_crontab:
  file.managed:
    - name: /etc/cron.d/iptables
    - source: salt://auditd/files/{{ list }}_cron.erb
    - user: root
    - group: root
    - mode: 644
{% endif %}
{% endfor %}
{% for list in ['saltstack-master.example.com'] %}
{% if grains['fqdn'] == list %}
downloads_file_iptables:
  file.managed:
    - name: /etc/sysconfig/iptables
    - source: salt://auditd/files/Standard
    - user: root
    - group: root
    - mode: 600
iptables_service:
  service.running:
    - name: iptables
    - enable: True
    - reload: True
    - watch:
      - file: downloads_file_iptables
{% endif %}
{% endfor %}
Run: salt 'saltstack-node1.example.com' state.sls auditd.iptables saltenv=auditd
ntp:
ntp_file:
  file.managed:
    - name: /etc/cron.d/ntp
    - source: salt://ntp/files/ntp.erb
    - user: root
    - group: root
    - mode: 644
ntpd_service:
  service.running:
    - name: ntpd
    - enable: True
    - reload: True
    - watch:
      - file: ntp_file
Run: salt 'saltstack-node1.example.com' state.sls ntp.ntp saltenv=ntp
ssh: loop over a list and test each entry; the service module starts the service
{% for list in ['5.6','6.0','6.5'] %}
{% if grains['osrelease'] == list %}
downloads{{ list }}_file:
  file.managed:
    - name: /etc/ssh/sshd_config
    - user: root
    - group: root
    - source: salt://ssh/files/sshd_config_{{ list }}.erb
    - mode: 600
    - template: jinja
    - defaults:
sshd_service:
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: downloads{{ list }}_file
{% endif %}
{% endfor %}
Run: salt 'saltstack-node1.example.com' state.sls ssh.ssh saltenv=ssh
yum:
{% for list in ['5.6','6.0','6.5'] %}
{% if grains['osrelease'] == list %}
downloads_files:
  file.managed:
    - name: /etc/yum.repos.d/{{ grains['osrelease'] }}ctvonline.repo
    - user: root
    - group: root
    - mode: 644
    - source: salt://yum/files/centos{{ grains['osrelease'] }}_ctvonline.repo.erb
{% endif %}
{% endfor %}
Result:
profile:
bash-prompt-default:
  file.managed:
    - name: /etc/sysconfig/bash-prompt-default
    - mode: 755
    - user: root
    - group: root
    - source: salt://profile/files/bash-prompt-default.erb
bash-prompt-xterm:
  file.managed:
    - name: /etc/sysconfig/bash-prompt-xterm
    - mode: 755
    - user: root
    - group: root
    - source: salt://profile/files/bash-prompt-xterm.erb
snmp:
{% set options_version = "snmpd.options" %}
{% if grains['osrelease'] == '5.6' %}
downloads_files_snmp5:
  file.managed:
    - name: /etc/snmp/snmpd.conf
    - user: root
    - group: root
    - mode: 644
    - source: salt://snmp/files/snmpd{{ grains['osrelease'] }}.conf.erb
    - watch_in:
      - service: snmp_service
{% endif %}
{% if grains['osrelease'] == '6.5' %}
downloads_file_snmp6:
  file.managed:
    - name: /etc/snmp/snmpd.conf
    - user: root
    - group: root
    - mode: 644
    - source: salt://snmp/files/snmpd{{ grains['osrelease'] }}.conf.erb
    - watch_in:
      - service: snmp_service
{% endif %}
downloads_files_options:
  file.managed:
    - name: /etc/sysconfig/{{ options_version }}
    - user: root
    - group: root
    - mode: 755
    - source: salt://snmp/files/{{ options_version }}_options.erb
snmp_service:
  service.running:
    - name: snmpd
    - enable: True
    - reload: True
Run: salt 'saltstack-node1.example.com' state.sls snmp.snmp saltenv=snmp
syslog:
{% if grains['osrelease'] == '6.5' %}
{% set service_file = "rsyslog" %}
{% set servers_version = "6" %}
{% endif %}
{% if grains['osrelease'] == '5.6' %}
{% set service_file = "syslog" %}
{% set servers_version = "5" %}
{% endif %}
{% if grains['osrelease'] == '4.0' %}
{% set service_file = "syslog" %}
{% set servers_version = "4" %}
{% endif %}
{% if grains['fqdn'] == 'saltstack-node1.example.com' %}
{% set mark = "server" %}
{% endif %}
{% if grains['fqdn'] == 'saltstack-node2.example.com' %}
{% set mark = "mail" %}
{% endif %}
{{ service_file }}.conf:
  file.managed:
    - name: /etc/{{ service_file }}.conf
    - user: root
    - group: root
    - mode: 644
    - source: salt://syslog/files/{{ service_file }}{{ grains['osrelease'] }}.conf.erb
rsyslog_service:
  service.running:
    - name: {{ service_file }}
    - enable: True
    - full_restart: True
    - watch:
      - file: {{ service_file }}.conf
When the file changes, run: salt 'saltstack-node1.example.com' state.sls syslog.syslog saltenv=syslog
State modules:
pkg.installed      manage packages
service.running    manage service state
file.managed       manage files
Relationships between states:
require            this state depends on another state
require_in         another state depends on this one
watch              this state watches another state and reacts when it changes
watch_in           this state is watched by another state
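The four requisites above decide both the order in which states run and when a service is restarted or reloaded. The Python below is an added example of that logic, not Salt's state compiler: the dictionaries are hand-written stand-ins for a parsed SLS, modelled on the snmp state above with one constructed pkg.installed state added, and run only records what the compiler would do instead of touching the system.

```python
"""Dry-run model of require / require_in / watch / watch_in."""

# Parsed SLS shape used here: {state_id: {"fun": "module.function", ...}}.
# Requisites are lists of (state_module, state_id) tuples, the
# `- service: snmp_service` form used in the SLS above. Dict order stands in
# for file order; snmp_service is listed first on purpose to show that the
# requisites, not the file order, decide where it runs.
STATES = {
    "snmp_service": {"fun": "service.running", "name": "snmpd", "reload": True},
    "snmp_pkg": {"fun": "pkg.installed", "name": "net-snmp"},  # constructed, not in the manual
    "snmp_conf": {
        "fun": "file.managed",
        "name": "/etc/snmp/snmpd.conf",
        "require": [("pkg", "snmp_pkg")],
        "watch_in": [("service", "snmp_service")],
    },
}


def normalize(states):
    """Rewrite every *_in requisite on state A into the plain requisite on its
    target, so each edge points from a dependent state to the state it
    depends on (watch_in on the file becomes watch on the service)."""
    out = {sid: {k: list(v) if isinstance(v, list) else v
                 for k, v in s.items() if k not in ("require_in", "watch_in")}
           for sid, s in states.items()}
    for sid, s in states.items():
        mod = s["fun"].split(".")[0]
        for kind in ("require", "watch"):
            for _target_mod, target in s.get(kind + "_in", []):
                if target not in out:
                    raise KeyError("%s_in on %s names unknown state %s" % (kind, sid, target))
                out[target].setdefault(kind, []).append((mod, sid))
    return out


def execution_order(states):
    """Topological order: a state runs only after every state it requires or
    watches (watch implies require). Raises on a requisite cycle."""
    deps = {sid: [t for kind in ("require", "watch") for _, t in s.get(kind, [])]
            for sid, s in states.items()}
    done, order = set(), []

    def visit(sid, path):
        if sid in done:
            return
        if sid in path:
            raise ValueError("requisite cycle through %s" % sid)
        for dep in deps[sid]:
            if dep not in states:
                raise KeyError("%s requires unknown state %s" % (sid, dep))
            visit(dep, path | {sid})
        done.add(sid)
        order.append(sid)

    for sid in states:
        visit(sid, frozenset())
    return order


def run(states, changed=frozenset(), failing=frozenset()):
    """Dry run: `changed` holds ids whose apply would report changes and
    `failing` ids whose apply would fail (both constructed inputs).
    Returns the list of (state_id, action) in execution order."""
    states = normalize(states)
    actions, failed, with_changes = [], set(), set()
    for sid in execution_order(states):
        s = states[sid]
        requisites = [t for kind in ("require", "watch") for _, t in s.get(kind, [])]
        if any(t in failed for t in requisites):
            actions.append((sid, "skipped: requisite failed"))
            failed.add(sid)
            continue
        if sid in failing:
            actions.append((sid, "failed"))
            failed.add(sid)
            continue
        actions.append((sid, "applied"))
        if sid in changed:
            with_changes.add(sid)
        # A watched state reported changes: run the watcher's mod_watch, which
        # for service.running is a restart, or a reload when `reload: True`.
        if any(t in with_changes for _, t in s.get("watch", [])):
            actions.append((sid, "mod_watch: reload" if s.get("reload") else "mod_watch: restart"))
    return actions


if __name__ == "__main__":
    print(execution_order(normalize(STATES)))
    print(run(STATES, changed={"snmp_conf"}))
    print(run(STATES, failing={"snmp_pkg"}))
```

The third call shows why watch is a superset of require: when the package state fails, the config file is skipped and so is the service that watches it, which is the behaviour to expect from the real highstate output.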
VII. The salt-ssh module:
yum install salt-ssh    install the salt-ssh package
1. Edit the roster: vim /etc/salt/roster
Enter the IP address, user, port and password; if sudo is required, enable it
2. Invoke salt-ssh
3. Install packages with salt-ssh