24.1 Introduction to automated operations
Understanding automated operations:
Traditional operations are inefficient; most of the work is done by hand
Traditional operations work is tedious and error-prone
Traditional operations repeat the same tasks every day
Traditional operations have no standardized process
Traditional operations accumulate many scripts that are hard to manage
Automated operations aims to solve all of the problems above
Common automation tools:
Puppet (www.puppetlabs.com): developed in Ruby, client/server architecture, multi-platform; it can manage configuration files, users, cron jobs, packages, system services and more. It comes in a community edition (free) and an enterprise edition (paid); the enterprise edition supports graphical configuration.
SaltStack (site https://saltstack.com, docs docs.saltstack.com): developed in Python, client/server architecture, multi-platform; lighter than Puppet, very fast at remote command execution, easier to configure and use than Puppet, and able to do almost everything Puppet can.
Ansible (www.ansible.com): an even simpler automation tool; no agent needs to be installed on the client; developed in Python. It can do batch system configuration, batch program deployment and batch command execution.
24.2 Installing SaltStack
SaltStack introduction: https://docs.saltstack.com/en/latest/topics/index.html
—— salt-ssh can be used for remote execution, similar to Ansible
—— c/s mode is also supported; that is the mode described below, and it needs two machines
—— 194.130 is the server, 194.132 is the client
1. Set the hostname and hosts entries: arslinux-01, arslinux-02
[root@arslinux-01 ~]# vim /etc/hosts
192.168.194.130 arslinux-01
192.168.194.132 arslinux-02
2. Install the SaltStack yum repository on both machines
[root@arslinux-01 ~]# yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
[root@arslinux-02 ~]# yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
3. On 130 install salt-master and salt-minion; on 132 install salt-minion
[root@arslinux-01 ~]# yum install -y salt-master salt-minion
[root@arslinux-02 ~]# yum install -y salt-minion
Whichever machine is to act as the control center gets salt-master installed; the other machines only install salt-minion.
24.3 Starting the SaltStack services
1. On 130, edit the configuration file
[root@arslinux-01 ~]# vim /etc/salt/minion
master: arslinux-01
(The space after the colon must not be omitted, otherwise it will error.)
2. Start the salt-master and salt-minion services
[root@arslinux-01 ~]# systemctl start salt-master
[root@arslinux-01 ~]# systemctl start salt-minion
[root@arslinux-01 ~]# ps aux|grep salt
root 44172 0.3 1.3 389376 40932 ? Ss 22:23 0:03 /usr/bin/python /usr/bin/salt-master
root 44181 0.0 0.6 306024 20072 ? S 22:23 0:00 /usr/bin/python /usr/bin/salt-master
root 44188 0.0 1.1 469972 34380 ? Sl 22:23 0:00 /usr/bin/python /usr/bin/salt-master
root 44192 0.0 1.1 388464 34144 ? S 22:23 0:00 /usr/bin/python /usr/bin/salt-master
root 44193 0.7 1.9 417660 60528 ? S 22:23 0:08 /usr/bin/python /usr/bin/salt-master
root 44194 0.0 1.1 389120 34820 ? S 22:23 0:00 /usr/bin/python /usr/bin/salt-master
root 44195 0.0 1.1 765976 35248 ? Sl 22:23 0:00 /usr/bin/python /usr/bin/salt-master
root 44203 0.3 1.5 487824 49356 ? Sl 22:23 0:04 /usr/bin/python /usr/bin/salt-master
root 44204 0.3 1.5 487804 49320 ? Sl 22:23 0:04 /usr/bin/python /usr/bin/salt-master
root 44205 0.3 1.5 487796 49184 ? Sl 22:23 0:04 /usr/bin/python /usr/bin/salt-master
root 44207 0.3 1.5 487808 49192 ? Sl 22:23 0:04 /usr/bin/python /usr/bin/salt-master
root 44208 0.3 1.5 487792 49316 ? Sl 22:23 0:04 /usr/bin/python /usr/bin/salt-master
root 44210 0.2 1.1 463108 35224 ? Sl 22:23 0:02 /usr/bin/python /usr/bin/salt-master
root 47603 14.0 0.7 314132 21716 ? Ss 22:43 0:00 /usr/bin/python /usr/bin/salt-minion
root 47606 56.0 1.3 567764 42856 ? Sl 22:43 0:01 /usr/bin/python /usr/bin/salt-minion
root 47614 0.3 0.6 403864 20176 ? S 22:43 0:00 /usr/bin/python /usr/bin/salt-minion
root 47685 0.0 0.0 112724 988 pts/0 R+ 22:43 0:00 grep --color=auto salt
3. On 132, edit the configuration file
[root@arslinux-02 ~]# vim /etc/salt/minion
master: arslinux-01
[root@arslinux-02 ~]# systemctl start salt-minion
4. Start the salt-minion service
[root@arslinux-02 ~]# ps aux|grep salt
root 14221 33.0 2.1 314028 21740 ? Ss 22:43 0:00 /usr/bin/python /usr/bin/salt-minion
root 14224 55.5 3.9 466532 39152 ? Sl 22:43 0:01 /usr/bin/python /usr/bin/salt-minion
root 14232 0.0 2.0 403760 20180 ? S 22:43 0:00 /usr/bin/python /usr/bin/salt-minion
root 14294 0.0 0.0 112724 988 pts/1 R+ 22:43 0:00 grep --color=auto salt
The server listens on two ports, 4505 and 4506: 4505 is the message publishing port and 4506 is the port used for communication with the clients
The client does not need to listen on any port
Error:
When salt-minion was started no process could be seen; running it by hand as below shows the error
[root@arslinux-01 ~]# /usr/bin/salt-minion start
/usr/lib/python2.7/site-packages/salt/scripts.py:198: DeprecationWarning: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. Salt will drop support for Python 2.7 in the Sodium release or later.
[ERROR   ] Error parsing configuration file: /etc/salt/minion - conf should be a document, not <type 'unicode'>.
[ERROR   ] Error parsing configuration file: /etc/salt/minion - conf should be a document, not <type 'unicode'>.
It turned out that the space in master: arslinux-01 in /etc/salt/minion must not be omitted
24.4 SaltStack authentication configuration
Understanding SaltStack authentication:
—— communication between the master and the minion needs a secure channel and the transport must be encrypted, so authentication has to be configured; encryption and decryption are also done with a key pair
—— when a minion starts for the first time it generates minion.pem and minion.pub under /etc/salt/pki/minion/; the .pub file is the public key, and the minion sends it to the master
—— when the master starts for the first time it also generates a key pair under /etc/salt/pki/master; when the master receives the public key sent by the minion, the key is accepted with the salt-key tool, and once accepted it is stored in the /etc/salt/pki/master/minions/ directory; at the same time the client accepts the public key sent by the master and stores it under /etc/salt/pki/minion as minion_master.pub
The process above relies on the salt-key tool
[root@arslinux-01 ~]# salt-key -a arslinux-02
The following keys are going to be accepted:
Unaccepted Keys:
arslinux-02
Proceed? [n/Y] y
Key for minion arslinux-02 accepted.
[root@arslinux-01 ~]# salt-key
Accepted Keys:
arslinux-02
Denied Keys:
Unaccepted Keys:
arslinux-01
Rejected Keys:
[root@arslinux-01 ~]# ls /etc/salt/pki/master/minions/
arslinux-02
[root@arslinux-01 ~]# cat /etc/salt/pki/master/minions/arslinux-02
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33bNZQ/cEK8v20hVFbb6
WGMROxv9kGImHyn6OYNfJHFFpiJblgZheeqct0nrUW4TugLv7LI7a3+DXs2JkzqH
Sh5Q06W1nj4Q0Qv9uGJqf75ZjCvapuCGRR8e79ETbXmhmAwXMmewK8UiWCRFe2/g
nc/w/2rwk6QIpUsNYLCwPF0FLrdJJJDEcWp93UW0SZXHllkqubsBdHdqo8SZVK0H
30n2e3dzwwbVqgIV3AE9kp8qevuwq5sJ1XJLV0BcLroTfft4BODttS4AcaVyWmKK
qNlal3oYYpjXRnJIcZzp5e5srQRjUzFzDKJfS1o6iFf76BuBRnp+eiIx37K05w3d
SQIDAQAB
-----END PUBLIC KEY-----[root@arslinux-01 ~]#
salt-key usage:
-a followed by a host name: accept the specified host
-A accept all hosts
-r followed by a host name: reject the specified host
-R reject all hosts
-d followed by a host name: delete the specified host's key
-D delete all hosts' keys
-y skip the interactive prompt, equivalent to pressing y directly
In practice:
[root@arslinux-01 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
arslinux-01
Proceed? [n/Y] y
Key for minion arslinux-01 accepted.
[root@arslinux-01 ~]# !ls
ls /etc/salt/pki/master/minions/
arslinux-01  arslinux-02
[root@arslinux-01 ~]# salt-key -D
The following keys are going to be deleted:
Accepted Keys:
arslinux-01
arslinux-02
Proceed? [N/y] y
Key for minion arslinux-01 deleted.
Key for minion arslinux-02 deleted.
[root@arslinux-01 ~]# ls /etc/salt/pki/master/minions/
[root@arslinux-01 ~]#
—— after deletion the keys cannot be added back; the minion must be restarted so that the master can rediscover it
[root@arslinux-01 ~]# salt-key -A -y
The key glob '*' does not match any unaccepted keys.
[root@arslinux-01 ~]# systemctl restart salt-minion
[root@arslinux-02 ~]# systemctl restart salt-minion
[root@arslinux-01 ~]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
arslinux-01
arslinux-02
Rejected Keys:
[root@arslinux-01 ~]# salt-key -A -y
The following keys are going to be accepted:
Unaccepted Keys:
arslinux-01
arslinux-02
Key for minion arslinux-01 accepted.
Key for minion arslinux-02 accepted.
—— only keys listed under Unaccepted Keys can be operated on by salt-key -r or salt-key -R
[root@arslinux-01 ~]# salt-key -r arslinux-02
The key glob 'arslinux-02' does not match any unaccepted keys.
[root@arslinux-01 ~]# systemctl restart salt-minion
[root@arslinux-02 ~]# systemctl restart salt-minion
[root@arslinux-01 ~]# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
arslinux-01
arslinux-02
Rejected Keys:
[root@arslinux-01 ~]# salt-key -r arslinux-02
The following keys are going to be rejected:
Unaccepted Keys:
arslinux-02
Proceed? [n/Y] y
Key for minion arslinux-02 rejected.
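The check a practitioner wants before salt-key -a (and instead of a blanket salt-key -A -y): confirm that the fingerprint the master shows for an unaccepted key (salt-key -f <id>) matches the one reported from the minion itself (salt-call --local key.finger), so that a key accepted under a known id really belongs to that host. The Python below is an added example, not the tutorial's or Salt's own code: pem_finger reimplements Salt's fingerprint format from memory (hash of the base64 body lines, hex digest as colon-separated pairs), which is an assumption to confirm against salt-key -f on your own master; the PEM texts are constructed samples, and triage_unaccepted / salt_key_commands are hypothetical helper names.

```python
import hashlib

# Constructed sample key material: PEM-shaped but NOT real RSA keys, embedded so the
# block runs offline. On a master the same text comes from
# /etc/salt/pki/master/minions_pre/<id> (unaccepted) or minions/<id> (accepted).
SAMPLE_PUB_A = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedSampleKeyA
constructedSampleKeyAconstructedSampleKeyAconstructedSampleKeyA0
-----END PUBLIC KEY-----
"""
SAMPLE_PUB_B = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedSampleKeyB
constructedSampleKeyBconstructedSampleKeyBconstructedSampleKeyB0
-----END PUBLIC KEY-----
"""


def pem_finger(pem_text, sum_type="sha256"):
    """Fingerprint a PEM key the way `salt-key -f <id>` (master) and
    `salt-call --local key.finger` (minion) print it. Assumed reimplementation of
    salt.utils.crypt.pem_finger: drop the BEGIN/END lines and blank lines, hash
    the remaining base64 lines including their line endings, and render the hex
    digest as colon-separated byte pairs. sum_type must equal the master's
    hash_type setting (sha256 by default)."""
    body_lines = [ln for ln in pem_text.splitlines(keepends=True) if ln.strip()]
    body = "".join(body_lines[1:-1]).encode("ascii")
    digest = hashlib.new(sum_type, body).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(finger):
    """Make a fingerprint copied from a ticket or chat comparable: case and spaces."""
    return finger.strip().lower().replace(" ", "")


def triage_unaccepted(unaccepted, trusted):
    """unaccepted: {minion_id: pem_text} as the master holds them in minions_pre/.
    trusted:    {minion_id: fingerprint} collected out of band from each minion.
    Returns three sorted id lists: accept (fingerprint verified), hold (no
    trusted fingerprint yet, leave it unaccepted), mismatch (the key presented
    under this id is not the one the host's owner reported: a re-keyed host or
    another machine using an id you already trust; reject and investigate)."""
    accept, hold, mismatch = [], [], []
    for minion_id, pem in sorted(unaccepted.items()):
        actual = pem_finger(pem)
        expected = trusted.get(minion_id)
        if expected is None:
            hold.append(minion_id)
        elif normalize(expected) == actual:
            accept.append(minion_id)
        else:
            mismatch.append(minion_id)
    return accept, hold, mismatch


def salt_key_commands(accept, mismatch):
    """The salt-key invocations that follow from the triage: -y only for ids whose
    fingerprint was verified, and -r for unaccepted keys that did not match."""
    cmds = [f"salt-key -y -a {mid}" for mid in accept]
    cmds += [f"salt-key -y -r {mid}" for mid in mismatch]
    return cmds


if __name__ == "__main__":
    # Only arslinux-02's owner has reported a fingerprint (constructed scenario).
    known = {"arslinux-02": pem_finger(SAMPLE_PUB_A)}
    ok, wait, bad = triage_unaccepted(
        {"arslinux-01": SAMPLE_PUB_B, "arslinux-02": SAMPLE_PUB_A}, known)
    print("accept:", ok, "hold:", wait, "mismatch:", bad)
    print("\n".join(salt_key_commands(ok, bad)))
```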
24.5 Running commands remotely with SaltStack
[root@arslinux-01 ~]# salt-key
Accepted Keys:
arslinux-01
arslinux-02
Denied Keys:
Unaccepted Keys:
Rejected Keys:
salt '*' test.ping tests whether the other machine is alive
[root@arslinux-01 ~]# salt '*' test.ping
arslinux-02:
    True
arslinux-01:
    True
[root@arslinux-01 ~]# salt 'arslinux-02' test.ping
arslinux-02:
    True
Here * means all minions whose keys have been accepted; a single one can be specified instead. test.ping tests whether the other machine is alive
salt '*' cmd.run "command" runs the command on all accepted minions
[root@arslinux-01 ~]# salt '*' cmd.run 'ip addr'
arslinux-02:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:0c:29:14:4f:d9 brd ff:ff:ff:ff:ff:ff
        inet 192.168.194.132/24 brd 192.168.194.255 scope global noprefixroute ens33
           valid_lft forever preferred_lft forever
        inet6 fe80::4c99:ed43:5757:e772/64 scope link noprefixroute
           valid_lft forever preferred_lft forever
arslinux-01:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:0c:29:24:ea:f2 brd ff:ff:ff:ff:ff:ff
        inet 192.168.194.130/24 brd 192.168.194.255 scope global noprefixroute ens33
           valid_lft forever preferred_lft forever
        inet 192.168.194.150/24 brd 192.168.194.255 scope global secondary noprefixroute ens33:0
           valid_lft forever preferred_lft forever
        inet6 fe80::c905:5e78:b916:41da/64 scope link noprefixroute
           valid_lft forever preferred_lft forever
    3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:0c:29:24:ea:fc brd ff:ff:ff:ff:ff:ff
        inet 192.168.100.1/24 brd 192.168.100.255 scope global noprefixroute ens37
           valid_lft forever preferred_lft forever
        inet6 fe80::f41:9da7:d8e3:10ba/64 scope link noprefixroute
           valid_lft forever preferred_lft forever
[root@arslinux-01 ~]# salt 'arslinux-02' cmd.run 'tail -1 /etc/passwd'
arslinux-02:
    git:x:1001:1001::/home/git:/usr/bin/git-shell
Note: the * here must be clients whose authentication has already been accepted on the master, which salt-key can show; usually it is the id value we set.
For this part, globbing, lists and regular expressions are supported. For example, with two clients aming-01 and aming-02, we can write salt 'aming-*', salt 'aming-0[12]', salt -L 'aming-01,aming-02', salt -E 'aming-(01|02)' and similar forms. With a list, the machines are separated by commas and -L must be added; a regular expression requires the -E option. grains (with -G) and pillar (with -I) are also supported and are introduced below.
[root@arslinux-01 ~]# salt 'arslinux-*' cmd.run 'hostname'
arslinux-01:
    arslinux-01
arslinux-02:
    arslinux-02
[root@arslinux-01 ~]# salt 'arslinux-0[12]' cmd.run 'hostname'
arslinux-02:
    arslinux-02
arslinux-01:
    arslinux-01
[root@arslinux-01 ~]# salt -L 'arslinux-01,arslinux-02' cmd.run 'hostname'
arslinux-02:
    arslinux-02
arslinux-01:
    arslinux-01
[root@arslinux-01 ~]# salt -E 'arslinux-[0-9]+' cmd.run 'hostname'
arslinux-02:
    arslinux-02
arslinux-01:
    arslinux-01
[root@arslinux-01 ~]# salt -E 'arslinux-(01|02)' cmd.run 'hostname'
arslinux-02:
    arslinux-02
arslinux-01:
    arslinux-01
24.6 grains
grains are pieces of information collected when the minion starts, such as the operating system type, NIC IP, kernel version, CPU architecture and so on
salt 'hostname' grains.ls lists the names of all grains items
[root@arslinux-01 ~]# salt 'arslinux-01' grains.ls
arslinux-01:
    - SSDs
    - biosreleasedate
    - biosversion
    - cpu_flags
    - cpu_model
    - cpuarch
    - disks
    - dns
    - domain
    - fqdn
    - fqdn_ip4
    - fqdn_ip6
    - fqdns
    - gid
    - gpus
    - groupname
    - host
    - hwaddr_interfaces
    - id
    - init
    - ip4_gw
    - ip4_interfaces
    - ip6_gw
    - ip6_interfaces
    - ip_gw
    - ip_interfaces
    - ipv4
    - ipv6
    - kernel
    - kernelrelease
    - kernelversion
    - locale_info
    - localhost
    - lsb_distrib_codename
    - lsb_distrib_id
    - machine_id
    - manufacturer
    - master
    - mdadm
    - mem_total
    - nodename
    - num_cpus
    - num_gpus
    - os
    - os_family
    - osarch
    - oscodename
    - osfinger
    - osfullname
    - osmajorrelease
    - osrelease
    - osrelease_info
    - path
    - pid
    - productname
    - ps
    - pythonexecutable
    - pythonpath
    - pythonversion
    - saltpath
    - saltversion
    - saltversioninfo
    - selinux
    - serialnumber
    - server_id
    - shell
    - swap_total
    - systemd
    - uid
    - username
    - uuid
    - virtual
    - zfs_feature_flags
    - zfs_support
    - zmqversion
salt 'arslinux-01' grains.items lists all grains items together with their values
[root@arslinux-01 ~]# salt 'arslinux-01' grains.items
arslinux-01:
    ----------
    SSDs:
    biosreleasedate:
        07/02/2015
    biosversion:
        6.00
    cpu_flags:
        - fpu
        - vme
        - de
        - pse
        - tsc
        - msr
        - pae
        - mce
        - cx8
        - apic
        - sep
        - mtrr
        - pge
        - mca
        - cmov
        - pat
        - pse36
        - clflush
        - dts
        - mmx
        - fxsr
        - sse
        - sse2
        - ss
        - syscall
        - nx
        - pdpe1gb
        - rdtscp
        - lm
        - constant_tsc
        - arch_perfmon
        - pebs
        - bts
        - nopl
        - xtopology
        - tsc_reliable
        - nonstop_tsc
        - aperfmperf
        - eagerfpu
        - pni
        - pclmulqdq
        - ssse3
        - fma
        - cx16
        - pcid
        - sse4_1
        - sse4_2
        - x2apic
        - movbe
        - popcnt
        - tsc_deadline_timer
        - aes
        - xsave
        - avx
        - f16c
        - rdrand
        - hypervisor
        - lahf_lm
        - abm
        - 3dnowprefetch
        - epb
        - fsgsbase
        - tsc_adjust
        - bmi1
        - avx2
        - smep
        - bmi2
        - invpcid
        - rdseed
        - adx
        - smap
        - xsaveopt
        - dtherm
        - arat
        - pln
        - pts
        - hwp
        - hwp_notify
        - hwp_act_window
        - hwp_epp
    cpu_model:
        Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
    cpuarch:
        x86_64
    disks:
        - sda
        - sdb
        - sr0
        - dm-0
    dns:
        ----------
        domain:
        ip4_nameservers:
            - 119.29.29.29
        ip6_nameservers:
        nameservers:
            - 119.29.29.29
        options:
        search:
        sortlist:
    domain:
    fqdn:
        arslinux-01
    fqdn_ip4:
        - 192.168.194.130
    fqdn_ip6:
        - fe80::c905:5e78:b916:41da
        - fe80::f41:9da7:d8e3:10ba
    fqdns:
    gid:
        0
    gpus:
        |_
          ----------
          model:
              SVGA II Adapter
          vendor:
              vmware
    groupname:
        root
    host:
        arslinux-01
    hwaddr_interfaces:
        ----------
        ens33:
            00:0c:29:24:ea:f2
        ens37:
            00:0c:29:24:ea:fc
        lo:
            00:00:00:00:00:00
    id:
        arslinux-01
    init:
        systemd
    ip4_gw:
        192.168.194.2
    ip4_interfaces:
        ----------
        ens33:
            - 192.168.194.130
            - 192.168.194.150
        ens37:
            - 192.168.100.1
        lo:
            - 127.0.0.1
    ip6_gw:
        False
    ip6_interfaces:
        ----------
        ens33:
            - fe80::c905:5e78:b916:41da
            - 192.168.194.150
        ens37:
            - fe80::f41:9da7:d8e3:10ba
        lo:
            - ::1
    ip_gw:
        True
    ip_interfaces:
        ----------
        ens33:
            - 192.168.194.130
            - fe80::c905:5e78:b916:41da
            - 192.168.194.150
        ens37:
            - 192.168.100.1
            - fe80::f41:9da7:d8e3:10ba
        lo:
            - 127.0.0.1
            - ::1
    ipv4:
        - 127.0.0.1
        - 192.168.100.1
        - 192.168.194.130
        - 192.168.194.150
    ipv6:
        - ::1
        - fe80::f41:9da7:d8e3:10ba
        - fe80::c905:5e78:b916:41da
    kernel:
        Linux
    kernelrelease:
        3.10.0-957.el7.x86_64
    kernelversion:
        #1 SMP Thu Nov 8 23:39:32 UTC 2018
    locale_info:
        ----------
        defaultencoding:
            UTF-8
        defaultlanguage:
            zh_CN
        detectedencoding:
            UTF-8
    localhost:
        arslinux-01
    lsb_distrib_codename:
        CentOS Linux 7 (Core)
    lsb_distrib_id:
        CentOS Linux
    machine_id:
        0b3b2aee4c754c669d6ca09336428b22
    manufacturer:
        VMware, Inc.
    master:
        arslinux-01
    mdadm:
    mem_total:
        2827
    nodename:
        arslinux-01
    num_cpus:
        1
    num_gpus:
        1
    os:
        CentOS
    os_family:
        RedHat
    osarch:
        x86_64
    oscodename:
        CentOS Linux 7 (Core)
    osfinger:
        CentOS Linux-7
    osfullname:
        CentOS Linux
    osmajorrelease:
        7
    osrelease:
        7.6.1810
    osrelease_info:
        - 7
        - 6
        - 1810
    path:
        /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
    pid:
        4817
    productname:
        VMware Virtual Platform
    ps:
        ps -efHww
    pythonexecutable:
        /usr/bin/python
    pythonpath:
        - /usr/bin
        - /usr/lib64/python27.zip
        - /usr/lib64/python2.7
        - /usr/lib64/python2.7/plat-linux2
        - /usr/lib64/python2.7/lib-tk
        - /usr/lib64/python2.7/lib-old
        - /usr/lib64/python2.7/lib-dynload
        - /usr/lib64/python2.7/site-packages
        - /usr/lib/python2.7/site-packages
    pythonversion:
        - 2
        - 7
        - 5
        - final
        - 0
    saltpath:
        /usr/lib/python2.7/site-packages/salt
    saltversion:
        2019.2.0
    saltversioninfo:
        - 2019
        - 2
        - 0
        - 0
    selinux:
        ----------
        enabled:
            False
        enforced:
            Disabled
    serialnumber:
        VMware-56 4d 2d 5f 36 b3 f6 de-b7 99 1d 0c 81 24 ea f2
    server_id:
        858362777
    shell:
        /bin/sh
    swap_total:
        1952
    systemd:
        ----------
        features:
            +PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
        version:
            219
    uid:
        0
    username:
        root
    uuid:
        5f2d4d56-b336-def6-b799-1d0c8124eaf2
    virtual:
        VMware
    zfs_feature_flags:
        False
    zfs_support:
        False
    zmqversion:
        4.1.4
—— grains information is not dynamic and does not change in real time; it is collected when the minion starts.
—— we can use the information grains collect to do configuration management work
Custom grains
1. On the minion, add two lines to /etc/salt/grains and restart salt-minion
[root@arslinux-02 ~]# vim /etc/salt/grains
env: test
role: nginx
[root@arslinux-02 ~]# systemctl restart salt-minion
2. Fetch the grains on the master
[root@arslinux-01 ~]# salt '*' grains.item role env
arslinux-01:
    ----------
    env:
    role:
arslinux-02:
    ----------
    env:
        test
    role:
        nginx
—— grains attributes can be used to target execution
salt -G key:value <operation> runs the operation using grains information
[root@arslinux-01 ~]# salt -G role:nginx cmd.run 'hostname'
arslinux-02:
    arslinux-02
[root@arslinux-01 ~]# salt -G role:nginx cmd.run 'ifconfig'
arslinux-02:
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.194.132  netmask 255.255.255.0  broadcast 192.168.194.255
            inet6 fe80::4c99:ed43:5757:e772  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:14:4f:d9  txqueuelen 1000  (Ethernet)
            RX packets 7957  bytes 1228538 (1.1 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 7860  bytes 1432289 (1.3 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 1019  bytes 89448 (87.3 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 1019  bytes 89448 (87.3 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@arslinux-01 ~]# salt -G role:nginx test.ping
arslinux-02:
    True
Custom grains can be assigned to machines of the same type or group, and those machines can then be operated on remotely through grains
24.7 pillar
pillar differs from grains: it is defined on the master, and it is information defined for specific minions. Relatively important data (such as passwords) can be stored in pillar, and variables can be defined there as well
Configuring custom pillar
1. In the configuration file /etc/salt/master, find pillar_roots: and the two lines after it (three lines in total), uncomment them, and restart salt-master
[root@arslinux-01 ~]# vim /etc/salt/master
pillar_roots:
  base:
    - /srv/pillar
[root@arslinux-01 ~]# systemctl restart salt-master
Mind the spaces in the configuration: two spaces before base and four before -; they cannot be omitted
2. Create /srv/pillar, and in that directory create test.sls with the content conf: /etc/123.conf; a test2.sls can be created as well
[root@arslinux-01 ~]# mkdir /srv/pillar
[root@arslinux-01 ~]# vi /srv/pillar/test.sls
conf: /etc/123.conf
[root@arslinux-01 ~]# vi /srv/pillar/test2.sls
dir: /data/123
[root@arslinux-01 ~]# vi /srv/pillar/top.sls
base:
  'arslinux-02':
    - test
    - test2
(Multiple entries can be defined according to need and circumstances.)
3. After changing the pillar configuration files, refresh pillar to obtain the new pillar state; there is no need to restart salt-master
[root@arslinux-01 ~]# salt '*' saltutil.refresh_pillar
arslinux-01:
    True
arslinux-02:
    True
4. Verify the state
[root@arslinux-01 ~]# salt '*' pillar.item conf
arslinux-01:
    ----------
    conf:
arslinux-02:
    ----------
    conf:
        /etc/123.conf
[root@arslinux-01 ~]# salt '*' pillar.item conf dir
arslinux-01:
    ----------
    conf:
    dir:
arslinux-02:
    ----------
    conf:
        /etc/123.conf
    dir:
        /data/123
—— of course, the parameters for different machines can also be written into the same top.sls, for example:
base:
  'arslinux-02':
    - test
  'arslinux-01':
    - test2
[root@arslinux-01 ~]# salt '*' saltutil.refresh_pillar
arslinux-02:
    True
arslinux-01:
    True
[root@arslinux-01 ~]# salt '*' pillar.item conf dir
arslinux-01:
    ----------
    conf:
    dir:
        /data/123
arslinux-02:
    ----------
    conf:
        /etc/123.conf
    dir:
Compare this with the result of the previous operation
5. pillar can likewise be used as a matching target for salt
salt -I 'parameter' test.ping
[root@arslinux-01 ~]# salt -I 'conf:/etc/123.conf' cmd.run 'w'
arslinux-02:
     23:21:44 up  1:16,  1 user,  load average: 0.00, 0.01, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     pts/0    192.168.194.1    22:06   24.00s  0.17s  0.17s -bash
[root@arslinux-01 ~]# salt -I 'conf:/etc/123.conf' test.ping
arslinux-02:
    True
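The targeting rules from 24.5 to 24.7 (glob, -L, -E, -G, -I) and the top.sls resolution that pillar and state.highstate both rely on, as an added Python example that is not the tutorial's or Salt's own code. INVENTORY and TOP are constructed from the page's two minions; subdict_match is an assumed reimplementation of how Salt resolves a key:value expression against grains or pillar, and the example also handles nested keys (ip4_interfaces:ens33:...) and the top-file '- match: grain' entry, both of which go beyond what the tutorial shows.

```python
import fnmatch
import re

# Constructed inventory modelled on the tutorial's two minions. "grains" is what each
# minion collected at start (plus the custom /etc/salt/grains on arslinux-02); "pillar"
# is what the master's second /srv/pillar/top.sls layout assigned to each of them.
INVENTORY = {
    "arslinux-01": {
        "grains": {"os": "CentOS", "id": "arslinux-01",
                   "ip4_interfaces": {"ens33": ["192.168.194.130", "192.168.194.150"]}},
        "pillar": {"dir": "/data/123"},
    },
    "arslinux-02": {
        "grains": {"os": "CentOS", "id": "arslinux-02", "env": "test", "role": "nginx",
                   "ip4_interfaces": {"ens33": ["192.168.194.132"]}},
        "pillar": {"conf": "/etc/123.conf"},
    },
}

# What yaml.safe_load would return for the top.sls below (written as a dict so the
# block needs no PyYAML). '- match: grain' is Salt's top-file syntax for a non-glob
# target; the tutorial itself only uses '*' and plain minion ids.
#   base:
#     '*':
#       - testdir
#     'arslinux-02':
#       - test
#     'role:nginx':
#       - match: grain
#       - nginx
TOP = {"base": {"*": ["testdir"],
                "arslinux-02": ["test"],
                "role:nginx": [{"match": "grain"}, "nginx"]}}


def _traverse(store, parts):
    """Walk nested dicts along a key path; None when any part is missing."""
    cur = store
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _value_matches(value, pattern):
    """Glob-compare a leaf, or any element of a list, case-insensitively."""
    if value is None or isinstance(value, dict):
        return False
    if isinstance(value, (list, tuple)):
        return any(_value_matches(v, pattern) for v in value)
    return fnmatch.fnmatch(str(value).lower(), pattern.lower())


def subdict_match(store, expr, delim=":"):
    """Resolve 'key:value' or 'key:subkey:value' against grains/pillar data the way
    -G and -I do (assumed reimplementation): try every split point, so that both
    'role:nginx' and 'ip4_interfaces:ens33:192.168.194.150' resolve."""
    parts = expr.split(delim)
    for idx in range(1, len(parts)):
        if _value_matches(_traverse(store, parts[:idx]), delim.join(parts[idx:])):
            return True
    return False


def match_target(minion_id, data, expr, kind="glob"):
    """One minion against one target expression. kind names follow Salt's CLI flags
    and top-file 'match:' values: glob (default), list (-L), pcre (-E), grain (-G),
    pillar (-I). Only minions in the inventory, i.e. accepted keys, are ever tried."""
    if kind == "glob":
        return fnmatch.fnmatchcase(minion_id, expr)
    if kind == "list":
        return minion_id in [m.strip() for m in expr.split(",")]
    if kind == "pcre":
        return re.match(expr, minion_id) is not None  # anchored at the start, as in Salt
    if kind == "grain":
        return subdict_match(data["grains"], expr)
    if kind == "pillar":
        return subdict_match(data["pillar"], expr)
    raise ValueError(f"unsupported match kind: {kind}")


def target(inventory, expr, kind="glob"):
    """Sorted ids of the accepted minions that 'salt <flag> <expr>' would address."""
    return sorted(mid for mid, data in inventory.items()
                  if match_target(mid, data, expr, kind))


def resolve_top(top, inventory, saltenv="base"):
    """Which SLS files each minion receives from a top file: every target block in
    the environment is matched in order, and a '- match: <kind>' entry switches
    that block's matcher away from glob. Duplicates are kept once per minion."""
    assigned = {mid: [] for mid in inventory}
    for expr, entries in top.get(saltenv, {}).items():
        kind, sls_files = "glob", []
        for entry in entries:
            if isinstance(entry, dict) and "match" in entry:
                kind = entry["match"]
            else:
                sls_files.append(entry)
        for mid in target(inventory, expr, kind):
            for sls in sls_files:
                if sls not in assigned[mid]:
                    assigned[mid].append(sls)
    return assigned
```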
24.8 Installing and configuring httpd
1. In the master configuration file, find file_roots: and enable its file storage directory
[root@arslinux-01 ~]# vim /etc/salt/master
file_roots:
  base:
    - /srv/salt/
2. Create the /srv/salt/ directory and enter it
[root@arslinux-01 ~]# mkdir /srv/salt/
[root@arslinux-01 ~]# cd !$
cd /srv/salt/
3. Create top.sls and restart salt-master
[root@arslinux-01 salt]# vim top.sls
base:
  '*':
    - httpd
[root@arslinux-01 salt]# systemctl restart salt-master
This means: run the httpd module on all clients
4. Create httpd.sls
[root@arslinux-01 salt]# vim httpd.sls
httpd-service:
  pkg.installed:
    - names:
      - httpd
      - httpd-devel
  service.running:
    - name: httpd
    - enable: True
Note: httpd-service is the id name and is chosen freely. pkg.installed is the package-installation function; below it are the names of the packages to install. service.running is also a function, which ensures the specified service is running; enable means start at boot
5. Run the installation
[root@arslinux-01 salt]# salt 'arslinux-01' state.highstate
After the command runs, Salt looks for top.sls under /srv/salt/ and then executes according to the modules referenced there
The whole process is a silent install
Before running it, remember to stop any service that occupies port 80, otherwise an error is reported and httpd cannot start
24.9 Managing files
1. Create test.sls on the master
[root@arslinux-01 salt]# vim test.sls
file_test:
  file.managed:
    - name: /tmp/arslinux
    - source: salt://test/123/ppp.txt
    - user: root
    - group: root
    - mode: 600
Note: file_test on the first line is a freely chosen name for this configuration section, which other sections can reference; the file.managed module can define parameters; name is the path and name of the file created on the minion; source specifies where the file is copied from; a salt://test/123/1.txt here corresponds to /srv/salt/test/123/1.txt
2. Create the ppp.txt file
[root@arslinux-01 salt]# mkdir test
[root@arslinux-01 salt]# mkdir test/123/
[root@arslinux-01 salt]# cp /etc/inittab test/123/ppp.txt
3. Change top.sls
[root@arslinux-01 salt]# vim top.sls
base:
  '*':
    - test
4. Run it
[root@arslinux-01 salt]# salt 'arslinux-02' state.highstate
arslinux-02:
----------
          ID: file_test
    Function: file.managed
        Name: /tmp/arslinux
      Result: True
     Comment: File /tmp/arslinux updated
     Started: 22:43:37.846500
    Duration: 167.482 ms
     Changes:
              ----------
              diff:
                  New file

Summary for arslinux-02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time: 167.482 ms
5. On the minion, check whether the file was created
[root@arslinux-02 ~]# ll /tmp/arslinux
-rw------- 1 root root 511 8月 3 22:43 /tmp/arslinux
24.10 Managing directories
1. Create testdir.sls on the master
[root@arslinux-01 salt]# vim testdir.sls
file_dir:
  file.recurse:
    - name: /tmp/testdir
    - source: salt://test/123
    - user: root
    - file_mode: 640
    - dir_mode: 750
    - mkdir: True
    - clean: True
Note: with clean, when a file or directory is deleted at the source, the target (minion side) deletes it too; without it nothing is deleted. The other parameters are similar to the file management above
2. Change top.sls; the entry can simply be appended
[root@arslinux-01 salt]# echo '    - testdir' >> top.sls
[root@arslinux-01 salt]# cat top.sls
base:
  '*':
    - test
    - testdir
3. Run it
[root@arslinux-01 salt]# salt 'arslinux-02' state.highstate
arslinux-02:
----------
          ID: file_test
    Function: file.managed
        Name: /tmp/arslinux
      Result: True
     Comment: File /tmp/arslinux is in the correct state
     Started: 23:00:27.660586
    Duration: 95.354 ms
     Changes:
----------
          ID: file_dir
    Function: file.recurse
        Name: /tmp/testdir
      Result: True
     Comment: Recursively updated /tmp/testdir
     Started: 23:00:27.756271
    Duration: 325.589 ms
     Changes:
              ----------
              /tmp/testdir/ppp.txt:
                  ----------
                  diff:
                      New file
                  mode:
                      0640

Summary for arslinux-02
------------
Succeeded: 2 (changed=1)
Failed:    0
------------
Total states run:     2
Total run time: 420.943 ms
4. Check on the minion whether the directory was created and the permissions are correct
[root@arslinux-02 ~]# ll /tmp/testdir/
總用量 4
-rw-r----- 1 root root 511 8月 3 23:00 ppp.txt
[root@arslinux-02 ~]# ll -d /tmp/testdir/
drwxr-x--- 2 root root 21 8月 3 23:00 /tmp/testdir/
5. Running state.highstate again reports an error, because /test/123/ no longer exists
[root@arslinux-01 salt]# cd test/
[root@arslinux-01 test]# mkdir abc
[root@arslinux-01 test]# touch 123.txt
[root@arslinux-01 test]# rm -rf 123
[root@arslinux-01 test]# ls
123.txt  abc
[root@arslinux-01 test]# salt 'arslinux-02' state.highstate
arslinux-02:
----------
          ID: file_test
    Function: file.managed
        Name: /tmp/arslinux
      Result: False
     Comment: Source file salt://test/123/ppp.txt not found in saltenv 'base'
     Started: 23:08:19.655224
    Duration: 140.84 ms
     Changes:
----------
          ID: file_dir
    Function: file.recurse
        Name: /tmp/testdir
      Result: False
     Comment: Recurse failed: none of the specified sources were found
     Started: 23:08:19.796420
    Duration: 32.291 ms
     Changes:

Summary for arslinux-02
------------
Succeeded: 0
Failed:    2
------------
Total states run:     2
Total run time: 173.131 ms
Because /test/123/ was deleted, operations based on that directory fail
6. Fix: remove test from top.sls so that it is no longer referenced
[root@arslinux-01 salt]# vim top.sls
base:
  '*':
    - testdir
7. Create /srv/salt/test/123/
[root@arslinux-01 salt]# mkdir test/123/
[root@arslinux-01 salt]# mv test/abc test/123.txt test/123/
8. Run again
[root@arslinux-01 salt]# salt 'arslinux-02' state.highstate
arslinux-02:
----------
          ID: file_dir
    Function: file.recurse
        Name: /tmp/testdir
      Result: True
     Comment: Recursively updated /tmp/testdir
     Started: 23:16:26.961983
    Duration: 420.045 ms
     Changes:
              ----------
              /tmp/testdir/123.txt:
                  ----------
                  diff:
                      New file
                  mode:
                      0640
              removed:
                  - /tmp/testdir/ppp.txt

Summary for arslinux-02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time: 420.045 ms
9. The minion did not sync the abc directory because abc is empty; for a directory to be synced it must not be empty
[root@arslinux-02 ~]# ll /tmp/testdir/
總用量 0
-rw-r----- 1 root root 0 8月 3 23:16 123.txt
24.11 Managing remote commands
1. Edit top.sls
[root@arslinux-01 salt]# vim top.sls
base:
  '*':
    - shell_test
2. Create shell_test.sls
[root@arslinux-01 salt]# vim shell_test.sls
hell_test:
  cmd.script:
    - source: salt://test/1.sh
    - user: root
3. Create the script 1.sh
[root@arslinux-01 salt]# vim test/1.sh
#!/bin/bash
touch /tmp/111.txt
if [ ! -d /tmp/1233 ]
then
    mkdir /tmp/1233
fi
4. Run it
[root@arslinux-01 salt]# salt 'arslinux-02' state.highstate
arslinux-02:
----------
          ID: hell_test
    Function: cmd.script
      Result: True
     Comment: Command 'hell_test' run
     Started: 16:54:25.741342
    Duration: 168.634 ms
     Changes:
              ----------
              pid:
                  4413
              retcode:
                  0
              stderr:
              stdout:

Summary for arslinux-02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time: 168.634 ms
5. Check on the minion
[root@arslinux-02 ~]# ll /tmp/
總用量 4
-rw-r--r-- 1 root root 0 8月 4 16:54 111.txt
drwxr-xr-x 2 root root 6 8月 4 16:54 1233
-rw------- 1 root root 511 8月 3 22:43 arslinux
24.12 Managing cron jobs
1. Edit top.sls
[root@arslinux-01 salt]# vim top.sls
base:
  '*':
    - cron_test
2. Create cron_test.sls
[root@arslinux-01 salt]# vim cron_test.sls
cron_test:
  cron.present:
    - name: /bin/touch /tmp/12121212.txt
    - user: root
    - minute: '20'
    - hour: 17
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
Note: * must be enclosed in single quotes. We could of course also use the file.managed module to manage cron, because the system's cron jobs all exist as configuration files
—— to delete this cron, add:
  cron.absent:
    - name: /bin/touch /tmp/111.txt
The two cannot coexist: to delete a cron, the earlier present must be removed
3. Run it
[root@arslinux-01 salt]# salt 'arslinux-02' state.highstate
arslinux-02:
----------
          ID: cron_test
    Function: cron.present
        Name: /bin/touch /tmp/12121212.txt
      Result: True
     Comment: Cron /bin/touch /tmp/12121212.txt added to root's crontab
     Started: 17:16:36.800747
    Duration: 543.17 ms
     Changes:
              ----------
              root:
                  /bin/touch /tmp/12121212.txt

Summary for arslinux-02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time: 543.170 ms
4. Check on the minion
[root@arslinux-02 ~]# date
2019年 08月 04日 星期日 17:18:11 CST
[root@arslinux-02 ~]# ll /tmp/
總用量 4
-rw-r--r-- 1 root root 0 8月 4 16:54 111.txt
drwxr-xr-x 2 root root 6 8月 4 16:54 1233
-rw------- 1 root root 511 8月 3 22:43 arslinux
[root@arslinux-02 ~]# crontab -l
# Lines below here are managed by Salt, do not edit
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/12121212.txt
20 17 * * * /bin/touch /tmp/12121212.txt
5. Check the minion again after 17:20
[root@arslinux-02 ~]# ll /tmp/
總用量 4
-rw-r--r-- 1 root root 0 8月 4 16:54 111.txt
-rw-r--r-- 1 root root 0 8月 4 17:20 12121212.txt
drwxr-xr-x 2 root root 6 8月 4 16:54 1233
-rw------- 1 root root 511 8月 3 22:43 arslinux
Success
6. Once it has been added, do not change the crontab on the minion by hand; otherwise the next time the master runs salt it will add the entry again
[root@arslinux-02 ~]# crontab -e
crontab: installing new crontab
[root@arslinux-02 ~]# crontab -l
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/12121212.txt
20 17 * * * /bin/touch /tmp/12121212.txt
[root@arslinux-01 salt]# salt 'arslinux-02' state.highstate
arslinux-02:
----------
          ID: cron_test
    Function: cron.present
        Name: /bin/touch /tmp/12121212.txt
      Result: True
     Comment: Cron /bin/touch /tmp/12121212.txt added to root's crontab
     Started: 17:29:33.617502
    Duration: 491.19 ms
     Changes:
              ----------
              root:
                  /bin/touch /tmp/12121212.txt

Summary for arslinux-02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time: 491.190 ms
[root@arslinux-02 ~]# crontab -l
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/12121212.txt
20 17 * * * /bin/touch /tmp/12121212.txt
# Lines below here are managed by Salt, do not edit
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/12121212.txt
20 17 * * * /bin/touch /tmp/12121212.txt
—— note the line # Lines below here are managed by Salt, do not edit
We must not change it arbitrarily, otherwise the cron can no longer be deleted or modified
7. First restore the minion's crontab to the correct state
[root@arslinux-02 ~]# crontab -e
crontab: installing new crontab
[root@arslinux-02 ~]# crontab -l
# Lines below here are managed by Salt, do not edit
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/12121212.txt
20 17 * * * /bin/touch /tmp/12121212.txt
8. On the master, delete the crontab entry using the cron.absent module
[root@arslinux-01 salt]# vim cron_test.sls
cron_test:
  cron.absent:
    - name: /bin/touch /tmp/12121212.txt
[root@arslinux-01 salt]# salt 'arslinux-02' state.highstate
arslinux-02:
----------
          ID: cron_test
    Function: cron.absent
        Name: /bin/touch /tmp/12121212.txt
      Result: True
     Comment: Cron /bin/touch /tmp/12121212.txt removed from root's crontab
     Started: 17:34:42.720616
    Duration: 437.822 ms
     Changes:
              ----------
              root:
                  /bin/touch /tmp/12121212.txt

Summary for arslinux-02
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time: 437.822 ms
[root@arslinux-02 ~]# crontab -l
# Lines below here are managed by Salt, do not edit
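The crontab drift from steps 6 and 7, as an added Python example that is not the tutorial's or Salt's own code: it parses a crontab around the marker line Salt writes, reports tagged entries that ended up above the marker (where Salt no longer sees them and re-adds them, so the job fires twice), and rebuilds the file the way step 7 does by hand. SALT_MARKER and IDENT_PREFIX are the two lines shown in the tutorial's crontab -l output; parse_crontab, audit_crontab and reconcile are hypothetical helper names, and the crontab texts are constructed from the page.

```python
SALT_MARKER = "# Lines below here are managed by Salt, do not edit"
IDENT_PREFIX = "# SALT_CRON_IDENTIFIER:"

# Constructed from the crontab -l output after the manual edit in step 6: the hand-made
# copy sits above the marker, Salt's copy below it, so the job runs twice at 17:20.
DRIFTED_CRONTAB = """\
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/12121212.txt
20 17 * * * /bin/touch /tmp/12121212.txt
# Lines below here are managed by Salt, do not edit
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/12121212.txt
20 17 * * * /bin/touch /tmp/12121212.txt
"""

# The crontab as step 7 restores it (constructed from the page as well).
CLEAN_CRONTAB = """\
# Lines below here are managed by Salt, do not edit
# SALT_CRON_IDENTIFIER:/bin/touch /tmp/12121212.txt
20 17 * * * /bin/touch /tmp/12121212.txt
"""


def parse_crontab(text):
    """Split a crontab into what Salt owns and what it does not. Returns a dict:
      above   - unmanaged lines before the marker, kept verbatim
      managed - (identifier, cron_line) pairs below the marker; identifier is
                None for a managed line without a SALT_CRON_IDENTIFIER comment
      stray   - (identifier, cron_line) pairs found ABOVE the marker: tagged
                entries Salt no longer sees and will therefore add again
      marker  - whether the marker line was present at all"""
    above, managed, stray = [], [], []
    below = False
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.strip() == SALT_MARKER:
            below = True
            i += 1
            continue
        if line.startswith(IDENT_PREFIX):
            # Salt writes the identifier comment and the cron line as adjacent lines.
            ident = line[len(IDENT_PREFIX):].strip()
            cron_line = lines[i + 1].strip() if i + 1 < len(lines) else ""
            (managed if below else stray).append((ident, cron_line))
            i += 2
            continue
        if below:
            managed.append((None, line.strip()))
        else:
            above.append(line)
        i += 1
    return {"above": above, "managed": managed, "stray": stray, "marker": below}


def audit_crontab(text):
    """Findings as (kind, identifier) tuples:
      ('duplicate', id) - a stray copy whose cron line also exists below the
                          marker, so the job runs twice (the state in step 6)
      ('orphan', id)    - a stray tagged entry with no managed twin; Salt will add
                          one on the next highstate unless the entry is moved back"""
    parsed = parse_crontab(text)
    managed_lines = {cron_line for _, cron_line in parsed["managed"]}
    return [("duplicate" if cron_line in managed_lines else "orphan", ident)
            for ident, cron_line in parsed["stray"]]


def reconcile(text):
    """Rebuild the crontab so that every tagged entry lives below the marker exactly
    once, which is what step 7 does by hand before cron.absent can remove it."""
    parsed = parse_crontab(text)
    seen, managed = set(), []
    for entry in parsed["managed"] + parsed["stray"]:
        if entry not in seen:
            seen.add(entry)
            managed.append(entry)
    out = list(parsed["above"])
    if parsed["marker"] or managed:
        out.append(SALT_MARKER)
        for ident, cron_line in managed:
            if ident is not None:
                out.append(IDENT_PREFIX + ident)
            out.append(cron_line)
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    print(audit_crontab(DRIFTED_CRONTAB))
    print(reconcile(DRIFTED_CRONTAB), end="")
```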
24.13 Other commands
cp.get_file copies a file from the master to the client
cp.get_dir copies a directory from the master to the client
[root@arslinux-01 salt]# cp /etc/passwd test/1.txt
[root@arslinux-01 salt]# salt '*' cp.get_file salt://test/1.txt /tmp/1234567.txt
arslinux-02:
    /tmp/1234567.txt
arslinux-01:
    /tmp/1234567.txt
[root@arslinux-01 salt]# salt '*' cp.get_dir salt://test/123/ /tmp/
arslinux-01:
    - /tmp//123/123.txt
    - /tmp//123/abc
arslinux-02:
    - /tmp//123/123.txt
    - /tmp//123/abc
salt-run manage.up shows the minions that are alive
salt '*' cmd.script salt://script runs a shell script stored on the master from the command line
[root@arslinux-01 salt]# salt-run manage.up
- arslinux-01
- arslinux-02
[root@arslinux-01 salt]# salt '*' cmd.script salt://test/1.sh
arslinux-01:
    ----------
    pid:
        21621
    retcode:
        0
    stderr:
    stdout:
arslinux-02:
    ----------
    pid:
        7289
    retcode:
        0
    stderr:
    stdout:
24.14 Using salt-ssh
salt-ssh needs no authentication configured for the clients, and the clients do not need salt-minion installed; it is similar to pssh/expect
1. Install salt-ssh
[root@arslinux-01 ~]# yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
[root@arslinux-01 ~]# yum install -y salt-ssh
2. Edit the roster configuration file
[root@arslinux-01 ~]# vim /etc/salt/roster
arslinux-01:
  host: 192.168.194.130
  user: root
  passwd: xxxxxxx
arslinux-02:
  host: 192.168.194.132
  user: root
  passwd: xxxxxxx
3. Test whether login works
[root@arslinux-01 ~]# salt-ssh --key-deploy '*' -r 'w'
[ERROR   ] Failed collecting tops for Python binary python3.
arslinux-02:
    ----------
    retcode:
        0
    stderr:
    stdout:
        [email protected]'s password:
         19:25:46 up  2:42,  1 user,  load average: 0.00, 0.06, 0.09
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    192.168.194.1    16:44    1:50m  0.09s  0.09s -bash
arslinux-01:
    ----------
    retcode:
        0
    stderr:
    stdout:
        [email protected]'s password:
         19:25:46 up  2:42,  1 user,  load average: 0.45, 0.22, 0.17
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    192.168.194.1    16:44   10.00s  9.07s  0.04s /usr/bin/python /usr/bin/salt-ssh --key-deploy * -r w
[root@arslinux-01 ~]# date
2019年 08月 04日 星期日 19:27:10 CST
[root@arslinux-01 ~]# ll /root/.ssh/authorized_keys
-rw-r--r--. 1 root root 1191 8月 4 19:25 /root/.ssh/authorized_keys
[root@arslinux-02 ~]# ll /root/.ssh/authorized_keys
-rw-r--r--. 1 root root 1199 8月 4 19:25 /root/.ssh/authorized_keys
The public key has been delivered
4. Remove the passwords from the roster and run again; login still works
[root@arslinux-01 ~]# salt-ssh --key-deploy '*' -r 'w'
arslinux-02:
    ----------
    retcode:
        0
    stderr:
    stdout:
         19:30:23 up  2:47,  1 user,  load average: 0.00, 0.03, 0.06
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    192.168.194.1    16:44    1:27   0.10s  0.10s -bash
arslinux-01:
    ----------
    retcode:
        0
    stderr:
    stdout:
         19:30:23 up  2:47,  1 user,  load average: 0.25, 0.18, 0.16
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    192.168.194.1    16:44    7.00s  1.49s  0.02s /usr/bin/python /usr/bin/salt-ssh --key-deploy * -r w