文章目錄
1. saltstack簡介
官網安裝:http://repo.saltstack.com/
模塊-官網文檔:docs.saltstack.cn
- SaltStack是一個服務器基礎架構集中化管理平臺,具備配置管理、遠程執行、監控等功能,一般可以理解爲簡化版的puppet和加強版的func。SaltStack基於Python語言實現,結合輕量級消息隊列(ZeroMQ)與Python第三方模塊(Pyzmq、PyCrypto、Pyjinjia2、python-msgpack和PyYAML等)構建。通過部署SaltStack環境,我們可以在成千上萬臺服務器上做到批量執行命令,根據不同業務特性進行配置集中化管理、分發文件、採集服務器數據、操作系統基礎及軟件包管理等,SaltStack是運維人員提高工作效率、規範業務配置與操作的利器。
特點
- 基於python開發的C/S架構配置管理工具
- 底層使用ZeroMQ消息隊列pub/sub方式通信
- 使用SSL證書籤發的方式進行認證管理,傳輸採用AES加密
服務架構
- 服務器端:Master
- 客戶端:Minion
功能
- 遠程執行
- 配置管理/狀態管理
- 雲管理(cloud)
- 事件驅動
運行方式
- local本地運行
- Master/Minion傳統方式
- Syndic分佈式
- Salt ssh
配置文件
- /etc/salt/master:主控端(控制端)配置文件
- /etc/salt/minion:受控端配置文件
2. 安裝與配置
master端:
server1:192.168.17.1
minion端:
server2:192.168.17.2
server3:192.168.17.3
2.1 minion端配置
- 配置軟件倉庫
vim /etc/yum.repos.d/salt-3000.repo
[salt-3000]
name=SaltStack 3000 Release Channel for Python 2 RHEL/Centos $releasever
baseurl=https://mirrors.aliyun.com/saltstack/yum/redhat/7/$basearch/3000
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key, file:///etc/pki/rpm-gpg/centos7-signing-key
- 安裝salt-minion
yum install -y salt-minion
- 設置對應的master端
vim /etc/salt/minion
16 master: 192.168.17.1
- 開啓服務
systemctl enable --now salt-minion
- 每次修改主機名後,都要刪除/etc/salt/minion_id此文件,並修改解析
2.2 master端配置
- 配置軟件倉庫
yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-3000.el7.noarch.rpm
sed -i "s/repo.saltstack.com/mirrors.aliyun.com\/saltstack/g" /etc/yum.repos.d/salt-latest.repo
cat /etc/yum.repos.d/salt-3000.repo
[salt-3000]
name=SaltStack 3000 Release Channel for Python 2 RHEL/Centos $releasever
baseurl=https://mirrors.aliyun.com/saltstack/yum/redhat/7/$basearch/3000
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key, file:///etc/pki/rpm-gpg/centos7-signing-key
- 安裝salt-master
yum install -y salt-master
- 開啓服務
systemctl enable --now salt-master
- 認證
salt-key -A
:接受所有minion等待認證的key
salt-key -L
:列出所有公鑰信息
-a minion#接受指定minion等待認證的key
-r minion#拒絕指定minion等待認證的key
-R#拒絕所有minion等待認證的key
2.3 遠程測試
- 查看端口及進程
yum install -y lsof#可以顯示監聽端口詳細信息
yum install -y python-setproctitle#可以顯示進程詳細信息
systemctl restart salt-master.service
- 測試
salt '*' test.ping
salt '*' cmd.run hostname
salt '*' cmd.run 'uname -a'
3. 遠程執行shell命令
salt 'server2' sys.doc pkg
:查看模塊文檔
- 測試httpd
#安裝httpd
salt server2 pkg.install httpd
#列出安裝包
salt server2 cmd.run 'rpm -q httpd'
##開啓服務
salt server2 service.start httpd
- 複製文件
echo server2 > index.html
salt-cp server2 index.html /var/www/html/
4. 編寫.sls文件
- 有apache.sls和apache目錄,先匹配apache.sls
- 調用時不加.sls後綴
mkdir -p /srv/salt/apache/files
- 關於httpd的不同書寫方式
執行 salt minion主機 state.sls apache.install
運行
#apache/install.sls
httpd:
pkg.installed
#apache/install.sls
apache:
pkg.installed:
- pkgs:
- httpd
- php
#apache/install.sls
apache:
pkg.installed:
- pkgs:
- httpd
- php
file.managed:
- source: salt://apache/files/index.html#此文件內容一修改,運行時就會顯示有改變,因爲有md5sum碼
- name: /var/www/html/index.html
#apache/install.sls
apache:
pkg.installed:
- pkgs:
- httpd
- php
/var/www/html/index.html:
file.managed:
- source: salt://apache/files/index.html
httpd:
service.running
#apache/install.sls
apache:
pkg.installed:
- pkgs:
- httpd
- php
file.managed:
- source: salt://apache/files/index.html
- name: /var/www/html/index.html
service.running:
- name: httpd
- 修改端口
cp /etc/httpd/conf/httpd.conf apache/files/
:複製模板文件
vim apache/files/httpd.conf
:修改端口檢測
salt server2 state.sls apache.install
#apache/install.sls
apache:
pkg.installed:
- pkgs:
- httpd
- php
file.managed:
- source: salt://apache/files/index.html
- name: /var/www/html/index.html
service.running:
- name: httpd
- enable: true
- reload: true
- watch:
- file: /etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf:
file.managed:
- source: salt://apache/files/httpd.conf
#apache/install.sls
apache:
pkg.installed:
- pkgs:
- httpd
- php
file.managed:
- source: salt://apache/files/httpd.conf
- name: /etc/httpd/conf/httpd.conf
service.running:
- name: httpd
- enable: true
- watch:
- file: apache
5. 編寫遠程執行模塊 _modules
-
mkdir /srv/salt/_modules
:創建模塊目錄 -
vim _modules/mydisk.py
:編寫模塊
def df():
return __salt__['cmd.run']('df -h')
salt server2 cmd.run df
salt server2 saltutil.sync_modules
:同步模塊
- 同步後可在minion主機的 /var/cache/salt/minion/extmods/modules/ 查看到
6. grains配置(存放在minion端)
-
Grains是SaltStack的一個組件,存放在SaltStack的minion端。
-
當salt-minion啓動時會把收集到的數據靜態存放在Grains當中,只有當minion重啓時纔會進行數據的更新。
-
由於grains是靜態數據,因此不推薦經常去修改它。
-
應用場景:
- 信息查詢,可用作CMDB
- 在target中使用,匹配minion
- 在state系統中使用,配置管理模塊。
-
master端查看信息
#列出每一項
salt server2 grains.ls
#查看每一項的具體值
salt server2 grains.items
#查看單項的值
salt server2 grains.item ipv4
salt server2 grains.item fqdn
6.1 minion端添加grains
server2
[root@server2 ~]# vim /etc/salt/minion
129 grains:
130 roles:
131 - apache
[root@server2 ~]# systemctl restart salt-minion
server3
[root@server3 ~]# vim /etc/salt/minion
129 grains:
130 roles:
131 - nginx
[root@server3 ~]# systemctl restart salt-minion.service
在master端查看
salt server2 grains.item roles
salt server3 grains.item roles
6.2 編寫grains模塊
- 編寫
mkdir /srv/salt/_grains
vim /srv/salt/_grains/mygrains.py
def my_grains():
grains = {
}
grains['salt'] = 'stack'
grains['hello'] = 'world'
return grains
- 同步grains模塊到minion端
salt '*' saltutil.sync_grains
可以在minion端查看到 /var/cache/salt/minion/files/base/_grains/mygrains.py
- 列出grains
salt '*' grains.item salt
salt '*' grains.item hello
6.3 grains匹配運用
- 在target中匹配minion
salt -G roles:apache cmd.run hostname
salt -G roles:nginx test.ping
salt -G salt:stack test.ping
salt -G hello:world test.ping
- top.sls文件匹配
mkdir -p /srv/salt/nginx/files/
[root@server1 salt]# ls nginx/files/
nginx-1.18.0.tar.gz
vim /srv/salt/top.sls
base:
'roles:apache':
- match: grain
- apache
'roles:nginx':
- match: grain
- nginx
vim /srv/salt/nginx/init.sls
nginx:
file.managed:
- source: salt://nginx/files/nginx-1.18.0.tar.gz
- name: /mnt/nginx-1.18.0.tar.gz
salt '*' state.highstate
:讀取所有環境的top.sls文件
7. nginx應用
cd /src/salt/
vim nginx/files/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
vim nginx/install.sls
nginx-install:
pkg.installed:
- pkgs:
- gcc
- pcre-devel
- openssl-devel
file.managed:
- source: salt://nginx/files/nginx-1.18.0.tar.gz
- name: /mnt/nginx-1.18.0.tar.gz
cmd.run:
- name: cd /mnt && tar zxf nginx-1.18.0.tar.gz && cd nginx-1.18.0 && ./configure --prefix=/usr/local/nginx --with-http_ssl_module &> /dev/null && make &> /dev/null && make install &> /dev/null
- creates: /usr/local/nginx
vim nginx/init.sls
include:
- nginx.install
/usr/local/nginx/conf/nginx.conf:
file.managed:
- source: salt://nginx/files/nginx.conf
nginx-service:
user.present:
- name: nginx
- shell: /sbin/nologin
- home: /usr/local/nginx
- createhome: false
file.managed:
- source: salt://nginx/files/nginx.service
- name: /usr/lib/systemd/system/nginx.service
service.running:
- name: nginx
- enable: true
- reload: true
- watch:
- file: /usr/local/nginx/conf/nginx.conf
salt server3 state.sls nginx.install
scp server3:/usr/local/nginx/conf/nginx.conf nginx/files/
vim nginx/files/nginx.conf
user nginx;
salt server3 state.sls nginx
8. jinja模板
- 定義:
{% XXX %}
- 引用:
{ { XXX }}
8.1 示例1
vim test.sls
/mnt/testfile:
file.append:
{
% if grains['fqdn'] == 'server2' %}
- text: server2
{
% elif grains['fqdn'] == 'server3' %}
- text: server3
{
% endif %}
salt '*' state.sls test
- 查看實驗結果
8.2 apache結合jinja模板
cd /src/salt/
vim apache/init.sls
apache:
pkg.installed:
- pkgs:
- httpd
file.managed:
- source: salt://apache/files/httpd.conf
- name: /etc/httpd/conf/httpd.conf
- template: jinja
- context:
port: 80
bind: {
{
grains['ipv4'][-1] }}
service.running:
- name: httpd
- enable: true
- watch:
- file: apache
/var/www/html/index.html:
file.managed:
- source: salt://apache/files/index.html
- template: jinja
- context:
NAME: {
{
grains['ipv4'][-1] }}
vim apache/files/index.html
{
{
grains['os'] }} - {
{
grains['fqdn'] }}
{
{
NAME }}
vim apache/files/httpd.conf
Listen {
{
bind }}:{
{
port }}
salt server2 state.sls apache
- 在minion端查看實驗結果