|
|
XII saltstack
salt是一个新的基础平台管理工具,2011-02-20诞生,创造者Thoms SHatch,起名salt原因生活中常见、易记,使用saltstack.com原因这个域名没有被注册,Because salt goes everywhere;
部署简单,只需花费很短时间即可运行起来,扩展性足以支持管理上万台server;
速度很快,毫秒级通信,server间完成数据传递足够快;
用python语言开发;
工作方式:Master/Minion(ZeroMQ),Masterless,Salt-SSH(0.17+);
三大功能:remote execution;config management;cloud management;
项目地址:https://github.com/saltstack/salt
http://www.saltstack.cn/
salt底层基于ZeroMQ PUB-SUBpattern(publisher-subscriber),master/minion通信高效传递及扩展、异步;
saltstack社区致力于保持salt项目集中、友好、健康、开放;
在win平台上只能运行minion;
注:
salt-master-2015.5.10-2.el6.noarch(版本号以年月日命名,此处是5月第2次发行)
salt-minion-2015.5.10-2.el6.noarch
salt-2015.5.10-2.el6.noarch
zeromq3-3.2.5-1.el6.x86_64(rhel6默认zeromq是3系列,rhel5默认zeromq是2系列,若在rhel5上使用需要升级zeromq为3系统,因为2系列有bug会导致minion与master断开后无法重连)
master上可用的命令有:salt、salt-key、salt-cp、salt-master、salt-run、salt-unity;
minion上可用的命令有:salt-call、salt-minion;
master端的配置文件是/etc/salt/master,minion端的配置文件是/etc/salt/minion,常用的配置选项看以下内容,master端配置文件若改动不用重启即刻生效;
key密钥管理(salt数据采用AES加密,同时master&minion采用key管理;minion在配置中指定master地址,启动后会自动被master识别;minion只有先被masteraccepted接受过key之后,master才能管理minion,同时master的public key也会传到minion上,实现更安全的双向认证;keys默认存储在/etc/salt/pki/下;管理工具,master的salt-key wheel API);
salt数据系统(grains谷物和pillar柱子):
grains:salt0.7.0整合了puppetfacter,0.8.7加入grains用于取代facter,存储在minion端,用于保存minion端的数据信息,当minion启动时才加载grains信息,所以grains信息是静态的,grains可用于minion信息查询、target配置管理模板等;
pillar:salt0.9.8版本增加了pillar,存储在master端,存放需要提供给minion的信息,应用场景:敏感信息(每个minion只能访问master分配给自己的pillar信息)、变量(差异化的信息)、其它任何数据、可在target、state中使用);
grains VS pillar:
用途不同(grains用于存储minion的基本数据信息,这些信息是批量的不可变的;pillar用于存储master分配给minion的数据信息);
存储区域不同(grains的元数据存储在minion端;pillar的元数据存储在master端);
更新方式不同(grains是在minion启动时进行更新,也可通过saltutil.sync_grains进行刷新;pillar的元数据在master端,要用saltutil.refresh_pillar进行刷新,相较于grains,pillar效率更高、更灵活);
salt远程执行:
salt第一个版本0.6.0就确定了远程执行的功能,当前官方版本支持的远程执行模块数量超200个以上;
#salt [options] '<target>' <function> [arguments] #(target options有:-E(--pcre),-L(--list),-G(--grain),-I(--pillar),-N(--nodegroup),-C(--compound);target指定哪些minion要执行;function表示为模块名.方法,module.method,如cmd.run;自定义模块时,只需要关注业务处理逻辑即可)
常用的options有:
-b(--batch-size),此项很有用,可用于分批次的重启服务,若全部在一个时间重启,业务将停止;batch> -v(--verbose);
--show-jid;
target支持的matcher有:
globing通配符;
RE正则,-E;
list,-L,指定需要运行该指令的minion列表,列表中的元素用逗号分隔;
grain,-G,通过minion的grain信息来进行匹配;
pillar,-I,通过pillar来匹配需要运行指令的minion;
nodegroups,-N,分组,在master配置文件中配置,或在/etc/salt/master.d/*.conf中配置;
compound混搭,-C;
其中compound使用时:
G,grains glob(如G@os:Ubuntu);
E,pcre minion> P,grains pcre(如P@os:(RedHat|Fedora|CentOS));
L,list of minions,此处的or即和的意思,and为或的意思(如L@minion1.example,minion2.domain.comor bl*domain.com));
I,pillar glob(如I@pdata:foobar));
S,subnet/ipaddress(S@192.168.0/24or S@192.168.1.100);
R,range cluster(R@%foo.bar);
#salt '*' test.ping #(测试所有minion是否连通)
#salt '*' pkg.install httpd #(安装指定软件包)
#salt '*' cp.get_filesalt://apache/files/etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf #(分发配置文件,方法一:cp.get_file方法默认的源文件是在/etc/salt/master主配置文件中的file_roots选项指定的位置/srv/salt/下找)
#salt-cp '*'/srv/salt/apache/files/etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf #(分发配置文件,方法二:salt-cp源文件可在本地文件系统的任意位置)
#salt '*' service.start httpd #(启动指定服务)
#salt-run jobs.list_jobs #(查看运行过的任务)
#salt -v '*' test.ping #(显示当前任务的jid)
#salt '*' saltutil.running #(列出minion端正在执行哪些任务)
#salt-run jobs.lookup_jid <jid> #(根据jid,查看具体某项任务执行结果)
配置管理configuration management:
wikipedia组态管理,是一个建立系统工程的过程,用来建立与维持一个产品,让这个产品的效能、功能、所要求的物理特性,在它的生命周期中都能保持稳定与一致性;
salt0.8.8开始加入state system状态管理系统,0.9.3真正支持statesystem,在状态管理方面可与puppet、chef等竞争,这对salt有里程碑意义;
salt中对应的配置描述文件称为.sls(SaLt State);
YAML(Yet Another Markup Language-->YAML Ain't Markup Language):
salt默认使用YAML作为sls文件描述格式;
使用空白字符为文件缩排来表示结构,不能使用<TAB>;
注释用#号;
字符串平常不使用引号,若有需要可使用单引号或双引号,双引号中的特殊字符可用backslash反斜线\来进行转义;
用法:
列表(短杠-加+空白字符);
字典(key和value通过冒号:加+空白字符隔开);
多层结构(通过空格缩进来表示层级);
举例列表:
- jason
- bourne
等同于
['jason','bourne']
举例字典:
name: jason
site: http://www.saltstack.com/
等同于
{'name':'jason','site':'http://www.saltstack.com/'}
举例多层结构:
- jason:
-sites:
-blog: http://jason.org/
-github: http://github.com/jason/
等同于
[{'jason':[{'sites':[{'blog':'http://jason.org/'},{'github':'http://github.com/jason/'}]}]}]
jinja2:
salt默认使用jinja2模板系统来生成YAML,jinja2为python开发的模板引擎,功能类似于php的smarty、J2EE的Freemarker和velocity,它能完全支持unicode,并具有集成的沙箱执行环境,应用广泛,jinja2使用BSD授权;
http://jinja.pocoo.org/
用法:
变量表示为` foo `;
变量属性表示为` foo`.`bar `或{{ foo['bar'] }};
注释表示为{{# comment #}};
for语句:
{% for eachitem in items %}
` eachitem `
{% endfor %}
if语句:
{% if GFW %}
Welcome to China!
{% elif not Internet %}
Welcome to North Korea!
{% else %}
Freedom
{% endif %}
state tree:
top file,默认top.sls,配置管理入口文件,和pillar类似,指定minion需要完成哪些配置管理;
sls模块使用点分割,例如apache.install等同于salt://apache/install.sh或salt://apache/install/init.sls;
include/extend,sls文件之间可通过include和extend来引用和扩展;
sls中的id必须唯一,且在该id下同一类的状态管理模块只能有一个;
salt0.17.0增加了state_auto_order参数,默认值True,使state在没有requisites的情况下按从上到下的顺序依次执行;
requisites:
require,本state执行时需要先执行哪些state;
require_in,与require位置相反;
watch,除require功能外,也会监测依赖的state的状态,如果状态发生变化作出反应;
watch_in,与watch位置相反;
prereq,0.16.0新增的功能,会通过test=True接口检查所依赖的state的状态,如果状态发生变化,执行;
prereq_in,与prereq位置相反;
软件包状态管理模块:
模块名pkg,功能,管理软件包状态,会根据os的不同,选择对应的安装方式,例如rhel的yum,debian的apt-get;
基本用法:
pkg.installed(确保软件包已安装,如果没有安装进行安装);
pkg.latest(确保软件是最新版本,如果不是进行升级);
pkg.remove(确保软件包已卸载,如果之前已安装进行卸载);
pkg.purge(除remove外,也会删除其配置文件);
文件状态管理模块:
模块名file,功能,管理文件状态;
基本用法:
file.managed(保证文件存在且为对应的状态);
file.recurse(保证目录存在且为对应的状态);
file.absent(确保文件不存在,若存在则进行删除操作);
服务状态管理模块:
模块名service,功能,管理服务状态;
基本用法:
service.running(确保服务处于运行状态,如果没有运行则进行启动);
service.enabled(确保服务会开机自动启动);
service.disabled(确保服务不会开机自启);
service.dead(确保服务当前没有运行);
#salt '*' state.sls apache(运行指定服务的配置管理,打印出的内容中,绿色表示未变更,蓝色列出变更了哪些,红色为哪些执行失败);
#salt '*' state.highstate(运行所有服务配置管理);
#salt '*' state.highstate test=True(测试,会打印出当前状态,不会应用到各minion上);
注:
top.sls文件中定义的内容,只要能匹配到minion都会先后执行所有操作,而不是像iptables那样先匹配到就不匹配之后的内容;
*.sls配置文件中各级之间的空格要是2的倍数,例如一级顶格写,二级2个空格,3级4个空格,否则提示state.py in render_state sls之类的错误;
python八荣八耻:
以动手实践为荣,以只看不练不耻;
以打印日志为荣,以单步跟踪为耻;
以空格缩进为荣,以制表缩进为耻;
以单元测试为荣,以人工测试为耻;
以模块利用为荣,以复制粘贴为耻;
以多态应用为荣,以分支判断为耻;
以pythonic为荣,以冗余拖沓为耻;
以总结分享为荣,以跪求其解为耻。
salt高级应用(job管理、schedule、salt syndic、salt-ssh)
job管理:
jid,job> master在下发指令消息时会随带上产生的jid,minion在接收到指令开始执行时,会在本地的cachedir(/var/cache/salt/minion)下的proc/下产生以该jid命名的文件,这个文件用于在执行过程中master查看minion当前任务的执行情况,minion端把指令执行完毕将结果传给master后,删除proc/下的临时文件;
master将minion的执行结果存在本地/var/cache/salt/master/jobs/下,默认缓存24h,可通过keep_jobs调整保存多长时间;
#salt-run jobs.list_jobs
#salt '*' saltutil.running
#salt -v '*' service.status httpd
#salt -v '*' cmd.run 'sleep 30'
#salt-run jobs.lookup_jid <jid>
saltutil模块中的job管理方法有:
saltutil.running #(查看minion正在运行的jobs);
saltutil.find_job <jid> #(查看指定jid的job,minion正在运行的job);
saltutil.signal_job <jid><signal> #(给指定jid进行发送信号);
saltutil.term_job <jid> #(终止指定的jid进程,15);
saltutil.kill_job <jid> #(终止指定的jid进程,9);
salt-run命令中的job管理方法:
#salt-run jobs.active #(查看所有minion当前正在运行的job,在所有minion上运行saltutil.running);
#salt-run jobs.lookup_jid <jid> #(从master上的缓存中查询指定jid的运行结果);
#salt-run jobs.list_jobs #(列出当前master上缓存的所有job);
schedule:
salt0.12.0加入了schedule子系统,用于master/minion定期执行schedule中配置的任务;
schedule可配置在master配置文件或minion的配置文件或pillar中;
master端配置schedule运行runner;
minion端配置schedule为远程执行;
2014.1版本schedule系统并不会将运行结果发送给master或产生event;
schedule支持returner,可将schedule执行结果发送到指定的returner中;
#vim /srv/pillar/top.sls
base:
'*':
-schedule
#vim /srv/pillar/schedule.sls
schedule: #(此关键字只能有一个,不能在其它的.sls文件中再使用,所有任务计划都放在这一个下)
highstate: #(每30min执行一次state.highstate)
function: state.highstate
minutes: 30
uptime: #(每min查询一次loadaverage,并将结果输出到mysqlreturner中)
function: status.uptime
seconds: 60
returner: mysql
hello:
function: cmd.run
args:
- date >> /tmp/test.log
minutes: 1
#salt '*' saltutil.refresh_pillar
#salt '*' pillar.get schedule
salt syndic:
salt syndic是一个master,其维护master地址配置为syndicserver地址的minions;
salt syndic是一个minion,其配置文件中会配置syndic_master的地址,其上层的master称为MasterOfMaster;
syndic下的minions的key由syndic主机来进行accept,MasterOfMaster主机只维护其下的syndic和minions主机的key;
MasterOfMaster只传送指令给syndic,syndic并将其继续向下传送,syndic获取到minions的执行结果后将结果传给MasterOfMaster;
syndic自身需要配置file_roots,MasterOfMaster并不会传送文件到syndic上;
在syndic server上安装salt-master和salt-syndic,被syndic管理的minion要改/etc/salt/minion中master: syndic_server_IP;
MasterOfMaster端的配置(/etc/salt/master):
order_masters: True
syndic端的配置(/etc/salt/master):
syndic_master: MasterOfMaster_IP
#syndic_master_port: MasterOfMaster_PORT
#syndic_pidfile: /var/run/salt-syndic.pid
#syndic_log_file: /var/log/salt/syndic.log
salt-ssh:
salt0.17.0加入salt ssh传输系统;
salt ssh基于ssh,无需zeromq和agent,支持sudo;
salt ssh的最终目标是能够和标准的salt完成相同的功能;
当前salt ssh只支持target端的glob和re,当前salt ssh依然为alpha状态,尚不能完全替代标准的salt应用于生产环境中;
salt roster系统随salt ssh系统加入到salt代码中,主要为saltssh提供需要连接的主机和权限信息,默认/etc/salt/roster;
#vim /etc/salt/roster
minion1: #(<salt> host: 10.96.20.117 #(the IPaddress or DNS name or the remote host)
user: root #(the user tologin as)
passwd: chai #(the passwdto login with)
另optional parameters有:
port: #(the target system's ssh port number)
sudo: #(boolean to run command via sudo)
priv: #(file path to ssh private key,defaults to salt-ssh.rsa)
timeout: #(number of seconds to wait for response)
returner:
master给minion发送命令执行结果最终将返回给master,saltstack的returner接口允许将结果发送给任意系统,如系统的syslog、MySQL、event等
By default salt will send the return datafrom the command back to the master, but the return data can be redirected intoany number of systems, databases or applications.
#salt '*' test.ping --return syslog #(结果保存在minion-side的系统日志下)
#tail /var/log/messages
准备三台server,一台为master(10.96.20.113),另两台为minion(10.96.20.117,10.96.20.118)
主机名(master、minion1、minion2)、IP配置好(10.96.20.113、10.96.20.117、10.96.20.118)
master-side和minion-side:
[root@master ~]# uname -rm
2.6.32-431.el6.x86_64 x86_64
[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server> [root@master ~]# yum -y install python-requests PyYAML python-crypto python-jinja2 #(先使用CentOS6-Base-163.repo或其它yum源安装好这几个包,再用epel源安装salt-master,因为epel源中缺少这几包导致安装会报如下错)
……
Error: Package:salt-2015.5.10-2.el6.noarch (epel)
Requires: python-crypto
Error: Package:salt-2015.5.10-2.el6.noarch (epel)
Requires: PyYAML
Error: Package:salt-2015.5.10-2.el6.noarch (epel)
Requires: python-requests
Error: Package:salt-2015.5.10-2.el6.noarch (epel)
Requires: python-jinja2
Youcould try using --skip-broken to work around the problem
Youcould try running: rpm -Va --nofiles --nodigest
master-side:
[root@master ~]# wget http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@master ~]# rpm -ivh epel-release-6-8.noarch.rpm
warning: epel-release-6-8.noarch.rpm:Header V3 RSA/SHA256 Signature, key> Preparing... ###########################################[100%]
1:epel-release ########################################### [100%]
[root@master ~]# yum -y install salt-master
Running Transaction
Installing : openpgm-5.1.118-3.el6.x86_64 1/6
Installing : zeromq3-3.2.5-1.el6.x86_64 2/6
Installing : python-zmq-14.3.1-1.el6.x86_64 3/6
Installing : python-msgpack-0.4.6-1.el6.x86_64 4/6
Installing : salt-2015.5.10-2.el6.noarch 5/6
Installing : salt-master-2015.5.10-2.el6.noarch 6/6
……
minion-side:
[root@minion1 ~]# wget http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@minion1 ~]# rpm -ivh epel-release-6-8.noarch.rpm
[root@minion1 ~]# yum -y install salt-minion
master-side:
[root@master ~]# vim /etc/salt/master #(master-side默认配置文件/etc/salt/master,可在启动时通过-c或--config-dir指定配置文件存放路径,默认会加载/etc/salt/master.d/*.conf文件,配置文件格式为YAML)
-----------------------file start--------------------
##### Primary configuration settings #####
##########################################
#default_include: master.d/*.conf
#interface: 0.0.0.0 #(bind监听的地址)
#ipv6: False
#publish_port: 4505 #(PUB,4505master向minion发送命令的port,而ret_port: 4506,用于接收minion返回的结果)
#user: root #(运行salt-master的用户)
#max_open_files: 100000 #(#ulimit -n;#vim/etc/security/limits.conf)
#worker_threads: 5
#ret_port: 4506
#pidfile: /var/run/salt-master.pid
#root_dir: /
#pki_dir: /etc/salt/pki/master
#cachedir: /var/cache/salt/master
#verify_env: True
#keep_jobs: 24 #(minion端执行命令的结果会返回到master端本地的cachedir指定路径下,默认缓存24h,会占用大量磁盘空间)
#timeout: 5 #(master向minion发送指令,在5s内minion向master返回结果,这时master的salt退出;若在5s内minion没返回结果,master上会执行find_job查找minion端proc的jid,以知道minion执行当前命令的情况,若minion正在执行master会继续等待5s再用find_job了解执行情况;若在第一次find_job时minion端proc就没当前执行的jid,master会直接退出;若minion规模庞大或网络状况不好建议增大该值)
#loop_interval: 60
#output: nested #(这几项是输出设置)
#show_timeout: True
#color: True
# strip_colors: False
#sock_dir: /var/run/salt/master
#job_cache: True #(master是否缓存执行结果,如果规模庞大超5000台server,False关闭,建议使用其它方式来存储jobs)
#minion_data_cache: True
#event_return: mysql
#event_return_queue: 0
# event_return_whitelist:
# -salt/master/a_tag
# -salt/master/another_tag
# event_return_blacklist:
# -salt/master/not_this_tag
# -salt/master/or_this_one
#max_event_size: 1048576
##### Security settings #####
##########################################
#open_mode: False #(公共使用,为安全禁用)
#auto_accept: False #(minion上发来key自动接收,测试环境可用,生产环境禁用)
# autosign_timeout: 120
#autosign_file: /etc/salt/autosign.conf
#autoreject_file: /etc/salt/autoreject.conf
#permissive_pki_access: False
#client_acl: #(访问控制,哪些用户执行指定的命令)
# larry:
# - test.ping
# - network.*
#client_acl_blacklist: #(访问控制,黑名单,指定用户不能执行设定的命令)
# users:
# - root
# - '^(?!sudo_).*$' # all non sudo users
# modules:
# - cmd
#sudo_acl: False
#external_auth: #(外部认证)
# pam:
# fred:
# - test.*
#token_expire: 43200
#file_recv: False #(是否允许minion传文件到master上)
#file_recv_max_size: 100
# sign_pub_messages: False
##### State System settings #####
##########################################
#state_top: top.sls #(管理的入口文件)
##### File Server settings #####
##########################################
#file_roots: #(指定file server目录)
# base:
# - /srv/salt
#hash_type: md5
#file_buffer_size: 1048576
#fileserver_backend: #(可将配置文件放在git上,与master同步)
# -git
# -roots
##### Pillar settings #####
##########################################
#pillar_roots: #(指定pillar目录)
# base:
# - /srv/pillar
#ext_pillar_first: False
#pillar_gitfs_ssl_verify: True
#pillar_opts: False
#pillar_safe_render_error: True
#pillar_source_merging_strategy: smart
##### Peer Publish settings #####
##########################################
#peer: #(指定的minion可控制另一minion)
# foo.example.com:
# - test.*
# - pkg.*
##### Logging settings #####
##########################################
#log_file: /var/log/salt/master
#key_logfile: /var/log/salt/key
#log_level: warning #(有garbage、trace、debug、info、warning、error、critical)
----------------------------fiel end-------------------------
[root@master ~]# service salt-master start
Starting salt-master daemon: [ OK ]
[root@master ~]# ps aux | grep salt
root 2876 0.0 0.8 143712 4076 pts/3 S+ Aug23 0:00 vim /etc/salt/master
root 3029 0.0 4.4 292768 21604 ? S 00:22 0:00 /usr/bin/python2.6/usr/bin/salt-master -d
root 3030 0.3 6.8 390944 33184 ? Sl 00:22 0:09 /usr/bin/python2.6/usr/bin/salt-master -d
……
[root@master ~]# netstat -tnulp | egrep '4505|4506'
tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN 3031/python2.6
tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN 3053/python2.6
minion-side:
[root@minion1 ~]# vim /etc/salt/minion
-------------------------file start-------------------------
##### Primary configuration settings #####
##########################################
#default_include: minion.d/*.conf
master: 10.96.20.113 #(指定master主机,默认为salt,若按默认salt此处不改,要在本地/etc/hosts中添加解析记录)
#ipv6: False
# retry_dns: 30 #(若上面指定的master处是域名,此处指定多长时间刷新)
#master_port: 4506 #(要与master主机上的ret_port保持一致,指定认证和执行结果发送到master的哪个port)
#user: root #(指定运行salt-minion的用户,由于安装包、启动服务等操作都需要root权限,为规范minion端要使用root)
#root_dir: /
#pki_dir: /etc/salt/pki/minion
#id: #(指定本minion的标识,salt内部使用id作为标识,此处不设置则默认是主机名,若此处id变了,master会认为是不同的主机)
#grains:
# roles:
# - webserver
# - memcache
# deployment: datacenter4
# cabinet: 13
# cab_u: 14-15
#cachedir: /var/cache/salt/minion
#cache_jobs: False #(minion端不缓存执行结果,会发送到master上)
#backup_mode: minion #(若更改文件对源文件进行备份,方便回滚操作;在文件操作时,如file.managed或file.recurse,如果文件发生变更,指定备份目标,备份在cachedir/file_backups/下,以原始文件名+时间戳命名)
##### Minion module management #####
##########################################
#providers: #(指定模块对应的providers,RHEL系列pkg对应的providers是yumpkg5)
# pkg: yumpkg5
##### State Management Settings #####
###########################################
#renderer: yaml_jinja #(指定配置管理系统中的渲染器,解析配置文件使用的模式)
##### File Directory Settings #####
##########################################
#file_client: remote #(指定file_client默认去哪里寻找文件,remote或local)
##### Logging settings #####
##########################################
#log_file: /var/log/salt/minion
#key_logfile: /var/log/salt/key
#log_level: warning
###### Keepalive settings ######
############################################
#tcp_keepalive: True #(minion是否与master保持keepalive检查,zeromq3以下版本有bug导致连接异常后minion无法重连master,建议升级到zeromq3以上版本)
------------------------------file end-------------------------
[root@minion1 ~]# service salt-minion start
Starting salt-minion daemon: [ OK ]
[root@minion1 ~]# ps aux | grep salt
root 2683 0.0 1.8 143256 4128 pts/4 S+ 00:23 0:00 vim /etc/salt/minion
root 2785 0.0 11.3 446960 25912 ? S 00:47 0:00 /usr/bin/python2.6/usr/bin/salt-minion -d
root 3149 0.0 0.3 103264 828 pts/3 S+ 01:10 0:00 grep salt
[root@minion2 ~]# service salt-minion start
Starting salt-minion daemon: [ OK ]
[root@minion2 ~]# ps aux | grep salt
root 59600 0.0 11.2 444852 25724? S 00:49 0:00 /usr/bin/python2.6 /usr/bin/salt-minion -d
root 59932 0.0 0.3 103252 828 pts/1 S+ 01:10 0:00 grep salt
master-side:
[root@master ~]# salt<TAB>
salt salt-cp salt-key salt-master salt-run salt-unity
[root@master ~]# salt-key -h
Usage: salt-key [options]
Options:
--version showprogram's version number and exit
--versions-report showprogram's dependencies version number and exit
……
Actions:
-l ARG, --list=ARG List the public keys. The args"pre", "un", and
"unaccepted"will list unaccepted/unsigned keys. "acc"
or "accepted"will list accepted/signed keys. "rej" or
"rejected"will list rejected keys. "den" or "denied"
will list denied keys.Finally, "all" will list all
keys.
-L, --list-all List all public keys. (Deprecated: use"--list all")
-a ACCEPT,--accept=ACCEPT
Accept the specifiedpublic key (use --include-all to
match rejected keys inaddition to pending keys).
Globs are supported.
-A, --accept-all Accept all pending keys
-r REJECT,--reject=REJECT
Reject the specifiedpublic key (use --include-all to
match accepted keys inaddition to pending keys).
Globs are supported.
-R, --reject-all Reject all pending keys
--include-all Includenon-pending keys when accepting/rejecting
-p PRINT, --print=PRINT
Print the specifiedpublic key
-P, --print-all Print allpublic keys
-d DELETE,--delete=DELETE
Delete the specifiedkey. Globs are supported.
-D, --delete-all Delete all keys
……
[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion1
minion2
Rejected Keys:
[root@master ~]# salt-key -a minion1 -y #(接受指定minion的key,或使用#salt-key-A -y接受所有minion的key;-d删除指定minion的key,-D删除所有minion的key;-r,-R)
The following keys are going to beaccepted:
Unaccepted Keys:
minion1
Key for minion minion1 accepted.
[root@master ~]#salt-key -a minion2 -y
The following keys are going to beaccepted:
Unaccepted Keys:
minion2
Key for minion minion2 accepted.
[root@master ~]# salt-key -L
Accepted Keys:
minion1
minion2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@master ~]# tree /etc/salt/pki
/etc/salt/pki
└── master
├──master.pem
├──master.pub
├── minions
│ ├── minion1
│ └── minion2
├──minions_autosign
├──minions_denied
├──minions_pre
└──minions_rejected
minion-side:
[root@minion1 ~]# tree /etc/salt/pki
/etc/salt/pki
└── minion
├──minion_master.pub
├──minion.pem
└──minion.pub
[root@master ~]# salt -h
Usage: salt [options]'<target>' <function> [arguments]
[root@master ~]# salt'*' test.ping #(检测所有的minion是否存活)
minion2:
True
minion1:
True
[root@master ~]# salt 'minion1' test.ping
minion1:
True
[root@master ~]# salt '*' cmd.run 'echo "hello world"' #(1987-09-20中国发送的第一封E-mail内容为Across theGreate Wall we can reach every corner in the world)
minion1:
hello world
minion2:
hello world
[root@master ~]# salt '*' grains.items
……
[root@master ~]# salt '*' grains.get cpuarch
minion2:
x86_64
minion1:
x86_64
[root@master ~]# salt '*' grains.get os
minion1:
RedHat
minion2:
RedHat
[root@master ~]# salt '*' grains.get kernel
minion2:
Linux
minion1:
Linux
[root@master ~]# salt '*' grains.get ip_interfaces #(可使用get查询到grains.items中所有的信息)
minion2:
----------
eth0:
- 10.96.20.118
- fe80::20c:29ff:fe73:b31a
eth1:
lo:
- 127.0.0.1
- ::1
minion1:
----------
eth0:
- 10.96.20.117
- fe80::20c:29ff:fe15:e6bb
eth1:
lo:
- 127.0.0.1
- ::1
[root@master ~]# salt '*' grains.get hwaddr_interfaces
minion2:
----------
eth0:
00:0c:29:73:b3:1a
eth1:
00:0c:29:73:b3:24
lo:
00:00:00:00:00:00
minion1:
----------
eth0:
00:0c:29:15:e6:bb
eth1:
00:0c:29:15:e6:c5
lo:
00:00:00:00:00:00
[root@master ~]#salt '*' grains.get hwaddr_interfaces:eth0
minion1:
00:0c:29:15:e6:bb
minion2:
00:0c:29:73:b3:1a
[root@master ~]# salt '*' grains.get zmqversion
minion1:
3.2.5
minion2:
3.2.5
pillar的使用:
master-side:
[root@master ~]# mkdir -p /srv/pillar
[root@master ~]# salt '*' pillar.items
minion2:
----------
minion1:
----------
[root@master ~]# vim /srv/pillar/top.sls
base:
'*':
- packages
[root@master ~]# vim /srv/pillar/packages.sls
{% if grains['os'] =='RedHat' %}
apache: httpd
git: git
xxoo: fuck
{% elif grains['os'] =='Debian' %}
apache: apache2
git: git-core
{% endif %}
[root@master ~]# salt '*' pillar.get apache #(在未刷新时是查不到的)
minion1:
minion2:
[root@master ~]# salt '*' saltutil.refresh_pillar #(只有刷新后才能查到)
minion2:
True
minion1:
True
[root@master ~]# salt '*' pillar.get apache
minion2:
httpd
minion1:
httpd
[root@master ~]#salt '*' pillar.get xxoo
minion2:
fuck
minion1:
fuck
[root@master ~]# salt '*' pillar.get git
minion2:
git
minion1:
git
[root@master ~]# vim /srv/pillar/top.sls
base:
'*':
-packages
-system
[root@master ~]# vim /srv/pillar/system.sls
nofile: 102400
[root@master ~]# salt '*' saltutil.refresh_pillar
minion2:
True
minion1:
True
[root@master ~]# salt '*' pillar.get nofile
minion1:
102400
minion2:
102400
[root@master ~]# salt '*' pillar.items
minion2:
----------
apache:
httpd
git:
git
nofile:
102400
xxoo:
fuck
minion1:
----------
apache:
httpd
git:
git
nofile:
102400
xxoo:
fuck
举例(target支持的matcher):
globing:
[root@master ~]# salt '*' test.ping
minion1:
True
minion2:
True
[root@master ~]#salt 'minion*' test.ping #(匹配id中含有minion字串的minions)
minion2:
True
minion1:
True
[root@master ~]# salt 'minion[1-2]' test.ping #(匹配minion1到minon2的minions)
minion2:
True
minion1:
True
[root@master ~]# salt 'minion[1,2]' test.ping #(匹配minion1和minion2)
minion2:
True
minion1:
True
RE:
[root@master ~]# salt -E '.*' test.ping
minion1:
True
minion2:
True
[root@master ~]# salt -E 'minion(1|2)' test.ping
minion1:
True
minion2:
True
[root@master ~]# vim /srv/pillar/top.sls
base:
'minion(1|2)':
- match: pcre
-packages
[root@master ~]# salt '*' saltutil.refresh_pillar
minion1:
True
minion2:
True
[root@master ~]# salt '*' pillar.get apache
minion1:
httpd
minion2:
httpd
list:
[root@master ~]# salt -L 'minion1,minion2' test.ping
minion2:
True
minion1:
True
grains:
[root@master ~]#salt -G 'os:RedHat' test.ping
minion2:
True
minion1:
True
[root@master ~]# vim /srv/pillar/top.sls
base:
'os:RedHat':
- match: grain
-packages
[root@master ~]# salt '*' saltutil.refresh_pillar
minion1:
True
minion2:
True
pillar:
[root@master ~]# salt -I 'apache:httpd' test.ping
minion1:
True
minion2:
True
[root@master ~]# vim /srv/pillar/top.sls
base:
'minion(1|2)':
-match: pcre
-packages
- role
[root@master ~]# vim /srv/pillar/role.sls.
role: web
[root@master ~]# salt '*'saltutil.refresh_pillar
minion1:
True
minion2:
True
[root@master ~]# salt '*' pillar.get role
minion1:
web
minion2:
web
[root@master ~]# salt -I 'role:web'test.ping
minion1:
True
minion2:
True
node groups:
[root@master ~]# mkdir /etc/salt/master.d
[root@master ~]# vim /etc/salt/master.d/nodegroups.conf
nodegroups:
web-cluster: 'minion*'
db-cluster: 'minion*'
[root@master ~]# salt -N 'web-cluster' test.ping
minion1:
True
minion2:
True
[root@master ~]# salt -N 'db-cluster' test.ping
minion1:
True
minion2:
True
[root@master ~]# vim /srv/pillar/top.sls
base:
'web-cluster':
- match: nodegroup
-packages
-role
[root@master ~]# salt '*' saltutil.refresh_pillar
compound:
[root@master ~]# salt -C 'minion* and G@os:RedHat' test.ping
minion1:
True
minion2:
True
[root@master ~]# vim /srv/pillar/top.sls
base:
'G@os:RedHat and minion*':
- match: compound
-packages
-role
[root@master ~]# salt '*' saltutil.refresh_pillar
举例(分发文件):
[root@master ~]# salt '*' test.ping
minion2:
True
minion1:
True.
[root@master ~]# salt -v '*' pkg.install httpd
Executing job with jid 20160826024016671210
-------------------------------------------
minion2:
----------
minion1:
----------
[root@master ~]# mkdir -p/srv/salt/apache/files/etc/httpd/conf/
[root@master ~]# echo '# jason' >>/etc/httpd/conf/httpd.conf
[root@master ~]# cp/etc/httpd/conf/httpd.conf /srv/salt/apache/files/etc/httpd/conf/
[root@master ~]# salt '*' cp.get_file salt://apache/files/etc/httpd/conf/httpd.conf etc/httpd/conf/httpd.conf #(或用方法二,#salt-cp)
minion1:
/etc/httpd/conf/httpd.conf
minion2:
/etc/httpd/conf/httpd.conf
[root@master ~]# salt-cp '*' /srv/salt/apache/files/etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf #(两种方式任选一)
{'minion1': {'/etc/httpd/conf/httpd.conf':True},
'minion2': {'/etc/httpd/conf/httpd.conf':True}}
[root@master ~]# salt '*' service.start httpd
minion1:
True
minion2:
True
[root@master ~]#salt -v '*' service.status httpd
Executing job with jid 20160826031234533015
-------------------------------------------
minion2:
True
minion1:
True
[root@master ~]#salt-run jobs.list_jobs
……
[root@master ~]# salt-run jobs.lookup_jid 20160826024930368134
minion1:
True
minion2:
True
[root@minion1 ~]# tail -2 /etc/httpd/conf/httpd.conf #(在minion端检测)
#</VirtualHost>
# jason
[root@minion1 ~]# netstat -tnlp | grep :80
tcp 0 0 :::80 :::* LISTEN 5424/httpd
举例(理解YAML):
[root@master ~]# vim parse_yaml.py
----------------script start----------------
#!/usr/bin/env python
#
import yaml
import sys
fd=open(sys.argv[1])
print yaml.load(fd)
----------------script end-----------------
[root@master ~]# chmod 755 parse_yaml.py
[root@master ~]# vim test.yaml
- name: jason
- gender: man
[root@master ~]# ./parse_yaml.py test.yaml
[{'name': 'jason'}, {'gender': 'man'}]
举例(通过配置安装httpd,层层深入理解salt的配置管理;注意*.sls配置文件中各级之间的空格要是2的倍数,例如一级顶格,二级2个空格,3级4个空格,否则提示state.py in render_state sls之类的错误):
[root@master ~]#vim /srv/salt/top.sls
base:
'*':
-apache
[root@master ~]# vim /srv/salt/apache/init.sls
include:
- apache.deploy
[root@master ~]# vim /srv/salt/apache/deploy.sls
apache:
pkg.installed:
- name: httpd
file.managed:
- name: /etc/httpd/conf/httpd.conf
- source:salt://apache/files/etc/httpd/conf/httpd.conf
service.running:
- name: httpd
- enable: True
[root@master ~]# cp /etc/httpd/conf/httpd.conf /srv/salt/apache/files/etc/httpd/conf/
[root@master ~]# salt '*' state.highstate
……
Summary
------------
Succeeded: 3 (changed=1)
Failed: 0
------------
Total states run: 3
[root@master ~]# salt '*' service.status httpd
minion2:
True
minion1:
True
注:deploy.sls也可以写为:
apache:
pkg.installed: []
-name: httpd
/etc/httpd/conf/httpd.conf:
file.managed:
-source: salt://apache/files/etc/httpd/conf/httpd.conf
httpd:
service.running:
-enable: True
举例(上例仅简单实现了部署与分发配置文件,如果配置文件分发在软件包安装之前的话则最后服务启动后的配置将受影响;增加需求:配置文件分发执行前软件包必须已安装,避免先同步配置文件再安装软件会覆盖掉已分发的文件;增加监控,若软件包更新或配置文件发生变化,这两点要能被监控到,监控到发生变化了要重启服务):
[root@master ~]# vim /srv/salt/apache/deploy.sls
apache:
pkg.installed:
-name: httpd
file.managed:
-name: /etc/httpd/conf/httpd.conf
-source: salt://apache/files/etc/httpd/conf/httpd.conf
- require:
- pkg: apache
service.running:
-name: httpd
-enable: True
- watch:
- pkg: apache
- file: apache
[root@master ~]# echo '# chinese' >>/srv/salt/apache/files/etc/httpd/conf/httpd.conf
[root@master ~]# salt '*' state.sls apache
……
Summary
------------
Succeeded: 3 (changed=2)
Failed: 0
------------
Total states run: 3
注:deploy.sls也可写成以下两种方式:
apache:
pkg:
-installed
-name: httpd
/etc/httpd/conf/httpd.conf:
file:
-managed
-source: salt://apache/files/etc/httpd/conf/httpd.conf
-require:
- pkg: apache
httpd:
service:
-running
-enable: True
-watch:
- pkg: apache
- file: /etc/httpd/conf/httpd.conf
------------------------------------------------
或者是
------------------------------------------------
apache:
pkg.installed:
-name: httpd
- require_in: file
- watch_in:
- service: apache
file.managed:
-name: /etc/httpd/conf/httpd.conf
-source: salt://apache/files/etc/httpd/conf/httpd.conf
- watch_in:
- service: apache
service.running:
-name: httpd
-enable: True
举例(增加需求,利用jinja渲染,改各minion的httpd.conf中port为8080):
[root@master ~]# vim /srv/salt/apache/files/etc/httpd/conf/httpd.conf
Listen ` port `
[root@master ~]# vim /srv/salt/apache/deploy.sls
apache:
pkg:
-installed
-name: httpd
/etc/httpd/conf/httpd.conf:
file:
-managed
-source: salt://apache/files/etc/httpd/conf/httpd.conf
-require:
- pkg: apache
- template: jinja
- context:
port: 8080
httpd:
service:
-running
-enable: True
-watch:
- pkg: apache
- file: /etc/httpd/conf/httpd.conf
[root@master ~]# salt '*' cmd.run 'netstat -tnulp | grep httpd'
minion2:
tcp 0 0 :::80 :::* LISTEN 75368/httpd
minion1:
tcp 0 0 :::80 :::* LISTEN 7936/httpd
[root@master ~]# salt '*' state.highstate
……
[root@master ~]# salt '*' cmd.run 'netstat -tnulp | grep httpd'
minion2:
tcp 0 0 :::8080 :::* LISTEN 75837/httpd
minion1:
tcp 0 0 :::8080 :::* LISTEN 8352/httpd
举例(增加需求,各minion的httpd port号不一致;业务数据应独立存放,/srv/salt/apache/deploy.sls中仅存放业务处理逻辑,/srv/pillar/apache/pillar_deploy.sls中存放数据):
[root@master ~]# vim /srv/salt/apache/files/etc/httpd/conf/httpd.conf
Listen ` port `
[root@master ~]# vim /srv/salt/apache/deploy.sls
apache:
pkg:
-installed
-name: httpd
/etc/httpd/conf/httpd.conf:
file:
-managed
-source: salt://apache/files/etc/httpd/conf/httpd.conf
-require:
- pkg: apache
- template: jinja
- defaults:
port: {{ salt['pillar.get']('apache:port',80)}}
httpd:
service:
-running
-enable: True
-watch:
- pkg: apache
- file: /etc/httpd/conf/httpd.conf
[root@master ~]# vim /srv/pillar/top.sls #(top.sls文件中定义的内容,只要能匹配到minion都会先后执行所有操作,而不是像iptables那样先匹配到就不匹配之后的内容)
base:
'*':
- apache
[root@master ~]# mkdir /srv/pillar/apache
[root@master ~]# vim /srv/pillar/apache/init.sls
include:
- apache.pillar_deploy
[root@master ~]# vim /srv/pillar/apache/pillar_deploy.sls
apache:
{% if grains.id=='minion1' %}
port: 8081
{% elif grains.id=='minion2' %}
port: 8082
{% else %}
port: 80
{% endif %}
[root@master ~]# salt '*' saltutil.refresh_pillar
minion2:
True
minion1:
True
[root@master ~]# salt '*' pillar.getapache:port
minion2:
8082
minion1:
8081
[root@master ~]# salt '*' state.highstate #(若直接执行此命令则不需要执行刷新pillar操作,此命令会先刷新再执行)
[root@master ~]# salt '*' cmd.run 'netstat -tnulp | grep httpd'
minion2:
tcp 0 0 :::8082 :::* LISTEN 76024/httpd
minion1:
tcp 0 0 :::8081 :::* LISTEN 8564/httpd
注:deploy.sls,也可以将业务逻辑和数据放在一起:
apache:
pkg:
-installed
-name: httpd
/etc/httpd/conf/httpd.conf:
file:
-managed
-source: salt://apache/files/etc/httpd/conf/httpd.conf
-require:
- pkg: apache
- template: jinja
- context:
{% if grains['id']=='minion1' %}
port: 8081
{% elif grains['id']=='minion2' %}
port: 8082
{% else %}
port: 80
{% endif %}
httpd:
service:
-running
-enable: True
-watch:
- pkg: apache
- file: /etc/httpd/conf/httpd.conf
举例(模块带参数执行):
[root@master ~]# vim /srv/salt/top.sls
base:
'*':
-apache
'minion(1|2)*':
-match: pcre
-system
[root@master ~]# vim /srv/salt/system/init.sls
include:
-system.system
[root@master ~]# vim /srv/salt/system/system.sls
hello:
cmd.run:
-name: echo "hello world"
[root@master ~]# salt '*' state.highstate
举例(schedule):
[root@master ~]# vim /srv/pillar/top.sls
base:
'*':
- schedule
[root@master ~]# vim /srv/pillar/schedule.sls
schedule:
hello:
function: cmd.run
args:
- date >> /tmp/test.log
seconds: 30
[root@master ~]# salt '*' saltutil.refresh_pillar
minion1:
True
minion2:
True
[root@master ~]# salt '*' pillar.get schedule
……
[root@minion1 ~]# cat /tmp/test.log #(在minion端查看)
Mon Aug 29 02:34:41 PDT 2016
Mon Aug 29 02:35:11 PDT 2016
Mon Aug 29 02:35:41 PDT 2016
Mon Aug 29 02:36:11 PDT 2016
Mon Aug 29 02:36:41 PDT 2016
Mon Aug 29 02:37:11 PDT 2016
[root@minion2 ~]# cat /tmp/test.log
Mon Aug 29 02:34:08 PDT 2016
Mon Aug 29 02:34:38 PDT 2016
Mon Aug 29 02:35:08 PDT 2016
Mon Aug 29 02:35:38 PDT 2016
Mon Aug 29 02:36:08 PDT 2016
Mon Aug 29 02:36:38 PDT 2016
举例(salt-ssh):
[root@master ~]# yum -y install salt-ssh
[root@master ~]# vim /etc/salt/roster
minion1:
host: 10.96.20.117
user: root
passwd: chai
minion2:
host: 10.96.20.118
user: root
passwd: chai
[root@master ~]# service salt-master stop
Stopping salt-master daemon: [ OK ]
[root@master ~]# salt-ssh '*' test.ping #(有如下报错,解决办法:严格检查禁用或者先用ssh连接minion)
minion1:
----------
retcode:
254
stderr:
stdout:
The host key needs to be accepted, to auto accept run salt-ssh with the-i flag:
The authenticity of host '10.96.20.117 (10.96.20.117)' can't beestablished.
RSA key fingerprint is 63:f5:2e:dc:96:64:54:72:8e:14:7e:ec:ef:b8:a1:0c.
Are you sure you want to continueconnecting (yes/no)?
minion2:
----------
retcode:
254
stderr:
stdout:
The host key needs to be accepted, to auto accept run salt-ssh with the-i flag:
The authenticity of host '10.96.20.118 (10.96.20.118)' can't beestablished.
RSA key fingerprint is 63:f5:2e:dc:96:64:54:72:8e:14:7e:ec:ef:b8:a1:0c.
Are you sure you want to continue connecting (yes/no)?
[root@master ~]# touch .ssh/config
[root@master ~]# vim .ssh/config
host 10.96.20.117
StrictHostKeyChecking no
host 10.96.20.118
StrictHostKeyChecking no
[root@master ~]# salt-ssh '*' test.ping
minion2:
True
minion1:
True
[root@master ~]# salt-ssh '*' -r 'df -h'
minion1:
----------
retcode:
0
stderr:
stdout:
root@10.96.20.117's password:
Filesystem > /dev/sda2 18G 4.9G 12G 30% /
tmpfs 112M 12K 112M 1% /dev/shm
/dev/sda1 291M 91M 185M 33% /boot
/dev/sr0 3.6G 3.6G 0 100% /mnt/cdrom
minion2:
----------
retcode:
0
stderr:
stdout:
root@10.96.20.118's password:
Filesystem > /dev/sda2 18G 4.3G 13G 26% /
tmpfs 112M 12K 112M 1% /dev/shm
/dev/sda1 291M 58M 219M 21% /boot
/dev/sr0 3.6G 3.6G 0 100% /mnt/cdrom
[root@master ~]# salt-ssh '*' -r 'ip ro li'
minion1:
----------
retcode:
0
stderr:
stdout:
root@10.96.20.117's password:
10.96.20.0/24 dev eth0 protokernel scope link src 10.96.20.117
default via 10.96.20.1 dev eth0
minion2:
----------
retcode:
0
stderr:
stdout:
root@10.96.20.118's password:
10.96.20.0/24 dev eth0 protokernel scope link src 10.96.20.118 metric 1
default via 10.96.20.1 dev eth0 proto static
举例(salt syndic):
masterofmaster:10.96.20.113,主机名master
syndic:10.96.20.114,主机名syndic
minion1:10.96.20.117,主机名minion1
minion2:10.96.20.118,主机名minion2
syndic-side:
[root@syndic ~]# cd /etc/yum.repos.d
[root@syndic yum.repos.d]# ll
total 20
-rw-r--r--. 1 root root 1856 Jul 19 00:28CentOS6-Base-163.repo
-rw-r--r--. 1 root root 957 Nov 4 2012 epel.repo
-rw-r--r--. 1 root root 1056 Nov 4 2012epel-testing.repo
-rw-r--r--. 1 root root 474 Mar 30 23:00 rhel-source.repo
[root@syndic yum.repos.d]# cd
[root@syndic ~]# yum -y install PyYAML python-requests python-jinja2 #(先用CentOS6-Base-163的yum源安装这几个依赖包)
[root@syndic ~]# yum -y install salt-master salt-syndic #(再用epel的yum源安装salt-master和salt-syndic)
……
Running Transaction
Installing : openpgm-5.1.118-3.el6.x86_64 1/8
Installing : zeromq3-3.2.5-1.el6.x86_64 2/8
Installing : python-zmq-14.3.1-1.el6.x86_64 3/8
Installing : python-crypto-2.0.1-22.el6.x86_64 4/8
Installing: python-msgpack-0.4.6-1.el6.x86_64 5/8
Installing : salt-2015.5.10-2.el6.noarch 6/8
Installing : salt-master-2015.5.10-2.el6.noarch 7/8
Installing : salt-syndic-2015.5.10-2.el6.noarch 8/8
……
[root@syndic ~]# vim /etc/salt/master
##### Syndic settings #####
##########################################
syndic_master:10.96.20.113
#syndic_master_port: 4506
#syndic_pidfile:/var/run/salt-syndic.pid
#syndic_log_file:syndic.log
[root@syndic ~]# service salt-master start
Starting salt-master daemon: [ OK ]
[root@syndic ~]# service salt-syndic start
Starting salt-syndic daemon: [ OK ]
masterofmaster-side:
[root@master ~]# vim /etc/salt/master
##### Syndic settings #####
##########################################
order_masters: True
[root@master ~]# salt-key -L
Accepted Keys:
minion1
minion2
Denied Keys:
Unaccepted Keys:
syndic
Rejected Keys:
[root@master ~]# salt-key -D -y
……
Key for minion minion1 deleted.
Key for minion minion2 deleted.
Key for minion syndic deleted.
[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion1
minion2
syndic
Rejected Keys:
[root@master ~]# salt-key -a 'syndic' -y
The following keys are going to beaccepted:
Unaccepted Keys:
syndic
Key for minion syndic accepted.
[root@master ~]#salt-key -L
Accepted Keys:
syndic
Denied Keys:
Unaccepted Keys:
minion1
minion2
Rejected Keys:
minion{1,2}-side:
[root@minion1 ~]# service salt-minion stop
Stopping salt-minion daemon: [ OK ]
[root@minion1 ~]# vim /etc/salt/minion
master: 10.96.20.114
[root@minion1 ~]# rm -f /etc/salt/minion_id
[root@minion1 ~]# rm -rf /etc/salt/pki
[root@minion1 ~]# hostname
minion1
[root@minion1 ~]# service salt-minion start
Starting salt-minion daemon: [ OK ]
[root@minion2 ~]# service salt-minion stop
Stopping salt-minion daemon: [ OK ]
[root@minion2 ~]# vim /etc/salt/minion
master: 10.96.20.114
[root@minion2 ~]# rm -f /etc/salt/minion_id
[root@minion2 ~]# rm -rf /etc/salt/pki
[root@minion2 ~]# service salt-minion start
Starting salt-minion daemon: [ OK ]
syndic-side:
[root@syndic ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
minion1
minion2
Rejected Keys:
[root@syndic ~]# salt-key -A -y
The following keys are going to beaccepted:
Unaccepted Keys:
minion1
minion2
Key for minion minion1 accepted.
Key for minion minion2 accepted.
masterofmaster上测试:
[root@master ~]# salt -v '*' test.ping
Executing job with jid 20160829193921851966
-------------------------------------------
minion2:
True
minion1:
True
#salt '*' MODULE.FUNCTION #(*匹配所有的minion,此命令禁用,生产环境复杂,容易出问题)
#salt '*' cmd.run 'PARAMETER' #(cmd.run超级命令,不建议使用)
#salt -v '*' test.ping #(-v可查看jid)
#salt '*' saltutil.running
#salt '*' saltutil.kill_job <jid>
#salt '*' saltutil.sync_grains
#salt '*' saltutil.refresh_pillar
[root@server1 ~]# salt-run manage.status #(经常用,在test.ping后列出当前minion的在线情况,up和down)
down:
up:
-minion1
-minion2
[root@server1 ~]# salt-run manage.down
[root@server1 ~]# salt-run manage.up
- minion1
- minion2
[root@server1 ~]# salt-run manage.versions #(查看版本,用于版本不一致时升级)
Master:
2015.5.10
Up to date:
----------
minion1:
2015.5.10
minion2:
2015.5.10
注:
主机名一定要能解析到master和所有minion(#hostname所得出的主机名,主机名最好为fqdn)
生产环境复杂,不要开启自动认证功能(auto_accept: False);
minion-side在每次启动时会在minion-side的/etc/salt/pki/minon/下生成minion.pem(private key)和minion.pub(public key),并将minion.pub发给master-side,经master-side认证(#salt-key-a MINION_ID)之后会放在master-side的/etc/salt/pki/master/minions/下(此目录下存放所有认证过的minion,以minion_id为文件名);同时minion-side的/etc/salt/pki/minion/下存放master-side的public key(文件名为minion_master.pub);以此双方实现互相认证;
minion-side与master-side的4505port保持长连接,如果断了会自动重连,所以执行操作很快;
file_roots中的base(默认/srv/salt/)定义的是基础环境,在其下按不同部门或业务,对应的创建不同的目录,规划好,例如/srv/salt/init/下放所有server都要执行的操作;
/srv/salt/top.sls(在/etc/salt/master中定义state_top:top.sls,定义在什么环境下,哪些server,该做什么事;The state system uses a "top" file to tell the minionswhat environment to use and what modules to use. The state_top file is definedrelative to the root of the base environment as defined in "File Serversettings" below.);
[root@server1 ~]# vim /srv/salt/init/pkg.sls
pkg.init:
pkg.installed:
- names:
- lrzsz
- tree
- mtr
- nmap
- MySQL-python
- sysstat
- iptraf
- ntp
- e2fsprogs-devel
- keyutils-libs-devel
- krb5-devel
- libselinux-devel
- libsepol-devel
- ncurses-devel
- openssl-devel
- zlib-devel
- OpenIPMI-tools
- ipmitool
- zlib-devel
- mysql
- lockdev
- minicom
- nmap
pkg.group_installed: #不可用
- names:
- Desktop Platform
- Desktop Platform Development
- Server Platform Development
- Development tools
- Compatibility libraries
[root@server1 ~]# vim /srv/salt/top.sls
base:
'*':
-init.pkg
#salt '*' state.sls init.pkg #(或使用#salt '*'state.highstate)
举例(将所有minion-side的执行结果导入到MySQL中):
https://docs.saltstack.com/en/latest/ref/returners/all/salt.returners.mysql.html
master-side:
[root@server1 ~]# yum -y install MySQL-python
[root@server1 ~]# salt '*' state.sls init.pkg #(让所有minion执行安装上面写的包)
[root@server1 ~]# vim /etc/salt/master #(master_job_cache,master上使用此项后就不需在minion-side配置如下mysql的相关信息,指让master-side收到minion-side的返回信息写入mysql中,有此项在执行命令时就不需输入--return mysql)
##### Returner settings ######
############################################
# Which returner(s) will be used for minion'sresult:
return: mysql
mysql.host:'10.96.20.113'
mysql.user: 'salt'
mysql.pass: 'salt'
mysql.db: 'salt'
mysql.port: 3306
master_job_cache: mysql
[root@server1 ~]# servicesalt-master restart
Stopping salt-master daemon: [ OK ]
Starting salt-master daemon: [ OK ]
[root@server1 ~]# cat salt_returners_mysql.sql #(将如下信息导入到mysql中)
---------------------file start-------------------------
CREATE DATABASE `salt`
DEFAULT CHARACTER SET utf8
DEFAULT COLLATE utf8_general_ci;
USE `salt`;
--
-- Table structure for table `jids`
--
DROP TABLE IF EXISTS `jids`;
CREATE TABLE `jids` (
`jid` varchar(255) NOT NULL,
`load` mediumtext NOT NULL,
UNIQUE KEY `jid` (`jid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE INDEX jid ON jids(jid) USING BTREE;
--
-- Table structure for table `salt_returns`
--
DROP TABLE IF EXISTS `salt_returns`;
CREATE TABLE `salt_returns` (
`fun` varchar(50) NOT NULL,
`jid` varchar(255) NOT NULL,
`return` mediumtext NOT NULL,
`id` varchar(255) NOT NULL,
`success` varchar(10) NOT NULL,
`full_ret` mediumtext NOT NULL,
`alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
KEY`id` (`id`),
KEY`jid` (`jid`),
KEY`fun` (`fun`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
--
-- Table structure for table `salt_events`
--
DROP TABLE IF EXISTS `salt_events`;
CREATE TABLE `salt_events` (
`id` BIGINT NOT NULL AUTO_INCREMENT,
`tag` varchar(255) NOT NULL,
`data` mediumtext NOT NULL,
`alter_time` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
`master_id` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `tag` (`tag`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-----------------------------file end-------------------
[root@server1 ~]# mysql
mysql> create user 'salt'@'%'> Query OK, 0 rows affected (0.03 sec)
mysql> grant all on salt.* to'salt'@'%';
Query OK, 0 rows affected (0.02 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
测试:
[root@server1 ~]# salt '*' test.ping
minion2:
True
minion1:
True
举例(源码安装nginx):
[root@server1 ~]# mkdir -p /srv/salt/nginx/files
[root@server1 ~]# cd /srv/salt/nginx
[root@server1 nginx]# vim nginx.sls
include:
- init.pkg
nginx-source-install:
file.managed:
- name: /usr/local/src/nginx-1.8.0.tar.gz
- source: salt://nginx/files/nginx-1.8.0.tar.gz
- user: root
- group: root
- mode: 644
cmd.run:
- name: groupadd -r -g 108 nginx && useradd -r -g 108 -u 108 nginx&& cd /usr/local/src/ && tar xf nginx-1.8.0.tar.gz && cd nginx-1.8.0 && ./configure --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre && make && make install
- unless: test -f /usr/sbin/nginx
require:
- file: nginx-source-install
[root@server1 nginx]# cp /usr/local/src/nginx-1.8.0.tar.gz files/
[root@server1 nginx]# cd ..
[root@server1 salt]# vim init/pkg.sls
pkg.init:
pkg.installed:
- names:
- lrzsz
- tree
- mtr
- nmap
- MySQL-python
- pcre-devel
[root@server1 salt]# vim top.sls
base:
'*':
-init.pkg
- nginx.nginx
[root@server1 salt]# salt '*' state.sls nginx.nginx test=True
[root@server1 salt]# salt '*' state.sls nginx.nginx
举例(安装jdk、tomcat):
test1(192.168.23.129,既有master也有minion);
test2(192.168.23.130,仅minion);
[root@test1 ~]# mkdir -p /srv/salt
[root@test1 ~]# cd /srv/salt
[root@test1 salt]# mkdir -p jdk/filestomcat/files
[root@test1 salt]# tree
.
├── jdk
│ └── files
└── tomcat
└── files
4 directories, 0 files
[root@test1 salt]# tree #(上传文件到/srv/salt/jdk/files/下和/srv/salt/tomcat/files/下)
.
├── jdk
│ └── files
│ └──jdk-8u111-linux-x64.gz
└── tomcat
└── files
└── apache-tomcat-8.5.6.tar.gz
4 directories, 2 files
[root@test1 salt]# vim tomcat/files/java.sh
export JAVA_HOME=/usr/local/jdk
export PATH=$PATH:$JAVA_HOME/bin:$JAVA_HOME/jre/bin
export> export TOMCAT_HOME=/usr/local/tomcat
export PATH=$PATH:$TOMCAT_HOME/bin
[root@test1 salt]# vim jdk/install.sls
#------------------file-start-----------------------
jdk-install:
file.managed:
- name: /usr/local/src/jdk-8u111-linux-x64.gz
- source: salt://jdk/files/jdk-8u111-linux-x64.gz
- user: root
- group: root
- mode: 755
cmd.run:
- name: cd /usr/local/src && tar xf jdk-8u111-linux-x64.gz -C /usr/local/ && ln -s /usr/local/jdk1.8.0_111 /usr/local/jdk && chown -Rroot:root /usr/local/jdk
- unless: test -d /usr/local/jdk
- require:
- file: jdk-install
#jdk-config:
# file.managed:
# - name: /etc/profile.d/java.sh
# - text:
# - export JAVA_HOME=/usr/local/jdk
# - export PATH=$PATH:$JAVA_HOME/bin:$JAVA_HOME/jre/bin
# - export> #-------------------------file-end-----------------------------------
[root@test1 salt]# vim tomcat/install.sls
#--------------------------file-start-----------------------------------
include:
-jdk.install
tomcat-install:
file.managed:
- name: /usr/local/src/apache-tomcat-8.5.6.tar.gz
- source: salt://tomcat/files/apache-tomcat-8.5.6.tar.gz
- user: root
- group: root
- mode: 755
cmd.run:
- name: cd /usr/local/src && tar xf apache-tomcat-8.5.6.tar.gz -C/usr/local && ln -s /usr/local/apache-tomcat-8.5.6 /usr/local/tomcat&& chown -R root:root /usr/local/tomcat
- unless: test -d /usr/local/tomcat
- require:
- file: tomcat-install
tomcat-config:
file.managed:
- name: /etc/profile.d/java.sh
- source: salt://tomcat/files/java.sh
- user: root
- group: root
- mode: 644
#tomcat-config:
# file.append:
# - name: /etc/profile.d/java.sh
# - text:
# - export TOMCAT_HOME=/usr/local/tomcat
# - export PATH=$PATH:$TOMCAT_HOME/bin
#-------------------------file-end----------------------------
[root@test1 salt]# vim top.sls
base:
'*':
-tomcat.install
[root@test1 salt]# salt '*' test.ping
test2:
True
test1:
True
[root@test1 salt]# salt-run manage.status
down:
up:
-test1
-test2
[root@test1 salt]# java -version
java version "1.5.0"
gij (GNU libgcj) version 4.4.7 20120313(Red Hat 4.4.7-17)
Copyright (C) 2007 Free SoftwareFoundation, Inc.
This is free software; see the source forcopying conditions. There is NO
warranty; not even for MERCHANTABILITY orFITNESS FOR A PARTICULAR PURPOSE.
[root@test1 salt]# rpm -qa | grep gcj
java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
libgcj-4.4.7-17.el6.x86_64
[root@test1 salt]# rpm -e --nodeps java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
[root@test2 ~]# rpm -e --nodeps java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
[root@test2 ~]# java -version
-bash: /usr/bin/java: No such file ordirectory
[root@test1 salt]# salt '*' state.highstate
……
[root@test1 ~]# java -version #(再次开一窗口检测)
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build25.111-b14, mixed mode)
[root@test2 ~]# java -version
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build25.111-b14, mixed mode) |
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-7-31 11:56:40
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡