saltstack简介
saltstack是一个功能强大的自动化运维软件。
有四种模式
1)本地模式(local),不需要启动守护进程,只要有配置文件就可以使用
2)master minion 模式
3)代理模式(syndic)
4)ssh模式
master –> minion 模式:
master默认监听本地所有网络接口
长连接
发布订阅系统:4505端口
minion端只做订阅(pub推送、sub接收)
4506端口:专门用于接收minion端的返回值
1.自动安装httpd和php
Salt-master:server1 172.25.44.5
Salt-minion:server2 172.25.44.6
Salt-minion:server3 172.25.44.7
物理主机:
将rhel6 的软件包放在/var/www/html里面(chmod +x rhel6/ -R)
#配置yum源,server5和server6都要配
[root@server5 ~]# vim /etc/yum.repos.d/rhel-source.repo
1 [rhel-source]
2 name=Red Hat Enterprise Linux $releasever - $basearch - Source
3 baseurl=http://172.25.44.250/rhel6.5
4 enabled=1
5 gpgcheck=1
6 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
7
8 [salt]
9 name=saltstack
10 baseurl=http://172.25.44.250/rhel6
11 enabled=1
12 gpgcheck=0
[root@server5 ~]# yum install -y salt-master
[root@server5 salt]# /etc/init.d/salt-master start
Starting salt-master daemon: [ OK ]
[root@server6 ~]# yum install -y salt-minion
[root@server6 ~]# cd /etc/salt/
[root@server6 salt]# vim minion #修改master:建立连接
16 master: 172.25.44.5
[root@server6 salt]# /etc/init.d/salt-minion start
Starting salt-minion:root:server6 daemon: OK
#交换公钥
[root@server5 salt]# salt-key -L #按状态列出所有minion的key(已接受、拒绝、未接受)
Accepted Keys:
Denied Keys:
Unaccepted Keys:
server6
Rejected Keys:
[root@server5 salt]# salt-key -A #接受所有待认证的key;生产环境中应先用 salt-key -F 核对minion的key指纹再接受
The following keys are going to be accepted:
Unaccepted Keys:
server6
Proceed? [n/Y] Y
Key for minion server6 accepted.
[root@server5 salt]# salt-key -L #查看已经认证的minion主机
Accepted Keys:
server6
Denied Keys:
Unaccepted Keys:
Rejected Keys:
# 连接成功
# 检测salt服务:
[root@server5 salt]# salt server6 cmd.run 'df -h'
server6:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root 19G 971M 17G 6% /
tmpfs 246M 16K 246M 1% /dev/shm
/dev/vda1 485M 33M 427M 8% /boot
# 查看公钥存放:
[root@server5 salt]# cd pki/
[root@server5 pki]# ls
master minion
[root@server5 pki]# ll
total 8
drwx------ 7 root root 4096 8月 17 09:35 master
drwxr-xr-x 2 root root 4096 2月 24 2017 minion
[root@server5 pki]# cd master/
[root@server5 master]# md5sum master.pub #master公钥会下发到minion,双方用公钥建立加密通道;记下md5值用于在minion端核对
1a4c299c8e936142d4fdb117a80fba6b master.pub
[root@server6 salt]# cd pki/
[root@server6 pki]# ll
total 8
drwxr-xr-x 2 root root 4096 2月 24 2017 master
drwx------ 2 root root 4096 8月 17 09:41 minion
[root@server6 minion]# ls
minion_master.pub minion.pem minion.pub
[root@server6 minion]# md5sum minion_master.pub
1a4c299c8e936142d4fdb117a80fba6b minion_master.pub #与master上master.pub的md5值一致,说明minion拿到的是正确的master公钥
[root@server5 master]# ls
master.pem minions minions_denied minions_rejected
master.pub minions_autosign minions_pre
[root@server5 master]# cd minions
[root@server5 minions]# md5sum server6
d7bdadc7d13268fc80c64af4cd8f3c39 server6
[root@server5 minions]# netstat -antlp #出现4505端口
# 通过监控,可以看到连接,server5和server6之间有订阅的长连接
[root@server5 minions]# yum install -y lsof
[root@server5 minions]# lsof -i :4505
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 1474 root 16u IPv4 14695 0t0 TCP *:4505 (LISTEN)
salt-mast 1474 root 18u IPv4 17632 0t0 TCP server5:4505->server6:59409 (ESTABLISHED)
[root@server5 minions]# lsof -i :4506
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 1481 root 24u IPv4 14706 0t0 TCP *:4506 (LISTEN)
[root@server6 minion]# netstat -antlp
使用YAML语言来编写运维脚本
# apache 和 php 的安装脚本
[root@server5 salt]# vim master
534 file_roots:
535 base:
536 - /srv/salt
[root@server5 salt]# /etc/init.d/salt-master restart
Stopping salt-master daemon: [ OK ]
Starting salt-master daemon: [ OK ]
[root@server5 salt]# mkdir /srv/salt/
[root@server5 salt]# cd /srv/salt/
[root@server5 salt]# ls
[root@server5 salt]# mkdir httpd
[root@server5 salt]# cd httpd/
[root@server5 httpd]# vim install.sls
1 apache-install:
2 pkg.installed:
3 - pkgs:
4 - httpd
5 - php
# 安装检测:
[root@server5 httpd]# salt server6 state.sls httpd.install
# 监测已经安装成功
[root@server6 salt]# rpm -q httpd
httpd-2.2.15-29.el6_4.x86_64
[root@server6 salt]# rpm -q php
php-5.3.3-26.el6.x86_64
#远程操作启动
[root@server5 httpd]# vim install.sls
1 apache-install:
2 pkg.installed:
3 - pkgs:
4 - httpd
5 - php
6 service.running:
7 - name: httpd
[root@server5 httpd]# salt server6 state.sls httpd.install
[root@server6 salt]# netstat -antlp #80端口出现,说明启动成功
# 控制开机自启动
[root@server6 salt]# chkconfig --list httpd
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@server5 httpd]# vim install.sls
[root@server5 httpd]# salt server6 state.sls httpd.install
[root@server6 salt]# chkconfig --list httpd
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
# 两种修改端口的方法
###第一种
[root@server5 httpd]# mkdir /srv/salt/httpd/files
[root@server6 salt]# scp /etc/httpd/conf/httpd.conf server5:/srv/salt/httpd/files
[root@server5 httpd]# vim install.sls
[root@server5 httpd]# salt server6 state.sls httpd.install
[root@server5 httpd]# cd files/
[root@server5 files]# vim httpd.conf
136 Listen 8080
[root@server5 files]# salt server6 state.sls httpd.install
# 检测
[root@server6 salt]# netstat -antlp #查看端口已经改变
tcp 0 0 :::8080 :::* LISTEN 2053/httpd
#
###第二种
[root@server5 files]# cd ..
[root@server5 httpd]# vim files/httpd.conf
136 Listen 80
[root@server5 httpd]# vim install.sls
[root@server6 salt]# netstat -antlp #端口成功改变
tcp 0 0 :::80 :::* LISTEN 2053/httpd
2.源码编译nginx,server7与server6配置相同
[root@server7 ~]# yum install -y salt-minion
[root@server7 ~]# vim /etc/salt/minion
16 master: 172.25.44.5
[root@server7 ~]# /etc/init.d/salt-minion start
Starting salt-minion:root:server7 daemon: OK
[root@server5 nginx]# salt-key -L
Accepted Keys:
server6
Denied Keys:
Unaccepted Keys:
server7
Rejected Keys:
[root@server5 nginx]# salt-key -a server7
The following keys are going to be accepted:
Unaccepted Keys:
server7
Proceed? [n/Y] Y
Key for minion server7 accepted.
[root@server5 httpd]# cd ..
[root@server5 salt]# mkdir nginx
[root@server5 salt]# cd nginx/
[root@server5 nginx]# pwd
/srv/salt/nginx
[root@server5 nginx]# mkdir files
[root@server5 nginx]# cd files/
[root@server5 files]# ls
nginx-1.14.0.tar.gz
[root@server5 files]# cd ..
[root@server5 nginx]# vim install.sls #远程源码编译nginx
[root@server5 nginx]# salt server7 state.sls nginx.install #推送
[root@server7 mnt]# ps ax #可以查看到安装
[root@server5 nginx]# vim service.sls #远程启动nginx
[root@server5 nginx]# salt server7 state.sls nginx.service #推送
[root@server7 sbin]# netstat -antlp #查看端口,看是否启动成功
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4596/nginx
[root@server7 mnt]# scp /usr/local/nginx/conf/nginx.conf root@172.25.44.5:/srv/salt/nginx/files
root@172.25.44.5's password:
nginx.conf 100% 2656 2.6KB/s 00:00
[root@server5 nginx]# cd files/
[root@server5 files]# ls
nginx nginx-1.14.0.tar.gz nginx.conf
[root@server5 nginx]# vim service.sls #控制进程
[root@server5 files]# vim nginx.conf
3 worker_processes 2; #进程数改为2
[root@server5 files]# salt server7 state.sls nginx.service
[root@server7 sbin]# ps ax #查看进程,有两个在运行
[root@server5 files]# vim nginx.conf #修改用户名和所在组
2 user nginx nginx
[root@server5 files]# cd ..
[root@server5 nginx]# cd ..
[root@server5 salt]# ls
httpd nginx
[root@server5 salt]# mkdir users
[root@server5 salt]# cd pkgs/
[root@server5 pkgs]# ls
[root@server5 pkgs]# vim make.sls #
[root@server5 pkgs]# cd ..
[root@server5 salt]# ls
httpd nginx pkgs users
[root@server5 salt]# cd users/
[root@server5 users]# vim nginx.sls # 创建nginx用户信息管理脚本
[root@server5 users]# cd ..
[root@server5 salt]# ls
httpd nginx pkgs users
[root@server5 salt]# cd nginx/
[root@server5 nginx]# ls
files install.sls service.sls
[root@server5 nginx]# vim install.sls
# 推送测试
[root@server7 sbin]# id nginx #用户成功建立
uid=800(nginx) gid=800(nginx) groups=800(nginx)
3.saltstack多节点推送实现haproxy负载均衡集群
[root@server6 salt]# cd /var/www/html/
[root@server6 html]# vim index.html
server6
[root@server5 salt]# yum install -y salt-minion
[root@server5 salt]# vim /etc/salt/minion
[root@server5 salt]# pwd
/etc/salt
[root@server5 salt]# ls
cloud cloud.maps.d master minion.d proxy
cloud.conf.d cloud.profiles.d master.d minion_id proxy.d
cloud.deploy.d cloud.providers.d minion pki roster
[root@server5 salt]# rm -fr minion_id
[root@server5 salt]# /etc/init.d/salt-minion restart
Stopping salt-minion:root:server5 daemon: OK
Starting salt-minion:root:server5 daemon: OK
[root@server5 salt]# salt-key -L
Accepted Keys:
server6
server7
Denied Keys:
Unaccepted Keys:
server5
Rejected Keys:
[root@server5 salt]# salt-key -a server5
The following keys are going to be accepted:
Unaccepted Keys:
server5
Proceed? [n/Y] Y
Key for minion server5 accepted.
[root@server5 salt]# salt-key -L
Accepted Keys:
server5
server6
server7
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@server5 nginx]# pwd
/srv/salt/nginx
[root@server5 nginx]# cd ..
[root@server5 salt]# ls
httpd nginx pkgs users
[root@server5 salt]# mkdir haproxy
[root@server5 salt]# cd haproxy/
[root@server5 haproxy]# vim install.sls
[root@server5 haproxy]# salt server5 state.sls haproxy.install #yum源有问题
[root@server5 haproxy]# vim /etc/yum.repos.d/rhel-source.repo
[root@server5 yum.repos.d]# yum clean all
[root@server5 yum.repos.d]# salt server5 state.sls haproxy.install
[root@server5 haproxy]# mkdir /srv/salt/haproxy/files/
[root@server5 haproxy]# cd /etc/haproxy/
[root@server5 haproxy]# pwd
/etc/haproxy
[root@server5 haproxy]# cp haproxy.cfg /srv/salt/haproxy/files/
[root@server5 haproxy]# pwd
/etc/haproxy
[root@server5 haproxy]# cd /srv/salt/haproxy/
[root@server5 haproxy]# cd files/
[root@server5 files]# vim haproxy.cfg
[root@server5 files]# /etc/init.d/haproxy start
Starting haproxy: [ OK ]
[root@server5 files]# salt server5 state.sls haproxy.install
[root@server5 files]# cd /srv/salt/
[root@server5 salt]# ls
haproxy httpd nginx pkgs users
[root@server5 salt]# vim top.sls
[root@server5 salt]# salt server? test.ping
server6:
True
server7:
True
server5:
True
[root@server5 salt]# salt server* test.ping
server7:
True
server6:
True
server5:
True
[root@server5 salt]# salt server[5,6,7] test.ping
server6:
True
server7:
True
server5:
True
[root@server5 salt]# salt server[5-7] test.ping
server5:
True
server7:
True
server6:
True
[root@server5 salt]# salt '*' test.ping
server6:
True
server7:
True
server5:
True
#实现了负载均衡
[root@server6 html]# /etc/init.d/httpd stop
Stopping httpd: [ OK ]
[root@server5 salt]# salt '*' state.highstate #重新推送(高级推送)
####又实现负载均衡
#
[root@server6 html]# vim /etc/salt/minion
120 grains:
121 roles:
122 - apache
[root@server6 html]# /etc/init.d/salt-minion restart
Stopping salt-minion:root:server6 daemon: OK
Starting salt-minion:root:server6 daemon: OK
[root@server7 html]# cd /etc/salt/
[root@server7 salt]# vim grains
roles:
nginx
[root@server5 salt]# salt '*' grains.item roles
server6:
----------
roles:
- apache
server7:
----------
roles:
server5:
----------
roles:
[root@server5 salt]# salt server7 saltutil.sync_grains
[root@server5 salt]# salt '*' grains.item roles
server5:
----------
roles:
server7:
----------
roles:
nginx
server6:
----------
roles:
- apache
[root@server5 salt]# vim top.sls
1 base:
2 'server5':
3 - haproxy.install
4 'roles:apache':
5 - match: grain
6 - httpd.install
7 'roles:nginx':
8 - match: grain
9 - nginx.service
[root@server5 salt]# pwd
/srv/salt
[root@server5 salt]# ls
haproxy httpd nginx pkgs top.sls users
[root@server5 salt]# mkdir _grains
[root@server5 salt]# cd _grains/
[root@server5 _grains]# ls
[root@server5 _grains]# vim my_grains.py
1 #!/usr/bin/env python
2 def my_grains():
3 grains = {}
4 grains['hello'] = 'world'
5 grains['salt'] = 'stack'
6 return grains
[root@server5 _grains]# salt server6 saltutil.sync_grains
server6:
- grains.my_grains
[root@server5 _grains]# salt server6 saltutil.sync_grains
server6:
- grains.my_grains
[root@server5 _grains]# salt server7 saltutil.sync_grains
server7:
- grains.my_grains
[root@server5 _grains]# salt '*' grains.item hello
server5:
----------
hello:
server6:
----------
hello:
world
server7:
----------
hello:
world
[root@server5 _grains]# salt '*' grains.item salt
server5:
----------
salt:
server6:
----------
salt:
stack
server7:
----------
salt:
stack
Grains很强大,但其缺点是这些数据相对来说都是静态数据。如果有变化的数据如何
处理呢?这时我们就用到了pillar。pillar数据存储在master上。指定的minion只能
看到自己的pillar数据,其他minion看不到任何pillar数据,这一点与状态文件正好
相反。所有通过认证的minion都可以获取状态文件,但每个minion却都有自己的一套
pillar数据,而且pillar数据在下发给对应minion时是加密传输的(master上/srv/pillar中的文件本身是明文),所以很适用于敏感数据。
注意:grains是由minion自己上报的,可以被minion伪造,因此给包含敏感数据的pillar定向时应按minion id匹配,而不要只依赖grains匹配。
[root@server5 _grains]# vim /etc/salt/master
694 pillar_roots:
695 base:
696 - /srv/pillar
[root@server5 _grains]# cd
[root@server5 ~]# mkdir /srv/pillar
[root@server5 ~]# cd /srv/pillar/
[root@server5 pillar]# ls
[root@server5 pillar]# pwd
/srv/pillar
[root@server5 pillar]# mkdir web
[root@server5 pillar]# cd web/
[root@server5 web]# ls
[root@server5 web]# pwd
/srv/pillar/web
[root@server5 web]# vim install.sls
1 {% if grains['fqdn'] == 'server6' %}
2 webserver: httpd
3 {% elif grains['fqdn'] == 'server7' %}
4 webserver: nginx
5 {% endif %}
[root@server5 web]# cd ..
[root@server5 pillar]# ls
web
[root@server5 pillar]# vim top.sls
1 base:
2 '*':
3 - web.install
[root@server5 pillar]# salt 'server6' pillar.items
server6:
----------
webserver:
httpd
[root@server5 pillar]# salt 'server7' pillar.items
server7:
----------
webserver:
nginx
[root@server5 web]# salt -S '172.25.44.0/24' test.ping
server6:
True
server7:
True
server5:
True
jinja模版
[root@server5 web]# cd .
[root@server5 web]# cd ..
[root@server5 pillar]# cd ..
[root@server5 srv]# cd salt/
[root@server5 salt]# cd httpd/
[root@server5 httpd]# ls
files install.sls
[root@server5 httpd]# vim install.sls
1 httpd:
2 pkg.installed
3
4 php:
5 pkg.installed
6
7 apache:
8 service.running:
9 - name: httpd
10 - enable: True
11 - reload: True
12 - watch:
13 - file: /etc/httpd/conf/httpd.conf
14
15 /etc/httpd/conf/httpd.conf:
16 file.managed:
17 - source: salt://httpd/files/httpd.conf
18 - mode: 644
19 - user: root
20 - template: jinja
21 - context:
22 bind: 172.25.44.6
23 port: 8080
[root@server5 httpd]# cd files/
[root@server5 files]# vim httpd.conf
136 Listen {{ port }}
[root@server5 httpd]# salt server6 state.sls httpd.install
#检测
[root@server6 salt]# vim /etc/httpd/conf/httpd.conf
136 Listen 8080
[root@server6 salt]# tree minion/
[root@server5 httpd]# vim files/httpd.conf
136 Listen {{ bind }}:{{ port }}
[root@server5 httpd]# salt server6 state.sls httpd.install
[root@server6 salt]# cat /etc/httpd/conf/httpd.conf | head -n 136 | tail -n 1
Listen 172.25.44.6:8080
[root@server5 httpd]# vim files/httpd.conf
1 {% from 'httpd/lib.sls' import port with context %}
[root@server5 httpd]# vim lib.sls
1 {% set port = 80 %}
[root@server6 salt]# cat /etc/httpd/conf/httpd.conf | head -n 137 | tail -n 1
Listen 172.25.44.6:80
[root@server5 httpd]# vim install.sls
1 httpd:
2 pkg.installed
3
4 php:
5 pkg.installed
6
7 apache:
8 service.running:
9 - name: httpd
10 - enable: True
11 - reload: True
12 - watch:
13 - file: /etc/httpd/conf/httpd.conf
14
15 /etc/httpd/conf/httpd.conf:
16 file.managed:
17 - source: salt://httpd/files/httpd.conf
18 - mode: 644
19 - user: root
20 - template: jinja
21 - context:
22 bind: {{ grains['ipv4'][-1]}}
23 port: 8080
24
25 service.running:
26 - name: httpd
27 - enable: True
28 - reload: True
29 - watch:
30 - file: apache-install
[root@server6 salt]# cat /etc/httpd/conf/httpd.conf | head -n 137 | tail -n 1
Listen 172.25.44.6:80
[root@server5 httpd]# cd /srv/pillar/web/
[root@server5 web]# vim install.sls
1 {% if grains['fqdn'] == 'server6' %}
2 webserver: httpd
3 bind: 172.25.44.6
4 port: 8080
5 {% elif grains['fqdn'] == 'server7' %}
6 webserver: nginx
7 {% endif %}
[root@server5 web]# cd /srv/salt/httpd/
[root@server5 httpd]# vim install.sls
[root@server5 httpd]# cd files/
[root@server5 files]# vim httpd.conf
137 Listen {{ pillar['bind']}}:{{pillar['port']}}
[root@server6 salt]# cat /etc/httpd/conf/httpd.conf | head -n 137 | tail -n 1
Listen 172.25.44.6:8080
[root@server5 files]# vim httpd.conf
137 Listen {{ bind }}:{{ port }}
[root@server5 httpd]# cd ..
[root@server5 httpd]# vim install.sls
1 httpd:
2 pkg.installed
3
4 php:
5 pkg.installed
6
7 apache:
8 service.running:
9 - name: httpd
10 - enable: True
11 - reload: True
12 - watch:
13 - file: /etc/httpd/conf/httpd.conf
14
15 /etc/httpd/conf/httpd.conf:
16 file.managed:
17 - source: salt://httpd/files/httpd.conf
18 - mode: 644
19 - user: root
20 - template: jinja
21 - context:
22 bind: {{ pillar['bind']}}
23 port: {{ pillar['port']}}
24
[root@server5 httpd]# salt server6 state.sls httpd.install
[root@server6 salt]# netstat -antlp
tcp 0 0 172.25.44.6:80 0.0.0.0:* LISTEN 4170/httpd
[root@server6 salt]# cat /etc/httpd/conf/httpd.conf | head -n 137 | tail -n 1
Listen 172.25.44.6:80