SaltStack is a C/S-architecture configuration management tool developed in Python. Underneath, it communicates through ZeroMQ message queues in pub/sub mode and manages authentication in the style of SSL certificate issuance. ZeroMQ lets SaltStack carry out operations on thousands of machines quickly; the puppet mco framework introduced earlier is quite similar. Identity is confirmed with RSA keys and transport is encrypted with AES, so transport security is assured.
SaltStack follows a C/S service model: the server side is called the Master and the client side the Minion, using the message-queue publish/subscribe (pub/sub) pattern, and minion and master talk to each other over the ZeroMQ message queue. Master and Minion both run as daemons, and the ports defined in the configuration file, ret_port (4506, which receives minion requests) and publish_port (4505, ZMQ message publishing), are listened on continuously. When a minion starts, it automatically connects to the Master address and ret_port defined in its configuration file and authenticates.
1.1 Environment
server5 (master server) 172.25.24.5
server6 (minion client) 172.25.24.6
1.2 The three SaltStack run modes
Local: runs locally
Master/Minion: the traditional mode (server side and agent side)
Salt SSH: over SSH
1.3 The three main SaltStack functions
●Remote execution
●Configuration management
●Cloud management
Configure the RHEL 6 yum repository (on both the master and the minion):
[root@server5 ~]# cat /etc/yum.repos.d/rhel-source.repo
[rhel-source]
name=Red Hat Enterprise Linux $releasever - $basearch - Source
baseurl=http://172.25.24.250/rhel6.5
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[salt]
name=saltstack
baseurl=http://172.25.24.250/rhel6
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Installation and connection:
server5 (master):
[root@server5 ~]# yum install salt-master -y
[root@server5 ~]# vim /etc/salt/master ## location of the configuration file
[root@server5 ~]# /etc/init.d/salt-master start
Starting salt-master daemon:
server6 (minion):
[root@server6 ~]# yum install salt-minion -y
[root@server6 ~]# vim /etc/salt/minion ## if name resolution is set up, the master's hostname can be used
[root@server6 ~]# /etc/init.d/salt-minion start
Starting salt-minion:root:server6 daemon: OK
server5:
[root@server5 ~]# salt-key -A ## accept all pending minion keys
The following keys are going to be accepted:
Unaccepted Keys:
server6
Proceed? [n/Y] Y ## confirm
Key for minion server6 accepted.
[root@server5 ~]# salt-key -L ## list the key state of every minion
Accepted Keys:
server6
Denied Keys:
Unaccepted Keys:
Rejected Keys:
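`salt-key -A` above accepts every key in the Unaccepted list without checking who presented it. Before accepting, compare the fingerprint the master shows with `salt-key -F` against the one the minion prints for its own key with `salt-call --local key.finger`, and accept only the ids that match, with `salt-key -a <id>`. The following script is an added example for this tutorial and is not part of SaltStack: it parses constructed samples of the `salt-key -L` output (as shown above) and the `salt-key -F` output (the `-F` layout is assumed from the tool's usual "id:  fingerprint" format, and the fingerprints are made up) and decides, for each pending minion, whether to accept or reject.

```python
"""Verify a pending minion key's fingerprint before accepting it.

Added example for this tutorial, not part of SaltStack. Parses the text
printed by `salt-key -L` / `salt-key -F` on the master (samples below are
constructed) and compares the fingerprint of an Unaccepted key with the
value read out-of-band from the minion via `salt-call --local key.finger`.
Only ids whose fingerprints match should be accepted with `salt-key -a <id>`;
`salt-key -A` skips this check entirely.
"""
import re

# Constructed sample: what `salt-key -L` prints on server5 before acceptance.
SALT_KEY_LIST = """\
Accepted Keys:
Denied Keys:
Unaccepted Keys:
server6
Rejected Keys:
"""

# Constructed sample: assumed `salt-key -F` layout; fingerprints are made up.
SALT_KEY_FINGER = """\
Local Keys:
master.pem:  0b:2a:6c:41:9e:77:12:f0:3d:5b:8c:aa:e1:4f:90:63
master.pub:  4d:19:7e:b2:5c:08:e3:61:9f:2b:d4:70:a5:cc:16:8e
Unaccepted Keys:
server6:  c3:9d:41:6e:25:fa:8b:03:77:e9:1c:d2:5a:b4:68:0f
"""

SECTION_RE = re.compile(r"^(Local|Accepted|Denied|Unaccepted|Rejected) Keys:$")


def parse_salt_key(text):
    """Return {section: {minion_id: fingerprint_or_None}} from salt-key text."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("key entry before any section header: %r" % line)
        # `salt-key -F` prints "id:  fingerprint"; `salt-key -L` prints only "id"
        name, sep, fp = line.partition(":")
        sections[current][name.strip()] = fp.strip() if sep else None
    return sections


def pending_minions(list_text):
    """Minion ids waiting under 'Unaccepted Keys' in `salt-key -L` output."""
    return sorted(parse_salt_key(list_text).get("Unaccepted", {}))


def key_matches(finger_text, minion_id, expected_fp):
    """True only if the master holds an Unaccepted key for minion_id whose
    fingerprint equals the one obtained on the minion itself."""
    seen = parse_salt_key(finger_text).get("Unaccepted", {}).get(minion_id)
    if seen is None:
        return False
    return seen.lower() == expected_fp.strip().lower()


def accept_decision(list_text, finger_text, expected):
    """Map each pending minion id to 'accept' or 'reject'; `expected` is
    {id: fingerprint} collected from each host out-of-band."""
    decisions = {}
    for mid in pending_minions(list_text):
        ok = mid in expected and key_matches(finger_text, mid, expected[mid])
        decisions[mid] = "accept" if ok else "reject"
    return decisions


if __name__ == "__main__":
    # Fingerprint the operator read on server6 with `salt-call --local key.finger`
    known = {"server6": "c3:9d:41:6e:25:fa:8b:03:77:e9:1c:d2:5a:b4:68:0f"}
    for mid, verdict in accept_decision(SALT_KEY_LIST, SALT_KEY_FINGER, known).items():
        flag = "a" if verdict == "accept" else "r"
        print("%s: %s  (salt-key -%s %s)" % (mid, verdict, flag, mid))
```

Run it on the master with the real command output substituted for the two samples; an id with no recorded fingerprint, or with a fingerprint that differs from what the minion reports, is rejected (`salt-key -r <id>`) rather than silently accepted.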
Test:
[root@server5 ~]# salt server6 test.ping ## check whether server6 is connected
server6:
True
[root@server5 ~]# salt server6 cmd.run hostname ## show server6's hostname
server6:
server6
[root@server5 ~]# salt server6 cmd.run 'df -h' ## show server6's mounted filesystems
server6:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root 19G 977M 17G 6% /
tmpfs 499M 16K 499M 1% /dev/shm
/dev/vda1 485M 33M 427M 8% /boot
Loading modules
[root@server5 ~]# yum list python-* ## list all python modules available from the local yum repository
[root@server5 ~]# yum install -y python-setproctitle.x86_64
[root@server5 ~]# vim /etc/salt/master ## enable the module settings
/srv/salt is the default directory in which state modules take effect (create it if it does not exist)
[root@server5 ~]# /etc/init.d/salt-master restart ## restart the service
Stopping salt-master daemon: [ OK ]
Starting salt-master daemon: [ OK ]
Automated operations: one-click installation of the httpd service
[root@server5 ~]# cd /srv/salt
[root@server5 salt]# mkdir httpd
[root@server5 salt]# cd httpd/
[root@server5 httpd]# vim install.sls ## the file name is arbitrary, but it must end in .sls
[root@server5 httpd]# cat install.sls
apache-install:                              ## state ID; name it as you like
  pkg.installed:                             ## package installation module; fixed name
    - pkgs:                                  ## packages to install
      - httpd
      - php
  file.managed:                              ## file module (module names are lowercase)
    - name: /etc/httpd/conf/httpd.conf       ## path of the file to update on the managed host
    - source: salt://httpd/files/httpd.conf  ## path of the file on the master (under /srv/salt)
    - mode: 664                              ## permissions
    - user: root                             ## owner; a group can be added as well
  service.running:                           ## service to start
    - name: httpd                            ## service name
    - enable: True                           ## start on boot?
    - reload: True                           ## reload rather than restart on change?
    - watch:                                 ## watched states
      - file: apache-install                 ## the file managed by this same state
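The same state written with Salt's Python (`#!py`) renderer, as an added example for this tutorial rather than the tutorial's own install.sls. Salt calls `run()` and uses the returned dict exactly as if it were the YAML above, which makes the structure easy to test without a master. Two deliberate differences from the YAML version: the file mode is 0644 instead of 664 (a root-owned httpd.conf should not be group-writable), and the service carries an explicit `require` on the package so it is never started before httpd is installed. The `check()` function is this example's own lint, not a Salt feature.

```python
#!py
"""httpd state in Salt's Python renderer.

Added example for this tutorial, not the tutorial's own install.sls. With the
`#!py` first line Salt imports this file and calls run(), using the returned
dict as the state data. check() is this example's own guard, not part of Salt.
"""

CONF_PATH = "/etc/httpd/conf/httpd.conf"
CONF_SOURCE = "salt://httpd/files/httpd.conf"   # same source path as the tutorial
PACKAGES = ["httpd", "php"]


def managed_file(name, source, mode="0644", user="root", group="root"):
    """file.managed arguments; mode is a zero-padded string so YAML and py agree."""
    return [
        {"name": name},
        {"source": source},
        {"mode": mode},
        {"user": user},
        {"group": group},
    ]


def run():
    """Entry point used by the #!py renderer: return the high-data dict."""
    return {
        "apache-install": {
            "pkg.installed": [{"pkgs": PACKAGES}],
            "file.managed": managed_file(CONF_PATH, CONF_SOURCE),
            "service.running": [
                {"name": "httpd"},
                {"enable": True},
                {"reload": True},
                # reload only when the managed config file changes
                {"watch": [{"file": "apache-install"}]},
                # never try to start the service before the package exists
                {"require": [{"pkg": "apache-install"}]},
            ],
        }
    }


def check(state):
    """Lint the high-data before shipping it; returns a list of findings
    (empty when acceptable). Flags non-normalized or group/other-writable
    file modes and services that do not require their package."""
    findings = []
    for sid, funcs in state.items():
        if "file.managed" in funcs:
            args = dict((k, v) for d in funcs["file.managed"] for k, v in d.items())
            mode = str(args.get("mode", ""))
            # expect a zero-padded 4-digit octal mode with no group/other write bit
            bad = (len(mode) != 4 or not mode.isdigit() or mode[0] != "0"
                   or int(mode[2]) & 2 or int(mode[3]) & 2)
            if bad:
                findings.append("%s: file mode %r is unnormalized or group/other-writable" % (sid, mode))
        if "service.running" in funcs:
            args = dict((k, v) for d in funcs["service.running"] for k, v in d.items())
            if "require" not in args:
                findings.append("%s: service.running has no require on its package" % sid)
    return findings


if __name__ == "__main__":
    for finding in check(run()) or ["no findings"]:
        print(finding)
```

Saved as /srv/salt/httpd/install.sls with the `#!py` first line, it is applied with the same `salt server6 state.sls httpd.install` call used below; the watch on `file: apache-install` works exactly as in the YAML because the ID and module names are unchanged.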
Because one-click deployment of httpd needs a configuration file, server6's configuration file has to be pushed from server5, which requires the following steps.
server6:
[root@server6 ~]# scp /etc/httpd/conf/httpd.conf root@172.25.24.5:/srv/salt/httpd/files
server5:
Create the directory that holds the files
[root@server5 httpd]# mkdir files
[root@server5 httpd]# ls
files install.sls
[root@server5 httpd]# cd files/
[root@server5 files]# ls
httpd.conf
[root@server5 files]# vim httpd.conf ## change the port; this file is pushed to update the managed host's config
Test:
The push output shows in detail what server5 did when it remotely controlled server6.
[root@server5 httpd]# salt server6 state.sls httpd.install ## state.sls is the generic state call; httpd.install is the install module under /srv/salt/httpd
server6:
----------
ID: apache-install
Function: pkg.installed
Result: True
Comment: The following packages were installed/updated: php
The following packages were already installed: httpd
Started: 10:52:18.789530
Duration: 6150.311 ms
Changes:
----------
php:
----------
new:
5.3.3-26.el6
old:
php-cli:
----------
new:
5.3.3-26.el6
old:
php-common:
----------
new:
5.3.3-26.el6
old:
----------
ID: apache-install
Function: file.managed
Name: /etc/httpd/conf/httpd.conf
Result: True
Comment: File /etc/httpd/conf/httpd.conf updated
Started: 10:52:24.942406
Duration: 137.993 ms
Changes:
----------
diff:
---
+++
@@ -133,7 +133,7 @@
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
-Listen 80
+Listen 8080
#
# Dynamic Shared Object (DSO) Support
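Review bot: the hunk only swaps `Listen 80` for `Listen 8080`, but the same file.managed change records `mode: 0664` immediately below it, so the pushed httpd.conf ends up group-writable on server6; a root-owned web server configuration is normally 0644, so the state's mode should be tightened alongside this port change, and a comment line above the new Listen directive saying why 8080 is used would help the next reader.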
mode:
0664
----------
ID: apache-install
Function: service.running
Name: httpd
Result: False
Comment: Service httpd has been enabled, and is dead
Started: 10:52:25.088413
Duration: 342.232 ms
Changes:
----------
httpd:
True
Summary for server6
------------
Succeeded: 2 (changed=3)
Failed: 1
------------
Total states run: 3
Total run time: 6.631 s
ERROR: Minions returned with non-zero exit code
The first time, the file did not take effect because httpd was not running; it only takes effect once httpd is running, so simply run it again. You can of course also split the httpd deployment into several parts and run them one after another.
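The run above ended with one failed state and `ERROR: Minions returned with non-zero exit code`. When a state run is scripted, that text has to be turned into a decision rather than read by eye. The following parser is an added example for this tutorial and not a Salt API (`salt --out=json` is the proper machine interface; this handles the text form that ends up in terminals and logs). Its sample input is a constructed, abbreviated copy of the first run, with Salt's usual indentation restored.

```python
"""Flag failed states in the text output of `salt <target> state.sls ...`.

Added example for this tutorial, not part of Salt. SAMPLE_OUTPUT is a
constructed, abbreviated copy of the first run in the tutorial with Salt's
normal indentation restored: unindented "----------" lines separate state
records, nested "Changes" content is indented further and is skipped."""
import re

SAMPLE_OUTPUT = """\
server6:
----------
          ID: apache-install
    Function: pkg.installed
      Result: True
     Comment: The following packages were installed/updated: php
     Started: 10:52:18.789530
    Duration: 6150.311 ms
     Changes:
----------
          ID: apache-install
    Function: file.managed
        Name: /etc/httpd/conf/httpd.conf
      Result: True
     Comment: File /etc/httpd/conf/httpd.conf updated
     Changes:
              ----------
              diff:
                  @@ -133,7 +133,7 @@
                  -Listen 80
                  +Listen 8080
              mode:
                  0664
----------
          ID: apache-install
    Function: service.running
        Name: httpd
      Result: False
     Comment: Service httpd has been enabled, and is dead
     Changes:

Summary for server6
------------
Succeeded: 2 (changed=3)
Failed:    1
------------
Total states run:     3
Total run time:   6.631 s
ERROR: Minions returned with non-zero exit code
"""

# Top-level fields are indented by at most 12 spaces; deeper lines belong to Changes.
FIELD_RE = re.compile(r"^\s{1,12}(ID|Function|Name|Result|Comment|Started|Duration):\s*(.*)$")
SUMMARY_RE = re.compile(r"^(Succeeded|Failed):\s*(\d+)")


def parse_state_output(text):
    """Return (minion, states, summary). Each state is a dict of the fields
    above with Result turned into a bool; summary holds succeeded/failed."""
    minion, states, current, summary = None, [], None, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if minion is None and line.endswith(":") and not line.startswith(" "):
            minion = line[:-1]            # first unindented "name:" line is the minion id
            continue
        if line == "----------":           # unindented separator starts a new record
            if current:
                states.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip()
            current[key] = (value == "True") if key == "Result" else value
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1).lower()] = int(m.group(2))
    if current:
        states.append(current)
    return minion, states, summary


def failed_states(text):
    """(ID, Function, Comment) for every state whose Result is not True."""
    _, states, _ = parse_state_output(text)
    return [(s.get("ID"), s.get("Function"), s.get("Comment"))
            for s in states if s.get("Result") is not True]


def run_is_clean(text):
    """True only if the summary reports zero failures, at least one state was
    parsed, and no individual record contradicts the summary."""
    _, states, summary = parse_state_output(text)
    return bool(states) and summary.get("failed") == 0 and all(s.get("Result") is True for s in states)


if __name__ == "__main__":
    for sid, func, why in failed_states(SAMPLE_OUTPUT):
        print("FAILED %s (%s): %s" % (sid, func, why))
    print("clean run:", run_is_clean(SAMPLE_OUTPUT))
```

Feeding the second run's output (all three states `Result: True`, `Failed: 0`) into `run_is_clean` returns True, which is the condition a deployment job should gate on rather than the exit code alone, since a truncated log with no state records would otherwise pass.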
[root@server5 httpd]# salt server6 state.sls httpd.install
server6:
----------
ID: apache-install
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 10:53:15.378538
Duration: 354.251 ms
Changes:
----------
ID: apache-install
Function: file.managed
Name: /etc/httpd/conf/httpd.conf
Result: True
Comment: File /etc/httpd/conf/httpd.conf is in the correct state
Started: 10:53:15.734489
Duration: 82.605 ms
Changes:
----------
ID: apache-install
Function: service.running
Name: httpd
Result: True
Comment: The service httpd is already running
Started: 10:53:15.817887
Duration: 24.5 ms
Changes:
Summary for server6
------------
Succeeded: 3
Failed: 0
------------
Total states run: 3
Total run time: 461.356 ms
OK, no errors.
Check on server6
[root@server6 ~]# netstat -antlp |grep 8080 ## check that the changed port is in use; the reload applied the change
tcp 0 0 :::8080 :::* LISTEN 2324/httpd
[root@server6 ~]# chkconfig --list httpd ## does it start on boot?
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off