SaltStack User Manual
SaltStack references:
https://docs.saltstack.com/en/latest/
http://blog.chinaunix.net/uid-10915175-id-4395273.html
http://www.saltstack.cn/kb/managing-firewall-with-salt/
https://docs.saltstack.com/en/getstarted/config/jinja.htm
https://repo.saltstack.com/yum/redhat/6/x86_64/2017.7/
First, fill in the hosts file (or set up internal DNS) so that every node resolves by name:
cat /etc/hosts
192.168.99.2 saltstack-master.example.com
192.168.99.4 saltstack-node1.example.com
192.168.99.5 saltstack-node2.example.com
192.168.3.37 saltstack-node3.example.com
I. Installing and deploying SaltStack
1. Environment:
   1. CentOS 6.5, CentOS 5.6
2. SaltStack version:
   1. salt-2017.7.1-1.el6.noarch
3. Install the official Salt repository:
   1. cd /etc/yum.repos.d/
   2. yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el6.noarch.rpm
4. Deploy salt-master and salt-minion:
   1. yum install salt-master
   2. yum install salt-minion
5. Start the services:
   1. /etc/init.d/salt-master start
   2. /etc/init.d/salt-minion start
II. The salt-key command (accepting minion keys)
salt-key -L    list all keys, i.e. every minion that has contacted the master
A newly joined host appears under "Unaccepted Keys" until its key is accepted.
Accept keys with the -A option.
salt-key -d saltstack-master.example.com    delete a single minion's key
After accepting, test that every accepted minion can talk to the master (salt '*' test.ping).
-A: accept all pending keys
-d: delete a single accepted key, i.e. remove one minion
-D: delete all keys
-r: reject a single key (put it on the reject list)
-R: reject all keys
III. Master and minion configuration options
master:
interface: 192.168.0.1          local interface to bind to; must be an IP address
publish_port: 4505              network port of the publish interface (default 4505)
user: root                      user the salt-master runs as
ret_port: 4506                  port used by the return server (default 4506)
pidfile: /var/run/salt-master.pid
conf_file: /etc/salt/master     path of the master configuration file
pki_dir: /etc/salt/pki/master   directory holding the PKI authentication keys
cachedir: /var/cache/salt/master    directory for cached data
verify_env: True                verify and set the permissions of the configuration directories at startup
keep_jobs: 24                   hours to keep old job data
sock_dir: /var/run/salt/master  location of the Unix sockets used for master process communication
log_file: /var/log/salt/master  location of the master log file
minion:
master: 192.168.99.2            address of the master
max_event_size: 1048576         maximum size of an event on the minion event bus, in bytes
pidfile: /var/run/salt-minion.pid    location of the daemon's pid file
conf_file: /etc/salt/minion     path of the minion configuration file
cachedir: /var/cache/salt/minion    directory for cached data
verify_env: True                verify and set the permissions of the configuration directories at startup
return_retry_timer: 5           default delay before a return is retried
tcp_pub_port                    publish port used when the transport is set to tcp
log_file: /var/log/salt/minion  location of the minion log file
tcp_keepalive_cnt: 1            ZeroMQ TCP keepalive count
tcp_keepalive_intvl: 1          ZeroMQ TCP keepalive interval
Master configuration file: mainly defines the project directory (file_roots)
Define node groups:
Edit the minion configuration file
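The salt-key section accepts keys with -A, and the minion configuration above points the minion at the master by address only. The shell script below is an added example (not from the manual) that tightens both sides: it accepts a minion key on the master only when the fingerprint printed by salt-key -f matches a value read out-of-band on the minion with salt-call --local key.finger, and it renders a minion config that pins the master's public key with master_finger. It assumes salt-key prints "minion_id:  fingerprint" lines, /srv/salt as the file root, and that the nodegroup dest used in section V consists of the two node hosts.

```shell
#!/bin/sh
# Added example: fingerprint-checked key acceptance on the master, plus master and
# minion config fragments. Assumes `salt-key -f` prints "minion_id:  fp" lines and
# that the expected fingerprint was read on the minion with:
#   salt-call --local key.finger

# normalize_fp <fp>: lower-case, drop whitespace and quotes so pasted copies compare equal
normalize_fp() {
  printf '%s' "$1" | tr -d ' \t\r\n"' | tr 'A-Z' 'a-z'
}

# fingerprint_matches <expected> <actual>: succeeds only if both are non-empty and equal
fingerprint_matches() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# extract_fp <minion_id> <salt-key -f output>: print the fingerprint listed for that id
extract_fp() {
  printf '%s\n' "$2" | awk -v id="$1" '$1 == (id ":") { print $NF; exit }'
}

# accept_minion_key <minion_id> <expected_fp>: accept the key only on a fingerprint match
accept_minion_key() {
  minion=$1; expected=$2
  actual=$(extract_fp "$minion" "$(salt-key -f "$minion" 2>/dev/null)")
  if fingerprint_matches "$expected" "$actual"; then
    salt-key -y -a "$minion"
  else
    printf 'refusing %s: expected %s, got %s\n' "$minion" "$expected" "${actual:-<none>}" >&2
    return 1
  fi
}

# render_minion_config <master_addr> <master_fp>: /etc/salt/minion fragment.
# master_finger makes the minion refuse a master whose public key does not match.
render_minion_config() {
  printf "master: %s\nmaster_finger: '%s'\n" "$1" "$(normalize_fp "$2")"
}

# render_master_config: /etc/salt/master fragment with the file root (assumed
# /srv/salt) and the nodegroup "dest" that salt -N / salt -C use in section V.
render_master_config() {
  cat <<'EOF'
interface: 192.168.99.2
file_roots:
  base:
    - /srv/salt
nodegroups:
  dest: 'L@saltstack-node1.example.com,saltstack-node2.example.com'
EOF
}

# Usage on the master, with the fingerprint copied from the minion's key.finger output:
#   accept_minion_key saltstack-node1.example.com 'aa:bb:cc:...'
#   render_minion_config 192.168.99.2 "$(salt-key -F | awk '$1 == "master.pub:" { print $NF }')"
```

The master's own fingerprint comes from salt-key -F (listed as master.pub under Local Keys); the value written to master_finger must be the one read on the master itself, not one reported over the network by the minion.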
IV. Grains
salt '*' grains.ls       list the grain names a minion provides
salt '*' grains.items    show every grain with its value
1. Edit the grains file:
vim /etc/salt/grains
roles:
  - webserver
  - memcache
(/etc/salt/grains takes the grain keys directly; an enclosing grains: key is only used when grains are declared inside /etc/salt/minion. Restart salt-minion, or run salt '*' saltutil.refresh_grains, so the new grains are loaded before matching on them.)
2. Match on grains:
salt -G 'roles:webserver' test.ping
V. SaltStack remote execution
Targeting rules:
salt '*' cmd.run 'df -h'    run a shell command on every minion with the cmd module
salt -C 'G@os:CentOS and N@dest' test.ping    -C: compound match (G@ = grain, N@ = nodegroup)
salt -N dest test.ping    -N: match a nodegroup
salt -S 192.168.99.0/24 test.ping    -S: match by subnet or IP address
salt -L 'saltstack-node1.example.com,saltstack-node2.example.com' test.ping    -L: match an explicit list of minion ids
salt -E 'saltstack-(node1|node2).example.com' test.ping    -E: PCRE regular-expression match
salt 'saltstack-node[1-3].example.com' test.ping    default glob match ([1-3] is a shell-style character class, not a regex)
salt 'saltstack-node1.example.com' sys.list_functions file    list the functions of a module
salt 'saltstack-node1.example.com' sys.doc cmd | grep run    view a module's documentation
VI. Writing SLS files with Jinja templates
Jinja template examples: https://docs.saltstack.com/en/latest/topics/jinja/index.html
1. backup: implemented with file.managed; cmd.run creates the script directory
download_file_1:
  file.managed:
    - name: /etc/cron.d/backup
    - source: salt://backup/files/backup.erb
    - user: root
    - group: root
    - mode: 644
download_file_2:
  file.managed:
    - name: /etc/rsync_only_backup_remote.pwd
    - source: salt://backup/files/rsync_only_backup_remote.pwd.erb
    - user: root
    - group: root
    - mode: 600
cmd_mkdir:
  cmd.run:
    - names:
      - mkdir -pv /opt/scripts/remote_backup_not_delete/
    - unless: test -d /opt/scripts/remote_backup_not_delete/
    # owner/group/mode are not cmd.run arguments; file.directory sets them declaratively
download_file_3:
  file.managed:
    - name: /opt/scripts/remote_backup_not_delete/backup_to_remote.sh
    - source: salt://backup/files/backup_to_remote.sh.erb
    - user: root
    - group: root
    - mode: 755
download_file_4:
  file.managed:
    - name: /opt/scripts/remote_backup_not_delete/check_table.sh
    - source: salt://backup/files/check_table.sh.erb
    - user: root
    - group: root
    - mode: 755
Result: salt 'saltstack-node1.example.com' state.sls backup.backup backup.evn=backup
dns: uses file.managed
resolv.conf:
  file.managed:
    - name: /etc/resolv.conf
    - source: salt://dns/files/resolv.conf.erb
    - user: root
    - group: root
    - mode: 644
Result: salt 'saltstack-node1.example.com' state.sls dns.resolv_conf dns.evn=dns
iptables: a for loop plus an if test around file.managed
{% for list in ['saltstack-node1.example.com','saltstack-node2.example.com'] %}
{% if list == grains['fqdn'] %}
downloads_file_iptables:
  file.managed:
    - name: /etc/sysconfig/iptables
    - source: salt://auditd/files/{{ list }}_iptables.erb
    - user: root
    - group: root
    - mode: 600
iptables_service:
  service.running:
    - name: iptables
    - enable: True
    - reload: True
    - watch:
      - file: downloads_file_iptables
downloads_file_crontab:
  file.managed:
    - name: /etc/cron.d/iptables
    - source: salt://auditd/files/{{ list }}_cron.erb
    - user: root
    - group: root
    - mode: 644
{% endif %}
{% endfor %}
{% for list in ['saltstack-master.example.com'] %}
{% if grains['fqdn'] == list %}
downloads_file_iptables:
  file.managed:
    - name: /etc/sysconfig/iptables
    - source: salt://auditd/files/Standard
    - user: root
    - group: root
    - mode: 600
iptables_service:
  service.running:
    - name: iptables
    - enable: True
    - reload: True
    - watch:
      - file: downloads_file_iptables
{% endif %}
{% endfor %}
Result: salt 'saltstack-node1.example.com' state.sls auditd.iptables auditd.evn=auditd
ntp:
ntp_file:
  file.managed:
    - name: /etc/cron.d/ntp
    - source: salt://ntp/files/ntp.erb
    - user: root
    - group: root
    - mode: 644
ntpd_service:
  service.running:
    - name: ntpd
    - enable: True
    - reload: True
    - force: True    # reload plus force selects service.force_reload where the service module provides it
    - watch:
      - file: ntp_file
Result: salt 'saltstack-node1.example.com' state.sls ntp.ntp ntp.evn=ntp
ssh: loop over a list of OS releases and test each one; the service module (re)starts sshd
{% for list in ['5.6','6.0','6.5'] %}
{% if grains['osrelease'] == list %}
downloads{{ list }}_file:
  file.managed:
    - name: /etc/ssh/sshd_config
    - user: root
    - group: root
    - source: salt://ssh/files/sshd_config_{{ list }}.erb
    - mode: 600
    - template: jinja
    # adding "- check_cmd: /usr/sbin/sshd -t -f" validates the rendered file before it
    # replaces sshd_config, so a bad template cannot break the reload below
sshd_service:
  service.running:
    - name: sshd
    - enable: True
    - reload: True
    - watch:
      - file: downloads{{ list }}_file
{% endif %}
{% endfor %}
Result: salt 'saltstack-node1.example.com' state.sls ssh.ssh ssh.evn=ssh
yum:
{% for list in ['5.6','6.0','6.5'] %}
{% if grains['osrelease'] == list %}
downloads_files:
  file.managed:
    - name: /etc/yum.repos.d/{{ grains['osrelease'] }}ctvonline.repo
    - user: root
    - group: root
    - mode: 644
    - source: salt://yum/files/centos{{ grains['osrelease'] }}_ctvonline.repo.erb
{% endif %}
{% endfor %}
Result:
profile:
bash-prompt-default:
  file.managed:
    - name: /etc/sysconfig/bash-prompt-default
    - mode: 755
    - user: root
    - group: root
    - source: salt://profile/files/bash-prompt-default.erb
bash-prompt-xterm:
  file.managed:
    - name: /etc/sysconfig/bash-prompt-xterm
    - mode: 755
    - user: root
    - group: root
    - source: salt://profile/files/bash-prompt-xterm.erb
snmp:
{% set options_version = "snmpd.options" %}
{% if grains['osrelease'] == '5.6' %}
downloads_files_snmp5:
  file.managed:
    - name: /etc/snmp/snmpd.conf
    - user: root
    - group: root
    - mode: 644
    - source: salt://snmp/files/snmpd{{ grains['osrelease'] }}.conf.erb
    - watch_in:
      - service: snmp_service
{% endif %}
{% if grains['osrelease'] == '6.5' %}
downloads_file_snmp6:
  file.managed:
    - name: /etc/snmp/snmpd.conf
    - user: root
    - group: root
    - mode: 644
    - source: salt://snmp/files/snmpd{{ grains['osrelease'] }}.conf.erb
    - watch_in:
      - service: snmp_service
{% endif %}
downloads_files_options:
  file.managed:
    - name: /etc/sysconfig/{{ options_version }}
    - user: root
    - group: root
    - mode: 755
    - source: salt://snmp/files/{{ options_version }}_options.erb
snmp_service:
  service.running:
    - name: snmpd
    - enable: True
    - reload: True
    - force: True    # reload plus force selects service.force_reload where the service module provides it
Result: salt 'saltstack-node1.example.com' state.sls snmp.snmp snmp.evn=snmp
syslog:
{# an osrelease outside the three values below leaves service_file undefined, so add a branch before using this on other releases #}
{% if grains['osrelease'] == '6.5' %}
{% set service_file = "rsyslog" %}
{% set servers_version = "6" %}
{% endif %}
{% if grains['osrelease'] == '5.6' %}
{% set service_file = "syslog" %}
{% set servers_version = "5" %}
{% endif %}
{% if grains['osrelease'] == '4.0' %}
{% set service_file = "syslog" %}
{% set servers_version = "4" %}
{% endif %}
{% if grains['fqdn'] == 'saltstack-node1.example.com' %}
{% set mark = "server" %}
{% endif %}
{% if grains['fqdn'] == 'saltstack-node2.example.com' %}
{% set mark = "mail" %}
{% endif %}
{{ service_file }}.conf:
  file.managed:
    - name: /etc/{{ service_file }}.conf
    - user: root
    - group: root
    - mode: 644
    - source: salt://syslog/files/{{ service_file }}{{ grains['osrelease'] }}.conf.erb
rsyslog_service:
  service.running:
    - name: {{ service_file }}
    - enable: True
    - full_restart: True    # a watched change restarts the service; full_restart uses service.full_restart where it exists
    - watch:
      - file: {{ service_file }}.conf
When the file changes, result: salt 'saltstack-node1.example.com' state.sls syslog.syslog syslog.evn=syslog
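Each state above is applied with state.sls, and the ssh, yum, snmp and syslog states build their source path from grains['osrelease'], so a release that has no matching file under the file root only fails on the minion at apply time. The shell script below is an added example (not from the manual): check_sources verifies on the master that a source file exists for every release in the loop list before anything is applied, and dry_run_state runs state.sls with test=True so the minion reports what would change without changing it. The file root /srv/salt and the path template are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight for release-keyed states. Checks every per-release
# source file on the master, then does a test=True dry run of the state.
FILE_ROOT="${FILE_ROOT:-/srv/salt}"   # assumed file_roots location

# check_sources <file_root> <path-template> <release...>
# The template uses the literal token REL where the release number goes, e.g.
# 'ssh/files/sshd_config_REL.erb'. Prints each missing file; returns 1 if any is missing.
check_sources() {
  root=$1; tmpl=$2; shift 2
  rc=0
  for rel in "$@"; do
    rel_path=$(printf '%s\n' "$tmpl" | sed "s#REL#$rel#g")
    if [ ! -f "$root/$rel_path" ]; then
      printf 'missing: %s/%s\n' "$root" "$rel_path"
      rc=1
    fi
  done
  return $rc
}

# dry_run_state <target> <sls> [extra state.sls kwargs...]
# test=True makes the minion report the changes it would make without applying them.
dry_run_state() {
  target=$1; sls=$2; shift 2
  salt "$target" state.sls "$sls" test=True "$@"
}

# Usage on the master (the release list mirrors the ssh state's for loop):
#   check_sources "$FILE_ROOT" 'ssh/files/sshd_config_REL.erb' 5.6 6.0 6.5 \
#     && dry_run_state 'saltstack-node1.example.com' ssh.ssh
```

Running the dry run first matters most for sshd and iptables: a source file that renders but is wrong would otherwise be reloaded into a service that controls remote access.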
Modules used above:
pkg.install        manage packages
service.running    manage the state of a service
file.managed       manage files
Relationships between states:
require      this state depends on another state
require_in   another state depends on this state
watch        this state watches another state and reacts when it changes
watch_in     another state watches this state
VII. The salt-ssh module
yum install salt-ssh    install the salt-ssh package
1. Edit the roster: vim /etc/salt/roster
Write each host's IP, user, port and password; enable sudo if the user needs it.
2. Call salt-ssh
3. Install packages with salt-ssh
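The roster step above records a password per host. The shell script below is an added example (not from the manual) that generates /etc/salt/roster from a constructed host list using an SSH private key (the roster's priv key) instead of a stored password, with an unprivileged login and sudo: True. The key path, the login user and the inventory line are assumptions.

```shell
#!/bin/sh
# Added example: build an /etc/salt/roster for salt-ssh from a host list, using
# key authentication (priv) rather than passwd and a non-root user with sudo.
KEYFILE="${KEYFILE:-/etc/salt/pki/master/ssh/salt-ssh.rsa}"   # assumed key path

# roster_entry <id> <host> <user> <port> <privkey>: one roster record in YAML
roster_entry() {
  printf '%s:\n  host: %s\n  user: %s\n  port: %s\n  priv: %s\n  sudo: True\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# build_roster: reads "id host user port" lines on stdin; blank lines and
# comment lines are skipped, every other line becomes one roster entry.
build_roster() {
  while read -r id host user port; do
    case "$id" in ''|'#'*) continue ;; esac
    roster_entry "$id" "$host" "$user" "$port" "$KEYFILE"
  done
}

# Constructed inventory: the host from /etc/hosts that has no minion installed
HOSTS='# id host user port
saltstack-node3 192.168.3.37 deploy 22
'

# Usage on the master:
#   printf '%s' "$HOSTS" | build_roster > /etc/salt/roster
#   salt-ssh 'saltstack-node3' test.ping          # item 2: call salt-ssh
#   salt-ssh 'saltstack-node3' pkg.install vim    # item 3: install a package
```

The roster file then holds no credentials, only the path of a key that stays readable by root on the master.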