SaltStack
一.SaltStack简介
SaltStack是一个服务器基础架构集中化管理平台,具备配置管理、远程执行、监控等功能,一般可以理解为简化版的puppet和加强版的func。SaltStack基于Python语言实现,结合轻量级消息队列(ZeroMQ)与Python第三方模块(Pyzmq、PyCrypto、Jinja2、python-msgpack和PyYAML等)构建。通过部署SaltStack环境,我们可以在成千上万台服务器上做到批量执行命令,根据不同业务特性进行配置集中化管理、分发文件、采集服务器数据、操作系统基础及软件包管理等,SaltStack是运维人员提高工作效率、规范业务配置与操作的利器。
二.SaltStack部署
server1
软件仓库配置:
# Yum repo definition pointing at the local mirror that serves the "3000"
# package directory used for salt-master / salt-minion below.
[westos:sla]
name= westos
baseurl=http://172.25.3.250/3000
# gpgcheck=0 turns off package signature verification for this repo, so
# packages are trusted purely on the basis of the mirror's address; suitable
# only for a trusted lab mirror on a private network.
gpgcheck=0
安装控制端:
yum install -y salt-master.noarch
systemctl enable --now salt-master.service
查看端口:
netstat -antlp
server2/3
安装salt-minion,并指向master:
yum install -y salt-minion.noarch
cd /etc/salt/
ls
vim minion
systemctl enable --now salt-minion.service
在server1上,查看并加入管理:
salt-key -L
salt-key -A
salt-key -L
salt '*' test.ping
查看端口访问指向:
yum install -y lsof
lsof -i :4505
server1信息:
cd /etc/salt/pki/master/
[root@server1 master]# md5sum master.pub
f45df667be3d5d4e12de37943886204a master.pub
[root@server1 master]# cd minions
[root@server1 minions]# md5sum server2
3fd6c948c18c2f3b3e87afc34f1343f1 server2
server2/3信息:
cd /etc/salt/pki/minion/
ls
md5sum minion_master.pub
md5sum minion.pub
[root@server2 minion]# md5sum minion.pub
3fd6c948c18c2f3b3e87afc34f1343f1 minion.pub
[root@server2 minion]# md5sum minion_master.pub
f45df667be3d5d4e12de37943886204a minion_master.pub
查看进程名
yum install -y python-setproctitle.x86_64
systemctl restart salt-master.service
ps ax
三.远程执行模块
创建salt目录:
mkdir /srv/salt
master
mkdir /srv/salt/_modules
cd _modules/
vim my_disk.py
def df():
    """Custom execution module function: return the output of ``df -h``.

    ``__salt__`` is not defined in this file; Salt provides it when the
    module is synced to a minion (``saltutil.sync_modules``) and loaded
    there, so this function cannot be run as a standalone script.

    Returns:
        str: stdout of ``df -h`` as produced by ``cmd.run``.
    """
    # Name the pieces explicitly so the intent reads at a glance.
    command = 'df -h'
    run = __salt__['cmd.run']
    return run(command)
salt server2 saltutil.sync_modules
salt server2 my_disk.df
minion
yum install -y tree
cd /var/cache/salt/minion
tree minion/
四.apache自动安装配置
注:当salt目录下同时存在 apache/init.sls 和apache.sls时,优先执行在上一级目录下的apache.sls。
mkdir /srv/salt/apache
vim init.sls
# apache/init.sls: install httpd+php, push the master's httpd.conf and keep
# the service running. All three states share the id "apache".
apache:
  pkg.installed:
    - pkgs:
      - httpd
      - php
  file.managed:
    # Copied verbatim from /srv/salt/apache/httpd.conf on the master.
    - name: /etc/httpd/conf/httpd.conf
    - source: salt://apache/httpd.conf
  service.running:
    - name: httpd
    - enable: true
    - reload: true
    # "file: apache" refers to the file.managed state above: whenever the
    # pushed httpd.conf changes, the service is reloaded (reload: true)
    # rather than restarted.
    - watch:
      - file: apache
httpd 配置文件:
vim httpd.conf
五.nginx 自动化安装
创建目录
mkdir /srv/salt/nginx
vim init.sls
nginx自动化编译:
# nginx/init.sls: compile nginx 1.20.1 from source on the minion.
nginx-install:
  pkg.installed:
    # Build dependencies only; the nginx binary itself is produced by cmd.run.
    - pkgs:
      - gcc
      - pcre-devel
      - openssl-devel
  file.managed:
    # Tarball is served from the master's /srv/salt/nginx/.
    # NOTE(review): no source_hash is given, so the archive is not
    # integrity-checked before it is unpacked and compiled.
    - name: /mnt/nginx-1.20.1.tar.gz
    - source: salt://nginx/nginx-1.20.1.tar.gz
  cmd.run:
    # The sed drops the "-g" debug flag from the gcc CFLAGS before configure.
    # configure/make/make install send all output to /dev/null, so a build
    # failure is only visible through the exit status of the && chain.
    - name: cd /mnt && tar zxf nginx-1.20.1.tar.gz && cd nginx-1.20.1 && sed -i 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-threads --with-file-aio &> /dev/null && make &> /dev/null && make install &> /dev/null
    # Skip the whole build once the install prefix exists (idempotence).
    - creates: /usr/local/nginx
nginx配置:
vim nginx.conf
# nginx.conf pushed to /usr/local/nginx/conf/nginx.conf by nginx/service.sls.
# Apart from the user/worker settings this appears to be the stock sample
# configuration; the commented-out PHP, .htaccess, extra-vhost and HTTPS
# blocks are left as shipped.

# Worker processes run as this unprivileged account (created by the
# nginx-user state); the master process itself still starts as root.
user nginx;
worker_processes auto;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
    # NOTE(review): 65535 per worker only works if the process open-file
    # limit is raised to match (worker_rlimit_nofile / the unit's
    # LimitNOFILE) -- confirm on the target host.
    worker_connections 65535;
}


http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';

    # access_log/error_log stay commented out, so request logging is left at
    # nginx's built-in default for this build.
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    # Only vhost that is active: plain HTTP on port 80 serving ./html.
    server {
        listen 80;
        server_name localhost;

        #charset koi8-r;

        #access_log logs/host.access.log main;

        location / {
            root html;
            index index.html index.htm;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        # proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        # root html;
        # fastcgi_pass 127.0.0.1:9000;
        # fastcgi_index index.php;
        # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        # include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        # deny all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    # listen 8000;
    # listen somename:8080;
    # server_name somename alias another.alias;

    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}


    # HTTPS server (disabled: the --with-http_ssl_module build supports it,
    # but no certificate is managed by the salt states, so TLS is off)
    #
    #server {
    # listen 443 ssl;
    # server_name localhost;

    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;

    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;

    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;

    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}

}
nginx自动化启动:
vim service.sls
# nginx/service.sls: builds on nginx/init.sls (the compile state) and turns
# the installed binary into a managed systemd service.
include:
  - nginx

# Unprivileged account that the worker processes drop to ("user nginx;" in
# nginx.conf). No login shell and no home directory is created.
nginx-user:
  user.present:
    - name: nginx
    - shell: /sbin/nologin
    - home: /usr/local/nginx
    - createhome: false

/usr/local/nginx/conf/nginx.conf:
  file.managed:
    - source: salt://nginx/nginx.conf

nginx-service:
  file.managed:
    - name: /usr/lib/systemd/system/nginx.service
    - source: salt://nginx/nginx.service
  service.running:
    - name: nginx
    - enable: true
    # NOTE(review): unlike the apache state there is no "watch" on the
    # config file, so an updated nginx.conf is written to the minion but
    # the running service is not reloaded by this state.
nginx启动文件:
vim nginx.service
# systemd unit pushed to /usr/lib/systemd/system/nginx.service by the
# nginx-service state. All paths match the --prefix=/usr/local/nginx build.
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
# nginx daemonises itself; systemd tracks the master through the pid file.
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
# Validate the configuration first so a bad nginx.conf push fails the start
# instead of leaving a half-working server.
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
# QUIT asks nginx for a graceful shutdown (finish in-flight requests).
ExecStop=/bin/kill -s QUIT $MAINPID
# Private /tmp and /var/tmp for the service.
PrivateTmp=true

[Install]
WantedBy=multi-user.target
放入:nginx-1.20.1.tar.gz 压缩包(放在 salt://nginx/ 对应的目录下)
运行:
salt server2 state.sls nginx.service
六.grains模块使用
1.grains默认模块调用
2.自定义grains使用
法一 minion内定义
server2
vim minion
# Static grain set in the minion config of server2; the minion must be
# restarted before it is reported.
grains:
  roles: apache
systemctl restart salt-minion.service
server3
vim minion
# Static grain set in the minion config of server3; the minion must be
# restarted before it is reported.
grains:
  roles: nginx
systemctl restart salt-minion.service
salt '*' grains.item roles
法二 创建grains文件,写入属性及value
server3:
vim grains
# Same roles grain as before, but kept in a standalone grains file instead
# of the minion config.
roles: nginx
salt '*' grains.item roles
法三 创建grains模块
server1
mkdir _grains
cd _grains/
ls
vim grains.py
salt '*' saltutil.sync_grains
salt '*' grains.item hello
[root@server1 salt]# cat _grains/grains.py
#!/usr/bin/env python
def grains():
    """Custom grains module: report two constant grains.

    After ``saltutil.sync_grains`` the minion exposes these values, e.g.
    ``grains.item hello``. Nothing is read from the host; both values are
    fixed.

    Returns:
        dict: ``{'hello': 'world', 'salt': 'stack'}``.
    """
    return {
        'hello': 'world',
        'salt': 'stack',
    }
法四 grains结合自动化脚本使用
创建sls文件:
vim top.sls
[root@server1 salt]# cat top.sls
# /srv/salt/top.sls: assign states by the "roles" grain instead of by
# hostname; applied with state.highstate.
# NOTE(review): grains are set on the minion side (minion config / grains
# file above), so a minion can claim any role and receive the matching
# states. Do not rely on grain matching to gate anything sensitive.
base:
  'roles:apache':
    - match: grain
    - apache
  'roles:nginx':
    - match: grain
    - nginx.service
测试对应服务主机名:
执行安装脚本:
salt '*' saltutil.sync_grains #同步脚本至受控端
salt '*' state.highstate #该命令直接调用top.sls
七.pillar模块
创建pillar目录:
mkdir pillar
定义模块规则:
[root@server1 srv]# cd pillar/
[root@server1 pillar]# ls
pkgs.sls top.sls
[root@server1 pillar]# cat top.sls
# /srv/pillar/top.sls: every minion ('*') receives the pkgs pillar.
base:
  '*':
    - pkgs
[root@server1 pillar]# cat pkgs.sls
{# /srv/pillar/pkgs.sls: per-host pillar values selected by the fqdn grain.
   There is no else branch, so a minion that is neither server2 nor server3
   gets no "port"/"package" keys and any state reading pillar['port'] fails
   to render for it. The fqdn grain itself is reported by the minion. #}
{% if grains['fqdn'] == 'server2' %}
port: 80
package: httpd
{% elif grains['fqdn'] == 'server3' %}
port: 8080
package: httpd
{% endif %}
查看pillar模块内容:
测试脚本:
vim test.sls
{# test.sls: append a host marker to /mnt/test, chosen by the fqdn grain.
   A minion matching neither branch renders a file.append with no text
   argument. #}
/mnt/test:
  file.append:
{% if grains['fqdn'] == 'server2' %}
    - text: server2
{% elif grains['fqdn'] == 'server3' %}
    - text: server3
{% endif %}
执行:
salt '*' state.sls test
结果:
八.pillar+grains+jinja模块
实现httpd不同端口安装运行
1.直接在配置文件导入
自动化安装脚本内容:
# apache state, variant 1: httpd.conf reads pillar/grains directly.
apache:
  pkg.installed:
    - pkgs:
      # Package name comes from the pkgs pillar; a minion without a
      # "package" pillar key cannot render this state.
      - {{ pillar['package'] }}
  service.running:
    - name: httpd
    - enable: true
    - reload: true
    # Reload httpd whenever the rendered config below changes.
    - watch:
      - file: /etc/httpd/conf/httpd.conf

/etc/httpd/conf/httpd.conf:
  file.managed:
    - source: salt://apache/httpd.conf
    # Render httpd.conf as a jinja template so it can use pillar and grains.
    - template: jinja
httpd.conf 配置:
# Bind to the last entry of the ipv4 grain (the order is whatever the minion
# reports -- confirm which interface that is) on the pillar-supplied port.
Listen {{ grains['ipv4'][-1] }}:{{ pillar['port'] }}
测试:
2.template导入
# apache state, variant 2: values are resolved in the state and handed to
# the template through "context", so httpd.conf stays free of pillar/grains.
apache:
  pkg.installed:
    - pkgs:
      - {{ pillar['package'] }}
  service.running:
    - name: httpd
    - enable: true
    - reload: true
    - watch:
      - file: /etc/httpd/conf/httpd.conf

/etc/httpd/conf/httpd.conf:
  file.managed:
    - source: salt://apache/httpd.conf
    - template: jinja
    # Plain variables available inside httpd.conf as {{ http_port }} / {{ ip }}.
    - context:
        http_port: {{ pillar['port'] }}
        ip: {{ grains['ipv4'][-1] }}
httpd.conf
# ip and http_port are supplied by the "context" block of the file.managed state.
Listen {{ ip }}:{{ http_port }}
salt '*' state.sls apache