SaltStack in practice
Environment:
salt-master:192.168.0.106(node1.xuejl.com)
salt-minion-1:192.168.0.105(node2.xuejl.com)
salt-minion-2:192.168.0.106(node1.xuejl.com)
There are two minion clients in this environment; node1.xuejl.com runs both salt-minion and salt-master.
What this setup does:
1. Change the format of the user login/command log via /etc/profile
2. Raise the maximum number of connections (open files and processes) via /etc/security/limits.conf
3. Install the required packages
4. Set the required kernel parameters via /etc/sysctl.conf
5. Install keepalived
Edit the master configuration file so that file_roots points at the base environment:
file_roots:
  base:
    - /srv/salt/base
mkdir -p /srv/salt/base
mkdir /srv/salt/base/{etc,init,src}
Here etc holds the configuration files, init holds the initialisation sls files, and src holds source data such as installation packages.
cat >/srv/salt/base/etc/sysctl.conf <<EOF
# Kernel sysctl configuration file for RedHat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Controls the default maximum size of a message queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_forward=1
net.ipv4.ip_local_port_range = 5000 65000
net.ipv4.tcp_max_syn_backlog = 819200
vm.zone_reclaim_mode = 1
net.nf_conntrack_max = 52420
EOF
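The file above sets some keys more than once: net.ipv4.ip_forward is first set to 0 and later to 1, and net.ipv4.tcp_syncookies appears twice. sysctl(8) applies the file top to bottom, so the last value wins and IP forwarding ends up enabled on every minion that receives this file. The following script is an added example, not part of the original post: it parses a sysctl.conf in this format and reports duplicated keys together with the value that actually takes effect, so that conflicts are caught before the state is applied. The sample text is a constructed excerpt of the file above.

```python
"""Added example (not from the original post): parse a sysctl.conf and
report keys that are set more than once, with the effective (last) value."""
import re
from collections import OrderedDict

# Constructed excerpt of the sysctl.conf written above, including its duplicates.
SAMPLE_SYSCTL_CONF = """\
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward=1
net.ipv4.ip_local_port_range = 5000 65000
"""

# key = value, with optional whitespace around '='; dotted keys may contain '-'.
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl_conf(text):
    """Return (effective, duplicates).

    effective:  ordered dict key -> last value seen, i.e. what `sysctl -p` applies
    duplicates: dict key -> every value seen, in file order, for keys set more than once
    Comment and blank lines are skipped; lines that are not `key = value` are ignored here.
    """
    seen = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        seen.setdefault(key, []).append(value)
    effective = OrderedDict((k, v[-1]) for k, v in seen.items())
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates


def conflicting_keys(text):
    """Keys whose repeated settings disagree; these are the ones to review."""
    _, dups = parse_sysctl_conf(text)
    return sorted(k for k, vals in dups.items() if len(set(vals)) > 1)


if __name__ == "__main__":
    effective, dups = parse_sysctl_conf(SAMPLE_SYSCTL_CONF)
    for key, vals in dups.items():
        print("%s set %d times %s -> effective value %s" % (key, len(vals), vals, effective[key]))
    print("conflicting:", conflicting_keys(SAMPLE_SYSCTL_CONF))
```

Run against the real file with `parse_sysctl_conf(open("/srv/salt/base/etc/sysctl.conf").read())`; anything reported by `conflicting_keys` should be resolved in the file rather than left to ordering.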
cat >/srv/salt/base/etc/limits.conf <<EOF
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
# End of file
EOF
Change the user command log format
cd /srv/salt/base/init
# Quoted heredoc: $HOSTNAME, $(...) and ${USER} must reach /etc/profile unexpanded
cat >log.sls <<'EOF'
user_log:
  file.append:
    - name: /etc/profile
    - text:
      - export HISTTIMEFORMAT="{\"TIME\":\"%F%T\",\"HOSTNAME\":\"$HOSTNAME\",\"LI\":\"$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')\",\"LU\":\"$(who am i | awk '{print $1}')\",\"NU\":\"${USER}\",\"CMD\":\""
      - export PROMPT_COMMAND='history 1 | tail -1 | sed "s/^[ ]\+[0-9]\+ //" | sed "s/$/\"}/" >> /var/log/command.log'
EOF
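The HISTTIMEFORMAT / PROMPT_COMMAND pair above writes one JSON-looking line per command to /var/log/command.log, but the command text is pasted in unescaped, so any command that contains a double quote or a backslash yields a line a strict JSON parser rejects, and `history` may leave a leading space in front of the `{`. The parser below is an added example, not part of the original post: it tries JSON first and falls back to a fixed-layout match that takes everything between `"CMD":"` and the closing `"}` as the command, and it keeps the lines it cannot read so they are not silently lost. The sample lines are constructed; the field names are the ones the profile snippet emits.

```python
"""Added example (not from the original post): parse /var/log/command.log lines
written by the HISTTIMEFORMAT/PROMPT_COMMAND snippet above."""
import json
import re

# Constructed sample: a clean line, a line whose command contains quotes
# (invalid JSON), and an unrelated line that should be reported, not parsed.
SAMPLE_COMMAND_LOG = [
    '{"TIME":"2016-03-0110:15:02","HOSTNAME":"node1.xuejl.com","LI":"192.168.0.10","LU":"xuejl","NU":"root","CMD":"cat /etc/security/limits.conf"}',
    ' {"TIME":"2016-03-0110:16:40","HOSTNAME":"node1.xuejl.com","LI":"192.168.0.10","LU":"xuejl","NU":"root","CMD":"echo "done" >> /tmp/notes"}',
    'not a command record',
]

# Fixed field order as emitted by the profile snippet; CMD is greedy so quotes inside it are fine.
_FALLBACK_RE = re.compile(
    r'^\{"TIME":"(?P<TIME>[^"]*)","HOSTNAME":"(?P<HOSTNAME>[^"]*)",'
    r'"LI":"(?P<LI>[^"]*)","LU":"(?P<LU>[^"]*)","NU":"(?P<NU>[^"]*)",'
    r'"CMD":"(?P<CMD>.*)"\}$'
)


def parse_command_log_line(line):
    """Return a dict with TIME/HOSTNAME/LI/LU/NU/CMD, or None if the line is unreadable."""
    line = line.strip()  # history output can leave a leading space
    try:
        rec = json.loads(line)
        if isinstance(rec, dict) and "CMD" in rec:
            return rec
    except ValueError:  # json.JSONDecodeError is a ValueError
        pass
    m = _FALLBACK_RE.match(line)
    return m.groupdict() if m else None


def parse_command_log(lines):
    """Return (records, unparsed_lines)."""
    records, bad = [], []
    for line in lines:
        rec = parse_command_log_line(line)
        if rec is None:
            bad.append(line)
        else:
            records.append(rec)
    return records, bad


def commands_by_user(records):
    """Group commands by effective user (NU); LU is the login user, which differs after su/sudo."""
    out = {}
    for rec in records:
        out.setdefault(rec["NU"], []).append(rec["CMD"])
    return out


if __name__ == "__main__":
    records, bad = parse_command_log(SAMPLE_COMMAND_LOG)
    for user, cmds in commands_by_user(records).items():
        print(user, cmds)
    print("unparsed:", bad)
```

Because the log is appended by the user's own shell from a world-writable profile hook, treat it as a convenience trail rather than a tamper-proof audit record; a user can unset PROMPT_COMMAND or edit the file.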
Install the required packages
cat >package.sls <<EOF
package:
  pkg.installed:
    - pkgs:
      - lrzsz
      - bind
      - lsof
      - telnet
      - gcc
      - gcc-c++
      - httpd
      - openssl-devel
EOF
Set the kernel parameters
cat >sysctl.sls <<EOF
/etc/sysctl.conf:
  file.managed:
    - source: salt://etc/sysctl.conf
    - user: root
    - group: root
    - mode: 644
EOF
Raise the system's maximum connection limits
cat >ulimit.sls <<EOF
limit.conf:
  file.managed:
    - name: /etc/security/limits.conf
    - source: salt://etc/limits.conf
    - user: root
    - group: root
    - mode: 644
EOF
Install keepalived
mkdir -p /srv/salt/base/init/keepalived
cd /srv/salt/base/init/keepalived
1. Installation
First put the downloaded keepalived tarball into /srv/salt/base/src.
cat >install_keepalived.sls <<EOF
keepalived_tarball:
  file.managed:
    - name: /usr/local/src/keepalived-1.2.20.tar.gz
    - source: salt://src/keepalived-1.2.20.tar.gz
    - user: root
    - group: root
keepalived_extract:
  cmd.run:
    - name: tar -zxvf /usr/local/src/keepalived-1.2.20.tar.gz -C /usr/local/src
    - require:
      - file: keepalived_tarball
keepalived_build:
  cmd.run:
    - name: cd /usr/local/src/keepalived-1.2.20 && ./configure --prefix=/usr/local/keepalived --sysconfdir=/etc && make && make install
    - creates: /usr/local/keepalived/sbin/keepalived
    - require:
      - cmd: keepalived_extract
keepalived_default_conf:
  cmd.run:
    - name: cp /etc/keepalived/keepalived.conf /srv/salt/base/etc/keepalived.conf
    - require:
      - cmd: keepalived_build
EOF
cat >/srv/salt/base/etc/keepalived.conf <<EOF
! Configuration File for keepalived
global_defs {
   notification_email {
     #sysadmin@firewall.loc
   }
   #notification_email_from Alexandre.Cassen@firewall.loc
   #smtp_server 192.168.200.1
   #smtp_connect_timeout 30
   router_id LVS_DEVEL
}
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight -4
}
vrrp_instance VI_1 {
    state {{ state1 }}
    interface eth0
    virtual_router_id {{ routerid }}
    priority {{ priority }}
    virtual_ro
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        {{ vip }}
    }
    track_script {
        chk_haproxy
    }
}
vrrp_instance VI_2 {
    state {{ state2 }}
    interface eth0
    virtual_router_id {{ routerid1 }}
    priority {{ priority1 }}
    virtual_ro
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 2222
    }
    virtual_ipaddress {
        {{ vip2 }}
    }
    track_script {
        chk_haproxy
    }
}
EOF
Set the content of the keepalived configuration file
cat >keepalived_conf_file.sls <<EOF
keepalived_conf_file:
  file.managed:
    - name: /etc/keepalived/keepalived.conf
    - source: salt://etc/keepalived.conf
    - mode: 644
    - user: root
    - group: root
    - template: jinja
    - defaults:
        priority: {{ salt['pillar.get']('keepalived:priority') }}
        priority1: {{ salt['pillar.get']('keepalived:priority1') }}
        vip: {{ salt['pillar.get']('keepalived:vip') }}
        vip2: {{ salt['pillar.get']('keepalived:vip2') }}
        routerid: {{ salt['pillar.get']('keepalived:routerid') }}
        routerid1: {{ salt['pillar.get']('keepalived:routerid1') }}
        state2: {{ salt['pillar.get']('keepalived:state2') }}
        state1: {{ salt['pillar.get']('keepalived:state1') }}
EOF
Note: the configuration file above is a Jinja template; its values are loaded from pillar when the state is rendered.
Set up keepalived logging (without this, keepalived logs go to /var/log/messages by default)
cat >keepalived_log.sls <<EOF
keepalived_log:
  file.replace:
    - name: /etc/sysconfig/keepalived
    - pattern: KEEPALIVED_OPTIONS="-D"
    - repl: KEEPALIVED_OPTIONS="-D -d -S 0"
EOF
Set where the log is stored
cat >keepalived_rsyslog.sls <<EOF
keepalived_log_config:
  file.append:
    - name: /etc/rsyslog.conf
    - text: "local0.* /var/log/keepalived.log"
  cmd.run:
    - name: /etc/init.d/rsyslog restart
    - onchanges:
      - file: keepalived_log_config
EOF
With this many state files, running them one by one gets messy, so we include them all from a single file:
cat >/srv/salt/base/init/env_init.sls <<EOF
include:
  - init.hosts
  - init.sysctl
  - init.package
  - init.ulimit
  - init.keepalived.install_keepalived
  - init.keepalived.keepalived_rsyslog
  - init.keepalived.keepalived_log
  - init.keepalived.keepalived_conf_file
  - init.log
EOF
At this point all the state files are included from one place.
Next, set up the pillar configuration for keepalived.
cat /etc/salt/pillar
pillar_roots:
  base:
    - /srv/pillar
mkdir -p /srv/pillar/env_init
cd /srv/pillar/env_init
cat >keepalived.sls <<EOF
keepalived:
{% if grains['id'] == 'node1.xuejl.com' %}
  state1: BACKUP
  routerid: 51
  priority: 100
  vip: 192.168.0.253
  state2: MASTER
  routerid1: 151
  priority1: 101
  vip2: 192.168.0.254
{% elif grains['id'] == 'node2.xuejl.com' %}
  state1: MASTER
  routerid: 51
  priority: 101
  vip: 192.168.0.253
  state2: BACKUP
  routerid1: 151
  priority1: 100
  vip2: 192.168.0.254
{% else %}
  port: 80
{% endif %}
EOF
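The two pillar branches above have to stay consistent with each other: for each VRRP instance both nodes must use the same virtual_router_id and VIP, exactly one node must be MASTER, and the MASTER must hold the strictly higher priority, otherwise keepalived elects a different node than the one the config names and the VIP can flap or be claimed by both. The script below is an added example, not part of the original post: it mirrors the per-minion values from keepalived.sls in a dict and checks those invariants before the pillar is refreshed. The dict, the check function and its message format are assumptions of this example; minions that fall into the `{% else %}` branch receive no keepalived keys at all (pillar.get returns None, so the template would render empty values) and are not covered here.

```python
"""Added example (not from the original post): consistency check for the
keepalived pillar data above, run on the master before refresh_pillar."""
import copy

# Constructed from the grains['id'] branches of keepalived.sls above.
PILLAR_BY_MINION = {
    "node1.xuejl.com": {"state1": "BACKUP", "routerid": 51, "priority": 100, "vip": "192.168.0.253",
                        "state2": "MASTER", "routerid1": 151, "priority1": 101, "vip2": "192.168.0.254"},
    "node2.xuejl.com": {"state1": "MASTER", "routerid": 51, "priority": 101, "vip": "192.168.0.253",
                        "state2": "BACKUP", "routerid1": 151, "priority1": 100, "vip2": "192.168.0.254"},
}

# Which pillar keys feed which vrrp_instance in the keepalived.conf template.
INSTANCE_KEYS = {
    "VI_1": ("state1", "routerid", "priority", "vip"),
    "VI_2": ("state2", "routerid1", "priority1", "vip2"),
}


def check_vrrp_pillar(pillar_by_minion, instance_keys=INSTANCE_KEYS):
    """Return a list of problem strings; an empty list means the pillar is consistent."""
    problems = []
    for inst, (k_state, k_rid, k_prio, k_vip) in instance_keys.items():
        rids = {m: p[k_rid] for m, p in pillar_by_minion.items()}
        vips = {m: p[k_vip] for m, p in pillar_by_minion.items()}
        if len(set(rids.values())) != 1:
            problems.append("%s: virtual_router_id differs between nodes: %s" % (inst, rids))
        if len(set(vips.values())) != 1:
            problems.append("%s: VIP differs between nodes: %s" % (inst, vips))
        masters = [m for m, p in pillar_by_minion.items() if p[k_state] == "MASTER"]
        if len(masters) != 1:
            problems.append("%s: expected exactly one MASTER, got %s" % (inst, masters))
            continue
        master = masters[0]
        mprio = pillar_by_minion[master][k_prio]
        for m, p in pillar_by_minion.items():
            if m != master and p[k_prio] >= mprio:
                problems.append("%s: BACKUP %s has priority %d >= MASTER %s priority %d"
                                % (inst, m, p[k_prio], master, mprio))
    # A virtual_router_id must not be shared by two instances on the same segment.
    rid_owner = {}
    for inst, (_, k_rid, _, _) in instance_keys.items():
        for p in pillar_by_minion.values():
            rid_owner.setdefault(p[k_rid], set()).add(inst)
    for rid, insts in rid_owner.items():
        if len(insts) > 1:
            problems.append("virtual_router_id %s reused by %s" % (rid, sorted(insts)))
    return problems


def with_override(pillar_by_minion, minion, key, value):
    """Copy of the pillar with one value changed; handy for what-if checks."""
    changed = copy.deepcopy(pillar_by_minion)
    changed[minion][key] = value
    return changed


if __name__ == "__main__":
    for p in check_vrrp_pillar(PILLAR_BY_MINION) or ["pillar is consistent"]:
        print(p)
```

Run it after every edit of keepalived.sls; the same checks can be pointed at live data by replacing the dict with the output of `salt '*' pillar.get keepalived --out=json`.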
This is the pillar data for keepalived; once it is written, load it:
salt '*' saltutil.refresh_pillar
After the refresh you can view the pillar data you defined:
salt '*' pillar.items
The pillar data is likewise included from a single file:
cat >init.sls <<EOF
include:
  - env_init.keepalived
EOF
Now all the state files we need are written; all that is left is a top.sls to load and run them:
cat >/srv/salt/base/top.sls <<EOF
base:
  '*':
    - init.env_init
EOF
With that written, run it:
salt '*' state.highstate
That's it; the states are applied.
Similarly, if we want puppet-like behaviour, with the data synchronised every 30 minutes, we can write a scheduler entry in pillar:
schedule:
  helloworld:
    function: state.highstate
    args:
      - top
    minutes: 30
That is all; after loading it, refresh the pillar and the schedule takes effect.