1. Introduction to SaltStack
SaltStack is a client/server (C/S) configuration management tool written in Python. Underneath, it communicates over the ZeroMQ message queue in pub/sub mode, and authentication is managed by key signing in the manner of SSL certificates. It is easy to deploy and can be up and running within a few minutes; it scales well, managing tens of thousands of servers without difficulty, and it is fast, with communication between servers measured in seconds. ZeroMQ, billed as the fastest message queue in the world, lets SaltStack carry out all kinds of operations across thousands of machines quickly; identity is confirmed with RSA keys and the transport is encrypted with AES, which secures the channel.
Basic principle:
SaltStack works in a client/server (C/S) model:
- The server side is the Salt master and the client side is the minion; minions and the master communicate through the ZeroMQ message queue.
- When a minion starts for the first time it generates minion.pem and minion.pub under /etc/salt/pki/minion/ and then sends minion.pub to the master.
- On the master, salt-key -L lists the minion's key; once the master has accepted it, the master keeps a copy of that public key under /etc/salt/pki/master/minions/ and the two sides trust each other.
- Both master and minion run as daemons, listening all the time on the ports defined in their configuration files: ret_port (receives minion requests) and publish_port (publishes messages).
- After the master starts it listens on ports 4505 and 4506 by default: 4505 (publish_port) is the message publishing system and 4506 (ret_port) is the port over which minions talk back to the master. If you inspect port 4505 with lsof, every minion shows up holding a persistent connection in the ESTABLISHED state.
- ZMQ (ZeroMQ, abbreviated ZMQ below) is a packaged socket library, a transport-layer message-queue library that makes socket programming simpler, cleaner and faster, and that scales elastically across threads, cores and hosts. It is a promising and much-needed layer on top of the "traditional" BSD sockets, and it makes writing high-performance network applications remarkably simple and enjoyable.
- It offers a set of socket-like interfaces, but differs from plain sockets: an ordinary socket is end-to-end (a 1:1 relationship), whereas ZMQ supports N:M. Most people know BSD sockets as point-to-point connections, which must be explicitly established and torn down, choose a protocol (TCP/UDP) and handle errors; ZMQ hides those details and makes network programming simpler. ZMQ is used for communication between nodes, where a node can be a host or a process.
2. Lab environment
- Server1: 172.25.2.1/24 (salt-master, RHEL 6.5)
- Server2: 172.25.2.2/24 (salt-minion, RHEL 6.5)
- Physical host: 172.25.2.250/24 (serves the yum repository, RHEL 7.3)
Baidu Cloud link for the install packages:
Detailed explanation of the salt-master configuration file (another blogger's write-up that I found well worth a look)
SaltStack official website
3. Lab
3.1 Share the install packages over HTTP from the physical host
1. // copy the packages into the web server's publishing directory
[root@foundation2 saltstack]# cp -r rhel6/ /var/www/html/
[root@foundation2 saltstack]# cd /var/www/html/
[root@foundation2 html]# ls
rhel6 rhel6.5 source7.0 source7.2
[root@foundation2 html]# ll
total 20
drwx------ 3 root root 4096 Aug 17 05:20 rhel6
dr-xr-xr-x 12 root root 8192 Nov 12 2013 rhel6.5
dr-xr-xr-x 10 root root 4096 May 7 2014 source7.0
dr-xr-xr-x 10 root root 4096 Oct 30 2015 source7.2
[root@foundation2 html]# chmod 555 rhel6/ -R // change permissions so the tree is readable
[root@foundation2 html]# ll
total 20
dr-xr-xr-x 3 root root 4096 Aug 17 05:20 rhel6
dr-xr-xr-x 12 root root 8192 Nov 12 2013 rhel6.5
dr-xr-xr-x 10 root root 4096 May 7 2014 source7.0
dr-xr-xr-x 10 root root 4096 Oct 30 2015 source7.2
2. // configure the yum repositories on the virtual machines
[root@server1 ~]# vim /etc/yum.repos.d/rhel-source.repo
[rhel-source]
name=Red Hat Enterprise Linux $releasever - $basearch - Source
baseurl=http://172.25.2.250/rhel6.5
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[salt]
name=saltstack
baseurl=http://172.25.2.250/rhel6
gpgcheck=0
3.2 Install salt-master
// on server1:
[root@server1 salt]# yum install salt-master -y
[root@server1 salt]# /etc/init.d/salt-master start
Starting salt-master daemon: [ OK ]
3.3 Install salt-minion
// on server2:
[root@server2 ~]# yum install salt-minion -y
[root@server2 ~]# cd /etc/salt/
[root@server2 salt]# vim minion
master: 172.25.2.1 // point the minion at server1 as its master
[root@server2 salt]# /etc/init.d/salt-minion start
Starting salt-minion:root:server2 daemon: OK
3.4 Exchange public keys
// on server1:
[root@server1 salt]# salt-key -L // list the keys; server2 has not been accepted yet
Accepted Keys:
Denied Keys:
Unaccepted Keys:
server2
Rejected Keys:
[root@server1 salt]# salt-key --help //查看命令帮助
Usage: salt-key [options]
salt-key is used to manage Salt authentication keys
Options:
--version show program's version number and exit
--versions-report Show program's dependencies version number and exit.
-h, --help show this help message and exit
--saltfile=SALTFILE Specify the path to a Saltfile. If not passed, one
will be searched for in the current working directory.
-c CONFIG_DIR, --config-dir=CONFIG_DIR
Pass in an alternative configuration directory.
Default: '/etc/salt'.
-u USER, --user=USER Specify user to run salt-key.
--hard-crash Raise any original exception rather than exiting
gracefully. Default: False.
-q, --quiet Suppress output.
-y, --yes Answer "Yes" to all questions presented. Default:
False.
--rotate-aes-key=ROTATE_AES_KEY
Setting this to False prevents the master from
refreshing the key session when keys are deleted or
rejected, this lowers the security of the key
deletion/rejection operation. Default: True.
Logging Options:
Logging options which override any settings defined on the
configuration files.
--log-file=KEY_LOGFILE
Log file path. Default: '/var/log/salt/key'.
--log-file-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of 'all', 'garbage',
'trace', 'debug', 'profile', 'info', 'warning',
'error', 'critical', 'quiet'. Default: 'warning'.
External Authentication:
--auth=EAUTH, --eauth=EAUTH, --external-auth=EAUTH
Specify an external authentication system to use.
-T, --make-token Generate and save an authentication token for re-use.
The token is generated and made available for the
period defined in the Salt Master.
--username=USERNAME
Username for external authentication.
--password=PASSWORD
Password for external authentication.
Output Options:
Configure your preferred output format.
--out=OUTPUT, --output=OUTPUT
Print the output from the 'salt-key' command using the
specified outputter.
--out-indent=OUTPUT_INDENT, --output-indent=OUTPUT_INDENT
Print the output indented by the provided value in
spaces. Negative values disables indentation. Only
applicable in outputters that support indentation.
--out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE
Write the output to the specified file.
--out-file-append, --output-file-append
Append the output to the specified file.
--no-color, --no-colour
Disable all colored output.
--force-color, --force-colour
Force colored output.
--state-output=STATE_OUTPUT, --state_output=STATE_OUTPUT
Override the configured state_output value for minion
output. One of 'full', 'terse', 'mixed', 'changes' or
'filter'. Default: 'none'.
--state-verbose=STATE_VERBOSE, --state_verbose=STATE_VERBOSE
Override the configured state_verbose value for minion
output. Set to True or False. Default: none.
Actions:
-l ARG, --list=ARG List the public keys. The args 'pre', 'un', and
'unaccepted' will list unaccepted/unsigned keys. 'acc'
or 'accepted' will list accepted/signed keys. 'rej' or
'rejected' will list rejected keys. 'den' or 'denied'
will list denied keys. Finally, 'all' will list all
keys.
-L, --list-all List all public keys. Deprecated: use "--list all".
-a ACCEPT, --accept=ACCEPT
Accept the specified public key (use --include-
rejected and --include-denied to match rejected and
denied keys in addition to pending keys). Globs are
supported.
-A, --accept-all Accept all pending keys.
-r REJECT, --reject=REJECT
Reject the specified public key. Use --include-
accepted and --include-denied to match accepted and
denied keys in addition to pending keys. Globs are
supported.
-R, --reject-all Reject all pending keys.
--include-all Include rejected/accepted keys when
accepting/rejecting. Deprecated: use "--include-
rejected" and "--include-accepted".
--include-accepted Include accepted keys when rejecting.
--include-rejected Include rejected keys when accepting.
--include-denied Include denied keys when accepting/rejecting.
-p PRINT, --print=PRINT
Print the specified public key.
-P, --print-all Print all public keys.
-d DELETE, --delete=DELETE
Delete the specified key. Globs are supported.
-D, --delete-all Delete all keys.
-f FINGER, --finger=FINGER
Print the specified key's fingerprint.
-F, --finger-all Print all keys' fingerprints.
Key Generation Options:
--gen-keys=GEN_KEYS
Set a name to generate a keypair for use with salt.
--gen-keys-dir=GEN_KEYS_DIR
Set the directory to save the generated keypair, only
works with "gen_keys_dir" option. Default: '.'.
--keysize=KEYSIZE Set the keysize for the generated key, only works with
the "--gen-keys" option, the key size must be 2048 or
higher, otherwise it will be rounded up to 2048.
Default: 2048.
--gen-signature Create a signature file of the masters public-key
named master_pubkey_signature. The signature can be
send to a minion in the masters auth-reply and enables
the minion to verify the masters public-key
cryptographically. This requires a new signing-key-
pair which can be auto-created with the --auto-create
parameter.
--priv=PRIV The private-key file to create a signature with.
--signature-path=SIGNATURE_PATH
The path where the signature file should be written.
--pub=PUB The public-key file to create a signature for.
--auto-create Auto-create a signing key-pair if it does not yet
exist.
You can find additional help about salt-key issuing "man salt-key" or on
http://docs.saltstack.com
[root@server1 salt]# salt-key -A // accept all pending keys
The following keys are going to be accepted:
Unaccepted Keys:
server2
Proceed? [n/Y] Y
Key for minion server2 accepted.
[root@server1 salt]# salt-key -L // the key exchange has now succeeded
Accepted Keys:
server2
Denied Keys:
Unaccepted Keys:
Rejected Keys:
// If a salt-minion host is renamed, delete /etc/salt/minion_id so that it is regenerated, because minion_id holds the hostname recorded when the minion first started.
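The walkthrough accepts every pending key with salt-key -A. The help text above also lists -f/-F for printing key fingerprints, and comparing a fingerprint against one recorded out of band before accepting is what keeps an unknown host from enrolling as server2. The script below is an added example, not part of the original post; it assumes that salt-key -f prints lines of the form "<id>:  <fingerprint>", as in the constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: accept a pending minion key only
# when its fingerprint matches one recorded out of band (for instance taken
# from the minion itself before it was connected to the network).
# Assumed layout of `salt-key -f <id>` output: "<id>:  <fingerprint>" lines
# under a header such as "Unaccepted Keys:", as in the constructed sample below.

# Print the fingerprint for one minion id from salt-key output read on stdin.
# Arg 1: minion id.
fingerprint_of() {
  awk -v id="$1" '$1 == id ":" { print $2; exit }'
}

# Succeed (exit 0) only when the pending fingerprint equals the expected one.
# Args: minion id, expected fingerprint, salt-key output text.
fingerprint_matches() {
  actual=$(printf '%s\n' "$3" | fingerprint_of "$1")
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Run on the master: look up the pending key, compare, and accept with -y only
# on a match. Anything else is left pending for a human to inspect.
accept_if_known() {
  out=$(salt-key -f "$1") || return 1
  if fingerprint_matches "$1" "$2" "$out"; then
    salt-key -y -a "$1"
  else
    echo "fingerprint mismatch for $1, key left unaccepted" >&2
    return 1
  fi
}

# Constructed sample of `salt-key -f server2` output (not real key material).
SAMPLE_OUTPUT='Unaccepted Keys:
server2:  aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99'
SAMPLE_FP='aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99'
```

Usage on the master would be accept_if_known server2 "$EXPECTED_FP", with the expected value supplied from your own inventory, never from the master's pending list.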
3.5 Inspect the keys
// on server1:
[root@server1 salt]# cd pki/master/
[root@server1 master]# md5sum master.pub
660f7f951fc03b392355169fbb2a0119 master.pub // the master's public key
// on server2 (the same checksum shows the minion holds the genuine master key):
[root@server2 salt]# cd pki/minion/
[root@server2 minion]# md5sum minion_master.pub
660f7f951fc03b392355169fbb2a0119 minion_master.pub
3.6 Check the listening ports
[root@server1 master]# lsof -i :4505
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 1800 root 16u IPv4 14512 0t0 TCP server1:4505 (LISTEN)
salt-mast 1800 root 18u IPv4 17279 0t0 TCP server1:4505->server2:53946 (ESTABLISHED)
[root@server1 master]# lsof -i :4506
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
salt-mast 1807 root 24u IPv4 14523 0t0 TCP server1:4506 (LISTEN)
// make the salt processes show under their own names instead of as bare python processes
[root@server1 master]# yum install python-setproctitle.x86_64 -y
[root@server1 master]# /etc/init.d/salt-master restart
Stoppingsalt-master daemon: [ OK ]
Starting salt-master daemon: [ OK ]
3.7 Test the Salt service
[root@server1 master]# salt '*' test.ping
server2:
True
[root@server1 master]# salt '*' cmd.run hostname // run the hostname command on every salt-minion host
server2:
server2
// in the same way, run "df -h" on server2
4. Installing httpd and php from rpm through Salt
The three rules of SaltStack's YAML syntax
Rule 1: indentation
YAML uses a fixed indentation style to express the hierarchy of the data. SaltStack requires each indentation level to be two spaces. Never use the Tab key.
Rule 2: colons
YAML: mykey: my_value. Every colon must be followed by a space (a colon at the end of a line needs no space, and templates that denote file paths may omit it).
Rule 3: dashes
To express a list item, use a dash followed by a space. Several items at the same indentation level form one list.
e.g.:
my_dictionary:
  - list_value_one
  - list_value_two
  - list_value_three
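The three rules above are easy to state and easy to break silently (a stray tab or a missing space after a colon produces a state that fails to render). As an added example that is not part of the original post, here is a small awk-based linter that checks a .sls file against exactly those rules, using the apache.sls state from section 4.2 as its clean sample.

```shell
#!/bin/sh
# Added example, not from the original post: a small linter for the three
# SaltStack YAML rules above. lint_sls reads a .sls file on stdin, prints one
# line per finding and exits 0 when the file is clean, 1 otherwise.
lint_sls() {
  awk '
    BEGIN { bad = 0 }
    # Rule 1: no tab characters, and indentation in multiples of two spaces.
    /\t/ { printf "line %d: tab character\n", NR; bad = 1 }
    { match($0, /^ */)
      if (RLENGTH % 2) { printf "line %d: indent %d is not a multiple of 2\n", NR, RLENGTH; bad = 1 } }
    # Rule 2: a key colon that introduces a value needs a space after it
    # ("key:value" is flagged). A colon at end of line is fine, and a "://"
    # path such as salt://files/httpd.conf is allowed, as the rule says.
    /^ *(- )?[A-Za-z_][A-Za-z0-9_.-]*:[^ \/]/ { printf "line %d: missing space after colon\n", NR; bad = 1 }
    # Rule 3: a list item is a dash plus a space; "-item" is flagged
    # ("---" document markers are left alone).
    /^ *-[^ -]/ { printf "line %d: missing space after list dash\n", NR; bad = 1 }
    END { exit bad }
  '
}

# Constructed samples: the apache.sls state from section 4.2 of this post, and
# a copy broken in four places (tab, 3-space indent, "-httpd", "name:httpd").
GOOD_SLS='apache-install:
  pkg.installed:
    - pkgs:
      - httpd
      - php'
BAD_SLS=$(printf 'apache-install:\n\tpkg.installed:\n   - pkgs:\n      -httpd\n      - name:httpd')

# Convenience wrapper returning the number of findings for a file on stdin.
count_findings() {
  lint_sls | wc -l | tr -d ' '
}
```

Run it as lint_sls < /srv/salt/httpd/apache.sls before pushing; a non-zero exit means the state needs fixing first.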
4.1 Enable the file server:
[root@server1 master]# vim /etc/salt/master // enable the base environment; this is the master's entry point for state files
file_roots:
  base:
    - /srv/salt
4.2 Write the deployment state and push it
// the state file can be named anything but must end in .sls
[root@server1 master]# ls /srv
[root@server1 master]# mkdir /srv/salt
[root@server1 master]# /etc/init.d/salt-master restart
[root@server1 master]# cd /srv/salt/
[root@server1 salt]# mkdir httpd // httpd and php are configured in this directory
[root@server1 salt]# cd httpd
[root@server1 httpd]# vim apache.sls // the deployment state
apache-install:
  pkg.installed:
    - pkgs:
      - httpd
      - php
// test first (dry run), then push
[root@server1 httpd]# salt server2 state.sls httpd.apache test=true
// push
4.3 Check the installation on server2
[root@server2 minion]# rpm -q httpd php // success
httpd-2.2.15-29.el6_4.x86_64
php-5.3.3-26.el6.x86_64