SaltStack


Installation, configuration and testing

salt-master

yum install -y salt-master

Edit the configuration file /etc/salt/master

No changes are needed by default (KISS):

#interface: 0.0.0.0

Start

service salt-master restart

Check the listening port

netstat -lntp|grep 4505

salt-minion

Install

yum install -y salt-minion

Configure

/etc/salt/minion

master: 192.168.4.201

Start the minion

service salt-minion start

Check the connection to the master (the minion does not listen itself; it connects out to the master's ports, so list all sockets rather than only listening ones)

netstat -antp|grep 4506

Authorize the minion on the salt master (accept its key)

#salt-key -L
salt-key -a test.*.com

Test

salt test.*.com test.ping

Firewall rules on the master (iptables)

-A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
-A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

Conventions

Hostname

<app>-<001>-<sjc|fd|inner>-<11|12|201|204>-<ip>.*.com
kvmguest-002-inner-2-32.*.com
kvmguest-inner-192-168-2-32.*.com

/etc/hosts

127.0.0.1 localhost
<ip> hostname

Example:

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.2.32 kvmguest-002-inner-2-32.*.com kvmguest-002-inner-2-32

Remote commands

minion

salt '*' test.ping
salt 'myminion' sys.list_functions test
salt '*' sys.doc test.fib
salt '*' test.fib 30
salt '*' sys.doc test
salt '*' sys.list_functions sys

sudo salt '*' cmd.run_all 'echo HELLO'
sudo salt --out=nested '*' cmd.run_all 'echo HELLO'
salt --out=raw '*' cmd.run_all 'echo HELLO'
salt --out=json '*' cmd.run_all 'echo HELLO'
--out=yaml
--out=quiet

Targeting strings

salt '*' test.ping
sudo salt 'myminion' test.ping
sudo salt 'my*' test.ping
sudo salt 'my*mini*' test.ping
sudo salt '??minion' test.ping
sudo salt '[a-m]yminion' test.ping

Perl-compatible regular expression matching (PCRE)

salt -E 'myminion' test.ping
salt -E 'my' test.ping
salt -E 'my.*n' test.ping
salt -E '^myminion$' test.ping
salt -E '((my)|(your))minion' test.ping
salt -E 'myminion(s)?' test.ping
salt -E '(my)?minion' test.ping

List matching

salt -L 'myminion' test.ping
salt -L 'myminion,yourminion,theirminion' test.ping

Grains

Grains represent static data describing a minion.

Pillars

Pillar data is similar to grains except that it can be defined more dynamically and is a secure store for data.

Grain and pillar matching

salt '*' grains.item os_family
salt '*' grains.item os
salt '*' grains.item osfinger
salt --grain 'os_family:RedHat' test.ping
salt -G 'os:Ubuntu' test.ping
salt -G 'os:u*' test.ping
salt '*' grains.items

Setting variables (custom grains)

salt '*' grains.setval foo bar
salt '*' grains.item foo
salt '*' grains.setval baz '["larry", "moe", "curly"]'
salt '*' grains.delval baz

# cat /etc/salt/grains
baz:
- larry
- moe
- curly
foo: bar

salt '*.baz.com' test.ping
salt -E 'web-(prod|dev)' test.ping
salt -L 'web-jonh, dborac-ether' test.ping
# By grains, target the RedHat and Debian systems
salt -G 'os:(RedHat|Debian)' test.ping
# By Pillar data, target human resources
salt -I 'department:HR' test.ping
# By IP/subnet, target the local network
salt -S '192.16.0.0/24' test.ping

Compound matching

# By minion ID and grains
salt -C 'web-* and G@os:Ubuntu' test.ping
# By grains and Pillar data
salt -C 'G@cpuarch:x86_64 and I@office:32D' test.ping
salt -C '*minion and G@os:Ubuntu and not L@yourminion,theirminion' test.ping
salt -C '* and not G@os_family:RedHat' test.ping
salt -C 'G@os:Ubuntu or G@os:Fedora' test.ping

Compound match types

Letter  Match type          Example
G       Grains glob         G@os:Ubuntu
E       PCRE minion ID      E@web\d+.(dev|qa|prod).loc
P       Grains PCRE         P@os:(RedHat|Fedora|CentOS)
L       List of minions     L@minion1.example.com, minion3.domain.com
I       Pillar glob         I@pdata:foobar
S       Subnet/IP address   S@192.168.1.0/24 or S@192.168.1.100
R       Range cluster       R@%foo.bar
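To make the semantics of the prefixes in the table concrete, here is an added example (not Salt's own code and not from the original post) that evaluates compound expressions like the ones above against a small constructed inventory. It supports the G@, P@, E@, L@, I@ and S@ prefixes plus and/or/not and parentheses; bare words are minion-ID globs, and R@ (Range) is left out.

```python
import fnmatch
import ipaddress
import re

# Constructed inventory for this demo (not real hosts): id -> grains, pillar, IP.
INVENTORY = {
    "web-1":      {"grains": {"os": "Ubuntu", "cpuarch": "x86_64"},  "pillar": {"office": "32D"}, "ip": "192.168.1.10"},
    "web-2":      {"grains": {"os": "Fedora", "cpuarch": "x86_64"},  "pillar": {"office": "32D"}, "ip": "192.168.1.11"},
    "yourminion": {"grains": {"os": "Ubuntu", "cpuarch": "aarch64"}, "pillar": {"office": "1A"},  "ip": "10.0.0.5"},
    "db-1":       {"grains": {"os": "RedHat", "cpuarch": "x86_64"},  "pillar": {"office": "32D"}, "ip": "192.168.1.20"},
}

def _kv_match(data, target, regex=False):
    """key:pattern lookup against a grains or pillar dict (glob, or PCRE when regex=True)."""
    key, _, pat = target.partition(":")
    value = str(data.get(key, ""))
    return re.search(pat, value) is not None if regex else fnmatch.fnmatchcase(value, pat)

def match_term(minion_id, info, term):
    """Evaluate one <letter>@<target> term; a bare word is a minion-ID glob."""
    if len(term) > 2 and term[1] == "@" and term[0] in "GPEILS":
        letter, target = term[0], term[2:]
        if letter == "G": return _kv_match(info["grains"], target)              # grains glob
        if letter == "P": return _kv_match(info["grains"], target, regex=True)  # grains PCRE
        if letter == "I": return _kv_match(info["pillar"], target)              # pillar glob
        if letter == "E": return re.search(target, minion_id) is not None        # PCRE on the id
        if letter == "L": return minion_id in [m.strip() for m in target.split(",")]
        return ipaddress.ip_address(info["ip"]) in ipaddress.ip_network(target, strict=False)  # S@
    return fnmatch.fnmatchcase(minion_id, term)

OPS = {"and", "or", "not", "(", ")"}

def compound_match(expr, inventory=INVENTORY):
    """Sorted ids of minions matching a compound expression such as
    'web-* and G@os:Ubuntu'. As in Salt, tokens are split on whitespace,
    so parentheses must stand alone: '( G@os:Ubuntu or G@os:Fedora ) and web-*'."""
    matched = []
    for mid, info in inventory.items():
        tokens = [t if t in OPS else str(match_term(mid, info, t)) for t in expr.split()]
        # Every token is now True/False or an operator, so eval can only do
        # boolean logic; Salt's compound matcher reduces the expression the same way.
        try:
            if eval(" ".join(tokens), {"__builtins__": {}}, {}):
                matched.append(mid)
        except SyntaxError as exc:
            raise ValueError(f"bad compound expression: {expr!r}") from exc
    return sorted(matched)
```

Note that a grain a minion does not have (os_family in the inventory above) is treated as an empty string, so '* and not G@os_family:RedHat' selects every minion here.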

Remote execution modules and functions

<module>.<function>
test.ping

salt '*' sys.list_modules

Commonly used modules

User management

salt '*' sys.doc user.add
salt '*' user.add name <uid> <gid> <groups> <home> <shell>
salt '*' user.add larry
salt '*' user.info larry

Installing packages

salt '*' sys.doc pkg.install
salt '*' pkg.install httpd
salt '*' pkg.version nano
salt '*' pkg.list_pkgs --out=json
salt '*' pkg.remove htop

Managing services

salt '*' service.status httpd
salt '*' service.stop apache2

Monitoring minion status

salt '*' status.diskusage
salt '*' status.loadavg
salt '*' status.meminfo
salt '*' status.uptime

Running commands

salt '*' cmd.run 'echo Hello!'
salt '*' cmd.run_stderr 'echo Hello!'
salt '*' cmd.retcode 'echo Hello!'
salt '*' cmd.run_all 'echo Hello!'
cmd.script runs a shell script

state

Management of the base services covers the configuration management system, user account management, yum configuration, the hosts file, time synchronization and DNS configuration.

Configuration management system

The configuration management system uses a modular design: one module per service, with several modules combined into a role (/srv/salt/roles/).

All modules live under /srv/salt; the entry point is /srv/salt/top.sls.

The variables used by the modules live under /srv/pillar; the entry point is /srv/pillar/top.sls.

Variables are split into three levels according to their scope:

module level (/srv/pillar/<module name>),

role level (/srv/pillar/roles/),

node level (/srv/pillar/nodes).

The entry point /srv/salt/top.sls references the roles directly:

base:
  '*':
    - roles.common
  'admin.grid.mall.com':
    - roles.admin
  'ha.grid.mall.com':
    - roles.ha
  'web*.grid.mall.com':
    - roles.web
  'cache*.grid.mall.com':
    - roles.cache
  'mc*.grid.mall.com':
    - roles.mc
  'db*.grid.mall.com':
    - roles.db
  'search*.grid.mall.com':
    - roles.search
  'storage*.grid.mall.com':
    - roles.storage

The variable entry point /srv/pillar/top.sls:

base:
  '*':
    - roles.common
  # Reference role-level variables;
  # module-level variables are referenced from the role-level ones
  'admin.grid.mall.com':
    - roles.admin
  'ha.grid.mall.com':
    - roles.ha
  'web*.grid.mall.com':
    - roles.web
  'cache*.grid.mall.com':
    - roles.cache
  'mc*.grid.mall.com':
    - roles.mc
  'db*.grid.mall.com':
    - roles.db
  'search*.grid.mall.com':
    - roles.search
  'storage*.grid.mall.com':
    - roles.storage
  # Reference node-level variables
  'ha1.grid.mall.com':
    - nodes.ha1
  'ha2.grid.mall.com':
    - nodes.ha2
  'mc1.grid.mall.com':
    - nodes.mc1
  'mc2.grid.mall.com':
    - nodes.mc2
  'db1.grid.mall.com':
    - nodes.db1
  'db2.grid.mall.com':
    - nodes.db2
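As an added example (not part of the original post and not Salt's code), the resolver below works out which entries of a top file apply to a given minion id, using the same glob matching that Salt applies to top-file targets by default. PILLAR_TOP is a constructed, cut-down copy of the pillar top.sls above; the parser handles only this two-level shape, so no YAML library is needed.

```python
import fnmatch

# Constructed, cut-down copy of the pillar top.sls above (two-level YAML only).
PILLAR_TOP = """\
base:
  '*':
    - roles.common
  'ha.grid.mall.com':
    - roles.ha
  'web*.grid.mall.com':
    - roles.web
  'db*.grid.mall.com':
    - roles.db
  'ha1.grid.mall.com':
    - nodes.ha1
  'db1.grid.mall.com':
    - nodes.db1
"""

def parse_top(text):
    """Return {environment: [(target_glob, [sls, ...]), ...]} from a simple top file."""
    envs, env = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0 and line.endswith(":"):        # environment, e.g. base:
            env = line[:-1]
            envs[env] = []
        elif line.endswith(":"):                       # quoted target glob
            envs[env].append((line[:-1].strip("'\""), []))
        elif line.startswith("- "):                    # sls entry under the last target
            envs[env][-1][1].append(line[2:].strip())
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return envs

def resolve(minion_id, top_text, env="base"):
    """List the sls entries (in file order) whose target glob matches minion_id."""
    out = []
    for target, sls_list in parse_top(top_text).get(env, []):
        if fnmatch.fnmatchcase(minion_id, target):
            out.extend(sls_list)
    return out
```

Run against the page's own ids it shows that 'ha.grid.mall.com' is a literal target, so ha1.grid.mall.com receives roles.common and nodes.ha1 but not roles.ha, whereas db1.grid.mall.com receives roles.db through the db* glob as well as nodes.db1.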

User account management

User management module: /srv/salt/users

Both pillar and grains can be used to obtain variables.

Grains lean towards client-side information such as the hardware architecture, number of CPU cores and operating system version; they are the equivalent of puppet's facter.

Pillar is used to define user variables; passing pillar variables makes salt state modules easy to reuse. It is the equivalent of puppet's hiera.

Before using pillar variables, run salt '*' saltutil.refresh_pillar so that they take effect.

Use salt 'admin.grid.mall.com' pillar.item users to fetch the users variable:

/srv/salt/users/user.sls manages users

Saltstack: service deployment

API (HTTP RESTful)

salt --versions-report

Specify an sls file

We can also specify an sls file. Sls files don't normally use execution modules, and instead use state modules that are called automagically by Salt when it processes the state, although there is a special state module to call execution modules from within sls files. More on writing states in a minute:

Apply the states from the ssh.sls file on all minions.

Notice how we omit the .sls extension on the command line.

salt '*' state.sls ssh

salt -N 'logs_wpk' state.highstate
salt kvmguest-001-sjc-13-33.*.com state.highstate
salt kvmguest-001-sjc-13-33.*.com state.sls base.zabbix
