V 9 saltstack (1)

salt是一个新的基础平台管理工具,2011-02-20诞生,创造者Thoms SHatch,起名salt原因生活中常见、易记,使用saltstack.com原因这个域名没有被注册,Because salt goes everywhere;

部署简单,只需花费很短时间即可运行起来,扩展性足以支持管理上万台server;

速度很快,毫秒级通信,server间完成数据传递足够快;

用python语言开发;

工作方式:Master/Minion(ZeroMQ),Masterless,Salt-SSH(0.17+);

三大功能:remote execution;config management;cloud management;

项目地址:https://github.com/saltstack/salt

http://www.saltstack.cn/

salt底层基于ZeroMQ PUB-SUBpattern(publisher-subscriber),master/minion通信高效传递及扩展、异步;

saltstack社区致力于保持salt项目集中、友好、健康、开放;

在win平台上只能运行minion;

注:

salt-master-2015.5.10-2.el6.noarch(版本号以年月日命名,此处是5月第2次发行)

salt-minion-2015.5.10-2.el6.noarch

salt-2015.5.10-2.el6.noarch

zeromq3-3.2.5-1.el6.x86_64(rhel6默认zeromq是3系列,rhel5默认zeromq是2系列,若在rhel5上使用需要升级zeromq为3系统,因为2系列有bug会导致minion与master断开后无法重连)

master上可用的命令有:salt、salt-key、salt-cp、salt-master、salt-run、salt-unity;

minion上可用的命令有:salt-call、salt-minion;

master端的配置文件是/etc/salt/master,minion端的配置文件是/etc/salt/minion,常用的配置选项看以下内容,master端配置文件若改动不用重启即刻生效;

key密钥管理(salt数据采用AES加密,同时master&minion采用key管理;minion在配置中指定master地址,启动后会自动被master识别;minion只有先被masteraccepted接受过key之后,master才能管理minion,同时master的public key也会传到minion上,实现更安全的双向认证;keys默认存储在/etc/salt/pki/下;管理工具,master的salt-key wheel API);

salt数据系统(grains谷物和pillar柱子):

grains:salt0.7.0整合了puppetfacter,0.8.7加入grains用于取代facter,存储在minion端,用于保存minion端的数据信息,当minion启动时才加载grains信息,所以grains信息是静态的,grains可用于minion信息查询、target配置管理模板等;

pillar:salt0.9.8版本增加了pillar,存储在master端,存放需要提供给minion的信息,应用场景:敏感信息(每个minion只能访问master分配给自己的pillar信息)、变量(差异化的信息)、其它任何数据、可在target、state中使用);

grains VS pillar:

用途不同(grains用于存储minion的基本数据信息,这些信息是批量的不可变的;pillar用于存储master分配给minion的数据信息);

存储区域不同(grains的元数据存储在minion端;pillar的元数据存储在master端);

更新方式不同(grains是在minion启动时进行更新,也可通过saltutil.sync_grains进行刷新;pillar的元数据在master端,要用saltutil.refresh_pillar进行刷新,相较于grains,pillar效率更高、更灵活);

salt远程执行:

salt第一个版本0.6.0就确定了远程执行的功能,当前官方版本支持的远程执行模块数量超200个以上;

#salt [options] ‘<target>‘ <function> [arguments]   #(target options有:-E(--pcre),-L(--list),-G(--grain),-I(--pillar),-N(--nodegroup),-C(--compound);target指定哪些minion要执行;function表示为模块名.方法,module.method,如cmd.run;自定义模块时,只需要关注业务处理逻辑即可)

常用的options有:

-b(--batch-size),此项很有用,可用于分批次的重启服务,若全部在一个时间重启,业务将停止;batch size会维护一个运行minions数目的窗口,第一次指定数目的minions运行,一旦有一个minion执行完成,则立即新增一个minion运行;

-v(--verbose);

--show-jid;

target支持的matcher有:

globing通配符;

RE正则,-E;

list,-L,指定需要运行该指令的minion列表,列表中的元素用逗号分隔;

grain,-G,通过minion的grain信息来进行匹配;

pillar,-I,通过pillar来匹配需要运行指令的minion;

nodegroups,-N,分组,在master配置文件中配置,或在/etc/salt/master.d/*.conf中配置;

compound混搭,-C;

其中compound使用时:

G,grains glob(如[email protected]:Ubuntu);

E,pcre minion id(如[email protected]\d+\.(dev|qa|prod)\.loc));

P,grains pcre(如[email protected]:(RedHat|Fedora|CentOS));

L,list of minions,此处的or即和的意思,and为或的意思(如[email protected],minion2.domain.comor bl*domain.com));

I,pillar glob(如[email protected]:foobar));

S,subnet/ipaddress([email protected]/24or [email protected]);

R,range cluster([email protected]%foo.bar);

#salt ‘*‘ test.ping   #(测试所有minion是否连通)

#salt ‘*‘ pkg.install httpd   #(安装指定软件包)

#salt ‘*‘ cp.get_filesalt://apache/files/etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf   #(分发配置文件,方法一:cp.get_file方法默认的源文件是在/etc/salt/master主配置文件中的file_roots选项指定的位置/srv/salt/下找)

#salt-cp ‘*‘/srv/salt/apache/files/etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf   #(分发配置文件,方法二:salt-cp源文件可在本地文件系统的任意位置)

#salt ‘*‘ service.start httpd   #(启动指定服务)

#salt-run jobs.list_jobs   #(查看运行过的任务)

#salt -v ‘*‘ test.ping   #(显示当前任务的jid)

#salt ‘*‘ saltutil.running   #(列出minion端正在执行哪些任务)

#salt-run jobs.lookup_jid <jid>   #(根据jid,查看具体某项任务执行结果)

配置管理configuration management:

wikipedia组态管理,是一个建立系统工程的过程,用来建立与维持一个产品,让这个产品的效能、功能、所要求的物理特性,在它的生命周期中都能保持稳定与一致性;

salt0.8.8开始加入state system状态管理系统,0.9.3真正支持statesystem,在状态管理方面可与puppet、chef等竞争,这对salt有里程碑意义;

salt中对应的配置描述文件称为.sls(SaLt State);

YAML(Yet Another Markup Language-->YAML Ain‘t Markup Language):

salt默认使用YAML作为sls文件描述格式;

使用空白字符为文件缩排来表示结构,不能使用<TAB>;

注释用#号;

字符串平常不使用引号,若有需要可使用单引号或双引号,双引号中的特殊字符可用backslash反斜线\来进行转义;

用法:

列表(短杠-加+空白字符);

字典(key和value通过冒号:加+空白字符隔开);

多层结构(通过空格缩进来表示层级);

举例列表:

- jason

- bourne

等同于

[‘jason‘,‘bourne‘]

举例字典:

name: jason

site: http://www.saltstack.com/

等同于

{‘name‘:‘jason‘,‘site‘:‘http://www.saltstack.com/‘}

举例多层结构:

- jason:

-sites:

-blog: http://jason.org/

-github: http://github.com/jason/

等同于

[{‘jason‘:[{‘sites‘:[{‘blog‘:‘http://jason.org/‘},{‘github‘:‘http://github.com/jason/‘}]}]}]

jinja2:

salt默认使用jinja2模板系统来生成YAML,jinja2为python开发的模板引擎,功能类似于php的smarty、J2EE的Freemarker和velocity,它能完全支持unicode,并具有集成的沙箱执行环境,应用广泛,jinja2使用BSD授权;

http://jinja.pocoo.org/

用法:

变量表示为{{ foo }};

变量属性表示为{{ foo.bar }}或{{ foo[‘bar‘] }};

注释表示为{{# comment #}};

for语句:

{% for eachitem in items %}

{{ eachitem }}

{% endfor %}

if语句:

{% if GFW %}

Welcome to China!

{% elif not Internet %}

Welcome to North Korea!

{% else %}

Freedom

{% endif %}

state tree:

top file,默认top.sls,配置管理入口文件,和pillar类似,指定minion需要完成哪些配置管理;

sls模块使用点分割,例如apache.install等同于salt://apache/install.sh或salt://apache/install/init.sls;

include/extend,sls文件之间可通过include和extend来引用和扩展;

sls中的id必须唯一,且在该id下同一类的状态管理模块只能有一个;

salt0.17.0增加了state_auto_order参数,默认值True,使state在没有requisites的情况下按从上到下的顺序依次执行;

requisites:

require,本state执行时需要先执行哪些state;

require_in,与require位置相反;

watch,除require功能外,也会监测依赖的state的状态,如果状态发生变化作出反应;

watch_in,与watch位置相反;

prereq,0.16.0新增的功能,会通过test=True接口检查所依赖的state的状态,如果状态发生变化,执行;

prereq_in,与prereq位置相反;

软件包状态管理模块:

模块名pkg,功能,管理软件包状态,会根据os的不同,选择对应的安装方式,例如rhel的yum,debian的apt-get;

基本用法:

pkg.installed(确保软件包已安装,如果没有安装进行安装);

pkg.latest(确保软件是最新版本,如果不是进行升级);

pkg.remove(确保软件包已卸载,如果之前已安装进行卸载);

pkg.purge(除remove外,也会删除其配置文件);

文件状态管理模块:

模块名file,功能,管理文件状态;

基本用法:

file.managed(保证文件存在且为对应的状态);

file.recurse(保证目录存在且为对应的状态);

file.absent(确保文件不存在,若存在则进行删除操作);

服务状态管理模块:

模块名service,功能,管理服务状态;

基本用法:

service.running(确保服务处于运行状态,如果没有运行则进行启动);

service.enabled(确保服务会开机自动启动);

service.disabled(确保服务不会开机自启);

service.dead(确保服务当前没有运行);

#salt ‘*‘ state.sls apache(运行指定服务的配置管理,打印出的内容中,绿色表示未变更,蓝色列出变更了哪些,红色为哪些执行失败);

#salt ‘*‘ state.highstate(运行所有服务配置管理);

#salt ‘*‘ state.highstate test=True(测试,会打印出当前状态,不会应用到各minion上);

注:

top.sls文件中定义的内容,只要能匹配到minion都会先后执行所有操作,而不是像iptables那样先匹配到就不匹配之后的内容;

*.sls配置文件中各级之间的空格要是2的倍数,例如一级顶格写,二级2个空格,3级4个空格,否则提示state.py in render_state sls之类的错误;

python八荣八耻:

以动手实践为荣,以只看不练不耻;

以打印日志为荣,以单步跟踪为耻;

以空格缩进为荣,以制表缩进为耻;

以单元测试为荣,以人工测试为耻;

以模块利用为荣,以复制粘贴为耻;

以多态应用为荣,以分支判断为耻;

以pythonic为荣,以冗余拖沓为耻;

以总结分享为荣,以跪求其解为耻。

salt高级应用(job管理、schedule、salt syndic、salt-ssh)

job管理:

jid,job id,格式为%Y%m%d%H%M%S%f;

master在下发指令消息时会随带上产生的jid,minion在接收到指令开始执行时,会在本地的cachedir(/var/cache/salt/minion)下的proc/下产生以该jid命名的文件,这个文件用于在执行过程中master查看minion当前任务的执行情况,minion端把指令执行完毕将结果传给master后,删除proc/下的临时文件;

master将minion的执行结果存在本地/var/cache/salt/master/jobs/下,默认缓存24h,可通过keep_jobs调整保存多长时间;

#salt-run jobs.list_jobs

#salt ‘*‘ saltutil.running

#salt -v ‘*‘ service.status httpd

#salt -v ‘*‘ cmd.run ‘sleep 30‘

#salt-run jobs.lookup_jid <jid>

saltutil模块中的job管理方法有:

saltutil.running   #(查看minion正在运行的jobs);

saltutil.find_job <jid>   #(查看指定jid的job,minion正在运行的job);

saltutil.signal_job <jid><signal>   #(给指定jid进行发送信号);

saltutil.term_job <jid>   #(终止指定的jid进程,15);

saltutil.kill_job <jid>   #(终止指定的jid进程,9);

salt-run命令中的job管理方法:

#salt-run jobs.active   #(查看所有minion当前正在运行的job,在所有minion上运行saltutil.running);

#salt-run jobs.lookup_jid <jid>   #(从master上的缓存中查询指定jid的运行结果);

#salt-run jobs.list_jobs   #(列出当前master上缓存的所有job);

schedule:

salt0.12.0加入了schedule子系统,用于master/minion定期执行schedule中配置的任务;

schedule可配置在master配置文件或minion的配置文件或pillar中;

master端配置schedule运行runner;

minion端配置schedule为远程执行;

2014.1版本schedule系统并不会将运行结果发送给master或产生event;

schedule支持returner,可将schedule执行结果发送到指定的returner中;

#vim /srv/pillar/top.sls

base:

‘*‘:

-schedule

#vim /srv/pillar/schedule.sls

schedule:  #(此关键字只能有一个,不能在其它的.sls文件中再使用,所有任务计划都放在这一个下)

highstate:   #(每30min执行一次state.highstate)

function: state.highstate

minutes: 30

uptime:   #(每min查询一次loadaverage,并将结果输出到mysqlreturner中)

function: status.uptime

seconds: 60

returner: mysql

hello:

function: cmd.run

args:

- date >> /tmp/test.log

minutes: 1

#salt ‘*‘ saltutil.refresh_pillar

#salt ‘*‘ pillar.get schedule

salt syndic:

salt syndic是一个master,其维护master地址配置为syndicserver地址的minions;

salt syndic是一个minion,其配置文件中会配置syndic_master的地址,其上层的master称为MasterOfMaster;

syndic下的minions的key由syndic主机来进行accept,MasterOfMaster主机只维护其下的syndic和minions主机的key;

MasterOfMaster只传送指令给syndic,syndic并将其继续向下传送,syndic获取到minions的执行结果后将结果传给MasterOfMaster;

syndic自身需要配置file_roots,MasterOfMaster并不会传送文件到syndic上;

在syndic server上安装salt-master和salt-syndic,被syndic管理的minion要改/etc/salt/minion中master: syndic_server_IP;

MasterOfMaster端的配置(/etc/salt/master):

order_masters: True

syndic端的配置(/etc/salt/master):

syndic_master: MasterOfMaster_IP

#syndic_master_port: MasterOfMaster_PORT

#syndic_pidfile: /var/run/salt-syndic.pid

#syndic_log_file: /var/log/salt/syndic.log

salt-ssh:

salt0.17.0加入salt ssh传输系统;

salt ssh基于ssh,无需zeromq和agent,支持sudo;

salt ssh的最终目标是能够和标准的salt完成相同的功能;

当前salt ssh只支持target端的glob和re,当前salt ssh依然为alpha状态,尚不能完全替代标准的salt应用于生产环境中;

salt roster系统随salt ssh系统加入到salt代码中,主要为saltssh提供需要连接的主机和权限信息,默认/etc/salt/roster;

#vim /etc/salt/roster

minion1:  #(<salt ID>,the id to reference the target system with)

host: 10.96.20.117   #(the IPaddress or DNS name or the remote host)

user: root   #(the user tologin as)

passwd: chai   #(the passwdto login with)

另optional parameters有:

port:  #(the target system‘s ssh port number)

sudo:  #(boolean to run command via sudo)

priv:  #(file path to ssh private key,defaults to salt-ssh.rsa)

timeout:  #(number of seconds to wait for response)

returner:

master给minion发送命令执行结果最终将返回给master,saltstack的returner接口允许将结果发送给任意系统,如系统的syslog、MySQL、event等

By default salt will send the return datafrom the command back to the master, but the return data can be redirected intoany number of systems, databases or applications.

#salt ‘*‘ test.ping --return syslog   #(结果保存在minion-side的系统日志下)

#tail /var/log/messages

准备三台server,一台为master(10.96.20.113),另两台为minion(10.96.20.117,10.96.20.118)

主机名(master、minion1、minion2)、IP配置好(10.96.20.113、10.96.20.117、10.96.20.118)

master-side和minion-side:

[[email protected] ~]# uname -rm

2.6.32-431.el6.x86_64 x86_64

[[email protected] ~]# cat /etc/redhat-release

Red Hat Enterprise Linux Server release 6.5(Santiago)

[[email protected] ~]# yum -y install python-requests PyYAML python-crypto python-jinja2   #(先使用CentOS6-Base-163.repo或其它yum源安装好这几个包,再用epel源安装salt-master,因为epel源中缺少这几包导致安装会报如下错)

……

Error: Package:salt-2015.5.10-2.el6.noarch (epel)

Requires: python-crypto

Error: Package:salt-2015.5.10-2.el6.noarch (epel)

Requires: PyYAML

Error: Package:salt-2015.5.10-2.el6.noarch (epel)

Requires: python-requests

Error: Package:salt-2015.5.10-2.el6.noarch (epel)

Requires: python-jinja2

Youcould try using --skip-broken to work around the problem

Youcould try running: rpm -Va --nofiles --nodigest

master-side:

[[email protected] ~]# wget http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm

[[email protected] ~]# rpm -ivh epel-release-6-8.noarch.rpm

warning: epel-release-6-8.noarch.rpm:Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY

Preparing...                ###########################################[100%]

1:epel-release          ########################################### [100%]

[[email protected] ~]# yum -y install salt-master

Running Transaction

Installing : openpgm-5.1.118-3.el6.x86_64                                                                                    1/6

Installing : zeromq3-3.2.5-1.el6.x86_64                                                                                     2/6

Installing : python-zmq-14.3.1-1.el6.x86_64                                                                                  3/6

Installing : python-msgpack-0.4.6-1.el6.x86_64                                                                              4/6

Installing : salt-2015.5.10-2.el6.noarch                                                                                     5/6

Installing : salt-master-2015.5.10-2.el6.noarch                                                                             6/6

……

minion-side:

[[email protected] ~]# wget http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm

[[email protected] ~]# rpm -ivh epel-release-6-8.noarch.rpm

[[email protected] ~]# yum -y install salt-minion

master-side:

[[email protected] ~]# vim /etc/salt/master   #(master-side默认配置文件/etc/salt/master,可在启动时通过-c或--config-dir指定配置文件存放路径,默认会加载/etc/salt/master.d/*.conf文件,配置文件格式为YAML)

-----------------------file start--------------------

##### Primary configuration settings #####

##########################################

#default_include: master.d/*.conf

#interface: 0.0.0.0   #(bind监听的地址)

#ipv6: False

#publish_port: 4505   #(PUB,4505master向minion发送命令的port,而ret_port: 4506,用于接收minion返回的结果)

#user: root   #(运行salt-master的用户)

#max_open_files: 100000   #(#ulimit -n;#vim/etc/security/limits.conf)

#worker_threads: 5

#ret_port: 4506

#pidfile: /var/run/salt-master.pid

#root_dir: /

#pki_dir: /etc/salt/pki/master

#cachedir: /var/cache/salt/master

#verify_env: True

#keep_jobs: 24   #(minion端执行命令的结果会返回到master端本地的cachedir指定路径下,默认缓存24h,会占用大量磁盘空间)

#timeout: 5   #(master向minion发送指令,在5s内minion向master返回结果,这时master的salt退出;若在5s内minion没返回结果,master上会执行find_job查找minion端proc的jid,以知道minion执行当前命令的情况,若minion正在执行master会继续等待5s再用find_job了解执行情况;若在第一次find_job时minion端proc就没当前执行的jid,master会直接退出;若minion规模庞大或网络状况不好建议增大该值)

#loop_interval: 60

#output: nested   #(这几项是输出设置)

#show_timeout: True

#color: True

# strip_colors: False

#sock_dir: /var/run/salt/master

#job_cache: True   #(master是否缓存执行结果,如果规模庞大超5000台server,False关闭,建议使用其它方式来存储jobs)

#minion_data_cache: True

#event_return: mysql

#event_return_queue: 0

# event_return_whitelist:

#   -salt/master/a_tag

#   -salt/master/another_tag

# event_return_blacklist:

#   -salt/master/not_this_tag

#   -salt/master/or_this_one

#max_event_size: 1048576

#####       Security settings       #####

##########################################

#open_mode: False   #(公共使用,为安全禁用)

#auto_accept: False   #(minion上发来key自动接收,测试环境可用,生产环境禁用)

# autosign_timeout: 120

#autosign_file: /etc/salt/autosign.conf

#autoreject_file: /etc/salt/autoreject.conf

#permissive_pki_access: False

#client_acl:   #(访问控制,哪些用户执行指定的命令)

# larry:

#   - test.ping

#   - network.*

#client_acl_blacklist:   #(访问控制,黑名单,指定用户不能执行设定的命令)

# users:

#   - root

#   - ‘^(?!sudo_).*$‘   #  all non sudo users

# modules:

#   - cmd

#sudo_acl: False

#external_auth:   #(外部认证)

# pam:

#   fred:

#     - test.*

#token_expire: 43200

#file_recv: False   #(是否允许minion传文件到master上)

#file_recv_max_size: 100

# sign_pub_messages: False

#####     State System settings     #####

##########################################

#state_top: top.sls   #(管理的入口文件)

#####     File Server settings      #####

##########################################

#file_roots:   #(指定file server目录)

# base:

#   - /srv/salt

#hash_type: md5

#file_buffer_size: 1048576

#fileserver_backend:   #(可将配置文件放在git上,与master同步)

#  -git

#  -roots

#####         Pillar settings        #####

##########################################

#pillar_roots:   #(指定pillar目录)

# base:

#   - /srv/pillar

#ext_pillar_first: False

#pillar_gitfs_ssl_verify: True

#pillar_opts: False

#pillar_safe_render_error: True

#pillar_source_merging_strategy: smart

#####     Peer Publish settings     #####

##########################################

#peer:  #(指定的minion可控制另一minion)

# foo.example.com:

#    - test.*

#   - pkg.*

#####         Logging settings       #####

##########################################

#log_file: /var/log/salt/master

#key_logfile: /var/log/salt/key

#log_level: warning   #(有garbage、trace、debug、info、warning、error、critical)

----------------------------fiel end-------------------------

[[email protected] ~]# service salt-master start

Starting salt-master daemon:                               [  OK  ]

[[email protected] ~]# ps aux | grep salt

root      2876  0.0  0.8 143712 4076 pts/3    S+   Aug23  0:00 vim /etc/salt/master

root      3029  0.0  4.4 292768 21604 ?        S   00:22   0:00 /usr/bin/python2.6/usr/bin/salt-master -d

root      3030  0.3  6.8 390944 33184 ?        Sl  00:22   0:09 /usr/bin/python2.6/usr/bin/salt-master -d

……

[[email protected] ~]# netstat -tnulp | egrep ‘4505|4506‘

tcp       0      0 0.0.0.0:4505                0.0.0.0:*                   LISTEN      3031/python2.6

tcp       0      0 0.0.0.0:4506                0.0.0.0:*                   LISTEN      3053/python2.6

minion-side:

[[email protected] ~]# vim /etc/salt/minion

-------------------------file start-------------------------

##### Primary configuration settings #####

##########################################

#default_include: minion.d/*.conf

master: 10.96.20.113   #(指定master主机,默认为salt,若按默认salt此处不改,要在本地/etc/hosts中添加解析记录)

#ipv6: False

# retry_dns: 30   #(若上面指定的master处是域名,此处指定多长时间刷新)

#master_port: 4506   #(要与master主机上的ret_port保持一致,指定认证和执行结果发送到master的哪个port)

#user: root   #(指定运行salt-minion的用户,由于安装包、启动服务等操作都需要root权限,为规范minion端要使用root)

#root_dir: /

#pki_dir: /etc/salt/pki/minion

#id:  #(指定本minion的标识,salt内部使用id作为标识,此处不设置则默认是主机名,若此处id变了,master会认为是不同的主机)

#grains:

# roles:

#   - webserver

#   - memcache

# deployment: datacenter4

# cabinet: 13

# cab_u: 14-15

#cachedir: /var/cache/salt/minion

#cache_jobs: False   #(minion端不缓存执行结果,会发送到master上)

#backup_mode: minion   #(若更改文件对源文件进行备份,方便回滚操作;在文件操作时,如file.managed或file.recurse,如果文件发生变更,指定备份目标,备份在cachedir/file_backups/下,以原始文件名+时间戳命名)

#####  Minion module management     #####

##########################################

#providers:   #(指定模块对应的providers,RHEL系列pkg对应的providers是yumpkg5)

# pkg: yumpkg5

#####   State Management Settings    #####

###########################################

#renderer: yaml_jinja   #(指定配置管理系统中的渲染器,解析配置文件使用的模式)

#####    File Directory Settings    #####

##########################################

#file_client: remote   #(指定file_client默认去哪里寻找文件,remote或local)

#####         Logging settings       #####

##########################################

#log_file: /var/log/salt/minion

#key_logfile: /var/log/salt/key

#log_level: warning

######     Keepalive settings        ######

############################################

#tcp_keepalive: True   #(minion是否与master保持keepalive检查,zeromq3以下版本有bug导致连接异常后minion无法重连master,建议升级到zeromq3以上版本)

------------------------------file end-------------------------

[[email protected] ~]# service salt-minion start

Starting salt-minion daemon:                               [  OK  ]

[[email protected] ~]# ps aux | grep salt

root      2683  0.0 1.8 143256  4128 pts/4    S+  00:23   0:00 vim /etc/salt/minion

root      2785  0.0 11.3 446960 25912 ?        S   00:47   0:00 /usr/bin/python2.6/usr/bin/salt-minion -d

root      3149  0.0  0.3 103264  828 pts/3    S+   01:10  0:00 grep salt

[[email protected] ~]# service salt-minion start

Starting salt-minion daemon:                               [  OK  ]

[[email protected] ~]# ps aux | grep salt

root     59600  0.0 11.2 444852 25724?        S    00:49  0:00 /usr/bin/python2.6 /usr/bin/salt-minion -d

root     59932  0.0  0.3 103252  828 pts/1    S+   01:10  0:00 grep salt

master-side:

[[email protected] ~]# salt<TAB>

salt         salt-cp      salt-key     salt-master  salt-run    salt-unity

[[email protected] ~]# salt-key -h

Usage: salt-key [options]

Options:

--version             showprogram‘s version number and exit

--versions-report     showprogram‘s dependencies version number and exit

……

Actions:

-l ARG, --list=ARG  List the public keys. The args"pre", "un", and

"unaccepted"will list unaccepted/unsigned keys. "acc"

or "accepted"will list accepted/signed keys. "rej" or

"rejected"will list rejected keys. "den" or "denied"

will list denied keys.Finally, "all" will list all

keys.

-L, --list-all      List all public keys. (Deprecated: use"--list all")

-a ACCEPT,--accept=ACCEPT

Accept the specifiedpublic key (use --include-all to

match rejected keys inaddition to pending keys).

Globs are supported.

-A, --accept-all    Accept all pending keys

-r REJECT,--reject=REJECT

Reject the specifiedpublic key (use --include-all to

match accepted keys inaddition to pending keys).

Globs are supported.

-R, --reject-all    Reject all pending keys

--include-all       Includenon-pending keys when accepting/rejecting

-p PRINT, --print=PRINT

Print the specifiedpublic key

-P, --print-all     Print allpublic keys

-d DELETE,--delete=DELETE

Delete the specifiedkey. Globs are supported.

-D, --delete-all    Delete all keys

……

[[email protected] ~]# salt-key -L

Accepted Keys:

Denied Keys:

Unaccepted Keys:

minion1

minion2

Rejected Keys:

[[email protected] ~]# salt-key -a minion1 -y   #(接受指定minion的key,或使用#salt-key-A -y接受所有minion的key;-d删除指定minion的key,-D删除所有minion的key;-r,-R)

The following keys are going to beaccepted:

Unaccepted Keys:

minion1

Key for minion minion1 accepted.

[[email protected] ~]#salt-key -a minion2 -y

The following keys are going to beaccepted:

Unaccepted Keys:

minion2

Key for minion minion2 accepted.

[[email protected] ~]# salt-key -L

Accepted Keys:

minion1

minion2

Denied Keys:

Unaccepted Keys:

Rejected Keys:

[[email protected] ~]# tree /etc/salt/pki

/etc/salt/pki

└── master

├──master.pem

├──master.pub

├── minions

│  ├── minion1

│  └── minion2

├──minions_autosign

├──minions_denied

├──minions_pre

└──minions_rejected

minion-side:

[[email protected] ~]# tree /etc/salt/pki

/etc/salt/pki

└── minion

├──minion_master.pub

├──minion.pem

└──minion.pub

[[email protected] ~]# salt -h

Usage: salt [options]‘<target>‘ <function> [arguments]

[[email protected] ~]# salt‘*‘ test.ping   #(检测所有的minion是否存活)

minion2:

True

minion1:

True

[[email protected] ~]# salt ‘minion1‘ test.ping

minion1:

True

[[email protected] ~]# salt ‘*‘ cmd.run ‘echo "hello world"‘  #(1987-09-20中国发送的第一封E-mail内容为Across theGreate Wall we can reach every corner in the world)

minion1:

hello world

minion2:

hello world

[[email protected] ~]# salt ‘*‘ grains.items

……

[[email protected] ~]# salt ‘*‘ grains.get cpuarch

minion2:

x86_64

minion1:

x86_64

[[email protected] ~]# salt ‘*‘ grains.get os

minion1:

RedHat

minion2:

RedHat

[[email protected] ~]# salt ‘*‘ grains.get kernel

minion2:

Linux

minion1:

Linux

[[email protected] ~]# salt ‘*‘ grains.get ip_interfaces   #(可使用get查询到grains.items中所有的信息)

minion2:

----------

eth0:

- 10.96.20.118

- fe80::20c:29ff:fe73:b31a

eth1:

lo:

- 127.0.0.1

- ::1

minion1:

----------

eth0:

- 10.96.20.117

- fe80::20c:29ff:fe15:e6bb

eth1:

lo:

- 127.0.0.1

- ::1

[[email protected] ~]# salt ‘*‘ grains.get hwaddr_interfaces

minion2:

----------

eth0:

00:0c:29:73:b3:1a

eth1:

00:0c:29:73:b3:24

lo:

00:00:00:00:00:00

minion1:

----------

eth0:

00:0c:29:15:e6:bb

eth1:

00:0c:29:15:e6:c5

lo:

00:00:00:00:00:00

[[email protected] ~]#salt ‘*‘ grains.get hwaddr_interfaces:eth0

minion1:

00:0c:29:15:e6:bb

minion2:

00:0c:29:73:b3:1a

[[email protected] ~]# salt ‘*‘ grains.get zmqversion

minion1:

3.2.5

minion2:

3.2.5

pillar的使用:

master-side:

[[email protected] ~]# mkdir -p /srv/pillar

[[email protected] ~]# salt ‘*‘ pillar.items

minion2:

----------

minion1:

----------

[[email protected] ~]# vim /srv/pillar/top.sls

base:

‘*‘:

- packages

[[email protected] ~]# vim /srv/pillar/packages.sls

{% if grains[‘os‘] ==‘RedHat‘ %}

apache: httpd

git: git

xxoo: fuck

{% elif grains[‘os‘] ==‘Debian‘ %}

apache: apache2

git: git-core

{% endif %}

[[email protected] ~]# salt ‘*‘ pillar.get apache   #(在未刷新时是查不到的)

minion1:

minion2:

[[email protected] ~]# salt ‘*‘ saltutil.refresh_pillar   #(只有刷新后才能查到)

minion2:

True

minion1:

True

[[email protected] ~]# salt ‘*‘ pillar.get apache

minion2:

httpd

minion1:

httpd

[[email protected] ~]#salt ‘*‘ pillar.get xxoo

minion2:

fuck

minion1:

fuck

[[email protected] ~]# salt ‘*‘ pillar.get git

minion2:

git

minion1:

git

[[email protected] ~]# vim /srv/pillar/top.sls

base:

‘*‘:

-packages

-system

[[email protected] ~]# vim /srv/pillar/system.sls

nofile: 102400

[[email protected] ~]# salt ‘*‘ saltutil.refresh_pillar

minion2:

True

minion1:

True

[[email protected] ~]# salt ‘*‘ pillar.get nofile

minion1:

102400

minion2:

102400

[[email protected] ~]# salt ‘*‘ pillar.items

minion2:

----------

apache:

httpd

git:

git

nofile:

102400

xxoo:

fuck

minion1:

----------

apache:

httpd

git:

git

nofile:

102400

xxoo:

fuck

举例(target支持的matcher):

globing:

[[email protected] ~]# salt ‘*‘ test.ping

minion1:

True

minion2:

True

[[email protected] ~]#salt ‘minion*‘ test.ping   #(匹配id中含有minion字串的minions)

minion2:

True

minion1:

True

[[email protected] ~]# salt ‘minion[1-2]‘ test.ping   #(匹配minion1到minon2的minions)

minion2:

True

minion1:

True

[[email protected] ~]# salt ‘minion[1,2]‘ test.ping   #(匹配minion1和minion2)

minion2:

True

minion1:

True

RE:

[[email protected] ~]# salt -E ‘.*‘ test.ping

minion1:

True

minion2:

True

[[email protected] ~]# salt -E ‘minion(1|2)‘ test.ping

minion1:

True

minion2:

True

[[email protected] ~]# vim /srv/pillar/top.sls

base:

‘minion(1|2)‘:

- match: pcre

-packages

[[email protected] ~]# salt ‘*‘ saltutil.refresh_pillar

minion1:

True

minion2:

True

[[email protected] ~]# salt ‘*‘ pillar.get apache

minion1:

httpd

minion2:

httpd

list:

[[email protected] ~]# salt -L ‘minion1,minion2‘ test.ping

minion2:

True

minion1:

True

grains:

[[email protected] ~]#salt -G ‘os:RedHat‘ test.ping

minion2:

True

minion1:

True

[[email protected] ~]# vim /srv/pillar/top.sls

base:

‘os:RedHat‘:

- match: grain

-packages

[[email protected] ~]# salt ‘*‘ saltutil.refresh_pillar

minion1:

True

minion2:

True

pillar:

[[email protected] ~]# salt -I ‘apache:httpd‘ test.ping

minion1:

True

minion2:

True

[[email protected] ~]# vim /srv/pillar/top.sls

base:

‘minion(1|2)‘:

-match: pcre

-packages

- role

[[email protected] ~]# vim /srv/pillar/role.sls.

role: web

[[email protected] ~]# salt ‘*‘saltutil.refresh_pillar

minion1:

True

minion2:

True

[[email protected] ~]# salt ‘*‘ pillar.get role

minion1:

web

minion2:

web

[[email protected] ~]# salt -I ‘role:web‘test.ping

minion1:

True

minion2:

True

node groups:

[[email protected] ~]# mkdir /etc/salt/master.d

[[email protected] ~]# vim /etc/salt/master.d/nodegroups.conf

nodegroups:

web-cluster: ‘minion*‘

db-cluster: ‘minion*‘

[[email protected] ~]# salt -N ‘web-cluster‘ test.ping

minion1:

True

minion2:

True

[[email protected] ~]# salt -N ‘db-cluster‘ test.ping

minion1:

True

minion2:

True

[[email protected] ~]# vim /srv/pillar/top.sls

base:

‘web-cluster‘:

- match: nodegroup

-packages

-role

[[email protected] ~]# salt ‘*‘ saltutil.refresh_pillar

compound:

[[email protected] ~]# salt -C ‘minion* and [email protected]:RedHat‘ test.ping

minion1:

True

minion2:

True

[[email protected] ~]# vim /srv/pillar/top.sls

base:

‘[email protected]:RedHat and minion*‘:

- match: compound

-packages

-role

[[email protected] ~]# salt ‘*‘ saltutil.refresh_pillar

举例(分发文件):

[[email protected] ~]# salt ‘*‘ test.ping

minion2:

True

minion1:

True.

[[email protected] ~]# salt -v ‘*‘ pkg.install httpd

Executing job with jid 20160826024016671210

-------------------------------------------

minion2:

----------

minion1:

----------

[[email protected] ~]# mkdir -p/srv/salt/apache/files/etc/httpd/conf/

[[email protected] ~]# echo ‘# jason‘ >>/etc/httpd/conf/httpd.conf

[[email protected] ~]# cp/etc/httpd/conf/httpd.conf /srv/salt/apache/files/etc/httpd/conf/

[[email protected] ~]# salt ‘*‘ cp.get_file salt://apache/files/etc/httpd/conf/httpd.conf  etc/httpd/conf/httpd.conf   #(或用方法二,#salt-cp)

minion1:

/etc/httpd/conf/httpd.conf

minion2:

/etc/httpd/conf/httpd.conf

[[email protected] ~]# salt-cp ‘*‘ /srv/salt/apache/files/etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf  #(两种方式任选一)

{‘minion1‘: {‘/etc/httpd/conf/httpd.conf‘:True},

‘minion2‘: {‘/etc/httpd/conf/httpd.conf‘:True}}

[[email protected] ~]# salt ‘*‘ service.start httpd

minion1:

True

minion2:

True

[[email protected] ~]#salt -v ‘*‘ service.status httpd

Executing job with jid 20160826031234533015

-------------------------------------------

minion2:

True

minion1:

True

[[email protected] ~]#salt-run jobs.list_jobs

……

[[email protected] ~]# salt-run jobs.lookup_jid 20160826024930368134

minion1:

True

minion2:

True

[[email protected] ~]# tail -2 /etc/httpd/conf/httpd.conf   #(在minion端检测)

#</VirtualHost>

# jason

[[email protected] ~]# netstat -tnlp | grep :80

tcp       0      0 :::80                       :::*                        LISTEN      5424/httpd

举例(理解YAML):

[[email protected] ~]# vim parse_yaml.py

----------------script start----------------

#!/usr/bin/env python

#

import yaml

import sys

fd=open(sys.argv[1])

print yaml.load(fd)

----------------script end-----------------

[[email protected] ~]# chmod 755 parse_yaml.py

[[email protected] ~]# vim test.yaml

- name: jason

- gender: man

[[email protected] ~]# ./parse_yaml.py test.yaml

[{‘name‘: ‘jason‘}, {‘gender‘: ‘man‘}]

举例(通过配置安装httpd,层层深入理解salt的配置管理;注意*.sls配置文件中各级之间的空格要是2的倍数,例如一级顶格,二级2个空格,3级4个空格,否则提示state.py in render_state sls之类的错误):

[[email protected] ~]#vim /srv/salt/top.sls

base:

‘*‘:

-apache

[[email protected] ~]# vim /srv/salt/apache/init.sls

include:

- apache.deploy

[[email protected] ~]# vim /srv/salt/apache/deploy.sls

apache:

pkg.installed:

- name: httpd

file.managed:

- name: /etc/httpd/conf/httpd.conf

- source:salt://apache/files/etc/httpd/conf/httpd.conf

service.running:

- name: httpd

- enable: True

[[email protected] ~]# cp /etc/httpd/conf/httpd.conf /srv/salt/apache/files/etc/httpd/conf/

[[email protected] ~]# salt ‘*‘ state.highstate

……

Summary

------------

Succeeded: 3 (changed=1)

Failed:   0

------------

Total states run:     3

[[email protected] ~]# salt ‘*‘ service.status httpd

minion2:

True

minion1:

True

注:deploy.sls也可以写为:

apache:

pkg.installed: []

-name: httpd

/etc/httpd/conf/httpd.conf:

file.managed:

-source: salt://apache/files/etc/httpd/conf/httpd.conf

httpd:

service.running:

-enable: True

举例(上例仅简单实现了部署与分发配置文件,如果配置文件分发在软件包安装之前的话则最后服务启动后的配置将受影响;增加需求:配置文件分发执行前软件包必须已安装,避免先同步配置文件再安装软件会覆盖掉已分发的文件;增加监控,若软件包更新或配置文件发生变化,这两点要能被监控到,监控到发生变化了要重启服务):

[[email protected] ~]# vim /srv/salt/apache/deploy.sls

apache:

pkg.installed:

-name: httpd

file.managed:

-name: /etc/httpd/conf/httpd.conf

-source: salt://apache/files/etc/httpd/conf/httpd.conf

- require:

- pkg: apache

service.running:

-name: httpd

-enable: True

- watch:

- pkg: apache

- file: apache

[[email protected] ~]# echo ‘# chinese‘ >>/srv/salt/apache/files/etc/httpd/conf/httpd.conf

[[email protected] ~]# salt ‘*‘ state.sls apache

……

Summary

------------

Succeeded: 3 (changed=2)

Failed:   0

------------

Total states run:     3

注:deploy.sls也可写成以下两种方式:

apache:

pkg:

-installed

-name: httpd

/etc/httpd/conf/httpd.conf:

file:

-managed

-source: salt://apache/files/etc/httpd/conf/httpd.conf

-require:

- pkg: apache

httpd:

service:

-running

-enable: True

-watch:

- pkg: apache

- file: /etc/httpd/conf/httpd.conf

------------------------------------------------

或者是

------------------------------------------------

apache:

pkg.installed:

-name: httpd

- require_in: file

- watch_in:

- service: apache

file.managed:

-name: /etc/httpd/conf/httpd.conf

-source: salt://apache/files/etc/httpd/conf/httpd.conf

- watch_in:

- service: apache

service.running:

-name: httpd

-enable: True

举例(增加需求,利用jinja渲染,改各minion的httpd.conf中port为8080):

[[email protected] ~]# vim /srv/salt/apache/files/etc/httpd/conf/httpd.conf

Listen {{ port }}

[[email protected] ~]# vim /srv/salt/apache/deploy.sls

apache:

pkg:

-installed

-name: httpd

/etc/httpd/conf/httpd.conf:

file:

-managed

-source: salt://apache/files/etc/httpd/conf/httpd.conf

-require:

- pkg: apache

- template: jinja

- context:

port: 8080

httpd:

service:

-running

-enable: True

-watch:

- pkg: apache

- file: /etc/httpd/conf/httpd.conf

[[email protected] ~]# salt ‘*‘ cmd.run ‘netstat -tnulp | grep httpd‘

minion2:

tcp        0      0 :::80                       :::*                        LISTEN      75368/httpd

minion1:

tcp        0      0 :::80                       :::*                        LISTEN      7936/httpd

[[email protected] ~]# salt ‘*‘ state.highstate

……

[[email protected] ~]# salt ‘*‘ cmd.run ‘netstat -tnulp | grep httpd‘

minion2:

tcp        0      0 :::8080                     :::*                        LISTEN      75837/httpd

minion1:

tcp        0      0 :::8080                     :::*                        LISTEN      8352/httpd

举例(增加需求,各minion的httpd port号不一致;业务数据应独立存放,/srv/salt/apache/deploy.sls中仅存放业务处理逻辑,/srv/pillar/apache/pillar_deploy.sls中存放数据):

[[email protected] ~]# vim /srv/salt/apache/files/etc/httpd/conf/httpd.conf

Listen {{ port }}

[[email protected] ~]# vim /srv/salt/apache/deploy.sls

apache:

pkg:

-installed

-name: httpd

/etc/httpd/conf/httpd.conf:

file:

-managed

-source: salt://apache/files/etc/httpd/conf/httpd.conf

-require:

- pkg: apache

- template: jinja

- defaults:

port: {{ salt[‘pillar.get‘](‘apache:port‘,80)}}

httpd:

service:

-running

-enable: True

-watch:

- pkg: apache

- file: /etc/httpd/conf/httpd.conf

[[email protected] ~]# vim /srv/pillar/top.sls   #(top.sls文件中定义的内容,只要能匹配到minion都会先后执行所有操作,而不是像iptables那样先匹配到就不匹配之后的内容)

base:

‘*‘:

- apache

[[email protected] ~]# mkdir /srv/pillar/apache

[[email protected] ~]# vim /srv/pillar/apache/init.sls

include:

- apache.pillar_deploy

[[email protected] ~]# vim /srv/pillar/apache/pillar_deploy.sls

apache:

{% if grains.id==‘minion1‘ %}

port: 8081

{% elif grains.id==‘minion2‘ %}

port: 8082

{% else %}

port: 80

{% endif %}

[[email protected] ~]# salt ‘*‘ saltutil.refresh_pillar

minion2:

True

minion1:

True

[[email protected] ~]# salt ‘*‘ pillar.getapache:port

minion2:

8082

minion1:

8081

[[email protected] ~]# salt ‘*‘ state.highstate   #(若直接执行此命令则不需要执行刷新pillar操作,此命令会先刷新再执行)

[[email protected] ~]# salt ‘*‘ cmd.run ‘netstat -tnulp | grep httpd‘

minion2:

tcp        0      0 :::8082                     :::*                        LISTEN      76024/httpd

minion1:

tcp        0      0 :::8081                     :::*                        LISTEN      8564/httpd

注:deploy.sls,也可以将业务逻辑和数据放在一起:

apache:

pkg:

-installed

-name: httpd

/etc/httpd/conf/httpd.conf:

file:

-managed

-source: salt://apache/files/etc/httpd/conf/httpd.conf

-require:

- pkg: apache

- template: jinja

- context:

{% if grains[‘id‘]==‘minion1‘ %}

port: 8081

{% elif grains[‘id‘]==‘minion2‘ %}

port: 8082

{% else %}

port: 80

{% endif %}

httpd:

service:

-running

-enable: True

-watch:

- pkg: apache

- file: /etc/httpd/conf/httpd.conf

举例(模块带参数执行):

[[email protected] ~]# vim /srv/salt/top.sls

base:

‘*‘:

-apache

‘minion(1|2)*‘:

-match: pcre

-system

[[email protected] ~]# vim /srv/salt/system/init.sls

include:

-system.system

[[email protected] ~]# vim /srv/salt/system/system.sls

hello:

cmd.run:

-name: echo "hello world"

[[email protected] ~]# salt ‘*‘ state.highstate

举例(schedule):

[[email protected] ~]# vim /srv/pillar/top.sls

base:

‘*‘:

- schedule

[[email protected] ~]# vim /srv/pillar/schedule.sls

schedule:

hello:

function: cmd.run

args:

- date >> /tmp/test.log

seconds: 30

[[email protected] ~]# salt ‘*‘ saltutil.refresh_pillar

minion1:

True

minion2:

True

[[email protected] ~]# salt ‘*‘ pillar.get schedule

……

[[email protected] ~]# cat /tmp/test.log   #(在minion端查看)

Mon Aug 29 02:34:41 PDT 2016

Mon Aug 29 02:35:11 PDT 2016

Mon Aug 29 02:35:41 PDT 2016

Mon Aug 29 02:36:11 PDT 2016

Mon Aug 29 02:36:41 PDT 2016

Mon Aug 29 02:37:11 PDT 2016

[[email protected] ~]# cat /tmp/test.log

Mon Aug 29 02:34:08 PDT 2016

Mon Aug 29 02:34:38 PDT 2016

Mon Aug 29 02:35:08 PDT 2016

Mon Aug 29 02:35:38 PDT 2016

Mon Aug 29 02:36:08 PDT 2016

Mon Aug 29 02:36:38 PDT 2016

举例(salt-ssh):

[[email protected] ~]# yum -y install salt-ssh

[[email protected] ~]# vim /etc/salt/roster

minion1:

host: 10.96.20.117

user: root

passwd: chai

minion2:

host: 10.96.20.118

user: root

passwd: chai

[[email protected] ~]# service salt-master stop

Stopping salt-master daemon:                               [  OK  ]

[[email protected] ~]# salt-ssh ‘*‘ test.ping   #(有如下报错,解决办法:严格检查禁用或者先用ssh连接minion)

minion1:

----------

retcode:

254

stderr:

stdout:

The host key needs to be accepted, to auto accept run salt-ssh with the-i flag:

The authenticity of host ‘10.96.20.117 (10.96.20.117)‘ can‘t beestablished.

RSA key fingerprint is 63:f5:2e:dc:96:64:54:72:8e:14:7e:ec:ef:b8:a1:0c.

Are you sure you want to continueconnecting (yes/no)?

minion2:

----------

retcode:

254

stderr:

stdout:

The host key needs to be accepted, to auto accept run salt-ssh with the-i flag:

The authenticity of host ‘10.96.20.118 (10.96.20.118)‘ can‘t beestablished.

RSA key fingerprint is 63:f5:2e:dc:96:64:54:72:8e:14:7e:ec:ef:b8:a1:0c.

Are you sure you want to continue connecting (yes/no)?

[[email protected] ~]# touch .ssh/config

[[email protected] ~]# vim .ssh/config

host 10.96.20.117

StrictHostKeyChecking no

host 10.96.20.118

StrictHostKeyChecking no

[[email protected] ~]# salt-ssh ‘*‘ test.ping

minion2:

True

minion1:

True

[[email protected] ~]# salt-ssh ‘*‘ -r ‘df -h‘

minion1:

----------

retcode:

0

stderr:

stdout:

[email protected]‘s password:

Filesystem      Size  Used Avail Use% Mounted on

/dev/sda2        18G  4.9G  12G  30% /

tmpfs           112M   12K 112M   1% /dev/shm

/dev/sda1       291M   91M 185M  33% /boot

/dev/sr0        3.6G  3.6G    0 100% /mnt/cdrom

minion2:

----------

retcode:

0

stderr:

stdout:

[email protected]‘s password:

Filesystem      Size  Used Avail Use% Mounted on

/dev/sda2        18G  4.3G  13G  26% /

tmpfs           112M   12K 112M   1% /dev/shm

/dev/sda1       291M   58M 219M  21% /boot

/dev/sr0        3.6G  3.6G    0 100% /mnt/cdrom

[[email protected] ~]# salt-ssh ‘*‘ -r ‘ip ro li‘

minion1:

----------

retcode:

0

stderr:

stdout:

[email protected]‘s password:

10.96.20.0/24 dev eth0  protokernel  scope link  src 10.96.20.117

default via 10.96.20.1 dev eth0

minion2:

----------

retcode:

0

stderr:

stdout:

[email protected]‘s password:

10.96.20.0/24 dev eth0  protokernel  scope link  src 10.96.20.118  metric 1

default via 10.96.20.1 dev eth0 proto static

举例(salt syndic):

masterofmaster:10.96.20.113,主机名master

syndic:10.96.20.114,主机名syndic

minion1:10.96.20.117,主机名minion1

minion2:10.96.20.118,主机名minion2

syndic-side:

[[email protected] ~]# cd /etc/yum.repos.d

[[email protected] yum.repos.d]# ll

total 20

-rw-r--r--. 1 root root 1856 Jul 19 00:28CentOS6-Base-163.repo

-rw-r--r--. 1 root root  957 Nov 4  2012 epel.repo

-rw-r--r--. 1 root root 1056 Nov  4  2012epel-testing.repo

-rw-r--r--. 1 root root  474 Mar 30 23:00 rhel-source.repo

[[email protected] yum.repos.d]# cd

[[email protected] ~]# yum -y install PyYAML python-requests python-jinja2   #(先用CentOS6-Base-163的yum源安装这几个依赖包)

[[email protected] ~]# yum -y install salt-master salt-syndic   #(再用epel的yum源安装salt-master和salt-syndic)

……

Running Transaction

Installing : openpgm-5.1.118-3.el6.x86_64                                                                                    1/8

Installing : zeromq3-3.2.5-1.el6.x86_64                                                                                      2/8

Installing : python-zmq-14.3.1-1.el6.x86_64                                                                                  3/8

Installing : python-crypto-2.0.1-22.el6.x86_64                                                                               4/8

Installing: python-msgpack-0.4.6-1.el6.x86_64                                                                               5/8

Installing : salt-2015.5.10-2.el6.noarch                                                                                     6/8

Installing : salt-master-2015.5.10-2.el6.noarch                                                                              7/8

Installing : salt-syndic-2015.5.10-2.el6.noarch                                                                              8/8

……

[[email protected] ~]# vim /etc/salt/master

#####          Syndic settings       #####

##########################################

syndic_master:10.96.20.113

#syndic_master_port: 4506

#syndic_pidfile:/var/run/salt-syndic.pid

#syndic_log_file:syndic.log

[[email protected] ~]# service salt-master start

Starting salt-master daemon:                               [  OK  ]

[[email protected] ~]# service salt-syndic start

Starting salt-syndic daemon:                               [  OK  ]

masterofmaster-side:

[[email protected] ~]# vim /etc/salt/master

#####          Syndic settings       #####

##########################################

order_masters: True

[[email protected] ~]# salt-key -L

Accepted Keys:

minion1

minion2

Denied Keys:

Unaccepted Keys:

syndic

Rejected Keys:

[[email protected] ~]# salt-key -D -y

……

Key for minion minion1 deleted.

Key for minion minion2 deleted.

Key for minion syndic deleted.

[[email protected] ~]# salt-key -L

Accepted Keys:

Denied Keys:

Unaccepted Keys:

minion1

minion2

syndic

Rejected Keys:

[[email protected] ~]# salt-key -a ‘syndic‘ -y

The following keys are going to beaccepted:

Unaccepted Keys:

syndic

Key for minion syndic accepted.

[[email protected] ~]#salt-key -L

Accepted Keys:

syndic

Denied Keys:

Unaccepted Keys:

minion1

minion2

Rejected Keys:

minion{1,2}-side:

[[email protected] ~]# service salt-minion stop

Stopping salt-minion daemon:                               [  OK  ]

[[email protected] ~]# vim /etc/salt/minion

master: 10.96.20.114

[[email protected] ~]# rm -f /etc/salt/minion_id

[[email protected] ~]# rm -rf /etc/salt/pki

[[email protected] ~]# hostname

minion1

[[email protected] ~]# service salt-minion start

Starting salt-minion daemon:                               [  OK  ]

[[email protected] ~]# service salt-minion stop

Stopping salt-minion daemon:                               [  OK  ]

[[email protected] ~]# vim /etc/salt/minion

master: 10.96.20.114

[[email protected] ~]# rm -f /etc/salt/minion_id

[[email protected] ~]# rm -rf /etc/salt/pki

[[email protected] ~]# service salt-minion start

Starting salt-minion daemon:                               [  OK  ]

syndic-side:

[[email protected] ~]# salt-key -L

Accepted Keys:

Denied Keys:

Unaccepted Keys:

minion1

minion2

Rejected Keys:

[[email protected] ~]# salt-key -A -y

The following keys are going to beaccepted:

Unaccepted Keys:

minion1

minion2

Key for minion minion1 accepted.

Key for minion minion2 accepted.

masterofmaster上测试:

[[email protected] ~]# salt -v ‘*‘ test.ping

Executing job with jid 20160829193921851966

-------------------------------------------

minion2:

True

minion1:

True

时间: 2024-10-12 02:49:22

V 9 saltstack (1)的相关文章

自动化运维系列之SaltStack批量部署Apache服务

自动化运维系列之SaltStack批量部署Apache服务 saltstack原理 SalStack由master和minion构成,master是服务端,表示一台服务器:minion是客户端,表示多台服务器.在Master上发送命令给符合条件的minion,Minion就会执行相应的命令.Master和Minion之间是通过ZeroMQ(消息队列)进行通信的. SaltStack的Master端的监听端口是4505和4506,4505端口是Master和Minion认证通信端口:4506端口是

Saltstack Automatic grouping

一.要点: 知道key验证存放的目录 key在验证是手动还自动 对不在线的主机的处理 minion_id的命名规范 二.使用的技术栈 saltstack 相关的库:salt.config,salt.client,salt.runner 使用redis 存放两个数据库,第一个为存为字典,用于存放minion_id与物理IP的对应,另一个存为集合,用于项目_业务命名的方式包含相应的主机 使用watchdog对目录变更监控,事件触发机制 三.完整代码 # coding:utf8 # Created b

Saltstack 学习笔记(一)

Salt简介: Salt(saltstack)是一个基础设施的自动化和配置管理工具,根据官方文档,salt是一个配置管理系统,能够维护远程节点到指定的状态(例如确保指定的包是安装的,并且指定的服务是正在运行的),并且能够分布式的在远程节点上执行命令和查询数据. 安装 本文是ubuntu 15.10作为测试,并且master和minion为同一台机器 sudo apt-get install python-software-properties sudo add-apt-repository pp

Saltstack自动部署Haproxy+keepalived+nginx+memcache+php(fastcgi)

二系列: 部署keepalived总的目录结构 [[email protected] salt]# tree /srv/salt/ /srv/salt/ ├── base │   ├── init │   │   ├── audit.sls │   │   ├── dns.sls │   │   ├── env_init.sls │   │   ├── epel.sls │   │   ├── files │   │   │   └── resolv.conf │   │   ├── histo

saltstack批量安装zabbix agent

1.准备zabbix agent的配置文件 由于没有啥特别要求,这里我选择yum安装zabbix22-agent [[email protected] init]# yum -y install zabbix22-agent [[email protected] zabbix]# cp zabbix_agentd.conf /etc/salt/states/init/files/ 2.创建zabbix_agent.sls [[email protected] ~]# vim /etc/salt/

saltstack 管理命令

salt相关的管理命令: salt-run manage.up # 查看存活的minion salt-run manage.down           # 查看死掉的minion salt-run manage.down removekeys=True     # 查看down掉的minion,并将其删除 salt-run manage.status             # 查看minion的相关状态 salt-run manage.versions # 查看salt的所有master和m

saltstack自动化运维

一.Saltstack架构 Saltstack基于C/S架构,服务端master:192.168.179.128和客户端minions :192.168.179.129 二.Saltstack的安装配置 1.master的安装 rpm -ivhhttp://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpmyum install salt-master默认配置文件位于/etc/salt/master ,默认不需要更改

Saltstack 安装

Saltstack 安装应用 master 192.168.20.156 minion 192.168.20.168 一.系统准备 [[email protected] ~]# uname -r 2.6.32-504.el6.x86_64 # salt --version salt 2016.3.3 (Boron) 1.设置关闭 selinux [[email protected] ~]# cat /etc/sysconfig/selinux |grep -v ^# SELINUX=disabl

saltstack知道这些就很好用了

[salt的目录结构] 环境是有默认的,不过可以更改配置/etc/salt/master文件中file_roots file_roots: base: - /data1/salt/base/ db: - /data1/salt/db/ dev: - /data1/salt/dev/ prod: - /data1/salt/prod/ [先掌握saltstack的SLS文件命名空间问题] 遵照以下规则: sls是扩展名 .sls是被省略的(如 zabbix.sls使用的时候 为 zabbix) 存