SaltStack references:
    https://docs.saltstack.com/en/latest/
    http://blog.chinaunix.net/uid-10915175-id-4395273.html
    http://www.saltstack.cn/kb/managing-firewall-with-salt/
    https://docs.saltstack.com/en/getstarted/config/jinja.htm
    https://repo.saltstack.com/yum/redhat/6/x86_64/2017.7/

First, write the hosts file (or deploy an internal DNS) so that every node's name resolves:

    cat /etc/hosts
    192.168.99.2 saltstack-master.example.com
    192.168.99.4 saltstack-node1.example.com
    192.168.99.5 saltstack-node2.example.com
    192.168.3.37 saltstack-node3.example.com

I. Installing and deploying SaltStack
1. Environment:
   1) CentOS 6.5, CentOS 5.6
2. SaltStack version:
   1) salt-2017.7.1-1.el6.noarch
3. Install the official Salt repository:
   1) cd /etc/yum.repos.d/
   2) yum install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el6.noarch.rpm
4. Deploy salt-master and salt-minion:
   1) yum install salt-master
   2) yum install salt-minion
5. Start the services:
   1) /etc/init.d/salt-master start
   2) /etc/init.d/salt-minion start

II. The salt-key command (authenticates minion keys)

    salt-key -L                                  list all keys, i.e. every minion; a newly joined host shows up with its key unaccepted
    salt-key -A                                  accept the pending keys
    salt-key -d saltstack-master.example.com     delete a single minion's key

Test the accepted keys: all of them can now communicate with the master.
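Accepting every pending key with -A trusts whoever reached port 4506 first, so a defender compares each pending key's fingerprint with what the minion itself reports before accepting it. The POSIX sh script below is an added example, not code from the original post: it parses constructed salt-key -L, salt-key -f and salt-call --local key.finger output (the fingerprint values and minion IDs are made up) and marks a minion for acceptance only when the two fingerprints agree.

```shell
#!/bin/sh
# Added example: decide whether a pending minion key may be accepted by
# comparing the master's fingerprint (salt-key -f) with the one the
# minion reports locally (salt-call --local key.finger). All command
# output below is constructed so the script runs offline.
SAMPLE_LIST='Accepted Keys:
saltstack-master.example.com
Denied Keys:
Unaccepted Keys:
saltstack-node1.example.com
saltstack-node2.example.com
Rejected Keys:'

# Constructed `salt-key -f saltstack-node1.example.com` output; fake fingerprint
SAMPLE_MASTER_FINGER='Unaccepted Keys:
saltstack-node1.example.com:  11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00'

# Constructed `salt-call --local key.finger` output, taken on the minion itself
SAMPLE_MINION_FINGER='local:
    11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00'

# Minion IDs listed under "Unaccepted Keys:" in salt-key -L output ($1)
pending_minions() {
  printf '%s\n' "$1" | awk '
    /^Unaccepted Keys:/ { insec = 1; next }
    /Keys:$/            { insec = 0 }
    insec && NF         { print }'
}

# Fingerprint of minion ID $2 in salt-key -f output $1 (empty if absent)
master_fingerprint() {
  printf '%s\n' "$1" | awk -v id="$2:" '$1 == id { print $NF }'
}

# Fingerprint from salt-call --local key.finger output $1
minion_fingerprint() {
  printf '%s\n' "$1" | awk 'NR == 2 { print $1 }'
}

# "accept" only when both fingerprints are present and identical;
# otherwise "hold": the key stays unaccepted until it has been verified
decide() {
  if [ -n "$1" ] && [ "$1" = "$2" ]; then echo accept; else echo hold; fi
}

for id in $(pending_minions "$SAMPLE_LIST"); do
  m=$(master_fingerprint "$SAMPLE_MASTER_FINGER" "$id")
  n=$(minion_fingerprint "$SAMPLE_MINION_FINGER")
  echo "$id: $(decide "$m" "$n")"   # real run: salt-key -a "$id" on accept
done
```

In the sample, node1 is marked accept and node2 is held because no fingerprint was collected for it.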
    -A    accept every pending minion key
    -d    delete a single accepted key, i.e. remove one minion
    -D    delete all keys
    -r    reject a single key, putting that minion on the blacklist
    -R    reject all keys, putting every minion on the blacklist

III. Master and minion configuration files explained

master:
    interface: 192.168.0.1              local interface to bind to; must be an IP address
    publish_port: 4506                  port of the publish interface
    user: root                          user the salt processes run as
    ret_port:                           port used by the return server
    pidfile: /var/run/salt-master.pid
    conf_file: /etc/salt/master         path of the main config file
    pki_dir: /etc/salt/pki/master       directory holding the PKI authentication keys
    cachedir: /var/cache/salt/master    cache storage
    verify_env: True                    verify and set the permissions of the config directories at startup
    keep_jobs: 24                       hours to keep old job information
    sock_dir: /var/run/salt/master      location of the Unix sockets used for master process communication
    log_file: /var/log/salt/master      master log file location

minion:

    master: 192.168.99.2                address of the master
    max_event_size: 1048576             maximum size of a message on the minion event bus, in bytes
    pidfile: /var/run/salt-minion.pid   where the daemon's pid is stored
    conf_file: /etc/salt/minion         minion config file path
    cachedir: /var/cache/salt/master    cache storage
    verify_env: True                    verify and set the permissions of the config directories at startup
    return_retry_timer: 5               default timeout for return retries
    tcp_pub_port                        publish port used when the transport is tcp
    log_file: /var/log/salt/minion      minion log file location
    tcp_keepalive_cnt: 1                ZeroMQ TCP keepalive count
    tcp_keepalive_intvl: 1              ZeroMQ TCP keepalive interval

Master config file: mainly defines the project directories
Define node groups:

Modify the minion config file:
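The master options listed above decide which interface the master listens on and how its configuration directories are protected. The POSIX sh script below is an added example, not code from the original post: it audits a constructed /etc/salt/master (values made up) for a master bound to all interfaces, for auto_accept or open_mode being enabled (both skip the salt-key review from the previous section), and for verify_env being disabled.

```shell
#!/bin/sh
# Added example: flag weak settings in a salt master config. The text
# below is a constructed /etc/salt/master; run
# `audit_master_conf "$(cat /etc/salt/master)"` against a real one.
SAMPLE_MASTER_CONF='# constructed sample with two weak settings
interface: 0.0.0.0
publish_port: 4505
ret_port: 4506
user: root
pki_dir: /etc/salt/pki/master
verify_env: True
auto_accept: True
open_mode: False'

# Value of top-level key $2 in config text $1; comment lines are ignored
# and the output is empty when the key is absent
conf_get() {
  printf '%s\n' "$1" | awk -v k="$2:" '
    /^[[:space:]]*#/ { next }
    $1 == k { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# One OK/WARN line per check; an unset interface means the 0.0.0.0 default
audit_master_conf() {
  iface=$(conf_get "$1" interface)
  case "$iface" in
    ""|0.0.0.0) echo "WARN interface=${iface:-unset}: master listens on every interface; bind one internal IP" ;;
    *)          echo "OK   interface=$iface" ;;
  esac
  for key in auto_accept open_mode; do
    if [ "$(conf_get "$1" "$key")" = True ]; then
      echo "WARN $key=True: minion keys are trusted without salt-key review"
    else
      echo "OK   $key off"
    fi
  done
  if [ "$(conf_get "$1" verify_env)" = True ]; then
    echo "OK   verify_env=True"
  else
    echo "WARN verify_env off: config directory permissions are not checked at startup"
  fi
}

# Number of WARN lines for config text $1
warn_count() { audit_master_conf "$1" | grep -c '^WARN'; }

audit_master_conf "$SAMPLE_MASTER_CONF"
```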
IV. Grains

    salt '*' grains.ls       list the grains a minion provides
    salt '*' grains.items    show every grain with its value

1. Edit the grains file (in /etc/salt/grains the grain name is the top-level key; the grains: wrapper belongs only in /etc/salt/minion):

    vim /etc/salt/grains
    roles:
      - webserver
      - memcache

2. Match on grains:

    salt -G 'roles:webserver' test.ping

V. SaltStack remote execution: targeting rules
    salt '*' cmd.run 'df -h'                                   run a shell command remotely with the cmd module
    salt -C 'G@os:CentOS and dest' test.ping                   -C: compound matching
    salt -N dest test.ping                                     -N: match a nodegroup
    salt -S 192.168.99.0/24 test.ping                          -S: match by subnet or IP
    salt -L 'saltstack-node1.example.com,saltstack-node2.example.com' test.ping    -L: match an explicit list of minions
    salt -E 'saltstack-(node1|node2).example.com' test.ping    -E: regular-expression matching
    salt 'saltstack-node[1-3].example.com' test.ping           glob matching
    salt 'saltstack-node1.example.com' sys.list_functions file    list the functions of a module
    salt 'saltstack-node1.example.com' sys.doc cmd | grep run     read a module's documentation

VI. Writing sls files with Jinja templates

Jinja usage examples: https://docs.saltstack.com/en/latest/topics/jinja/index.html

1. backup: implemented with file.managed; cmd.run creates the directory
    download_file_1:
      file.managed:
        - name: /etc/cron.d/backup
        - source: salt://backup/files/backup.erb
        - user: root
        - group: root
        - mode: 644

    download_file_2:
      file.managed:
        - name: /etc/rsync_only_backup_remote.pwd
        - source: salt://backup/files/rsync_only_backup_remote.pwd.erb
        - user: root
        - group: root
        - mode: 600    # rsync password file: readable by root only

    cmd_mkdir:
      cmd.run:
        - names:
          - mkdir -pv /opt/scripts/remote_backup_not_delete/
        - unless: test -d /opt/scripts/remote_backup_not_delete/
        # owner, group and mode are not cmd.run arguments and were dropped;
        # manage the directory's permissions with file.directory instead

    download_file_3:
      file.managed:
        - name: /opt/scripts/remote_backup_not_delete/backup_to_remote.sh
        - source: salt://backup/files/backup_to_remote.sh.erb
        - user: root
        - group: root
        - mode: 755

    download_file_4:
      file.managed:
        - name: /opt/scripts/remote_backup_not_delete/check_table.sh
        - source: salt://backup/files/check_table.sh.erb
        - user: root
        - group: root
        - mode: 755

Run it:

    salt 'saltstack-node1.example.com' state.sls backup.backup backup.evn=backup

dns: file.managed

    resolv.conf:
      file.managed:
        - name: /etc/resolv.conf
        - source: salt://dns/files/resolv.conf.erb
        - user: root
        - group: root
        - mode: 644

Run it:

    salt 'saltstack-node1.example.com' state.sls dns.resolv_conf dns.evn=dns

iptables: a for loop, an if test and file.managed
    {% for list in ['saltstack-node1.example.com', 'saltstack-node2.example.com'] %}
    {% if list == grains['fqdn'] %}
    downloads_file_iptables:
      file.managed:
        - name: /etc/sysconfig/iptables
        - source: salt://auditd/files/{{ list }}_iptables.erb
        - user: root
        - group: root
        - mode: 600

    iptables_service:
      service.running:
        - name: iptables
        - enable: True
        - reload: True
        - watch:
          - file: downloads_file_iptables

    downloads_file_crontab:
      file.managed:
        - name: /etc/cron.d/iptables
        - source: salt://auditd/files/{{ list }}_cron.erb
        - user: root
        - group: root
        - mode: 644
    {% endif %}
    {% endfor %}

    {% for list in ['saltstack-master.example.com'] %}
    {% if grains['fqdn'] == list %}
    downloads_file_iptables:
      file.managed:
        - name: /etc/sysconfig/iptables
        - source: salt://auditd/files/Standard
        - user: root
        - group: root
        - mode: 600

    iptables_service:
      service.running:
        - name: iptables
        - enable: True
        - reload: True
        - watch:
          - file: downloads_file_iptables
    {% endif %}
    {% endfor %}

Result:

    salt 'saltstack-node1.example.com' state.sls auditd.iptables auditd.evn=auditd

ntp:

    ntp_file:
      file.managed:
        - name: /etc/cron.d/ntp
        - source: salt://ntp/files/ntp.erb
        - user: root
        - group: root
        - mode: 644

    ntpd_service:
      service.running:
        - name: ntpd
        - enable: True
        - reload: True    # service.running has no force-reload option; reload makes the watch reload instead of restart
        - watch:
          - file: ntp_file

Result:

    salt 'saltstack-node1.example.com' state.sls ntp.ntp ntp.evn=ntp

ssh: loop over a list of releases with an if test; the service module starts the service
    {% for list in ['5.6', '6.0', '6.5'] %}
    {% if grains['osrelease'] == list %}
    downloads{{ list }}_file:
      file.managed:
        - name: /etc/ssh/sshd_config
        - user: root
        - group: root
        - source: salt://ssh/files/sshd_config_{{ list }}.erb
        - mode: 600
        - template: jinja
        - defaults:    # no template variables are passed; left empty on purpose

    sshd_service:
      service.running:
        - name: sshd
        - enable: True
        - reload: True
        - watch:
          - file: downloads{{ list }}_file
    {% endif %}
    {% endfor %}

Result:

    salt 'saltstack-node1.example.com' state.sls ssh.ssh ssh.evn=ssh

yum:

    {% for list in ['5.6', '6.0', '6.5'] %}
    {% if grains['osrelease'] == list %}
    downloads_files:
      file.managed:
        - name: /etc/yum.repos.d/{{ grains['osrelease'] }}ctvonline.repo
        - user: root
        - group: root
        - mode: 644
        - source: salt://yum/files/centos{{ grains['osrelease'] }}_ctvonline.repo.erb
    {% endif %}
    {% endfor %}

Result:

profile:

    bash-prompt-default:
      file.managed:
        - name: /etc/sysconfig/bash-prompt-default
        - mode: 755
        - user: root
        - group: root
        - source: salt://profile/files/bash-prompt-default.erb

    bash-prompt-xterm:
      file.managed:
        - name: /etc/sysconfig/bash-prompt-xterm
        - mode: 755
        - user: root
        - group: root
        - source: salt://profile/files/bash-prompt-xterm.erb

snmp:
    {% set options_version = "snmpd.options" %}

    {% if grains['osrelease'] == '5.6' %}
    downloads_files_snmp5:
      file.managed:
        - name: /etc/snmp/snmpd.conf
        - user: root
        - group: root
        - mode: 644
        - source: salt://snmp/files/snmpd{{ grains['osrelease'] }}.conf.erb
        - watch_in:
          - service: snmp_service
    {% endif %}

    {% if grains['osrelease'] == '6.5' %}
    downloads_file_snmp6:
      file.managed:
        - name: /etc/snmp/snmpd.conf
        - user: root    # was misspelled "uesr", which file.managed rejects
        - group: root
        - mode: 644
        - source: salt://snmp/files/snmpd{{ grains['osrelease'] }}.conf.erb
        - watch_in:
          - service: snmp_service
    {% endif %}

    downloads_files_optios:
      file.managed:
        - name: /etc/sysconfig/{{ options_version }}
        - user: root
        - group: root
        - mode: 755
        - source: salt://snmp/files/{{ options_version }}_options.erb

    snmp_service:
      service.running:
        - name: snmpd
        - enable: True
        - reload: True    # service.running has no force-reload option

Result:

    salt 'saltstack-node1.example.com' state.sls snmp.snmp snmp.evn=snmp

syslog:

    {% if grains['osrelease'] == '6.5' %}
    {% set service_file = "rsyslog" %}
    {% set servers_version = "6" %}
    {% endif %}
    {% if grains['osrelease'] == '5.6' %}
    {% set service_file = "syslog" %}
    {% set servers_version = "5" %}
    {% endif %}
    {% if grains['osrelease'] == '4.0' %}
    {% set service_file = "syslog" %}
    {% set servers_version = "4" %}
    {% endif %}

    {% if grains['fqdn'] == 'saltstack-node1.example.com' %}
    {% set mark = "server" %}
    {% endif %}
    {% if grains['fqdn'] == 'saltstack-node2.example.com' %}
    {% set mark = "mail" %}
    {% endif %}

    {{ service_file }}.conf:
      file.managed:
        - name: /etc/{{ service_file }}.conf
        - user: root
        - group: root
        - mode: 644
        - source: salt://syslog/files/{{ service_file }}{{ grains['osrelease'] }}.conf.erb

    rsyslog_service:
      service.running:
        - name: {{ service_file }}
        - enable: True
        - full_restart: True    # service.running has no force-restart option; full_restart is the supported form
        - watch:
          - file: {{ service_file }}.conf

When the file changes, the result is:

    salt 'saltstack-node1.example.com' state.sls syslog.syslog syslog.evn=syslog

Module overview:
    pkg.install        manage packages
    service.running    manage the state of a service
    file.managed       manage files

Relationships between states (requisites):

    require       this state depends on another state
    require_in    another state depends on this one
    watch         this state watches another state and reacts when it changes
    watch_in      another state watches this one

VII. The salt-ssh module

    yum install salt-ssh    install the salt-ssh package

1. Edit the roster: vim /etc/salt/roster and add each target's IP, user, port and password; enable sudo there if it is needed.
2. Run salt-ssh.
3. Install packages with salt-ssh.