第1章 Salt日常管理
1.1 使用include文件编写sls
参见:https://blog.leonshadow.cn/763482/2148.html#112_sls
生产实践:使用include方式拆分sls文件,include的路径为当前base目录为根目录。
1.2 salt-run使用
- 测试minion是否可以连接
[root@linux-node01 ~]# salt-run manage.status
down:
up:
- linux-node01
- linux-node02
- 查看salt软件版本
[root@linux-node01 ~]# salt-run manage.versions
Master:
2019.2.5
Up to date:
----------
linux-node01:
2019.2.5
linux-node02:
2019.2.5
1.3 编排预演test=True
# 标记将要做出的修改,但实际并不执行 [root@linux-node01 ~]# salt '*' state.highstate test=True
1.4 修改minion_id
[root@linux-node02 ~]# systemctl stop salt-minion [root@linux-node02 ~]# salt-key -d linux-node02 [root@linux-node02 ~]# > /etc/salt/minion_id [root@linux-node02 ~]# rm -f /etc/salt/pki/master/minions_pre/linux-node02 [root@linux-node02 ~]# vim /etc/salt/minion 112 #id: [root@linux-node02 ~]# systemctl start salt-minion
第2章 SaltStack其他管理方式
2.1 master使用ssh远程管理(无minion)
备注:官方文档:https://docs.saltstack.com/en/latest/topics/ssh/index.html
2.1.1 安装salt-ssh服务
[root@linux-node01 ~]# yum install -y salt-ssh
备注:此时仅需要salt-ssh即可,不需要salt-master和salt-minion。
2.1.2 编辑配置文件
[root@linux-node01 ~]# vim /etc/salt/roster linux-node01: host: 10.10.10.101 user: root passwd: 123456 port: 22 linux-node02: host: 10.10.10.102 user: root passwd: 123456 port: 22
2.1.3 运行批量管理命令
[root@linux-node01 ~]# salt-ssh '*' test.ping -i
linux-node02:
True
linux-node01:
True
[root@linux-node01 ~]# salt-ssh '*' -r 'w'
linux-node02:
----------
retcode:
0
stderr:
stdout:
[email protected]'s password:
13:30:24 up 5:24, 1 user, load average: 0.03, 0.04, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.10.10.1 09:57 3:04 0.22s 0.22s -bash
linux-node01:
----------
retcode:
0
stderr:
stdout:
[email protected]'s password:
13:30:29 up 5:24, 2 users, load average: 0.07, 0.06, 0.06
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.10.10.1 09:57 13.00s 2.35s 0.08s /usr/bin/python /usr/bin/salt-ssh * -r w
root pts/1 10.10.10.1 10:12 14:37 0.11s 0.11s -bash
2.1.4 命令详解
[root@linux-node01 ~]# salt-ssh --help
Usage: salt-ssh [options] '<target>' <function> [arguments]
Options:
--version show program's version number and exit
-V, --versions-report
Show program's dependencies version number and exit.
-h, --help show this help message and exit
--saltfile=SALTFILE Specify the path to a Saltfile. If not passed, one
will be searched for in the current working directory.
-c CONFIG_DIR, --config-dir=CONFIG_DIR
Pass in an alternative configuration directory.
Default: '/etc/salt'.
--hard-crash Raise any original exception rather than exiting
gracefully. Default: False.
--no-parse=argname1,argname2,...
Comma-separated list of named CLI arguments (i.e.
argname=value) which should not be parsed as Python
data types
-r, --raw, --raw-shell
Don't execute a salt routine on the targets, execute a
raw shell command.
--roster=ROSTER Define which roster system to use, this defines if a
database backend, scanner, or custom roster system is
used. Default: 'flat'.
--roster-file=ROSTER_FILE
Define an alternative location for the default roster
file location. The default roster file is called
roster and is found in the same directory as the
master config file.
--refresh, --refresh-cache
Force a refresh of the master side data cache of the
target's data. This is needed if a target's grains
have been changed and the auto refresh timeframe has
not been reached.
--max-procs=SSH_MAX_PROCS
Set the number of concurrent minions to communicate
with. This value defines how many processes are opened
up at a time to manage connections, the more running
processes the faster communication should be. Default:
25.
--extra-filerefs=EXTRA_FILEREFS
Pass in extra files to include in the state tarball.
--min-extra-modules=MIN_EXTRA_MODS
One or comma-separated list of extra Python modulesto
be included into Minimal Salt.
--thin-extra-modules=THIN_EXTRA_MODS
One or comma-separated list of extra Python modulesto
be included into Thin Salt.
-v, --verbose Turn on command verbosity, display jid.
-s, --static Return the data from minions as a group after they all
return.
-w, --wipe Remove the deployment of the salt files when done
executing.
-W, --rand-thin-dir Select a random temp dir to deploy on the remote
system. The dir will be cleaned after the execution.
-t, --regen-thin, --thin
Trigger a thin tarball regeneration. This is needed if
custom grains/modules/states have been added or
updated.
--python2-bin=PYTHON2_BIN
Path to a python2 binary which has salt installed.
--python3-bin=PYTHON3_BIN
Path to a python3 binary which has salt installed.
--jid=JID Pass a JID to be used instead of generating one.
Logging Options:
Logging options which override any settings defined on the
configuration files.
-l LOG_LEVEL, --log-level=LOG_LEVEL
Console logging log level. One of 'all', 'garbage',
'trace', 'debug', 'profile', 'info', 'warning',
'error', 'critical', 'quiet'. Default: 'warning'.
--log-file=SSH_LOG_FILE
Log file path. Default: '/var/log/salt/ssh'.
--log-file-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of 'all', 'garbage',
'trace', 'debug', 'profile', 'info', 'warning',
'error', 'critical', 'quiet'. Default: 'warning'.
Target Options:
Target selection options.
-H, --hosts List all known hosts to currently visible or other
specified rosters
-E, --pcre Instead of using shell globs to evaluate the target
servers, use pcre regular expressions.
-L, --list Instead of using shell globs to evaluate the target
servers, take a comma or whitespace delimited list of
servers.
-G, --grain Instead of using shell globs to evaluate the target
use a grain value to identify targets, the syntax for
the target is the grain key followed by a
globexpression: "os:Arch*".
-P, --grain-pcre Instead of using shell globs to evaluate the target
use a grain value to identify targets, the syntax for
the target is the grain key followed by a pcre regular
expression: "os:Arch.*".
-N, --nodegroup Instead of using shell globs to evaluate the target
use one of the predefined nodegroups to identify a
list of targets.
-R, --range Instead of using shell globs to evaluate the target
use a range expression to identify targets. Range
expressions look like %cluster.
Additional Target Options:
Additional options for minion targeting.
--delimiter=DELIMITER
Change the default delimiter for matching in multi-
level data structures. Default: ':'.
Output Options:
Configure your preferred output format.
--out=OUTPUT, --output=OUTPUT
Print the output from the 'salt-ssh' command using the
specified outputter.
--out-indent=OUTPUT_INDENT, --output-indent=OUTPUT_INDENT
Print the output indented by the provided value in
spaces. Negative values disables indentation. Only
applicable in outputters that support indentation.
--out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE
Write the output to the specified file.
--out-file-append, --output-file-append
Append the output to the specified file.
--no-color, --no-colour
Disable all colored output.
--force-color, --force-colour
Force colored output.
--state-output=STATE_OUTPUT, --state_output=STATE_OUTPUT
Override the configured state_output value for minion
output. One of 'full', 'terse', 'mixed', 'changes' or
'filter'. Default: 'none'.
--state-verbose=STATE_VERBOSE, --state_verbose=STATE_VERBOSE
Override the configured state_verbose value for minion
output. Set to True or False. Default: none.
SSH Options:
Parameters for the SSH client.
--remote-port-forwards=SSH_REMOTE_PORT_FORWARDS
Setup remote port forwarding using the same syntax as
with the -R parameter of ssh. A comma separated list
of port forwarding definitions will be translated into
multiple -R parameters.
--ssh-option=SSH_OPTIONS
Equivalent to the -o ssh command option. Passes
options to the SSH client in the format used in the
client configuration file. Can be used multiple times.
Authentication Options:
Parameters affecting authentication.
--priv=SSH_PRIV Ssh private key file.
--priv-passwd=SSH_PRIV_PASSWD
Passphrase for ssh private key file.
-i, --ignore-host-keys
By default ssh host keys are honored and connections
will ask for approval. Use this option to disable
StrictHostKeyChecking.
--no-host-keys Removes all host key checking functionality from SSH
session.
--user=SSH_USER Set the default user to attempt to use when
authenticating.
--passwd=SSH_PASSWD
Set the default password to attempt to use when
authenticating.
--askpass Interactively ask for the SSH password with no echo -
avoids password in process args and stored in history.
--key-deploy Set this flag to attempt to deploy the authorized ssh
key with all minions. This combined with --passwd can
make initial deployment of keys very fast and easy.
--identities-only Use the only authentication identity files configured
in the ssh_config files. See IdentitiesOnly flag in
man ssh_config.
--sudo Run command via sudo.
--update-roster If hostname is not found in the roster, store the
informationinto the default roster file (flat).
Scan Roster Options:
Parameters affecting scan roster.
--scan-ports=SSH_SCAN_PORTS
Comma-separated list of ports to scan in the scan
roster.
--scan-timeout=SSH_SCAN_TIMEOUT
Scanning socket timeout for the scan roster.
You can find additional help about salt-ssh issuing "man salt-ssh" or on
http://docs.saltstack.com
2.1.5 运行原理
- Master端将要执行的命令打包发送给要执行的客户端
- 客户端在本地解包执行命令
- 客户端将执行命令后的结果发送给Master
备注:salt-ssh执行命令并不是每次通过SSH连接到客户端执行命令的。
2.2 minion本地管理(无Master)
备注:此时仅需要salt-minion服务即可,不需要salt-master。
2.2.1 安装minion服务
[root@linux-node02 ~]# yum install -y salt-minion
2.2.2 修改配置文件
[root@linux-node02 ~]# vim /etc/salt/minion 574 file_client: local # 添加以下内容 594 file_roots: 595 base: 596 - /srv/salt/base 597 dev: 598 - /srv/salt/dev 599 test: 600 - /srv/salt/test 601 prod: 602 - /srv/salt/prod
2.2.3 创建配置文件目录
[root@linux-node02 ~]# mkdir -p /srv/salt/{base,dev,test,prod}
2.2.4 关闭minion服务
[root@linux-node02 ~]# systemctl stop salt-minion
2.2.5 执行管理命令
[root@linux-node02 ~]# salt-call --local state.sls web.tomcat
local:
----------
ID: jdk-install
Function: pkg.installed
Name: java-1.8.0-openjdk
Result: True
Comment: All specified packages are already installed
Started: 10:19:08.534559
Duration: 1233.081 ms
Changes:
----------
ID: tomcat-group
Function: group.present
Name: java
Result: True
Comment: Group java is present and up to date
Started: 10:19:09.768458
Duration: 0.696 ms
Changes:
----------
ID: tomcat-user
Function: user.present
Name: java
Result: True
Comment: User java is present and up to date
Started: 10:19:09.770256
Duration: 1.212 ms
Changes:
----------
ID: tomcat-install
Function: file.managed
Name: /server/tools/apache-tomcat-8.5.43.tar.gz
Result: True
Comment: File /server/tools/apache-tomcat-8.5.43.tar.gz is in the correct state
Started: 10:19:09.773772
Duration: 693.251 ms
Changes:
----------
ID: tomcat-install
Function: cmd.run
Name: cd /server/tools/ && tar xf apache-tomcat-8.5.43.tar.gz && mv apache-tomcat-8.5.43 /home/java/tomcat-8.5.43
Result: True
Comment: unless condition is true
Started: 10:19:10.468042
Duration: 47.842 ms
Changes:
----------
ID: tomcat-security
Function: file.directory
Name: /home/java/tomcat-8.5.43
Result: True
Comment: The directory /home/java/tomcat-8.5.43 is in the correct state
Started: 10:19:10.516747
Duration: 108.957 ms
Changes:
Summary for local
------------
Succeeded: 6
Failed: 0
------------
Total states run: 6
Total run time: 2.085 s
2.3 API远程管理
API管理必须使用https协议,若无https需要先生成ssl证书并配置https。
2.3.1 安装salt-api服务
[root@linux-node01 ~]# yum install -y salt-api
2.3.2 生成自签名证书(可选)
[root@linux-node01 ~]# yum install -y salt-minion pyOpenSSL # salt-call命令在salt-minion包中 [root@linux-node01 ~]# salt-call --local tls.create_self_signed_cert local: Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."
2.3.3 创建服务用户和密码
[root@linux-node01 ~]# useradd -M -s /sbin/nologin saltapi [root@linux-node01 ~]# echo "123456" | passwd saltapi --stdin
2.3.4 编辑配置文件
[root@linux-node01 ~]# vim /etc/salt/master
12 default_include: master.d/*.conf
[root@linux-node01 ~]# vim /etc/salt/master.d/api.conf
rest_cherrypy:
host: 10.10.10.101
port: 8000
ssl_crt: /etc/pki/tls/certs/localhost.crt
ssl_key: /etc/pki/tls/certs/localhost.key
[root@linux-node01 ~]# vim /etc/salt/master.d/auth.conf
external_auth:
pam:
saltapi: # Authorized user
- .* # to allow access to all
- '@wheel' # to allow access to all wheel modules
- '@runner' # to allow access to all runner modules
- '@jobs' # to allow access to the jobs runner and/or wheel module
2.3.5 重启master服务
[root@linux-node01 ~]# systemctl restart salt-master [root@linux-node01 ~]# systemctl restart salt-api
2.3.6 使用salt-api
2.3.6.1 获取用户token
[root@linux-node02 ~]# curl -sSk https://10.10.10.101:8000/login \
-H 'Accept: application/x-yaml' \
-d username=saltapi \
-d password=123456 \
-d eauth=pam
return:
- eauth: pam
expire: 1594924413.556822
perms:
- .*
- '@wheel'
- '@runner'
- '@jobs'
start: 1594881213.556821
token: cb0f6e82428daf87c0cd0e21bc28abaddd5b0d95
user: saltapi
2.3.6.2 执行模块
[root@linux-node01 ~]# curl -sSk https://10.10.10.101:8000 \
-H 'Accept: application/x-yaml' \
-H 'X-Auth-Token: cb0f6e82428daf87c0cd0e21bc28abaddd5b0d95 '\
-d client=local \
-d tgt='*' \
-d fun=test.ping
return:
- linux-node02: true
linux-node01: true
2.3.6.3 执行模块加参数
[root@linux-node01 ~]# curl -sSk https://10.10.10.101:8000 \
-H 'Accept: application/x-yaml' \
-H 'X-Auth-Token: cb0f6e82428daf87c0cd0e21bc28abaddd5b0d95 '\
-d client=local \
-d tgt='*' \
-d fun=cmd.run -d arg='uptime'
return:
- linux-node02: ' 17:18:40 up 49 min, 1 user, load average: 0.00, 0.01, 0.05'
linux-node01: ' 17:18:40 up 50 min, 1 user, load average: 0.40, 0.23, 0.13'
2.3.6.4 获取Grains
[root@linux-node01 ~]# curl -sSk https://10.10.10.101:8000/minions/linux-node02 \
-H 'Accept: application/x-yaml' \
-H 'X-Auth-Token: cb0f6e82428daf87c0cd0e21bc28abaddd5b0d95'
return:
- linux-node02:
SSDs: []
biosreleasedate: 07/29/2019
biosversion: '6.00'
cpu_flags:
……
virtual: VMware
zfs_feature_flags: false
zfs_support: false
zmqversion: 4.1.4
我的微信
如果有技术上的问题可以扫一扫我的微信
