SaltStack Introduction - Daily Management (Part 5)

Chapter 1 Salt Daily Management

1.1 Writing sls files with include

See: https://blog.leonshadow.cn/763482/2148.html#112_sls

Production practice: split sls files with include; include paths are resolved with the current base directory as their root.

1.2 Using salt-run

  • Test whether the minions can connect
[root@linux-node01 ~]# salt-run manage.status
down:
up:
    - linux-node01
    - linux-node02
  • Check the Salt version
[root@linux-node01 ~]# salt-run manage.versions
Master:
    2019.2.5
Up to date:
    ----------
    linux-node01:
        2019.2.5
    linux-node02:
        2019.2.5

1.3 Dry-running states with test=True

# Show the changes that would be made without actually applying them
[root@linux-node01 ~]# salt '*' state.highstate test=True

1.4 Changing the minion_id

[root@linux-node02 ~]# systemctl stop salt-minion
# salt-key works on the master's key store: delete the old accepted key
[root@linux-node02 ~]# salt-key -d linux-node02
# empty the cached id so the minion regenerates it on the next start
[root@linux-node02 ~]# > /etc/salt/minion_id
# master side: drop any pending (unaccepted) key for the old id
[root@linux-node02 ~]# rm -f /etc/salt/pki/master/minions_pre/linux-node02
[root@linux-node02 ~]# vim /etc/salt/minion
# keep id commented out so the id is derived from the hostname
112 #id:
[root@linux-node02 ~]# systemctl start salt-minion

Chapter 2 Other SaltStack management methods

2.1 Managing hosts from the master over SSH (no minion)

Note: official documentation: https://docs.saltstack.com/en/latest/topics/ssh/index.html

2.1.1 Install salt-ssh

[root@linux-node01 ~]# yum install -y salt-ssh

Note: only salt-ssh is needed here; salt-master and salt-minion are not required.

2.1.2 Edit the configuration file

[root@linux-node01 ~]# vim /etc/salt/roster
linux-node01:
  host: 10.10.10.101
  user: root
  passwd: 123456   # plaintext password in the roster; an SSH key via priv: is the usual production choice
  port: 22

linux-node02:
  host: 10.10.10.102
  user: root
  passwd: 123456
  port: 22

2.1.3 Run batch management commands

# -i disables StrictHostKeyChecking (see 2.1.4); use it only for the first run, while the host keys are still unknown
[root@linux-node01 ~]# salt-ssh '*' test.ping -i
linux-node02:
    True
linux-node01:
    True

[root@linux-node01 ~]# salt-ssh '*' -r 'w'
linux-node02:
    ----------
    retcode:
        0
    stderr:
    stdout:
        root@10.10.10.102's password: 
         13:30:24 up  5:24,  1 user,  load average: 0.03, 0.04, 0.05
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    10.10.10.1       09:57    3:04   0.22s  0.22s -bash
linux-node01:
    ----------
    retcode:
        0
    stderr:
    stdout:
        root@10.10.10.101's password: 
         13:30:29 up  5:24,  2 users,  load average: 0.07, 0.06, 0.06
        USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
        root     pts/0    10.10.10.1       09:57   13.00s  2.35s  0.08s /usr/bin/python /usr/bin/salt-ssh * -r w
        root     pts/1    10.10.10.1       10:12   14:37   0.11s  0.11s -bash

2.1.4 Command reference

[root@linux-node01 ~]# salt-ssh --help
Usage: salt-ssh [options] '<target>' <function> [arguments]

Options:
  --version             show program's version number and exit
  -V, --versions-report
                        Show program's dependencies version number and exit.
  -h, --help            show this help message and exit
  --saltfile=SALTFILE   Specify the path to a Saltfile. If not passed, one
                        will be searched for in the current working directory.
  -c CONFIG_DIR, --config-dir=CONFIG_DIR
                        Pass in an alternative configuration directory.
                        Default: '/etc/salt'.
  --hard-crash          Raise any original exception rather than exiting
                        gracefully. Default: False.
  --no-parse=argname1,argname2,...
                        Comma-separated list of named CLI arguments (i.e.
                        argname=value) which should not be parsed as Python
                        data types
  -r, --raw, --raw-shell
                        Don't execute a salt routine on the targets, execute a
                        raw shell command.
  --roster=ROSTER       Define which roster system to use, this defines if a
                        database backend, scanner, or custom roster system is
                        used. Default: 'flat'.

  --roster-file=ROSTER_FILE
                        Define an alternative location for the default roster
                        file location. The default roster file is called
                        roster and is found in the same directory as the
                        master config file.
  --refresh, --refresh-cache
                        Force a refresh of the master side data cache of the
                        target's data. This is needed if a target's grains
                        have been changed and the auto refresh timeframe has
                        not been reached.
  --max-procs=SSH_MAX_PROCS
                        Set the number of concurrent minions to communicate
                        with. This value defines how many processes are opened
                        up at a time to manage connections, the more running
                        processes the faster communication should be. Default:
                        25.
  --extra-filerefs=EXTRA_FILEREFS
                        Pass in extra files to include in the state tarball.
  --min-extra-modules=MIN_EXTRA_MODS
                        One or comma-separated list of extra Python modulesto
                        be included into Minimal Salt.
  --thin-extra-modules=THIN_EXTRA_MODS
                        One or comma-separated list of extra Python modulesto
                        be included into Thin Salt.
  -v, --verbose         Turn on command verbosity, display jid.
  -s, --static          Return the data from minions as a group after they all
                        return.
  -w, --wipe            Remove the deployment of the salt files when done
                        executing.
  -W, --rand-thin-dir   Select a random temp dir to deploy on the remote
                        system. The dir will be cleaned after the execution.
  -t, --regen-thin, --thin
                        Trigger a thin tarball regeneration. This is needed if
                        custom grains/modules/states have been added or
                        updated.
  --python2-bin=PYTHON2_BIN
                        Path to a python2 binary which has salt installed.
  --python3-bin=PYTHON3_BIN
                        Path to a python3 binary which has salt installed.
  --jid=JID             Pass a JID to be used instead of generating one.

  Logging Options:
    Logging options which override any settings defined on the
    configuration files.

    -l LOG_LEVEL, --log-level=LOG_LEVEL
                        Console logging log level. One of 'all', 'garbage',
                        'trace', 'debug', 'profile', 'info', 'warning',
                        'error', 'critical', 'quiet'. Default: 'warning'.
    --log-file=SSH_LOG_FILE
                        Log file path. Default: '/var/log/salt/ssh'.
    --log-file-level=LOG_LEVEL_LOGFILE
                        Logfile logging log level. One of 'all', 'garbage',
                        'trace', 'debug', 'profile', 'info', 'warning',
                        'error', 'critical', 'quiet'. Default: 'warning'.

  Target Options:
    Target selection options.

    -H, --hosts         List all known hosts to currently visible or other
                        specified rosters
    -E, --pcre          Instead of using shell globs to evaluate the target
                        servers, use pcre regular expressions.
    -L, --list          Instead of using shell globs to evaluate the target
                        servers, take a comma or whitespace delimited list of
                        servers.
    -G, --grain         Instead of using shell globs to evaluate the target
                        use a grain value to identify targets, the syntax for
                        the target is the grain key followed by a
                        globexpression: "os:Arch*".
    -P, --grain-pcre    Instead of using shell globs to evaluate the target
                        use a grain value to identify targets, the syntax for
                        the target is the grain key followed by a pcre regular
                        expression: "os:Arch.*".
    -N, --nodegroup     Instead of using shell globs to evaluate the target
                        use one of the predefined nodegroups to identify a
                        list of targets.
    -R, --range         Instead of using shell globs to evaluate the target
                        use a range expression to identify targets. Range
                        expressions look like %cluster.

  Additional Target Options:
    Additional options for minion targeting.

    --delimiter=DELIMITER
                        Change the default delimiter for matching in multi-
                        level data structures. Default: ':'.

  Output Options:
    Configure your preferred output format.

    --out=OUTPUT, --output=OUTPUT
                        Print the output from the 'salt-ssh' command using the
                        specified outputter.
    --out-indent=OUTPUT_INDENT, --output-indent=OUTPUT_INDENT
                        Print the output indented by the provided value in
                        spaces. Negative values disables indentation. Only
                        applicable in outputters that support indentation.
    --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Write the output to the specified file.
    --out-file-append, --output-file-append
                        Append the output to the specified file.
    --no-color, --no-colour
                        Disable all colored output.
    --force-color, --force-colour
                        Force colored output.
    --state-output=STATE_OUTPUT, --state_output=STATE_OUTPUT
                        Override the configured state_output value for minion
                        output. One of 'full', 'terse', 'mixed', 'changes' or
                        'filter'. Default: 'none'.
    --state-verbose=STATE_VERBOSE, --state_verbose=STATE_VERBOSE
                        Override the configured state_verbose value for minion
                        output. Set to True or False. Default: none.

  SSH Options:
    Parameters for the SSH client.

    --remote-port-forwards=SSH_REMOTE_PORT_FORWARDS
                        Setup remote port forwarding using the same syntax as
                        with the -R parameter of ssh. A comma separated list
                        of port forwarding definitions will be translated into
                        multiple -R parameters.
    --ssh-option=SSH_OPTIONS
                        Equivalent to the -o ssh command option. Passes
                        options to the SSH client in the format used in the
                        client configuration file. Can be used multiple times.

  Authentication Options:
    Parameters affecting authentication.

    --priv=SSH_PRIV     Ssh private key file.
    --priv-passwd=SSH_PRIV_PASSWD
                        Passphrase for ssh private key file.
    -i, --ignore-host-keys
                        By default ssh host keys are honored and connections
                        will ask for approval. Use this option to disable
                        StrictHostKeyChecking.
    --no-host-keys      Removes all host key checking functionality from SSH
                        session.
    --user=SSH_USER     Set the default user to attempt to use when
                        authenticating.
    --passwd=SSH_PASSWD
                        Set the default password to attempt to use when
                        authenticating.
    --askpass           Interactively ask for the SSH password with no echo -
                        avoids password in process args and stored in history.
    --key-deploy        Set this flag to attempt to deploy the authorized ssh
                        key with all minions. This combined with --passwd can
                        make initial deployment of keys very fast and easy.
    --identities-only   Use the only authentication identity files configured
                        in the ssh_config files. See IdentitiesOnly flag in
                        man ssh_config.
    --sudo              Run command via sudo.
    --update-roster     If hostname is not found in the roster, store the
                        informationinto the default roster file (flat).

  Scan Roster Options:
    Parameters affecting scan roster.

    --scan-ports=SSH_SCAN_PORTS
                        Comma-separated list of ports to scan in the scan
                        roster.
    --scan-timeout=SSH_SCAN_TIMEOUT
                        Scanning socket timeout for the scan roster.

You can find additional help about salt-ssh issuing "man salt-ssh" or on
http://docs.saltstack.com

2.1.5 How it works

  1. The master packages the command to be executed and sends it to the target client
  2. The client unpacks the package and executes the command locally
  3. The client sends the result of the command back to the master

Note: salt-ssh does not run each command by executing it inside an SSH session on the client; the command is shipped, executed locally on the client, and only the result is returned.

2.2 Local minion management (no master)

Note: only the salt-minion service is needed here; salt-master is not required.

2.2.1 Install the minion service

[root@linux-node02 ~]# yum install -y salt-minion

2.2.2 Edit the configuration file

[root@linux-node02 ~]# vim /etc/salt/minion
574 file_client: local
# add the following
594 file_roots:
595   base:
596     - /srv/salt/base
597   dev:
598     - /srv/salt/dev
599   test:
600     - /srv/salt/test
601   prod:
602     - /srv/salt/prod

2.2.3 Create the state directories

[root@linux-node02 ~]# mkdir -p /srv/salt/{base,dev,test,prod}

2.2.4 Stop the minion service

[root@linux-node02 ~]# systemctl stop salt-minion

2.2.5 Run management commands

[root@linux-node02 ~]# salt-call --local state.sls web.tomcat
local:
----------
          ID: jdk-install
    Function: pkg.installed
        Name: java-1.8.0-openjdk
      Result: True
     Comment: All specified packages are already installed
     Started: 10:19:08.534559
    Duration: 1233.081 ms
     Changes:   
----------
          ID: tomcat-group
    Function: group.present
        Name: java
      Result: True
     Comment: Group java is present and up to date
     Started: 10:19:09.768458
    Duration: 0.696 ms
     Changes:   
----------
          ID: tomcat-user
    Function: user.present
        Name: java
      Result: True
     Comment: User java is present and up to date
     Started: 10:19:09.770256
    Duration: 1.212 ms
     Changes:   
----------
          ID: tomcat-install
    Function: file.managed
        Name: /server/tools/apache-tomcat-8.5.43.tar.gz
      Result: True
     Comment: File /server/tools/apache-tomcat-8.5.43.tar.gz is in the correct state
     Started: 10:19:09.773772
    Duration: 693.251 ms
     Changes:   
----------
          ID: tomcat-install
    Function: cmd.run
        Name: cd /server/tools/ && tar xf apache-tomcat-8.5.43.tar.gz && mv apache-tomcat-8.5.43 /home/java/tomcat-8.5.43
      Result: True
     Comment: unless condition is true
     Started: 10:19:10.468042
    Duration: 47.842 ms
     Changes:   
----------
          ID: tomcat-security
    Function: file.directory
        Name: /home/java/tomcat-8.5.43
      Result: True
     Comment: The directory /home/java/tomcat-8.5.43 is in the correct state
     Started: 10:19:10.516747
    Duration: 108.957 ms
     Changes:   

Summary for local
------------
Succeeded: 6
Failed:    0
------------
Total states run:     6
Total run time:   2.085 s

2.3 Remote management via the API

Note: official documentation: https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html#a-rest-api-for-salt

API management must use HTTPS; if HTTPS is not yet available, generate an SSL certificate and configure HTTPS first.

2.3.1 Install the salt-api service

[root@linux-node01 ~]# yum install -y salt-api

2.3.2 Generate a self-signed certificate (optional)

[root@linux-node01 ~]# yum install -y salt-minion pyOpenSSL
# the salt-call command ships in the salt-minion package
[root@linux-node01 ~]# salt-call --local tls.create_self_signed_cert
local:
Created Private Key: "/etc/pki/tls/certs/localhost.key." Created Certificate: "/etc/pki/tls/certs/localhost.crt."

2.3.3 Create the service user and password

[root@linux-node01 ~]# useradd -M -s /sbin/nologin saltapi
[root@linux-node01 ~]# echo "123456" | passwd saltapi --stdin

2.3.4 Edit the configuration files

[root@linux-node01 ~]# vim /etc/salt/master
12 default_include: master.d/*.conf

[root@linux-node01 ~]# vim /etc/salt/master.d/api.conf
rest_cherrypy:
  host: 10.10.10.101
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key

[root@linux-node01 ~]# vim /etc/salt/master.d/auth.conf
external_auth:
  pam:
    saltapi:       # Authorized user
      - .*         # to allow access to all execution modules on every minion; narrow this to the functions and targets the API caller needs in production
      - '@wheel'   # to allow access to all wheel modules
      - '@runner'  # to allow access to all runner modules
      - '@jobs'    # to allow access to the jobs runner and/or wheel module

2.3.5 Restart the master services

[root@linux-node01 ~]# systemctl restart salt-master
[root@linux-node01 ~]# systemctl restart salt-api

2.3.6 Using salt-api

2.3.6.1 Obtain a user token

[root@linux-node02 ~]# curl -sSk https://10.10.10.101:8000/login \
     -H 'Accept: application/x-yaml' \
     -d username=saltapi \
     -d password=123456 \
     -d eauth=pam
return:
- eauth: pam
  expire: 1594924413.556822
  perms:
  - .*
  - '@wheel'
  - '@runner'
  - '@jobs'
  start: 1594881213.556821
  token: cb0f6e82428daf87c0cd0e21bc28abaddd5b0d95
  user: saltapi

2.3.6.2 Run a module

[root@linux-node01 ~]# curl -sSk https://10.10.10.101:8000 \
    -H 'Accept: application/x-yaml' \
    -H 'X-Auth-Token: cb0f6e82428daf87c0cd0e21bc28abaddd5b0d95' \
    -d client=local \
    -d tgt='*' \
    -d fun=test.ping
return:
- linux-node02: true
  linux-node01: true

2.3.6.3 Run a module with arguments

[root@linux-node01 ~]# curl -sSk https://10.10.10.101:8000 \
    -H 'Accept: application/x-yaml' \
    -H 'X-Auth-Token: cb0f6e82428daf87c0cd0e21bc28abaddd5b0d95' \
    -d client=local \
    -d tgt='*' \
    -d fun=cmd.run -d arg='uptime'
return:
- linux-node02: ' 17:18:40 up 49 min,  1 user,  load average: 0.00, 0.01, 0.05'
  linux-node01: ' 17:18:40 up 50 min,  1 user,  load average: 0.40, 0.23, 0.13'

2.3.6.4 Get grains

[root@linux-node01 ~]# curl -sSk https://10.10.10.101:8000/minions/linux-node02 \
    -H 'Accept: application/x-yaml' \
    -H 'X-Auth-Token: cb0f6e82428daf87c0cd0e21bc28abaddd5b0d95'
return:
- linux-node02:
    SSDs: []
    biosreleasedate: 07/29/2019
    biosversion: '6.00'
    cpu_flags:
    ……
    virtual: VMware
    zfs_feature_flags: false
    zfs_support: false
    zmqversion: 4.1.4
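As an added example (not code from the original post), a small Python client for the rest_cherrypy API used in 2.3.6: it verifies the master's certificate instead of passing -k as the curl calls do, keeps the password and token out of the process argument list, and checks token expiry before reusing a token. The master address, user name and the recorded login response come from the post; CA_FILE is an assumed path for a copy of the self-signed certificate on the client, and the JSON bodies rely on rest_cherrypy accepting application/json alongside the form data used above.

```python
import json
import ssl
import time
import urllib.request

API_URL = "https://10.10.10.101:8000"         # master host/port from api.conf above
CA_FILE = "/etc/pki/tls/certs/localhost.crt"  # self-signed cert from 2.3.2, assumed copied to the client
# Login response recorded in 2.3.6.1 (constructed here, trimmed to the fields used below)
SAMPLE_LOGIN = ('{"return": [{"eauth": "pam", "expire": 1594924413.556822, "perms": [".*"],'
                ' "start": 1594881213.556821, "token": "cb0f6e82428daf87c0cd0e21bc28abaddd5b0d95",'
                ' "user": "saltapi"}]}')
JSON = {"Accept": "application/json", "Content-Type": "application/json"}

def ssl_context(ca_file=None):
    # Verify the server certificate (curl -k in the post skips this); trusting exactly
    # the self-signed file as the CA is enough for a single master.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname, ctx.verify_mode = True, ssl.CERT_REQUIRED
    return ctx

def login_request(username, password, eauth="pam"):
    # POST /login with a JSON body: credentials go in the body, never in argv or the URL.
    body = json.dumps({"username": username, "password": password, "eauth": eauth}).encode()
    return urllib.request.Request(API_URL + "/login", data=body, headers=JSON, method="POST")

def first_return(text):
    # Every answer looks like {"return": [ ... ]}; the first element is the payload
    # (the token dict for /login, a {minion: result} dict for a run).
    return json.loads(text)["return"][0]

def token_valid(login, now=None):
    # Tokens last 12 hours (expire - start in the recorded response); check before reusing one.
    now = time.time() if now is None else now
    return login["start"] <= now < login["expire"]

def run_request(token, tgt, fun, arg=None):
    # POST / with a lowstate list; the token travels in X-Auth-Token, as in the curl calls above.
    low = {"client": "local", "tgt": tgt, "fun": fun}
    if arg is not None:
        low["arg"] = list(arg)
    return urllib.request.Request(API_URL + "/", data=json.dumps([low]).encode(),
                                  headers={**JSON, "X-Auth-Token": token}, method="POST")

def call(req, ctx):
    # Live round trip; only used when the master is reachable and CA_FILE exists.
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    login = first_return(SAMPLE_LOGIN)
    print("recorded token still valid:", token_valid(login))  # False: it expired in July 2020
    # Live use: ctx = ssl_context(CA_FILE); login = first_return(call(login_request("saltapi", "<password>"), ctx))
    #           print(first_return(call(run_request(login["token"], "*", "test.ping"), ctx)))
```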
Note: this article was last updated on 2022-12-20 20:57:38.
Source: https://blog.leonshadow.cn/763482/2145.html