saltstack自动化管理平台搭建
| 主机名: | 角色: | IP |
| master.linuxfan.cn | 管理控制服务器master | 10.0.0.30 |
| minion1.linuxfan.cn | 被控节点1 | 10.0.0.40 |
| minion2.linuxfan.cn | 被控节点2 | 10.0.0.50 |
1: 修改主机的主机名,hosts解析配置:
(1)master配置主机名和hosts:
[root@localhost ~]# hostnamectl set-hostname master.linuxfan.cn [root@localhost ~]# bash [root@master ~]# hostname master.linuxfan.cn [root@master ~]# cat <<end >>/etc/hosts > 10.0.0.30 master.linuxfan.cn > 10.0.0.40 minion1.linuxfan.cn > 10.0.0.50 minion2.linuxfan.cn > end [root@master ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.0.0.30 master.linuxfan.cn 10.0.0.40 minion1.linuxfan.cn 10.0.0.50 minion2.linuxfan.cn
测试可以解析
[root@master ~]# ping minion1.linuxfan.cn PING minion1.linuxfan.cn (10.0.0.40) 56(84) bytes of data. 64 bytes from minion1.linuxfan.cn (10.0.0.40): icmp_seq=1 ttl=64 time=1.09 ms
hosts信息可以同步到其它两台节点服务器上:
使用rsync同步工具,加上for循环,将hosts配置文件同步到两台节点服务器上。可以使用dns解析替代hosts解析
[root@master ~]# for i in 40 50;do rsync -av /etc/hosts root@10.0.0.$i:/etc/;done The authenticity of host '10.0.0.40 (10.0.0.40)' can't be established. ECDSA key fingerprint is f4:cd:b5:72:f7:ed:58:8d:ad:34:53:d4:b6:bc:71:e2. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.0.0.40' (ECDSA) to the list of known hosts. root@10.0.0.40's password: sending incremental file list hosts sent 323 bytes received 37 bytes 102.86 bytes/sec total size is 250 speedup is 0.69 The authenticity of host '10.0.0.50 (10.0.0.50)' can't be established. ECDSA key fingerprint is f4:cd:b5:72:f7:ed:58:8d:ad:34:53:d4:b6:bc:71:e2. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.0.0.50' (ECDSA) to the list of known hosts. root@10.0.0.50's password: sending incremental file list hosts sent 323 bytes received 37 bytes 144.00 bytes/sec total size is 250 speedup is 0.69
(2)minion1-2节点配置主机名和hosts:
[root@localhost ~]# hostnamectl set-hostname minion1.linuxfan.cn [root@localhost ~]# bash [root@minion1 ~]# hostname minion1.linuxfan.cn ##hosts刚才已经同步过来了,查看验证一下。 [root@minion1 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.0.0.30 master.linuxfan.cn 10.0.0.40 minion1.linuxfan.cn 10.0.0.50 minion2.linuxfan.cn [root@minion1 ~]# ##解析没有任何问题 [root@minion1 ~]# ping master.linuxfan.cn -c 4 PING master.linuxfan.cn (10.0.0.30) 56(84) bytes of data. 64 bytes from master.linuxfan.cn (10.0.0.30): icmp_seq=1 ttl=64 time=0.284 ms 64 bytes from master.linuxfan.cn (10.0.0.30): icmp_seq=2 ttl=64 time=0.570 ms 64 bytes from master.linuxfan.cn (10.0.0.30): icmp_seq=3 ttl=64 time=0.532 ms 64 bytes from master.linuxfan.cn (10.0.0.30): icmp_seq=4 ttl=64 time=0.274 ms
节点2
[root@localhost ~]# [root@localhost ~]# hostnamectl set-hostname minion2.linuxfan.cn [root@localhost ~]# bash [root@minion2 ~]# hostname minion2.linuxfan.cn [root@minion2 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.0.0.30 master.linuxfan.cn 10.0.0.40 minion1.linuxfan.cn 10.0.0.50 minion2.linuxfan.cn [root@minion2 ~]# [root@minion2 ~]# ping -c 4 master.linuxfan.cn PING master.linuxfan.cn (10.0.0.30) 56(84) bytes of data. 64 bytes from master.linuxfan.cn (10.0.0.30): icmp_seq=1 ttl=64 time=0.376 ms 64 bytes from master.linuxfan.cn (10.0.0.30): icmp_seq=2 ttl=64 time=0.429 ms 64 bytes from master.linuxfan.cn (10.0.0.30): icmp_seq=3 ttl=64 time=0.542 ms 64 bytes from master.linuxfan.cn (10.0.0.30): icmp_seq=4 ttl=64 time=0.387 ms
2: 安装软件:
(1)master控制端安装salt-master软件:
下载epel-release这个yum源 来安装salt-master
[root@master ~]# yum -y install epel-release
安装master管理控制端
[root@master ~]# yum -y install salt-master
启动服务,设置开机启动:
我喜欢用for循环语句来实现,使用下面命令可以实现重启服务,加入开机启动,查看状态的目的
[root@master ~]# for i in enable restart status;do systemctl $i salt-master;done Created symlink from /etc/systemd/system/multi-user.target.wants/salt-master.service to /usr/lib/systemd/system/salt-master.service. ● salt-master.service - The Salt Master Server Loaded: loaded (/usr/lib/systemd/system/salt-master.service; enabled; vendor preset: disabled) Active: active (running) since 三 2017-08-16 15:24:57 CST; 18ms ago Main PID: 16188 (salt-master) CGroup: /system.slice/salt-master.service ├─16188 /usr/bin/python /usr/bin/salt-master └─16198 /usr/bin/python /usr/bin/salt-master 8月 16 15:24:56 master.linuxfan.cn systemd[1]: Starting The Salt Master Server... 8月 16 15:24:57 master.linuxfan.cn systemd[1]: Started The Salt Master Server.
它的监听端口是 4505 4506两个,4505是saltstack的消息发布系统,4506为saltstack客户端与服务端通信的端口
[root@master ~]# netstat -utpln |grep 45 tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN 16199/python tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN 16219/python
(2)minion节点安装salt-minion节点端服务: (所有节点都做这样的操作)
下载安装yum源:
[root@minion1 ~]# yum -y install epel-release
安装节点端服务:
[root@minion1 ~]# yum -y install salt-minion
修改配置文件: ##修改配置文件,指向master端管理节点的主机地址
[root@minion1 ~]# vi /etc/salt/minion 16 master: master.linuxfan.cn
启动服务:
[root@minion1 ~]# for i in enable restart status;do systemctl $i salt-minion;done Created symlink from /etc/systemd/system/multi-user.target.wants/salt-minion.service to /usr/lib/systemd/system/salt-minion.service. ● salt-minion.service - The Salt Minion Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; enabled; vendor preset: disabled) Active: active (running) since 三 2017-08-16 15:42:19 CST; 45ms ago Main PID: 16209 (salt-minion) CGroup: /system.slice/salt-minion.service └─16209 /usr/bin/python /usr/bin/salt-minion 8月 16 15:42:19 minion1.linuxfan.cn systemd[1]: Started The Salt Minion. 8月 16 15:42:19 minion1.linuxfan.cn systemd[1]: Starting The Salt Minion... 所有节点都要做这些操作。
3: 授权
minion节点上在设置完成第一次启动后,会生成一个公钥和私钥,私有的公钥minion端会保留,它会把公钥传输给master端。等待master允许确认,master端确认后就能任意摆布minion节点了。
在master端接受minion上传的公钥
(1):查看等待接受授权的minion节点主机:
salt-key list和salt-key -L 都可查看:
[root@master ~]# salt-key list Accepted Keys: Denied Keys: Unaccepted Keys: minion1.linuxfan.cn minion2.linuxfan.cn Rejected Keys: [root@master ~]# salt-key -L Accepted Keys: Denied Keys: Unaccepted Keys: minion1.linuxfan.cn minion2.linuxfan.cn Rejected Keys:
可以看到有两个主机为为许可的状态,
使用salt-key -A授权:
[root@master ~]# salt-key -A The following keys are going to be accepted: Unaccepted Keys: minion1.linuxfan.cn minion2.linuxfan.cn Proceed? [n/Y] y Key for minion minion1.linuxfan.cn accepted. Key for minion minion2.linuxfan.cn accepted.
再次查看发现两台节点已经被许可了
[root@master ~]# salt-key -L Accepted Keys: minion1.linuxfan.cn minion2.linuxfan.cn Denied Keys: Unaccepted Keys: Rejected Keys:
验证节点主机的状态:
[root@master ~]# salt "*" test.ping minion1.linuxfan.cn: True minion2.linuxfan.cn: True
都是ok的!
4: salt命令和基本用法
查看salt的文档:
[root@master ~]# salt "*" sys.doc |less
##salt的命令语法,功能都可以在这里面查到
。。。。。。 'cmd.exec_code:' Pass in two strings, the first naming the executable language, aka - python2, python3, ruby, perl, lua, etc. the second string containing the code you wish to execute. The stdout will be returned. CLI Example: salt '*' cmd.exec_code ruby 'puts "cheese"' 'cmd.exec_code_all:' Pass in two strings, the first naming the executable language, aka - python2, python3, ruby, perl, lua, etc. the second string containing the code you wish to execute. All cmd artifacts (stdout, stderr, retcode, pid) will be returned. CLI Example: salt '*' cmd.exec_code_all ruby 'puts "cheese"' 'cmd.has_exec:' Returns true if the executable is available on the minion, false otherwise CLI Example: salt '*' cmd.has_exec cat 'cmd.retcode:' 。。。。。。
基本使用方法: salt “*”模块 * 是查看所有节点的信息,可以只改成一台或者几台主机的主机名,这样就只查看一台或者几台主机的信息, 模块作用是获取节点的哪些信息,作哪些操作。
例: 查看所有节点的路由信息
[root@master ~]# salt "*" network.default_route minion1.linuxfan.cn: |_ ---------- addr_family: inet destination: 0.0.0.0 flags: UG gateway: 10.0.0.2 interface: eth0 netmask: 0.0.0.0 minion2.linuxfan.cn: |_ ---------- addr_family: inet destination: 0.0.0.0 flags: UG gateway: 10.0.0.2 interface: eth0 netmask: 0.0.0.0
例:查看其中一台节点主机minion1.linuxfan.cn的ip信息:
[root@master ~]# salt "minion1.linuxfan.cn" network.ip_addrs minion1.linuxfan.cn: - 10.0.0.40
salt '*' network.default_route ##查看路由信息
salt '*' network.ip_addrs ##查看ip信息
salt '*' partition.list /dev/sda ##查看磁盘使用情况
salt '*' pkg.list_repos ##查看yum源的文件
salt '*' pkg.modified
salt '*' service.get_all ##查看安装的所有服务
salt '*' service.get_enabled ##获取开启的服务
salt '*' status.meminfo ##获取内存状态
salt '*' status.master
salt '*' status.netstats ##获取进程信息
salt '*' status.procs
salt '*' status.uptime
salt -E 支持正则表达式
例:
[root@master ~]# salt -E 'minion[0-9].linuxfan.cn' selinux.getenforce minion2.linuxfan.cn: Module 'selinux' is not available. minion1.linuxfan.cn: Module 'selinux' is not available. ERROR: Minions returned with non-zero exit code
匹配系统显示内核版本:
例:
salt -G 'os:centos' grains.item kernelrelease
[root@master ~]# salt -G 'os:centos' grains.item kernelrelease minion1.linuxfan.cn: ---------- kernelrelease: 3.10.0-514.el7.x86_64 minion2.linuxfan.cn: ---------- kernelrelease: 3.10.0-514.el7.x86_64
常用模块:
https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.cron.html ##官方文档
cp模块(实现远程文件、目录的复制,以及下载URL文件等操作)
修改配置文件指定文件的根目录
新建文件的根目录
将要复制到远程的文件复制到根目录,或者新建到根目录下
重启服务
执行cp命令
验证
[root@master ~]# vi /etc/salt/master 406 file_roots: 407 base: 408 - /srv/salt/ [root@master ~]# mkdir /srv/salt [root@master ~]# ls /srv/salt [root@master ~]# cp /etc/resolv.conf /srv/salt/resolv.conf [root@master ~]# ls /srv/salt resolv.conf [root@master ~]# echo "nameserver 114.114.114.114" >>/srv/salt/resolv.conf [root@master ~]# cat /srv/salt/resolv.conf # Generated by NetworkManager search linuxfan.cn nameserver 202.106.0.20 nameserver 114.114.114.114 [root@master ~]# systemctl restart salt-maste 例:复制文件到远程节点 [root@master ~]# salt '*' cp.get_file salt://resolv.conf /etc/resolv.conf minion1.linuxfan.cn: /etc/resolv.conf minion2.linuxfan.cn: /etc/resolv.conf [root@master ~]# salt '*' cp.get_file salt://resolv.conf /etc/resolv.conf minion1.linuxfan.cn: /etc/resolv.conf minion2.linuxfan.cn: /etc/resolv.conf
[root@minion1 ~]# cat /etc/resolv.conf # Generated by NetworkManager search linuxfan.cn nameserver 202.106.0.20 nameserver 114.114.114.114
例2:复制目录到远程:
mount -o bin 这个是挂载的意识,是将文件从一个位置挂载到另一个位置,类似于软链接
[root@master ~]# mkdir /srv/salt/yum [root@master ~]# mount -o bind /etc/yum.repos.d/ /srv/salt/yum/ [root@master ~]# ls /srv/salt/yum/ CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Vault.repo epel-testing.repo CentOS-CR.repo CentOS-fasttrack.repo CentOS-Sources.repo epel.repo [root@master ~]# salt "*" cp.get_dir salt://yum/ /tmp/ minion1.linuxfan.cn: - /tmp//yum/CentOS-Base.repo - /tmp//yum/CentOS-CR.repo - /tmp//yum/CentOS-Debuginfo.repo - /tmp//yum/CentOS-Media.repo - /tmp//yum/CentOS-Sources.repo - /tmp//yum/CentOS-Vault.repo - /tmp//yum/CentOS-fasttrack.repo - /tmp//yum/epel-testing.repo - /tmp//yum/epel.repo minion2.linuxfan.cn: - /tmp//yum/CentOS-Base.repo - /tmp//yum/CentOS-CR.repo - /tmp//yum/CentOS-Debuginfo.repo - /tmp//yum/CentOS-Media.repo - /tmp//yum/CentOS-Sources.repo - /tmp//yum/CentOS-Vault.repo - /tmp//yum/CentOS-fasttrack.repo - /tmp//yum/epel-testing.repo - /tmp//yum/epel.repo
在节点上测试查看
[root@minion1 ~]# ls /tmp/yum CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Vault.repo epel-testing.repo CentOS-CR.repo CentOS-fasttrack.repo CentOS-Sources.repo epel.repo [root@minion1 ~]#
例3:下载url内容到指被控主机的指定位置;
比如下载个apache的源码包给minion1.linuxfan.cn
[root@master ~]# salt "minion1.linuxfan.cn" cp.get_url http://mirrors.tuna.tsinghua.edu.cn/apache//httpd/httpd-2.2.34.tar.gz /root/httpd-2.2.34.tar.gz minion1.linuxfan.cn: /root/httpd-2.2.34.tar.gz
到minion1上查看:
[root@minion1 ~]# ls /root anaconda-ks.cfg httpd-2.2.34.tar.gz
cmd模块(实现远程的命令行调用执行)
例:查看ip地址和安装httpd
[root@master ~]# salt "minion1.linuxfan.cn" cmd.run 'ifconfig' minion1.linuxfan.cn: eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.0.0.40 netmask 255.255.255.0 broadcast 10.0.0.255 ether 00:0c:29:32:d6:08 txqueuelen 1000 (Ethernet) RX packets 34832 bytes 46321413 (44.1 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 15360 bytes 2755602 (2.6 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 loop txqueuelen 1 (Local Loopback) RX packets 64 bytes 5568 (5.4 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 64 bytes 5568 (5.4 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@master ~]# salt "minion1.linuxfan.cn" cmd.run 'yum -y install httpd' minion1.linuxfan.cn: Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.yun-idc.com * epel: mirrors.ustc.edu.cn 。。。。。。
验证
[root@minion1 ~]# rpm -qa httpd httpd-2.4.6-45.el7.centos.4.x86_64
cmd.run就相当于在主机上执行命令一样
cron模块:(实现被控主机的计划任务的管理配置)
[root@master ~]# salt "*" cron.set_job root '*0' '*' '*' '*' '6' '/usr/bin/yum -y update' minion2.linuxfan.cn: new minion1.linuxfan.cn: new [root@master ~]# salt "*" cron.raw_cron root minion2.linuxfan.cn: # Lines below here are managed by Salt, do not edit *0 * * * 6 /usr/bin/yum -y update minion1.linuxfan.cn: # Lines below here are managed by Salt, do not edit *0 * * * 6 /usr/bin/yum -y update [root@master ~]# salt '*' cron.rm_job root 'date' minion1.linuxfan.cn: absent minion2.linuxfan.cn: absent [root@master ~]# salt "*" cron.raw_cron root minion2.linuxfan.cn: # Lines below here are managed by Salt, do not edit *0 * * * 6 /usr/bin/yum -y update minion1.linuxfan.cn: # Lines below here are managed by Salt, do not edit *0 * * * 6 /usr/bin/yum -y update [root@master ~]# salt '*' cron.rm_job root '/usr/bin/yum -y update' dayweek=6 minion2.linuxfan.cn: removed minion1.linuxfan.cn: removed [root@master ~]# salt "*" cron.raw_cron root minion1.linuxfan.cn: # Lines below here are managed by Salt, do not edit minion2.linuxfan.cn: # Lines below here are managed by Salt, do not edit
dnsutil模块(实现被控主机通用DNS操作)
##给所有节点添加一条hosts解析:
[root@master ~]# salt "*" dnsutil.hosts_append /etc/hosts 10.0.0.30 master minion2.linuxfan.cn: The following line was added to /etc/hosts: 10.0.0.30 master minion1.linuxfan.cn: The following line was added to /etc/hosts: 10.0.0.30 master
测试:
[root@minion1 ~]# tail -1 /etc/hosts 10.0.0.30 master [root@minion1 ~]# ping master PING master (10.0.0.30) 56(84) bytes of data. 64 bytes from master.linuxfan.cn (10.0.0.30): icmp_seq=1 ttl=64 time=0.913 ms
file模块(被控主机文件常见操作,包括文件读写、权限、查找、校验等)
获取文件的MD5
[root@master ~]# salt "*" file.get_sum /etc/resolv.conf minion2.linuxfan.cn: 57fa7cd7226c49a1315e387c5f89af59ee4567a308a531441b8d762ff9a4ca2f minion1.linuxfan.cn: 57fa7cd7226c49a1315e387c5f89af59ee4567a308a531441b8d762ff9a4ca2f
查看文件详细信息:
[root@master ~]# salt "*" file.stats /etc/resolv.conf minion2.linuxfan.cn: ---------- atime: 1502872477.38 ctime: 1502872448.02 gid: 0 group: root inode: 67681665 mode: 0644 mtime: 1502872448.02 size: 100 target: /etc/resolv.conf type: file uid: 0 user: root
network模块:
network.ip_addrs 获取ip地址
network.interface 获取网卡接口信息
[root@master ~]# salt "*" network.ip_addrs minion2.linuxfan.cn: - 10.0.0.50 minion1.linuxfan.cn: - 10.0.0.40 [root@master ~]# salt "*" network.interfaces minion2.linuxfan.cn: ---------- eth0: ---------- hwaddr: 00:0c:29:6b:92:22 inet: |_ ---------- address: 10.0.0.50 broadcast: 10.0.0.255 label: eth0 netmask: 255.255.255.0 up: True 。。。。。。
pkg包管理模块(被控主机程序包管理,如yum、apt-get等)
[root@master ~]# salt '*' pkg.remove httpd minion2.linuxfan.cn: ---------- minion1.linuxfan.cn: ---------- httpd: ---------- new: old: 2.4.6-45.el7.centos.4 [root@master ~]# salt '*' pkg.install httpd minion1.linuxfan.cn: ---------- httpd: ---------- new: 2.4.6-45.el7.centos.4 old: minion2.linuxfan.cn: ---------- httpd: ---------- new: 2.4.6-45.el7.centos.4 old: httpd-tools: ---------- new: 2.4.6-45.el7.centos.4 old: mailcap: ---------- new: 2.1.41-2.el7 old: [root@master ~]# salt '*' pkg.file_list httpd minion1.linuxfan.cn: ---------- errors: files: - /etc/httpd - /etc/httpd/conf - /etc/httpd/conf.d - /etc/httpd/conf.d/README - /etc/httpd/conf.d/autoindex.conf - /etc/httpd/conf.d/userdir.conf - /etc/httpd/conf.d/welcome.conf - /etc/httpd/conf.modules.d - /etc/httpd/conf.modules.d/00-base.conf - /etc/httpd/conf.modules.d/00-dav.conf - /etc/httpd/conf.modules.d/00-lua.conf 。。。。。。
service模块,服务的控制。如启动停止重启服务的操作
# salt '*' service.enable 服务
# salt '*' service.disable 服务
# salt '*' service.status 服务
# salt '*' service.stop 服务
# salt '*' service.start 服务
# salt '*' service.restart 服务
# salt '*' service.reload 服务
[root@master ~]# salt "*" service.enable httpd minion1.linuxfan.cn: True minion2.linuxfan.cn: True [root@master ~]# salt "*" service.start httpd minion2.linuxfan.cn: True minion1.linuxfan.cn: True
