SaltStack 简介
- Salt,一种全新的基础设施管理方式,部署轻松,在几分钟内可运行起来,扩展性好,很容易管理上万台服务器,速度够快,服务器之间秒级通讯。Salt 底层采用动态的连接总线,使其可以用于编排、远程执行、配置管理等等。
- SaltStack 官网:https://saltstack.com/
- SaltStack 官方文档:https://docs.saltstack.com/en/latest/
- SaltStack github地址:
SaltStack 安装
- 安装salt-master on Salt Master Host.
# install from EPEL
[root@linuxprobe~]# yum --enablerepo=epel -y install salt-master
[root@linuxprobe~]# systemctl start salt-master
[root@linuxprobe~]# systemctl enable salt-master
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-master.service to /usr/lib/systemd/system/salt-master.service.
- On Salt Master Server,If Firewalld is running,allow related ports.
[root@linuxprobe~]# firewall-cmd --add-port={4505/tcp,4506/tcp} --permanent
success
[root@linuxprobe~]# firewall-cmd --reload
success
- 安装 salt-minion on Salt Minion Host.
# install from EPEL
[root@vdevops~]# yum --enablerepo=epel -y install salt-minion
[root@vdevops~]# sed -i 's/\#master: salt/master: linuxprobe.org/' /etc/salt/minion
[root@vdevops~]# systemctl start salt-minion
[root@vdevops~]# systemctl enable salt-minion
Created symlink from /etc/systemd/system/multi-user.target.wants/salt-minion.service to /usr/lib/systemd/system/salt-minion.service.
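Salt Minion(客户端)启动之后会把自己的 public key 发送到 Salt Master 请求认证,Salt Master 可以接受 Minion 发过来的认证请求。被接受的 Minion 可以从 Master 的文件服务器取得下发给它的 state 文件和 pillar 数据(其中可能包含密码等敏感内容),因此接受之前应先核对指纹:在 Minion 上执行 salt-call --local key.finger,在 Master 上执行 salt-key -f <minion-id>,两者一致后再用 salt-key -a <minion-id> 逐个接受。下面示例中的 salt-key -A 会一次性接受所有待认证的 key,只适合在确认列表中每一台都是自己的主机时使用。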
# show the list of keys
[root@linuxprobe master]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
vdevops.org
Rejected Keys:
# permit all keys with "A" option
[root@linuxprobe master]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
vdevops.org
Proceed? [n/Y] y #确认
Key for minion vdevops.org accepted.
[root@linuxprobe master]# salt-key -L
Accepted Keys:
vdevops.org
Denied Keys:
Unaccepted Keys:
Rejected Keys:
# 测试连接
[root@linuxprobe ~]# salt '*' test.ping
vdevops.org:
True
saltstack基础使用
Saltstack的基础用法就是从master执行命令同步到客户端
salt [option] [target] [function] [arguments]
参考文档:https://docs.saltstack.com/en/latest/ref/modules/all/index.html
[root@linuxprobe ~]# salt '*' sys.doc | less
'acl.delfacl:'
Remove specific FACL from the specified file(s)
CLI Examples:
salt '*' acl.delfacl user myuser /tmp/house/kitchen
salt '*' acl.delfacl default:group mygroup /tmp/house/kitchen
salt '*' acl.delfacl d:u myuser /tmp/house/kitchen
salt '*' acl.delfacl g myuser /tmp/house/kitchen /tmp/house/livingroom
salt '*' acl.delfacl user myuser /tmp/house/kitchen recursive=True
'acl.getfacl:'
Return (extremely verbose) map of FACLs on specified file(s)
CLI Examples:
salt '*' acl.getfacl /tmp/house/kitchen
salt '*' acl.getfacl /tmp/house/kitchen /tmp/house/livingroom
salt '*' acl.getfacl /tmp/house/kitchen /tmp/house/livingroom recursive=True
...
- It’s possible to specify targets in various ways
# specify all Minions
# test.ping checks that the Minions are active
[root@linuxprobe ~]# salt '*' test.ping
vdevops.org:
True
linuxprobe.org:
True
# specify a Minion "vdevops.org"
# disk.usage shows the current disk usage
[root@linuxprobe ~]# salt 'vdevops.org' disk.usage
vdevops.org:
----------
/:
----------
1K-blocks:
18307072
available:
16866300
capacity:
8%
filesystem:
/dev/mapper/centos-root
used:
1440772
# specify some Minions with List(comma separated)
# status.loadavg means that make sure load averages
[root@linuxprobe ~]# salt -L 'vdevops.org,linuxprobe.org' status.loadavg
vdevops.org:
----------
1-min:
0.0
15-min:
0.05
5-min:
0.01
linuxprobe.org:
----------
1-min:
0.02
15-min:
0.06
5-min:
0.08
# specify Minions with expression (example means "node00-99.srv.world")
# selinux.getenforce means that make sure SELinux operating mode
[root@dlp ~]# salt -E 'node[0-9][0-9].srv.world' selinux.getenforce
node02.srv.world:
Enforcing
node01.srv.world:
Enforcing
# specify Minions which OS is CentOS with Grains Data
# grains.item kernelrelease means that make sure Kernel version from grains.item data
# Grains is the word used in Salt and which keeps Minions' OS data and others
[root@linuxprobe ~]# salt -G 'os:CentOS' grains.item kernelrelease
vdevops.org:
----------
kernelrelease:
3.10.0-327.36.2.el7.x86_64
linuxprobe.org:
----------
kernelrelease:
3.10.0-327.el7.x86_64
- 自定义目标组
[root@linuxprobe ~]# vi /etc/salt/master
# line 12: uncomment
default_include: master.d/*.conf
[root@linuxprobe ~]# mkdir /etc/salt/master.d
[root@linuxprobe ~]# vi /etc/salt/master.d/nodegroups.conf
# create new
# group_org :
# group_os : specify OS is CentOS
nodegroups:
  group_org: 'L@linuxprobe.org,vdevops.org'
  group_os: 'G@os:CentOS'
[root@linuxprobe ~]# systemctl restart salt-master
# run to a target group_os
[root@linuxprobe master.d]# salt -N 'group_os' cmd.run 'hostname'
vdevops.org:
vdevops.org
linuxprobe.org:
linuxprobe.org
Salt State文件使用
- 首先,定义文件根目录放状态,默认/srv/salt
[root@linuxprobe ~]# vi /etc/salt/master
# line 417: uncomment and define root directory
file_roots:
  base:
    - /srv/salt
[root@linuxprobe ~]# mkdir /srv/salt
要将状态文件放在根目录下,可以使用salt命令将配置应用到Minions,下面的示例,将wget包安装到Minions
# (any file name).sls
[root@linuxprobe ~]# vi /srv/salt/default.sls
# create new
install_wget:
  pkg.installed:
    - name: wget
[root@linuxprobe ~]# salt "vdevops.org" state.sls default
vdevops.org:
----------
ID: install_wget
Function: pkg.installed
Name: wget
Result: True
Comment: The following packages were installed/updated: wget
Started: 18:54:59.514712
Duration: 14193.327 ms
Changes:
----------
wget:
----------
new:
1.14-10.el7_0.1
old:
Summary ------------
Succeeded: 1 (changed=1)
Failed: 0 ------------
Total states run: 1
# 确认
[root@linuxprobe ~]# salt "vdevops.org" cmd.run 'rpm -q wget'
vdevops.org:
wget-1.14-10.el7_0.1.x86_64
配置状态树的示例
- 在您定义的根目录下创建 top.sls,它被称为“顶部文件”(Top File)
[root@linuxprobe ~]# vi /srv/salt/top.sls
base:
  # define target Minions
  '*':
    # define the name of State file
    - default
# create State file defined in Top File
[root@linuxprobe ~]# vi /srv/salt/default.sls
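# for example, install and start httpd and MariaDB and also install PHP
# Package names are case-sensitive for yum, so they are written in lower case.
webserver:
  pkg.installed:
    - pkgs:
      - httpd
      - php
      - php-mbstring
      - php-pear
      - mariadb-server

# The source must exist on the master as /srv/salt/httpd/index.php.
/var/www/html/index.php:
  file:
    - managed
    - source: salt://httpd/index.php
    - require:
      - pkg: webserver

# initial setup script
# setup.sql carries the MariaDB root password in clear text, so it is written
# root-only rather than with default permissions in the shared /tmp directory.
# NOTE(review): the copy under /srv/salt/httpd on the master is served by the
# Salt file server to accepted minions; keep real secrets in pillar instead.
/tmp/setup.sql:
  file:
    - managed
    - source: salt://httpd/setup.sql
    - user: root
    - group: root
    - mode: '0600'

enable_httpd:
  service.running:
    - name: httpd
    - enable: True
    - require:
      - pkg: webserver

enable_mariadb:
  service.running:
    - name: mariadb
    - enable: True
    - require:
      - pkg: webserver

setup_mariadb:
  cmd.run:
    - name: '/bin/mysql -u root < /tmp/setup.sql'
    - require:
      - service: enable_mariadb
    # Run only when setup.sql was created or changed. Once the script has set
    # a root password, a password-less `mysql -u root` fails on later runs.
    - onchanges:
      - file: /tmp/setup.sql

# if Firewalld is running, configure services
{% set fw_status = salt['service.status']('firewalld') %}
{% if fw_status %}
# NOTE(review): the mysql service opens 3306/tcp to the network; drop it from
# both commands if the database is only used by the local web server.
# NOTE(review): the --permanent rule omits https, so 443/tcp is closed again
# after a firewalld reload; confirm which of the two lists is intended.
setup_fw:
  cmd.run:
    - names:
      - '/bin/firewall-cmd --add-service={http,https,mysql}'
      - '/bin/firewall-cmd --add-service={http,mysql} --permanent'
{% endif %}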
# create index.php template
[root@linuxprobe ~]# mkdir /srv/salt/httpd
[root@linuxprobe ~]# vi /srv/salt/httpd/index.php
<?php
print "Salt State Test Page\n";
?>
# create MariaDB initial setup script
[root@linuxprobe ~]# vi /srv/salt/httpd/setup.sql
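-- Initial MariaDB clean-up, piped into `mysql -u root` by the setup_mariadb state.
-- 'password' is the tutorial's sample value: replace it with a strong, unique
-- secret before use, and keep this file readable by root only.
set password for root@localhost=password('password');
set password for root@'127.0.0.1'=password('password');
-- Remove anonymous accounts and accounts that still have an empty password.
-- The schema name is lower-case `mysql`; database names are case-sensitive on Linux.
delete from mysql.user where user='';
delete from mysql.user where password='';
-- Direct edits to the grant tables only take effect after a reload.
flush privileges;
-- `if exists` keeps the script from aborting when the test database is already gone.
drop database if exists test;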
- 测试,配置文件是否正确
[root@linuxprobe ~]# salt "*" state.apply test=True
vdevops.org:
----------
cmd_|-setup_fw_|-/bin/firewall-cmd --add-service={http,MysqL} --permanent_|-run:
----------
__run_num__:
7
changes:
----------
comment:
Command "/bin/firewall-cmd --add-service={http,MysqL} --permanent" would have been executed
duration:
0.198
name:
/bin/firewall-cmd --add-service={http,MysqL} --permanent
result:
None
start_time:
19:09:39.481991
cmd_|-setup_fw_|-/bin/firewall-cmd --add-service={http,MysqL}_|-run:
----------
__run_num__:
6
changes:
----------
comment:
Command "/bin/firewall-cmd --add-service={http,MysqL}" would have been executed
duration:
0.328
name:
/bin/firewall-cmd --add-service={http,MysqL}
result:
None
start_time:
19:09:39.481608
cmd_|-setup_mariadb_|-/bin/MysqL -u root < /tmp/setup.sql_|-run:
...
# 不报错执行
[root@linuxprobe ~]# salt "*" state.apply
- 确认安装的服务是否正常
[root@linuxprobe ~]# salt "vdevops.org" cmd.run 'systemctl status httpd'
vdevops.org:
* httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2016-11-15 19:11:41 CST; 20min ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 3261 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
|-3261 /usr/sbin/httpd -DFOREGROUND
|-3262 /usr/sbin/httpd -DFOREGROUND
|-3263 /usr/sbin/httpd -DFOREGROUND
|-3264 /usr/sbin/httpd -DFOREGROUND
|-3265 /usr/sbin/httpd -DFOREGROUND
`-3266 /usr/sbin/httpd -DFOREGROUND
Nov 15 19:11:41 vdevops.org systemd[1]: Starting The Apache HTTP Server...
Nov 15 19:11:41 vdevops.org httpd[3261]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name,using vdevops.org. Set the 'ServerName' directive globally to suppress this message
Nov 15 19:11:41 vdevops.org systemd[1]: Started The Apache HTTP Server.
[root@linuxprobe ~]# salt "vdevops.org" cmd.run 'systemctl status mariadb'
vdevops.org:
* mariadb.service - MariaDB database server
Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2016-11-15 19:11:45 CST; 21min ago
Main PID: 3397 (mysqld_safe)
CGroup: /system.slice/mariadb.service
|-3397 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
`-3554 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/run/mariadb/mariadb.pid --socket=/var/lib/mysql/mysql.sock
Nov 15 19:11:42 vdevops.org mariadb-prepare-db-dir[3318]: The latest information about MariaDB is available at http://mariadb.org/.
Nov 15 19:11:42 vdevops.org mariadb-prepare-db-dir[3318]: You can find additional information about the MySQL part at:
Nov 15 19:11:42 vdevops.org mariadb-prepare-db-dir[3318]: http://dev.mysql.com
Nov 15 19:11:42 vdevops.org mariadb-prepare-db-dir[3318]: Support MariaDB development by buying support/new features from MariaDB
Nov 15 19:11:42 vdevops.org mariadb-prepare-db-dir[3318]: Corporation Ab. You can contact us about this at sales@mariadb.com.
Nov 15 19:11:42 vdevops.org mariadb-prepare-db-dir[3318]: Alternatively consider joining our community based development effort:
Nov 15 19:11:42 vdevops.org mariadb-prepare-db-dir[3318]: http://mariadb.com/kb/en/contributing-to-the-mariadb-project/
Nov 15 19:11:42 vdevops.org mysqld_safe[3397]: 161115 19:11:42 mysqld_safe Logging to '/var/log/mariadb/mariadb.log'.
Nov 15 19:11:42 vdevops.org mysqld_safe[3397]: 161115 19:11:42 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
Nov 15 19:11:45 vdevops.org systemd[1]: Started MariaDB database server.
# 测试PHP页面
[root@linuxprobe ~]# curl http://vdevops.org/index.php
Salt State Test Page
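Salt : 使用 salt-cp
salt-cp 把 Master 本地的文件复制到目标 Minions。示例中的 anaconda-ks.cfg 是安装程序生成的 kickstart 文件,通常带有 root 密码的哈希(rootpw 行),而 /tmp 是所有本地用户都能访问的目录;实际使用时请换成不含敏感信息的文件,或复制到权限受限的目录。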
[root@linuxprobe ~]# salt-cp '*' anaconda-ks.cfg /tmp/
{'vdevops.org': {'/tmp/anaconda-ks.cfg': True}}