SaltStack Study Notes

saltstack

Introduction

The name comes from Salt Lake City.
Written in Python.

Run modes:

  • local
  • master/minion
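  • salt ssh

Features:

  • Remote execution
  • Configuration management
  • Cloud management

Hands-on

Environment:

  • One master, two minions
  • CentOS 6
  • EPEL repository configured

Installation

  1. Install with yum
# on the master
yum install salt-master salt-minion -y
# on each minion
yum install salt-minion -y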

chkconfig salt-master on
chkconfig salt-minion on

/etc/init.d/salt-master start

Edit the minion configuration file and set master and id

/etc/init.d/salt-minion start
  2. Key authentication
# Authentication uses PKI keys, which are generated at startup:
/etc/salt/pki/{master,minion}
# salt-key manages the keys and supports wildcards
salt-key -a '*'  # accept keys

salt-key -h

  3. Remote management examples:
salt '*' test.ping
salt '*' cmd.run 'uptime'

# Install apache
## master configuration file (tabs are not allowed)
file_roots:
  base:
    - /srv/salt

mkdir /srv/salt && cd /srv/salt
vim apache.sls
apache-install:
  pkg.installed:
    - names:
      - httpd
      - httpd-devel

apache-service:
  service.running:
    - name: httpd
    - enable: True
    - reload: True

salt '*' state.sls apache

## Entry-point state file, top.sls
base:
  '*':
    - apache

salt '*' state.highstate

salt-call --version
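
The `salt-key -a '*'` step above accepts every pending key without checking whose it is. As an added example (not part of the original notes), the functions below accept one minion only when the fingerprint the master shows for its pending key equals the one read on the minion with `salt-call --local key.finger`; the function names and the `SALT_KEY` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: accept a minion key only after its fingerprint has been verified.
# SALT_KEY, norm_fp, pending_fp and accept_if_match are names chosen for this example.
SALT_KEY=${SALT_KEY:-salt-key}

# Lower-case a fingerprint and strip whitespace so formatting differences do not matter.
norm_fp() {
  printf '%s' "$1" | tr -d '[:space:]' | tr 'ABCDEF' 'abcdef'
}

# Read `salt-key -f <id>` output on stdin and print the fingerprint of <id>,
# but only if it is listed under "Unaccepted Keys:" (i.e. still pending).
pending_fp() {
  awk -v id="$1:" '
    /Keys:$/ { pending = ($0 == "Unaccepted Keys:"); next }
    pending && $1 == id { print $2; exit }'
}

# accept_if_match <minion-id> <fingerprint read on the minion itself>
accept_if_match() {
  id=$1
  expected=$(norm_fp "$2")
  seen=$(norm_fp "$($SALT_KEY -f "$id" | pending_fp "$id")")
  if [ -n "$seen" ] && [ "$seen" = "$expected" ]; then
    $SALT_KEY -a "$id" -y          # accept exactly this one key, no wildcard
  else
    echo "not accepting $id: pending fingerprint missing or different" >&2
    return 1
  fi
}

# Usage (fingerprint obtained on the minion console with: salt-call --local key.finger):
#   accept_if_match linux-node2 '<fingerprint from the minion>'
```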

SaltStack data systems

  • Grains

  • Pillar

Grains

On the minion side

salt 'linux-node1' grains.ls
salt 'linux-node1' grains.items
salt 'linux-node1' grains.item fqdn
salt 'linux-node1' grains.get fqdn
salt 'linux-node1' grains.get ip_interfaces:eth0
salt -G os:CentOS cmd.run 'w'

vi /etc/salt/minion   # define custom grains; restart the minion service for them to take effect
salt -G 'roles:memcache' cmd.run 'echo hehe'

vi /etc/salt/grains
web: nginx
salt -G 'web:nginx' cmd.run 'echo hehe'

vi /srv/salt/top.sls
base:
  'web:nginx':
    - match: grain
    - apache

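Pillar

Assigns specific data to the minions you choose
salt '*' pillar.items # disabled by default

Enable pillar

vi /etc/salt/master
# pillar_opts copies the master's configuration options into every minion's pillar (under the "master" key)
pillar_opts: True # /etc/init.d/salt-master restart

Define the pillar configuration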

vi /etc/salt/master
pillar_roots:
  base:
    - /srv/pillar

Pillar also has a top file

mkdir /srv/pillar
vi /srv/pillar/apache.sls
{% if grains['os'] == 'CentOS' %}
apache: httpd
{% elif grains['os'] == 'Debian' %}
apache: apache2
{% endif %}

Specify which minions can see it

vi /srv/pillar/top.sls
base:
  '*':
    - apache
    
salt '*' pillar.items

salt '*' saltutil.refresh_pillar # the pillar must be refreshed before it can be used
salt -I 'apache:httpd' test.ping

Remote execution

https://docs.saltstack.com/en/latest/
https://docs.saltstack.com/en/latest/topics/execution/index.html

Configuration management

Built on top of remote execution
https://docs.saltstack.com/en/latest/topics/states/index.html

YAML syntax used:
A colon and two-space indentation express hierarchy
A dash denotes a list item; the dash is followed by one space

Jinja2 templates:
Declared in the state:
- template: jinja
Variables:

  • defaults:
    DNS_SERVER: 10.0.0.2
    {{ }} marks a variable:
    nameserver {{ DNS_SERVER }}
    {{ grains['fqdn_ip4'] }}

File management:

/etc/resolv.conf:
  file.managed:
    - source: salt://files/resolv.conf
    - user: root
    - group: root
    - mode: 644

Case study:

Approach:

  1. System initialization
  2. Functional modules
  3. Business modules

State modules:
onlyif: run only when the check returns true
unless: run only when the check returns false
require: depends on another state
watch: watches another state

SaltStack runs in parallel; Ansible runs serially

  • Configure the base environment; test with salt '*' state.highstate test=True
# grep -Ev "^$|^#" /etc/salt/master
file_roots:
  base:
    - /srv/salt/base
  dev:
    - /srv/salt/dev
  prod:
    - /srv/salt/prod
# service salt-master restart

#mkdir /srv/salt/base
#cd /srv/salt/base/
#mkdir files init

#cat init/dns.sls 
/etc/resolv.conf:
  file.managed:
    - source: salt://files/resolv.conf
    - user: root
    - group: root
    - mode: 644

#cp /etc/resolv.conf files/

#cat init/history.sls 
/etc/profile:
  file.append:
    - text:
      - export HISTTIMEFORMAT="%F %T `whoami`"

#cat init/audit.sls 
/etc/bashrc:
  file.append:
    - text:
      - export PROMPT_COMMAND='{ msg=$(history 1|{ read x y; echo $y; });logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg";}'

# cat init/sysctl.sls 
vm.swappiness:
  sysctl.present:
    - value: 0

net.ipv4.ip_local_port_range:
  sysctl.present:
    - value: 10000 65000

fs.file-max:
  sysctl.present:
    - value: 100000

#cat init/env_init.sls
include:
  - init.dns
  - init.history
  - init.audit
  - init.sysctl

# cat top.sls 
base:
  '*':
    - init.env_init

# tree
.
├── files
│   └── resolv.conf
├── init
│   ├── audit.sls
│   ├── dns.sls
│   ├── env_init.sls
│   ├── history.sls
│   └── sysctl.sls
└── top.sls

  • Base build environment
# mkdir -p /srv/salt/prod/pkg

# cd /srv/salt/prod/
# cat pkg/pkg-init.sls 
pkg-init:
  pkg.installed:
    - names:
      - gcc
      - gcc-c++
      - glibc
      - make
      - autoconf
      - openssl
      - openssl-devel

  • haproxy module; test with salt 'linux-node1' state.sls haproxy.install env=prod test=True
# mkdir -p /srv/salt/prod/haproxy{,/files}
# tree /srv/salt/prod/
/srv/salt/prod/
├── haproxy
│   └── files
└── pkg

# curl -o haproxy/files/haproxy-1.6.2.tar.gz http://www.haproxy.org/download/1.6/src/haproxy-1.6.2.tar.gz
# cd /srv/salt/prod/haproxy/
# cat install.sls 
include:
  - pkg.pkg-init

haproxy-install:
  file.managed:
    - name: /usr/local/src/haproxy-1.6.2.tar.gz
    - source: salt://haproxy/files/haproxy-1.6.2.tar.gz
    - user: root
    - group: root
    - mode: 755
  cmd.run:
    - name: cd /usr/local/src && tar zxf haproxy-1.6.2.tar.gz && cd haproxy-1.6.2 && make TARGET=linux26 PREFIX=/usr/local/haproxy && make install PREFIX=/usr/local/haproxy
    - unless: test -d /usr/local/haproxy
    - require:
      - pkg: pkg-init
      - file: haproxy-install

net.ipv4.ip_nonlocal_bind:
  sysctl.present:
    - value: 1

haproxy-config-dir:
  file.directory:
    - name: /etc/haproxy
    - user: root
    - group: root
    - mode: 755

haproxy-init:
  file.managed:
    - name: /etc/init.d/haproxy
    - source: salt://haproxy/files/haproxy.init
    - user: root
    - group: root
    - mode: 755
    - require:
      - cmd: haproxy-install
  cmd.run:
    - name: chkconfig --add haproxy
    - unless: chkconfig --list | grep haproxy
    - require:
      - file: haproxy-init
      - cmd: haproxy-install

  • Create the cluster configuration file
# mkdir -p /srv/salt/prod/cluster{,/files}
# cat haproxy-outside.sls
include:
  - haproxy.install

haproxy-service:
  file.managed:
    - name: /etc/haproxy/haproxy.cfg
    - source: salt://cluster/files/haproxy-outside.cfg
    - user: root
    - group: root
    - mode: 644
  service.running:
    - name: haproxy
    - enable: True
    - reload: True
    - require:
      - cmd: haproxy-init
    - watch:
      - file: haproxy-service

# cat /srv/salt/base/top.sls 
base:
  '*':
    - init.env_init

prod:
  '*':
    - cluster.haproxy-outside

  • keepalived installation
# mkdir -p keepalived/files
# curl -o keepalived/files/keepalived-1.2.19.tar.gz http://www.keepalived.org/software/keepalived-1.2.19.tar.gz

# cat keepalived/install.sls
include:
  - pkg.pkg-init

keepalived-install:
  file.managed:
    - name: /usr/local/src/keepalived-1.2.19.tar.gz
    - source: salt://keepalived/files/keepalived-1.2.19.tar.gz
    - user: root
    - group: root
    - mode: 755
  cmd.run:
    - name: cd /usr/local/src && tar xzf keepalived-1.2.19.tar.gz && cd keepalived-1.2.19 && ./configure --prefix=/usr/local/keepalived --disable-fwmark && make && make install
    - unless: test -d /usr/local/keepalived
    - require:
      - pkg: pkg-init
      - file: keepalived-install

keepalived-init:
  file.managed:
    - name: /etc/init.d/keepalived
    - source: salt://keepalived/files/keepalived.init
    - user: root
    - group: root
    - mode: 755
  cmd.run:
    - name: chkconfig --add keepalived
    - unless: chkconfig --list | grep keepalived
    - require:
      - file: keepalived-init

/etc/sysconfig/keepalived:
  file.managed:
    - source: salt://keepalived/files/keepalived.sysconfig
    - user: root
    - group: root
    - mode: 644

/etc/keepalived:
  file.directory:
    - user: root
    - group: root
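    - mode: 755

  • keepalived used by the cluster (business) state
# cat cluster/haproxy-outside-keepalived.sls
include:
  - keepalived.install

keepalived-service:
  file.managed:
    - name: /etc/keepalived/keepalived.conf
    # these notes give no "- source:"; a template source is needed for the variables below to be rendered
    - user: root
    - group: root
    - mode: 644
    - template: jinja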
    {% if grains['fqdn'] == 'linux-node1' %}
    - ROUTEID: haproxy_ha
    - STATEID: MASTER
    - PRIORITYID: 150
    {% elif grains['fqdn'] == 'linux-node2' %}
    - ROUTEID: haproxy_ha
    - STATEID: BACKUP
    - PRIORITYID: 100
    {% endif %}
  service.running:
    - name: keepalived
    - enable: True
    - watch:
      - file: keepalived-service

# cat ../base/top.sls 
base:
  '*':
    - init.env_init

prod:
  '*':
    - cluster.haproxy-outside
    - cluster.haproxy-outside-keepalived

  • zabbix.sls
# pwd
/srv/salt/base

# cat zabbix_agent.sls
zabbix-agent-install:
  pkg.installed:
    - name: zabbix-agent
  file.managed:
    - name: /etc/zabbix/zabbix_agentd.conf
    - source: salt://init/files/zabbix_agentd.conf
    - template: jinja
    - defaults:
      Server: {{ pillar['zabbix-agent']['Zabbix_Server'] }}
    - require:
      - pkg: zabbix-agent-install
  service.running:
    - name: zabbix-agent
    - enable: True
    - watch:
      - pkg: zabbix-agent-install
      - file: zabbix-agent-install

# grep -Ev "^$|^#" /etc/salt/master 
file_roots:
  base:
    - /srv/salt/base
  dev:
    - /srv/salt/dev
  prod:
    - /srv/salt/prod
pillar_roots:
  base:
    - /srv/pillar/base

# mkdir -p /srv/pillar/base
# cd /srv/pillar/base

# vi zabbix.sls
# cat top.sls 
base:
  '*':
    - zabbix
[root@linux-node1 base]# cat zabbix.sls 
zabbix-agent:
  Zabbix_Server: 10.0.0.7
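
The init/audit.sls state above makes every interactive shell log each command to syslog as `[euid=...]:<who am i output>:[cwd]command`. As an added example (not from the original notes), this filter reads such records and reports the ones where the effective user differs from the login user, which is how a command run after su or sudo shows up; the sample lines and their syslog prefix are constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample lines (not from the page): syslog records as written by the
# PROMPT_COMMAND in init/audit.sls; the "date host tag:" prefix is an assumption.
sample_audit_log() {
cat <<'EOF'
May  1 10:00:01 linux-node1 alice: [euid=alice]:alice pts/0 2024-05-01 09:58 (10.0.0.5):[/home/alice]ls -l
May  1 10:02:13 linux-node1 alice: [euid=root]:alice pts/0 2024-05-01 09:58 (10.0.0.5):[/root]vi /etc/salt/master
May  1 10:05:40 linux-node1 root: [euid=root]::[/srv/salt]salt-key -L
May  1 10:06:02 linux-node1 kernel: eth0: link up
EOF
}

# Read syslog on stdin; print "login euid cwd command" for every audit record
# whose effective user differs from the login user reported by `who am i`.
# Records with an empty `who am i` field (no controlling tty) get login "-".
euid_mismatches() {
  awk '
  {
    i = index($0, "[euid=");        if (!i) next   # not an audit record
    rest = substr($0, i + 6)
    j = index(rest, "]:");          if (!j) next
    euid = substr(rest, 1, j - 1);  rest = substr(rest, j + 2)
    k = index(rest, ":[");          if (!k) next
    who = substr(rest, 1, k - 1);   rest = substr(rest, k + 2)
    m = index(rest, "]");           if (!m) next
    cwd = substr(rest, 1, m - 1);   cmd = substr(rest, m + 1)
    n = split(who, w, " ")
    login = (n > 0) ? w[1] : "-"
    if (login != euid) print login, euid, cwd, cmd
  }'
}

# Usage on a minion that has the state applied:
#   euid_mismatches < /var/log/messages
```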

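To do:

  1. Use SaltStack to automate the installation and configuration of nginx + PHP and Memcached

https://github.com/unixhot/saltbook-code
The transport layer is built on ZeroMQ; listening ports: 4505 and 4506
Minions keep a persistent (long-lived) connection to the master

Add etcd to implement automated scaling

Based on the etcd_pillar module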
