SaltStack快速入门
Saltstack快速入门
saltstack介绍
Salt,一种全新的基础设施管理方式,部署轻松,在几分钟内可运行起来,扩展性好,很容易管理上万台服务器,速度够快,服务器之间秒级通讯
主要功能:远程执行
配置管理,参考官方文档:
安装说明:
https://docs.saltproject.io/salt/install-guide/en/latest/
Saltstack原理
Salt使用server-agent通信模型,服务端组件被称为Salt master,agent被称为Salt minion
Salt master主要负责向Salt minions发送命令,然后聚合并显示这些命令的结果。一个Salt master可以管理多个minion系统
Salt server与Salt minion通信的连接由Salt minion发起,这也意味着Salt minion上不需要打开任何传入端口(从而减少攻击)。
Salt server使用端口4505和4506,必须打开端口才能接收到访问连接
-
Publisher (端口4505)所有
Salt minions都需要建立一个持续连接到他们收听消息的发布者端口。命令是通过此端口异步发送给所有连接,这使命令可以在大量系统上同时执行。 -
Request Server (端口4506)
Salt minions根据需要连接到请求服务器,将结果发送给Salt master,并安全地获取请求的文件或特定minion相关的数据值(称为Salt pillar)。连接到这个端口的连接在Salt master和Salt minion之间是1:1(不是异步)。
快速安装
测试环境说明
| 操作系统版本 | 主机名 | IP | 角色 |
|---|---|---|---|
| CentOS 7.6.1810 | node0 | 192.168.1.60 | master |
| CentOS 7.6.1810 | node1 | 192.168.1.61 | minion |
| CentOS 7.6.1810 | node2 | 192.168.1.62 | minion |
| CentOS 7.6.1810 | node3 | 192.168.1.63 | minion |
| CentOS 7.6.1810 | node4 | 192.168.1.64 | minion |
安装saltstack仓库和key
#node0~4
rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/3004/SALTSTACK-GPG-KEY.pub
curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/3004.repo | tee /etc/yum.repos.d/salt.repo
yum clean expire-cache
安装master并启动服务
#node0
yum install -y salt-master
systemctl enable salt-master
systemctl start salt-master
安装minion并启动服务
#node1~4
yum install -y salt-minion
systemctl enable salt-minion
systemctl start salt-minion
minion节点修改配置文件
#node1~4
cp /etc/salt/minion{,.back}
sed -i '/#master: /c\master: node0' /etc/salt/minion
systemctl restart salt-minion
SaltStack认证方式
Salt 的数据传输是通过 AES 加密,Master 和 Minion 之前在通信之前,需要进行认证。
Salt 通过认证的方式保证安全性,完成一次认证后,Master 就可以控制 Minion 来完成各项工作了。
minion 在第一次启动时候,会在 /etc/salt/pki/minion/ 下自动生成 minion.pem(private key) 和 minion.pub(public key), 然后将 minion.pub 发送给 master
master 在第一次启动时,会在 /etc/salt/pki/master/ 下自动生成 master.pem 和 master.pub ;并且会接收到 minion 的 public key , 通过 salt-key 命令接收 minion public key, 会在 master 的 /etc/salt/pki/master/minions目录下存放以 minion id 命令的 public key ;验证成功后同时 minion 会保存一份 master public key 在 minion 的 /etc/salt/pki/minion/minion_master.pub里。
Salt认证原理总结
- minion将自己的公钥发送给master
- master认证后再将自己的公钥也发送给minion端
Master端认证示例
1、根据上面提到的认证原理,先看下未认证前的master和minion的pki目录
#master上查看
[root@node0 ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
│ ├── master.pem
│ ├── master.pub
│ ├── minions
│ ├── minions_autosign
│ ├── minions_denied
│ ├── minions_pre
│ │ ├── node1
│ │ ├── node2
│ │ ├── node3
│ │ └── node4
│ └── minions_rejected
└── minion
7 directories, 6 files
[root@node0 ~]#
#minion上查看
[root@node1 ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
└── minion
├── minion.pem
└── minion.pub
2 directories, 2 files
[root@node1 ~]#
[root@node2 ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
└── minion
├── minion.pem
└── minion.pub
2 directories, 2 files
[root@node2 ~]#
2、salt-key命令解释
[root@node0 ~]# salt-key -L
Accepted Keys: #已经接受的key
Denied Keys: #拒绝的key
Unaccepted Keys: #未加入的key
node1
node2
node3
node4
Rejected Keys: #吊销的key
[root@node0 ~]#
#常用参数
-L #查看KEY状态
-A #允许所有
-D #删除所有
-a #认证指定的key
-d #删除指定的key
-r #注销掉指定key(该状态为未被认证)
#配置master自动接受请求认证(master上配置 /etc/salt/master)
auto_accept: True
3、salt-key认证
#列出当前所有的key
[root@node0 ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node1
node2
node3
node4
Rejected Keys:
[root@node0 ~]#
#添加指定minion的key
salt-key -a node0 -y
#添加所有minion的key
salt-key -A -y
[root@node0 ~]# salt-key -A -y
The following keys are going to be accepted:
Unaccepted Keys:
node1
node2
node3
node4
Key for minion node1 accepted.
Key for minion node2 accepted.
Key for minion node3 accepted.
Key for minion node4 accepted.
[root@node0 ~]# salt-key -L
Accepted Keys:
node1
node2
node3
node4
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@node0 ~]#
4、上面认证完成后再次查看master和minion的pki目录
# master上
[root@node0 ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
│ ├── master.pem
│ ├── master.pub
│ ├── minions
│ │ ├── node1
│ │ ├── node2
│ │ ├── node3
│ │ └── node4
│ ├── minions_autosign
│ ├── minions_denied
│ ├── minions_pre
│ └── minions_rejected
└── minion
7 directories, 6 files
[root@node0 ~]#
# minion上
[root@node1 ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
└── minion
├── minion_master.pub
├── minion.pem
└── minion.pub
2 directories, 3 files
[root@node1 ~]#
[root@node2 ~]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
└── minion
├── minion_master.pub
├── minion.pem
└── minion.pub
2 directories, 3 files
[root@node2 ~]#
Saltstack远程执行
远程执行是 Saltstack 的核心功能之一。主要使用 salt 模块批量给选定的 minion 端执行相应的命令,并获得返回结果。
远程执行参考文档:http://docs.saltstack.cn/topics/tutorials/modules.html
Salt命令的结构语法
salt '<target>' <function> [arguments]
命令解析
| 命令片段 | 命令片段 | 命令片段 | 命令片段 |
|---|---|---|---|
| salt | '*' |
cmd.run | "具体命令" |
| command | target | command | arguments |
| salt命令 | 需要被执行的目标主机 | (module.function) 执行的命令模块和方法 |
额外参数 |
目标主机target
1、通配符匹配
salt '*' test.ping
salt 'node1' test.ping
salt '*1' test.ping
salt 'node[1|2]' test.ping
salt 'node[!1|2]' test.ping
salt 'node?' test.ping
2、列表匹配
salt -L 'node1,node2' test.ping
3、正则匹配
salt -E '^node' test.ping
salt -E '^node[0-9]$' test.ping
4、IP匹配
salt -S '192.168.1.61' test.ping
salt -S '192.168.1.0/24' test.ping
5、复合匹配
salt -C 'G@os:CentOS and S@192.168.1.61' test.ping
6、分组匹配
[root@node0 ~]# cat /etc/salt/master
nodegroups:
webserver: 'node1,node2'
dbserver: 'node3'
[root@node0 ~]# systemctl restart salt-master
[root@node0 ~]# salt -N 'webserver' test.ping
node2:
True
node1:
True
[root@node0 ~]# salt -N 'dbserver' test.ping
node3:
True
[root@node0 ~]#
7、Grains匹配
salt -G 'os:CentOS' test.ping
salt -G 'localhost:node2' test.ping
模块Module
远程执行常用模块:
- test:多用于测试
- user:用于用户管理
- cmd:可以执行任意shell命令,实现远程的命令行调用执行(默认具备root操作权限,使用时需评估风险)
- pkg:软件包状态管理,会根据操作系统不同,选择对应的安装方式(如CentOS系统默认使用yum,Debian系统默认使用apt-get)
- file:被控主机常见的文件操作,包括文件读写、权限、查找、校验
- service:被控主机程序包服务管理
所有模块列表:
http://docs.saltstack.cn/ref/modules/all/index.html
test模块
#常用test.ping测试连通性
salt '*' test.ping
user模块
参考:http://docs.saltstack.cn/ref/modules/all/salt.modules.useradd.html#module-salt.modules.useradd
# salt '*' user.add name <uid> <gid> <groups> <home> <shell>
salt '*' user.add testuser
cmd模块
#查看所有minion内存和磁盘使用情况
salt '*' cmd.run "free -m"
salt '*' cmd.run "df -h"
pkg模块
#安装
salt '*' pkg.install "vsftpd"
#卸载
salt '*' pkg.remove "vsftpd"
#安装最新版本
salt '*' pkg.latest_version "vsftpd"
#更新软件包
salt '*' pkg.upgrade "vsftpd"
#查看帮助手册
salt '*' pkg
file模块
#校验所有minion主机文件的加密信息,支持md5、sha1、sha224、shs256、sha384、sha512加密算法
salt '*' file.get_sum /etc/passwd md5
#修改所有minion主机/etc/passwd文件的属组、用户权限、等价于chown root:root /etc/passwd
salt '*' file.chown /etc/passwd root root
#获取所有minion主机/etc/passwd的stats信息
salt '*' file.stats /etc/passwd
#获取所有minion主机/etc/passwd的权限mode,如755,644
salt '*' file.get_mode /etc/passwd
#修改所有minion主机/etc/passwd的权限mode为0644
salt '*' file.set_mode /etc/passwd 0644
#在所有minion主机创建/opt/test目录
salt '*' file.mkdir /opt/test
#在所有minion主机穿件/tmp/test.conf文件
salt '*' file.touch /tmp/test.conf
#将所有minion主机/tmp/test.conf文件追加内容'maxclient 100'
salt '*' file.append /tmp/test.conf 'maxclient 100'
#删除所有minion主机的/tmp/test.conf文件
salt '*' file.remove /tmp/test.conf
service模块
#开启(enable)禁用(disable)
salt '*' service.enable <service name>
salt '*' service.disabled <service name>
#reload、restart、start、stop、status操作
salt '*' service.reload <service name>
salt '*' service.restart <service name>
salt '*' service.start <service name>
salt '*' service.stop <service name>
salt '*' service.status <service name>
Saltstack配置管理
Salt 通过State模块来进行文件的管理;通过YAML语法来描述,后缀是.sls的文件
1、了解 YAML 参考:http://docs.saltstack.cn/topics/yaml/index.html
remove vim:
pkg.removed:
- name: vim
- 带有ID和每个函数调用的行都以冒号(:)结束。
- 每个函数调用在ID下面缩进两个空格。
- 参数作为列表传递给每个函数。
- 每行包含函数参数的行都以两个空格缩进开头,然后是连字符,然后是一个额外的空格。
- 如果参数采用单个值,则名称和值位于由冒号和空格分隔的同一行中。
- 如果一个参数需要一个列表,则列表从下一行开始,并缩进两个空格
2、配置sals ,定义环境 参考文档
# 定义环境目录
[root@node0 ~]# cp /etc/salt/master{,.back}
[root@node0 ~]# cat /etc/salt/master
file_roots:
base:
- /srv/salt/base
dev:
- /srv/salt/dev
prod:
- /srv/salt/prod
# 创建上面定义的目录
[root@node0 ~]# mkdir -p /srv/salt/{base,dev,prod}
# 重启服务
[root@node0 ~]# systemctl restart salt-master
3、编写第一个sls文件
# 在base环境下编写第一个安装apache的sls文件
[root@node0 ~]# cd /srv/salt/base/
[root@node0 base]# cat apache.sls
apache-install:
pkg.installed:
- name: httpd
apache-service:
service.running:
- name: httpd
- enable: True
[root@node0 base]#
# 在dev环境下编写一个安装ftp的sls文件
[root@node0 base]# cd /srv/salt/dev/
[root@node0 dev]# cat vsftpd.sls
vsftpd-install:
pkg.installed:
- name: vsftpd
vsftpd-service:
service.running:
- name: vsftpd
- enable: True
[root@node0 dev]#
4、使用salt命令的state状态模块让minion应用配置
# 让所有的minion都安装apache(由于salt默认的环境就是base,所以可以直接在后面指定调用的apache.sls文件,不要后缀sls)
salt '*' state.sls apache
# 让所有的minion都安装vsftpd(saltenv指定环境)
salt '*' state.sls vsftpd saltenv=dev
执行过程
[root@node0 ~]# salt '*' state.sls apache
node2:
----------
ID: apache-install
Function: pkg.installed
Name: httpd
Result: True
Comment: The following packages were installed/updated: httpd
Started: 15:50:44.780671
Duration: 9613.398 ms
Changes:
----------
httpd:
----------
new:
2.4.6-99.el7.centos.1
old:
httpd-tools:
----------
new:
2.4.6-99.el7.centos.1
old:
mailcap:
----------
new:
2.1.41-2.el7
old:
----------
ID: apache-service
Function: service.running
Name: httpd
Result: True
Comment: Service httpd has been enabled, and is running
Started: 15:50:54.411488
Duration: 200.21 ms
Changes:
----------
httpd:
True
Summary for node2
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 9.814 s
node4:
----------
ID: apache-install
Function: pkg.installed
Name: httpd
Result: True
Comment: The following packages were installed/updated: httpd
Started: 15:50:44.903864
Duration: 9496.846 ms
Changes:
----------
httpd:
----------
new:
2.4.6-99.el7.centos.1
old:
httpd-tools:
----------
new:
2.4.6-99.el7.centos.1
old:
mailcap:
----------
new:
2.1.41-2.el7
old:
----------
ID: apache-service
Function: service.running
Name: httpd
Result: True
Comment: Service httpd has been enabled, and is running
Started: 15:50:54.427271
Duration: 192.398 ms
Changes:
----------
httpd:
True
Summary for node4
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 9.689 s
node1:
----------
ID: apache-install
Function: pkg.installed
Name: httpd
Result: True
Comment: The following packages were installed/updated: httpd
Started: 15:50:44.820382
Duration: 9834.754 ms
Changes:
----------
httpd:
----------
new:
2.4.6-99.el7.centos.1
old:
httpd-tools:
----------
new:
2.4.6-99.el7.centos.1
old:
mailcap:
----------
new:
2.1.41-2.el7
old:
----------
ID: apache-service
Function: service.running
Name: httpd
Result: True
Comment: Service httpd has been enabled, and is running
Started: 15:50:54.672438
Duration: 179.348 ms
Changes:
----------
httpd:
True
Summary for node1
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 10.014 s
node3:
----------
ID: apache-install
Function: pkg.installed
Name: httpd
Result: True
Comment: The following packages were installed/updated: httpd
Started: 15:50:44.751996
Duration: 10169.652 ms
Changes:
----------
httpd:
----------
new:
2.4.6-99.el7.centos.1
old:
httpd-tools:
----------
new:
2.4.6-99.el7.centos.1
old:
mailcap:
----------
new:
2.1.41-2.el7
old:
----------
ID: apache-service
Function: service.running
Name: httpd
Result: True
Comment: Service httpd has been enabled, and is running
Started: 15:50:54.953874
Duration: 186.157 ms
Changes:
----------
httpd:
True
Summary for node3
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 10.356 s
[root@node0 ~]#
[root@node0 ~]#
[root@node0 ~]#
[root@node0 ~]#
[root@node0 ~]# salt '*' state.sls vsftpd saltenv=dev
node3:
----------
ID: vsftpd-install
Function: pkg.installed
Name: vsftpd
Result: True
Comment: The following packages were installed/updated: vsftpd
Started: 15:52:04.241459
Duration: 7115.452 ms
Changes:
----------
vsftpd:
----------
new:
3.0.2-29.el7_9
old:
----------
ID: vsftpd-service
Function: service.running
Name: vsftpd
Result: True
Comment: Service vsftpd has been enabled, and is running
Started: 15:52:11.380043
Duration: 151.136 ms
Changes:
----------
vsftpd:
True
Summary for node3
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 7.267 s
node4:
----------
ID: vsftpd-install
Function: pkg.installed
Name: vsftpd
Result: True
Comment: The following packages were installed/updated: vsftpd
Started: 15:52:04.326778
Duration: 7086.892 ms
Changes:
----------
vsftpd:
----------
new:
3.0.2-29.el7_9
old:
----------
ID: vsftpd-service
Function: service.running
Name: vsftpd
Result: True
Comment: Service vsftpd has been enabled, and is running
Started: 15:52:11.435433
Duration: 157.314 ms
Changes:
----------
vsftpd:
True
Summary for node4
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 7.244 s
node1:
----------
ID: vsftpd-install
Function: pkg.installed
Name: vsftpd
Result: True
Comment: The following packages were installed/updated: vsftpd
Started: 15:52:04.243267
Duration: 7174.826 ms
Changes:
----------
vsftpd:
----------
new:
3.0.2-29.el7_9
old:
----------
ID: vsftpd-service
Function: service.running
Name: vsftpd
Result: True
Comment: Service vsftpd has been enabled, and is running
Started: 15:52:11.442439
Duration: 164.07 ms
Changes:
----------
vsftpd:
True
Summary for node1
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 7.339 s
node2:
----------
ID: vsftpd-install
Function: pkg.installed
Name: vsftpd
Result: True
Comment: The following packages were installed/updated: vsftpd
Started: 15:52:04.432109
Duration: 7108.384 ms
Changes:
----------
vsftpd:
----------
new:
3.0.2-29.el7_9
old:
----------
ID: vsftpd-service
Function: service.running
Name: vsftpd
Result: True
Comment: Service vsftpd has been enabled, and is running
Started: 15:52:11.563358
Duration: 147.366 ms
Changes:
----------
vsftpd:
True
Summary for node2
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 7.256 s
[root@node0 ~]#
5、使用salt的高级状态使不同主机应用不同的配置
# topfile入口文件只能放在base环境
[root@node0 ~]# cat /srv/salt/base/top.sls
base:
'node1':
- apache
'node2':
- apache
dev:
'node3':
- vsftpd
'node4':
- vsftpd
[root@node0 ~]#
6、使用salt命令执行高级状态,会将top.sls当做入口文件,进行调用
# 将高级状态应用到所有主机
[root@node0 ~]# salt '*' state.highstate
执行过程
[root@node0 ~]# salt '*' state.highstate
node4:
----------
ID: vsftpd-install
Function: pkg.installed
Name: vsftpd
Result: True
Comment: All specified packages are already installed
Started: 15:56:49.201061
Duration: 1101.703 ms
Changes:
----------
ID: vsftpd-service
Function: service.running
Name: vsftpd
Result: True
Comment: The service vsftpd is already running
Started: 15:56:50.305511
Duration: 35.393 ms
Changes:
Summary for node4
------------
Succeeded: 2
Failed: 0
------------
Total states run: 2
Total run time: 1.137 s
node1:
----------
ID: apache-install
Function: pkg.installed
Name: httpd
Result: True
Comment: All specified packages are already installed
Started: 15:56:49.225124
Duration: 1123.094 ms
Changes:
----------
ID: apache-service
Function: service.running
Name: httpd
Result: True
Comment: The service httpd is already running
Started: 15:56:50.350931
Duration: 39.346 ms
Changes:
Summary for node1
------------
Succeeded: 2
Failed: 0
------------
Total states run: 2
Total run time: 1.162 s
node2:
----------
ID: apache-install
Function: pkg.installed
Name: httpd
Result: True
Comment: All specified packages are already installed
Started: 15:56:49.252688
Duration: 1113.518 ms
Changes:
----------
ID: apache-service
Function: service.running
Name: httpd
Result: True
Comment: The service httpd is already running
Started: 15:56:50.369058
Duration: 41.763 ms
Changes:
Summary for node2
------------
Succeeded: 2
Failed: 0
------------
Total states run: 2
Total run time: 1.155 s
node3:
----------
ID: vsftpd-install
Function: pkg.installed
Name: vsftpd
Result: True
Comment: All specified packages are already installed
Started: 15:56:49.231030
Duration: 1144.398 ms
Changes:
----------
ID: vsftpd-service
Function: service.running
Name: vsftpd
Result: True
Comment: The service vsftpd is already running
Started: 15:56:50.378144
Duration: 40.684 ms
Changes:
Summary for node3
------------
Succeeded: 2
Failed: 0
------------
Total states run: 2
Total run time: 1.185 s
[root@node0 ~]#
Saltstack常用配置
1、Salt Master配置
Salt Master端的配置文件/etc/salt/master,常用配置如下:
interface: //指定bind 的地址(默认为0.0.0.0)
publish_port: //指定发布端口(默认为4505)
ret_port: //指定结果返回端口, 与minion配置文件中的master_port对应(默认为4506)
user: //指定master进程的运行用户,如果调整, 则需要调整部分目录的权限(默认为root)
timeout: //指定timeout时间, 如果minion规模庞大或网络状况不好,建议增大该值(默认5s)
keep_jobs: //minion执行结果返回master, master会缓存到本地的cachedir目录,该参数指定缓存多长时间,可查看之间执行结果会占用磁盘空间(默认为24h)
job_cache: //master是否缓存执行结果,如果规模庞大(超过5000台),建议使用其他方式来存储jobs,关闭本选项(默认为True)
file_recv : //是否允许minion传送文件到master 上(默认是Flase)
file_roots: //指定file server目录, 默认为:
file_roots:
base:
- /srv/salt
pillar_roots : //指定pillar 目录, 默认为:
pillar_roots:
base:
- /srv/pillar
log_level: //日志级别
支持的日志级别有'garbage', 'trace', 'debug', info', 'warning', 'error', ‘critical ’ ( 默认为’warning’)
2、Salt Minion端的配置文件/etc/salt/minion,常用配置如下:
master: //指定master 主机(默认为salt)
master_port: //指定认证和执行结果发送到master的哪个端口, 与master配置文件中的ret_port对应(默认为4506)
id: //指定本minion的标识, salt内部使用id作为标识(默认为主机名)
user: //指定运行minion的用户.由于安装包,启动服务等操作需要特权用户, 推荐使用root( 默认为root)
cache_jobs : //minion是否缓存执行结果(默认为False)
backup_mode: //在文件操作(file.managed 或file.recurse) 时, 如果文件发送变更,指定备份目录.当前有效
providers : //指定模块对应的providers, 如在RHEL系列中, pkg对应的providers 是yumpkg5
renderer: //指定配置管理系统中的渲染器(默认值为:yaml_jinja )
file_client : //指定file clinet 默认去哪里(remote 或local) 寻找文件(默认值为remote)
loglevel: //指定日志级别(默认为warning)
tcp_keepalive : //minion 是否与master 保持keepalive 检查, zeromq3(默认为True)
参考资料
https://www.cnblogs.com/yanjieli/p/10864648.html
