what-saltstack
1> A centralized management platform for server infrastructure, providing configuration management, remote execution, monitoring and similar functions.
2> Written in Python, simple to deploy, centralized master/minion management, with support for an API and custom modules.
3> Made up of a Master and Minions (authenticated with keys), communicating over the lightweight ZeroMQ message queue.
how-saltstack
The Saltstack master listens on ports 4505 and 4506: 4505 is Salt's message publishing system, and 4506 is the port the Salt client uses to talk to the server.
The salt client program does not listen on any port. After the client starts it actively connects to the master to register, then keeps that TCP connection open; the master controls the client over this connection, and if the connection drops the master can no longer do anything with that client. The client, of course, keeps periodically reconnecting to the master once it notices the connection is gone.
Installing saltstack
The saltstack packages can be downloaded via EPEL; here a yum repository built by hand on the local machine is used.
Add a yum repository on the physical host
[root@foundation88 rhel6]# pwd
/var/www/html/saltstack/rhel6
[root@foundation88 rhel6]# createrepo . # create a third-party yum repository
Spawning worker 0 with 7 pkgs
Spawning worker 1 with 7 pkgs
Spawning worker 2 with 7 pkgs
Spawning worker 3 with 7 pkgs
Workers Finished
Saving Primary metadata
Saving file lists metadata
Saving other metadata
Generating sqlite DBs
Sqlite DBs complete
server3,server4:
yum repository configuration:
vim /etc/yum.repos.d/rhel-source.repo
[salt]
name=saltstack
baseurl=http://172.25.88.250/saltstack/rhel6
gpgcheck=0
server3
yum install salt-master -y
[root@server3 ~]# ss -ntla
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:4505 (send) *:*
LISTEN 0 128 *:4506 (subscribe) *:*
server4
yum install salt-minion -y
[root@server3 ~]# vim /etc/salt/minion
master: server3.lalala.com
Authentication is still required
[root@server3 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
server4.lalala.com
Proceed? [n/Y] Y
Key for minion server4.lalala.com accepted..
[root@server3 ~]# salt-key -L
Accepted Keys:
server4.lalala.com
Denied Keys:
Unaccepted Keys:
Rejected Keys:
Verify
[root@server3 yum.repos.d]# salt server4.lalala.com test.ping
server4.lalala.com:
True
[root@server3 yum.repos.d]# salt '*' test.ping # pattern matching is supported
server4.lalala.com:
True
[root@server3 yum.repos.d]# salt -S 172.25.4.4 test.ping
server4.lalala.com:
True
Any operation can be run on the specified host.
[root@server3 ~]# salt server4.lalala.com cmd.run 'df -h'
server4.lalala.com:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root 19G 1.3G 17G 8% /
tmpfs 499M 16K 499M 1% /dev/shm
/dev/vda1 485M 33M 427M 8% /boot
[root@server3 yum.repos.d]# salt -S 172.25.88.4 cmd.run 'cp /etc/passwd /mnt'
[root@server3 yum.repos.d]# salt -S 172.25.88.4 cmd.run 'ls -l /mnt'
server4.lalala.com:
total 4
-rw-r--r-- 1 root root 1066 Apr 15 10:15 passwd
About keys
When the minion is first installed and its service starts,
the minion generates a key pair and an ID value; the minion service sends its public key, named after that ID, to the master until it is accepted;
after the master authenticates it, it stores the public key sent by the minion (named after the ID, no extension) in /etc/salt/pki/master/minions; the master then sends its own public key to the minion, which stores it as /etc/salt/pki/minion/minion_master.pub.
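Accepting every pending key with salt-key -A, as done above, trusts whatever host presented that ID; a safer habit is to compare the fingerprint the master sees with the one read on the minion itself before accepting. The following is an added example, not code from the original post or from Salt: it assumes salt-key -f prints lines of the form "<id>:  <fingerprint>" and that the expected fingerprint was obtained out-of-band on the minion with salt-call --local key.finger.

```python
"""Verify a pending minion key's fingerprint before accepting it with salt-key.

Added example, not from the original post. It assumes the expected fingerprint
was read out-of-band on the minion itself (``salt-call --local key.finger``)
and that ``salt-key -f <id>`` prints lines of the form "<id>:  <hex:hex:...>".
"""
import re
import subprocess
import sys

# Fingerprint line as printed by salt-key -f (format assumed, see module docstring)
FINGER_RE = re.compile(r"^(?P<mid>\S+):\s+(?P<fp>[0-9a-f]{2}(?::[0-9a-f]{2})+)\s*$")


def parse_salt_key_finger(output: str) -> dict:
    """Map minion id -> fingerprint; section headers like 'Unaccepted Keys:' are skipped."""
    fingers = {}
    for line in output.splitlines():
        m = FINGER_RE.match(line.strip())
        if m:
            fingers[m.group("mid")] = m.group("fp").lower()
    return fingers


def should_accept(minion_id: str, expected_fp: str, salt_key_output: str) -> bool:
    """True only if the master lists a key for minion_id and it matches expected_fp."""
    actual = parse_salt_key_finger(salt_key_output).get(minion_id)
    return actual is not None and actual == expected_fp.strip().lower()


def accept_if_verified(minion_id: str, expected_fp: str) -> bool:
    """Ask salt-key on the master for the pending fingerprint; accept only on a match."""
    out = subprocess.run(["salt-key", "-f", minion_id],
                         capture_output=True, text=True, check=False).stdout
    if not should_accept(minion_id, expected_fp, out):
        return False
    subprocess.run(["salt-key", "-y", "-a", minion_id], check=True)
    return True


# Constructed sample of salt-key -f output: hostname from the post, fingerprint made up
SAMPLE_OUTPUT = """Unaccepted Keys:
server4.lalala.com:  1a:2b:3c:4d:5e:6f:70:81:92:a3:b4:c5:d6:e7:f8:09
"""

if __name__ == "__main__":
    # usage: python verify_key.py <minion id> <fingerprint from salt-call --local key.finger>
    sys.exit(0 if accept_if_verified(sys.argv[1], sys.argv[2]) else 1)
```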
Use tree to view the master's directory tree
[root@server3 salt]# pwd
/etc/salt
[root@server3 salt]# tree
|-- cloud
|-- cloud.conf.d
|-- cloud.deploy.d
|-- cloud.maps.d
|-- cloud.profiles.d
|-- cloud.providers.d
|-- master
|-- master.d
|-- minion
|-- minion.d
|-- pki # key material
| |-- master
| | |-- master.pem
| | |-- master.pub
| | |-- minions
| | | `-- server4.lalala.com # host that has already been accepted
| | |-- minions_autosign
| | |-- minions_denied
| | |-- minions_pre
| | `-- minions_rejected
| `-- minion
|-- proxy
|-- proxy.d
`-- roster
Directory tree on the managed host
[root@server4 salt]# tree .
.
|-- cloud
|-- cloud.conf.d
|-- cloud.deploy.d
|-- cloud.maps.d
|-- cloud.profiles.d
|-- cloud.providers.d
|-- master
|-- master.d
|-- minion
|-- minion.d
| `-- _schedule.conf
|-- minion_id
|-- pki
| |-- master
| `-- minion
| |-- minion_master.pub
Installing Apache with a state module
vim /etc/salt/master
file_roots:
  base:
    - /srv/salt
vim /srv/salt/httpd/apache.sls
apache-install:
  pkg.installed:
    - name: httpd
Test and execute
[root@server3 httpd]# salt '*' state.sls httpd.apache test=True
[root@server3 httpd]# salt '*' state.sls httpd.apache
server4.lalala.com:
----------
ID: apache-install
Function: pkg.installed
Name: httpd
Result: True
Comment: Package httpd is already installed
Started: 14:13:13.995696
Duration: 832.407 ms
Changes:
Summary for server4.lalala.com
------------
Succeeded: 1
Failed: 0
------------
Total states run: 1
Total run time: 832.407 ms
The pushed state file is cached on the minion at this location
[root@server4 httpd]# pwd
/var/cache/salt/minion/files/base/httpd
[root@server4 httpd]# cat apache.sls
apache-install:
  pkg.installed:
    - name: httpd
Configuration and application
Goals:
1. Start the service and have the server manage the apache config file
2. When the server changes the config file, the client picks up the change and reloads so it takes effect
mkdir /srv/salt/httpd/files
vim apache.sls
apache-install:
  pkg.installed:
    - pkgs:
      - httpd
      - httpd-tools
apache-config:
  file.managed:
    - name: /etc/httpd/conf/httpd.conf
    - source: salt://httpd/files/httpd.conf
    - mode: 644
    - user: root
    - group: root
    - require:
      - pkg: apache-install
apache-service:
  service.running:
    - name: httpd
    - enable: True
    - reload: True
    - watch: # watch the apache config file; reload as soon as it changes
      - file: apache-config
Change the port in the config file and sync it to the client
vim /srv/salt/httpd/files/httpd.conf # change the default port
Listen 8080
[root@server3 httpd]# salt '*' state.sls httpd.apache
server4.lalala.com:
----------
ID: apache-install
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 11:42:54.769981
Duration: 445.517 ms
Changes:
----------
ID: apache-config
Function: file.managed
Name: /etc/httpd/conf/httpd.conf
Result: True
Comment: File /etc/httpd/conf/httpd.conf updated
Started: 11:42:55.217486
Duration: 45.472 ms
Changes:
----------
diff:
---
+++
@@ -133,7 +133,7 @@
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
-Listen 80
+Listen 8080
#
# Dynamic Shared Object (DSO) Support
----------
ID: apache-service
Function: service.running
Name: httpd
Result: True
Comment: Service reloaded
Started: 11:42:55.395103
Duration: 75.042 ms
Changes:
----------
httpd:
True
Summary for server4.lalala.com
------------
Succeeded: 3 (changed=2)
Failed: 0
------------
Total states run: 3
Total run time: 566.031 ms
Check the hashes of the two config files: they match
[root@server4 files]# md5sum httpd.conf
b7ca7a0e786418ba7b5ad84efac70265 httpd.conf
[root@server3 files]# md5sum httpd.conf
b7ca7a0e786418ba7b5ad84efac70265 httpd.conf