salt、puppet、ansible
自动化工具对比
saltstack
salt简介
- C/S模式、证书认证、批量管理主机,比puppet轻量
- 集中化管理、分发文件、采集系统数据及软件包的安装与管理
- 部署简单、管理方便
- 支持大部分的操作系统
- C/S管理模式,易于扩展
- 配置简单、功能覆盖广
- Master和Minion基于认证,确保安全
- 支持API及自定义Pyhton模块,轻松实现功能扩展
salt工作原理
- Minion启动时,会自动生成一套秘钥,将公钥发送给服务器端,服务器验证并接受公钥,以此建立可靠且加密的通信连接。同时通过消息队列ZeroMQ在客户端与服务器之间建立消息发布连接。
- Minion是saltstack需要管理的客户端安装组件,会主动连接Master端,并从Master得到资源状态信息,同步资源管理信息。
- Master负责salt命令运行和资源状态的管理
- ZeroMQ消息队列软件,用于在Master和Minion建立系统通信桥梁。
- Daemon运行于每个成员内的守护进程,承担着发布消息及通信端口监听的功能。
saltstack 依赖配置
- python:
- PyYAML:
- setuptools:
- markupsafe:
- jinja2:
- pyzmq:版本>2.63
salt --versions-report
saltstack配置
master
15 interface: 0.0.0.0 22 publish_port: 4505 32 ret_port: 4506
254 worker_threads: 5
#!/bin/bash
cd /usr/local/src/
wget http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm
yum install python-devel
yum install salt-master -y
sed -i -r 's/^#interface: 0.0.0.0/interface: 0.0.0.0/' master
sed -i -r 's/^#publish_port: 4505/publish_port: 4505/' master
sed -i -r 's/^#worker_threads: 5/worker_threads: 5/' master
sed -i -r 's/^#ret_port: 4506/ret_port: 4506/' master
iptables -I INPUT -p tcp --dport 4505 -j ACCEPT
iptables -I INPUT -p tcp --dport 4506 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
chkconfig salt-master on
service salt-master start
-
作者:燕涛 链接:http://www.jianshu.com/p/df98836f46e9 來源:简书 著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
minion
ssh-copy-id root@server3 ssh-copy-di root@server2 scp /etc/yum.repo.d/salt-latest.repo root@serve3:/etc/yum.repo.d/ scp /etc/yum.repo.d/salt-latest.repo root@serve2:/etc/yum.repo.d/ yum clean all yum install -y salt-minion vim /etc/salt/minion master: master IP id: minion自己的IP vim /etc/salt/master master : master自己的IP
puppet
puppet基本特性
- 基于ruby
- 基于master/agent认证机制
- 不依赖客户端系统的管理权限
- 可实现配置自动特推送客户端
- 可跨平台以
puppet 工作特性
- master以守护进程方式进行,包含所有环境需要的所有配置。
- agent使用标准SSL协议进行加密和验证的连接与master通信,然后
yaml语言
yaml语言特性
- 比JSON格式方便
- 大小写敏感
- 缩进表示层级关系
- 缩进只允许使用空格
- 缩进空格数目不重要,只要相同级别元素左侧对齐即可
- ‘#’表示注释一行,被解析器忽略
支持的数据结构
- 对象:键值对的集合
-
key:values
-
- 数组:序列
-
- Name1
- Name2
- Name3
-
- 混合:
language:
- python
- C
- C++
website:
YAML: yaml.org
Perl:perl.org
- - 纯量:单个不可再分的值(字符串、布尔值、整数、浮点数、Null、时间、日期)
-
number:12.30
- 字符串
str:memgran is a guapi
- 引用:&用来建立锚点(default) 、*用来引用锚点、<<表示合并到当前数据
- 函数和正则表示式的转换
ansible
简介
- 基于python开发,集合众多运维工具优点(puppet、cfengine、chef、func、fabric),实现了批量系统配置、批量程序部署、批量运行命令等功能;
- 基于模块,本身无批量部署能力。ansible提供一种框架;
框架
- 连接插件connection plugins:负责和被监控端实现通信;
- host inventory:指定操作的主机,是一个配置文件里面定义监控的主机;
- 各种模块核心模块、command模块、自定义模块;
- 借助于插件完成记录日志邮件等功能;
- playbook:剧本执行多个任务时,非必需可以让节点一次性运行多个任务。
总体架构图
特性
- no agents:不需在被管控主机安装任何客户端
- no server:无服务器,直接运行命令
- modules in any languages: 基于模块,可使用任意语言开发模块
- yaml,not code:使用yaml语言定制剧本playbook;
- ssh by default:基于ssh工作;
- strong multi-tier solution:可实现多级指挥
优点
- 轻量级,无需安装agent,更新时,只需在操作机上进行一次更新即可;
- 批量任务执行可写成脚本,且不用分发到远程执行;
- 使用python编写,维护简单;
- 支持 sudo;
任务执行流程
- 见笔记8.14 A4纸
Ansible基础
一、基本配置
- 安装 python:
wget http://www.zlib.net/zlib-1.2.11.tar.gz
tar zxcvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
make
make install
wget https://www.python.org/ftp/python/2.7.8/Python-2.7.8.tgz
tar zxcvf Python-2.7.8.tgz
cd Python-2.7.8
./configure --prefix=/usr/local
make
make install
cd /usr/local/include/python2.7
cp -a ./* /usr/local/include/
- - 安装 setuptools:
wget https://pypi.python.org/packages/source/s/setuptools/setuptools-7.0.tar.gz
tar xvzf setuptools-7.0.tar.gz
cd setuptools-7.0
python setup.py install
- - 安装 pycrypto:
wget https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz
tar xvzf pycrypto-2.6.1.tar.gz
cd pycrypto-2.6.1
python setup.py install
-
- PyYAML模块安装
wget http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz
tar xvzf yaml-0.1.5.tar.gz
cd yaml-0.1.5
./configure --prefix=/usr/local
make
make install
-
wget https://pypi.python.org/packages/source/P/PyYAML/PyYAML-3.11.tar.gz
tar xvzf PyYAML-3.11.tar.gz
cd PyYAML-3.11
python setup.py install
-
- Jinja2模块安装
wget https://pypi.python.org/packages/source/M/MarkupSafe/MarkupSafe-0.9.3.tar.gz
tar xvzf MarkupSafe-0.9.3.tar.gz
cd MarkupSafe-0.9.3
python setup.py install
wget https://pypi.python.org/packages/source/J/Jinja2/Jinja2-2.7.3.tar.gz
tar xvzf Jinja2-2.7.3.tar.gz
cd Jinja2-2.7.3
python setup.py install
- - paramiko模块安装
wget https://pypi.python.org/packages/source/e/ecdsa/ecdsa-0.11.tar.gz
tar xvzf ecdsa-0.11.tar.gz
cd ecdsa-0.11
python setup.py install
wget https://pypi.python.org/packages/source/p/paramiko/paramiko-1.15.1.tar.gz
tar xvzf paramiko-1.15.1.tar.gz
cd paramiko-1.15.1
python setup.py install
-
- simplejson模块安装
wget https://pypi.python.org/packages/source/s/simplejson/simplejson-3.6.5.tar.gz
tar xvzf simplejson-3.6.5.tar.gz
cd simplejson-3.6.5
python setup.py install
-
- ansible安装
wget https://github.com/ansible/ansible/archive/v1.7.2.tar.gz
tar xvzf ansible-1.7.2.tar.gz
cd ansible-1.7.2
python setup.py install
二、ansible配置
- ssh配置
ssh-keygen
ssh-copy-id root@server5
scp -r .ssh/ root@server3:
ssh root@server3
- ansible配置
mdkir -p /etc/ansible
vim /etc/ansible/ansible.cfg
[defaults]
host_key_checking = False
vim /etc/ansible/hosts
[servers]
192.168.109.131
192.168.109.138
-
Options:
-a MODULE_ARGS, --args=MODULE_ARGS
module arguments
-k, --ask-pass ask for SSH password
--ask-su-pass ask for su password
-K, --ask-sudo-pass ask for sudo password
--ask-vault-pass ask for vault password
-B SECONDS, --background=SECONDS
run asynchronously, failing after X seconds
(default=N/A)
-C, --check don't make any changes; instead, try to predict some
of the changes that may occur
-c CONNECTION, --connection=CONNECTION
connection type to use (default=smart)
-f FORKS, --forks=FORKS
specify number of parallel processes to use
(default=5)
-h, --help show this help message and exit
-i INVENTORY, --inventory-file=INVENTORY
specify inventory host file
(default=/etc/ansible/hosts)
-l SUBSET, --limit=SUBSET
further limit selected hosts to an additional pattern
--list-hosts outputs a list of matching hosts; does not execute
anything else
-m MODULE_NAME, --module-name=MODULE_NAME
module name to execute (default=command)
-M MODULE_PATH, --module-path=MODULE_PATH
specify path(s) to module library
(default=/usr/share/ansible/)
-o, --one-line condense output
-P POLL_INTERVAL, --poll=POLL_INTERVAL
set the poll interval if using -B (default=15)
--private-key=PRIVATE_KEY_FILE
use this file to authenticate the connection
-S, --su run operations with su
-R SU_USER, --su-user=SU_USER
run operations with su as this user (default=root)
-s, --sudo run operations with sudo (nopasswd)
-U SUDO_USER, --sudo-user=SUDO_USER
desired sudo user (default=root)
-T TIMEOUT, --timeout=TIMEOUT
override the SSH timeout in seconds (default=10)
-t TREE, --tree=TREE log output to this directory
-u REMOTE_USER, --user=REMOTE_USER
connect as this user (default=root)
--vault-password-file=VAULT_PASSWORD_FILE
vault password file
-v, --verbose verbose mode (-vvv for more, -vvvv to enable
connection debugging)
--version show program's version number and exit
- - 测试 - ping
[root@server5 ~]# ansible servers -m ping
192.168.109.131 | success >> {
"changed": false,
"ping": "pong"
}
192.168.109.138 | success >> {
"changed": false,
"ping": "pong"
}
- - command
[root@server5 ~]# ansible servers -m command -a 'uptime'
192.168.109.131 | success | rc=0 >>
23:15:59 up 1:38, 5 users, load average: 0.05, 0.04, 0.05
192.168.109.138 | success | rc=0 >>
23:15:59 up 3:59, 6 users, load average: 0.00, 0.01, 0.05
- setup
-
[root@server5 ~]# ansible servers -m setup
192.168.109.131 | success >> {
"ansible_facts": {
"ansible_all_ipv4_addresses": [
"192.168.122.1",
"192.168.109.131"
],
"ansible_all_ipv6_addresses": [
"fe80::52c2:81e3:8c97:2e0"
],
"ansible_architecture": "x86_64",
"ansible_bios_date": "07/02/2015",
"ansible_bios_version": "6.00",
"ansible_cmdline": {
"BOOT_IMAGE": "/vmlinuz-3.10.0-514.el7.x86_64",
"LANG": "en_US.UTF-8",
"crashkernel": "auto",
"quiet": true,
"rhgb": true,
"ro": true,
"root": "UUID=8a43bc9e-303d-4271-92b8-bbb171dcf551"
},
-
- link
-
[root@server5 ~]# ansible servers -m file -a "src=/etc/hosts dest=/tmp/hosts state=link"
192.168.109.131 | success >> {
"changed": true,
"dest": "/tmp/hosts",
"gid": 0,
"group": "root",
"mode": "0777",
"owner": "root",
"secontext": "unconfined_u:object_r:user_tmp_t:s0",
"size": 10,
"src": "/etc/hosts",
"state": "link",
"uid": 0
}
192.168.109.138 | success >> {
-
[root@server5 ~]# ll /tmp/hosts
lrwxrwxrwx. 1 root root 10 Aug 14 14:28 /tmp/hosts -> /etc/hosts
[root@server3 ~]# ll /tmp/hosts
lrwxrwxrwx. 1 root root 10 Aug 13 23:28 /tmp/hosts -> /etc/hosts
-
- copy
-
[root@server5 ~]# ansible servers -m copy -a "src=/etc/ansible/ansible.cfg dest=/tmp/ansible.cfg owner=root group=root mode=0644"
[root@server3 ~]# ll /tmp/ansible.cfg
-rw-r--r--. 1 root root 37 Aug 13 23:33 /tmp/ansible.cfg
[root@server5 ~]# ansible servers -m copy -a "src=/root/test.sh dest=/root/test.sh owner=root group=root mode=0755"
192.168.109.138 | success >> {
"changed": false,
"dest": "/root/test.sh",
"gid": 0,
"group": "root",
"md5sum": "7c73186c5baeeced9773809d51f55903",
"mode": "0755",
"owner": "root",
"path": "/root/test.sh",
"secontext": "unconfined_u:object_r:admin_home_t:s0",
"size": 17,
"state": "file",
"uid": 0
}
192.168.109.131 | success >> {
"changed": true,
"dest": "/root/test.sh",
"gid": 0,
"group": "root",
"md5sum": "7c73186c5baeeced9773809d51f55903",
"mode": "0755",
"owner": "root",
"secontext": "system_u:object_r:admin_home_t:s0",
"size": 17,
"src": "/root/.ansible/tmp/ansible-tmp-1502692717.29-206531122290598/source",
"state": "file",
"uid": 0
}
- shell
-
[root@server5 ~]# ansible servers -m shell -a "/root/test.sh"
192.168.109.138 | success | rc=0 >>
Sun Aug 13 23:40:29 PDT 2017
192.168.109.131 | success | rc=0 >>
Sun Aug 13 23:40:29 PDT 2017
[root@server5 ~]# ansible-doc -l
acl Sets and retrieves file ACL information.
add_host add a host (and alternatively a group) to
airbrake_deployment Notify airbrake about app deployments
alternatives Manages alternative programs for common c
salt、puppet、ansible
salt
- salt有master,minion在初始化时会连接到该master上。master将命令分发到minion上。,初始化时,minion会交换一个秘钥建立握手,然后建立一个持久的加密的TCP连接。master可同时连接很多minion而无需担心过载,归功于ZeroMQ。
- 执行模块和状态模块
- 支持事件和反应器,执行引擎支持监控
- 使用PyCrypto的AES实现及key管理
ansible
- 无master,使用ssh主要的通讯工具(意味着慢);ansible也支持ZeroMQ;ansible推荐使用inventory(映射组合主机关系的)文件来追踪机器。
- 支持sudo